Edit tour

Windows Analysis Report
loader.exe

Overview

General Information

Sample Name:	loader.exe
Analysis ID:	679607
MD5:	e5fd705d3e71f8305fa11e8d1cd2984e
SHA1:	551751a4e05ddc9fb3fc3989d50032c15b99caf9
SHA256:	557caa9cc31a834b807583b61c2b81a001962cd85419616c0f297d0c84b29d21
Tags:	exe
Infos:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Hides threads from debuggers

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Tries to evade analysis by execution special instruction (VM detection)

Tries to detect virtualization through RDTSC time measurements

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect debuggers (CloseHandle check)

PE file contains section with special chars

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

AV process strings found (often used to terminate AV products)

May sleep (evasive loops) to hinder dynamic analysis

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

PE file contains sections with non-standard names

Contains capabilities to detect virtual machines

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries disk information (often used to detect virtual machines)

IP address seen in connection with other malware

Entry point lies outside standard sections

Classification

Process Tree

System is w10x64

loader.exe (PID: 5972 cmdline: "C:\Users\user\Desktop\loader.exe" MD5: E5FD705D3E71F8305FA11E8D1CD2984E)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: loader.exe	Virustotal: Detection: 22%	Perma Link
Source: loader.exe	Metadefender: Detection: 17%	Perma Link
Source: loader.exe	ReversingLabs: Detection: 46%

Source: global traffic	TCP traffic: 192.168.2.3:49735 -> 51.79.119.230:13371
Source: global traffic	TCP traffic: 192.168.2.3:49734 -> 51.79.119.231:13371
Source: global traffic	TCP traffic: 192.168.2.3:49744 -> 51.79.119.229:13371
Source: global traffic	TCP traffic: 192.168.2.3:49747 -> 51.79.119.228:13371
Source: global traffic	TCP traffic: 192.168.2.3:49748 -> 51.79.119.221:13371

Source: Joe Sandbox View	IP Address: 51.79.119.229 51.79.119.229
Source: Joe Sandbox View	IP Address: 51.79.119.228 51.79.119.228
Source: Joe Sandbox View	IP Address: 51.79.119.221 51.79.119.221
Source: Joe Sandbox View	IP Address: 51.79.119.230 51.79.119.230

Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.119.230
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.119.231
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.119.231
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.119.230
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.119.231
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.119.231
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.119.230
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.119.229
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.119.231
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.119.231
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.119.231
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.119.229
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.119.231
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.119.229
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.119.228
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.119.231
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.119.231
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.119.228
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.119.231
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.119.231
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.119.228
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.119.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.119.231
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.119.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.119.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.119.231
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.119.231
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.119.231
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.119.230
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.119.230
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.119.231
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.119.230
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.119.229
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.119.231
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.119.229
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.119.231
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.119.229
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.119.228
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.119.228
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.119.231
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.119.228
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.119.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.119.231
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.119.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.119.231
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.119.221
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.119.231
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.119.231
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.119.230
Source: unknown	TCP traffic detected without corresponding DNS query: 51.79.119.231

Source: 77EC63BDA74BD0D0E0426DC8F80085060.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: loader.exe, 00000000.00000003.259055056.00000000057FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?78d9fd3997324
Source: loader.exe, 00000000.00000003.282588903.0000000000601000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enEM32

System Summary

PE file contains section with special chars

Source: loader.exe	Static PE information: section name: 4uN%
Source: loader.exe	Static PE information: section name: A]zn
Source: loader.exe	Static PE information: section name: +/*9
Source: loader.exe	Static PE information: section name: 'x00
Source: loader.exe	Static PE information: section name: 'IAL
Source: loader.exe	Static PE information: section name: w^]>
Source: loader.exe	Static PE information: section name: h`J?

Source: loader.exe	Virustotal: Detection: 22%
Source: loader.exe	Metadefender: Detection: 17%
Source: loader.exe	ReversingLabs: Detection: 46%

Source: C:\Users\user\Desktop\loader.exe

File read: C:\Users\user\Desktop\loader.exe

Jump to behavior

Source: C:\Users\user\Desktop\loader.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\loader.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto

Jump to behavior

Source: classification engine

Classification label: mal76.evad.winEXE@1/4@0/6

Source: C:\Users\user\Desktop\loader.exe

File read: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: C:\Users\user\Desktop\loader.exe

File opened: C:\Users\user\Desktop\loader.cfg

Jump to behavior

Source: loader.exe

Static file information: File size 9042944 > 1048576

Source: loader.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: loader.exe

Static PE information: Raw size of w^]> is bigger than: 0x100000 < 0x89f400

Source: loader.exe	Static PE information: section name: 4uN%
Source: loader.exe	Static PE information: section name: A]zn
Source: loader.exe	Static PE information: section name: +/*9
Source: loader.exe	Static PE information: section name: 'x00
Source: loader.exe	Static PE information: section name: 'IAL
Source: loader.exe	Static PE information: section name: w^]>
Source: loader.exe	Static PE information: section name: h`J?

Source: initial sample

Static PE information: section where entry point is pointing to: w^]>

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\Desktop\loader.exe	Memory written: PID: 5972 base: 7FFC867E0008 value: E9 7B A9 EA FF	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Memory written: PID: 5972 base: 7FFC8668A980 value: E9 90 56 15 00	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Memory written: PID: 5972 base: 7FFC867F000D value: E9 6B 9B EC FF	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Memory written: PID: 5972 base: 7FFC866B9B70 value: E9 AA 64 13 00	Jump to behavior

Source: C:\Users\user\Desktop\loader.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Malware Analysis System Evasion

Tries to evade analysis by execution special instruction (VM detection)

Source: C:\Users\user\Desktop\loader.exe	Special instruction interceptor: First address: 0000000140FA9A84 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\Desktop\loader.exe	Special instruction interceptor: First address: 0000000140FA9A9C instructions rdtsc caused by: RDTSC with Trap Flag (TF)

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\loader.exe	RDTSC instruction interceptor: First address: 0000000140FF5B60 second address: 00000001410056D0 instructions: 0x00000000 rdtsc 0x00000002 xor dl, FFFFFF8Bh 0x00000005 dec eax 0x00000006 add edx, edx 0x00000008 inc eax 0x00000009 xor dh, bh 0x0000000b bswap ax 0x0000000e bsf dx, dx 0x00000012 mov edx, dword ptr [esp+edi] 0x00000015 dec ecx 0x00000016 sub eax, 00000004h 0x0000001c inc ecx 0x0000001d mov dword ptr [eax], edx 0x0000001f lahf 0x00000020 shrd ax, cx, 00000034h 0x00000025 dec eax 0x00000026 sub ebp, 00000004h 0x0000002c mov eax, dword ptr [ebp+00h] 0x00000030 xor eax, esi 0x00000032 rol eax, 02h 0x00000035 cmc 0x00000036 inc ecx 0x00000037 cmp eax, ebp 0x00000039 clc 0x0000003a sub eax, 0E9B52EAh 0x0000003f neg eax 0x00000041 inc ecx 0x00000042 test cl, 0000003Ch 0x00000045 sub eax, 14C9657Ch 0x0000004a push esi 0x0000004b xor dword ptr [esp], eax 0x0000004e dec eax 0x0000004f arpl dx, si 0x00000051 neg si 0x00000054 pop esi 0x00000055 inc eax 0x00000056 test dh, FFFFFF8Fh 0x00000059 dec eax 0x0000005a arpl ax, ax 0x0000005c jmp 00007FB2D0CC171Fh 0x00000061 dec esp 0x00000062 add edx, eax 0x00000064 jmp 00007FB2D0CD78C9h 0x00000069 jmp 00007FB2D0C95CB9h 0x0000006e dec esp 0x0000006f lea ebx, dword ptr [esp+00000140h] 0x00000076 dec ebp 0x00000077 cmp eax, ebx 0x00000079 jmp 00007FB2D0CF947Ah 0x0000007e ja 00007FB2D0CBFCC6h 0x00000084 inc ecx 0x00000085 push edx 0x00000086 ret 0x00000087 dec eax 0x00000088 sub ebp, 00000001h 0x0000008e sal ah, 00000076h 0x00000091 rdtsc
Source: C:\Users\user\Desktop\loader.exe	RDTSC instruction interceptor: First address: 00000001407FEBE4 second address: 000000014074229E instructions: 0x00000000 rdtsc 0x00000002 xor dl, FFFFFF8Bh 0x00000005 dec eax 0x00000006 add edx, edx 0x00000008 inc eax 0x00000009 xor dh, bh 0x0000000b bswap ax 0x0000000e bsf dx, dx 0x00000012 mov edx, dword ptr [esp+edi] 0x00000015 dec ecx 0x00000016 sub eax, 00000004h 0x0000001c inc ecx 0x0000001d mov dword ptr [eax], edx 0x0000001f lahf 0x00000020 shrd ax, cx, 00000034h 0x00000025 dec eax 0x00000026 sub ebp, 00000004h 0x0000002c mov eax, dword ptr [ebp+00h] 0x00000030 xor eax, esi 0x00000032 rol eax, 02h 0x00000035 cmc 0x00000036 inc ecx 0x00000037 cmp eax, ebp 0x00000039 clc 0x0000003a sub eax, 0E9B52EAh 0x0000003f neg eax 0x00000041 inc ecx 0x00000042 test cl, 0000003Ch 0x00000045 sub eax, 14C9657Ch 0x0000004a push esi 0x0000004b xor dword ptr [esp], eax 0x0000004e dec eax 0x0000004f arpl dx, si 0x00000051 neg si 0x00000054 pop esi 0x00000055 inc eax 0x00000056 test dh, FFFFFF8Fh 0x00000059 dec eax 0x0000005a arpl ax, ax 0x0000005c jmp 00007FB2D06E9542h 0x00000061 dec esp 0x00000062 add edx, eax 0x00000064 jmp 00007FB2D07848DCh 0x00000069 jmp 00007FB2D06C4ED6h 0x0000006e dec esp 0x0000006f lea ebx, dword ptr [esp+00000140h] 0x00000076 dec ebp 0x00000077 cmp eax, ebx 0x00000079 jmp 00007FB2D0756AADh 0x0000007e ja 00007FB2D067A9FFh 0x00000084 inc ecx 0x00000085 push edx 0x00000086 ret 0x00000087 dec eax 0x00000088 sub ebp, 00000001h 0x0000008e sal ah, 00000076h 0x00000091 rdtsc

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: loader.exe, 00000000.00000003.272407449.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.292218034.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.263600234.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.300046554.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.271260895.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.295344503.0000000005372000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IMPORTREC.EXES
Source: loader.exe, 00000000.00000003.272407449.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.292218034.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.263600234.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.300046554.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.271260895.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.295344503.0000000005372000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OLLYDBG.EXE
Source: loader.exe, 00000000.00000003.272407449.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.292218034.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.263600234.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.300046554.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.271260895.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.295344503.0000000005372000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: REGMON.EXE
Source: loader.exe, 00000000.00000003.272407449.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.292218034.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.263600234.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.300046554.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.271260895.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.295344503.0000000005372000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WINDBG.EXE
Source: loader.exe, 00000000.00000003.272407449.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.292218034.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.263600234.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.300046554.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.271260895.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.295344503.0000000005372000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IMPORTREC.EXE
Source: loader.exe, 00000000.00000003.272407449.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.292218034.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.263600234.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.300046554.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.271260895.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.295344503.0000000005372000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PETOOLS.EXE
Source: loader.exe, 00000000.00000003.272407449.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.292218034.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.263600234.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.300046554.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.271260895.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.295344503.0000000005372000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OLLYDBG.EXETION
Source: loader.exe, 00000000.00000003.272407449.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.292218034.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.263600234.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.300046554.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.271260895.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.295344503.0000000005372000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IDAQ.EXE
Source: loader.exe, 00000000.00000003.272407449.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.292218034.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.263600234.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.300046554.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.271260895.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.295344503.0000000005372000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SYSANALYZER.EXE
Source: loader.exe, 00000000.00000003.272407449.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.292218034.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.263600234.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.300046554.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.271260895.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.295344503.0000000005372000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DUMPCAP.EXE

Source: C:\Users\user\Desktop\loader.exe	Window / User API: threadDelayed 3247			Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Window / User API: threadDelayed 2487			Jump to behavior

Source: C:\Users\user\Desktop\loader.exe TID: 1760

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\loader.exe	File opened / queried: C:\Windows\System32\drivers\vmmemctl.sys	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened / queried: C:\Windows\System32\drivers\vmhgfs.sys	Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	File opened / queried: C:\Windows\System32\drivers\vmmouse.sys	Jump to behavior

Source: C:\Users\user\Desktop\loader.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Users\user\Desktop\loader.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\loader.exe

System information queried: ModuleInformation

Jump to behavior

Source: loader.exe, 00000000.00000003.282692502.0000000000632000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: \??\C:\Windows\System32\drivers\vmmemctl.sys

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\loader.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect debuggers (CloseHandle check)

Source: C:\Users\user\Desktop\loader.exe

Handle closed: DEADC0DE

Source: C:\Users\user\Desktop\loader.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\loader.exe	Process queried: DebugObjectHandle			Jump to behavior

Source: C:\Users\user\Desktop\loader.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: loader.exe, 00000000.00000003.272407449.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.292218034.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.263600234.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.300046554.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.271260895.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.295344503.0000000005372000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tcpview.exe
Source: loader.exe, 00000000.00000003.272407449.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.292218034.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.263600234.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.300046554.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.271260895.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.295344503.0000000005372000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: lordpe.exe
Source: loader.exe, 00000000.00000003.272407449.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.292218034.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.263600234.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.300046554.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.271260895.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.295344503.0000000005372000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ollydbg.exe
Source: loader.exe, 00000000.00000003.272407449.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.292218034.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.263600234.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.300046554.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.271260895.0000000005372000.00000004.00000020.00020000.00000000.sdmp, loader.exe, 00000000.00000003.295344503.0000000005372000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: regmon.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Masquerading	1 Credential API Hooking	1 Query Registry	Remote Services	1 Credential API Hooking	Exfiltration Over Other Network Medium	1 Non-Standard Port	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	14 Virtualization/Sandbox Evasion	LSASS Memory	541 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	14 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	213 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
loader.exe	23%	Virustotal		Browse
loader.exe	17%	Metadefender		Browse
loader.exe	46%	ReversingLabs	Win64.Trojan.Phonzy

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
51.79.119.229	unknown	Canada	16276	OVHFR	false
51.79.119.228	unknown	Canada	16276	OVHFR	false
51.79.119.221	unknown	Canada	16276	OVHFR	false
51.79.119.230	unknown	Canada	16276	OVHFR	false
51.79.119.231	unknown	Canada	16276	OVHFR	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	679607
Start date and time: 06/08/202204:27:07	2022-08-06 04:27:07 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	loader.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.evad.winEXE@1/4@0/6
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115, 8.248.147.254, 8.248.115.254, 8.241.126.121, 8.253.95.120, 67.26.81.254, 173.222.108.210, 173.222.108.226
Excluded domains from analysis (whitelisted): www.bing.com, fg.download.windowsupdate.com.c.footprint.net, fs.microsoft.com, store-images.s-microsoft.com-c.edgekey.net, ctldl.windowsupdate.com, a767.dspw65.akamai.net, arc.msn.com, wu-bg-shim.trafficmanager.net, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:28:15	API Interceptor	1x Sleep call for process: loader.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
51.79.119.229	dmTIRVid3Q.exe	Get hash	malicious	Browse
	8fQoZiYq5t.exe	Get hash	malicious	Browse
	xzmHphquAP.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.GenericKD.46539420.31445.exe	Get hash	malicious	Browse
	GhsHZhMqmV.exe	Get hash	malicious	Browse
	His4jRklYe.exe	Get hash	malicious	Browse
	0DbGF14T3G.exe	Get hash	malicious	Browse
51.79.119.228	dmTIRVid3Q.exe	Get hash	malicious	Browse
	8fQoZiYq5t.exe	Get hash	malicious	Browse
	xzmHphquAP.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.GenericKD.46539420.31445.exe	Get hash	malicious	Browse
	GhsHZhMqmV.exe	Get hash	malicious	Browse
	His4jRklYe.exe	Get hash	malicious	Browse
	0DbGF14T3G.exe	Get hash	malicious	Browse
51.79.119.221	dmTIRVid3Q.exe	Get hash	malicious	Browse
	8fQoZiYq5t.exe	Get hash	malicious	Browse
	xzmHphquAP.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.GenericKD.46539420.31445.exe	Get hash	malicious	Browse
	GhsHZhMqmV.exe	Get hash	malicious	Browse
	His4jRklYe.exe	Get hash	malicious	Browse
	0DbGF14T3G.exe	Get hash	malicious	Browse
51.79.119.230	dmTIRVid3Q.exe	Get hash	malicious	Browse
	8fQoZiYq5t.exe	Get hash	malicious	Browse
	xzmHphquAP.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.GenericKD.46539420.31445.exe	Get hash	malicious	Browse
	GhsHZhMqmV.exe	Get hash	malicious	Browse
	His4jRklYe.exe	Get hash	malicious	Browse
	0DbGF14T3G.exe	Get hash	malicious	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
OVHFR	sOj0q7Np4V.exe	Get hash	malicious	Browse	149.56.27.47
	RYnLNlp3ys	Get hash	malicious	Browse	192.99.71.203
	KbqArOlW06.exe	Get hash	malicious	Browse	51.195.166.178
	NJid695aBy.exe	Get hash	malicious	Browse	51.91.51.170
	https://e44d0bcf771442d1b7f980fb69a85e9a.svc.dynamics.com/t/r/QxAD3OL-Kzz_3R2oEdDMSYxT1Y8B16o062ijyH6-f7Y	Get hash	malicious	Browse	51.91.236.193
	ssh-updater.sh	Get hash	malicious	Browse	37.187.87.141
	Lg3gn9y1Cj.exe	Get hash	malicious	Browse	51.81.194.202
	https://www.frontrush.com/FR_Web_App/Message/MessageTracking.aspx?code=ODYzOTUxNTsyNjM3ODcyODtSOzgxOTc7TA==-f+lhm4TMRSg=&redir=http://4267.s1oAXteFRf.beyondsm.com/?=accountsreceivable@seven.com.au	Get hash	malicious	Browse	51.210.3.236
	new artwork.exe	Get hash	malicious	Browse	151.80.78.96
	new artwork.exe	Get hash	malicious	Browse	151.80.78.96
	testfile.js	Get hash	malicious	Browse	213.186.33.19
	What_is_digital_contract_note (df).js	Get hash	malicious	Browse	188.165.135.193
	https://cdeusa.od2.vtiger.com/pages/8f3624gue6_98246trf7	Get hash	malicious	Browse	149.56.27.11
	https://objectstorage.eu-frankfurt-1.oraclecloud.com/n/fr7vvvtoichy/b/SHAR3P0IN7forVI3W/o/5star.html	Get hash	malicious	Browse	51.210.156.152
	http://r.newsletter.data-enrich.com	Get hash	malicious	Browse	46.105.126.224
	https://emelia.link/jrVdzeXIojl	Get hash	malicious	Browse	5.196.213.214
	Length_of_tenancy_agreements (zue).js	Get hash	malicious	Browse	213.186.33.19
	https://brawleyed-my.sharepoint.com:443/:o:/g/personal/pat_diaz_besd_org/Ek8mAaZEiZlEh3_TyUIqgmwBcChgMgalTBbpDY0zl8vn5w?e=5%3aA3aDr8&at=9	Get hash	malicious	Browse	51.210.32.103
	Difference_between_service_level_agreement_and_memorandum_of_understan (ey).js	Get hash	malicious	Browse	213.186.33.19
	tD0xQrHoVu.exe	Get hash	malicious	Browse	51.254.27.112
OVHFR	sOj0q7Np4V.exe	Get hash	malicious	Browse	149.56.27.47
	RYnLNlp3ys	Get hash	malicious	Browse	192.99.71.203
	KbqArOlW06.exe	Get hash	malicious	Browse	51.195.166.178
	NJid695aBy.exe	Get hash	malicious	Browse	51.91.51.170
	https://e44d0bcf771442d1b7f980fb69a85e9a.svc.dynamics.com/t/r/QxAD3OL-Kzz_3R2oEdDMSYxT1Y8B16o062ijyH6-f7Y	Get hash	malicious	Browse	51.91.236.193
	ssh-updater.sh	Get hash	malicious	Browse	37.187.87.141
	Lg3gn9y1Cj.exe	Get hash	malicious	Browse	51.81.194.202
	https://www.frontrush.com/FR_Web_App/Message/MessageTracking.aspx?code=ODYzOTUxNTsyNjM3ODcyODtSOzgxOTc7TA==-f+lhm4TMRSg=&redir=http://4267.s1oAXteFRf.beyondsm.com/?=accountsreceivable@seven.com.au	Get hash	malicious	Browse	51.210.3.236
	new artwork.exe	Get hash	malicious	Browse	151.80.78.96
	new artwork.exe	Get hash	malicious	Browse	151.80.78.96
	testfile.js	Get hash	malicious	Browse	213.186.33.19
	What_is_digital_contract_note (df).js	Get hash	malicious	Browse	188.165.135.193
	https://cdeusa.od2.vtiger.com/pages/8f3624gue6_98246trf7	Get hash	malicious	Browse	149.56.27.11
	https://objectstorage.eu-frankfurt-1.oraclecloud.com/n/fr7vvvtoichy/b/SHAR3P0IN7forVI3W/o/5star.html	Get hash	malicious	Browse	51.210.156.152
	http://r.newsletter.data-enrich.com	Get hash	malicious	Browse	46.105.126.224
	https://emelia.link/jrVdzeXIojl	Get hash	malicious	Browse	5.196.213.214
	Length_of_tenancy_agreements (zue).js	Get hash	malicious	Browse	213.186.33.19
	https://brawleyed-my.sharepoint.com:443/:o:/g/personal/pat_diaz_besd_org/Ek8mAaZEiZlEh3_TyUIqgmwBcChgMgalTBbpDY0zl8vn5w?e=5%3aA3aDr8&at=9	Get hash	malicious	Browse	51.210.32.103
	Difference_between_service_level_agreement_and_memorandum_of_understan (ey).js	Get hash	malicious	Browse	213.186.33.19
	tD0xQrHoVu.exe	Get hash	malicious	Browse	51.254.27.112

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f83f6d5d89b61b17f0d3863070323a34_d06ed635-68f6-4e9a-955c-4899f5f57b9a

Download File

Process:	C:\Users\user\Desktop\loader.exe
File Type:	data
Category:	dropped
Size (bytes):	2249
Entropy (8bit):	7.644646383207026
Encrypted:	false
SSDEEP:	48:4o/OwVUqbMxLUFq8g5bnF3RoIofFCRI2fqBaj:4o/tjbMx4cbnFhJWs8Baj
MD5:	F34CC48D39D75F0E8170A85E925F085F
SHA1:	9CB613D56269FD8420EAD7ADE1B1E064315334AF
SHA-256:	9B52B1D4D6CB0C7332A884F7DE4D52ADA49B71213359D0A0A5DC755187FABE51
SHA-512:	1088C204A04A1B7E565CFBF49A261478DA98B586DDFBCD15785DFC84654B05F5226E6C1EB0FE0EFC15725C34930D8E87D535659E140134BD41335F1B3A1365D3
Malicious:	false
Reputation:	low
Preview:	........%.......P.......................95505749-1328-4162-b38a-e051b523ca17.....................RSA1................%....F...:Ry...g.......pz..L......a...nu.....{.....,..'......}..l....3.6R..3............K.7%].].N.8`F.sYv.W..t.$R...a.#..K...m..I..W..8T.$.u.<.6.lG.q...&.D.......3.D.._..a.&<.L.5K....Oo.;,..oNkLV....2N.;....C..U..V#...2..}_..4.E.^.._.$....s..........................z..O......X......L...5...y....,...C.r.y.p.t.o.A.P.I. .P.r.i.v.a.t.e. .K.e.y....f...... .......F.5.G.........B..m..C...S.............. ....d.&......@t..].R..0..I...a. iAP.........{..55..<~.......%]....B...j.......+..m\|\....GR..JLP.Z!..B7).aT..\m.o.s....V.........j..E.b...k.Cz...i`.p......4q.=.st.h..f.[yW..jNnkU34..W..pU...g&(..v.Q0\|...V..G..d^...$..u[...w.......9`.p...x.....7D...M..R.....Et..U.`...:z..#.:=..q.4...........0G..@...`.ET4..i.,.._.....B.J=.X0^n.79..;.U..}9......V.........I.!W.'r........\.7....*.O,..wis.........}......C.G.KF\|.&.!.L.rU.v...R?<.....zK

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\Desktop\loader.exe
File Type:	Microsoft Cabinet archive data, 61712 bytes, 1 file
Category:	dropped
Size (bytes):	61712
Entropy (8bit):	7.995044632446497
Encrypted:	true
SSDEEP:	1536:gzjJiDImMsrjCtGLaexX/zL09mX/lZHIxs:gPJiDI/sr0Hexv/0S/zx
MD5:	589C442FC7A0C70DCA927115A700D41E
SHA1:	66A07DACE3AFBFD1AA07A47E6875BEAB62C4BB31
SHA-256:	2E5CB72E9EB43BAAFB6C6BFCC573AAC92F49A8064C483F9D378A9E8E781A526A
SHA-512:	1B5FA79E52BE495C42CF49618441FB7012E28C02E7A08A91DA9213DB3AB810F0E83485BC1DD5F625A47D0BA7CFCDD5EA50ACC9A8DCEBB39F048C40F01E94155B
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MSCF............,...................I........y.........Tf. .authroot.stl..W.`.4..CK..8U[...q.yL'sf!d.D..."2.2g.<dVI.!.....$).\...!2s..(...[.T7..{}...g....g.....w.km$.&\|..qe.n.8+..&...O...`...+..C......`h!0.I.(C..1Q*L.p..".s..B.....H......fUP@..5...(X#.t.2lX.>.y\|D.0Z0...M....I(.#.-... ...(.J....2..`.hO..{l+.bd7y.j..u.....3....<......3....s.T...._.'...%{v...s..............KgV.0..X=.A.9w9.Ea.x..........\.=.e.C2......9.......`.o... .......@pm.. a.....-M.....{...s.mW.....;.+...A......0.g..L9#.v.&O>./xSH.S.....GH.6.j...`2.(0g..... Lt........h4.iQ?....[.K.....uI......}.....d....M.....6q.Q~.0.\.'U^)`..u.....-........d..7...2.-.2+3.....A./.%Q...k...Q.,...H.B.%..O..x..5\...Hk.......B.';"Ym.'....X.l.E.6..a8.6..nq..x.r4..1t.....,..u.O..O.L...Uf...X.u.F .(.(.....".q...n{%U.-u....l6!....Z....~o0.}Q'.s.i....7...>4x...A.h.Mk].O.z.].6...53...b^;..>e..x.'1..\p.O.k..B1w..\|..K.R.....2.e0..X.^...I...w..!.v5B]x..z.6.G^uF..].b.W...'..I.;..p..@L{.E..@W..3.&...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\Desktop\loader.exe
File Type:	data
Category:	modified
Size (bytes):	326
Entropy (8bit):	3.1297566246827087
Encrypted:	false
SSDEEP:	6:kKI+N+SkQlPlEGYRMY9z+4KlDA3RUeWlEZ21:wNkPlE99SNxAhUeE1
MD5:	FBDB41C5DDAACA78BA5ECB1A0BEE5640
SHA1:	BC8BFC1D376958D61439422930850CD5F69F1805
SHA-256:	7D4BB9D9E727895C6EEA59FEA9C766799C120402D5490FA31831D1CF6CA4CE0C
SHA-512:	9AAB9746189C9A8B4B396BA2D825AEFDECAA68BD06943F6A7326978531C8F7B0BBE87B0CB995FFB30C65B7B93B74923AA94511FB88E3D91F907C9F3DCAB4DA03
Malicious:	false
Reputation:	low
Preview:	p...... ..........v.....(....................................................... .........L.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.9.f.4.c.9.6.9.8.b.d.8.1.:.0."...

C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\6D57A09278E9D03E442F152BE212C307E8475812

Download File

Process:	C:\Users\user\Desktop\loader.exe
File Type:	data
Category:	dropped
Size (bytes):	980
Entropy (8bit):	6.899463213878604
Encrypted:	false
SSDEEP:	24:8AgmQpZduzlC4bYs6PhUBoo2t7KKyNLcR9mMdmgmmCZwghn:819UoaJyWWlKKwIdX3E1n
MD5:	D38C7B9090AE1D5DC15821B44650C7AB
SHA1:	0AD315F5327304EE4E03D77DA8B67BDF9B076D9D
SHA-256:	1FB5BD89E9CE594F0B266F4B43B008A8DF122A139FD1F77379BE5FF6601F221F
SHA-512:	1C0594BC6F926BBDFAC00421AF11568EE2C69BCF2ECBC4EEA760757B6006B557DCAAEA25656F198C28C542D952653E7D06A60E12AD82A4D1870828A3522A239F
Malicious:	false
Reputation:	low
Preview:	.......................".l..3.............d.d.d.d.d...............m.i.c.r.o.s.o.f.t...............0...+...............l............... ...............9.5.5.0.5.7.4.9.-.1.3.2.8.-.4.1.6.2.-.b.3.8.a.-.e.0.5.1.b.5.2.3.c.a.1.7.....................mW..x..>D/.+.....GX. ...........0...0..........f./V...B......10....H........0.1.0...U....user at 4245050...220806112813Z..270806112813Z0.1.0...U....user at 4245050.."0....H.............0.............s....$._.^.E.4._}..2..#V..U..C....;.N2....VLkNo..,;.oO...K5.L.<&.a._..D.3.......D.&...q.Gl.6.<.u.$.T8..W..I..m...K..#.a..R$.t..W.vYs.F`8.N..].]%7.K............3..R6.3.....l..}......'..,....{.....un...a.......L...zp.......g...yR:...F....%.....0....H.............8.....g..k..'.Tar....F..L.'...u'...~g.A...<...Q.x.`!,..;..{..{..+..w..p..-.$.Z..}8,T....Hj........O0vyn[.'..xi_.H.k.\|r.U.=j1.U .Ew.t..y.v.'...LC..............~.2.4E<9.^.#.......-..k6.E.sVx..",.z...'..f.j..v..1....I}z!..:.G..H.E\|.8JC{;...\|.

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.956098799743011
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	loader.exe
File size:	9042944
MD5:	e5fd705d3e71f8305fa11e8d1cd2984e
SHA1:	551751a4e05ddc9fb3fc3989d50032c15b99caf9
SHA256:	557caa9cc31a834b807583b61c2b81a001962cd85419616c0f297d0c84b29d21
SHA512:	5b20a5ffe995f76f99714d9b0cce3e3a85f4b71440a76138039e6bf9854c08da0adbe6a3c08cead1bcb67c5302419574cef8c5ca87c3eab34a5f02c3a5311b0c
SSDEEP:	196608:Vs1m7bBPEAUdZzfjBDZ9AU84V0zFyWv6AJ5ypqetZ9j1:VWmh1YPBDZ9AnFCyNIfj1
TLSH:	A39623EFA1103768C01EC4345823BD49B1F6962E1EF88A6AB5DF7AC06F6E811D542F47
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....k.b..........#......v...&.......B.........@.......................................... ................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x140f54281
Entrypoint Section:	w^]>
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x62E46B1F [Fri Jul 29 23:19:59 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	15fd01fb7e6ca57c8d5b667e1bfac6f6

Entrypoint Preview

Instruction
push 69D78D6Dh
call 00007FB2D101DC7Fh
sub dword ptr [ebx-5D758BD8h], eax
or bl, ah
retf
wait
ret
or al, dl
or ecx, dword ptr [F425F3B7h]
movsd
mov byte ptr [edx], dl
and eax, 59B480F4h
fmulp st(3), st(0)
jmp far FBF8h : 74239330h
and ch, dl
retf
outsb
xchg eax, edx
adc al, FFFFFF8Bh
daa
push esp
das
sub dh, byte ptr [esi+ebp+742F3B55h]
xor eax, D334260Fh
sbb ah, byte ptr [esi]
ror ebx, 1
inc eax
wait
and al, DDh
or edi, dword ptr [edi+17F428DFh]
mov eax, 89F4283Eh
fdiv qword ptr [ebp-2Dh]
retf
mov al, byte ptr [742EBFF8h]
sbb byte ptr [ebx], bh
or al, D8h
retf
adc eax, 8BDDAC8Ah
cmpsb
mov bl, 37h
xchg dword ptr [edi+1Eh], esp
adc al, B3h
jns 00007FB2D0EBF82Ah
xchg eax, esp
push esi
adc dword ptr [edi-34068A59h], 0000A319h
push ebx
cwde
int 63h
mov ebp, BF44FEFAh
movsd
adc dword ptr [edi-2031AE10h], 65CF94F8h
pop eax
call 00007FB337BC01DFh
jnp 00007FB2D0EBF775h
insd
sub byte ptr [ebx+4F849E82h], ah
mov al, 2Eh
stosd
popfd
push ebp
aaa
mov edi, 2412C97Ah
inc ecx
movsb
sar ah, 1
push edi

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x93f5b8	0xc4f	w^]>
IMAGE_DIRECTORY_ENTRY_IMPORT	0xf167b0	0x2f8	w^]>
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x110e000	0x2e1	h`J?
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x10fc9e0	0x10a10	w^]>
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x966b30	0x48	w^]>
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x10fc8a0	0x138	w^]>
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x959000	0x2b0	w^]>
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
4uN%	0x1000	0xe74fe	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
A]zn	0xe9000	0x7ff6a	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
+/*9	0x169000	0xc4150	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
'x00	0x22e000	0xda7c	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
'IAL	0x23c000	0x631241	0x0	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
w^]>	0x86e000	0x89f3f0	0x89f400	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
h`J?	0x110e000	0x2e1	0x400	False	0.4013671875	data	4.307570076268581	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_MANIFEST	0x110e058	0x289	XML 1.0 document text	English	United States

Imports

DLL	Import
KERNEL32.dll	Wow64DisableWow64FsRedirection
USER32.dll	ShowWindow
GDI32.dll	DeleteObject
ADVAPI32.dll	RegSetKeyValueA
SHELL32.dll	SHGetKnownFolderPath
ole32.dll	CoCreateGuid
OLEAUT32.dll	VariantClear
ntdll.dll	NtSuspendThread
MSVCP140.dll	?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
SHLWAPI.dll	PathRemoveFileSpecA
IMM32.dll	ImmSetCompositionWindow
WS2_32.dll	WSAGetLastError
CRYPT32.dll	CertAddCertificateContextToStore
Secur32.dll	InitSecurityInterfaceW
d3d11.dll	D3D11CreateDeviceAndSwapChain
D3DCOMPILER_47.dll	D3DCompile
gdiplus.dll	GdipFree
DNSAPI.dll	DnsNameCompare_W
RPCRT4.dll	UuidCreate
VCRUNTIME140_1.dll	__CxxFrameHandler4
VCRUNTIME140.dll	memmove
api-ms-win-crt-heap-l1-1-0.dll	_set_new_mode
api-ms-win-crt-runtime-l1-1-0.dll	_errno
api-ms-win-crt-stdio-l1-1-0.dll	_get_stream_buffer_pointers
api-ms-win-crt-string-l1-1-0.dll	isalnum
api-ms-win-crt-utility-l1-1-0.dll	rand
api-ms-win-crt-convert-l1-1-0.dll	strtof
api-ms-win-crt-filesystem-l1-1-0.dll	remove
api-ms-win-crt-time-l1-1-0.dll	_time64
api-ms-win-crt-math-l1-1-0.dll	powf
api-ms-win-crt-environment-l1-1-0.dll	getenv
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale
WTSAPI32.dll	WTSSendMessageW
KERNEL32.dll	GetSystemTimeAsFileTime
USER32.dll	GetUserObjectInformationW
KERNEL32.dll	LocalAlloc, LocalFree, GetModuleFileNameW, GetProcessAffinityMask, SetProcessAffinityMask, SetThreadAffinityMask, Sleep, ExitProcess, FreeLibrary, LoadLibraryA, GetModuleHandleA, GetProcAddress
USER32.dll	GetProcessWindowStation, GetUserObjectInformationW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 6, 2022 04:28:13.433515072 CEST	49735	13371	192.168.2.3	51.79.119.230
Aug 6, 2022 04:28:13.433659077 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:28:13.538110971 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:28:13.538678885 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:28:13.539931059 CEST	13371	49735	51.79.119.230	192.168.2.3
Aug 6, 2022 04:28:14.178667068 CEST	49735	13371	192.168.2.3	51.79.119.230
Aug 6, 2022 04:28:14.285240889 CEST	13371	49735	51.79.119.230	192.168.2.3
Aug 6, 2022 04:28:14.631762028 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:28:14.736622095 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:28:14.768516064 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:28:14.788032055 CEST	49735	13371	192.168.2.3	51.79.119.230
Aug 6, 2022 04:28:14.896356106 CEST	13371	49735	51.79.119.230	192.168.2.3
Aug 6, 2022 04:28:14.897473097 CEST	49744	13371	192.168.2.3	51.79.119.229
Aug 6, 2022 04:28:14.933604956 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:28:15.001610041 CEST	13371	49744	51.79.119.229	192.168.2.3
Aug 6, 2022 04:28:15.002943993 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:28:15.016450882 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:28:15.121400118 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:28:15.334917068 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:28:15.433712959 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:28:15.433820963 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:28:15.678740025 CEST	49744	13371	192.168.2.3	51.79.119.229
Aug 6, 2022 04:28:15.783205032 CEST	13371	49744	51.79.119.229	192.168.2.3
Aug 6, 2022 04:28:16.131970882 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:28:16.236836910 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:28:16.288161039 CEST	49744	13371	192.168.2.3	51.79.119.229
Aug 6, 2022 04:28:16.393563986 CEST	13371	49744	51.79.119.229	192.168.2.3
Aug 6, 2022 04:28:16.452487946 CEST	49747	13371	192.168.2.3	51.79.119.228
Aug 6, 2022 04:28:16.559268951 CEST	13371	49747	51.79.119.228	192.168.2.3
Aug 6, 2022 04:28:16.979001999 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:28:17.086649895 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:28:17.131998062 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:28:17.178889036 CEST	49747	13371	192.168.2.3	51.79.119.228
Aug 6, 2022 04:28:17.286429882 CEST	13371	49747	51.79.119.228	192.168.2.3
Aug 6, 2022 04:28:17.301624060 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:28:17.406037092 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:28:17.522602081 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:28:17.788279057 CEST	49747	13371	192.168.2.3	51.79.119.228
Aug 6, 2022 04:28:17.895164013 CEST	13371	49747	51.79.119.228	192.168.2.3
Aug 6, 2022 04:28:17.896352053 CEST	49748	13371	192.168.2.3	51.79.119.221
Aug 6, 2022 04:28:17.994832993 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:28:18.000715017 CEST	13371	49748	51.79.119.221	192.168.2.3
Aug 6, 2022 04:28:18.152419090 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:28:18.585171938 CEST	49748	13371	192.168.2.3	51.79.119.221
Aug 6, 2022 04:28:18.689703941 CEST	13371	49748	51.79.119.221	192.168.2.3
Aug 6, 2022 04:28:19.282669067 CEST	49748	13371	192.168.2.3	51.79.119.221
Aug 6, 2022 04:28:19.335388899 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:28:19.387276888 CEST	13371	49748	51.79.119.221	192.168.2.3
Aug 6, 2022 04:28:19.439780951 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:28:20.522902966 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:28:20.627474070 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:28:21.632378101 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:28:21.736681938 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:28:22.015671968 CEST	49749	13371	192.168.2.3	51.79.119.230
Aug 6, 2022 04:28:22.124047995 CEST	13371	49749	51.79.119.230	192.168.2.3
Aug 6, 2022 04:28:22.635829926 CEST	49749	13371	192.168.2.3	51.79.119.230
Aug 6, 2022 04:28:22.744920969 CEST	13371	49749	51.79.119.230	192.168.2.3
Aug 6, 2022 04:28:22.835557938 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:28:22.939927101 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:28:23.335596085 CEST	49749	13371	192.168.2.3	51.79.119.230
Aug 6, 2022 04:28:23.444709063 CEST	13371	49749	51.79.119.230	192.168.2.3
Aug 6, 2022 04:28:23.811834097 CEST	49750	13371	192.168.2.3	51.79.119.229
Aug 6, 2022 04:28:23.918912888 CEST	13371	49750	51.79.119.229	192.168.2.3
Aug 6, 2022 04:28:24.023243904 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:28:24.127542019 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:28:24.492155075 CEST	49750	13371	192.168.2.3	51.79.119.229
Aug 6, 2022 04:28:24.599430084 CEST	13371	49750	51.79.119.229	192.168.2.3
Aug 6, 2022 04:28:25.132746935 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:28:25.176233053 CEST	49750	13371	192.168.2.3	51.79.119.229
Aug 6, 2022 04:28:25.237627983 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:28:25.283571959 CEST	13371	49750	51.79.119.229	192.168.2.3
Aug 6, 2022 04:28:25.569619894 CEST	49751	13371	192.168.2.3	51.79.119.228
Aug 6, 2022 04:28:25.672688007 CEST	13371	49751	51.79.119.228	192.168.2.3
Aug 6, 2022 04:28:26.335875034 CEST	49751	13371	192.168.2.3	51.79.119.228
Aug 6, 2022 04:28:26.337289095 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:28:26.440452099 CEST	13371	49751	51.79.119.228	192.168.2.3
Aug 6, 2022 04:28:26.441461086 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:28:27.023390055 CEST	49751	13371	192.168.2.3	51.79.119.228
Aug 6, 2022 04:28:27.126451969 CEST	13371	49751	51.79.119.228	192.168.2.3
Aug 6, 2022 04:28:27.242733002 CEST	49752	13371	192.168.2.3	51.79.119.221
Aug 6, 2022 04:28:27.348345995 CEST	13371	49752	51.79.119.221	192.168.2.3
Aug 6, 2022 04:28:27.523454905 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:28:27.627635002 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:28:27.992371082 CEST	49752	13371	192.168.2.3	51.79.119.221
Aug 6, 2022 04:28:28.097898960 CEST	13371	49752	51.79.119.221	192.168.2.3
Aug 6, 2022 04:28:28.634192944 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:28:28.738545895 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:28:28.789309025 CEST	49752	13371	192.168.2.3	51.79.119.221
Aug 6, 2022 04:28:28.894906998 CEST	13371	49752	51.79.119.221	192.168.2.3
Aug 6, 2022 04:28:29.836213112 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:28:29.940418959 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:28:31.023808956 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:28:31.127978086 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:28:31.535465956 CEST	49753	13371	192.168.2.3	51.79.119.230
Aug 6, 2022 04:28:31.641992092 CEST	13371	49753	51.79.119.230	192.168.2.3
Aug 6, 2022 04:28:32.133248091 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:28:32.237550020 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:28:32.336344957 CEST	49753	13371	192.168.2.3	51.79.119.230
Aug 6, 2022 04:28:32.444093943 CEST	13371	49753	51.79.119.230	192.168.2.3
Aug 6, 2022 04:28:33.023994923 CEST	49753	13371	192.168.2.3	51.79.119.230
Aug 6, 2022 04:28:33.130862951 CEST	13371	49753	51.79.119.230	192.168.2.3
Aug 6, 2022 04:28:33.255003929 CEST	49754	13371	192.168.2.3	51.79.119.229
Aug 6, 2022 04:28:33.336509943 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:28:33.359460115 CEST	13371	49754	51.79.119.229	192.168.2.3
Aug 6, 2022 04:28:33.440663099 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:28:33.992784023 CEST	49754	13371	192.168.2.3	51.79.119.229
Aug 6, 2022 04:28:34.096923113 CEST	13371	49754	51.79.119.229	192.168.2.3
Aug 6, 2022 04:28:34.524113894 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:28:34.628261089 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:28:34.680408955 CEST	49754	13371	192.168.2.3	51.79.119.229
Aug 6, 2022 04:28:34.784492016 CEST	13371	49754	51.79.119.229	192.168.2.3
Aug 6, 2022 04:28:34.791198969 CEST	49755	13371	192.168.2.3	51.79.119.228
Aug 6, 2022 04:28:34.893789053 CEST	13371	49755	51.79.119.228	192.168.2.3
Aug 6, 2022 04:28:35.524251938 CEST	49755	13371	192.168.2.3	51.79.119.228
Aug 6, 2022 04:28:35.626804113 CEST	13371	49755	51.79.119.228	192.168.2.3
Aug 6, 2022 04:28:35.633516073 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:28:35.738217115 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:28:36.133605957 CEST	49755	13371	192.168.2.3	51.79.119.228
Aug 6, 2022 04:28:36.236296892 CEST	13371	49755	51.79.119.228	192.168.2.3
Aug 6, 2022 04:28:36.237126112 CEST	49756	13371	192.168.2.3	51.79.119.221
Aug 6, 2022 04:28:36.340725899 CEST	13371	49756	51.79.119.221	192.168.2.3
Aug 6, 2022 04:28:36.836761951 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:28:36.941016912 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:28:37.024295092 CEST	49756	13371	192.168.2.3	51.79.119.221
Aug 6, 2022 04:28:37.128036022 CEST	13371	49756	51.79.119.221	192.168.2.3
Aug 6, 2022 04:28:37.633675098 CEST	49756	13371	192.168.2.3	51.79.119.221
Aug 6, 2022 04:28:37.737518072 CEST	13371	49756	51.79.119.221	192.168.2.3
Aug 6, 2022 04:28:38.024750948 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:28:38.129067898 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:28:39.133862972 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:28:39.238286972 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:28:40.337090015 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:28:40.401993990 CEST	49757	13371	192.168.2.3	51.79.119.230
Aug 6, 2022 04:28:40.441322088 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:28:40.508578062 CEST	13371	49757	51.79.119.230	192.168.2.3
Aug 6, 2022 04:28:41.180937052 CEST	49757	13371	192.168.2.3	51.79.119.230
Aug 6, 2022 04:28:41.287504911 CEST	13371	49757	51.79.119.230	192.168.2.3
Aug 6, 2022 04:28:41.524677038 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:28:41.628787994 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:28:41.790416956 CEST	49757	13371	192.168.2.3	51.79.119.230
Aug 6, 2022 04:28:41.897430897 CEST	13371	49757	51.79.119.230	192.168.2.3
Aug 6, 2022 04:28:41.919681072 CEST	49758	13371	192.168.2.3	51.79.119.229
Aug 6, 2022 04:28:42.022465944 CEST	13371	49758	51.79.119.229	192.168.2.3
Aug 6, 2022 04:28:42.525074959 CEST	49758	13371	192.168.2.3	51.79.119.229
Aug 6, 2022 04:28:42.628040075 CEST	13371	49758	51.79.119.229	192.168.2.3
Aug 6, 2022 04:28:42.634152889 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:28:42.738465071 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:28:43.134181976 CEST	49758	13371	192.168.2.3	51.79.119.229
Aug 6, 2022 04:28:43.237062931 CEST	13371	49758	51.79.119.229	192.168.2.3
Aug 6, 2022 04:28:43.284308910 CEST	49759	13371	192.168.2.3	51.79.119.228
Aug 6, 2022 04:28:43.393093109 CEST	13371	49759	51.79.119.228	192.168.2.3
Aug 6, 2022 04:28:43.852987051 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:28:43.957339048 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:28:43.993602037 CEST	49759	13371	192.168.2.3	51.79.119.228
Aug 6, 2022 04:28:44.102348089 CEST	13371	49759	51.79.119.228	192.168.2.3
Aug 6, 2022 04:28:44.681224108 CEST	49759	13371	192.168.2.3	51.79.119.228
Aug 6, 2022 04:28:44.789994955 CEST	13371	49759	51.79.119.228	192.168.2.3
Aug 6, 2022 04:28:44.801239967 CEST	49760	13371	192.168.2.3	51.79.119.221
Aug 6, 2022 04:28:44.905896902 CEST	13371	49760	51.79.119.221	192.168.2.3
Aug 6, 2022 04:28:45.024988890 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:28:45.129204988 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:28:45.493753910 CEST	49760	13371	192.168.2.3	51.79.119.221
Aug 6, 2022 04:28:45.599776983 CEST	13371	49760	51.79.119.221	192.168.2.3
Aug 6, 2022 04:28:46.113070965 CEST	49760	13371	192.168.2.3	51.79.119.221
Aug 6, 2022 04:28:46.134428024 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:28:46.217415094 CEST	13371	49760	51.79.119.221	192.168.2.3
Aug 6, 2022 04:28:46.238492012 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:28:47.337665081 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:28:47.442213058 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:28:48.525995970 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:28:48.630439997 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:28:49.234345913 CEST	49773	13371	192.168.2.3	51.79.119.230
Aug 6, 2022 04:28:49.339004993 CEST	13371	49773	51.79.119.230	192.168.2.3
Aug 6, 2022 04:28:49.837850094 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:28:49.942184925 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:28:50.025459051 CEST	49773	13371	192.168.2.3	51.79.119.230
Aug 6, 2022 04:28:50.130079031 CEST	13371	49773	51.79.119.230	192.168.2.3
Aug 6, 2022 04:28:50.634886980 CEST	49773	13371	192.168.2.3	51.79.119.230
Aug 6, 2022 04:28:50.739557981 CEST	13371	49773	51.79.119.230	192.168.2.3
Aug 6, 2022 04:28:50.740514994 CEST	49776	13371	192.168.2.3	51.79.119.229
Aug 6, 2022 04:28:50.846961975 CEST	13371	49776	51.79.119.229	192.168.2.3
Aug 6, 2022 04:28:51.025500059 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:28:51.129987955 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:28:51.525899887 CEST	49776	13371	192.168.2.3	51.79.119.229
Aug 6, 2022 04:28:51.632806063 CEST	13371	49776	51.79.119.229	192.168.2.3
Aug 6, 2022 04:28:52.134939909 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:28:52.135008097 CEST	49776	13371	192.168.2.3	51.79.119.229
Aug 6, 2022 04:28:52.239343882 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:28:52.241507053 CEST	13371	49776	51.79.119.229	192.168.2.3
Aug 6, 2022 04:28:52.305687904 CEST	49777	13371	192.168.2.3	51.79.119.228
Aug 6, 2022 04:28:52.410505056 CEST	13371	49777	51.79.119.228	192.168.2.3
Aug 6, 2022 04:28:52.936572075 CEST	49777	13371	192.168.2.3	51.79.119.228
Aug 6, 2022 04:28:53.041347027 CEST	13371	49777	51.79.119.228	192.168.2.3
Aug 6, 2022 04:28:53.338205099 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:28:53.442720890 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:28:53.682023048 CEST	49777	13371	192.168.2.3	51.79.119.228
Aug 6, 2022 04:28:53.786644936 CEST	13371	49777	51.79.119.228	192.168.2.3
Aug 6, 2022 04:28:53.787642002 CEST	49778	13371	192.168.2.3	51.79.119.221
Aug 6, 2022 04:28:53.891818047 CEST	13371	49778	51.79.119.221	192.168.2.3
Aug 6, 2022 04:28:54.525803089 CEST	49778	13371	192.168.2.3	51.79.119.221
Aug 6, 2022 04:28:54.527787924 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:28:54.630106926 CEST	13371	49778	51.79.119.221	192.168.2.3
Aug 6, 2022 04:28:54.631800890 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:28:55.135181904 CEST	49778	13371	192.168.2.3	51.79.119.221
Aug 6, 2022 04:28:55.242027998 CEST	13371	49778	51.79.119.221	192.168.2.3
Aug 6, 2022 04:28:55.650227070 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:28:55.754558086 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:28:56.838515997 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:28:56.942893982 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:28:57.855519056 CEST	49780	13371	192.168.2.3	51.79.119.230
Aug 6, 2022 04:28:57.961654902 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:28:57.961850882 CEST	13371	49780	51.79.119.230	192.168.2.3
Aug 6, 2022 04:28:58.068382025 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:28:58.463630915 CEST	49780	13371	192.168.2.3	51.79.119.230
Aug 6, 2022 04:28:58.568161011 CEST	13371	49780	51.79.119.230	192.168.2.3
Aug 6, 2022 04:28:59.073039055 CEST	49780	13371	192.168.2.3	51.79.119.230
Aug 6, 2022 04:28:59.073568106 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:28:59.177874088 CEST	13371	49780	51.79.119.230	192.168.2.3
Aug 6, 2022 04:28:59.177937031 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:28:59.178972006 CEST	49781	13371	192.168.2.3	51.79.119.229
Aug 6, 2022 04:28:59.281918049 CEST	13371	49781	51.79.119.229	192.168.2.3
Aug 6, 2022 04:28:59.791955948 CEST	49781	13371	192.168.2.3	51.79.119.229
Aug 6, 2022 04:28:59.894921064 CEST	13371	49781	51.79.119.229	192.168.2.3
Aug 6, 2022 04:29:00.182595015 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:29:00.287637949 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:29:00.401321888 CEST	49781	13371	192.168.2.3	51.79.119.229
Aug 6, 2022 04:29:00.504385948 CEST	13371	49781	51.79.119.229	192.168.2.3
Aug 6, 2022 04:29:00.508431911 CEST	49782	13371	192.168.2.3	51.79.119.228
Aug 6, 2022 04:29:00.616215944 CEST	13371	49782	51.79.119.228	192.168.2.3
Aug 6, 2022 04:29:01.120477915 CEST	49782	13371	192.168.2.3	51.79.119.228
Aug 6, 2022 04:29:01.229336977 CEST	13371	49782	51.79.119.228	192.168.2.3
Aug 6, 2022 04:29:01.292026997 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:29:01.396235943 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:29:01.745176077 CEST	49782	13371	192.168.2.3	51.79.119.228
Aug 6, 2022 04:29:01.852417946 CEST	13371	49782	51.79.119.228	192.168.2.3
Aug 6, 2022 04:29:01.853696108 CEST	49783	13371	192.168.2.3	51.79.119.221
Aug 6, 2022 04:29:01.957572937 CEST	13371	49783	51.79.119.221	192.168.2.3
Aug 6, 2022 04:29:02.401511908 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:29:02.464049101 CEST	49783	13371	192.168.2.3	51.79.119.221
Aug 6, 2022 04:29:02.505744934 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:29:02.567755938 CEST	13371	49783	51.79.119.221	192.168.2.3
Aug 6, 2022 04:29:03.074958086 CEST	49783	13371	192.168.2.3	51.79.119.221
Aug 6, 2022 04:29:03.178724051 CEST	13371	49783	51.79.119.221	192.168.2.3
Aug 6, 2022 04:29:03.511013031 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:29:03.615344048 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:29:04.636346102 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:29:04.740853071 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:29:05.747042894 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:29:05.793253899 CEST	49784	13371	192.168.2.3	51.79.119.230
Aug 6, 2022 04:29:05.851509094 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:29:05.900557995 CEST	13371	49784	51.79.119.230	192.168.2.3
Aug 6, 2022 04:29:06.417447090 CEST	49784	13371	192.168.2.3	51.79.119.230
Aug 6, 2022 04:29:06.525755882 CEST	13371	49784	51.79.119.230	192.168.2.3
Aug 6, 2022 04:29:06.870546103 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:29:06.974663019 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:29:07.026844025 CEST	49784	13371	192.168.2.3	51.79.119.230
Aug 6, 2022 04:29:07.135468960 CEST	13371	49784	51.79.119.230	192.168.2.3
Aug 6, 2022 04:29:07.138068914 CEST	49785	13371	192.168.2.3	51.79.119.229
Aug 6, 2022 04:29:07.246248960 CEST	13371	49785	51.79.119.229	192.168.2.3
Aug 6, 2022 04:29:07.761236906 CEST	49785	13371	192.168.2.3	51.79.119.229
Aug 6, 2022 04:29:07.869488955 CEST	13371	49785	51.79.119.229	192.168.2.3
Aug 6, 2022 04:29:07.980192900 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:29:08.084619045 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:29:08.370748997 CEST	49785	13371	192.168.2.3	51.79.119.229
Aug 6, 2022 04:29:08.479125977 CEST	13371	49785	51.79.119.229	192.168.2.3
Aug 6, 2022 04:29:08.482940912 CEST	49786	13371	192.168.2.3	51.79.119.228
Aug 6, 2022 04:29:08.588738918 CEST	13371	49786	51.79.119.228	192.168.2.3
Aug 6, 2022 04:29:09.089545965 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:29:09.091058969 CEST	49786	13371	192.168.2.3	51.79.119.228
Aug 6, 2022 04:29:09.194020987 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:29:09.195595026 CEST	13371	49786	51.79.119.228	192.168.2.3
Aug 6, 2022 04:29:09.702451944 CEST	49786	13371	192.168.2.3	51.79.119.228
Aug 6, 2022 04:29:09.807109118 CEST	13371	49786	51.79.119.228	192.168.2.3
Aug 6, 2022 04:29:09.810090065 CEST	49787	13371	192.168.2.3	51.79.119.221
Aug 6, 2022 04:29:09.914737940 CEST	13371	49787	51.79.119.221	192.168.2.3
Aug 6, 2022 04:29:10.199059010 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:29:10.303256035 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:29:10.417860985 CEST	49787	13371	192.168.2.3	51.79.119.221
Aug 6, 2022 04:29:10.522178888 CEST	13371	49787	51.79.119.221	192.168.2.3
Aug 6, 2022 04:29:11.027159929 CEST	49787	13371	192.168.2.3	51.79.119.221
Aug 6, 2022 04:29:11.131395102 CEST	13371	49787	51.79.119.221	192.168.2.3
Aug 6, 2022 04:29:11.308569908 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:29:11.413803101 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:29:12.433593035 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:29:12.538036108 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:29:13.636929989 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:29:13.742149115 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:29:14.308480024 CEST	49788	13371	192.168.2.3	51.79.119.230
Aug 6, 2022 04:29:14.415988922 CEST	13371	49788	51.79.119.230	192.168.2.3
Aug 6, 2022 04:29:14.840033054 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:29:14.944365978 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:29:15.027637005 CEST	49788	13371	192.168.2.3	51.79.119.230
Aug 6, 2022 04:29:15.134900093 CEST	13371	49788	51.79.119.230	192.168.2.3
Aug 6, 2022 04:29:15.637034893 CEST	49788	13371	192.168.2.3	51.79.119.230
Aug 6, 2022 04:29:15.744343996 CEST	13371	49788	51.79.119.230	192.168.2.3
Aug 6, 2022 04:29:15.745733976 CEST	49789	13371	192.168.2.3	51.79.119.229
Aug 6, 2022 04:29:15.848807096 CEST	13371	49789	51.79.119.229	192.168.2.3
Aug 6, 2022 04:29:16.027930021 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:29:16.132250071 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:29:16.527714014 CEST	49789	13371	192.168.2.3	51.79.119.229
Aug 6, 2022 04:29:16.630913019 CEST	13371	49789	51.79.119.229	192.168.2.3
Aug 6, 2022 04:29:17.137079954 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:29:17.137744904 CEST	49789	13371	192.168.2.3	51.79.119.229
Aug 6, 2022 04:29:17.240731955 CEST	13371	49789	51.79.119.229	192.168.2.3
Aug 6, 2022 04:29:17.241189957 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:29:17.241756916 CEST	49790	13371	192.168.2.3	51.79.119.228
Aug 6, 2022 04:29:17.344954014 CEST	13371	49790	51.79.119.228	192.168.2.3
Aug 6, 2022 04:29:18.004869938 CEST	49790	13371	192.168.2.3	51.79.119.228
Aug 6, 2022 04:29:18.108088017 CEST	13371	49790	51.79.119.228	192.168.2.3
Aug 6, 2022 04:29:18.340291023 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:29:18.444552898 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:29:18.637254000 CEST	49790	13371	192.168.2.3	51.79.119.228
Aug 6, 2022 04:29:18.740466118 CEST	13371	49790	51.79.119.228	192.168.2.3
Aug 6, 2022 04:29:18.741583109 CEST	49791	13371	192.168.2.3	51.79.119.221
Aug 6, 2022 04:29:18.846404076 CEST	13371	49791	51.79.119.221	192.168.2.3
Aug 6, 2022 04:29:19.527997971 CEST	49791	13371	192.168.2.3	51.79.119.221
Aug 6, 2022 04:29:19.528110981 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:29:19.632323027 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:29:19.632756948 CEST	13371	49791	51.79.119.221	192.168.2.3
Aug 6, 2022 04:29:20.137492895 CEST	49791	13371	192.168.2.3	51.79.119.221
Aug 6, 2022 04:29:20.242341042 CEST	13371	49791	51.79.119.221	192.168.2.3
Aug 6, 2022 04:29:20.637355089 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:29:20.741724014 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:29:21.840771914 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:29:21.945199013 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:29:22.858535051 CEST	49799	13371	192.168.2.3	51.79.119.230
Aug 6, 2022 04:29:22.965043068 CEST	13371	49799	51.79.119.230	192.168.2.3
Aug 6, 2022 04:29:23.033432961 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:29:23.137619019 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:29:23.528229952 CEST	49799	13371	192.168.2.3	51.79.119.230
Aug 6, 2022 04:29:23.634654999 CEST	13371	49799	51.79.119.230	192.168.2.3
Aug 6, 2022 04:29:24.137680054 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:29:24.137681007 CEST	49799	13371	192.168.2.3	51.79.119.230
Aug 6, 2022 04:29:24.241791964 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:29:24.243995905 CEST	13371	49799	51.79.119.230	192.168.2.3
Aug 6, 2022 04:29:24.246735096 CEST	49804	13371	192.168.2.3	51.79.119.229
Aug 6, 2022 04:29:24.353260040 CEST	13371	49804	51.79.119.229	192.168.2.3
Aug 6, 2022 04:29:25.028367043 CEST	49804	13371	192.168.2.3	51.79.119.229
Aug 6, 2022 04:29:25.135104895 CEST	13371	49804	51.79.119.229	192.168.2.3
Aug 6, 2022 04:29:25.340877056 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:29:25.445031881 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:29:25.638138056 CEST	49804	13371	192.168.2.3	51.79.119.229
Aug 6, 2022 04:29:25.744838953 CEST	13371	49804	51.79.119.229	192.168.2.3
Aug 6, 2022 04:29:25.746140003 CEST	49809	13371	192.168.2.3	51.79.119.228
Aug 6, 2022 04:29:25.853046894 CEST	13371	49809	51.79.119.228	192.168.2.3
Aug 6, 2022 04:29:26.434751034 CEST	49809	13371	192.168.2.3	51.79.119.228
Aug 6, 2022 04:29:26.528508902 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:29:26.541554928 CEST	13371	49809	51.79.119.228	192.168.2.3
Aug 6, 2022 04:29:26.632563114 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:29:27.137959003 CEST	49809	13371	192.168.2.3	51.79.119.228
Aug 6, 2022 04:29:27.246392965 CEST	13371	49809	51.79.119.228	192.168.2.3
Aug 6, 2022 04:29:27.247489929 CEST	49815	13371	192.168.2.3	51.79.119.221
Aug 6, 2022 04:29:27.351775885 CEST	13371	49815	51.79.119.221	192.168.2.3
Aug 6, 2022 04:29:27.638005972 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:29:27.742449999 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:29:28.028856993 CEST	49815	13371	192.168.2.3	51.79.119.221
Aug 6, 2022 04:29:28.133390903 CEST	13371	49815	51.79.119.221	192.168.2.3
Aug 6, 2022 04:29:28.638088942 CEST	49815	13371	192.168.2.3	51.79.119.221
Aug 6, 2022 04:29:28.742456913 CEST	13371	49815	51.79.119.221	192.168.2.3
Aug 6, 2022 04:29:28.841187954 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:29:28.945487022 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:29:30.028881073 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:29:30.133136034 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:29:31.138366938 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:29:31.242877007 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:29:31.358063936 CEST	49823	13371	192.168.2.3	51.79.119.230
Aug 6, 2022 04:29:31.464970112 CEST	13371	49823	51.79.119.230	192.168.2.3
Aug 6, 2022 04:29:31.995776892 CEST	49823	13371	192.168.2.3	51.79.119.230
Aug 6, 2022 04:29:32.102514029 CEST	13371	49823	51.79.119.230	192.168.2.3
Aug 6, 2022 04:29:32.341538906 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:29:32.445817947 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:29:32.638453960 CEST	49823	13371	192.168.2.3	51.79.119.230
Aug 6, 2022 04:29:32.745194912 CEST	13371	49823	51.79.119.230	192.168.2.3
Aug 6, 2022 04:29:32.746085882 CEST	49825	13371	192.168.2.3	51.79.119.229
Aug 6, 2022 04:29:32.854604959 CEST	13371	49825	51.79.119.229	192.168.2.3
Aug 6, 2022 04:29:33.529999018 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:29:33.530075073 CEST	49825	13371	192.168.2.3	51.79.119.229
Aug 6, 2022 04:29:33.634241104 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:29:33.638686895 CEST	13371	49825	51.79.119.229	192.168.2.3
Aug 6, 2022 04:29:34.341705084 CEST	49825	13371	192.168.2.3	51.79.119.229
Aug 6, 2022 04:29:34.450187922 CEST	13371	49825	51.79.119.229	192.168.2.3
Aug 6, 2022 04:29:34.452804089 CEST	49827	13371	192.168.2.3	51.79.119.228
Aug 6, 2022 04:29:34.557420969 CEST	13371	49827	51.79.119.228	192.168.2.3
Aug 6, 2022 04:29:34.638804913 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:29:34.743002892 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:29:35.138668060 CEST	49827	13371	192.168.2.3	51.79.119.228
Aug 6, 2022 04:29:35.243246078 CEST	13371	49827	51.79.119.228	192.168.2.3
Aug 6, 2022 04:29:35.794509888 CEST	49827	13371	192.168.2.3	51.79.119.228
Aug 6, 2022 04:29:35.842052937 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:29:35.898917913 CEST	13371	49827	51.79.119.228	192.168.2.3
Aug 6, 2022 04:29:35.899797916 CEST	49830	13371	192.168.2.3	51.79.119.221
Aug 6, 2022 04:29:35.946193933 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:29:36.002377033 CEST	13371	49830	51.79.119.221	192.168.2.3
Aug 6, 2022 04:29:36.529520988 CEST	49830	13371	192.168.2.3	51.79.119.221
Aug 6, 2022 04:29:36.632483006 CEST	13371	49830	51.79.119.221	192.168.2.3
Aug 6, 2022 04:29:37.029422045 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:29:37.134407043 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:29:37.138792038 CEST	49830	13371	192.168.2.3	51.79.119.221
Aug 6, 2022 04:29:37.241576910 CEST	13371	49830	51.79.119.221	192.168.2.3
Aug 6, 2022 04:29:38.138859034 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:29:39.138948917 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:29:39.243180037 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:29:39.927563906 CEST	49837	13371	192.168.2.3	51.79.119.230
Aug 6, 2022 04:29:40.030891895 CEST	13371	49837	51.79.119.230	192.168.2.3
Aug 6, 2022 04:29:40.342642069 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:29:40.446908951 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:29:40.639121056 CEST	49837	13371	192.168.2.3	51.79.119.230
Aug 6, 2022 04:29:40.743141890 CEST	13371	49837	51.79.119.230	192.168.2.3
Aug 6, 2022 04:29:41.342282057 CEST	49837	13371	192.168.2.3	51.79.119.230
Aug 6, 2022 04:29:41.445363045 CEST	13371	49837	51.79.119.230	192.168.2.3
Aug 6, 2022 04:29:41.448837996 CEST	49838	13371	192.168.2.3	51.79.119.229
Aug 6, 2022 04:29:41.529788971 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:29:41.551444054 CEST	13371	49838	51.79.119.229	192.168.2.3
Aug 6, 2022 04:29:41.634052992 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:29:42.139261961 CEST	49838	13371	192.168.2.3	51.79.119.229
Aug 6, 2022 04:29:42.241888046 CEST	13371	49838	51.79.119.229	192.168.2.3
Aug 6, 2022 04:29:42.639331102 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:29:42.743673086 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:29:42.842365980 CEST	49838	13371	192.168.2.3	51.79.119.229
Aug 6, 2022 04:29:42.944947004 CEST	13371	49838	51.79.119.229	192.168.2.3
Aug 6, 2022 04:29:42.945808887 CEST	49840	13371	192.168.2.3	51.79.119.228
Aug 6, 2022 04:29:43.052628994 CEST	13371	49840	51.79.119.228	192.168.2.3
Aug 6, 2022 04:29:43.639383078 CEST	49840	13371	192.168.2.3	51.79.119.228
Aug 6, 2022 04:29:43.746470928 CEST	13371	49840	51.79.119.228	192.168.2.3
Aug 6, 2022 04:29:43.842464924 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:29:43.946841955 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:29:44.342544079 CEST	49840	13371	192.168.2.3	51.79.119.228
Aug 6, 2022 04:29:44.449484110 CEST	13371	49840	51.79.119.228	192.168.2.3
Aug 6, 2022 04:29:44.452996016 CEST	49842	13371	192.168.2.3	51.79.119.221
Aug 6, 2022 04:29:44.561357021 CEST	13371	49842	51.79.119.221	192.168.2.3
Aug 6, 2022 04:29:45.030195951 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:29:45.134531021 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:29:45.139517069 CEST	49842	13371	192.168.2.3	51.79.119.221
Aug 6, 2022 04:29:45.247747898 CEST	13371	49842	51.79.119.221	192.168.2.3
Aug 6, 2022 04:29:45.842611074 CEST	49842	13371	192.168.2.3	51.79.119.221
Aug 6, 2022 04:29:45.951205969 CEST	13371	49842	51.79.119.221	192.168.2.3
Aug 6, 2022 04:29:46.139568090 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:29:46.243872881 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:29:47.342833042 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:29:47.447329998 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:29:48.546046019 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:29:48.650762081 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:29:48.918514967 CEST	49844	13371	192.168.2.3	51.79.119.230
Aug 6, 2022 04:29:49.023128033 CEST	13371	49844	51.79.119.230	192.168.2.3
Aug 6, 2022 04:29:49.639880896 CEST	49844	13371	192.168.2.3	51.79.119.230
Aug 6, 2022 04:29:49.744790077 CEST	13371	49844	51.79.119.230	192.168.2.3
Aug 6, 2022 04:29:49.842988968 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:29:49.947289944 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:29:50.343122005 CEST	49844	13371	192.168.2.3	51.79.119.230
Aug 6, 2022 04:29:50.447762966 CEST	13371	49844	51.79.119.230	192.168.2.3
Aug 6, 2022 04:29:50.449600935 CEST	49847	13371	192.168.2.3	51.79.119.229
Aug 6, 2022 04:29:50.556857109 CEST	13371	49847	51.79.119.229	192.168.2.3
Aug 6, 2022 04:29:51.030705929 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:29:51.138546944 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:29:51.140007973 CEST	49847	13371	192.168.2.3	51.79.119.229
Aug 6, 2022 04:29:51.246706963 CEST	13371	49847	51.79.119.229	192.168.2.3
Aug 6, 2022 04:29:51.843177080 CEST	49847	13371	192.168.2.3	51.79.119.229
Aug 6, 2022 04:29:51.950274944 CEST	13371	49847	51.79.119.229	192.168.2.3
Aug 6, 2022 04:29:51.951354980 CEST	49848	13371	192.168.2.3	51.79.119.228
Aug 6, 2022 04:29:52.054157019 CEST	13371	49848	51.79.119.228	192.168.2.3
Aug 6, 2022 04:29:52.140121937 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:29:52.244807959 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:29:52.640125990 CEST	49848	13371	192.168.2.3	51.79.119.228
Aug 6, 2022 04:29:52.742861032 CEST	13371	49848	51.79.119.228	192.168.2.3
Aug 6, 2022 04:29:53.343274117 CEST	49848	13371	192.168.2.3	51.79.119.228
Aug 6, 2022 04:29:53.343301058 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:29:53.446177006 CEST	13371	49848	51.79.119.228	192.168.2.3
Aug 6, 2022 04:29:53.447408915 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:29:53.448864937 CEST	49849	13371	192.168.2.3	51.79.119.221
Aug 6, 2022 04:29:53.551578999 CEST	13371	49849	51.79.119.221	192.168.2.3
Aug 6, 2022 04:29:54.140264034 CEST	49849	13371	192.168.2.3	51.79.119.221
Aug 6, 2022 04:29:54.243056059 CEST	13371	49849	51.79.119.221	192.168.2.3
Aug 6, 2022 04:29:54.530987978 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:29:54.635325909 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:29:54.843489885 CEST	49849	13371	192.168.2.3	51.79.119.221
Aug 6, 2022 04:29:54.946060896 CEST	13371	49849	51.79.119.221	192.168.2.3
Aug 6, 2022 04:29:55.640943050 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:29:55.745059013 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:29:56.843594074 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:29:56.947716951 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:29:57.548628092 CEST	49861	13371	192.168.2.3	51.79.119.230
Aug 6, 2022 04:29:57.651690960 CEST	13371	49861	51.79.119.230	192.168.2.3
Aug 6, 2022 04:29:58.031254053 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:29:58.135476112 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:29:58.162290096 CEST	49861	13371	192.168.2.3	51.79.119.230
Aug 6, 2022 04:29:58.265758038 CEST	13371	49861	51.79.119.230	192.168.2.3
Aug 6, 2022 04:29:58.765794039 CEST	49861	13371	192.168.2.3	51.79.119.230
Aug 6, 2022 04:29:58.868977070 CEST	13371	49861	51.79.119.230	192.168.2.3
Aug 6, 2022 04:29:58.870172024 CEST	49867	13371	192.168.2.3	51.79.119.229
Aug 6, 2022 04:29:58.973213911 CEST	13371	49867	51.79.119.229	192.168.2.3
Aug 6, 2022 04:29:59.140696049 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:29:59.244776011 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:29:59.484477997 CEST	49867	13371	192.168.2.3	51.79.119.229
Aug 6, 2022 04:29:59.587476015 CEST	13371	49867	51.79.119.229	192.168.2.3
Aug 6, 2022 04:30:00.093878984 CEST	49867	13371	192.168.2.3	51.79.119.229
Aug 6, 2022 04:30:00.196809053 CEST	13371	49867	51.79.119.229	192.168.2.3
Aug 6, 2022 04:30:00.198041916 CEST	49872	13371	192.168.2.3	51.79.119.228
Aug 6, 2022 04:30:00.250096083 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:30:00.300817013 CEST	13371	49872	51.79.119.228	192.168.2.3
Aug 6, 2022 04:30:00.354142904 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:30:00.812688112 CEST	49872	13371	192.168.2.3	51.79.119.228
Aug 6, 2022 04:30:00.915483952 CEST	13371	49872	51.79.119.228	192.168.2.3
Aug 6, 2022 04:30:01.359879971 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:30:01.422097921 CEST	49872	13371	192.168.2.3	51.79.119.228
Aug 6, 2022 04:30:01.464096069 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:30:01.524940968 CEST	13371	49872	51.79.119.228	192.168.2.3
Aug 6, 2022 04:30:01.525876999 CEST	49876	13371	192.168.2.3	51.79.119.221
Aug 6, 2022 04:30:01.630609035 CEST	13371	49876	51.79.119.221	192.168.2.3
Aug 6, 2022 04:30:02.140882015 CEST	49876	13371	192.168.2.3	51.79.119.221
Aug 6, 2022 04:30:02.246131897 CEST	13371	49876	51.79.119.221	192.168.2.3
Aug 6, 2022 04:30:02.469644070 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:30:02.573920012 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:30:02.750361919 CEST	49876	13371	192.168.2.3	51.79.119.221
Aug 6, 2022 04:30:02.855278015 CEST	13371	49876	51.79.119.221	192.168.2.3
Aug 6, 2022 04:30:03.579397917 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:30:03.683615923 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:30:04.703747988 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:30:04.808187008 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:30:05.801750898 CEST	49878	13371	192.168.2.3	51.79.119.230
Aug 6, 2022 04:30:05.828742027 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:30:05.906163931 CEST	13371	49878	51.79.119.230	192.168.2.3
Aug 6, 2022 04:30:05.932822943 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:30:06.531982899 CEST	49878	13371	192.168.2.3	51.79.119.230
Aug 6, 2022 04:30:06.637304068 CEST	13371	49878	51.79.119.230	192.168.2.3
Aug 6, 2022 04:30:07.047699928 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:30:07.152036905 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:30:07.235153913 CEST	49878	13371	192.168.2.3	51.79.119.230
Aug 6, 2022 04:30:07.339591980 CEST	13371	49878	51.79.119.230	192.168.2.3
Aug 6, 2022 04:30:07.417711973 CEST	49879	13371	192.168.2.3	51.79.119.229
Aug 6, 2022 04:30:07.526087046 CEST	13371	49879	51.79.119.229	192.168.2.3
Aug 6, 2022 04:30:08.125840902 CEST	49879	13371	192.168.2.3	51.79.119.229
Aug 6, 2022 04:30:08.235239983 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:30:08.235991955 CEST	13371	49879	51.79.119.229	192.168.2.3
Aug 6, 2022 04:30:08.339607954 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:30:08.923032999 CEST	49879	13371	192.168.2.3	51.79.119.229
Aug 6, 2022 04:30:09.031199932 CEST	13371	49879	51.79.119.229	192.168.2.3
Aug 6, 2022 04:30:09.033193111 CEST	49882	13371	192.168.2.3	51.79.119.228
Aug 6, 2022 04:30:09.138031006 CEST	13371	49882	51.79.119.228	192.168.2.3
Aug 6, 2022 04:30:09.422808886 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:30:09.527024984 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:30:09.719763041 CEST	49882	13371	192.168.2.3	51.79.119.228
Aug 6, 2022 04:30:09.824472904 CEST	13371	49882	51.79.119.228	192.168.2.3
Aug 6, 2022 04:30:10.422894001 CEST	49882	13371	192.168.2.3	51.79.119.228
Aug 6, 2022 04:30:10.531455040 CEST	13371	49882	51.79.119.228	192.168.2.3
Aug 6, 2022 04:30:10.532321930 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:30:10.533626080 CEST	49883	13371	192.168.2.3	51.79.119.221
Aug 6, 2022 04:30:10.639812946 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:30:10.642599106 CEST	13371	49883	51.79.119.221	192.168.2.3
Aug 6, 2022 04:30:11.219830036 CEST	49883	13371	192.168.2.3	51.79.119.221
Aug 6, 2022 04:30:11.325777054 CEST	13371	49883	51.79.119.221	192.168.2.3
Aug 6, 2022 04:30:11.641803026 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:30:11.745973110 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:30:11.829287052 CEST	49883	13371	192.168.2.3	51.79.119.221
Aug 6, 2022 04:30:11.935179949 CEST	13371	49883	51.79.119.221	192.168.2.3
Aug 6, 2022 04:30:12.751271963 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:30:12.856115103 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:30:13.860848904 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:30:13.965358019 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:30:14.550414085 CEST	49884	13371	192.168.2.3	51.79.119.230
Aug 6, 2022 04:30:14.653400898 CEST	13371	49884	51.79.119.230	192.168.2.3
Aug 6, 2022 04:30:14.970185995 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:30:15.074657917 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:30:15.157702923 CEST	49884	13371	192.168.2.3	51.79.119.230
Aug 6, 2022 04:30:15.260747910 CEST	13371	49884	51.79.119.230	192.168.2.3
Aug 6, 2022 04:30:15.767234087 CEST	49884	13371	192.168.2.3	51.79.119.230
Aug 6, 2022 04:30:15.870260000 CEST	13371	49884	51.79.119.230	192.168.2.3
Aug 6, 2022 04:30:15.872337103 CEST	49885	13371	192.168.2.3	51.79.119.229
Aug 6, 2022 04:30:15.975073099 CEST	13371	49885	51.79.119.229	192.168.2.3
Aug 6, 2022 04:30:16.079664946 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:30:16.183835983 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:30:16.485917091 CEST	49885	13371	192.168.2.3	51.79.119.229
Aug 6, 2022 04:30:16.588720083 CEST	13371	49885	51.79.119.229	192.168.2.3
Aug 6, 2022 04:30:17.095293045 CEST	49885	13371	192.168.2.3	51.79.119.229
Aug 6, 2022 04:30:17.189553022 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:30:17.197850943 CEST	13371	49885	51.79.119.229	192.168.2.3
Aug 6, 2022 04:30:17.198405027 CEST	49886	13371	192.168.2.3	51.79.119.228
Aug 6, 2022 04:30:17.296418905 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:30:17.305361986 CEST	13371	49886	51.79.119.228	192.168.2.3
Aug 6, 2022 04:30:17.814157009 CEST	49886	13371	192.168.2.3	51.79.119.228
Aug 6, 2022 04:30:17.921538115 CEST	13371	49886	51.79.119.228	192.168.2.3
Aug 6, 2022 04:30:18.298573971 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:30:18.406640053 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:30:18.423602104 CEST	49886	13371	192.168.2.3	51.79.119.228
Aug 6, 2022 04:30:18.532749891 CEST	13371	49886	51.79.119.228	192.168.2.3
Aug 6, 2022 04:30:18.533278942 CEST	49887	13371	192.168.2.3	51.79.119.221
Aug 6, 2022 04:30:18.636857986 CEST	13371	49887	51.79.119.221	192.168.2.3
Aug 6, 2022 04:30:19.142421961 CEST	49887	13371	192.168.2.3	51.79.119.221
Aug 6, 2022 04:30:19.246223927 CEST	13371	49887	51.79.119.221	192.168.2.3
Aug 6, 2022 04:30:19.408068895 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:30:19.512320042 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:30:19.751959085 CEST	49887	13371	192.168.2.3	51.79.119.221
Aug 6, 2022 04:30:19.857898951 CEST	13371	49887	51.79.119.221	192.168.2.3
Aug 6, 2022 04:30:20.517468929 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:30:20.621917963 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:30:21.627140045 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:30:21.731493950 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:30:22.471364021 CEST	49888	13371	192.168.2.3	51.79.119.230
Aug 6, 2022 04:30:22.579829931 CEST	13371	49888	51.79.119.230	192.168.2.3
Aug 6, 2022 04:30:22.736572027 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:30:22.840773106 CEST	13371	49734	51.79.119.231	192.168.2.3
Aug 6, 2022 04:30:23.080250025 CEST	49888	13371	192.168.2.3	51.79.119.230
Aug 6, 2022 04:30:23.188777924 CEST	13371	49888	51.79.119.230	192.168.2.3
Aug 6, 2022 04:30:23.689672947 CEST	49888	13371	192.168.2.3	51.79.119.230
Aug 6, 2022 04:30:23.798233986 CEST	13371	49888	51.79.119.230	192.168.2.3
Aug 6, 2022 04:30:23.803463936 CEST	49889	13371	192.168.2.3	51.79.119.229
Aug 6, 2022 04:30:23.846179008 CEST	49734	13371	192.168.2.3	51.79.119.231
Aug 6, 2022 04:30:23.910142899 CEST	13371	49889	51.79.119.229	192.168.2.3
Aug 6, 2022 04:30:23.950349092 CEST	13371	49734	51.79.119.231	192.168.2.3

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: loader.exePID: 5972, Parent PID: 5332

General

Target ID:	0
Start time:	04:28:08
Start date:	06/08/2022
Path:	C:\Users\user\Desktop\loader.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\loader.exe"
Imagebase:	0x140000000
File size:	9042944 bytes
MD5 hash:	E5FD705D3E71F8305FA11E8D1CD2984E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report loader.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f83f6d5d89b61b17f0d3863070323a34_d06ed635-68f6-4e9a-955c-4899f5f57b9a

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\6D57A09278E9D03E442F152BE212C307E8475812

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: loader.exePID: 5972, Parent PID: 5332

General

Windows Analysis Report
loader.exe